Vulnerability summary

Defect ID: wooyun-2015-0137386

Title: A China Unicom site has time-based blind SQL injection plus leakage of tens of thousands of users' broadband accounts (DBA privileges, 18 databases)

Affected vendor: China Unicom

Author: 0x 80

Submitted: 2015-08-29 15:37

Fixed: 2015-10-15 17:58

Published: 2015-10-15 17:58

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-29: Details sent to the vendor, awaiting vendor handling
2015-08-31: Vendor has confirmed; details visible to the vendor only
2015-09-10: Details disclosed to core white hats and domain experts
2015-09-20: Details disclosed to regular white hats
2015-09-30: Details disclosed to intern white hats
2015-10-15: Details disclosed to the public

Brief description:

A China Unicom site has time-based blind SQL injection plus leakage of tens of thousands of users' broadband accounts (DBA privileges, 18 databases)

Detailed description:

http://iposs.sdinfo.net/ldims/szxAssess/szxAssessAction!queryPon.action?city_id=08000104&successFlag=0&statsDate=2015-04-01&endDate=2015-04-30

[Screenshot: 4576.png]


The endDate parameter is visible here: this query covers 2015-04-01 to 2015-04-30. Looking at the page source we find:

<thead>
<tr>
<td class="title_1" colspan="13">
<div align="right">
<a href="${request.contextPath}/szxAssess/szxAssessAction!exportPonSuc.action?city_id=08000104&successFlag=0&statsDate=2015-04-01&endDate=2015-04-30">
<b>导出工单为excel</b></a>
</div>
</td>
</tr>


We now modify the city ID and the endDate parameter, moving the date 4 months earlier, and the page returns the work-order records for that branch:
http://iposs.sdinfo.net/ldims/szxAssess/szxAssessAction!queryPon.action?city_id=08000106&successFlag=0&statsDate=2015-01-01&endDate=2015-05-05

[Screenshot: 325.png]




[Screenshot: 5647.png]


http://iposs.sdinfo.net/ldims/szxAssess/szxAssessAction!queryLanAdsl.action?city_id=10&jr_type=3&successFlag=0&statsDate=2013-04-01&endDate=2015-04-06

[Screenshot: 7568.png]


SQL injection: time-based blind
http://iposs.sdinfo.net/ldims/szxAssess/szxAssessAction!queryLanAdsl.action?city_id=08&jr_type=4&successFlag=0&statsDate=2012-11-01&endDate=2012-11-23
The endDate and city_id parameters are each injectable.

[Screenshot: 56.png]


DBA privileges

[Screenshot: 456.png]


[Screenshot: 34.png]


[Screenshot: 44.png]
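As an added defensive illustration that is not part of the original report: the city_id, statsDate and endDate parameters described above are validated by type and bound as query parameters instead of being concatenated into SQL, and city_id is additionally checked against the branches the caller is allowed to see, since the report also shows that simply changing city_id exposed another branch's work orders. The table and column names are constructed; the real iposs schema is not given on the page.

```python
import re
import sqlite3
from datetime import date

# Constructed table/column names; the real iposs schema is not given in the report.
_CITY_ID_RE = re.compile(r"\d{2,8}")
_ISO_DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def parse_iso_date(value):
    """Accept only a bare YYYY-MM-DD string; quotes, comments, function calls or
    alternative ISO spellings are rejected before the value reaches the database."""
    if not _ISO_DATE_RE.fullmatch(value):
        raise ValueError("malformed date: %r" % value)
    return date.fromisoformat(value)  # also rejects impossible dates such as 2015-13-40


def query_pon(conn, city_id, stats_date, end_date, allowed_cities):
    """Return (worksheet_id, stats_date) rows for one branch over a date range.
    allowed_cities is the set of city_id values the logged-in user may query; the
    original endpoint accepted any city_id, which is how other branches' records
    were exposed even before the injection was used."""
    if not _CITY_ID_RE.fullmatch(city_id) or city_id not in allowed_cities:
        raise PermissionError("city_id %r not permitted for this user" % city_id)
    start, end = parse_iso_date(stats_date), parse_iso_date(end_date)
    if end < start:
        raise ValueError("endDate precedes statsDate")
    # Bound parameters: values travel separately from the SQL text, so nothing in the
    # request can alter the statement or introduce a timing primitive.
    sql = ("SELECT worksheet_id, stats_date FROM pon_worksheet "
           "WHERE city_id = ? AND stats_date BETWEEN ? AND ? ORDER BY stats_date")
    return conn.execute(sql, (city_id, start.isoformat(), end.isoformat())).fetchall()


def request_outcome(conn, city_id, stats_date, end_date, allowed_cities):
    """Wrap query_pon the way a request handler would: (HTTP status, rows)."""
    try:
        return 200, query_pon(conn, city_id, stats_date, end_date, allowed_cities)
    except PermissionError:
        return 403, []
    except ValueError:
        return 400, []


def demo_db():
    """Constructed in-memory sample data: two branches, three work orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pon_worksheet (worksheet_id TEXT, city_id TEXT, stats_date TEXT)")
    conn.executemany("INSERT INTO pon_worksheet VALUES (?, ?, ?)", [
        ("W1", "08000104", "2015-04-10"),
        ("W2", "08000104", "2015-05-02"),
        ("W3", "08000106", "2015-04-12"),
    ])
    return conn
```

A request for a city outside the user's allowed set gets 403 before any SQL runs, and a date that is not a plain YYYY-MM-DD gets 400, so a time-based probe on endDate never reaches the database.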


Proof of vulnerability:

http://iposs.sdinfo.net/ldims/szxAssess/szxAssessAction!queryLanAdsl.action?city_id=08&jr_type=4&successFlag=0&statsDate=2012-11-01&endDate=2012-11-23


[Screenshot: 546.png]

Fix recommendation:

Copyright notice: when reposting, credit the source 0x 80@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-08-31 17:57

Vendor reply:

CNVD has confirmed and reproduced the described vulnerability; it has been passed to CNCERT to notify China Unicom Group, which will coordinate handling with the site's operating unit.

Latest status:

None yet


Vulnerability assessment:

Comments

  1. 2015-08-27 15:51 | 牛 小 帅 ( Regular white hat | Rank:407 Vulnerabilities:94 | What crap love is, life is already a mess! In a person's life,...)

    Time-based blind injection, learning.

  2. 2015-08-28 08:47 | prolog ( Regular white hat | Rank:567 Vulnerabilities:108 | Keeping a low profile, seeking growth)

    Prolific!

  3. 2015-08-31 18:16 | -路人甲- ( Passer-by | Rank:11 Vulnerabilities:4 | What's yours is mine, what's mine is still mine, and taking it wouldn't help you anyway.)

    Good thing it's not Unicom broadband. Scared me to death.