Vulnerability summary

Defect ID: wooyun-2012-010687

Title: Weak admin password and SQL injection in a Letv (乐视网) application expose the whole application stack!

Affected vendor: Letv (乐视网)

Author: shine

Submitted: 2012-08-08 11:13

Fixed: 2012-09-22 11:14

Published: 2012-09-22 11:14

Vulnerability type: weak back-end password

Severity: High

Self-assessed Rank: 12

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2012-08-08: Details sent to the vendor; awaiting the vendor's handling
2012-08-08: Vendor confirmed; details disclosed to the vendor only
2012-08-18: Details disclosed to core white hats and domain experts
2012-08-28: Details disclosed to regular white hats
2012-09-07: Details disclosed to intern white hats
2012-09-22: Details disclosed to the public

Brief description:


As the saying goes: "History repeats itself remarkably!"

Detailed description:


Why say that?
Look at this case:
WooYun: Qunar (去哪儿) test account has a weak password!


This company's technology choices are essentially the same as that one's (of course, most ambitious companies choose this way!).


Proof of vulnerability:


http://pv.letv.com/index.html
LETV data analytics platform, weak credentials: test test


What does a weak password on a company's test account tell you? At the very least that the security architecture process is incomplete; it is not an accident!



There are quite a few injection points, though they are all in the same place: the "过滤条件:" (filter condition) field.


'注射点



I won't go into the SQL injection itself. Instead, let's look at the weaknesses of the layered architecture from the angle of Java's exception mechanism (because Java exceptions are thrown in layers too!):


Exception output triggered by the injection:

Http status: 500 Internal Server Error
ajaxOptions: error
thrownError: undefined
500 Servlet Exception
[show] org.postgresql.util.PSQLException: ERROR: syntax error at or near "注射点"
位置:519
org.springframework.web.util.NestedServletException: Request processing
failed; nested exception is org.springframework.dao.InvalidDataAccessResourceUsageException:
could not execute query; SQL [select count(*) from ( select url, sum(pv)
pv , sum(uv) uv, sum(uip) uip,'<a href=''#'' onclick=show(''common.html?name=urlIn&key='||
replace(replace(url,'%','%25'),'&','%26') ||'&needProd=true&from=20120808&other=-'')>查看流入</a>'
url_in , '<a href=''#'' onclick=show(''common.html?name=urlOut&needProd=true&key='||
replace(replace(url,'%','%25'),'&','%26') ||'&from=20120808&other=-'')>查看流出</a>'
url_out from t_stat_url_top where prod_code = 'ifeng' and tuiguang =
'-' and day_time = '20120808' and url like '%'注射点%' group by url order
by pv desc) asdf]; nested exception is org.hibernate.exception.SQLGrammarException:
could not execute query
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:656)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:119)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:96)
at com.caucho.server.dispatch.ServletFilterChain.doFilter(ServletFilterChain.java:109)
at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:156)
at com.caucho.server.webapp.AccessLogFilterChain.doFilter(AccessLogFilterChain.java:95)
at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:287)
at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:811)
at com.caucho.network.listen.TcpSocketLink.dispatchRequest(TcpSocketLink.java:1186)
at com.caucho.network.listen.TcpSocketLink.handleRequest(TcpSocketLink.java:1148)
at com.caucho.network.listen.TcpSocketLink.handleRequestsImpl(TcpSocketLink.java:1132)
at com.caucho.network.listen.TcpSocketLink.handleRequests(TcpSocketLink.java:1055)
at com.caucho.network.listen.TcpSocketLink.handleAcceptTask(TcpSocketLink.java:903)
at com.caucho.network.listen.AcceptTask.doTask(AcceptTask.java:74)
at com.caucho.network.listen.ConnectionTask.runThread(ConnectionTask.java:97)
at com.caucho.network.listen.ConnectionTask.run(ConnectionTask.java:80)
at com.caucho.network.listen.AcceptTask.run(AcceptTask.java:59)
at com.caucho.env.thread.ResinThread.runTasks(ResinThread.java:164)
at com.caucho.env.thread.ResinThread.run(ResinThread.java:130)
Caused by: org.springframework.dao.InvalidDataAccessResourceUsageException:
could not execute query; SQL [select count(*) from ( select url, sum(pv)
pv , sum(uv) uv, sum(uip) uip,'<a href=''#'' onclick=show(''common.html?name=urlIn&key='||
replace(replace(url,'%','%25'),'&','%26') ||'&needProd=true&from=20120808&other=-'')>查看流入</a>'
url_in , '<a href=''#'' onclick=show(''common.html?name=urlOut&needProd=true&key='||
replace(replace(url,'%','%25'),'&','%26') ||'&from=20120808&other=-'')>查看流出</a>'
url_out from t_stat_url_top where prod_code = 'ifeng' and tuiguang =
'-' and day_time = '20120808' and url like '%'注射点%' group by url order
by pv desc) asdf]; nested exception is org.hibernate.exception.SQLGrammarException:
could not execute query
at org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:629)
at org.springframework.orm.hibernate3.HibernateAccessor.convertHibernateAccessException(HibernateAccessor.java:412)
at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:411)
at org.springframework.orm.hibernate3.HibernateTemplate.execute(HibernateTemplate.java:339)
at com.tj.dao.BaseDaoHib.getCountByNativeSQL(BaseDaoHib.java:244)
at com.tj.dao.BaseDaoHib.getPageInfo(BaseDaoHib.java:547)
at com.tj.service.PVService.getProObject(PVService.java:904)
at com.tj.service.PVService.access$0(PVService.java:712)
at com.tj.service.PVService$1.getObject(PVService.java:1088)
at com.tj.util.CacheUtilMem.autoCach(CacheUtilMem.java:154)
at com.tj.util.CacheUtilMem.autoCach(CacheUtilMem.java:143)
at com.tj.service.PVService.getCommonActionData(PVService.java:1082)
at com.tj.action.Common.getMetaAction(Common.java:346)
at sun.reflect.GeneratedMethodAccessor273.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:119)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:96)
at com.caucho.server.dispatch.ServletFilterChain.doFilter(ServletFilterChain.java:109)
at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:156)
at com.caucho.server.webapp.AccessLogFilterChain.doFilter(AccessLogFilterChain.java:95)
at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:287)
at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:811)
at com.caucho.network.listen.TcpSocketLink.dispatchRequest(TcpSocketLink.java:1186)
at com.caucho.network.listen.TcpSocketLink.handleRequest(TcpSocketLink.java:1148)
at com.caucho.network.listen.TcpSocketLink.handleRequestsImpl(TcpSocketLink.java:1132)
at com.caucho.network.listen.TcpSocketLink.handleRequests(TcpSocketLink.java:1055)
at com.caucho.network.listen.TcpSocketLink.handleAcceptTask(TcpSocketLink.java:903)
at com.caucho.network.listen.AcceptTask.doTask(AcceptTask.java:74)
at com.caucho.network.listen.ConnectionTask.runThread(ConnectionTask.java:97)
at com.caucho.network.listen.ConnectionTask.run(ConnectionTask.java:80)
at com.caucho.network.listen.AcceptTask.run(AcceptTask.java:59)
at com.caucho.env.thread.ResinThread.runTasks(ResinThread.java:164)
at com.caucho.env.thread.ResinThread.run(ResinThread.java:130)
Caused by: org.hibernate.exception.SQLGrammarException: could not execute
query
at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:90)
at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:66)
at org.hibernate.loader.Loader.doList(Loader.java:2235)
at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2129)
at org.hibernate.loader.Loader.list(Loader.java:2124)
at org.hibernate.loader.custom.CustomLoader.list(CustomLoader.java:312)
at org.hibernate.impl.SessionImpl.listCustomQuery(SessionImpl.java:1723)
at org.hibernate.impl.AbstractSessionImpl.list(AbstractSessionImpl.java:165)
at org.hibernate.impl.SQLQueryImpl.list(SQLQueryImpl.java:175)
at org.hibernate.impl.AbstractQueryImpl.uniqueResult(AbstractQueryImpl.java:835)
at com.tj.dao.BaseDaoHib$7.doInHibernate(BaseDaoHib.java:250)
at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:406)
at org.springframework.orm.hibernate3.HibernateTemplate.execute(HibernateTemplate.java:339)
at com.tj.dao.BaseDaoHib.getCountByNativeSQL(BaseDaoHib.java:244)
at com.tj.dao.BaseDaoHib.getPageInfo(BaseDaoHib.java:547)
at com.tj.service.PVService.getProObject(PVService.java:904)
at com.tj.service.PVService.access$0(PVService.java:712)
at com.tj.service.PVService$1.getObject(PVService.java:1088)
at com.tj.util.CacheUtilMem.autoCach(CacheUtilMem.java:154)
at com.tj.util.CacheUtilMem.autoCach(CacheUtilMem.java:143)
at com.tj.service.PVService.getCommonActionData(PVService.java:1082)
at com.tj.action.Common.getMetaAction(Common.java:346)
at sun.reflect.GeneratedMethodAccessor273.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:119)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:96)
at com.caucho.server.dispatch.ServletFilterChain.doFilter(ServletFilterChain.java:109)
at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:156)
at com.caucho.server.webapp.AccessLogFilterChain.doFilter(AccessLogFilterChain.java:95)
at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:287)
at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:811)
at com.caucho.network.listen.TcpSocketLink.dispatchRequest(TcpSocketLink.java:1186)
at com.caucho.network.listen.TcpSocketLink.handleRequest(TcpSocketLink.java:1148)
at com.caucho.network.listen.TcpSocketLink.handleRequestsImpl(TcpSocketLink.java:1132)
at com.caucho.network.listen.TcpSocketLink.handleRequests(TcpSocketLink.java:1055)
at com.caucho.network.listen.TcpSocketLink.handleAcceptTask(TcpSocketLink.java:903)
at com.caucho.network.listen.AcceptTask.doTask(AcceptTask.java:74)
at com.caucho.network.listen.ConnectionTask.runThread(ConnectionTask.java:97)
at com.caucho.network.listen.ConnectionTask.run(ConnectionTask.java:80)
at com.caucho.network.listen.AcceptTask.run(AcceptTask.java:59)
at com.caucho.env.thread.ResinThread.runTasks(ResinThread.java:164)
at com.caucho.env.thread.ResinThread.run(ResinThread.java:130)
Caused by: org.postgresql.util.PSQLException: ERROR: syntax error at or
near "注射点"
位置:519
at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2062)
at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1795)
at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:479)
at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:367)
at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:271)
at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:92)
at org.hibernate.jdbc.AbstractBatcher.getResultSet(AbstractBatcher.java:208)
at org.hibernate.loader.Loader.getResultSet(Loader.java:1812)
at org.hibernate.loader.Loader.doQuery(Loader.java:697)
at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:259)
at org.hibernate.loader.Loader.doList(Loader.java:2232)
at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2129)
at org.hibernate.loader.Loader.list(Loader.java:2124)
at org.hibernate.loader.custom.CustomLoader.list(CustomLoader.java:312)
at org.hibernate.impl.SessionImpl.listCustomQuery(SessionImpl.java:1723)
at org.hibernate.impl.AbstractSessionImpl.list(AbstractSessionImpl.java:165)
at org.hibernate.impl.SQLQueryImpl.list(SQLQueryImpl.java:175)
at org.hibernate.impl.AbstractQueryImpl.uniqueResult(AbstractQueryImpl.java:835)
at com.tj.dao.BaseDaoHib$7.doInHibernate(BaseDaoHib.java:250)
at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:406)
at org.springframework.orm.hibernate3.HibernateTemplate.execute(HibernateTemplate.java:339)
at com.tj.dao.BaseDaoHib.getCountByNativeSQL(BaseDaoHib.java:244)
at com.tj.dao.BaseDaoHib.getPageInfo(BaseDaoHib.java:547)
at com.tj.service.PVService.getProObject(PVService.java:904)
at com.tj.service.PVService.access$0(PVService.java:712)
at com.tj.service.PVService$1.getObject(PVService.java:1088)
at com.tj.util.CacheUtilMem.autoCach(CacheUtilMem.java:154)
at com.tj.util.CacheUtilMem.autoCach(CacheUtilMem.java:143)
at com.tj.service.PVService.getCommonActionData(PVService.java:1082)
at com.tj.action.Common.getMetaAction(Common.java:346)
at sun.reflect.GeneratedMethodAccessor273.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:119)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:96)
at com.caucho.server.dispatch.ServletFilterChain.doFilter(ServletFilterChain.java:109)
at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:156)
at com.caucho.server.webapp.AccessLogFilterChain.doFilter(AccessLogFilterChain.java:95)
at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:287)
at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:811)
at com.caucho.network.listen.TcpSocketLink.dispatchRequest(TcpSocketLink.java:1186)
at com.caucho.network.listen.TcpSocketLink.handleRequest(TcpSocketLink.java:1148)
at com.caucho.network.listen.TcpSocketLink.handleRequestsImpl(TcpSocketLink.java:1132)
at com.caucho.network.listen.TcpSocketLink.handleRequests(TcpSocketLink.java:1055)
at com.caucho.network.listen.TcpSocketLink.handleAcceptTask(TcpSocketLink.java:903)
at com.caucho.network.listen.AcceptTask.doTask(AcceptTask.java:74)
at com.caucho.network.listen.ConnectionTask.runThread(ConnectionTask.java:97)
at com.caucho.network.listen.ConnectionTask.run(ConnectionTask.java:80)
at com.caucho.network.listen.AcceptTask.run(AcceptTask.java:59)
at com.caucho.env.thread.ResinThread.runTasks(ResinThread.java:164)
at com.caucho.env.thread.ResinThread.run(ResinThread.java:130)
--------------------------------------------------------------------------------
Resin/4.0.20 Server: 'default'


Look at this line first:
[show] org.postgresql.util.PSQLException: ERROR: syntax error at or near "注射点"
位置:519


The exception is thrown as org.postgresql.util.PSQLException, so the application uses the PostgreSQL JDBC driver.


Then look carefully at the Servlet exception in the middle: it seems they don't use the common Struts or WebWork frameworks but Spring MVC directly. Did the Struts2 remote code execution vulnerabilities scare them off? Haha!
Plus Hibernate 3.


Resin/4.0.20 Server: 'default'
And the Resin container!


No offence intended, just idle ranting! Haha!
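The SQL echoed in the error shows the filter value spliced straight into the text of a native count query (the trace enters it through BaseDaoHib.getCountByNativeSQL). The following is an added example, not the vendor's code, that puts that shape next to the bind-parameter form on Hibernate 3's SQLQuery; the table and column names come from the SQL in the error above, while the class and method names are assumptions.

```java
import org.hibernate.SQLQuery;
import org.hibernate.Session;

/** Hypothetical DAO; only the table/column names are taken from the leaked SQL. */
public class UrlTopDao {

    /** Vulnerable shape, as the error page reveals it: the filter value is glued into the SQL text.
     *  A single quote in key ends the string literal, which is exactly the syntax error in the trace. */
    static String vulnerableCountSql(String prod, String day, String key) {
        return "select count(*) from t_stat_url_top where prod_code = '" + prod
             + "' and tuiguang = '-' and day_time = '" + day
             + "' and url like '%" + key + "%'";
    }

    /** Hardened shape: the SQL text is constant; every user value travels as a bind parameter. */
    private static final String COUNT_SQL =
          "select count(*) from t_stat_url_top "
        + "where prod_code = :prod and tuiguang = :tg and day_time = :day "
        + "and url like :pattern";

    /** Escape LIKE wildcards so the filter value matches literally (PostgreSQL's default
     *  LIKE escape character is backslash). This is about matching, not injection: the
     *  bind parameter already prevents the value from being parsed as SQL. */
    static String likeLiteral(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    static long countByFilter(Session session, String prod, String day, String key) {
        SQLQuery q = session.createSQLQuery(COUNT_SQL);
        q.setString("prod", prod);
        q.setString("tg", "-");
        q.setString("day", day);
        q.setString("pattern", "%" + likeLiteral(key) + "%");
        // count(*) is a bigint on PostgreSQL; Hibernate hands it back as a Number subtype.
        Number n = (Number) q.uniqueResult();
        return n == null ? 0L : n.longValue();
    }
}
```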


Fix recommendation:


Internal systems that are exposed to the outside need attention to security too! (The Olympics are almost over and the TV still hasn't arrived!)

Copyright: please credit shine@乌云 (WooYun) when reposting
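The stack trace and the full SQL reached the browser because the exception escaped the DispatcherServlet and Resin rendered its default error page. Below is an added example, not the project's code, of a Spring MVC HandlerExceptionResolver that stops the chain inside the application, logs it server-side under a reference id and returns an opaque page; the class name and the view name error/generic are assumptions.

```java
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.web.servlet.HandlerExceptionResolver;
import org.springframework.web.servlet.ModelAndView;

/**
 * Hypothetical resolver. Declared as a bean in the Spring MVC context; the DispatcherServlet
 * detects HandlerExceptionResolver beans by type and consults them before letting an
 * exception propagate to the servlet container (where Resin would print the stack).
 */
public class OpaqueErrorResolver implements HandlerExceptionResolver {

    private static final Log log = LogFactory.getLog(OpaqueErrorResolver.class);

    public ModelAndView resolveException(HttpServletRequest request,
                                         HttpServletResponse response,
                                         Object handler, Exception ex) {
        // The reference id lets an operator find the complete cause chain
        // (Spring -> Hibernate -> PSQLException, including the SQL) in the server log,
        // while nothing from that chain is written to the client.
        String ref = UUID.randomUUID().toString();
        log.error("ref=" + ref + " uri=" + request.getRequestURI()
                  + " handler=" + handler, ex);

        response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        // Returning a non-null ModelAndView ends resolution: the container never sees ex.
        ModelAndView mav = new ModelAndView("error/generic");
        mav.addObject("ref", ref);   // the view renders only this id and a generic message
        return mav;
    }
}
```

Pair it with an error-page entry for status 500 in web.xml so that anything raised outside the DispatcherServlet (filters, JSP compilation) also gets a static page instead of Resin's default one.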


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2012-08-08 11:31

Vendor reply:

Sigh, there have been a lot of problems lately, we are truly sorry. The business unit has been notified to handle it. We will also audit all our systems to avoid this kind of issue. Thanks again.

Latest status:

None yet


Comments

  1. 2012-08-08 15:04 | 风萧萧 (certified white hat; core white hat | Rank:1020 | vulnerabilities: 76 | "Everyone has to fall seriously in love with someone once in their life")

    @乐视网 @shine You two, any gifts? I'll give you a surprise!

  2. 2012-08-08 15:56 | shine (certified white hat; regular white hat | Rank:831 | vulnerabilities: 77 | coder)

    @风萧萧 Not sure whether there are any? They seem rather busy internally right now. The company is quite energetic, with many applications but not much order, so the problems pile up! Haha!