
Vulnerability summary

Defect ID: wooyun-2015-0128985

Title: Misconfiguration on a Sina site

Vendor: Sina (新浪)

Author: 路人甲

Submitted: 2015-07-24 16:52

Fixed: 2015-09-07 17:02

Published: 2015-09-07 17:02

Type: System/service operations misconfiguration

Severity: Medium

Self-rated Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-07-24: Details sent to the vendor, awaiting vendor handling
2015-07-24: Vendor confirmed; details visible to the vendor only
2015-08-03: Details disclosed to core white hats and domain experts
2015-08-13: Details disclosed to regular white hats
2015-08-23: Details disclosed to intern white hats
2015-09-07: Details disclosed to the public

Brief description:

A single cold gleam casts ten thousand rays; what matter if it slaughters all the world? Buried deep, its keen resolve unchanged; when wind and clouds gather, it reigns as king.

Details:

eat.gd.sina.com.cn/include.tar.gz


[Screenshot: 1.png]


```php
<?php
/**
 * Generic restaurant-database class for the Sina Guangdong food channel.
 *
 * LICENSE
 *
 * @category eat.gd.sina.com.cn
 * @package Eat_Core_Library
 * @copyright Copyright (c) 2009 , LiXiang
 * @license New BSD License
 * @version $Id: Data.php 2009-06-16 $
 */
//require_once $_SERVER['DOCUMENT_ROOT']."/include/library/Common/Mysql.php";
require_once realpath(dirname(__FILE__))."/../Common/Mysql.php";

class Rstrt_Data
{
    private $_db;
    private $_host = "10.71.2.104";
    private $_dbname = "web_eat";
    private $_dbuser = "web_eat";
    private $_dbpasswd = "giggle4sina";
    private $_table = "web_rstrt";
    private $_primaryKey = "RstrtID";
    private $_where = " 1 ";
    private $_fields = "*";
    private $_groupby = "";
    private $_orderby = "";
    private $_limit = "";

    private $_query = "";

    /**
     * Constructor: initialises the database connection.
     */
    function Rstrt_Data($db="web_eat")
    {
        if($db!="")$this->_dbname = $db;
        $this->_db = new Common_Mysql($this->_host,$this->_dbname,$this->_dbuser,$this->_dbpasswd,0);
        $this->_db->connect();
    }

    //============= The following functions set query parameters =================
    /**
     * Set the table and the fields to query.
     * @param string $table
     * @param string $fields
     */
    public function from($table,$fields)
    {
        $this->_table = $table;
        $this->_fields = $fields;
    }

    /**
     * Set the WHERE condition.
     * @param string $where
     */
    public function where($where)
    {
        $this->_where = $where;
    }

    /**
     * Set GROUP BY.
     * @param string $groupby
     */
    public function group($groupby)
    {
        $this->_groupby = $groupby;
    }

    /**
     * Set ORDER BY.
     * @param string $orderby
     */
    public function order($orderby)
    {
        $this->_orderby = $orderby;
    }

    /**
     * Set LIMIT.
     * @param string|int $limit
     */
    public function limit($limit)
    {
        $this->_limit = $limit;
    }

    /**
     * Set LIMIT from a page number and page size.
     * @param int $curPage
     * @param int $offset
     */
    public function limitPage($curPage,$offset=10)
    {
        $this->_limit = ($curPage-1)*$offset.",".$offset;
    }
    //====================================

    public function resetParams()
    {
        $this->_where = "";
        $this->_table = "";
        $this->_fields = "";
        $this->_groupby = "";
        $this->_orderby = "";
        $this->_limit = "";
        $this->_query = "";
    }

    /**
     * Query the table.
     * @param string $where
     * @param string $fields
     * @param string $orderby
     * @param int|string $limit
     * @return array
     */
    public function select()
    {
        $result = array();
        //$this->_where = mysql_escape_string($this->_where);
        if($this->_where == "")$this->_where = "1";
        if($this->_fields == "")$this->_fields = "*";
        $query = " SELECT ".$this->_fields." FROM ".$this->_table." WHERE ".$this->_where." ";
        if($this->_groupby != "")$query .= " GROUP BY ".$this->_groupby;
        if($this->_orderby != "")$query .= " ORDER BY ".$this->_orderby;
        if($this->_limit != "")$query .= " LIMIT ".$this->_limit;
        $this->_query = $query;
        $this->_db->query($query);
        $i = 0;
        while($row=$this->_db->fetch_row()){
            $result[$i] = $row;
            $i++;
        }
        return $result;
    }//end function get

    /**
     * Count the restaurant records matching the condition.
     * @param string $where
     * @return int
     */
    public function selectCount()
    {
        $result = 0;
        $query = "SELECT COUNT(*) as total FROM ".$this->_table." where ".$this->_where.";";
        $this->_query = $query;
        $this->_db->query($query);
        $row = $this->_db->fetch_row();
        $result = $row['total'];
        return $result;
    }

    /**
     * Return the last query string.
     * @return string
     */
    public function _toString()
    {
        return $this->_query;
    }
}//end class
```
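As an added defender-side example (not part of the original report), the following Python audit walks a web document root for the two problems this report shows: an archive such as include.tar.gz left where the server will serve it, and PHP sources with a database password inlined like `$_dbpasswd` in the leaked Rstrt_Data class. The directory tree it scans is constructed inside the script; the file names and the placeholder password are made up.

```python
"""Audit a web document root for served backup archives and for PHP
sources carrying hard-coded database passwords. Added example; the
sample tree built below is constructed for the demo."""
import os
import re
import tempfile

# Archive/backup suffixes that should never sit under a served directory.
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".zip", ".rar", ".7z", ".sql", ".bak", ".old")

# Matches assignments such as: private $_dbpasswd = "giggle4sina";
CRED_RE = re.compile(
    r"""\$_?(?:db_?)?(?:passw(?:or)?d|pass|pwd)\s*=\s*(['"])(?P<value>[^'"]+)\1""",
    re.IGNORECASE,
)

def audit_docroot(root):
    """Return (exposed_archives, hardcoded_creds): sorted lists of paths
    relative to root."""
    archives, creds = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                archives.append(rel)
            if name.lower().endswith((".php", ".inc")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if CRED_RE.search(fh.read()):
                        creds.append(rel)
    return sorted(archives), sorted(creds)

def build_sample_docroot():
    """Constructed sample tree mirroring the report's layout (hypothetical)."""
    root = tempfile.mkdtemp(prefix="docroot_")
    os.makedirs(os.path.join(root, "include", "library", "Rstrt"))
    with open(os.path.join(root, "include.tar.gz"), "wb") as fh:
        fh.write(b"\x1f\x8b\x08\x00")  # gzip magic only; contents irrelevant here
    with open(os.path.join(root, "include", "library", "Rstrt", "Data.php"), "w") as fh:
        fh.write('<?php\nclass Rstrt_Data {\n private $_dbpasswd = "example-secret";\n}\n')
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<?php $db = getenv("DB_PASSWORD"); // credential from environment: not flagged\n')
    return root

if __name__ == "__main__":
    exposed, leaked = audit_docroot(build_sample_docroot())
    print("exposed archives:", exposed)
    print("files with hard-coded credentials:", leaked)
```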

Proof of vulnerability:

[Screenshot: 1.jpg]

Remediation:

I'm here for the gift!

Copyright notice: credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Low

Rank: 5

Confirmed: 2015-07-24 17:00

Vendor reply:

Thanks for the support; the business team has been notified to fix it.

Latest status:

None