WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2012-08-08: Details reported to the vendor, awaiting the vendor's handling
2012-08-08: Vendor has confirmed; details disclosed to the vendor only
2012-08-18: Details disclosed to core white hats and experts in related fields
2012-08-28: Details disclosed to regular white hats
2012-09-07: Details disclosed to intern white hats
2012-09-22: Details disclosed to the public
As the saying goes: "History repeats itself with astonishing similarity!"
Why say that? Look at this case: WooYun: Qunar's test account has a weak password!
This company's technology choices are basically the same as that one's (of course, most ambitious companies make the same choices!).
http://pv.letv.com/index.html LETV data analytics platform account with a weak password: test / test
What does a weak password on a company's test account tell you? At the very least that the security architecture process is incomplete; it is not an accident!
There are quite a few injection points, although of course they are all in the same place: the "过滤条件:" (filter condition) field.
'注射点 (the value entered in the field; "注射点" means "injection point")
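The statement echoed in the exception trace further down pastes the filter value straight into a LIKE literal. As an added example that is not part of the report, the following Python rebuilds that query shape over a constructed in-memory SQLite table (column names taken from the trace, rows made up) and runs the concatenated form beside a parameterised one that also escapes LIKE metacharacters, so the same probe value is compared rather than parsed.

```python
import sqlite3

# Constructed in-memory stand-in for the table named in the leaked query: column
# names come from the trace on the page, the rows are made up.
def setup():
    con = sqlite3.connect(":memory:")
    con.execute("create table t_stat_url_top (prod_code, tuiguang, day_time, url, pv, uv, uip)")
    con.executemany("insert into t_stat_url_top values (?, ?, ?, ?, ?, ?, ?)", [
        ("ifeng", "-", "20120808", "http://news.example.test/a", 10, 5, 3),
        ("ifeng", "-", "20120808", "http://sports.example.test/b", 7, 4, 2),
        ("ifeng", "-", "20120808", "http://shop.example.test/100%_off", 1, 1, 1),
        ("ifeng", "-", "20120808", "http://shop.example.test/100-off", 2, 1, 1),
    ])
    return con

# Shape of the statement echoed in the trace (the HTML link columns are omitted).
INNER = ("select url, sum(pv) pv, sum(uv) uv, sum(uip) uip from t_stat_url_top "
         "where prod_code = {prod} and tuiguang = '-' and day_time = {day} "
         "and url like {pattern}{escape} group by url order by pv desc")

def count_concatenated(con, filt):
    """As in the trace: the filter value is pasted into the LIKE literal, so a quote
    in it changes the statement and '%' / '_' in it act as wildcards."""
    sql = "select count(*) from (" + INNER.format(
        prod="'ifeng'", day="'20120808'", pattern="'%" + filt + "%'", escape="") + ") asdf"
    return con.execute(sql).fetchone()[0]

def count_bound(con, filt):
    """Every user-influenced value is bound as a parameter and LIKE metacharacters
    in the filter are escaped, so the value is only ever compared, never parsed."""
    literal = filt.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "select count(*) from (" + INNER.format(
        prod="?", day="?", pattern="?", escape=" escape '\\'") + ") asdf"
    return con.execute(sql, ("ifeng", "20120808", "%" + literal + "%")).fetchone()[0]

def probe(con, filt):
    """Run both variants; the concatenated one fails instead of counting on bad input."""
    try:
        concatenated = count_concatenated(con, filt)
    except sqlite3.OperationalError:
        concatenated = "SQL error"
    return {"concatenated": concatenated, "bound": count_bound(con, filt)}

if __name__ == "__main__":
    db = setup()
    for value in ("shop", "'注射点", "100%_off"):
        print(repr(value), probe(db, value))
```

The third probe shows the caveat that binding alone does not cover: without the ESCAPE clause, `%` and `_` typed by the user still widen the match.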
We will not go into the SQL injection itself; instead, let us look at the weaknesses of a layered architecture from the perspective of Java's exception mechanism (because the way Java throws exceptions is layered too!):
The exception information returned for the injection:
Http status: 500 Internal Server Error
ajaxOptions: error
thrownError: undefined
500 Servlet Exception
[show] org.postgresql.util.PSQLException: ERROR: syntax error at or near "注射点" 位置:519
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.dao.InvalidDataAccessResourceUsageException: could not execute query; SQL [select count(*) from ( select url, sum(pv) pv , sum(uv) uv, sum(uip) uip,'<a href=''#'' onclick=show(''common.html?name=urlIn&key='||replace(replace(url,'%','%25'),'&','%26') ||'&needProd=true&from=20120808&other=-'')>查看流入</a>'url_in , '<a href=''#'' onclick=show(''common.html?name=urlOut&needProd=true&key='||replace(replace(url,'%','%25'),'&','%26') ||'&from=20120808&other=-'')>查看流出</a>'url_out from t_stat_url_top where prod_code = 'ifeng' and tuiguang ='-' and day_time = '20120808' and url like '%'注射点%' group by url order by pv desc) asdf]; nested exception is org.hibernate.exception.SQLGrammarException: could not execute query
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:656)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:119)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:96)
    at com.caucho.server.dispatch.ServletFilterChain.doFilter(ServletFilterChain.java:109)
    at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:156)
    at com.caucho.server.webapp.AccessLogFilterChain.doFilter(AccessLogFilterChain.java:95)
    at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:287)
    at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:811)
    at com.caucho.network.listen.TcpSocketLink.dispatchRequest(TcpSocketLink.java:1186)
    at com.caucho.network.listen.TcpSocketLink.handleRequest(TcpSocketLink.java:1148)
    at com.caucho.network.listen.TcpSocketLink.handleRequestsImpl(TcpSocketLink.java:1132)
    at com.caucho.network.listen.TcpSocketLink.handleRequests(TcpSocketLink.java:1055)
    at com.caucho.network.listen.TcpSocketLink.handleAcceptTask(TcpSocketLink.java:903)
    at com.caucho.network.listen.AcceptTask.doTask(AcceptTask.java:74)
    at com.caucho.network.listen.ConnectionTask.runThread(ConnectionTask.java:97)
    at com.caucho.network.listen.ConnectionTask.run(ConnectionTask.java:80)
    at com.caucho.network.listen.AcceptTask.run(AcceptTask.java:59)
    at com.caucho.env.thread.ResinThread.runTasks(ResinThread.java:164)
    at com.caucho.env.thread.ResinThread.run(ResinThread.java:130)
Caused by: org.springframework.dao.InvalidDataAccessResourceUsageException: could not execute query; SQL [select count(*) from ( select url, sum(pv) pv , sum(uv) uv, sum(uip) uip,'<a href=''#'' onclick=show(''common.html?name=urlIn&key='||replace(replace(url,'%','%25'),'&','%26') ||'&needProd=true&from=20120808&other=-'')>查看流入</a>'url_in , '<a href=''#'' onclick=show(''common.html?name=urlOut&needProd=true&key='||replace(replace(url,'%','%25'),'&','%26') ||'&from=20120808&other=-'')>查看流出</a>'url_out from t_stat_url_top where prod_code = 'ifeng' and tuiguang ='-' and day_time = '20120808' and url like '%'注射点%' group by url order by pv desc) asdf]; nested exception is org.hibernate.exception.SQLGrammarException: could not execute query
    at org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:629)
    at org.springframework.orm.hibernate3.HibernateAccessor.convertHibernateAccessException(HibernateAccessor.java:412)
    at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:411)
    at org.springframework.orm.hibernate3.HibernateTemplate.execute(HibernateTemplate.java:339)
    at com.tj.dao.BaseDaoHib.getCountByNativeSQL(BaseDaoHib.java:244)
    at com.tj.dao.BaseDaoHib.getPageInfo(BaseDaoHib.java:547)
    at com.tj.service.PVService.getProObject(PVService.java:904)
    at com.tj.service.PVService.access$0(PVService.java:712)
    at com.tj.service.PVService$1.getObject(PVService.java:1088)
    at com.tj.util.CacheUtilMem.autoCach(CacheUtilMem.java:154)
    at com.tj.util.CacheUtilMem.autoCach(CacheUtilMem.java:143)
    at com.tj.service.PVService.getCommonActionData(PVService.java:1082)
    at com.tj.action.Common.getMetaAction(Common.java:346)
    at sun.reflect.GeneratedMethodAccessor273.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:119)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:96)
    at com.caucho.server.dispatch.ServletFilterChain.doFilter(ServletFilterChain.java:109)
    at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:156)
    at com.caucho.server.webapp.AccessLogFilterChain.doFilter(AccessLogFilterChain.java:95)
    at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:287)
    at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:811)
    at com.caucho.network.listen.TcpSocketLink.dispatchRequest(TcpSocketLink.java:1186)
    at com.caucho.network.listen.TcpSocketLink.handleRequest(TcpSocketLink.java:1148)
    at com.caucho.network.listen.TcpSocketLink.handleRequestsImpl(TcpSocketLink.java:1132)
    at com.caucho.network.listen.TcpSocketLink.handleRequests(TcpSocketLink.java:1055)
    at com.caucho.network.listen.TcpSocketLink.handleAcceptTask(TcpSocketLink.java:903)
    at com.caucho.network.listen.AcceptTask.doTask(AcceptTask.java:74)
    at com.caucho.network.listen.ConnectionTask.runThread(ConnectionTask.java:97)
    at com.caucho.network.listen.ConnectionTask.run(ConnectionTask.java:80)
    at com.caucho.network.listen.AcceptTask.run(AcceptTask.java:59)
    at com.caucho.env.thread.ResinThread.runTasks(ResinThread.java:164)
    at com.caucho.env.thread.ResinThread.run(ResinThread.java:130)
Caused by: org.hibernate.exception.SQLGrammarException: could not execute query
    at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:90)
    at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:66)
    at org.hibernate.loader.Loader.doList(Loader.java:2235)
    at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2129)
    at org.hibernate.loader.Loader.list(Loader.java:2124)
    at org.hibernate.loader.custom.CustomLoader.list(CustomLoader.java:312)
    at org.hibernate.impl.SessionImpl.listCustomQuery(SessionImpl.java:1723)
    at org.hibernate.impl.AbstractSessionImpl.list(AbstractSessionImpl.java:165)
    at org.hibernate.impl.SQLQueryImpl.list(SQLQueryImpl.java:175)
    at org.hibernate.impl.AbstractQueryImpl.uniqueResult(AbstractQueryImpl.java:835)
    at com.tj.dao.BaseDaoHib$7.doInHibernate(BaseDaoHib.java:250)
    at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:406)
    at org.springframework.orm.hibernate3.HibernateTemplate.execute(HibernateTemplate.java:339)
    at com.tj.dao.BaseDaoHib.getCountByNativeSQL(BaseDaoHib.java:244)
    at com.tj.dao.BaseDaoHib.getPageInfo(BaseDaoHib.java:547)
    at com.tj.service.PVService.getProObject(PVService.java:904)
    at com.tj.service.PVService.access$0(PVService.java:712)
    at com.tj.service.PVService$1.getObject(PVService.java:1088)
    at com.tj.util.CacheUtilMem.autoCach(CacheUtilMem.java:154)
    at com.tj.util.CacheUtilMem.autoCach(CacheUtilMem.java:143)
    at com.tj.service.PVService.getCommonActionData(PVService.java:1082)
    at com.tj.action.Common.getMetaAction(Common.java:346)
    at sun.reflect.GeneratedMethodAccessor273.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:119)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:96)
    at com.caucho.server.dispatch.ServletFilterChain.doFilter(ServletFilterChain.java:109)
    at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:156)
    at com.caucho.server.webapp.AccessLogFilterChain.doFilter(AccessLogFilterChain.java:95)
    at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:287)
    at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:811)
    at com.caucho.network.listen.TcpSocketLink.dispatchRequest(TcpSocketLink.java:1186)
    at com.caucho.network.listen.TcpSocketLink.handleRequest(TcpSocketLink.java:1148)
    at com.caucho.network.listen.TcpSocketLink.handleRequestsImpl(TcpSocketLink.java:1132)
    at com.caucho.network.listen.TcpSocketLink.handleRequests(TcpSocketLink.java:1055)
    at com.caucho.network.listen.TcpSocketLink.handleAcceptTask(TcpSocketLink.java:903)
    at com.caucho.network.listen.AcceptTask.doTask(AcceptTask.java:74)
    at com.caucho.network.listen.ConnectionTask.runThread(ConnectionTask.java:97)
    at com.caucho.network.listen.ConnectionTask.run(ConnectionTask.java:80)
    at com.caucho.network.listen.AcceptTask.run(AcceptTask.java:59)
    at com.caucho.env.thread.ResinThread.runTasks(ResinThread.java:164)
    at com.caucho.env.thread.ResinThread.run(ResinThread.java:130)
Caused by: org.postgresql.util.PSQLException: ERROR: syntax error at or near "注射点" 位置:519
    at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2062)
    at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1795)
    at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
    at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:479)
    at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:367)
    at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:271)
    at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:92)
    at org.hibernate.jdbc.AbstractBatcher.getResultSet(AbstractBatcher.java:208)
    at org.hibernate.loader.Loader.getResultSet(Loader.java:1812)
    at org.hibernate.loader.Loader.doQuery(Loader.java:697)
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:259)
    at org.hibernate.loader.Loader.doList(Loader.java:2232)
    at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2129)
    at org.hibernate.loader.Loader.list(Loader.java:2124)
    at org.hibernate.loader.custom.CustomLoader.list(CustomLoader.java:312)
    at org.hibernate.impl.SessionImpl.listCustomQuery(SessionImpl.java:1723)
    at org.hibernate.impl.AbstractSessionImpl.list(AbstractSessionImpl.java:165)
    at org.hibernate.impl.SQLQueryImpl.list(SQLQueryImpl.java:175)
    at org.hibernate.impl.AbstractQueryImpl.uniqueResult(AbstractQueryImpl.java:835)
    at com.tj.dao.BaseDaoHib$7.doInHibernate(BaseDaoHib.java:250)
    at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:406)
    at org.springframework.orm.hibernate3.HibernateTemplate.execute(HibernateTemplate.java:339)
    at com.tj.dao.BaseDaoHib.getCountByNativeSQL(BaseDaoHib.java:244)
    at com.tj.dao.BaseDaoHib.getPageInfo(BaseDaoHib.java:547)
    at com.tj.service.PVService.getProObject(PVService.java:904)
    at com.tj.service.PVService.access$0(PVService.java:712)
    at com.tj.service.PVService$1.getObject(PVService.java:1088)
    at com.tj.util.CacheUtilMem.autoCach(CacheUtilMem.java:154)
    at com.tj.util.CacheUtilMem.autoCach(CacheUtilMem.java:143)
    at com.tj.service.PVService.getCommonActionData(PVService.java:1082)
    at com.tj.action.Common.getMetaAction(Common.java:346)
    at sun.reflect.GeneratedMethodAccessor273.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:176)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:426)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:414)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:119)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:96)
    at com.caucho.server.dispatch.ServletFilterChain.doFilter(ServletFilterChain.java:109)
    at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:156)
    at com.caucho.server.webapp.AccessLogFilterChain.doFilter(AccessLogFilterChain.java:95)
    at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:287)
    at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:811)
    at com.caucho.network.listen.TcpSocketLink.dispatchRequest(TcpSocketLink.java:1186)
    at com.caucho.network.listen.TcpSocketLink.handleRequest(TcpSocketLink.java:1148)
    at com.caucho.network.listen.TcpSocketLink.handleRequestsImpl(TcpSocketLink.java:1132)
    at com.caucho.network.listen.TcpSocketLink.handleRequests(TcpSocketLink.java:1055)
    at com.caucho.network.listen.TcpSocketLink.handleAcceptTask(TcpSocketLink.java:903)
    at com.caucho.network.listen.AcceptTask.doTask(AcceptTask.java:74)
    at com.caucho.network.listen.ConnectionTask.runThread(ConnectionTask.java:97)
    at com.caucho.network.listen.ConnectionTask.run(ConnectionTask.java:80)
    at com.caucho.network.listen.AcceptTask.run(AcceptTask.java:59)
    at com.caucho.env.thread.ResinThread.runTasks(ResinThread.java:164)
    at com.caucho.env.thread.ResinThread.run(ResinThread.java:130)
--------------------------------------------------------------------------------
Resin/4.0.20 Server: 'default'
First look at this line: [show] org.postgresql.util.PSQLException: ERROR: syntax error at or near "注射点" 位置:519
The exception is thrown as org.postgresql.util.PSQLException, so the PostgreSQL JDBC driver is in use.
Then look carefully at the Servlet exception in the middle: they do not seem to be using the common Struts or WebWork frameworks, but Spring's own MVC directly. Scared off by the Struts2 remote code execution vulnerability? Haha! And Hibernate 3 as well.
Resin/4.0.20 Server: 'default', so the container is Resin!
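The layer-by-layer reading above can be automated. The following Python is an added example, not part of the report: it takes a constructed, condensed copy of the leaked error page, walks the Caused by chain from the Spring wrapper down to the PostgreSQL driver, attributes stack frames to layers by package prefix, and pulls out the echoed SQL and the container version banner. It is the check a defender can run against their own 500 responses to see exactly what an unhandled exception gives away.

```python
import re
from collections import Counter

# Constructed, condensed copy of the leaked error page: the four-level exception
# chain, one or two representative frames per layer and the Resin footer.
SAMPLE_TRACE = """\
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.dao.InvalidDataAccessResourceUsageException: could not execute query; SQL [select count(*) from ( select url, sum(pv) pv from t_stat_url_top where prod_code = 'ifeng' and day_time = '20120808' and url like '%'注射点%' group by url order by pv desc) asdf]; nested exception is org.hibernate.exception.SQLGrammarException: could not execute query
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:656)
    at com.caucho.server.dispatch.ServletFilterChain.doFilter(ServletFilterChain.java:109)
Caused by: org.springframework.dao.InvalidDataAccessResourceUsageException: could not execute query
    at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:411)
    at com.tj.dao.BaseDaoHib.getCountByNativeSQL(BaseDaoHib.java:244)
Caused by: org.hibernate.exception.SQLGrammarException: could not execute query
    at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:90)
Caused by: org.postgresql.util.PSQLException: ERROR: syntax error at or near "注射点" 位置:519
    at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2062)
--------------------------------------------------------------------------------
Resin/4.0.20 Server: 'default'
"""

# Package prefixes that identify each layer seen in the page's trace.
LAYERS = (
    ("Resin servlet container", "com.caucho."),
    ("Spring MVC", "org.springframework.web.servlet."),
    ("Spring ORM glue", "org.springframework.orm."),
    ("Hibernate 3", "org.hibernate."),
    ("PostgreSQL JDBC driver", "org.postgresql."),
    ("application code", "com.tj."),
)
EXC_RE = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error)):", re.M)
FRAME_RE = re.compile(r"^\s*at ([\w.$]+)\.[\w$<>]+\(", re.M)
SQL_RE = re.compile(r"SQL \[(.*?)\];", re.S)
VERSION_RE = re.compile(r"\b([A-Za-z][\w-]*)/(\d+(?:\.\d+)+)\b")

def cause_chain(trace):
    """Exception classes from the outermost wrapper down to the root cause."""
    return EXC_RE.findall(trace)

def fingerprint(trace):
    """Number of frames each recognised layer contributes (unknown packages are skipped)."""
    counts = Counter()
    for cls in FRAME_RE.findall(trace):
        for label, prefix in LAYERS:
            if cls.startswith(prefix):
                counts[label] += 1
                break
    return dict(counts)

def leaked_sql(trace):
    """The complete statement Spring echoes inside 'SQL [...]', or None if absent."""
    m = SQL_RE.search(trace)
    return m.group(1) if m else None

def leaked_versions(trace):
    """Product/version pairs printed by the container footer, e.g. ('Resin', '4.0.20')."""
    return VERSION_RE.findall(trace)
```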
Nothing meant by it, just idle griping! Haha!
Internal systems that face the outside also need attention to security! (The Olympics are almost over and the TV still hasn't arrived!)
Severity: High
Vulnerability Rank: 12
Confirmed: 2012-08-08 11:31
Sigh, there have been a lot of problems recently, we are really sorry. The business department has already been notified to handle it. At the same time we will review all of our systems to avoid problems of this kind. Thanks again.