
Vulnerability summary (followers: 24)

Defect ID: wooyun-2014-057921

Title: Youku SQL injection + assorted sensitive information leaks

Vendor: 优酷 (Youku)

Author: 卡卡

Submitted: 2014-04-21 11:44

Fix deadline: 2014-06-05 11:44

Published: 2014-06-05 11:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-04-21: Details sent to the vendor, awaiting vendor response
2014-04-21: Vendor confirmed; details disclosed to the vendor only
2014-05-01: Details disclosed to core white hats and relevant domain experts
2014-05-11: Details disclosed to regular white hats
2014-05-21: Details disclosed to intern white hats
2014-06-05: Details disclosed to the public

Brief description:

The internet cafe had no free machines just now, so I grabbed a primary-school kid's machine. He said he'd press my head onto the keyboard. Me: hahahaha, as if you could fjdnxsbhsdjncbsbdhxbbsjwfujdjwjdshckhlnvsldkhl

Detailed description:

SQL injection:
Injectable URL:

http://volvocars.youku.com/api/staples/video-box.php?vid=XNDY5NDUxNDM2


The vid parameter is not filtered, which results in SQL injection.
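The flaw is the classic one: the vid value is spliced into the query text. The following is an added example, not code from the report or from Youku; it models the endpoint's logic in Python with sqlite3, showing the concatenating version beside a hardened one that allowlists the id format and binds it as a parameter. The table, its columns and the sample rows are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for the events database (table and
# column names are assumptions, not Youku's schema).
SAMPLE_VIDEOS = [
    ("XNDY5NDUxNDM2", "Volvo campaign clip", 1),   # published
    ("XMTIzNDU2Nzg5", "Unpublished draft", 0),     # must never be returned
]

# Youku video ids as seen in the URL above are base64-like: an 'X' followed by
# letters and digits only. An allowlist this strict leaves no room for quotes
# or SQL syntax.
VID_PATTERN = re.compile(r"^X[A-Za-z0-9]{6,32}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE videos (vid TEXT PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO videos VALUES (?, ?, ?)", SAMPLE_VIDEOS)
    return conn


def video_box_vulnerable(conn, vid):
    """Same defect as described on the page: vid is concatenated into the SQL."""
    sql = "SELECT vid, title FROM videos WHERE vid = '" + vid + "' AND published = 1"
    return conn.execute(sql).fetchall()


def video_box_hardened(conn, vid):
    """Reject anything outside the id format, then bind the value as a parameter.

    Returns None for a rejected id (the handler should answer 400), otherwise
    the matching published rows. The parameter can never alter the statement.
    """
    if not VID_PATTERN.match(vid):
        return None
    sql = "SELECT vid, title FROM videos WHERE vid = ? AND published = 1"
    return conn.execute(sql, (vid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR 1=1 --"  # comments out the 'published = 1' condition
    print("vulnerable:", video_box_vulnerable(db, tampered))  # leaks the draft too
    print("hardened:  ", video_box_hardened(db, tampered))    # None: rejected
```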



Databases:

available databases [3]:
[*] db_events
[*] information_schema
[*] test


Current database: db_events
Tables:

Database: db_events
[242 tables]


242 tables; it is not hard to see how much information is in there.
This was only a test, so I did not go any further.
SVN leak:

http://open.youku.com/docs/.svn/entries


http://open.youku.com/assets/.svn/entries



phpinfo:

http://trt.youku.com/index.php



Proof of vulnerability:



Fix recommendation:

You know what to do~~

Copyright notice: when reposting, please credit the source: 卡卡@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2014-04-21 11:46

Vendor reply:

Fixing it, thanks for the heads-up

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-05-15 15:27 | _Evil ( Regular white hat | Rank: 418 | Vulnerabilities: 59 | Nothing to it but practice. Even farmers can code, don't count on ...)

    Youku, all entertainment

  2. 2014-06-05 11:56 | noob ( Intern white hat | Rank: 81 | Vulnerabilities: 18 | Learning from the masters, saluting the masters)

    OP, 20 years of professionally bullying primary-school kids, only ¥500, great value! PM me if interested!

  3. 2014-06-05 12:43 | f4ckbaidu ( Regular white hat | Rank: 182 | Vulnerabilities: 23 | Development is a damn nightmare)

    Just now some loser came over and tried to grab my machine; without a word I shoved the idiot's head onto the keyboard and gave him a good time, hahaha

  4. 2014-06-05 14:09 | bey0nd ( Regular white hat | Rank: 895 | Vulnerabilities: 142 | Better to huddle together than to forget each other in the wide world)

    Just now some loser came over and tried to grab my machine; without a word I shoved the idiot's head onto the keyboard and gave him a good time, hahaha