安居客某重要站点存在SQL注射 | wooyun-2015-0147950| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0147950

漏洞标题：安居客某重要站点存在SQL注射

漏洞作者：沦沦

提交时间：2015-10-20 09:33

修复时间：2015-12-04 10:10

公开时间：2015-12-04 10:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-20：细节已通知厂商并且等待厂商处理中
2015-10-20：厂商已经确认，细节仅向厂商公开
2015-10-30：细节向核心白帽子及相关领域专家公开
2015-11-09：细节向普通白帽子公开
2015-11-19：细节向实习白帽子公开
2015-12-04：细节向公众公开

简要描述：

详细说明：

POST /ajkbroker/combo/account/accountlog/ HTTP/1.1
Host: my.anjuke.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://my.anjuke.com/ajkbroker/combo/account/accountlog
Cookie: sessid=0D0EAA87-50D7-B260-1C7A-0B8B4B83042C; aQQ_ajkguid=26548930-F7AA-051F-9798-4D2B041ADD03; lps=http%3A%2F%2Fqingdao.zu.anjuke.com%2F%3Ffrom%3Dganji_pc_list_tab%7Chttp%3A%2F%2Fqd.ganji.com%2Ffang1%2Fa2%2F; ctid=15; twe=2; __xsptplus8=8.1.1445301187.1445302691.27%233%7Cqd.ganji.com%7C%7C%7C%7C%23%23vOb9WrRHO4vxZZSk7-3LL8MimjbyBQXb%23; als=0; ajk_member_captcha=94d9e25669d24705d9e26e19445f3552; _ga=GA1.2.2099664147.1445301245; Hm_lvt_c5899c8768ebee272710c9c5f365a6d8=1445301246; Hm_lpvt_c5899c8768ebee272710c9c5f365a6d8=1445302655; lui=261923%3A2; history=%2Fapi%2Flogin%2Fsubmit%3Fusername%3Dchenqiang%26password%3D123456%26remember%3Dtrue%26callback%3Dwindow.user.callbackDetail; UserType=2; me=1; aQQ_hzweb_uid=261923; jp_auth_info_new=v%2F4swQte7PeQh9FKGlERi%2BMDuFMvYBfHyAgjInnzlw2B3w; NewGuide=11171%405%3AId%26304800%2CBI%2611171%2CGT%265%2CGS%261%3B6581%405%3AId%26302174%2CBI%266581%2CGT%265%2CGS%261%7C1%3AId%26273311%2CBI%266581%2CGT%261%2CGS%261%3B66325%405%3AId%26335264%2CBI%2666325%2CGT%265%2CGS%261%3B74884%405%3AId%26340171%2CBI%2674884%2CGT%265%2CGS%261; ckimarkednum_343179=0; isp=true; PHPSESSID=5m5js7jmdr6lame8rfrjcd42t0; tuangou_list_ids=1%3A1; _gat=1; aQQ_modbbsadminauthinfos=tvlwxQ5W7P7Zk4ULWAtqmd0Ztkc%2FL0if9VhwcC64wRbk2CJci5gtTw; aQQ_Memberauthinfos=tKp6xg9e7aLZk4ULWAtqmd0Ztkc%2FL0if9VRsUSv%2FzATEqxpRiJkvT7jxCUzq; aQQ_haozuusername=%E7%8E%8B%E7%8E%89%E6%A2%85%7Cbroker%7Chttp%3A%2F%2Fmy.anjuke.com%2Fmy%2Fhome%2F%7Chttp%3A%2F%2Fagent.anjuke.com%2Fmy%2Flogout%2F; aQQ_Brokerauthinfos=svx4kFsCvvXZloQFXwlW541E5Ax6cRzDyQQgGHz%2BmHCClh0uiN1WOYHwNHHtRIUYdpEe0PsBZiU0fa27aAO6YP98kg; jp_member_id=1055754; jp_auth_info=5ec86848bee10868fbd41935e3db230c; usertype=2; aQQ_ajkauthinfos=4%2F5wlVoC76fZk4ULWAtqttVAkW0wS0nEuklMIiX7zGvh0iJWtJwUTrz1NXboRYEbeqka7%2F89biM0fa2GagSyavxElQuchKw; ajk_member_name=wangyumei; ckimarkednum_261923=0; ajk_member_id=261923
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
logtype=*&ff=2015-09-21*&f=&tt=2015-10-20*&t=*

