当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-021055

漏洞标题:新浪某分站SQL注入漏洞,部分敏感数据泄露

相关厂商:新浪

漏洞作者: 喝醉的企鹅

提交时间:2013-04-01 11:49

修复时间:2013-05-16 11:49

公开时间:2013-05-16 11:49

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-04-01: 细节已通知厂商并且等待厂商处理中
2013-04-01: 厂商已经确认,细节仅向厂商公开
2013-04-11: 细节向核心白帽子及相关领域专家公开
2013-04-21: 细节向普通白帽子公开
2013-05-01: 细节向实习白帽子公开
2013-05-16: 细节向公众公开

简要描述:

eat.gd.sina.com.cn存在SQL注入

详细说明:

注入点:http://eat.gd.sina.com.cn/mssd_test/diy/content.php?id=5243

漏洞证明:

1.png


2.png


Database: web_eat
[115 tables]
+----------------------------+
| commend_article |
| eat_comment_config |
| eat_comments |
| eat_rstrt_info |
| food |
| food1 |
| food_menu_info |
| photos |
| print_serial |
| web_eat_search_count |
| web_mail |
| web_mssd2_last_vote |
| web_mssd2_last_vote_ip |
| web_mssd2_last_vote_limit |
| web_mssd2_month_ph |
| web_mssd2_pl_random |
| web_mssd2_pl_random1 |
| web_mssd2_rob_table |
| web_mssd2_rob_table_log |
| web_mssd2_rob_table_prizes |
| web_mssd2_rstrt_for_random |
| web_news_tag |
| web_post |
| web_post_all |
| web_rstrt |
| web_rstrt2 |
| web_rstrt_0903mssd |
| web_rstrt_2006_03_21 |
| web_rstrt_2006_05_19 |
| web_rstrt_KFC2008 |
| web_rstrt_KFC_Pic |
| web_rstrt_KFC_Video |
| web_rstrt_VIP |
| web_rstrt_VIP_BackGround |
| web_rstrt_VIP_Environment |
| web_rstrt_VIP_Kitchener |
| web_rstrt_VIP_Pic |
| web_rstrt_VIP_Video |
| web_rstrt_VIP_Vote |
| web_rstrt_article |
| web_rstrt_bak |
| web_rstrt_bak_bak |
| web_rstrt_card |
| web_rstrt_card_tmp |
| web_rstrt_chain |
| web_rstrt_checkUpdate |
| web_rstrt_ctpx |
| web_rstrt_ctpx090107 |
| web_rstrt_ctpx1228 |
| web_rstrt_ctpx1228_new |
| web_rstrt_ctpx_vote |
| web_rstrt_error |
| web_rstrt_fb |
| web_rstrt_fb_join |
| web_rstrt_fb_pic |
| web_rstrt_fb_pic_tmp |
| web_rstrt_fb_post |
| web_rstrt_fb_review |
| web_rstrt_food |
| web_rstrt_food_new |
| web_rstrt_lixa |
| web_rstrt_manager |
| web_rstrt_manager_modify |
| web_rstrt_map |
| web_rstrt_map_old |
| web_rstrt_model |
| web_rstrt_model_php |
| web_rstrt_newYearGift |
| web_rstrt_passage |
| web_rstrt_passage_bak |
| web_rstrt_passage_pic |
| web_rstrt_passage_post |
| web_rstrt_passage_post_pic |
| web_rstrt_pic |
| web_rstrt_pic_bak |
| web_rstrt_pic_tmp |
| web_rstrt_pic_uploads |
| web_rstrt_post |
| web_rstrt_qyzl |
| web_rstrt_qyzl_ct |
| web_rstrt_qyzl_rw |
| web_rstrt_register |
| web_rstrt_register1 |
| web_rstrt_snatch |
| web_rstrt_snatch1 |
| web_rstrt_snatch_pic |
| web_rstrt_snatch_tmp |
| web_rstrt_snatch_tmp1 |
| web_rstrt_sz_simple |
| web_rstrt_tmp |
| web_rstrt_union |
| web_rstrt_user |
| web_rstrt_user_grade |
| web_rstrt_user_pic |
| web_rstrt_user_vote |
| web_rstrt_zct |
| web_rstrt_zdiy |
| web_rstrt_zdiy_09 |
| web_rstrt_zdiy_author |
| web_rstrt_zdiy_author_2 |
| web_rstrt_zdiy_final |
| web_rstrt_zdiy_final_3 |
| web_rstrt_zdiy_final_vote |
| web_rstrt_zdiy_jubao |
| web_rstrt_zdiy_subject |
| web_rstrt_zdiy_tmp |
| web_rstrt_zmssd |
| web_rstrt_zmssd_action |
| web_rstrt_zmssd_lucky |
| web_rstrt_zmssd_prize |
| web_rstrt_zmssd_result |
| web_rstrt_zpc |
| web_rstrt_zpc_food |
| web_rstrt_zpc_pic |
| web_shop |
+----------------------------+

3.png


本人菜鸟一枚,第一次提交漏洞,wooyun管理给个邀请码学习呗!

修复方案:

SQL注入修复

版权声明:转载请注明来源 喝醉的企鹅@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2013-04-01 11:52

厂商回复:

感谢关注新浪安全,已安排人员进行处理。

最新状态:

暂无


漏洞评价:

评论