当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-065907

漏洞标题:中国气象局某站存在未授权访问#越权#注入#上传#敏感信息泄露

相关厂商:中国气象局

漏洞作者: 乐乐、

提交时间:2014-06-23 10:36

修复时间:2014-08-07 10:38

公开时间:2014-08-07 10:38

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-06-23: 细节已通知厂商并且等待厂商处理中
2014-06-27: 厂商已经确认,细节仅向厂商公开
2014-07-07: 细节向核心白帽子及相关领域专家公开
2014-07-17: 细节向普通白帽子公开
2014-07-27: 细节向实习白帽子公开
2014-08-07: 细节向公众公开

简要描述:

每周一都是一个让人想死的日子

详细说明:

http://grid.cma.gov.cn

//这个站存在的问题多了去了 我能力有限也就那样了
NEW FILE //服务器上的信息泄露 总感觉这里能有个什么突破

http://grid.cma.gov.cn/cmag/trac/newticket?reporter=anonymous&summary=AssertionError%3A+Session+ID+not+set&description=%3D%3D%3D%3D+How+to+Reproduce+%3D%3D%3D%3D%0D%0A%0D%0AWhile+doing+a+POST+operation+on+%60%2Fprefs%2Fadvanced%60%2C+Trac+issued+an+internal+error.%0D%0A%0D%0A%27%27%28please+provide+additional+details+here%29%27%27%0D%0A%0D%0ARequest+parameters%3A%0D%0A{{{%0D%0A{%27__FORM_TOKEN%27%3A+u%27519a024571067c73f538aa5f%27%2C%0D%0A+%27action%27%3A+u%27save%27%2C%0D%0A+%27loadsid%27%3A+u%27%27%2C%0D%0A+%27newsid%27%3A+u%27fbcdb1e8daf790312eaf0c26%27%2C%0D%0A+%27panel_id%27%3A+u%27advanced%27%2C%0D%0A+%27restore%27%3A+u%27\u8f7d\u5165%27}%0D%0A}}}%0D%0A%0D%0AUser+agent%3A+%60Mozilla%2F5.0+%28Windows+NT+6.1%3B+rv%3A30.0%29+Gecko%2F20100101+Firefox%2F30.0%60%0D%0A%0D%0A%3D%3D%3D%3D+System+Information+%3D%3D%3D%3D%0D%0A%E7%B3%BB%E7%BB%9F%E4%BF%A1%E6%81%AF%E4%B8%8D%E5%8F%AF%E7%94%A8%0D%0A%0D%0A%3D%3D%3D%3D+Enabled+Plugins+%3D%3D%3D%3D%0D%0A%E6%8F%92%E4%BB%B6%E4%BF%A1%E6%81%AF%E4%B8%8D%E5%8F%AF%E7%94%A8%0D%0A%0D%0A%3D%3D%3D%3D+Python+Traceback+%3D%3D%3D%3D%0D%0A{{{%0D%0ATraceback+%28most+recent+call+last%29%3A%0D%0A++File+%22%2Fusr%2Flib%2Fpython2.6%2Fsite-packages%2FTrac-0.12.1-py2.6.egg%2Ftrac%2Fweb%2Fmain.py%22%2C+line+511%2C+in+_dispatch_request%0D%0A++++dispatcher.dispatch%28req%29%0D%0A++File+%22%2Fusr%2Flib%2Fpython2.6%2Fsite-packages%2FTrac-0.12.1-py2.6.egg%2Ftrac%2Fweb%2Fmain.py%22%2C+line+237%2C+in+dispatch%0D%0A++++resp+%3D+chosen_handler.process_request%28req%29%0D%0A++File+%22%2Fusr%2Flib%2Fpython2.6%2Fsite-packages%2FTrac-0.12.1-py2.6.egg%2Ftrac%2Fprefs%2Fweb_ui.py%22%2C+line+77%2C+in+process_request%0D%0A++++template%2C+data+%3D+chosen_provider.render_preference_panel%28req%2C+panel_id%29%0D%0A++File+%22%2Fusr%2Flib%2Fpython2.6%2Fsite-packages%2FTrac-0.12.1-py2.6.egg%2Ftrac%2Fprefs%2Fweb_ui.py%22%2C+line+97%2C+in+render_preference_panel%0D%0A++++self._do_load%28req%29%0D%0A++File+%22%2Fusr%2Flib%2Fpython2.6%2Fsite-packages%2FTrac-0.12.1-py2.6.egg%2Ftrac%2Fprefs%2Fweb_ui.py%22%2C+line+148%2C+in+_do_load%0D%0A++++req.session.get_session%28oldsid%29%0D%0A++File+%22%2Fusr%2Flib%2Fpython2.6%2Fsite-packages%2FTrac-0.12.1-py2.6.egg%2Ftrac%2Fweb%2Fsession.py%22%2C+line+189%2C+in+get_session%0D%0A++++self.bake_cookie%28%29%0D%0A++File+%22%2Fusr%2Flib%2Fpython2.6%2Fsite-packages%2FTrac-0.12.1-py2.6.egg%2Ftrac%2Fweb%2Fsession.py%22%2C+line+170%2C+in+bake_cookie%0D%0A++++assert+self.sid%2C+%27Session+ID+not+set%27%0D%0AAssertionError%3A+Session+ID+not+set%0D%0A}}}&create=%E5%88%9B%E5%BB%BA#


1.png


2.png


这套系统根本不用登陆 直接就可以进行 各种操作

http://grid.cma.gov.cn/cmag/portal/guest/52/r/


QQ截图20140623093459.png


.png


.png


upload file // 这算是越权还是未授权

 可上传附件.png


 可上传附件2.png


 可上传附件3.png


.png


疑似sql盲注 //登陆框那里

http://grid.cma.gov.cn/cmag/portal/guest/home/r/


.png

漏洞证明:

QQ截图20140623093459.png

修复方案:

你们更专业

版权声明:转载请注明来源 乐乐、@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-06-27 22:30

厂商回复:

CNVD确认并复现所述子站漏洞情况,已经转由CNCERT尝试通过已经有联系渠道联系网站管理单位,后续也将上报国家信息安全协调机构。

最新状态:

暂无