logtype参数没进行过滤

漏洞证明：

POST /ajkbroker/combo/account/accountlog/ HTTP/1.1
Host: my.anjuke.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://my.anjuke.com/ajkbroker/combo/account/accountlog
Cookie: sessid=0D0EAA87-50D7-B260-1C7A-0B8B4B83042C; aQQ_ajkguid=26548930-F7AA-051F-9798-4D2B041ADD03; lps=http%3A%2F%2Fqingdao.zu.anjuke.com%2F%3Ffrom%3Dganji_pc_list_tab%7Chttp%3A%2F%2Fqd.ganji.com%2Ffang1%2Fa2%2F; ctid=15; twe=2; __xsptplus8=8.1.1445301187.1445302691.27%233%7Cqd.ganji.com%7C%7C%7C%7C%23%23vOb9WrRHO4vxZZSk7-3LL8MimjbyBQXb%23; als=0; ajk_member_captcha=94d9e25669d24705d9e26e19445f3552; _ga=GA1.2.2099664147.1445301245; Hm_lvt_c5899c8768ebee272710c9c5f365a6d8=1445301246; Hm_lpvt_c5899c8768ebee272710c9c5f365a6d8=1445302655; lui=261923%3A2; history=%2Fapi%2Flogin%2Fsubmit%3Fusername%3Dchenqiang%26password%3D123456%26remember%3Dtrue%26callback%3Dwindow.user.callbackDetail; UserType=2; me=1; aQQ_hzweb_uid=261923; jp_auth_info_new=v%2F4swQte7PeQh9FKGlERi%2BMDuFMvYBfHyAgjInnzlw2B3w; NewGuide=11171%405%3AId%26304800%2CBI%2611171%2CGT%265%2CGS%261%3B6581%405%3AId%26302174%2CBI%266581%2CGT%265%2CGS%261%7C1%3AId%26273311%2CBI%266581%2CGT%261%2CGS%261%3B66325%405%3AId%26335264%2CBI%2666325%2CGT%265%2CGS%261%3B74884%405%3AId%26340171%2CBI%2674884%2CGT%265%2CGS%261; ckimarkednum_343179=0; isp=true; PHPSESSID=5m5js7jmdr6lame8rfrjcd42t0; tuangou_list_ids=1%3A1; _gat=1; aQQ_modbbsadminauthinfos=tvlwxQ5W7P7Zk4ULWAtqmd0Ztkc%2FL0if9VhwcC64wRbk2CJci5gtTw; aQQ_Memberauthinfos=tKp6xg9e7aLZk4ULWAtqmd0Ztkc%2FL0if9VRsUSv%2FzATEqxpRiJkvT7jxCUzq; aQQ_haozuusername=%E7%8E%8B%E7%8E%89%E6%A2%85%7Cbroker%7Chttp%3A%2F%2Fmy.anjuke.com%2Fmy%2Fhome%2F%7Chttp%3A%2F%2Fagent.anjuke.com%2Fmy%2Flogout%2F; aQQ_Brokerauthinfos=svx4kFsCvvXZloQFXwlW541E5Ax6cRzDyQQgGHz%2BmHCClh0uiN1WOYHwNHHtRIUYdpEe0PsBZiU0fa27aAO6YP98kg; jp_member_id=1055754; jp_auth_info=5ec86848bee10868fbd41935e3db230c; usertype=2; aQQ_ajkauthinfos=4%2F5wlVoC76fZk4ULWAtqttVAkW0wS0nEuklMIiX7zGvh0iJWtJwUTrz1NXboRYEbeqka7%2F89biM0fa2GagSyavxElQuchKw; ajk_member_name=wangyumei; ckimarkednum_261923=0; ajk_member_id=261923
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
logtype=*&ff=2015-09-21*&f=&tt=2015-10-20*&t=*

logtype参数没进行过滤

修复方案：

过滤

版权声明：转载请注明来源沦沦@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：17

确认时间：2015-10-20 10:08

厂商回复：

感谢对安居客的支持！

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0147950

漏洞标题：安居客某重要站点存在SQL注射

相关厂商：安居客

漏洞作者：沦沦

提交时间：2015-10-20 09:33

修复时间：2015-12-04 10:10

公开时间：2015-12-04 10:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源沦沦@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0147950

漏洞标题：安居客某重要站点存在SQL注射

相关厂商：安居客

漏洞作者： 沦沦

提交时间：2015-10-20 09:33

修复时间：2015-12-04 10:10

公开时间：2015-12-04 10:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0147950"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 沦沦@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：沦沦

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源沦沦@乌云