EOMS password retrieval vulnerability + SQL injection affecting the provincial core network management support systems of China Telecom, China Mobile and China Unicom
The system is reportedly issued by the headquarters of the three major operators to the provincial branches for monitoring and supporting the provincial core network.
Detailed description:
Testing the Mobile, Telecom and Unicom branches in one province found that all three run EOMS, a support system developed in Java. Although Mobile removed the password retrieval function from its logon page, the page still exists at its known address on the other carriers.
Password retrieval design features:
1. Enter the correct user name;
2. Send the verification code to your mobile phone;
3. Enter the verification code to reset.
A. The vulnerability starts at the user name step: when a user name that does not exist is entered, the system responds that the user does not exist, so valid user names can be guessed here;
B. Once a correct user name is entered, the system sends a verification code to the user's mobile phone. Two weaknesses exist: first, the verification code is also returned to the page in a hidden tag, so it can be read by viewing the page source; second, the code is too simple, with only four digits;
C. After resetting any user's password, log on to the console and find a query box: a SQL injection vulnerability exists there. Because EOMS is the operators' core network monitoring and data collection system, all of the systems share one database, so a SQL injection or arbitrary file upload vulnerability in any one system directly causes data leakage from the core database server.
D. The ticket submission function has an arbitrary file upload vulnerability. Combined with the SQL injection, the path of the uploaded file can be found, allowing a webshell to be obtained. This affects the security of the server.
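As an added illustration of how points A and B are mitigated (example code written for this write-up, not EOMS code), a password-reset flow that returns the same message whether or not the user exists, keeps the code out of the HTTP response, uses a six-digit one-time code with expiry and an attempt limit, and compares it in constant time. The user record, phone number and SMS stand-in are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # a 4-digit code has only 10,000 values; use more and rate-limit
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5

# Constructed sample data: username -> registered phone (hypothetical).
USERS = {"alice": "+8613800000000"}
PASSWORD_HASHES = {}     # username -> (salt, pbkdf2 hash)
PENDING = {}             # username -> [sha256(code), expiry, attempts_left]
SENT_SMS = []            # stand-in for the SMS gateway; the code goes here, never into the page

def _hash_code(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()

def request_reset(username: str) -> str:
    """Steps 1 and 2: identical response for existing and unknown users (no enumeration)."""
    phone = USERS.get(username)
    if phone is not None:
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        PENDING[username] = [_hash_code(code), time.time() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        SENT_SMS.append((phone, code))
    return "If the account exists, a verification code has been sent to its registered phone."

def confirm_reset(username: str, code: str, new_password: str) -> bool:
    """Step 3: one-time code, expiry, hard attempt limit and constant-time comparison."""
    entry = PENDING.get(username)
    if entry is None:
        return False
    digest, expires_at, attempts_left = entry
    if time.time() > expires_at or attempts_left <= 0:
        PENDING.pop(username, None)
        return False
    entry[2] -= 1                      # count the attempt before checking the code
    if not hmac.compare_digest(digest, _hash_code(code)):
        if entry[2] <= 0:
            PENDING.pop(username, None)  # too many wrong codes: discard, user must restart
        return False
    PENDING.pop(username, None)        # a code is valid exactly once
    salt = secrets.token_bytes(16)
    PASSWORD_HASHES[username] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
    return True
```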
Proof of vulnerability:
Only two of the problems described above are demonstrated below.
1. Password retrieval vulnerability.
Access http://xxx.xxx.xxx.xxx:8080/eoms/loginUserid.jsp directly to retrieve the password, enter a correct user name, and the page reports that the verification code was sent successfully. Viewing the page source (right-click, view source) reveals the code, which is enough to reset the user's password.
2. SQL injection: any of the query forms will do.
Solution:
Patch