SQL injection vulnerability on a subsite of 奇客星空 (7k7k)

Vulnerability details

Disclosure status:

2014-03-13: Details reported to the vendor; awaiting vendor handling
2014-03-13: Vendor confirmed; details disclosed to the vendor only
2014-03-23: Details disclosed to core white hats and domain experts
2014-04-02: Details disclosed to regular white hats
2014-04-12: Details disclosed to intern white hats
2014-04-27: Details disclosed to the public

Brief description:

SQL injection vulnerability on a 奇客星空 (7k7k) site

Detailed description:

Injection endpoint:

http://web.7k7k.com/code/ajax.php

Injectable POST parameters (all three are injected; each is expected to be numeric, so any value that is not a plain integer reaches the query unchanged):

c_type, gid, sid

Injection request (captured as sent):

POST /code/ajax.php HTTP/1.1
Content-Length: 189
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://web.7k7k.com
Cookie: PHPSESSID=8on74est1lj6um6tie17oqe2s2; sssg_client=web; qmr_client=web; timekey=9ffbd030a864485cf4537562e825de1a; username=oxdkpype; identity=oxdkpype; nickname=196502247; userid=484706292; kk=196502247; logintime=1394674336; k7_lastlogin=1394674397; loginfrom=0011; avatar=http%3A%2F%2Fsface.7k7kimg.cn%2Fuicons%2Fphoto_default_s.png; securitycode=56b74820576f6e7223b0ab449d073fbf; k7_union=9999999; k7_username=oxdkpype; k7_uid=484706292; k7_from=2762127; k7_reg=1394674336; k7_ip=222.138.229.47; userprotect=062ab4d5c8d6b340312100a831a6cb4e; userpermission=fb914e06e9616fb300c9811b11b68a0d; k7_lastlogin=2014-03-13+09%3A32%3A16; web_uniques=482233444; k7_gamekey=%5B%2221_1%22%2C%2221_12%22%5D; k7_gamelist=%5B%7B%22sname%22%3A%22%5Cu5929%5Cu5730%5Cu82f1%5Cu96c4%5B%5Cu53cc%5Cu7ebf%5Cu4e00%5Cu533a%5D%22%2C%22key%22%3A%22tdyx%22%2C%22gid%22%3A21%2C%22server_id%22%3A%221%22%7D%2C%7B%22sname%22%3A%22%5Cu5929%5Cu5730%5Cu82f1%5Cu96c4%5B%5Cu53cc%5Cu7ebf12%5Cu533a%5D%22%2C%22key%22%3A%22tdyx%22%2C%22gid%22%3A21%2C%22server_id%22%3A%2212%22%7D%5D; yourplayedwebgames=dcj%257C%25E9%25BE%2599%25E7%25BA%25B9%25E6%2588%2598%25E5%259F%259F%252Csq%257C%25E7%25A5%259E%25E6%259B%25B2%252Cyt%257C%25E5%25BE%25A1%25E5%25A4%25A9%252Cqjll%257C%25E5%25A5%2587%25E8%25BF%25B9%25E6%259D%25A5%25E4%25BA%2586%252Csctx%257C%25E7%25A5%259E%25E5%2588%259B%25E5%25A4%25A9%25E4%25B8%258B%252Ctdyx%257C%25E5%25A4%25A9%25E5%259C%25B0%25E8%258B%25B1%25E9%259B%2584
Host: web.7k7k.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

c_type=13945&gid=251&ran=0.14362087147310376&sid=2&username=cvdciknt

Successful injection:

[Screenshot: c_type.png - injection confirmed on the c_type parameter]

Database:

[Screenshot: db.png - database name retrieved]

Current user:

[Screenshot: user.png - current database user retrieved]



I'll stop here and not go any further~

Proof of vulnerability:

As above

Fix recommendation:

Filter the parameters. Concretely: c_type, gid and sid are integer identifiers, so reject (or cast) any value that is not a plain integer before it is used, and pass the values to the database through prepared statements / parameterized queries instead of concatenating them into the SQL string. Blacklist-style keyword filtering alone is not sufficient.
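The following is an added illustration, not code from the report or from 7k7k. It models the kind of lookup that sits behind an endpoint taking numeric parameters such as gid and sid: a constructed SQLite table, a query built by string concatenation (the injectable pattern), and the hardened form that validates the parameters as integers and binds them with a parameterized query. The table, column names, row data and payloads are all assumptions made for the example; the page does not show the real site's schema or the payloads used.

```python
"""
Added example (not part of the original WooYun report): a concatenated
query over numeric request parameters versus the hardened version.
Schema, rows and payloads are constructed for illustration only.
"""
import re
import sqlite3


def make_db():
    """Build an in-memory table standing in for a game/server lookup.
    The schema and rows are invented; nothing here is from 7k7k."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE game_servers (gid INTEGER, sid INTEGER, sname TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO game_servers VALUES (?, ?, ?, ?)",
        [
            (21, 1, "tdyx-1", "secret-1"),
            (21, 12, "tdyx-12", "secret-2"),
            (251, 2, "other-2", "secret-3"),
        ],
    )
    return conn


def lookup_vulnerable(conn, gid, sid):
    """Vulnerable pattern: request parameters concatenated into SQL.
    Because gid/sid are 'numeric', the code never quotes them, so the
    attacker does not even need to break out of a string literal."""
    sql = "SELECT sname FROM game_servers WHERE gid=" + gid + " AND sid=" + sid
    return [row[0] for row in conn.execute(sql)]


def to_int_param(value):
    """Whitelist validation for an integer request parameter.
    Only an ASCII decimal string is accepted; anything else is rejected
    before it can reach the query."""
    if not isinstance(value, str) or re.fullmatch(r"[0-9]+", value) is None:
        raise ValueError("parameter must be a plain decimal integer")
    return int(value)


def lookup_hardened(conn, gid, sid):
    """Hardened pattern: validate as integers, then bind with placeholders.
    Even if validation were skipped, the bound value is data, not SQL."""
    g, s = to_int_param(gid), to_int_param(sid)
    rows = conn.execute(
        "SELECT sname FROM game_servers WHERE gid=? AND sid=?", (g, s)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("normal:", lookup_vulnerable(db, "251", "2"))
    # Tautology: WHERE gid=251 AND sid=2 OR 1=1 -> every row
    print("OR 1=1:", lookup_vulnerable(db, "251", "2 OR 1=1"))
    # Boolean-based probe: same request, different truth value -> different rows
    print("AND 1=2:", lookup_vulnerable(db, "251", "2 AND 1=2"))
    # UNION: pull another column out through the same result set
    print("UNION:", lookup_vulnerable(db, "251", "2 UNION SELECT secret FROM game_servers"))
    print("hardened:", lookup_hardened(db, "251", "2"))
    try:
        lookup_hardened(db, "251", "2 OR 1=1")
    except ValueError as exc:
        print("hardened rejects payload:", exc)
```

The three payloads against lookup_vulnerable show why the screenshots in the report were possible: a tautology widens the result set, a true/false pair gives a boolean oracle for blind extraction, and a UNION reads arbitrary columns. The same requests against lookup_hardened are refused at validation, and because the query uses bound parameters, a value that slipped past validation would still be treated as a literal.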

Copyright notice: please credit the source when reposting: chopper@WooYun (乌云)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed at: 2014-03-13 17:39

Vendor reply:

Thanks to the white hat author for the report; the vulnerability does exist and has been fixed. We will contact the author afterwards to send a small gift, and we hope to cooperate with white hats.

Latest status:

None yet


Vulnerability evaluation: