
Another SQL injection in the Comexe RAS Remote Quick Access Solution (no login required, DBA privileges)


Vulnerability summary
Defect ID:        WooYun-2015-124796
Title:        Another SQL injection in the Comexe RAS Remote Quick Access Solution (no login required, DBA privileges)
Vendor:        Shenzhen Comexe Communication Technology Co., Ltd. (深圳市科迈通讯技术有限公司)
Author:        YY-2012
Submitted:        2015-07-08 11:54
Published:        2015-10-08 16:18
Vulnerability type:        SQL injection
Severity:        High
Self-assessed Rank:        20
Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling
Source:        http://www.wooyun.org
Tags: SQL injection

Disclosure status:
2015-07-08:        Details reported to the vendor; awaiting vendor handling
2015-07-10:        Vendor confirmed; details visible to the vendor only
2015-07-13:        Details opened to third-party security partners (NSFOCUS 唐朝安全巡航)
2015-09-03:        Details disclosed to core white hats and domain experts
2015-09-13:        Details disclosed to regular white hats
2015-09-23:        Details disclosed to intern white hats
2015-10-08:        Details disclosed to the public

Brief description: 89 cases.
Details: the injection is in a different file from the one in http://**.**.**.**/bugs/wooyun-2010-0117921.



All versions of the Comexe RAS Remote Quick Access Solution (remote quick application access) are affected.

The SQL injection is reachable without logging in.




POST /server/cmxfolder.php?pgid=AppList&SearchFlag=true&t=1433251155 HTTP/1.1
Content-Length: 118
Content-Type: application/x-www-form-urlencoded
Referer: **.**.**.**:81/
Cookie: PHPSESSID=jb7b826hb3p30jf2rdt17mr8n0; RAS_Client_Style=1; g_LanguageID=cn; RAS_Admin_UserInfo_Domain=aa-ecf4369da2f8; temp_DisplayName=tmtgrnvr; temp_Description=%E5%85%81%E8%AE%B8%E7%94%A8%E6%88%B7%E8%BF%9C%E7%A8%8B%E8%AE%BF%E9%97%AE%E6%AD%A4%E8%AE%A1%E7%AE%97%E6%9C%BA%E4%B8%8A%E7%9A%84%E6%96%87%E4%BB%B6%E5%A4%B9; ErrorInfo=%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E4%BF%A1%E6%81%AF%3A+Parameter+3%3A+%E7%B1%BB%E5%9E%8B%E4%B8%8D%E5%8C%B9%E9%85%8D%E3%80%82%0D%0A+++%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E6%96%87%E4%BB%B6%3A+C%3A%5CProgram+Files%5CComexe%5CRasMini%5Crasweb%5CApache2%5Chtdocs%5Csmarty-2.6.19%5CServer%5CCmxUserGroup.php+%3Cbr+%2F%3E%E9%94%99%E8%AF%AF%E6%89%80%E5%9C%A8%E8%A1%8C%E5%8F%B7%3A+386+%E8%A1%8C%3Cbr+%2F%3E
Host: **.**.**.**:81
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

clear=%e6%b8%85%e7%a9%ba&NMFind=%e6%90%9c%e7%b4%a2&pageNo=&sort=DisplayName&sortType=A&ViewAppFld=1&ViewAppValue=1

Injection parameter: ViewAppFld


Proof of vulnerability:

**.**.**.**:81/CmxDownload.php
**.**.**.**/CmxDownload.php
**.**.**.**:81/CmxDownload.php
**.**.**.**:8888/CmxDownload.php
**.**.**.**:81/CmxDownload.php
**.**.**.**:81/CmxDownload.php
**.**.**.**/CmxDownload.php
**.**.**.**/CmxDownload.php
**.**.**.**:8080/cmxlogin.php?t=14345927739642
**.**.**.**/cmxlogin.php?t=14345719793756
**.**.**.**:8080/CmxDownload.php
http://**.**.**.**:8080/CmxDownload.php
**.**.**.**:81/CmxDownload.php
**.**.**.**:8888/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**:8888/cmxlogin.php?t=13547228176021
**.**.**.**:81/CmxDownload.php
**.**.**.**:81/CmxDownload.php
**.**.**.**:8888/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**/CmxDownload.php
**.**.**.**:8000/cmxlogin.php?t=14344257908105
**.**.**.**:8000/cmxlogin.php?t=14344255806630
**.**.**.**:8000/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**/CmxDownload.php
**.**.**.**:8000/CmxDownload.php
**.**.**.**:8002/CmxDownload.php
**.**.**.**:81/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**:81/cmxlogin.php?t=14343482319389
**.**.**.**:8080/CmxDownload.php
**.**.**.**:81/CmxDownload.php
**.**.**.**:8001/CmxDownload.php
**.**.**.**:8000/cmxlogin.php?t=14343020933433
**.**.**.**/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**/CmxDownload.php
**.**.**.**:8000/cmxlogin.php?t=14342616673483
**.**.**.**:8080/CmxDownload.php
**.**.**.**:81/CmxDownload.php
**.**.**.**/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**:8000/CmxDownload.php
**.**.**.**:8000/CmxDownload.php
**.**.**.**:81/cmxlogin.php?t=14342148006227
**.**.**.**:81/CmxDownload.php
**.**.**.**:8000/CmxDownload.php
http://**.**.**.**/cmxlogin.php?t=14341807665134
**.**.**.**:8080/CmxDownload.php
http://**.**.**.**/cmxlogin.php?t=14341806064013
**.**.**.**/cmxlogin.php?t=14341805565006
**.**.**.**:8001/cmxlogin.php?t=14341775326147
**.**.**.**:8080/CmxDownload.php
**.**.**.**:8000/CmxDownload.php
http://**.**.**.**:8088/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**:81/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**:81/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**:8080/cmxlogin.php?t=14339409675130
**.**.**.**:8080/CmxDownload.php
**.**.**.**:8000/CmxDownload.php
http://**.**.**.**/CmxDownload.php
**.**.**.**:8000/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**:8888/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**:81/CmxDownload.php
**.**.**.**:8080/cmxlogin.php?t=14338222676437
**.**.**.**:8080/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**/cmxlogin.php?t=14337336287380
**.**.**.**/CmxDownload.php
**.**.**.**/CmxDownload.php
**.**.**.**:8000/cmxlogin.php?t=14337068121870
**.**.**.**:8888/CmxDownload.php
**.**.**.**:8080/CmxDownload.php
**.**.**.**/CmxDownload.php
**.**.**.**:81/cmxlogin.php?t=14336851360738
**.**.**.**:8080/CmxDownload.php
**.**.**.**:8888/cmxlogin.php?t=14336609488901
**.**.**.**:8888/CmxDownload.php
**.**.**.**:8888/cmxlogin.php?t=14336562079134

Remediation: filtering.
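The following is an added illustration, not code from the original report or from Comexe. It reconstructs, in PHP/PDO, the search pattern implied by the request above (the POST fields ViewAppFld, ViewAppValue, sort and sortType) in an injectable form, and beside it the "filtering" fix written the way a practitioner would actually apply it to an identifier parameter: an allow-list of column names plus a bound search value. How cmxfolder.php really interprets ViewAppFld is not visible on the page; the example assumes it names the column to search. The table app_list, its columns, the sample rows and the function names are constructed for the illustration, and the whole thing runs stand-alone against an in-memory SQLite database (php -f, with the pdo_sqlite extension).

```php
<?php
declare(strict_types=1);

// Added example, not Comexe's code. The table app_list, its columns and the
// sample rows are constructed assumptions standing in for the RAS application list.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE app_list (AppID INTEGER PRIMARY KEY, DisplayName TEXT, Description TEXT, Hidden INTEGER)');
    $db->exec("INSERT INTO app_list VALUES (1, 'Notepad', 'text editor', 0), (2, 'Calc', 'calculator', 0), (3, 'AdminTool', 'internal only', 1)");
    return $db;
}

// Injectable pattern: the field name (ViewAppFld), the search value (ViewAppValue)
// and the sort column are spliced straight into the SQL text. The field name is the
// worst of them, because a column name cannot be bound as a parameter and so reaches
// the SQL parser exactly as the client sent it.
function search_apps_vulnerable(PDO $db, array $post): array
{
    $dir = ($post['sortType'] ?? 'A') === 'D' ? 'DESC' : 'ASC';
    $sql = "SELECT AppID, DisplayName FROM app_list"
         . " WHERE Hidden = 0 AND {$post['ViewAppFld']} LIKE '%{$post['ViewAppValue']}%'"
         . " ORDER BY {$post['sort']} $dir";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: every identifier is taken from a fixed allow-list and the search
// value is bound, so the request can no longer change the shape of the statement.
const SEARCHABLE_FIELDS = ['DisplayName', 'Description'];
const SORT_DIRECTIONS   = ['A' => 'ASC', 'D' => 'DESC'];

function search_apps_hardened(PDO $db, array $post): array
{
    $field = (string)($post['ViewAppFld'] ?? '');
    if (!in_array($field, SEARCHABLE_FIELDS, true)) {
        throw new InvalidArgumentException('ViewAppFld is not a searchable field');
    }
    $sort = (string)($post['sort'] ?? 'DisplayName');
    if (!in_array($sort, SEARCHABLE_FIELDS, true)) {
        throw new InvalidArgumentException('sort is not a sortable field');
    }
    $dir = SORT_DIRECTIONS[(string)($post['sortType'] ?? 'A')] ?? null;
    if ($dir === null) {
        throw new InvalidArgumentException('sortType must be A or D');
    }
    // $field, $sort and $dir are allow-list entries, never request text.
    $sql = "SELECT AppID, DisplayName FROM app_list"
         . " WHERE Hidden = 0 AND $field LIKE :pattern ESCAPE '\\'"
         . " ORDER BY $sort $dir";
    $stmt = $db->prepare($sql);
    // Escape LIKE metacharacters so the bound value is matched literally.
    $value   = (string)($post['ViewAppValue'] ?? '');
    $pattern = '%' . strtr($value, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();

// A well-formed search (constructed): look for "a" in DisplayName, sorted ascending.
$benign = ['ViewAppFld' => 'DisplayName', 'ViewAppValue' => 'a', 'sort' => 'DisplayName', 'sortType' => 'A'];

// The same request with a SQL fragment where a column name is expected. In the
// vulnerable handler the fragment is evaluated as part of the WHERE clause and the
// trailing comment discards the rest of the statement, including the Hidden = 0 filter's effect.
$hostile = $benign;
$hostile['ViewAppFld'] = '1 OR 1=1 --';

echo "vulnerable, benign : ", json_encode(array_column(search_apps_vulnerable($db, $benign), 'DisplayName')), "\n";
echo "vulnerable, hostile: ", json_encode(array_column(search_apps_vulnerable($db, $hostile), 'DisplayName')), "\n";
echo "hardened,   benign : ", json_encode(array_column(search_apps_hardened($db, $benign), 'DisplayName')), "\n";
try {
    search_apps_hardened($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo "hardened,   hostile: rejected (", $e->getMessage(), ")\n";
}

// A literal "%" as the search value is escaped rather than treated as a wildcard.
$wild = $benign;
$wild['ViewAppValue'] = '%';
echo "hardened,   literal %: ", count(search_apps_hardened($db, $wild)), " row(s)\n";
```

The point of the allow-list is that "filtering" an identifier by stripping quotes or keywords is not enough: a column name is never quoted in SQL, so a blacklist has nothing to anchor on. Mapping the client's token onto a fixed set of column names, and binding only the value, removes the problem for ViewAppFld, sort and sortType alike. Running the script as an unprivileged database user is a separate, complementary control against the "DBA privileges" part of the report's title.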

Copyright notice: please credit the source when reposting: YY-2012@WooYun

Vulnerability response
Vendor response:
Severity: High

Vulnerability Rank: 17
Confirmed: 2015-07-10 16:17
Vendor reply: CNVD confirmed and reproduced the reported issue and has notified the software vendor through the contact details published on its website.
Latest status: None
Original: http://www.wooyun.org/bugs/wooyun-2015-0124796
