当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0137386

漏洞标题:中国联通某站基于SQL时间盲注+上万用户宽带帐号泄漏(DBA权限+18库)

相关厂商:中国联通

漏洞作者: 0x 80

提交时间:2015-08-29 15:37

修复时间:2015-10-15 17:58

公开时间:2015-10-15 17:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-29: 细节已通知厂商并且等待厂商处理中
2015-08-31: 厂商已经确认,细节仅向厂商公开
2015-09-10: 细节向核心白帽子及相关领域专家公开
2015-09-20: 细节向普通白帽子公开
2015-09-30: 细节向实习白帽子公开
2015-10-15: 细节向公众公开

简要描述:

中国联通某站基于SQL时间盲注+上万用户宽带帐号泄漏(DBA权限+18库)

详细说明:

http://iposs.sdinfo.net/ldims/szxAssess/szxAssessAction!queryPon.action?city_id=08000104&successFlag=0&statsDate=2015-04-01&endDate=2015-04-30

4576.png


可以看到endDate参数,是从2015-04-01到2015-04-30查询在,那么我们可以在源代码中看到

<thead>
	<tr>
		<td class="title_1" colspan="13">
			<div align="right">
				<a href="${request.contextPath}/szxAssess/szxAssessAction!exportPonSuc.action?city_id=08000104&successFlag=0&statsDate=2015-04-01&endDate=2015-04-30">
				<b>导出工单为excel</b></a>
			</div>
		</td>
	</tr>


我们来对ID进行修改
和对endDate参数修改
日期提前4个月
http://iposs.sdinfo.net/ldims/szxAssess/szxAssessAction!queryPon.action?city_id=08000106&successFlag=0&statsDate=2015-01-01&endDate=2015-05-05

