
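Vulnerability Summary

Bug ID: wooyun-2015-0165545

Title: SQL injection and deserialization vulnerabilities in a broadcast and television network (SYSTEM privileges)

Related vendor: cncert (National Internet Emergency Center)

Author: 帅克笛枫

Submitted: 2015-12-29 15:14

Fixed: 2016-02-12 18:49

Disclosed: 2016-02-12 18:49

Vulnerability type: Command execution

Severity: High

Self-assessed Rank: 15

Status: Handed to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]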



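Vulnerability Details

Disclosure status:

2015-12-29: Details reported to the vendor; awaiting vendor handling
2016-01-05: Vendor confirmed; details disclosed to the vendor only
2016-01-15: Details disclosed to core white hats and experts in related fields
2016-01-25: Details disclosed to regular white hats
2016-02-04: Details disclosed to intern white hats
2016-02-12: Details disclosed to the public

Brief description:

~Never blaming fate for its mistakes
Not afraid of the many bumps on the road
Heading for that place in my dreams
Even if I'm wrong I won't repent
Life already has plenty of troubles
What does one more matter
Were there no painful moments of parting
You would not cherish me
A thousand mountains and rivers pass beneath my feet
One strand of love I cannot break free from~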

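Detailed description:

Visit http://**.**.**.**/about/company/intro/default.aspx, as shown in the figure:

kg1.png

This is 昆广网络 (Kunguang Network). Visit http://**.**.**.**:8080/oaweb/, as shown in the figure:

kg2.png

The 昆广网络 collaborative office system runs on JBoss middleware and has a deserialization vulnerability, as shown in the figure:

kg3.png

SYSTEM privileges

Proof of vulnerability:

IP information, as shown in the figure:

kg4.png

Ports open on the system, as shown in the figure:

kg5.png

System users, as shown in the figure:

kg6.png

Other machines on the internal network, as shown in the figure:

kg8.png

The login form is injectable: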

POST /oaweb/start.form HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-powerpoint, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://**.**.**.**:8080/oaweb/
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: **.**.**.**:8080
Content-Length: 1074
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=B043C0089E7648705EEA6DB534AF1BCF; Hm_lvt_a491a9311541b8db6c1e2fbd00fa3bcf=1451222240,1451302637; Hm_lpvt_a491a9311541b8db6c1e2fbd00fa3bcf=1451302637; orgCode=O=ypgc; orgName=昆广网络; unitName=综合管理部; unitCode=OU=bgs/O=ypgc; userCode=U=xuyinglun/O=ypgc; userName=徐英伦; loginType=loginByName
t%3Aformdata=H4sIAAAAAAAAAKVTT0gUYRR%2FLa2ZblpBeSo62KGg0XFXZ9eS2BQjWNxoK%2BgU33zz7TQyO980822rlyBIIcKyKNKQJDp0SLtk%2F1jEgwcJoUvXLoH7J6hLQacOvdnZzVIJpMsw7%2Ff%2B%2FN57v%2FfNfIVgbic0pQRxRHfWZQ7lGnMd6OaOLhGb0EtMEsRmrnCGJcodZhqqpBKXSXEVMUJFv8FMrTXFRNaOU2Fw6%2BC5xcZPe5Z%2BBmBLAkIXmckyzBIDJMME7E4MkiukzSSW3pYSjmHpR4dsAfUecy8yb9hL%2FyZ7Oe1wylw3lVUzhutiR35fi8%2B1SPrHo%2FcBgCF7lcgmrpvjjuZehqsA2EsNWB%2FiRQRzu6DZh02uG5YYxoaqqdsryFlENgjyk0PQUMO5jbMd%2BddslGdsbuHyXCmB4a3yhZXZ7%2BnXHx77I6ytFd1MrTPoRhcWEOzdtRahP3h1vapYxaGdJ2Z2jWJJdZBRgYoh2X4sKDGvusQGVSmDUpkeSYZbUtLRv%2ByLL48cWy4FoO4UbHW5IxLQiGpSx7A9MbxtIFl9Omua3mlU7YChVf%2B24TDeRfxh%2Fo4bsgGgQUCoODFaeLtQmr9Tyk8JOIxmceIWIsW7s6V7L8tPR31XcerG58nx8tyTlXy%2BMDJTuP1GwIF4vEsOK3I4ckLpivTF%2BqIxORJrb%2B%2BNdnbEI7IiC6hL9gzbOt1U4f8TOPLNTh86uffZ8Y0E9kYPVb7NAMGP%2BGxC5cmHxZvThbH7K%2FNjOFJUI0xNU6WT0HCsg8oKIVq4PR3u0FRFoSqOFEz2ENPEzNKLfCk%2FXV4YL%2BXn%2FubxCFpyzbDDh7B9C%2FdeO%2FGaDusC%2FPNugtDq87V4LavOMwf4Wncl5xfG08mhgwQAAA%3D%3D&userCode=U%3Dxuyinglun%2FO%3Dypgc&password=123456&loginType=loginByName&orgName=%C0%A5%B9%E3%CD%F8%C2%E7&userNo=


The password parameter is injectable, as shown in the figure:

kg7.png

Fix:

~Fix it~

Copyright notice: when reposting, please credit the source 帅克笛枫@乌云 (WooYun)
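
Added example, not part of the original report and not the affected system's code: a login query built by string concatenation beside the parameter-bound form, fed with constructed form bodies that reuse the userCode and password field names from the request above. The table oa_user, its row, the sample values and the function names are assumptions.

```python
import sqlite3
from urllib.parse import parse_qs

def make_db():
    """Constructed in-memory user table; schema and row are hypothetical.
    The plaintext column exists only so both functions share one table;
    real storage should hold a salted password hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE oa_user (user_code TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO oa_user VALUES (?, ?)", ("U=demo/O=example", "s3cret"))
    return db

def form_fields(body):
    """Decode an application/x-www-form-urlencoded login body into single values."""
    parsed = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}

def login_concat(db, f):
    """Vulnerable pattern: form values are pasted into the SQL text."""
    sql = ("SELECT 1 FROM oa_user WHERE user_code = '" + f["userCode"] +
           "' AND password = '" + f["password"] + "'")
    return db.execute(sql).fetchone() is not None

def login_bound(db, f):
    """Hardened pattern: values are bound as parameters, never parsed as SQL."""
    sql = "SELECT 1 FROM oa_user WHERE user_code = ? AND password = ?"
    return db.execute(sql, (f["userCode"], f["password"])).fetchone() is not None

# Constructed request bodies using the field names from the captured request.
GOOD = "userCode=U%3Ddemo%2FO%3Dexample&password=s3cret&loginType=loginByName"
# Wrong password whose quote characters change the statement when concatenated.
BAD = ("userCode=U%3Ddemo%2FO%3Dexample"
       "&password=x%27+OR+%271%27%3D%271&loginType=loginByName")

def run():
    """Return {case: (concatenated_result, bound_result)} for both bodies."""
    db = make_db()
    return {name: (login_concat(db, form_fields(b)), login_bound(db, form_fields(b)))
            for name, b in (("good", GOOD), ("bad", BAD))}

if __name__ == "__main__":
    print(run())
```

The concatenated query accepts the wrong password because the quote characters become SQL syntax; the bound query compares the same bytes as a literal value and rejects it.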


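Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2016-01-05 15:33

Vendor reply:

CNVD confirmed and reproduced the situation described. It has been passed on by CNCERT to the Yunnan sub-center, which will follow up and coordinate with the organization that manages the website to handle it.

Latest status:

None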