325.png


宁阳局 	08091150101010105 	15-1-1 15:40:21.000 	053800374022 	10.212.9.46 	1 	0 	4 	1 		TA00053493 		处理工单j1420098021411430171911978(08091150101010105)时[EPON注册ONU(HGU)]=device operation failed ErrorCode: 2689018273;
宁阳局 	08091150101011182 	15-1-1 16:35:16.000 	053800751178 	10.212.9.4 	1 	0 	7 	2 	10.127.1.176 	TA00053643 		处理工单j14201013163586612061930315(08091150101011182)时[注册ONU]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150103005104 	15-1-3 12:36:44.000 	ny091028 	10.212.9.5 	1 	0 	6 	6 	10.127.130.147 	TA00055866 		处理工单j14202598047686841234153920(08091150103005104)时[注册ONU]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150103005485 	15-1-3 13:19:58.000 	053800780701 	10.212.9.32 	1 	0 	3 	3 			TA00055889 	处理工单j14202623993320971135142614(08091150103005485)时[GPON注册ONU(HGU)]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150108015893 	15-1-9 9:13:32.000 	053800786296 	10.212.9.7 	1 	0 	4 	0 		TA00066933 		处理工单j14207660129905471284920127(08091150108015893)时[EPON注册ONU(HGU)]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150109000533 	15-1-9 9:16:56.000 	ta15029097 	10.212.9.15 	1 	0 	18 	3 	10.127.41.186 		TA00067187 	处理工单j1420766216422762449027549(08091150109000533)时[GPON注册ONU]=device operation failed ErrorCode: 2689018273;
宁阳局 	08091150109007180 	15-1-9 11:42:22.000 	ta00011646 	10.212.9.5 	1 	0 	3 	2 	10.127.128.220 	TA00068236 		处理工单j14207749425835761556473041(08091150109007180)时[注册ONU]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150109009002 	15-1-9 13:38:58.000 	053800607846 	10.212.9.32 	1 	0 	3 	7 	10.128.0.5 		TA00068401 	处理工单j1420781938190439410435405(08091150109009002)时[GPON注册ONU]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150110013956 	15-1-10 15:53:44.000 	053800568918 	10.212.9.15 	1 	0 	18 	1 	10.127.36.234 		TA00069861 	处理工单j1420946988716361845468786(08091150110013956)时[GPON注册ONU]=resource is already exist ErrorCode: 1613561879;
宁阳局 	08091150111002596 	15-1-11 11:34:21.000 	053800615127 	10.212.9.36 	1 	0 	4 	6 			TA00070421 	处理工单j14209472612593761166090011(08091150111002596)时[GPON注册ONU(HGU)]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150111007094 	15-1-11 13:33:05.000 	053800743045 	10.212.9.36 	1 	0 	4 	6 			TA00070867 	处理工单j1420954385029862986789156(08091150111007094)时[GPON注册ONU(HGU)]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150111007248 	15-1-11 13:37:50.000 	ta15034168 	10.212.9.36 	1 	0 	4 	7 			TA00070877 	处理工单j1420954670511013676861807(08091150111007248)时[GPON注册ONU(HGU)]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150111010617 	15-1-11 15:18:46.000 	13082778902@e 	10.212.9.36 	1 	0 	4 	7 			TA00071184 	处理工单j14209607266395652078506099(08091150111010617)时[GPON注册ONU(HGU)]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150111016707 	15-1-12 10:45:02.000 	053800780537 	10.212.9.32 	1 	0 	4 	0 			TA00071809 	处理工单j14210307021999071930091560(08091150111016707)时[GPON注册ONU(HGU)]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150112016448 	15-1-12 16:05:59.000 	053800593406 	10.212.9.33 	1 	0 	1 	4 		TA00072886 		处理工单j14210499594985612035854299(08091150112016448)时[EPON注册ONU(HGU)]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150113015959 	15-1-13 16:04:24.000 	053800625179 	10.212.9.15 	1 	0 	18 	5 	10.127.42.240 		TA00073960 	处理工单j14211550030544762133428768(08091150113015959)时[GPON注册ONU]=resource is already exist ErrorCode: 1613561879;
宁阳局 	08091150114008900 	15-1-14 13:57:23.000 	053800457376 	10.212.9.8 	1 	0 	6 	6 			TA00075665 	处理工单j14212174611031632000530746(08091150114008900)时[GPON注册ONU(HGU)]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150114011158 	15-1-14 15:04:32.000 	053800483318 	10.212.9.15 	1 	0 	18 	5 	10.127.43.50 		TA00076002 	处理工单j1421223245508079449198458(08091150114011158)时[GPON注册ONU]=device operation failed ErrorCode: 2689018273;
宁阳局 	08091150114014231 	15-1-14 16:31:33.000 	053800787037 	10.212.9.23 	1 	0 	2 	5 			TA00076514 	处理工单j1421224293366977633202947(08091150114014231)时[GPON注册ONU(HGU)]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150114015300 	15-1-14 17:04:13.000 	ta000012757 	10.212.9.9 	1 	0 	3 	0 	10.215.46.153 	TA00076666 		处理工单j1421226253408777147533449(08091150114015300)时[注册ONU]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150115001518 	15-1-15 8:54:17.000 	053800617685 	10.212.9.15 	1 	0 	18 	5 	10.127.34.194 		TA00076981 	处理工单j14213124134106991917305981(08091150115001518)时[GPON注册ONU]=resource conflict(ONUID) ErrorCode: 2688880284;
宁阳局 	08091150116011310 	15-1-16 14:50:44.000 	ta10082928 	10.212.9.15 	1 	0 	18 	7 	10.127.43.237 		TA00079216 	处理工单j1421396443502977570240349(08091150116011310)时[GPON注册ONU]=resource is already exist ErrorCode: 1613561879;
宁阳局 	08091150118005695 	15-1-18 11:31:38.000 	053800780701 	10.212.9.32 	1 	0 	3 	7 			TA00081788 	处理工单j14215518983093952139984211(08091150118005695)时[GPON注册ONU(HGU)]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150119003112 	15-1-19 9:46:59.000 	ta10018818 	10.212.9.38 	1 	0 	5 	3 		TA00082712 		处理工单j14216320193528541119108354(08091150119003112)时[EPON注册ONU(HGU)]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150120001405 	15-1-20 9:03:46.000 	ta11086998 	10.212.9.8 	1 	0 	14 	5 			TA00084811 	处理工单j1421716623971305702407452(08091150120001405)时[GPON注册ONU(HGU)]=resource is already exist ErrorCode: 1613561879;
宁阳局 	08091150121001116 	15-1-21 8:50:53.000 	053800788667 	10.212.9.12 	1 	0 	2 	3 	10.128.192.53 	TA00086006 		处理工单j14218014536928561756996798(08091150121001116)时[注册ONU]=resource conflict(ONUNO) ErrorCode: 2688880284;
宁阳局 	08091150121006719 	15-1-21 12:44:41.000 	053800791411 	10.212.9.7 	1 	0 	14 	0 		TA00086326 		处理工单j142181548196623069929843(08091150121006719)时[EPON注册ONU(HGU)]=device operation failed ErrorCode: 2689018273;
宁阳局 	08091150122010408 	15-1-22 14:14:39.000 	053800790147 	10.212.9.61 	1 	0 	2 	4 	10.151.224.22 	TA00088721 		处理工单j14219076222286771588122949(08091150122010408)时[注册ONU]=resource does not exist ErrorCode: 2686058552;
宁阳局 	08091150122010575 	15-1-22 14:20:55.000 	053800790132 	10.212.9.61 	1 	0 	2 	3 		TA00088752 		处理工单j1421907655832382495820703(08091150122010575)时[EPON注册ONU(HGU)]=resource does not exist ErrorCode: 2686058552;
宁阳局 	08091150122011985 	15-1-22 15:11:40.000 	053800771701 	10.212.9.15 	1 	0 	11 	2 	10.127.45.93 		TA00088934 	处理工单j1421975573246999663370845(08091150122011985)时接收数据超时。


5647.png


http://iposs.sdinfo.net/ldims/szxAssess/szxAssessAction!queryLanAdsl.action?city_id=10&jr_type=3&successFlag=0&statsDate=2013-04-01&endDate=2015-04-06

7568.png


注入SQL:基于时间盲注
http://iposs.sdinfo.net/ldims/szxAssess/szxAssessAction!queryLanAdsl.action?city_id=08&jr_type=4&successFlag=0&statsDate=2012-11-01&endDate=2012-11-23
endDate参数与city_id参数分别存在注入

56.png


DBA权限

456.png


34.png


44.png


漏洞证明:

http://iposs.sdinfo.net/ldims/szxAssess/szxAssessAction!queryLanAdsl.action?city_id=08&jr_type=4&successFlag=0&statsDate=2012-11-01&endDate=2012-11-23


546.png

修复方案:

版权声明:转载请注明来源 0x 80@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-08-31 17:57

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT向中国联通集团公司通报,由其后续协调网站管理单位处置。

最新状态:

暂无